redline | hxxps://download[.]tt2dd[.]com/

Resubmissions

22-05-2024 04:29

240522-e39m3aca78 10

11-05-2024 11:09

11-05-2024 10:59

09-05-2024 13:02

04-05-2024 06:42

02-05-2024 14:21

Analysis

max time kernel
153s
max time network
312s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
02-05-2024 14:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://download.tt2dd.com/

Score

10^/10

redline rajab infostealer

Malware Config

Extracted

Family

redline

Botnet

rajab

45.89.53.206:4663

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1956-353-0x00000000000D0000-0x0000000000122000-memory.dmp	family_redline
behavioral1/memory/1956-355-0x00000000000D0000-0x0000000000122000-memory.dmp	family_redline
behavioral1/memory/1956-356-0x00000000000D0000-0x0000000000122000-memory.dmp	family_redline

Enumerates processes with tasklist 1 TTPs 4 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exe

pid process

2708 tasklist.exe
2672 tasklist.exe
452 tasklist.exe
300 tasklist.exe

pid	process
2708	tasklist.exe
2672	tasklist.exe
452	tasklist.exe
300	tasklist.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

2220 PING.EXE
1840 PING.EXE
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exe

pid process

1652 chrome.exe
1652 chrome.exe
1652 chrome.exe
1652 chrome.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

7zFM.exe

pid process

2068 7zFM.exe

pid	process
2220	PING.EXE
1840	PING.EXE

pid	process
2068	7zFM.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe7zFM.exe

description	pid	process
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeRestorePrivilege	2068	7zFM.exe
Token: 35	2068	7zFM.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeSecurityPrivilege	2068	7zFM.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeSecurityPrivilege	2068	7zFM.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeSecurityPrivilege	2068	7zFM.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe

Suspicious use of FindShellTrayWindow 47 IoCs

Processes:

chrome.exe7zFM.exe

pid	process
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
2068	7zFM.exe
2068	7zFM.exe
2068	7zFM.exe
2068	7zFM.exe
2068	7zFM.exe

Suspicious use of SendNotifyMessage 32 IoCs

Processes:

chrome.exe

pid	process
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 1652 wrote to memory of 2172	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 2172	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 2172	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 2512	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 2512	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 2512	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 2512	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 2512	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 2512	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 2512	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 2512	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 2512	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 2512	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 2512	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 2512	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 2512	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 2512	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 2512	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 2512	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 2512	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 2512	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 2512	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 2512	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 2512	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 2512	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 2512	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 2512	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 2512	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 2512	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 2512	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 2512	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 2512	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 2512	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 2512	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 2512	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 2512	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 2512	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 2512	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 2512	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 2512	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 2512	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 2512	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 2808	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 2808	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 2808	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 2524	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 2524	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 2524	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 2524	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 2524	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 2524	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 2524	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 2524	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 2524	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 2524	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 2524	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 2524	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 2524	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 2524	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 2524	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 2524	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 2524	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 2524	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 2524	1652	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://download.tt2dd.com/
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef76c9758,0x7fef76c9768,0x7fef76c9778
  2⤵
  PID:2172
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1120 --field-trial-handle=1368,i,9321073404670048423,14774167145562133,131072 /prefetch:2
  2⤵
  PID:2512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1488 --field-trial-handle=1368,i,9321073404670048423,14774167145562133,131072 /prefetch:8
  2⤵
  PID:2808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1632 --field-trial-handle=1368,i,9321073404670048423,14774167145562133,131072 /prefetch:8
  2⤵
  PID:2524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2152 --field-trial-handle=1368,i,9321073404670048423,14774167145562133,131072 /prefetch:1
  2⤵
  PID:2888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2284 --field-trial-handle=1368,i,9321073404670048423,14774167145562133,131072 /prefetch:1
  2⤵
  PID:2908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1380 --field-trial-handle=1368,i,9321073404670048423,14774167145562133,131072 /prefetch:2
  2⤵
  PID:2940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3804 --field-trial-handle=1368,i,9321073404670048423,14774167145562133,131072 /prefetch:8
  2⤵
  PID:568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3368 --field-trial-handle=1368,i,9321073404670048423,14774167145562133,131072 /prefetch:8
  2⤵
  PID:3004
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Manual-Installer-V6.283878g98781110.tar.gz"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2068

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2784

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Manual-Installer-V6.283878g98781110\" -spe -an -ai#7zMap20060:132:7zEvent30541
1⤵
PID:1404

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:2872

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:2288

C:\Users\Admin\Downloads\Manual-Installer-V6.283878g98781110\Setup.exe
"C:\Users\Admin\Downloads\Manual-Installer-V6.283878g98781110\Setup.exe"
1⤵
PID:356
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c move Flu Flu.cmd && Flu.cmd
  2⤵
  PID:1964
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:2708
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "wrsa.exe opssvc.exe"
    3⤵
    PID:1972
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:2672
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
    3⤵
    PID:1236
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 4477764
    3⤵
    PID:1360
- - C:\Windows\SysWOW64\findstr.exe
    findstr /V "SENSORSALICEECUADORJAMAICA" Massive
    3⤵
    PID:1716
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b Hop + Stuart + Den + Lightweight + Metallic 4477764\j
    3⤵
    PID:2636
- - C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\4477764\Masturbating.pif
    4477764\Masturbating.pif 4477764\j
    3⤵
    PID:2136
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 5 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:2220

C:\Windows\system32\SndVol.exe
SndVol.exe -m 69273373
1⤵
PID:2836

C:\Users\Admin\Downloads\Manual-Installer-V6.283878g98781110\Setup.exe
"C:\Users\Admin\Downloads\Manual-Installer-V6.283878g98781110\Setup.exe"
1⤵
PID:2344
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c move Flu Flu.cmd && Flu.cmd
  2⤵
  PID:1312
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:452
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "wrsa.exe opssvc.exe"
    3⤵
    PID:1536
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:300
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
    3⤵
    PID:1404
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 4478684
    3⤵
    PID:1968
- - C:\Windows\SysWOW64\findstr.exe
    findstr /V "SENSORSALICEECUADORJAMAICA" Massive
    3⤵
    PID:2004
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b Hop + Stuart + Den + Lightweight + Metallic 4478684\j
    3⤵
    PID:2852
- - C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\4478684\Masturbating.pif
    4478684\Masturbating.pif 4478684\j
    3⤵
    PID:2056
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 5 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:1840

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\4477764\RegAsm.exe
"C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\4477764\RegAsm.exe"
1⤵
PID:1956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
750ade3220ea019b50ad4d926b02c453

SHA1
42427d954841a517d71d1eaa677853d1b750d9cb

SHA256
5676bc6c295dd75724c40d7fcc7112af64a84dc029925cdd9ed19663c17a1899

SHA512
4745add71198df0bec819c2085224f54d2f074f2264859b6741b625f3f06152c04aec22957091505fb450c5b3b8c03f0d7e861576cc49c6f0d3b50f54e110e3f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
1f7dcff5b0c005caf6d5525f51977ffd

SHA1
dfc5a55f0a94b18bdc39105c2efb5ae83a21b3d1

SHA256
cdfb0d39dd78d0063706277441373744e095a537de3d9043816632ea6fac9e4b

SHA512
3ef31e86e1af32badbcf06e260be1128cb0a62904fb319e995927ed54de5652c988ed8de2b71cfb1daa3559533531c9aea204f37913e7d3d6bd2b1aa3a1a909e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
845daf0ab9efe8fe1e108d24dd018591

SHA1
7577861edfa67b48e81609c92bf4ec4424dd949f

SHA256
703272461b424413a4cc39a725f47bedddc69ef0101a51f4e4c797e7bbc34f36

SHA512
2fea715ee03eba839fa1a1f2f7743d71f2358576dfc5ba7f132973dc190d275e31c7332277e1f67e4b6b3efd85278673d94b46fd7320f39dd58445cd043e1160

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\edc503e0-c4f7-40bb-832d-93a0d26eed1a.tmp

Filesize
6KB

MD5
e6b343f0a5ee2499571e1ac5120eb3ca

SHA1
a146f5c18f538ef7c3aca3401725cd5ca09d72ff

SHA256
679e10fd9d8ca5d9013563c3a4adc8fc3eab0c2ef7c68f0ce5a18aa2ff7c9fc2

SHA512
66aaf3d4c5930d766d91c5b393ff2682eded183e95a46ae6cba9ffad31a8c962fbcabd8cebddaff7111a9f0605db34e4b7792314de6d023c34bebf035c13790f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\4477764\j

Filesize
425KB

MD5
4b4f86ad7203f525253d3d01566391d8

SHA1
a89e684e1841e2c1bedd38234ab9d636862f177a

SHA256
120f7c4cad476f254ea5e757eb0d6cf36d64f900775c438e745007af2a735122

SHA512
b7cb135d16027182805c74679930c19e6075ecbf1d857fde735966e9273c5b4e8b5b0c5863dfe71fcb4af25c8cc68712a9238154bdc83e154b2240ee0c20eab2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Americans

Filesize
166KB

MD5
f753d86ec907939c8471850ce2a79036

SHA1
22f07dc2373730f8d146ef7b9d58a212bee0c193

SHA256
6c6a50fc1900ec8d5fdb9ed6e3c337b63af96a75c74587d2e5d5c89d8d738def

SHA512
36e6146ce600bc0035eb526f6fdc6bffd90caf34a345504fb44e46100f41decc9e6a55736cecd5901152e39521418e10e2884dbe439fe2b91934447a3853d6e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Aruba

Filesize
112KB

MD5
e914b530dd18a000b39ce75d203b784e

SHA1
4e7f2d318cd32ad01b4d94071839ba9b50543212

SHA256
dec10daacfe6e37bc50bb3bb6b76550ed802892f3a71beb3449cfbfbea607259

SHA512
3d2e1b74660401c151583e78ef60f53b1168520552e4ae190853ca6eca760dd4a701280a1b2af8a2b00a81744b08caaa988aaf77afb4335a2669c41f54fd4c75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Beats

Filesize
97KB

MD5
2885880aa38707935c64f6b3c7800f96

SHA1
85ee867d80b9cfb1f138e3b0c0ea2a2f1ed6dca6

SHA256
373bbb960914f99e82bebf4fb13f6d0c16302ac73bfee987af7cc7023f799f6e

SHA512
ba0a1f2f5478db647bea242b4170d2e505f899fc98c4b11d145395a17f638ba3ac828b96fd6a7b94c744d8176152bc47c5b32b00180e489926c1f6a8e718cf16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Coordinated

Filesize
159KB

MD5
03371e3e51103446a7d61646e6f4ebcc

SHA1
dc28eaa3711df1e414821af095a76f34ad7f8e44

SHA256
7008ac7fc2af470979e94eedf52d823f9dd3b3e1ff1d5a7914cbc0828d4832d5

SHA512
ab3abcea08a0a773014c7a22db3507c01635dbb43adff7dbf2253009335a2568c5603ebba9fac4fdedc7bc49d343436d6afb01649dcb9c071fe92cda2cb2d9ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Den

Filesize
99KB

MD5
82624b0ef5a2c57dad2a45392448a9b5

SHA1
e1f7ec58be7d744ea1aabe7d729cb8ceb0646511

SHA256
b8942ea1759d5712ba6722bd2019493217283471bf09e11a393cbd21e81e954f

SHA512
5d16be6a7aeadc1ab43207643578446a2b86bb4d894d4a44c02667065de1cac22ec8a2cccb8dca1dbc42bf2e3989b59053c2671ec30193d7475e252d1748fa4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Enhancements

Filesize
98KB

MD5
d698989610711e4b765d0f022feafecf

SHA1
859c28dcf1a2887606b180e8e8c5ef12e5dc18bc

SHA256
0b590a30e29b1d351a558db539a420e83bd4c490c9792f584b9f66b6ea4850e8

SHA512
f83c42df6e749664fd5e1f264cad212e6fbb666fe864e6abdb0fba0a15a465cdf62366fd83768caa70a36f881e19c3f76941b7a68835c01dbc62dba779d7961d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Flu

Filesize
18KB

MD5
7e7ce927035274de652713d2e76a48d8

SHA1
a3aaf56ebe58d2fad03a6d2adab5c6140497386d

SHA256
d8110e2ea63fc466cda2945d1ce15f3a330ff263e1e9fd99b2075e06d2132ecf

SHA512
af09e9d0de2743c976488c473cb0c71724cb2e4ff58ae37595f6df13e4c1b4e50a7d349f7b3dcd65eb2eb55e12140f927165a09e2ac402706de9d81eedd400a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Frankfurt

Filesize
202KB

MD5
23b74e5504f3aec97990cf2566590916

SHA1
5a58935fc51697df3d41e6439ecd4aba0f2732a7

SHA256
5a9cdc044add9a81bab24db70c7b8aec1c4936f4a706cbeb12d4e5cca7c98163

SHA512
941268012c574bf3411708ca932b38185535978e8149d69a9fce81b8e727471ebc063503cf40dcf70aaeb2c317e065971e1e2227f67f5a5142e729f230d95a29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Hop

Filesize
64KB

MD5
7ebc57599cccec5284f3d1ddc8c8894d

SHA1
152812380c876e6083c55da5f51f05502033d48a

SHA256
bbfc1a4903a574e59b782b0c380b53fdcc6c5374708777ae6b3d6a9a5f1b10ba

SHA512
8067f2b5fb4821ca57ee00ef90ece08875356e96f62501bfec5fc2763a93e8c78919dea6d75cb6e515e94f5fb0497784ff5ca5e2d737ec02430374834d902b32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Lightweight

Filesize
63KB

MD5
780d5012edd68b16d7b184f4181021b5

SHA1
20f9f80a29297c85c92ee2c70d2ec36ccff87593

SHA256
40fc7cd83e83ba95fc5b1af629dbb8c7fa3020782badbb6088f0f90f52cc4cc3

SHA512
04b00d79594dd919d165117c09b65e091a49ccecb6e5a0ada1d8615c289268e69d9c0463e89986baf28d7de8a38f7920edecd1d5bae4661a28e0c83ccab67b3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Massive

Filesize
132B

MD5
d1b987734c4107491262869203ea885d

SHA1
a77977d58281980a0205f883d12e5a9567ed3c57

SHA256
d52ead1f44490d46259b0be6ecfacbf12f587c3e86ca8a93f29357b50f0d834d

SHA512
239c91c71c99d6b30e503dd8c4780303bf68e0c01bccd8e1abe11b249f7413667ea7b863d9f20a39875e93ad1e80a811e79b34f386991d2f7a4ba9bc07379b91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Metallic

Filesize
100KB

MD5
f266514e1e9922b935796d012d03add5

SHA1
a5441cf2010d07a3c005c1f3f71e867789f87730

SHA256
23058c81207b6d1044c40793e021782b849245293742883a050999d98174a12a

SHA512
165e8928844e2a3e912afa09dda4356bc31bf4a2c00b54ff98dd52390c23a99b18c811ba48431d87c9b247d0850748d10906e1dff0d99ed2c28adbd004416b47

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Neural

Filesize
19KB

MD5
89a81cf3771cfff9ee01f2423480907e

SHA1
a5e8faa5c7c90410416f8aed827ca5141ec5a673

SHA256
2c360e946acdf604c7b7f9fa9a3fefe55a206034e39dd1c0e92e9280c63e9dd0

SHA512
c0b37b6af7a1d44889e1ac39ff5d67b2324f14f8af9c3ea1522bcc4a8c70d364d510b61c9b70bc1d4fdd582826c400d0311f5b5cdb7415eaab13732b961648f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Spyware

Filesize
6KB

MD5
53d60db40a582d66f6f0b2c18a2a00a0

SHA1
045e8decf2c5ed2199512646ebafa2e9c3e3b08b

SHA256
9322a9ff1608d3cba130f6d09d90d33af2946f501960124e9418b603ca6e4528

SHA512
f3d4d40de2796506a0b470c6473a4cd0c17adf601078bad766a0005f91a71568472a3ae05ebcd4b31eea1530dcf84a985a1944a80860b065303bacc210fb1705

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Stuart

Filesize
99KB

MD5
75dfcf3a58bff19cb1e08e64cb37e672

SHA1
4ef53d554be37c3b82b54d1e4761c19ccfacb50a

SHA256
01a421b0dd3a357c5d740650c0f579c0c9e4b22bf94834ee575a0da69d5de3bc

SHA512
f6be9514b81a9353f57a571460d1a85d9473546ba2b097309ff0e6ec17d3efa432353e3232605039d44de98ba2fd42f811a9db5903b4eddea25a744e006e7f2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Tone

Filesize
13KB

MD5
7b6ee2eb9f85cb183210389b0b0a5674

SHA1
3922d0f86ca2b75ca6137da65bfe10ff29474495

SHA256
b6b91987a4a2dd89040fe8f22febfbfd91a764368b192ba91eea54acc7bc946a

SHA512
ddc6090e1510d9793131e1ba4eb92fba589faba7e3e9851df337e2ce85b6952e2218194ea56ab54bc52d0a9aa156e063d0074aa8887b986fffa6dd4b15eb639e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpC62D.tmp

Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
C:\Users\Admin\Downloads\Manual-Installer-V6.283878g98781110.tar.gz

Filesize
1.5MB

MD5
2942f277bb2cd54bb0b81996d42f7802

SHA1
abdfb88cb8b72e8a20c8fa3483c5e5dfdadf7661

SHA256
2caf0bb99ff4712b202bd2b51e24d70de8a2adb4b1aaba3d9394a40b32441254

SHA512
39a56ef1fa3cb03954c6adfe8df540f0b79aa62c043d6a1a2806b92fac774d658c1969a964cc7dab962480ec313b879f7b0657bbf19d49a959e9a625e39244ac

Download Submit
C:\Users\Admin\Downloads\Manual-Installer-V6.283878g98781110\bin\Debug\AxInterop.WMPLib.dll

Filesize
52KB

MD5
8314c1c68e3b3a1299dea6dd6d72481d

SHA1
5e76211c54647ad063966f0e9e48c6dbfbaaf97f

SHA256
78fa2eb63e55f1627d4f74e0f1c58d11a90611b7d756bdf3194f38776b2c3b78

SHA512
be8c454093b5047b7e0e7caf78dcd03e4d240b186d5f19eab69e00a9f6e7f9f638e45788880d87b50aa66028bf00f3334dc15b4a95ae860e39e7b8ac37f28f29

Download Submit
C:\Users\Admin\Downloads\Manual-Installer-V6.283878g98781110\bin\Debug\Interop.WMPLib.dll

Filesize
323KB

MD5
080765723df758e60fe61498ae0f2cba

SHA1
ff6bd0f8defe6ee844ddcde416176dc900b07293

SHA256
b06b558ace77acc8737ef0a9573c965b9c841f3569a694bfb468872b589d94d9

SHA512
51bde71b374e76e57b4406c3eb5a03e839673586bfb508f15383995b979d26cbc58923aa93be004ac1d57183e6a686870127cda1a939ae570c22ff74f045e3c6

Download Submit
C:\Users\Admin\Downloads\Manual-Installer-V6.283878g98781110\bin\Debug\MusicPlayerApp.exe

Filesize
12KB

MD5
07902ccf8de472410921d9c227b17f4c

SHA1
a2c1bc9031eec1930bb5864f81be8c67b609e660

SHA256
562a9b6db51783eb0c71b243c39c359d218b72ee6a6bb1508cc64465f8d4893a

SHA512
4631d0e1a79ea59f2a53bfac28e61d730618dd5ca00558cf41cb2793c8b3dbe325cf14b060ef106f78813dac6a21d6482cd234919eb87f60f10e77bd27e4a813

Download Submit
C:\Users\Admin\Downloads\Manual-Installer-V6.283878g98781110\bin\Debug\MusicPlayerApp.pdb

Filesize
21KB

MD5
06bcd2145d13606fad3f92e2204e9bc3

SHA1
2aa3da2b78d3f17d7b653c3deb10b6e8ca02e470

SHA256
a822c1e5704b39785232a335543de5e8120cd9b971113eac1059e6bbbb7225fd

SHA512
3231875b841d7764917ed88e6a9dd9fb614b2b40406be37812cf2293b87d8f1444184d029a94b4bb8e722efd46dbeb0548fc855c7f55fb9c055c3f238967faed

Download Submit
C:\Users\Admin\Downloads\bin\Debug\MusicPlayerApp.vshost.exe.config

Filesize
184B

MD5
28960c034283c54b6f70673f77fd07fa

SHA1
914b9e3f9557072ea35ec5725d046b825ef8b918

SHA256
8d65429e0b2a82c11d3edc4ea04ed200aedfea1d7ef8b984e88a8e97cff54770

SHA512
d30dd93457a306d737aac32c0944880517ed4c3e8f2d1650ffca6c1d98e892082b41b40fb89ccf75d5f03d2464b0b4f943cd4b082071f0abfe978d149bd61479

Download Submit
\??\pipe\crashpad_1652_UTXVNTLBEGYZMFQS

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\4477764\Masturbating.pif

Filesize
872KB

MD5
6ee7ddebff0a2b78c7ac30f6e00d1d11

SHA1
f2f57024c7cc3f9ff5f999ee20c4f5c38bfc20a2

SHA256
865347471135bb5459ad0e647e75a14ad91424b6f13a5c05d9ecd9183a8a1cf4

SHA512
57d56de2bb882f491e633972003d7c6562ef2758c3731b913ff4d15379ada575062f4de2a48ca6d6d9241852a5b8a007f52792753fd8d8fee85b9a218714efd0

Download Submit
\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\4477764\RegAsm.exe

Filesize
63KB

MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
memory/1956-353-0x00000000000D0000-0x0000000000122000-memory.dmp

Filesize
328KB

Download
memory/1956-355-0x00000000000D0000-0x0000000000122000-memory.dmp

Filesize
328KB

Download
memory/1956-356-0x00000000000D0000-0x0000000000122000-memory.dmp

Filesize
328KB

Download
memory/2872-244-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2872-304-0x0000000002050000-0x0000000002060000-memory.dmp

Filesize
64KB

Download
memory/2872-245-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download