hxxps://download[.]tt2dd[.]com/

Resubmissions

22-05-2024 04:29

240522-e39m3aca78 10

11-05-2024 11:09

11-05-2024 10:59

09-05-2024 13:02

04-05-2024 06:42

02-05-2024 14:21

Analysis

max time kernel
409s
max time network
394s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
02-05-2024 14:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://download.tt2dd.com/

Score

10^/10

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

Masturbating.pif

description pid process target process

PID 3304 created 3460 3304 Masturbating.pif Explorer.EXE
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

Setup.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation Setup.exe
Executes dropped EXE 2 IoCs

Processes:

Setup.exeMasturbating.pif

pid process

3064 Setup.exe
3304 Masturbating.pif
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

5100 tasklist.exe
4436 tasklist.exe

description	pid	process	target process
PID 3304 created 3460	3304	Masturbating.pif	Explorer.EXE

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	Setup.exe

pid	process
3064	Setup.exe
3304	Masturbating.pif

pid	process
5100	tasklist.exe
4436	tasklist.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133591333275664676"	chrome.exe

Modifies registry class 1 IoCs

Processes:

chrome.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings chrome.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3248 PING.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	chrome.exe

pid	process
3248	PING.EXE

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

chrome.exechrome.exeMasturbating.pif

pid	process
2344	chrome.exe
2344	chrome.exe
4112	chrome.exe
4112	chrome.exe
3304	Masturbating.pif
3304	Masturbating.pif
3304	Masturbating.pif
3304	Masturbating.pif
3304	Masturbating.pif
3304	Masturbating.pif
3304	Masturbating.pif
3304	Masturbating.pif
3304	Masturbating.pif
3304	Masturbating.pif
3304	Masturbating.pif
3304	Masturbating.pif
3304	Masturbating.pif
3304	Masturbating.pif

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

chrome.exe

pid process

2344 chrome.exe
2344 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeCreatePagefilePrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeCreatePagefilePrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeCreatePagefilePrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeCreatePagefilePrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeCreatePagefilePrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeCreatePagefilePrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeCreatePagefilePrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeCreatePagefilePrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeCreatePagefilePrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeCreatePagefilePrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeCreatePagefilePrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeCreatePagefilePrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeCreatePagefilePrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeCreatePagefilePrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeCreatePagefilePrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeCreatePagefilePrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeCreatePagefilePrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeCreatePagefilePrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeCreatePagefilePrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeCreatePagefilePrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeCreatePagefilePrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeCreatePagefilePrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeCreatePagefilePrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeCreatePagefilePrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeCreatePagefilePrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeCreatePagefilePrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeCreatePagefilePrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeCreatePagefilePrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeCreatePagefilePrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeCreatePagefilePrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeCreatePagefilePrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeCreatePagefilePrivilege	2344	chrome.exe

Suspicious use of FindShellTrayWindow 38 IoCs

Processes:

chrome.exe7zG.exe7zG.exeMasturbating.pif

pid	process
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
1396	7zG.exe
2764	7zG.exe
3304	Masturbating.pif
3304	Masturbating.pif
3304	Masturbating.pif

Suspicious use of SendNotifyMessage 27 IoCs

Processes:

chrome.exeMasturbating.pif

pid	process
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
3304	Masturbating.pif
3304	Masturbating.pif
3304	Masturbating.pif

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 2344 wrote to memory of 1164	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 1164	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 1784	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 1784	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 1784	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 1784	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 1784	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 1784	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 1784	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 1784	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 1784	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 1784	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 1784	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 1784	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 1784	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 1784	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 1784	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 1784	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 1784	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 1784	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 1784	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 1784	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 1784	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 1784	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 1784	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 1784	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 1784	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 1784	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 1784	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 1784	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 1784	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 1784	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 1784	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 3176	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 3176	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 1872	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 1872	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 1872	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 1872	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 1872	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 1872	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 1872	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 1872	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 1872	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 1872	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 1872	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 1872	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 1872	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 1872	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 1872	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 1872	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 1872	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 1872	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 1872	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 1872	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 1872	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 1872	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 1872	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 1872	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 1872	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 1872	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 1872	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 1872	2344	chrome.exe	chrome.exe
PID 2344 wrote to memory of 1872	2344	chrome.exe	chrome.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3460

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://download.tt2dd.com/
2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2344

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc76f9ab58,0x7ffc76f9ab68,0x7ffc76f9ab78
3⤵
PID:1164

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1596 --field-trial-handle=1892,i,10581494066230559856,4539980887754945946,131072 /prefetch:2
3⤵
PID:1784

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=1892,i,10581494066230559856,4539980887754945946,131072 /prefetch:8
3⤵
PID:3176

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2228 --field-trial-handle=1892,i,10581494066230559856,4539980887754945946,131072 /prefetch:8
3⤵
PID:1872

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3040 --field-trial-handle=1892,i,10581494066230559856,4539980887754945946,131072 /prefetch:1
3⤵
PID:3508

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3048 --field-trial-handle=1892,i,10581494066230559856,4539980887754945946,131072 /prefetch:1
3⤵
PID:4052

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4448 --field-trial-handle=1892,i,10581494066230559856,4539980887754945946,131072 /prefetch:8
3⤵
PID:3820

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4668 --field-trial-handle=1892,i,10581494066230559856,4539980887754945946,131072 /prefetch:8
3⤵
PID:5052

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=212 --field-trial-handle=1892,i,10581494066230559856,4539980887754945946,131072 /prefetch:8
3⤵
PID:3224

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5100 --field-trial-handle=1892,i,10581494066230559856,4539980887754945946,131072 /prefetch:8
3⤵
PID:3564

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4240 --field-trial-handle=1892,i,10581494066230559856,4539980887754945946,131072 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4112

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3028 --field-trial-handle=1892,i,10581494066230559856,4539980887754945946,131072 /prefetch:8
3⤵
PID:3556

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Manual-Installer-V6.283878g98781110.tar\" -spe -an -ai#7zMap16728:138:7zEvent23127
2⤵
- Suspicious use of FindShellTrayWindow
PID:1396

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Manual-Installer-V6.283878g98781110.tar\Manual-Installer-V6.283878g98781110\" -spe -an -ai#7zMap10950:212:7zEvent24658
2⤵
- Suspicious use of FindShellTrayWindow
PID:2764

C:\Users\Admin\Downloads\Manual-Installer-V6.283878g98781110.tar\Manual-Installer-V6.283878g98781110\Setup.exe
"C:\Users\Admin\Downloads\Manual-Installer-V6.283878g98781110.tar\Manual-Installer-V6.283878g98781110\Setup.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
PID:3064

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c move Flu Flu.cmd && Flu.cmd
3⤵
PID:3932

C:\Windows\SysWOW64\tasklist.exe
tasklist
4⤵
- Enumerates processes with tasklist
PID:5100

C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
4⤵
PID:4912

C:\Windows\SysWOW64\tasklist.exe
tasklist
4⤵
- Enumerates processes with tasklist
PID:4436

C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
4⤵
PID:3580

C:\Windows\SysWOW64\cmd.exe
cmd /c md 4481714
4⤵
PID:2916

C:\Windows\SysWOW64\findstr.exe
findstr /V "SENSORSALICEECUADORJAMAICA" Massive
4⤵
PID:2408

C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Hop + Stuart + Den + Lightweight + Metallic 4481714\j
4⤵
PID:1964

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4481714\Masturbating.pif
4481714\Masturbating.pif 4481714\j
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3304

C:\Windows\SysWOW64\PING.EXE
ping -n 5 127.0.0.1
4⤵
- Runs ping.exe
PID:3248

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4481714\RegAsm.exe
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4481714\RegAsm.exe
2⤵
PID:2840

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:3248

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
129754b5b23bddb732309be54363335f

SHA1
fc9ce2c6a9326c0e35d24803e5dd8639359cbd32

SHA256
06c81b4574b90b27f644fa76c0eb2d0b19dd48c0e51e99ad1d398573f0cb088e

SHA512
f7e1fdde16cd5863d83fb920b7872fbe94ce7ddae8f0ca72d611a13c3b4ab632d1ec5c1b864cdc8e14cb559428c16d6cdb2be496b9d12277438e6055261c2479

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
ec21a1d11603ca8f5faed7c7698e914c

SHA1
7972da32c7fd3807817c494fc92658d2d066a024

SHA256
eb4dc9e79dba69824f874e0ae8fb31b109068ad13bd76fe5775c9db5ddd758e8

SHA512
ce732c72e73959b39ef9718669c55403fa1cbaf9bb0ee32238920c3d7465bd1dd2aa8e22293fe869889560a011d10401f637a7458ea26a025f5e3ec715351c41

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
523B

MD5
033714f0722f40d5c742ddd1f748094c

SHA1
a369cdca0245f8545eb6b841b6c4a87cc800a65b

SHA256
496a45600213e8825f1b5bb764ff1506b19c60a827b9daebd0d065b1a6c0b109

SHA512
3c16ac93d1175af3c46c26f84e88069ce3fc60e6ae90f2555930b49aaf42451175cc0b8a81efa74e698a647aca51fe5c8527cfe179bae364a0fd5da11137fcfe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
523B

MD5
234b985b5a77602e2b7e4dbccc5f2cc6

SHA1
11b8db01d94f5a9a1af33432f84ef5cb495a2c80

SHA256
81594528bec5584a416f0c2a69e29844f3bc807fca674d788d2d264e3d7eb3fe

SHA512
06a649cc4d075468fc88f2f248ddc7183ed6fe7e3adcc478ebbd5ac38a8b68d5d4a95b0c097bf05c7cbcdbcd96eb7a7677a53cc50a5217373cf5841b6ccb39f7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
24b5b4b65fa417c9087e58c43afd40a3

SHA1
5d2b1792eefb87fd153b0e980ba0d6bce3970011

SHA256
0db23e56cc956a1c6d55d4bd6c5b1d81d200cf840f34ec09df4b756e2aab1fb9

SHA512
f363bb168acb08237065612aafc93f902536012deaadc2a8ef5a235e3e47b9cc16618d40c569cf19b930387eb3b01185f90fd4396250eab11605b0d52deac805

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
64767bbcd9eda4cccaed6160eb0ecd55

SHA1
92be4c5113c3b9c511210cb019d3a807359d9625

SHA256
40919f318c6e8f35b923aa6bfce4888891d212a92b77bd812178a9dcfdfe843a

SHA512
446e46aefd74ad08e0e23b201e2de78027b80fd5cbad7425c02b1b1c810afaebf58d1288f75628404c107e04fefc5477a1032a27f897ec692bd47e1e3669a348

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
130KB

MD5
55f02759c81b7beb897d1eab38869942

SHA1
05b5a6d0ee150be6ac4f105fa3ef4965c92a0deb

SHA256
632a5c5bf73b103c00c6a070a13f28a5a30eb10dff3c82d312e39f954e6e77fc

SHA512
b8e5be7c9af1ffbce11711e370cf25ddc5b5cac7852ccf7c77d9dfdebf5da34ddfe24047bce7c689163755ec14038afeae1e1c3c2d5d02ad4a8cc5c7d889ef6b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
94KB

MD5
83d4e984f2aae969af16bee7638bdd27

SHA1
399e715c723b7fb908b44f84c5d6b7fd3ca52e5c

SHA256
05c838aa8cb3108aa501d4f28579c36daebd28e011e375e4983c13c416e94def

SHA512
32a37c4862fae3078b7ed4fc8c976dcc633211e6c2b41976c342056c271ef81e9ff15e4abd0de8e0e551fee77d3cf7cb99843e1f5b892b6f256ca8f56d71c48f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
98KB

MD5
c4f179889482b22e86eafa0355a6b069

SHA1
36f73c8dd3f04f17f142b654d3fec71df8294670

SHA256
a31ad1b3295c8584d5ec0e94e8c9300601b2e4af4d362311df011a631ff3fd65

SHA512
f505d6eb51f38e2ee2ca98cdd1395bf11d3fe45b04ad4d45c94fa9f34e2e8d17076889977f19d4ea178d04517cdef5a0276e4d0b3dd4313e8c9e6eee0491f28e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe587ad8.TMP
Filesize
88KB

MD5
550d0636e8252c2dbed031c5d4ba8182

SHA1
8c176c7637b05276afd97a6a77968c0be4be6bce

SHA256
50ce7aec113a76a73faf3ddcdc952916ced6a345ae9854af3240674a3dd09e36

SHA512
3d0a6c417a8e8fe17a5efbcfac1327c9938017ad91f9828c67e35567280915e2c07121a7b96ff2b956341056a644183910e28e872039440476db40ef4a49fd5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4481714\Masturbating.pif
Filesize
872KB

MD5
6ee7ddebff0a2b78c7ac30f6e00d1d11

SHA1
f2f57024c7cc3f9ff5f999ee20c4f5c38bfc20a2

SHA256
865347471135bb5459ad0e647e75a14ad91424b6f13a5c05d9ecd9183a8a1cf4

SHA512
57d56de2bb882f491e633972003d7c6562ef2758c3731b913ff4d15379ada575062f4de2a48ca6d6d9241852a5b8a007f52792753fd8d8fee85b9a218714efd0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4481714\j
Filesize
425KB

MD5
4b4f86ad7203f525253d3d01566391d8

SHA1
a89e684e1841e2c1bedd38234ab9d636862f177a

SHA256
120f7c4cad476f254ea5e757eb0d6cf36d64f900775c438e745007af2a735122

SHA512
b7cb135d16027182805c74679930c19e6075ecbf1d857fde735966e9273c5b4e8b5b0c5863dfe71fcb4af25c8cc68712a9238154bdc83e154b2240ee0c20eab2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Americans
Filesize
166KB

MD5
f753d86ec907939c8471850ce2a79036

SHA1
22f07dc2373730f8d146ef7b9d58a212bee0c193

SHA256
6c6a50fc1900ec8d5fdb9ed6e3c337b63af96a75c74587d2e5d5c89d8d738def

SHA512
36e6146ce600bc0035eb526f6fdc6bffd90caf34a345504fb44e46100f41decc9e6a55736cecd5901152e39521418e10e2884dbe439fe2b91934447a3853d6e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Aruba
Filesize
112KB

MD5
e914b530dd18a000b39ce75d203b784e

SHA1
4e7f2d318cd32ad01b4d94071839ba9b50543212

SHA256
dec10daacfe6e37bc50bb3bb6b76550ed802892f3a71beb3449cfbfbea607259

SHA512
3d2e1b74660401c151583e78ef60f53b1168520552e4ae190853ca6eca760dd4a701280a1b2af8a2b00a81744b08caaa988aaf77afb4335a2669c41f54fd4c75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Beats
Filesize
97KB

MD5
2885880aa38707935c64f6b3c7800f96

SHA1
85ee867d80b9cfb1f138e3b0c0ea2a2f1ed6dca6

SHA256
373bbb960914f99e82bebf4fb13f6d0c16302ac73bfee987af7cc7023f799f6e

SHA512
ba0a1f2f5478db647bea242b4170d2e505f899fc98c4b11d145395a17f638ba3ac828b96fd6a7b94c744d8176152bc47c5b32b00180e489926c1f6a8e718cf16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Coordinated
Filesize
159KB

MD5
03371e3e51103446a7d61646e6f4ebcc

SHA1
dc28eaa3711df1e414821af095a76f34ad7f8e44

SHA256
7008ac7fc2af470979e94eedf52d823f9dd3b3e1ff1d5a7914cbc0828d4832d5

SHA512
ab3abcea08a0a773014c7a22db3507c01635dbb43adff7dbf2253009335a2568c5603ebba9fac4fdedc7bc49d343436d6afb01649dcb9c071fe92cda2cb2d9ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Den
Filesize
99KB

MD5
82624b0ef5a2c57dad2a45392448a9b5

SHA1
e1f7ec58be7d744ea1aabe7d729cb8ceb0646511

SHA256
b8942ea1759d5712ba6722bd2019493217283471bf09e11a393cbd21e81e954f

SHA512
5d16be6a7aeadc1ab43207643578446a2b86bb4d894d4a44c02667065de1cac22ec8a2cccb8dca1dbc42bf2e3989b59053c2671ec30193d7475e252d1748fa4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Enhancements
Filesize
98KB

MD5
d698989610711e4b765d0f022feafecf

SHA1
859c28dcf1a2887606b180e8e8c5ef12e5dc18bc

SHA256
0b590a30e29b1d351a558db539a420e83bd4c490c9792f584b9f66b6ea4850e8

SHA512
f83c42df6e749664fd5e1f264cad212e6fbb666fe864e6abdb0fba0a15a465cdf62366fd83768caa70a36f881e19c3f76941b7a68835c01dbc62dba779d7961d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Flu
Filesize
18KB

MD5
7e7ce927035274de652713d2e76a48d8

SHA1
a3aaf56ebe58d2fad03a6d2adab5c6140497386d

SHA256
d8110e2ea63fc466cda2945d1ce15f3a330ff263e1e9fd99b2075e06d2132ecf

SHA512
af09e9d0de2743c976488c473cb0c71724cb2e4ff58ae37595f6df13e4c1b4e50a7d349f7b3dcd65eb2eb55e12140f927165a09e2ac402706de9d81eedd400a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Frankfurt
Filesize
202KB

MD5
23b74e5504f3aec97990cf2566590916

SHA1
5a58935fc51697df3d41e6439ecd4aba0f2732a7

SHA256
5a9cdc044add9a81bab24db70c7b8aec1c4936f4a706cbeb12d4e5cca7c98163

SHA512
941268012c574bf3411708ca932b38185535978e8149d69a9fce81b8e727471ebc063503cf40dcf70aaeb2c317e065971e1e2227f67f5a5142e729f230d95a29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Hop
Filesize
64KB

MD5
7ebc57599cccec5284f3d1ddc8c8894d

SHA1
152812380c876e6083c55da5f51f05502033d48a

SHA256
bbfc1a4903a574e59b782b0c380b53fdcc6c5374708777ae6b3d6a9a5f1b10ba

SHA512
8067f2b5fb4821ca57ee00ef90ece08875356e96f62501bfec5fc2763a93e8c78919dea6d75cb6e515e94f5fb0497784ff5ca5e2d737ec02430374834d902b32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Lightweight
Filesize
63KB

MD5
780d5012edd68b16d7b184f4181021b5

SHA1
20f9f80a29297c85c92ee2c70d2ec36ccff87593

SHA256
40fc7cd83e83ba95fc5b1af629dbb8c7fa3020782badbb6088f0f90f52cc4cc3

SHA512
04b00d79594dd919d165117c09b65e091a49ccecb6e5a0ada1d8615c289268e69d9c0463e89986baf28d7de8a38f7920edecd1d5bae4661a28e0c83ccab67b3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Massive
Filesize
132B

MD5
d1b987734c4107491262869203ea885d

SHA1
a77977d58281980a0205f883d12e5a9567ed3c57

SHA256
d52ead1f44490d46259b0be6ecfacbf12f587c3e86ca8a93f29357b50f0d834d

SHA512
239c91c71c99d6b30e503dd8c4780303bf68e0c01bccd8e1abe11b249f7413667ea7b863d9f20a39875e93ad1e80a811e79b34f386991d2f7a4ba9bc07379b91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Metallic
Filesize
100KB

MD5
f266514e1e9922b935796d012d03add5

SHA1
a5441cf2010d07a3c005c1f3f71e867789f87730

SHA256
23058c81207b6d1044c40793e021782b849245293742883a050999d98174a12a

SHA512
165e8928844e2a3e912afa09dda4356bc31bf4a2c00b54ff98dd52390c23a99b18c811ba48431d87c9b247d0850748d10906e1dff0d99ed2c28adbd004416b47

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Neural
Filesize
19KB

MD5
89a81cf3771cfff9ee01f2423480907e

SHA1
a5e8faa5c7c90410416f8aed827ca5141ec5a673

SHA256
2c360e946acdf604c7b7f9fa9a3fefe55a206034e39dd1c0e92e9280c63e9dd0

SHA512
c0b37b6af7a1d44889e1ac39ff5d67b2324f14f8af9c3ea1522bcc4a8c70d364d510b61c9b70bc1d4fdd582826c400d0311f5b5cdb7415eaab13732b961648f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Spyware
Filesize
6KB

MD5
53d60db40a582d66f6f0b2c18a2a00a0

SHA1
045e8decf2c5ed2199512646ebafa2e9c3e3b08b

SHA256
9322a9ff1608d3cba130f6d09d90d33af2946f501960124e9418b603ca6e4528

SHA512
f3d4d40de2796506a0b470c6473a4cd0c17adf601078bad766a0005f91a71568472a3ae05ebcd4b31eea1530dcf84a985a1944a80860b065303bacc210fb1705

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Stuart
Filesize
99KB

MD5
75dfcf3a58bff19cb1e08e64cb37e672

SHA1
4ef53d554be37c3b82b54d1e4761c19ccfacb50a

SHA256
01a421b0dd3a357c5d740650c0f579c0c9e4b22bf94834ee575a0da69d5de3bc

SHA512
f6be9514b81a9353f57a571460d1a85d9473546ba2b097309ff0e6ec17d3efa432353e3232605039d44de98ba2fd42f811a9db5903b4eddea25a744e006e7f2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Tone
Filesize
13KB

MD5
7b6ee2eb9f85cb183210389b0b0a5674

SHA1
3922d0f86ca2b75ca6137da65bfe10ff29474495

SHA256
b6b91987a4a2dd89040fe8f22febfbfd91a764368b192ba91eea54acc7bc946a

SHA512
ddc6090e1510d9793131e1ba4eb92fba589faba7e3e9851df337e2ce85b6952e2218194ea56ab54bc52d0a9aa156e063d0074aa8887b986fffa6dd4b15eb639e

Download Submit
C:\Users\Admin\Downloads\Manual-Installer-V6.283878g98781110.tar.gz
Filesize
1.5MB

MD5
2942f277bb2cd54bb0b81996d42f7802

SHA1
abdfb88cb8b72e8a20c8fa3483c5e5dfdadf7661

SHA256
2caf0bb99ff4712b202bd2b51e24d70de8a2adb4b1aaba3d9394a40b32441254

SHA512
39a56ef1fa3cb03954c6adfe8df540f0b79aa62c043d6a1a2806b92fac774d658c1969a964cc7dab962480ec313b879f7b0657bbf19d49a959e9a625e39244ac

Download Submit
C:\Users\Admin\Downloads\Manual-Installer-V6.283878g98781110.tar\Manual-Installer-V6.283878g98781110\bin\Debug\MusicPlayerApp.vshost.exe.config
Filesize
184B

MD5
28960c034283c54b6f70673f77fd07fa

SHA1
914b9e3f9557072ea35ec5725d046b825ef8b918

SHA256
8d65429e0b2a82c11d3edc4ea04ed200aedfea1d7ef8b984e88a8e97cff54770

SHA512
d30dd93457a306d737aac32c0944880517ed4c3e8f2d1650ffca6c1d98e892082b41b40fb89ccf75d5f03d2464b0b4f943cd4b082071f0abfe978d149bd61479

Download Submit
\??\pipe\crashpad_2344_DLXFBIVAGDCZGCLN
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit