donutloader | 4156e2eee44ca9dcc857741f3944991cf5fa38a5ef0c575e153a3f13c2748fca

Analysis

max time kernel
149s
max time network
142s
platform
windows10-ltsc_2021_x64
resource
win10ltsc2021-20250425-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250425-enlocale:en-usos:windows10-ltsc_2021-x64system
submitted
07/05/2025, 19:29

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

InstallerApp_ver12.02/InstallerApp_ver12.02.exe
Size

7.3MB
MD5

fa122de570f5f04feb13ded859bfa96c
SHA1

9cf36c88df020156afeee73adb9c78b931ad7f43
SHA256

55ea17a44d7a9882236b5cda25fa844e62cb1a4fe8d5cdc17b3591f4f98aa802
SHA512

e69c2180c3c08ea15784706a89944d5ccff35fa89a68e23aa60335b65740363804282f8737e7147f78f904180de6cc3e5d1e3ec2f6b255234c3799a8d3567ddb
SSDEEP

98304:xRTmitxvjSgoSIlDPfwk+UYhOjEJeHMqBF/3A2dxulfpm5+X0t5P8QpqQ9A3bQqm:3TnmgoSIlDPov1hQqjqBFFif0+u5P8q

Score

10^/10

donutloader discovery loader spyware stealer

Malware Config

Signatures

Detects DonutLoader 1 IoCs

loader

resource	yara_rule
behavioral1/memory/4712-115-0x00007FF64D2A0000-0x00007FF64D5B3000-memory.dmp	family_donutloader

DonutLoader
DonutLoader is a position-independent code that enables in-memory execution of VBScript, JScript, EXE, DLL files and dotNET assemblies.
loader donutloader
Donutloader family
donutloader

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1884 set thread context of 4712	1884	InstallerApp_ver12.02.exe	90

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Loads dropped DLL 1 IoCs

pid	Process
4712	RQLconfig_beta_v3.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InstallerApp_ver12.02.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	chrome.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133911199081967256"	chrome.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
1884	InstallerApp_ver12.02.exe
1884	InstallerApp_ver12.02.exe
1884	InstallerApp_ver12.02.exe
1884	InstallerApp_ver12.02.exe
4712	RQLconfig_beta_v3.exe
4712	RQLconfig_beta_v3.exe
5428	chrome.exe
5428	chrome.exe
4712	RQLconfig_beta_v3.exe
4712	RQLconfig_beta_v3.exe
4712	RQLconfig_beta_v3.exe
4712	RQLconfig_beta_v3.exe
4712	RQLconfig_beta_v3.exe
4712	RQLconfig_beta_v3.exe
5428	chrome.exe
5428	chrome.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1884	InstallerApp_ver12.02.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
5428	chrome.exe
5428	chrome.exe
5428	chrome.exe
5428	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5428	chrome.exe
Token: SeCreatePagefilePrivilege	5428	chrome.exe
Token: SeShutdownPrivilege	5428	chrome.exe
Token: SeCreatePagefilePrivilege	5428	chrome.exe
Token: SeShutdownPrivilege	5428	chrome.exe
Token: SeCreatePagefilePrivilege	5428	chrome.exe
Token: SeShutdownPrivilege	5428	chrome.exe
Token: SeCreatePagefilePrivilege	5428	chrome.exe
Token: SeShutdownPrivilege	5428	chrome.exe
Token: SeCreatePagefilePrivilege	5428	chrome.exe
Token: SeShutdownPrivilege	5428	chrome.exe
Token: SeCreatePagefilePrivilege	5428	chrome.exe
Token: SeShutdownPrivilege	5428	chrome.exe
Token: SeCreatePagefilePrivilege	5428	chrome.exe
Token: SeShutdownPrivilege	5428	chrome.exe
Token: SeCreatePagefilePrivilege	5428	chrome.exe
Token: SeShutdownPrivilege	5428	chrome.exe
Token: SeCreatePagefilePrivilege	5428	chrome.exe
Token: SeShutdownPrivilege	5428	chrome.exe
Token: SeCreatePagefilePrivilege	5428	chrome.exe
Token: SeShutdownPrivilege	5428	chrome.exe
Token: SeCreatePagefilePrivilege	5428	chrome.exe
Token: SeShutdownPrivilege	5428	chrome.exe
Token: SeCreatePagefilePrivilege	5428	chrome.exe
Token: SeShutdownPrivilege	5428	chrome.exe
Token: SeCreatePagefilePrivilege	5428	chrome.exe
Token: SeShutdownPrivilege	5428	chrome.exe
Token: SeCreatePagefilePrivilege	5428	chrome.exe
Token: SeShutdownPrivilege	5428	chrome.exe
Token: SeCreatePagefilePrivilege	5428	chrome.exe
Token: SeShutdownPrivilege	5428	chrome.exe
Token: SeCreatePagefilePrivilege	5428	chrome.exe
Token: SeShutdownPrivilege	5428	chrome.exe
Token: SeCreatePagefilePrivilege	5428	chrome.exe
Token: SeShutdownPrivilege	5428	chrome.exe
Token: SeCreatePagefilePrivilege	5428	chrome.exe
Token: SeShutdownPrivilege	5428	chrome.exe
Token: SeCreatePagefilePrivilege	5428	chrome.exe
Token: SeShutdownPrivilege	5428	chrome.exe
Token: SeCreatePagefilePrivilege	5428	chrome.exe
Token: SeShutdownPrivilege	5428	chrome.exe
Token: SeCreatePagefilePrivilege	5428	chrome.exe
Token: SeShutdownPrivilege	5428	chrome.exe
Token: SeCreatePagefilePrivilege	5428	chrome.exe
Token: SeShutdownPrivilege	5428	chrome.exe
Token: SeCreatePagefilePrivilege	5428	chrome.exe
Token: SeShutdownPrivilege	5428	chrome.exe
Token: SeCreatePagefilePrivilege	5428	chrome.exe
Token: SeShutdownPrivilege	5428	chrome.exe
Token: SeCreatePagefilePrivilege	5428	chrome.exe
Token: SeShutdownPrivilege	5428	chrome.exe
Token: SeCreatePagefilePrivilege	5428	chrome.exe
Token: SeShutdownPrivilege	5428	chrome.exe
Token: SeCreatePagefilePrivilege	5428	chrome.exe
Token: SeShutdownPrivilege	5428	chrome.exe
Token: SeCreatePagefilePrivilege	5428	chrome.exe
Token: SeShutdownPrivilege	5428	chrome.exe
Token: SeCreatePagefilePrivilege	5428	chrome.exe
Token: SeShutdownPrivilege	5428	chrome.exe
Token: SeCreatePagefilePrivilege	5428	chrome.exe
Token: SeShutdownPrivilege	5428	chrome.exe
Token: SeCreatePagefilePrivilege	5428	chrome.exe
Token: SeShutdownPrivilege	5428	chrome.exe
Token: SeCreatePagefilePrivilege	5428	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
5428	chrome.exe
5428	chrome.exe
5428	chrome.exe
5428	chrome.exe
5428	chrome.exe
5428	chrome.exe
5428	chrome.exe
5428	chrome.exe
5428	chrome.exe
5428	chrome.exe
5428	chrome.exe
5428	chrome.exe
5428	chrome.exe
5428	chrome.exe
5428	chrome.exe
5428	chrome.exe
5428	chrome.exe
5428	chrome.exe
5428	chrome.exe
5428	chrome.exe
5428	chrome.exe
5428	chrome.exe
5428	chrome.exe
5428	chrome.exe
5428	chrome.exe
5428	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
5428	chrome.exe
5428	chrome.exe
5428	chrome.exe
5428	chrome.exe
5428	chrome.exe
5428	chrome.exe
5428	chrome.exe
5428	chrome.exe
5428	chrome.exe
5428	chrome.exe
5428	chrome.exe
5428	chrome.exe
5428	chrome.exe
5428	chrome.exe
5428	chrome.exe
5428	chrome.exe
5428	chrome.exe
5428	chrome.exe
5428	chrome.exe
5428	chrome.exe
5428	chrome.exe
5428	chrome.exe
5428	chrome.exe
5428	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1884 wrote to memory of 4712	1884	InstallerApp_ver12.02.exe	90
PID 1884 wrote to memory of 4712	1884	InstallerApp_ver12.02.exe	90
PID 1884 wrote to memory of 4712	1884	InstallerApp_ver12.02.exe	90
PID 1884 wrote to memory of 4712	1884	InstallerApp_ver12.02.exe	90
PID 1884 wrote to memory of 5076	1884	InstallerApp_ver12.02.exe	91
PID 1884 wrote to memory of 5076	1884	InstallerApp_ver12.02.exe	91
PID 1884 wrote to memory of 5076	1884	InstallerApp_ver12.02.exe	91
PID 4712 wrote to memory of 5428	4712	RQLconfig_beta_v3.exe	94
PID 4712 wrote to memory of 5428	4712	RQLconfig_beta_v3.exe	94
PID 5428 wrote to memory of 5988	5428	chrome.exe	95
PID 5428 wrote to memory of 5988	5428	chrome.exe	95
PID 5428 wrote to memory of 4900	5428	chrome.exe	96
PID 5428 wrote to memory of 4900	5428	chrome.exe	96
PID 5428 wrote to memory of 4900	5428	chrome.exe	96
PID 5428 wrote to memory of 4900	5428	chrome.exe	96
PID 5428 wrote to memory of 4900	5428	chrome.exe	96
PID 5428 wrote to memory of 4900	5428	chrome.exe	96
PID 5428 wrote to memory of 4900	5428	chrome.exe	96
PID 5428 wrote to memory of 4900	5428	chrome.exe	96
PID 5428 wrote to memory of 4900	5428	chrome.exe	96
PID 5428 wrote to memory of 4900	5428	chrome.exe	96
PID 5428 wrote to memory of 4900	5428	chrome.exe	96
PID 5428 wrote to memory of 4900	5428	chrome.exe	96
PID 5428 wrote to memory of 4900	5428	chrome.exe	96
PID 5428 wrote to memory of 4900	5428	chrome.exe	96
PID 5428 wrote to memory of 4900	5428	chrome.exe	96
PID 5428 wrote to memory of 4900	5428	chrome.exe	96
PID 5428 wrote to memory of 4900	5428	chrome.exe	96
PID 5428 wrote to memory of 4900	5428	chrome.exe	96
PID 5428 wrote to memory of 4900	5428	chrome.exe	96
PID 5428 wrote to memory of 4900	5428	chrome.exe	96
PID 5428 wrote to memory of 4900	5428	chrome.exe	96
PID 5428 wrote to memory of 4900	5428	chrome.exe	96
PID 5428 wrote to memory of 4900	5428	chrome.exe	96
PID 5428 wrote to memory of 4900	5428	chrome.exe	96
PID 5428 wrote to memory of 4900	5428	chrome.exe	96
PID 5428 wrote to memory of 4900	5428	chrome.exe	96
PID 5428 wrote to memory of 4900	5428	chrome.exe	96
PID 5428 wrote to memory of 4900	5428	chrome.exe	96
PID 5428 wrote to memory of 4900	5428	chrome.exe	96
PID 5428 wrote to memory of 4900	5428	chrome.exe	96
PID 5428 wrote to memory of 4388	5428	chrome.exe	97
PID 5428 wrote to memory of 4388	5428	chrome.exe	97
PID 5428 wrote to memory of 3300	5428	chrome.exe	98
PID 5428 wrote to memory of 3300	5428	chrome.exe	98
PID 5428 wrote to memory of 3300	5428	chrome.exe	98
PID 5428 wrote to memory of 3300	5428	chrome.exe	98
PID 5428 wrote to memory of 3300	5428	chrome.exe	98
PID 5428 wrote to memory of 3300	5428	chrome.exe	98
PID 5428 wrote to memory of 3300	5428	chrome.exe	98
PID 5428 wrote to memory of 3300	5428	chrome.exe	98
PID 5428 wrote to memory of 3300	5428	chrome.exe	98
PID 5428 wrote to memory of 3300	5428	chrome.exe	98
PID 5428 wrote to memory of 3300	5428	chrome.exe	98
PID 5428 wrote to memory of 3300	5428	chrome.exe	98
PID 5428 wrote to memory of 3300	5428	chrome.exe	98
PID 5428 wrote to memory of 3300	5428	chrome.exe	98
PID 5428 wrote to memory of 3300	5428	chrome.exe	98
PID 5428 wrote to memory of 3300	5428	chrome.exe	98
PID 5428 wrote to memory of 3300	5428	chrome.exe	98
PID 5428 wrote to memory of 3300	5428	chrome.exe	98
PID 5428 wrote to memory of 3300	5428	chrome.exe	98
PID 5428 wrote to memory of 3300	5428	chrome.exe	98
PID 5428 wrote to memory of 3300	5428	chrome.exe	98

C:\Users\Admin\AppData\Local\Temp\InstallerApp_ver12.02\InstallerApp_ver12.02.exe
"C:\Users\Admin\AppData\Local\Temp\InstallerApp_ver12.02\InstallerApp_ver12.02.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1884
- C:\Users\Admin\AppData\Local\Temp\RQLconfig_beta_v3.exe
  C:\Users\Admin\AppData\Local\Temp\RQLconfig_beta_v3.exe
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4712
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe"
    3⤵
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:5428
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x228,0x22c,0x230,0x204,0x234,0x7fff7f72dcf8,0x7fff7f72dd04,0x7fff7f72dd10
      4⤵
      PID:5988
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2012,i,18047051570409322198,8922109674654337731,262144 --variations-seed-version=20250424-180054.397000 --mojo-platform-channel-handle=2008 /prefetch:2
      4⤵
      PID:4900
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1604,i,18047051570409322198,8922109674654337731,262144 --variations-seed-version=20250424-180054.397000 --mojo-platform-channel-handle=2304 /prefetch:3
      4⤵
      PID:4388
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2308,i,18047051570409322198,8922109674654337731,262144 --variations-seed-version=20250424-180054.397000 --mojo-platform-channel-handle=2428 /prefetch:8
      4⤵
      PID:3300
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3208,i,18047051570409322198,8922109674654337731,262144 --variations-seed-version=20250424-180054.397000 --mojo-platform-channel-handle=3244 /prefetch:1
      4⤵
      PID:4288
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3216,i,18047051570409322198,8922109674654337731,262144 --variations-seed-version=20250424-180054.397000 --mojo-platform-channel-handle=3288 /prefetch:1
      4⤵
      PID:1504
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4072,i,18047051570409322198,8922109674654337731,262144 --variations-seed-version=20250424-180054.397000 --mojo-platform-channel-handle=4092 /prefetch:2
      4⤵
      PID:3292
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4736,i,18047051570409322198,8922109674654337731,262144 --variations-seed-version=20250424-180054.397000 --mojo-platform-channel-handle=4740 /prefetch:1
      4⤵
      PID:4364
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5480,i,18047051570409322198,8922109674654337731,262144 --variations-seed-version=20250424-180054.397000 --mojo-platform-channel-handle=5492 /prefetch:8
      4⤵
      PID:6064
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5728,i,18047051570409322198,8922109674654337731,262144 --variations-seed-version=20250424-180054.397000 --mojo-platform-channel-handle=5740 /prefetch:8
      4⤵
      PID:5056
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=512,i,18047051570409322198,8922109674654337731,262144 --variations-seed-version=20250424-180054.397000 --mojo-platform-channel-handle=5556 /prefetch:8
      4⤵
      PID:5288
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5508,i,18047051570409322198,8922109674654337731,262144 --variations-seed-version=20250424-180054.397000 --mojo-platform-channel-handle=5616 /prefetch:8
      4⤵
      PID:2332
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5528,i,18047051570409322198,8922109674654337731,262144 --variations-seed-version=20250424-180054.397000 --mojo-platform-channel-handle=5540 /prefetch:8
      4⤵
      PID:444
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\SysWOW64\cmd.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5076

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:2176

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:1712

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:188

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
b279db6776881d9d7516370fec287552

SHA1
c788385820293d5bf39684950b236fa64ad78a75

SHA256
859fdd76906ecb68de92650b38e2136c205e0aef7c49d08e53f14c46b725e8f3

SHA512
0552cc07e61ae85f870c7c974c7a06e438300565ba96103d20a598fab934fa7c3ecf408a46d574b2c93754dae812b70a5a78a1601268e15c497515d6624258a7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
91d1b9f9bc58e86a040788273f76e1f2

SHA1
46960159bcc57d971fa5468957e1bf78eaf211a2

SHA256
b35888c615df56d4c57e11d09b5b29530023f5a2f53d8b3c49acd67461217817

SHA512
20744efa084c9a1ca0324ebe556da6524d85d54408aa6290c264d6a52f058aab4634c375f16c28e78e5cbcf20bf1bce55892db584f51d24dba4a4ae1a97a1cdc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
3b0c76cac7aa272409e3e35eb4b00cf4

SHA1
5f65d712ae5e1863550adcd59d2fe40fc9944044

SHA256
fb8149548696e3c635e939d81e4883d97d31bbee625742c19d0f8834a83353e3

SHA512
9b5050f48db3157cc1b1b3f434a3c7d74a2766f59dde2ce6fff3a47099b5eb17d8b1cda420c107d32913f0ace34ef41551a3f9bd7723c85f78d3b076accb85c6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
c6f2c0a79c811c28409bd9e9eaf560c2

SHA1
1ce650500a2509e35931e6a97c8a028b11b124a4

SHA256
ee7fa45204cdb39415d5268f88308b32d1957cc8ea3754d255800dad5f690a06

SHA512
641007bb28ebd7d40d64171dd4c474471e3266fd6ca576c355edb3b2c5473f347cd875522632d209423c24ace96273974ad4583d586467dd75d2fa161b215a26

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
4bb92b040861b509e72c1c2094209977

SHA1
a92e81a59924ccbf241935f497f293af3fda2805

SHA256
94a6f4777d7f30e05ef5700d6af44ece4dc3cefeb99869e8d5b80fa7f516b21d

SHA512
cd330710b2dd78a85bc1805df067b112097ae7fe7622d0bac599bb13452832e7b2f43115beae93b2bd2ab5ccd95443f8e2d4013433d3c900d00d9cbc0cd6eed2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe619356.TMP

Filesize
48B

MD5
c540447897dedbeb36f81ac573c39acf

SHA1
3cb3fe6437138b3c4e907277eb73cf8cb6c650e2

SHA256
c2f18c19b9b0cd165bb2e4915570dd58f8caf67c4c233a943ef13391aa58f7f2

SHA512
b91ed27f92d25faa3b9fd8d613a310cb92b464c27be04badab52604b7c016f76310cf5d295a59e6449684e99bab3351f4a124066945c4f983dd01bc6bbc9fa20

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Version

Filesize
13B

MD5
a4710a30ca124ef24daf2c2462a1da92

SHA1
96958e2fe60d71e08ea922dfd5e69a50e38cc5db

SHA256
7114eaf0a021d2eb098b1e9f56f3500dc4f74ac68a87f5256922e4a4b9fa66b7

SHA512
43878e3bc6479df9e4ebd11092be61a73ab5a1441cd0bc8755edd401d37032c44a7279bab477c01d563ab4fa5d8078c0ba163a9207383538e894e0a7ff5a3e15

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
154KB

MD5
864b1b2da67539f854a065978b056e0a

SHA1
94720f045f7aad11ce40fbfee665bba6229aa54d

SHA256
91615b0ceb1607402a6365cfa20301ca6a0de9ca4018b895d7d906812fe21acf

SHA512
3d5f62ed5230aff3f3b3937c5bc76bc378a80f64532dd0f1e30b0ede7866d0c5ea75d5704c976cd4b768fc1936ec71471df78a7828227918705f5ea84ebf3ec5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
79KB

MD5
405b679344e42121f40b30f1572a2ac4

SHA1
29c3e30b34dab188567f680d3c5f951e418777ba

SHA256
8faecac8060baab50ea155965379dfe95597970105f1f857d22059ff2edbbaa2

SHA512
80f696a77388e462c8090d28493bc2cc686f774dfb22dd284705ab37abf0a724716dacac5322ef8041810500b99c68a685072598aaeec10db7cdd6f873a3a9fa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
154KB

MD5
1faea5aa8e8140333f0e799244d71bb4

SHA1
5be80f8f804dd0803a709979237f1a4b0bc4c7e6

SHA256
bad027e7500b63117e11d8271a82e3688a1fe1424df0beceafcc482be7d2933a

SHA512
96d5bce0382ffe03283700c630eed0e78c6ffb621eee72686f8acc3774a17a50eb1c7f922b9d3b0d4ac806d8143e2b4d23ffbeb106d781c850e012430b515151

Download Submit
C:\Users\Admin\AppData\Local\Temp\15AC2B8.tmp

Filesize
5.4MB

MD5
77d87a0bff1d51a436d1217e3709cfcc

SHA1
3df0e01d3e1f66030aa38f2af74ad3c5e948b611

SHA256
f3512b16706b334e53eeebb7972a8e048c512b2b62ca21b73fa5e6a12716602c

SHA512
69c51775315205f0839aafac7e3fe828c0faf622ceafe634e74d7e80168599fb1725fd2db1fc3019549eb265e6b7c420e72acfbcd184992d97cd7b15f433987a

Download Submit
C:\Users\Admin\AppData\Local\Temp\601F38E.tmp

Filesize
40B

MD5
1e816517f14edc986ef7fa94ecef3c93

SHA1
f3aa168238a485be070988d9a5d435d1a6a44e0e

SHA256
f4df2876c953785ec2cafcd64b56cbabe8cd1b15292df99885491c1a44a9378e

SHA512
d5b5987fc0bce8c3a960078f615615769b71d37a5a8dcd6594e35977cce554825a2d11990d44bc7f07397ad79481cdcbd52f489a422a62895bed8f4ee22c5ca0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RQLconfig_beta_v3.exe

Filesize
2.3MB

MD5
967f4470627f823f4d7981e511c9824f

SHA1
416501b096df80ddc49f4144c3832cf2cadb9cb2

SHA256
b22bf1210b5fd173a210ebfa9092390aa0513c41e1914cbe161eb547f049ef91

SHA512
8883ead428c9d4b415046de9f8398aa1f65ae81fe7945a840c822620e18f6f9930cce2e10acff3b5da8b9c817ade3dabc1de576cbd255087267f77341900a41c

Download Submit
memory/1884-0-0x0000000074C60000-0x0000000074CAF000-memory.dmp

Filesize
316KB

Download
memory/1884-18-0x0000000074C60000-0x0000000074CAF000-memory.dmp

Filesize
316KB

Download
memory/1884-8-0x0000000074C60000-0x0000000074CAF000-memory.dmp

Filesize
316KB

Download
memory/1884-6-0x0000000074C75000-0x0000000074C76000-memory.dmp

Filesize
4KB

Download
memory/1884-3-0x0000000000400000-0x0000000000B8B000-memory.dmp

Filesize
7.5MB

Download
memory/1884-4-0x0000000061C00000-0x0000000061C9C000-memory.dmp

Filesize
624KB

Download
memory/1884-1-0x00007FFF9E5F0000-0x00007FFF9E7E8000-memory.dmp

Filesize
2.0MB

Download
memory/4712-17-0x00007FF64D2A0000-0x00007FF64D5B3000-memory.dmp

Filesize
3.1MB

Download
memory/4712-56-0x00007FF64D2A0000-0x00007FF64D5B3000-memory.dmp

Filesize
3.1MB

Download
memory/4712-21-0x00007FF64D2A0000-0x00007FF64D5B3000-memory.dmp

Filesize
3.1MB

Download
memory/4712-22-0x00007FF64D2A1000-0x00007FF64D4AC000-memory.dmp

Filesize
2.0MB

Download
memory/4712-10-0x00007FF64D2A0000-0x00007FF64D5B3000-memory.dmp

Filesize
3.1MB

Download
memory/4712-115-0x00007FF64D2A0000-0x00007FF64D5B3000-memory.dmp

Filesize
3.1MB

Download