Analysis Overview
Threat Level: Known bad
The file https://download.tt2dd.com/ was found to be: Known bad.
Malicious Activity Summary
RedLine payload
RedLine
Suspicious use of NtCreateUserProcessOtherParentProcess
Checks computer location settings
Reads user/profile data of web browsers
Executes dropped EXE
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Drops file in System32 directory
Drops file in Windows directory
Enumerates physical storage devices
Runs ping.exe
Modifies system certificate store
Enumerates system info in registry
Suspicious use of FindShellTrayWindow
Enumerates processes with tasklist
Suspicious use of SendNotifyMessage
Suspicious behavior: GetForegroundWindowSpam
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Modifies data under HKEY_USERS
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Suspicious use of SetWindowsHookEx
NTFS ADS
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-02 14:21
Signatures
Analysis: behavioral3
Detonation Overview
Submitted
2024-05-02 14:21
Reported
2024-05-02 14:28
Platform
win10v2004-20240426-en
Max time kernel
409s
Max time network
394s
Command Line
Signatures
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 3304 created 3460 | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4481714\Masturbating.pif | C:\Windows\Explorer.EXE |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Downloads\Manual-Installer-V6.283878g98781110.tar\Manual-Installer-V6.283878g98781110\Setup.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Downloads\Manual-Installer-V6.283878g98781110.tar\Manual-Installer-V6.283878g98781110\Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4481714\Masturbating.pif | N/A |
Enumerates physical storage devices
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133591333275664676" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://download.tt2dd.com/
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc76f9ab58,0x7ffc76f9ab68,0x7ffc76f9ab78
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1596 --field-trial-handle=1892,i,10581494066230559856,4539980887754945946,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=1892,i,10581494066230559856,4539980887754945946,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2228 --field-trial-handle=1892,i,10581494066230559856,4539980887754945946,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3040 --field-trial-handle=1892,i,10581494066230559856,4539980887754945946,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3048 --field-trial-handle=1892,i,10581494066230559856,4539980887754945946,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4448 --field-trial-handle=1892,i,10581494066230559856,4539980887754945946,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4668 --field-trial-handle=1892,i,10581494066230559856,4539980887754945946,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=212 --field-trial-handle=1892,i,10581494066230559856,4539980887754945946,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5100 --field-trial-handle=1892,i,10581494066230559856,4539980887754945946,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4240 --field-trial-handle=1892,i,10581494066230559856,4539980887754945946,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3028 --field-trial-handle=1892,i,10581494066230559856,4539980887754945946,131072 /prefetch:8
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Manual-Installer-V6.283878g98781110.tar\" -spe -an -ai#7zMap16728:138:7zEvent23127
C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Manual-Installer-V6.283878g98781110.tar\Manual-Installer-V6.283878g98781110\" -spe -an -ai#7zMap10950:212:7zEvent24658
C:\Users\Admin\Downloads\Manual-Installer-V6.283878g98781110.tar\Manual-Installer-V6.283878g98781110\Setup.exe
"C:\Users\Admin\Downloads\Manual-Installer-V6.283878g98781110.tar\Manual-Installer-V6.283878g98781110\Setup.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c move Flu Flu.cmd && Flu.cmd
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c md 4481714
C:\Windows\SysWOW64\findstr.exe
findstr /V "SENSORSALICEECUADORJAMAICA" Massive
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Hop + Stuart + Den + Lightweight + Metallic 4481714\j
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4481714\Masturbating.pif
4481714\Masturbating.pif 4481714\j
C:\Windows\SysWOW64\PING.EXE
ping -n 5 127.0.0.1
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4481714\RegAsm.exe
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4481714\RegAsm.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | download.tt2dd.com | udp |
| US | 108.178.44.242:443 | download.tt2dd.com | tcp |
| US | 8.8.8.8:53 | 10.200.250.142.in-addr.arpa | udp |
| US | 108.178.44.242:443 | download.tt2dd.com | udp |
| US | 8.8.8.8:53 | qsrc.sg | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| SG | 43.229.84.147:443 | qsrc.sg | tcp |
| NL | 23.62.61.113:443 | www.bing.com | tcp |
| SG | 43.229.84.147:443 | qsrc.sg | tcp |
| US | 8.8.8.8:53 | 242.44.178.108.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 113.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.84.229.43.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 8.8.8.8:53 | 147.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.139.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 108.178.44.242:443 | download.tt2dd.com | udp |
| US | 8.8.8.8:53 | inforzip.net | udp |
| GB | 149.255.58.44:443 | inforzip.net | tcp |
| US | 8.8.8.8:53 | 44.58.255.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 90.65.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ZYMikYGhrhAqbJsUidPnLr.ZYMikYGhrhAqbJsUidPnLr | udp |
Files
\??\pipe\crashpad_2344_DLXFBIVAGDCZGCLN
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
| MD5 | d751713988987e9331980363e24189ce |
| SHA1 | 97d170e1550eee4afc0af065b78cda302a97674c |
| SHA256 | 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945 |
| SHA512 | b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 55f02759c81b7beb897d1eab38869942 |
| SHA1 | 05b5a6d0ee150be6ac4f105fa3ef4965c92a0deb |
| SHA256 | 632a5c5bf73b103c00c6a070a13f28a5a30eb10dff3c82d312e39f954e6e77fc |
| SHA512 | b8e5be7c9af1ffbce11711e370cf25ddc5b5cac7852ccf7c77d9dfdebf5da34ddfe24047bce7c689163755ec14038afeae1e1c3c2d5d02ad4a8cc5c7d889ef6b |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 64767bbcd9eda4cccaed6160eb0ecd55 |
| SHA1 | 92be4c5113c3b9c511210cb019d3a807359d9625 |
| SHA256 | 40919f318c6e8f35b923aa6bfce4888891d212a92b77bd812178a9dcfdfe843a |
| SHA512 | 446e46aefd74ad08e0e23b201e2de78027b80fd5cbad7425c02b1b1c810afaebf58d1288f75628404c107e04fefc5477a1032a27f897ec692bd47e1e3669a348 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 234b985b5a77602e2b7e4dbccc5f2cc6 |
| SHA1 | 11b8db01d94f5a9a1af33432f84ef5cb495a2c80 |
| SHA256 | 81594528bec5584a416f0c2a69e29844f3bc807fca674d788d2d264e3d7eb3fe |
| SHA512 | 06a649cc4d075468fc88f2f248ddc7183ed6fe7e3adcc478ebbd5ac38a8b68d5d4a95b0c097bf05c7cbcdbcd96eb7a7677a53cc50a5217373cf5841b6ccb39f7 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | 129754b5b23bddb732309be54363335f |
| SHA1 | fc9ce2c6a9326c0e35d24803e5dd8639359cbd32 |
| SHA256 | 06c81b4574b90b27f644fa76c0eb2d0b19dd48c0e51e99ad1d398573f0cb088e |
| SHA512 | f7e1fdde16cd5863d83fb920b7872fbe94ce7ddae8f0ca72d611a13c3b4ab632d1ec5c1b864cdc8e14cb559428c16d6cdb2be496b9d12277438e6055261c2479 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 033714f0722f40d5c742ddd1f748094c |
| SHA1 | a369cdca0245f8545eb6b841b6c4a87cc800a65b |
| SHA256 | 496a45600213e8825f1b5bb764ff1506b19c60a827b9daebd0d065b1a6c0b109 |
| SHA512 | 3c16ac93d1175af3c46c26f84e88069ce3fc60e6ae90f2555930b49aaf42451175cc0b8a81efa74e698a647aca51fe5c8527cfe179bae364a0fd5da11137fcfe |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
| MD5 | 83d4e984f2aae969af16bee7638bdd27 |
| SHA1 | 399e715c723b7fb908b44f84c5d6b7fd3ca52e5c |
| SHA256 | 05c838aa8cb3108aa501d4f28579c36daebd28e011e375e4983c13c416e94def |
| SHA512 | 32a37c4862fae3078b7ed4fc8c976dcc633211e6c2b41976c342056c271ef81e9ff15e4abd0de8e0e551fee77d3cf7cb99843e1f5b892b6f256ca8f56d71c48f |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe587ad8.TMP
| MD5 | 550d0636e8252c2dbed031c5d4ba8182 |
| SHA1 | 8c176c7637b05276afd97a6a77968c0be4be6bce |
| SHA256 | 50ce7aec113a76a73faf3ddcdc952916ced6a345ae9854af3240674a3dd09e36 |
| SHA512 | 3d0a6c417a8e8fe17a5efbcfac1327c9938017ad91f9828c67e35567280915e2c07121a7b96ff2b956341056a644183910e28e872039440476db40ef4a49fd5d |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 24b5b4b65fa417c9087e58c43afd40a3 |
| SHA1 | 5d2b1792eefb87fd153b0e980ba0d6bce3970011 |
| SHA256 | 0db23e56cc956a1c6d55d4bd6c5b1d81d200cf840f34ec09df4b756e2aab1fb9 |
| SHA512 | f363bb168acb08237065612aafc93f902536012deaadc2a8ef5a235e3e47b9cc16618d40c569cf19b930387eb3b01185f90fd4396250eab11605b0d52deac805 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | ec21a1d11603ca8f5faed7c7698e914c |
| SHA1 | 7972da32c7fd3807817c494fc92658d2d066a024 |
| SHA256 | eb4dc9e79dba69824f874e0ae8fb31b109068ad13bd76fe5775c9db5ddd758e8 |
| SHA512 | ce732c72e73959b39ef9718669c55403fa1cbaf9bb0ee32238920c3d7465bd1dd2aa8e22293fe869889560a011d10401f637a7458ea26a025f5e3ec715351c41 |
C:\Users\Admin\Downloads\Manual-Installer-V6.283878g98781110.tar.gz
| MD5 | 2942f277bb2cd54bb0b81996d42f7802 |
| SHA1 | abdfb88cb8b72e8a20c8fa3483c5e5dfdadf7661 |
| SHA256 | 2caf0bb99ff4712b202bd2b51e24d70de8a2adb4b1aaba3d9394a40b32441254 |
| SHA512 | 39a56ef1fa3cb03954c6adfe8df540f0b79aa62c043d6a1a2806b92fac774d658c1969a964cc7dab962480ec313b879f7b0657bbf19d49a959e9a625e39244ac |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
| MD5 | c4f179889482b22e86eafa0355a6b069 |
| SHA1 | 36f73c8dd3f04f17f142b654d3fec71df8294670 |
| SHA256 | a31ad1b3295c8584d5ec0e94e8c9300601b2e4af4d362311df011a631ff3fd65 |
| SHA512 | f505d6eb51f38e2ee2ca98cdd1395bf11d3fe45b04ad4d45c94fa9f34e2e8d17076889977f19d4ea178d04517cdef5a0276e4d0b3dd4313e8c9e6eee0491f28e |
C:\Users\Admin\Downloads\Manual-Installer-V6.283878g98781110.tar\Manual-Installer-V6.283878g98781110\bin\Debug\MusicPlayerApp.vshost.exe.config
| MD5 | 28960c034283c54b6f70673f77fd07fa |
| SHA1 | 914b9e3f9557072ea35ec5725d046b825ef8b918 |
| SHA256 | 8d65429e0b2a82c11d3edc4ea04ed200aedfea1d7ef8b984e88a8e97cff54770 |
| SHA512 | d30dd93457a306d737aac32c0944880517ed4c3e8f2d1650ffca6c1d98e892082b41b40fb89ccf75d5f03d2464b0b4f943cd4b082071f0abfe978d149bd61479 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Flu
| MD5 | 7e7ce927035274de652713d2e76a48d8 |
| SHA1 | a3aaf56ebe58d2fad03a6d2adab5c6140497386d |
| SHA256 | d8110e2ea63fc466cda2945d1ce15f3a330ff263e1e9fd99b2075e06d2132ecf |
| SHA512 | af09e9d0de2743c976488c473cb0c71724cb2e4ff58ae37595f6df13e4c1b4e50a7d349f7b3dcd65eb2eb55e12140f927165a09e2ac402706de9d81eedd400a6 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Massive
| MD5 | d1b987734c4107491262869203ea885d |
| SHA1 | a77977d58281980a0205f883d12e5a9567ed3c57 |
| SHA256 | d52ead1f44490d46259b0be6ecfacbf12f587c3e86ca8a93f29357b50f0d834d |
| SHA512 | 239c91c71c99d6b30e503dd8c4780303bf68e0c01bccd8e1abe11b249f7413667ea7b863d9f20a39875e93ad1e80a811e79b34f386991d2f7a4ba9bc07379b91 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Americans
| MD5 | f753d86ec907939c8471850ce2a79036 |
| SHA1 | 22f07dc2373730f8d146ef7b9d58a212bee0c193 |
| SHA256 | 6c6a50fc1900ec8d5fdb9ed6e3c337b63af96a75c74587d2e5d5c89d8d738def |
| SHA512 | 36e6146ce600bc0035eb526f6fdc6bffd90caf34a345504fb44e46100f41decc9e6a55736cecd5901152e39521418e10e2884dbe439fe2b91934447a3853d6e9 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Neural
| MD5 | 89a81cf3771cfff9ee01f2423480907e |
| SHA1 | a5e8faa5c7c90410416f8aed827ca5141ec5a673 |
| SHA256 | 2c360e946acdf604c7b7f9fa9a3fefe55a206034e39dd1c0e92e9280c63e9dd0 |
| SHA512 | c0b37b6af7a1d44889e1ac39ff5d67b2324f14f8af9c3ea1522bcc4a8c70d364d510b61c9b70bc1d4fdd582826c400d0311f5b5cdb7415eaab13732b961648f7 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Enhancements
| MD5 | d698989610711e4b765d0f022feafecf |
| SHA1 | 859c28dcf1a2887606b180e8e8c5ef12e5dc18bc |
| SHA256 | 0b590a30e29b1d351a558db539a420e83bd4c490c9792f584b9f66b6ea4850e8 |
| SHA512 | f83c42df6e749664fd5e1f264cad212e6fbb666fe864e6abdb0fba0a15a465cdf62366fd83768caa70a36f881e19c3f76941b7a68835c01dbc62dba779d7961d |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Beats
| MD5 | 2885880aa38707935c64f6b3c7800f96 |
| SHA1 | 85ee867d80b9cfb1f138e3b0c0ea2a2f1ed6dca6 |
| SHA256 | 373bbb960914f99e82bebf4fb13f6d0c16302ac73bfee987af7cc7023f799f6e |
| SHA512 | ba0a1f2f5478db647bea242b4170d2e505f899fc98c4b11d145395a17f638ba3ac828b96fd6a7b94c744d8176152bc47c5b32b00180e489926c1f6a8e718cf16 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Frankfurt
| MD5 | 23b74e5504f3aec97990cf2566590916 |
| SHA1 | 5a58935fc51697df3d41e6439ecd4aba0f2732a7 |
| SHA256 | 5a9cdc044add9a81bab24db70c7b8aec1c4936f4a706cbeb12d4e5cca7c98163 |
| SHA512 | 941268012c574bf3411708ca932b38185535978e8149d69a9fce81b8e727471ebc063503cf40dcf70aaeb2c317e065971e1e2227f67f5a5142e729f230d95a29 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Coordinated
| MD5 | 03371e3e51103446a7d61646e6f4ebcc |
| SHA1 | dc28eaa3711df1e414821af095a76f34ad7f8e44 |
| SHA256 | 7008ac7fc2af470979e94eedf52d823f9dd3b3e1ff1d5a7914cbc0828d4832d5 |
| SHA512 | ab3abcea08a0a773014c7a22db3507c01635dbb43adff7dbf2253009335a2568c5603ebba9fac4fdedc7bc49d343436d6afb01649dcb9c071fe92cda2cb2d9ee |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Aruba
| MD5 | e914b530dd18a000b39ce75d203b784e |
| SHA1 | 4e7f2d318cd32ad01b4d94071839ba9b50543212 |
| SHA256 | dec10daacfe6e37bc50bb3bb6b76550ed802892f3a71beb3449cfbfbea607259 |
| SHA512 | 3d2e1b74660401c151583e78ef60f53b1168520552e4ae190853ca6eca760dd4a701280a1b2af8a2b00a81744b08caaa988aaf77afb4335a2669c41f54fd4c75 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Tone
| MD5 | 7b6ee2eb9f85cb183210389b0b0a5674 |
| SHA1 | 3922d0f86ca2b75ca6137da65bfe10ff29474495 |
| SHA256 | b6b91987a4a2dd89040fe8f22febfbfd91a764368b192ba91eea54acc7bc946a |
| SHA512 | ddc6090e1510d9793131e1ba4eb92fba589faba7e3e9851df337e2ce85b6952e2218194ea56ab54bc52d0a9aa156e063d0074aa8887b986fffa6dd4b15eb639e |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Spyware
| MD5 | 53d60db40a582d66f6f0b2c18a2a00a0 |
| SHA1 | 045e8decf2c5ed2199512646ebafa2e9c3e3b08b |
| SHA256 | 9322a9ff1608d3cba130f6d09d90d33af2946f501960124e9418b603ca6e4528 |
| SHA512 | f3d4d40de2796506a0b470c6473a4cd0c17adf601078bad766a0005f91a71568472a3ae05ebcd4b31eea1530dcf84a985a1944a80860b065303bacc210fb1705 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Hop
| MD5 | 7ebc57599cccec5284f3d1ddc8c8894d |
| SHA1 | 152812380c876e6083c55da5f51f05502033d48a |
| SHA256 | bbfc1a4903a574e59b782b0c380b53fdcc6c5374708777ae6b3d6a9a5f1b10ba |
| SHA512 | 8067f2b5fb4821ca57ee00ef90ece08875356e96f62501bfec5fc2763a93e8c78919dea6d75cb6e515e94f5fb0497784ff5ca5e2d737ec02430374834d902b32 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Stuart
| MD5 | 75dfcf3a58bff19cb1e08e64cb37e672 |
| SHA1 | 4ef53d554be37c3b82b54d1e4761c19ccfacb50a |
| SHA256 | 01a421b0dd3a357c5d740650c0f579c0c9e4b22bf94834ee575a0da69d5de3bc |
| SHA512 | f6be9514b81a9353f57a571460d1a85d9473546ba2b097309ff0e6ec17d3efa432353e3232605039d44de98ba2fd42f811a9db5903b4eddea25a744e006e7f2a |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Lightweight
| MD5 | 780d5012edd68b16d7b184f4181021b5 |
| SHA1 | 20f9f80a29297c85c92ee2c70d2ec36ccff87593 |
| SHA256 | 40fc7cd83e83ba95fc5b1af629dbb8c7fa3020782badbb6088f0f90f52cc4cc3 |
| SHA512 | 04b00d79594dd919d165117c09b65e091a49ccecb6e5a0ada1d8615c289268e69d9c0463e89986baf28d7de8a38f7920edecd1d5bae4661a28e0c83ccab67b3a |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Den
| MD5 | 82624b0ef5a2c57dad2a45392448a9b5 |
| SHA1 | e1f7ec58be7d744ea1aabe7d729cb8ceb0646511 |
| SHA256 | b8942ea1759d5712ba6722bd2019493217283471bf09e11a393cbd21e81e954f |
| SHA512 | 5d16be6a7aeadc1ab43207643578446a2b86bb4d894d4a44c02667065de1cac22ec8a2cccb8dca1dbc42bf2e3989b59053c2671ec30193d7475e252d1748fa4d |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Metallic
| MD5 | f266514e1e9922b935796d012d03add5 |
| SHA1 | a5441cf2010d07a3c005c1f3f71e867789f87730 |
| SHA256 | 23058c81207b6d1044c40793e021782b849245293742883a050999d98174a12a |
| SHA512 | 165e8928844e2a3e912afa09dda4356bc31bf4a2c00b54ff98dd52390c23a99b18c811ba48431d87c9b247d0850748d10906e1dff0d99ed2c28adbd004416b47 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4481714\Masturbating.pif
| MD5 | 6ee7ddebff0a2b78c7ac30f6e00d1d11 |
| SHA1 | f2f57024c7cc3f9ff5f999ee20c4f5c38bfc20a2 |
| SHA256 | 865347471135bb5459ad0e647e75a14ad91424b6f13a5c05d9ecd9183a8a1cf4 |
| SHA512 | 57d56de2bb882f491e633972003d7c6562ef2758c3731b913ff4d15379ada575062f4de2a48ca6d6d9241852a5b8a007f52792753fd8d8fee85b9a218714efd0 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4481714\j
| MD5 | 4b4f86ad7203f525253d3d01566391d8 |
| SHA1 | a89e684e1841e2c1bedd38234ab9d636862f177a |
| SHA256 | 120f7c4cad476f254ea5e757eb0d6cf36d64f900775c438e745007af2a735122 |
| SHA512 | b7cb135d16027182805c74679930c19e6075ecbf1d857fde735966e9273c5b4e8b5b0c5863dfe71fcb4af25c8cc68712a9238154bdc83e154b2240ee0c20eab2 |
Analysis: behavioral4
Detonation Overview
Submitted
2024-05-02 14:21
Reported
2024-05-02 14:27
Platform
win11-20240419-en
Max time kernel
315s
Max time network
311s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 4216 created 3312 | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4472604\Masturbating.pif | C:\Windows\Explorer.EXE |
| PID 3292 created 3312 | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4474174\Masturbating.pif | C:\Windows\Explorer.EXE |
Executes dropped EXE
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_01cf530faf2f1752\display.PNF | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| File created | \??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_01cf530faf2f1752\display.PNF | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SystemTemp | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133591333270173318" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings | C:\Windows\system32\taskmgr.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4472604\RegAsm.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = [binary blob value not captured on this page] | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4472604\RegAsm.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\Downloads\Manual-Installer-V6.283878g98781110.tar.gz:Zone.Identifier | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://download.tt2dd.com/
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff2328cc40,0x7fff2328cc4c,0x7fff2328cc58
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1812,i,13494298440538460157,10800326874028418451,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=1800 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2092,i,13494298440538460157,10800326874028418451,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2084 /prefetch:3
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2184,i,13494298440538460157,10800326874028418451,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2252 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3056,i,13494298440538460157,10800326874028418451,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3104 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3064,i,13494298440538460157,10800326874028418451,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3240 /prefetch:1
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3524,i,13494298440538460157,10800326874028418451,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4508 /prefetch:8
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4524,i,13494298440538460157,10800326874028418451,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4864 /prefetch:8
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Manual-Installer-V6.283878g98781110.tar\" -spe -an -ai#7zMap11897:138:7zEvent1093
C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Manual-Installer-V6.283878g98781110.tar\Manual-Installer-V6.283878g98781110\" -spe -an -ai#7zMap13264:212:7zEvent25481
C:\Users\Admin\Downloads\Manual-Installer-V6.283878g98781110.tar\Manual-Installer-V6.283878g98781110\Setup.exe
"C:\Users\Admin\Downloads\Manual-Installer-V6.283878g98781110.tar\Manual-Installer-V6.283878g98781110\Setup.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c move Flu Flu.cmd && Flu.cmd
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c md 4472604
C:\Windows\SysWOW64\findstr.exe
findstr /V "SENSORSALICEECUADORJAMAICA" Massive
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Hop + Stuart + Den + Lightweight + Metallic 4472604\j
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4472604\Masturbating.pif
4472604\Masturbating.pif 4472604\j
C:\Windows\SysWOW64\PING.EXE
ping -n 5 127.0.0.1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=212,i,13494298440538460157,10800326874028418451,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4760 /prefetch:8
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4472604\RegAsm.exe
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4472604\RegAsm.exe
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
C:\Users\Admin\Downloads\Manual-Installer-V6.283878g98781110.tar\Manual-Installer-V6.283878g98781110\Setup.exe
"C:\Users\Admin\Downloads\Manual-Installer-V6.283878g98781110.tar\Manual-Installer-V6.283878g98781110\Setup.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c move Flu Flu.cmd && Flu.cmd
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c md 4474174
C:\Windows\SysWOW64\findstr.exe
findstr /V "SENSORSALICEECUADORJAMAICA" Massive
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Hop + Stuart + Den + Lightweight + Metallic 4474174\j
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4474174\Masturbating.pif
4474174\Masturbating.pif 4474174\j
C:\Windows\SysWOW64\PING.EXE
ping -n 5 127.0.0.1
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4474174\RegAsm.exe
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4474174\RegAsm.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | download.tt2dd.com | udp |
| US | 108.178.44.242:443 | download.tt2dd.com | tcp |
| US | 108.178.44.242:443 | download.tt2dd.com | tcp |
| US | 108.178.44.242:443 | download.tt2dd.com | tcp |
| US | 108.178.44.242:443 | download.tt2dd.com | udp |
| SG | 43.229.84.147:443 | qsrc.sg | tcp |
| SG | 43.229.84.147:443 | qsrc.sg | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 108.178.44.242:443 | download.tt2dd.com | udp |
| GB | 149.255.58.44:443 | inforzip.net | tcp |
| UA | 45.89.53.206:4663 | | tcp |
| US | 8.8.8.8:53 | 206.53.89.45.in-addr.arpa | udp |
| UA | 45.89.53.206:4663 | | tcp |
Files
\??\pipe\crashpad_872_TOXRQBZAGFLCKZYP
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
| MD5 | d751713988987e9331980363e24189ce |
| SHA1 | 97d170e1550eee4afc0af065b78cda302a97674c |
| SHA256 | 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945 |
| SHA512 | b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState
| MD5 | 9b5bbe79622d45dc4e931c979a0a0dea |
| SHA1 | d7ab38e3af868f1ca0b966752df9a3bee4b5ce96 |
| SHA256 | c80b8ea514d90a5b83677eee3718869eefef1c806e7dab65c1b37d953d2ede46 |
| SHA512 | 8da56963151a851ac1c8035dab158c3c22229d4454a51e9ace577cba3dc1ca403a8096fe7580d5b54cbc0c1557503746e814455a5c713df84448e172667e2244 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 3c776d4fc6ac3d2018ee26b56a5a8bf2 |
| SHA1 | 5d4a667b61a146333d6014622407affba6686e41 |
| SHA256 | cb573939f29b9a3ff7ee821fd66517b20e6d653afe66119cc8462e505344b62e |
| SHA512 | 82d1a6ceb810c3edf640d6964c115e361c0463385c95b050d40f5dd2fcafbea1abefb35d3e7f7af028d309e9e0e9892a8c2264df86ba1ca9cfd9883a03fb996d |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 9be257ac0227af885e0030d7853da877 |
| SHA1 | a1a7d2e2f1a113048f783f2d0771f03118dc629e |
| SHA256 | bdd74d5324df386bc3bf7b81d1954c382291bc1d8d114f89b56a929d4004d2ec |
| SHA512 | b15ce4e78db8ebac54a05eaafb7ddd9030afda90de1aeee86f9edd2cbfd394280fc44fc09f30ae5cfa504cebf5c16751bd4ced53fde97f733a710d03b2161741 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 49df5f39745df2cb505ad2485ec37792 |
| SHA1 | 843e26d3be7d3934f750947e548086c01402c1f8 |
| SHA256 | 95b4ac0d33c9e978bcffa16da9e28da37e659ba676e8baa9da96b128ff10663e |
| SHA512 | a5a3d9c6ac22dcdfc1e568ce380e365d40174a325319524fcdb9cd30c993150817ff718dcbe50cfbc49df4cb951e4928adc026a203a557abd18fe699d8371352 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 9719312d34bc7a952d9d0472082f3d6a |
| SHA1 | 625278486c321cb1473bdf63fa64514baeb6b5be |
| SHA256 | cf27d189f1e04a845f5e8937ef5c5cca65cb284ce4e0389a15f29a2267b9ec8e |
| SHA512 | 7826f6cca2869e968154e7aec4fb840fe5174743e0e332c94ee695e71045e05f787e0d336099dc03ec0857806b3b0ea6e4ad26621750f91da58f8244c412a12b |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 00364f017bb7c39a680d0882b444b7d2 |
| SHA1 | ff18334fad02d9461a595d5380ae083a32091a4d |
| SHA256 | 82a89ef93a9e57e57a0914f258fe03344bd5a6b116a91d09e3e4a5e42e31da77 |
| SHA512 | be8f84b24390d34185b006d20336110f51eb544fae3e6c98c7149c5df36a83dd5ee522025a6f621abf416c63ccd02794bbdb84c249fe950dfc79ac30cb7fecaa |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | 0d50de0a2c675ea56f1c72000126e147 |
| SHA1 | 3452abe93a606f3104d187b8222ddab4fc8ad2c0 |
| SHA256 | 3f99e670f395d1b02b968bdb4df888739a819fcc020f11b2e3f5fecba9f73a64 |
| SHA512 | ee4a230846f1a9dc74d191c61a57b57f9d29f0138f68f0cd5f8b4ee9c80013396dc9845c77149c6a66dad2585272672e461709e0bacd74ad4fe45669a647700a |
C:\Users\Admin\Downloads\Manual-Installer-V6.283878g98781110.tar.gz.crdownload
| MD5 | 2942f277bb2cd54bb0b81996d42f7802 |
| SHA1 | abdfb88cb8b72e8a20c8fa3483c5e5dfdadf7661 |
| SHA256 | 2caf0bb99ff4712b202bd2b51e24d70de8a2adb4b1aaba3d9394a40b32441254 |
| SHA512 | 39a56ef1fa3cb03954c6adfe8df540f0b79aa62c043d6a1a2806b92fac774d658c1969a964cc7dab962480ec313b879f7b0657bbf19d49a959e9a625e39244ac |
C:\Users\Admin\Downloads\Manual-Installer-V6.283878g98781110.tar.gz:Zone.Identifier
| MD5 | fbccf14d504b7b2dbcb5a5bda75bd93b |
| SHA1 | d59fc84cdd5217c6cf74785703655f78da6b582b |
| SHA256 | eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913 |
| SHA512 | aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\12743002-f6ba-4dff-84fa-61f2d8a70cfa.tmp
| MD5 | be25a0f2486c8b2fd7d8ac5bd6528c4e |
| SHA1 | 64626fb5ee73372ff88e9406022d7d7b7b1c718e |
| SHA256 | 9a6b6ee0e78436957edd73195ba1192ff9ddff1e6503e7f04de58d57bd81f044 |
| SHA512 | 6c2486102f9d654b8d52f08f406c58bacf21f6f9284406404866b9e66e80f09f171476bb2efa5f56815b3d037721a9340ff492f277bab6d7be3dde630b8e75de |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | b7452661f19d4d69bc3f437c3338bc44 |
| SHA1 | 8272202a40d709bfd4e9f61f6a83a302d3474290 |
| SHA256 | 26cca34138f7333f719eb8b8c598c7fc2a8c33c8c40369bdde202e2f7da95270 |
| SHA512 | 78ff7215c0ec315a0eb6a48b1b8e2478ec03c5dbd06cf97bf6001e9a68298759de470a2d78bae8860f7b6b9aa4b98fb62bb83a9c19b8e23c65191982bec09d1e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 4c936c5e008768a2fc4d86b43366b625 |
| SHA1 | 9848573eda768a38b8ed0a2d28111bdf56fc80ec |
| SHA256 | d64464365f67219435d7e267e7168877f9ce5bcc3e1e768358f9f5bac43d7695 |
| SHA512 | 5819154c935b5fbf65a7d2c69f952512a68ea3915d4be4525bbe015df79708525fb0a872c857edd446ce828c4e6d730d0213b20c23f44e582d94ad541fc34449 |
C:\Users\Admin\Downloads\Manual-Installer-V6.283878g98781110.tar\Manual-Installer-V6.283878g98781110\bin\Debug\MusicPlayerApp.vshost.exe.config
| MD5 | 28960c034283c54b6f70673f77fd07fa |
| SHA1 | 914b9e3f9557072ea35ec5725d046b825ef8b918 |
| SHA256 | 8d65429e0b2a82c11d3edc4ea04ed200aedfea1d7ef8b984e88a8e97cff54770 |
| SHA512 | d30dd93457a306d737aac32c0944880517ed4c3e8f2d1650ffca6c1d98e892082b41b40fb89ccf75d5f03d2464b0b4f943cd4b082071f0abfe978d149bd61479 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Flu
| MD5 | 7e7ce927035274de652713d2e76a48d8 |
| SHA1 | a3aaf56ebe58d2fad03a6d2adab5c6140497386d |
| SHA256 | d8110e2ea63fc466cda2945d1ce15f3a330ff263e1e9fd99b2075e06d2132ecf |
| SHA512 | af09e9d0de2743c976488c473cb0c71724cb2e4ff58ae37595f6df13e4c1b4e50a7d349f7b3dcd65eb2eb55e12140f927165a09e2ac402706de9d81eedd400a6 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Massive
| MD5 | d1b987734c4107491262869203ea885d |
| SHA1 | a77977d58281980a0205f883d12e5a9567ed3c57 |
| SHA256 | d52ead1f44490d46259b0be6ecfacbf12f587c3e86ca8a93f29357b50f0d834d |
| SHA512 | 239c91c71c99d6b30e503dd8c4780303bf68e0c01bccd8e1abe11b249f7413667ea7b863d9f20a39875e93ad1e80a811e79b34f386991d2f7a4ba9bc07379b91 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Americans
| MD5 | f753d86ec907939c8471850ce2a79036 |
| SHA1 | 22f07dc2373730f8d146ef7b9d58a212bee0c193 |
| SHA256 | 6c6a50fc1900ec8d5fdb9ed6e3c337b63af96a75c74587d2e5d5c89d8d738def |
| SHA512 | 36e6146ce600bc0035eb526f6fdc6bffd90caf34a345504fb44e46100f41decc9e6a55736cecd5901152e39521418e10e2884dbe439fe2b91934447a3853d6e9 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Neural
| MD5 | 89a81cf3771cfff9ee01f2423480907e |
| SHA1 | a5e8faa5c7c90410416f8aed827ca5141ec5a673 |
| SHA256 | 2c360e946acdf604c7b7f9fa9a3fefe55a206034e39dd1c0e92e9280c63e9dd0 |
| SHA512 | c0b37b6af7a1d44889e1ac39ff5d67b2324f14f8af9c3ea1522bcc4a8c70d364d510b61c9b70bc1d4fdd582826c400d0311f5b5cdb7415eaab13732b961648f7 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Spyware
| MD5 | 53d60db40a582d66f6f0b2c18a2a00a0 |
| SHA1 | 045e8decf2c5ed2199512646ebafa2e9c3e3b08b |
| SHA256 | 9322a9ff1608d3cba130f6d09d90d33af2946f501960124e9418b603ca6e4528 |
| SHA512 | f3d4d40de2796506a0b470c6473a4cd0c17adf601078bad766a0005f91a71568472a3ae05ebcd4b31eea1530dcf84a985a1944a80860b065303bacc210fb1705 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Tone
| MD5 | 7b6ee2eb9f85cb183210389b0b0a5674 |
| SHA1 | 3922d0f86ca2b75ca6137da65bfe10ff29474495 |
| SHA256 | b6b91987a4a2dd89040fe8f22febfbfd91a764368b192ba91eea54acc7bc946a |
| SHA512 | ddc6090e1510d9793131e1ba4eb92fba589faba7e3e9851df337e2ce85b6952e2218194ea56ab54bc52d0a9aa156e063d0074aa8887b986fffa6dd4b15eb639e |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Aruba
| MD5 | e914b530dd18a000b39ce75d203b784e |
| SHA1 | 4e7f2d318cd32ad01b4d94071839ba9b50543212 |
| SHA256 | dec10daacfe6e37bc50bb3bb6b76550ed802892f3a71beb3449cfbfbea607259 |
| SHA512 | 3d2e1b74660401c151583e78ef60f53b1168520552e4ae190853ca6eca760dd4a701280a1b2af8a2b00a81744b08caaa988aaf77afb4335a2669c41f54fd4c75 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Coordinated
| MD5 | 03371e3e51103446a7d61646e6f4ebcc |
| SHA1 | dc28eaa3711df1e414821af095a76f34ad7f8e44 |
| SHA256 | 7008ac7fc2af470979e94eedf52d823f9dd3b3e1ff1d5a7914cbc0828d4832d5 |
| SHA512 | ab3abcea08a0a773014c7a22db3507c01635dbb43adff7dbf2253009335a2568c5603ebba9fac4fdedc7bc49d343436d6afb01649dcb9c071fe92cda2cb2d9ee |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Frankfurt
| MD5 | 23b74e5504f3aec97990cf2566590916 |
| SHA1 | 5a58935fc51697df3d41e6439ecd4aba0f2732a7 |
| SHA256 | 5a9cdc044add9a81bab24db70c7b8aec1c4936f4a706cbeb12d4e5cca7c98163 |
| SHA512 | 941268012c574bf3411708ca932b38185535978e8149d69a9fce81b8e727471ebc063503cf40dcf70aaeb2c317e065971e1e2227f67f5a5142e729f230d95a29 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Beats
| MD5 | 2885880aa38707935c64f6b3c7800f96 |
| SHA1 | 85ee867d80b9cfb1f138e3b0c0ea2a2f1ed6dca6 |
| SHA256 | 373bbb960914f99e82bebf4fb13f6d0c16302ac73bfee987af7cc7023f799f6e |
| SHA512 | ba0a1f2f5478db647bea242b4170d2e505f899fc98c4b11d145395a17f638ba3ac828b96fd6a7b94c744d8176152bc47c5b32b00180e489926c1f6a8e718cf16 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Enhancements
| MD5 | d698989610711e4b765d0f022feafecf |
| SHA1 | 859c28dcf1a2887606b180e8e8c5ef12e5dc18bc |
| SHA256 | 0b590a30e29b1d351a558db539a420e83bd4c490c9792f584b9f66b6ea4850e8 |
| SHA512 | f83c42df6e749664fd5e1f264cad212e6fbb666fe864e6abdb0fba0a15a465cdf62366fd83768caa70a36f881e19c3f76941b7a68835c01dbc62dba779d7961d |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Hop
| MD5 | 7ebc57599cccec5284f3d1ddc8c8894d |
| SHA1 | 152812380c876e6083c55da5f51f05502033d48a |
| SHA256 | bbfc1a4903a574e59b782b0c380b53fdcc6c5374708777ae6b3d6a9a5f1b10ba |
| SHA512 | 8067f2b5fb4821ca57ee00ef90ece08875356e96f62501bfec5fc2763a93e8c78919dea6d75cb6e515e94f5fb0497784ff5ca5e2d737ec02430374834d902b32 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Stuart
| MD5 | 75dfcf3a58bff19cb1e08e64cb37e672 |
| SHA1 | 4ef53d554be37c3b82b54d1e4761c19ccfacb50a |
| SHA256 | 01a421b0dd3a357c5d740650c0f579c0c9e4b22bf94834ee575a0da69d5de3bc |
| SHA512 | f6be9514b81a9353f57a571460d1a85d9473546ba2b097309ff0e6ec17d3efa432353e3232605039d44de98ba2fd42f811a9db5903b4eddea25a744e006e7f2a |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Den
| MD5 | 82624b0ef5a2c57dad2a45392448a9b5 |
| SHA1 | e1f7ec58be7d744ea1aabe7d729cb8ceb0646511 |
| SHA256 | b8942ea1759d5712ba6722bd2019493217283471bf09e11a393cbd21e81e954f |
| SHA512 | 5d16be6a7aeadc1ab43207643578446a2b86bb4d894d4a44c02667065de1cac22ec8a2cccb8dca1dbc42bf2e3989b59053c2671ec30193d7475e252d1748fa4d |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Metallic
| MD5 | f266514e1e9922b935796d012d03add5 |
| SHA1 | a5441cf2010d07a3c005c1f3f71e867789f87730 |
| SHA256 | 23058c81207b6d1044c40793e021782b849245293742883a050999d98174a12a |
| SHA512 | 165e8928844e2a3e912afa09dda4356bc31bf4a2c00b54ff98dd52390c23a99b18c811ba48431d87c9b247d0850748d10906e1dff0d99ed2c28adbd004416b47 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Lightweight
| MD5 | 780d5012edd68b16d7b184f4181021b5 |
| SHA1 | 20f9f80a29297c85c92ee2c70d2ec36ccff87593 |
| SHA256 | 40fc7cd83e83ba95fc5b1af629dbb8c7fa3020782badbb6088f0f90f52cc4cc3 |
| SHA512 | 04b00d79594dd919d165117c09b65e091a49ccecb6e5a0ada1d8615c289268e69d9c0463e89986baf28d7de8a38f7920edecd1d5bae4661a28e0c83ccab67b3a |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4472604\Masturbating.pif
| MD5 | 6ee7ddebff0a2b78c7ac30f6e00d1d11 |
| SHA1 | f2f57024c7cc3f9ff5f999ee20c4f5c38bfc20a2 |
| SHA256 | 865347471135bb5459ad0e647e75a14ad91424b6f13a5c05d9ecd9183a8a1cf4 |
| SHA512 | 57d56de2bb882f491e633972003d7c6562ef2758c3731b913ff4d15379ada575062f4de2a48ca6d6d9241852a5b8a007f52792753fd8d8fee85b9a218714efd0 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4472604\j
| MD5 | 4b4f86ad7203f525253d3d01566391d8 |
| SHA1 | a89e684e1841e2c1bedd38234ab9d636862f177a |
| SHA256 | 120f7c4cad476f254ea5e757eb0d6cf36d64f900775c438e745007af2a735122 |
| SHA512 | b7cb135d16027182805c74679930c19e6075ecbf1d857fde735966e9273c5b4e8b5b0c5863dfe71fcb4af25c8cc68712a9238154bdc83e154b2240ee0c20eab2 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 52ab2545277c56832e770b6b3c881874 |
| SHA1 | 507a65880ec8ee94c197c1fe7bc9d777ee8b49f4 |
| SHA256 | f42fcd4c7d880de28fdfd9792cc17eabea55ed4296721aa74927bd567bc8b4fa |
| SHA512 | 294eff50fb35eb83c24a83bc441cb7cb3d1db53ea1b4af4b7603b3cfa74fa37fbf85585003aa8dd5a53167c83cc6f016123a5864971523927f4c9ffdbf282cfa |
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val
| MD5 | d222b77a61527f2c177b0869e7babc24 |
| SHA1 | 3f23acb984307a4aeba41ebbb70439c97ad1f268 |
| SHA256 | 80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747 |
| SHA512 | d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff |
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx
| MD5 | b5ad5caaaee00cb8cf445427975ae66c |
| SHA1 | dcde6527290a326e048f9c3a85280d3fa71e1e22 |
| SHA256 | b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8 |
| SHA512 | 92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f |
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock
| MD5 | f49655f856acb8884cc0ace29216f511 |
| SHA1 | cb0f1f87ec0455ec349aaa950c600475ac7b7b6b |
| SHA256 | 7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba |
| SHA512 | 599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 777dee608fac3fc9616e044eb5a4e709 |
| SHA1 | cdf70cf7d1f8eb3c69d6751679f4d746aead14f2 |
| SHA256 | c0e380b92ada1c06e7d6b13a85999fdaf30164ce3f319cc5577f254e31e4c88f |
| SHA512 | 1f5471f15f7122247e520fe2ee0213c3f21968372bbadd5528bd8bbb221c6fb0300cd62a4711957b7e02d87571f6bcd6a568a55d23160972b7edc03d55f1e0ef |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4472604\RegAsm.exe
| MD5 | 42ab6e035df99a43dbb879c86b620b91 |
| SHA1 | c6e116569d17d8142dbb217b1f8bfa95bc148c38 |
| SHA256 | 53195987d396986ebcb20425ac130e78ad308fdbd918f33f3fd92b99abda314b |
| SHA512 | 2e79de2d394ad33023d71611bb728b254aa4680b5a3a1ef5282b1155ddfaa2f3585c840a6700dfe0d1a276dac801298431f0187086d2e8f96b22f6c808fb97e5 |
memory/1480-278-0x000001E008840000-0x000001E008841000-memory.dmp
memory/1480-280-0x000001E008840000-0x000001E008841000-memory.dmp
memory/1480-279-0x000001E008840000-0x000001E008841000-memory.dmp
memory/1480-290-0x000001E008840000-0x000001E008841000-memory.dmp
memory/1480-289-0x000001E008840000-0x000001E008841000-memory.dmp
memory/1480-288-0x000001E008840000-0x000001E008841000-memory.dmp
memory/1480-287-0x000001E008840000-0x000001E008841000-memory.dmp
memory/1480-286-0x000001E008840000-0x000001E008841000-memory.dmp
memory/1480-285-0x000001E008840000-0x000001E008841000-memory.dmp
memory/1480-284-0x000001E008840000-0x000001E008841000-memory.dmp
memory/828-291-0x0000000000B50000-0x0000000000BA2000-memory.dmp
memory/828-293-0x0000000005A50000-0x0000000005FF6000-memory.dmp
memory/828-294-0x00000000055A0000-0x0000000005632000-memory.dmp
memory/828-295-0x0000000005750000-0x000000000575A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Tmp640F.tmp
| MD5 | 1420d30f964eac2c85b2ccfe968eebce |
| SHA1 | bdf9a6876578a3e38079c4f8cf5d6c79687ad750 |
| SHA256 | f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9 |
| SHA512 | 6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8 |
memory/828-310-0x0000000006100000-0x0000000006176000-memory.dmp
memory/828-311-0x0000000006790000-0x00000000067AE000-memory.dmp
memory/828-314-0x0000000006ED0000-0x00000000074E8000-memory.dmp
memory/828-315-0x0000000006A20000-0x0000000006B2A000-memory.dmp
memory/828-316-0x0000000006960000-0x0000000006972000-memory.dmp
memory/828-317-0x00000000069C0000-0x00000000069FC000-memory.dmp
memory/828-318-0x0000000006B30000-0x0000000006B7C000-memory.dmp
memory/828-319-0x0000000006C80000-0x0000000006CE6000-memory.dmp
memory/828-322-0x00000000075F0000-0x0000000007640000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 5430aa2f13b013b68275db2066f94f2e |
| SHA1 | c099fa2423e003a85a4b4fa3aad5f585508983bc |
| SHA256 | 9a7e95e8e0486b828813edda9468203e70118118086b1e7b255cacd685bc6ddf |
| SHA512 | 266ead0c62e8ec14d1b2c0b0891640743219123958fc4a623b4af3a0612f2098fba3a2055b89481c25d76017599ad8259ca6beab3b80a661b064c7278da6a07b |
memory/828-333-0x0000000007D30000-0x0000000007EF2000-memory.dmp
memory/828-334-0x0000000008BB0000-0x00000000090DC000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
| MD5 | b29bd20f97fab37886d1c59bfe538ebb |
| SHA1 | 50aa9d3e21db2b86fd1d84cd3b4599317c081b2c |
| SHA256 | a022af7bde687d0d857d94aab4985e1be31e2a7022c342ae8b971938fe9e1a13 |
| SHA512 | e52915f16a16fcf85e29b9abf763ff9b734ecaa55901489153987680b37c8a6749e553d44a7a3c2a7b66167a3b6388b200421946675f2060c93e3bc6e12fda63 |
memory/232-381-0x0000000001100000-0x0000000001152000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log
| MD5 | efda3630f946cbbf082e90258678f517 |
| SHA1 | 892764ed662f696b5eff334a223c6a588ec3e317 |
| SHA256 | bf2b8b89f30a49928b1cfc780b0cf46053e4854902166f54bf5e50fe6902ee60 |
| SHA512 | 7f1f6755892e5f73dd9dce7c1d12e664ee9fba3a910554049a14f29ca1a382849904854fb29fd9341400e0c40c7087c0f69d52a7aaf6b73d4f0297f430798dc3 |
C:\Users\Public\Desktop\Google Chrome.lnk
| MD5 | db0c47ecd0100d932cddfcfdc1771bb9 |
| SHA1 | aebae048bcb40790ae256a9ae1bdceb341fc1890 |
| SHA256 | edb03ca496c56fcdcc3c10e77a5b50d9023e497dee6f2c1f0e360e279cd44a01 |
| SHA512 | 8ce2128d11da81251914b14a1bbb00d0098ce99d5218846261f438f98b70d20acd5a36aa7f20726970110ab2a3c7c6a411d60c162dae46c58890d10982e2700b |
C:\Users\Admin\Desktop\Microsoft Edge.lnk
| MD5 | 27558ea2fc1e1a380e1b4afb6ba64885 |
| SHA1 | f62b86cf76e4534a3cafb028b1cbe146d8b88a0b |
| SHA256 | 13da2e03b26f782e20b073f8b654908d81561f338d723ad7e531b24797e92412 |
| SHA512 | fcd20d4f50556301b8c82ce235cb8810dc2ae568ec32aa4bab6898552442cd7d8df36c71eedbc12eca5134552540068d05a0fec989e08745d8b0a17a3f96cfcf |
memory/232-402-0x0000000006EE0000-0x0000000006F2C000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-02 14:21
Reported
2024-05-02 14:27
Platform
win7-20240221-en
Max time kernel
153s
Max time network
312s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Processes
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://download.tt2dd.com/
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef76c9758,0x7fef76c9768,0x7fef76c9778
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1120 --field-trial-handle=1368,i,9321073404670048423,14774167145562133,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1488 --field-trial-handle=1368,i,9321073404670048423,14774167145562133,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1632 --field-trial-handle=1368,i,9321073404670048423,14774167145562133,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2152 --field-trial-handle=1368,i,9321073404670048423,14774167145562133,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2284 --field-trial-handle=1368,i,9321073404670048423,14774167145562133,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1380 --field-trial-handle=1368,i,9321073404670048423,14774167145562133,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3804 --field-trial-handle=1368,i,9321073404670048423,14774167145562133,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3368 --field-trial-handle=1368,i,9321073404670048423,14774167145562133,131072 /prefetch:8
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Manual-Installer-V6.283878g98781110.tar.gz"
C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Manual-Installer-V6.283878g98781110\" -spe -an -ai#7zMap20060:132:7zEvent30541
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
C:\Users\Admin\Downloads\Manual-Installer-V6.283878g98781110\Setup.exe
"C:\Users\Admin\Downloads\Manual-Installer-V6.283878g98781110\Setup.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c move Flu Flu.cmd && Flu.cmd
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c md 4477764
C:\Windows\SysWOW64\findstr.exe
findstr /V "SENSORSALICEECUADORJAMAICA" Massive
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Hop + Stuart + Den + Lightweight + Metallic 4477764\j
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\4477764\Masturbating.pif
4477764\Masturbating.pif 4477764\j
C:\Windows\SysWOW64\PING.EXE
ping -n 5 127.0.0.1
C:\Windows\system32\SndVol.exe
SndVol.exe -m 69273373
C:\Users\Admin\Downloads\Manual-Installer-V6.283878g98781110\Setup.exe
"C:\Users\Admin\Downloads\Manual-Installer-V6.283878g98781110\Setup.exe"
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\4477764\RegAsm.exe
"C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\4477764\RegAsm.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c move Flu Flu.cmd && Flu.cmd
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c md 4478684
C:\Windows\SysWOW64\findstr.exe
findstr /V "SENSORSALICEECUADORJAMAICA" Massive
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Hop + Stuart + Den + Lightweight + Metallic 4478684\j
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\4478684\Masturbating.pif
4478684\Masturbating.pif 4478684\j
C:\Windows\SysWOW64\PING.EXE
ping -n 5 127.0.0.1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | download.tt2dd.com | udp |
| US | 108.178.44.242:443 | download.tt2dd.com | tcp |
| US | 108.178.44.242:443 | download.tt2dd.com | tcp |
| US | 108.178.44.242:443 | download.tt2dd.com | tcp |
| US | 108.178.44.242:443 | download.tt2dd.com | udp |
| US | 8.8.8.8:53 | qsrc.sg | udp |
| SG | 43.229.84.147:443 | qsrc.sg | tcp |
| SG | 43.229.84.147:443 | qsrc.sg | tcp |
| US | 8.8.8.8:53 | inforzip.net | udp |
| GB | 149.255.58.44:443 | inforzip.net | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 8.8.8.8:53 | ZYMikYGhrhAqbJsUidPnLr.ZYMikYGhrhAqbJsUidPnLr | udp |
| UA | 45.89.53.206:4663 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-02 14:21
Reported
2024-05-02 14:28
Platform
win10-20240404-en
Max time kernel
396s
Max time network
397s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 4692 created 3412 | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4480834\Masturbating.pif | C:\Windows\Explorer.EXE |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Downloads\Manual-Installer-V6.283878g98781110.tar\Manual-Installer-V6.283878g98781110\Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4480834\Masturbating.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4480834\RegAsm.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Enumerates physical storage devices
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133591333269846389" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4480834\RegAsm.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = [certificate blob omitted] | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4480834\RegAsm.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://download.tt2dd.com/
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffc87b29758,0x7ffc87b29768,0x7ffc87b29778
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1528 --field-trial-handle=1792,i,14096871723616758807,6117573471040748100,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2036 --field-trial-handle=1792,i,14096871723616758807,6117573471040748100,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2104 --field-trial-handle=1792,i,14096871723616758807,6117573471040748100,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2936 --field-trial-handle=1792,i,14096871723616758807,6117573471040748100,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2944 --field-trial-handle=1792,i,14096871723616758807,6117573471040748100,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4524 --field-trial-handle=1792,i,14096871723616758807,6117573471040748100,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4596 --field-trial-handle=1792,i,14096871723616758807,6117573471040748100,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2588 --field-trial-handle=1792,i,14096871723616758807,6117573471040748100,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1472 --field-trial-handle=1792,i,14096871723616758807,6117573471040748100,131072 /prefetch:8
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4692 --field-trial-handle=1792,i,14096871723616758807,6117573471040748100,131072 /prefetch:2
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Manual-Installer-V6.283878g98781110.tar\" -spe -an -ai#7zMap29300:138:7zEvent20484
C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Manual-Installer-V6.283878g98781110.tar\Manual-Installer-V6.283878g98781110\" -spe -an -ai#7zMap400:212:7zEvent20615
C:\Users\Admin\Downloads\Manual-Installer-V6.283878g98781110.tar\Manual-Installer-V6.283878g98781110\Setup.exe
"C:\Users\Admin\Downloads\Manual-Installer-V6.283878g98781110.tar\Manual-Installer-V6.283878g98781110\Setup.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c move Flu Flu.cmd && Flu.cmd
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c md 4480834
C:\Windows\SysWOW64\findstr.exe
findstr /V "SENSORSALICEECUADORJAMAICA" Massive
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Hop + Stuart + Den + Lightweight + Metallic 4480834\j
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4480834\Masturbating.pif
4480834\Masturbating.pif 4480834\j
C:\Windows\SysWOW64\PING.EXE
ping -n 5 127.0.0.1
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4480834\RegAsm.exe
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4480834\RegAsm.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | download.tt2dd.com | udp |
| US | 108.178.44.242:443 | download.tt2dd.com | tcp |
| US | 108.178.44.242:443 | download.tt2dd.com | tcp |
| US | 8.8.8.8:53 | 242.44.178.108.in-addr.arpa | udp |
| US | 108.178.44.242:443 | download.tt2dd.com | udp |
| US | 8.8.8.8:53 | qsrc.sg | udp |
| US | 20.231.121.79:80 | | tcp |
| SG | 43.229.84.147:443 | qsrc.sg | tcp |
| SG | 43.229.84.147:443 | qsrc.sg | tcp |
| US | 8.8.8.8:53 | 147.84.229.43.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 108.178.44.242:443 | download.tt2dd.com | udp |
| US | 8.8.8.8:53 | inforzip.net | udp |
| GB | 149.255.58.44:443 | inforzip.net | tcp |
| US | 8.8.8.8:53 | 44.58.255.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.73.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ZYMikYGhrhAqbJsUidPnLr.ZYMikYGhrhAqbJsUidPnLr | udp |
| UA | 45.89.53.206:4663 | | tcp |
| US | 8.8.8.8:53 | 206.53.89.45.in-addr.arpa | udp |
Files
| SHA512 | 98e4a5cb6431bef5dac88516c108fc99a5b107cfcaa7f01da8a0870cbed28c56bd6bec8f260af7ea34d317ba2cdb04ac3a00cf3da2b2947a054a909f84f4b9bc |
C:\Users\Admin\Downloads\Manual-Installer-V6.283878g98781110.tar\Manual-Installer-V6.283878g98781110\bin\Debug\MusicPlayerApp.vshost.exe.config
| MD5 | 28960c034283c54b6f70673f77fd07fa |
| SHA1 | 914b9e3f9557072ea35ec5725d046b825ef8b918 |
| SHA256 | 8d65429e0b2a82c11d3edc4ea04ed200aedfea1d7ef8b984e88a8e97cff54770 |
| SHA512 | d30dd93457a306d737aac32c0944880517ed4c3e8f2d1650ffca6c1d98e892082b41b40fb89ccf75d5f03d2464b0b4f943cd4b082071f0abfe978d149bd61479 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Flu
| MD5 | 7e7ce927035274de652713d2e76a48d8 |
| SHA1 | a3aaf56ebe58d2fad03a6d2adab5c6140497386d |
| SHA256 | d8110e2ea63fc466cda2945d1ce15f3a330ff263e1e9fd99b2075e06d2132ecf |
| SHA512 | af09e9d0de2743c976488c473cb0c71724cb2e4ff58ae37595f6df13e4c1b4e50a7d349f7b3dcd65eb2eb55e12140f927165a09e2ac402706de9d81eedd400a6 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Massive
| MD5 | d1b987734c4107491262869203ea885d |
| SHA1 | a77977d58281980a0205f883d12e5a9567ed3c57 |
| SHA256 | d52ead1f44490d46259b0be6ecfacbf12f587c3e86ca8a93f29357b50f0d834d |
| SHA512 | 239c91c71c99d6b30e503dd8c4780303bf68e0c01bccd8e1abe11b249f7413667ea7b863d9f20a39875e93ad1e80a811e79b34f386991d2f7a4ba9bc07379b91 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Americans
| MD5 | f753d86ec907939c8471850ce2a79036 |
| SHA1 | 22f07dc2373730f8d146ef7b9d58a212bee0c193 |
| SHA256 | 6c6a50fc1900ec8d5fdb9ed6e3c337b63af96a75c74587d2e5d5c89d8d738def |
| SHA512 | 36e6146ce600bc0035eb526f6fdc6bffd90caf34a345504fb44e46100f41decc9e6a55736cecd5901152e39521418e10e2884dbe439fe2b91934447a3853d6e9 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Neural
| MD5 | 89a81cf3771cfff9ee01f2423480907e |
| SHA1 | a5e8faa5c7c90410416f8aed827ca5141ec5a673 |
| SHA256 | 2c360e946acdf604c7b7f9fa9a3fefe55a206034e39dd1c0e92e9280c63e9dd0 |
| SHA512 | c0b37b6af7a1d44889e1ac39ff5d67b2324f14f8af9c3ea1522bcc4a8c70d364d510b61c9b70bc1d4fdd582826c400d0311f5b5cdb7415eaab13732b961648f7 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Enhancements
| MD5 | d698989610711e4b765d0f022feafecf |
| SHA1 | 859c28dcf1a2887606b180e8e8c5ef12e5dc18bc |
| SHA256 | 0b590a30e29b1d351a558db539a420e83bd4c490c9792f584b9f66b6ea4850e8 |
| SHA512 | f83c42df6e749664fd5e1f264cad212e6fbb666fe864e6abdb0fba0a15a465cdf62366fd83768caa70a36f881e19c3f76941b7a68835c01dbc62dba779d7961d |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Beats
| MD5 | 2885880aa38707935c64f6b3c7800f96 |
| SHA1 | 85ee867d80b9cfb1f138e3b0c0ea2a2f1ed6dca6 |
| SHA256 | 373bbb960914f99e82bebf4fb13f6d0c16302ac73bfee987af7cc7023f799f6e |
| SHA512 | ba0a1f2f5478db647bea242b4170d2e505f899fc98c4b11d145395a17f638ba3ac828b96fd6a7b94c744d8176152bc47c5b32b00180e489926c1f6a8e718cf16 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Frankfurt
| MD5 | 23b74e5504f3aec97990cf2566590916 |
| SHA1 | 5a58935fc51697df3d41e6439ecd4aba0f2732a7 |
| SHA256 | 5a9cdc044add9a81bab24db70c7b8aec1c4936f4a706cbeb12d4e5cca7c98163 |
| SHA512 | 941268012c574bf3411708ca932b38185535978e8149d69a9fce81b8e727471ebc063503cf40dcf70aaeb2c317e065971e1e2227f67f5a5142e729f230d95a29 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Coordinated
| MD5 | 03371e3e51103446a7d61646e6f4ebcc |
| SHA1 | dc28eaa3711df1e414821af095a76f34ad7f8e44 |
| SHA256 | 7008ac7fc2af470979e94eedf52d823f9dd3b3e1ff1d5a7914cbc0828d4832d5 |
| SHA512 | ab3abcea08a0a773014c7a22db3507c01635dbb43adff7dbf2253009335a2568c5603ebba9fac4fdedc7bc49d343436d6afb01649dcb9c071fe92cda2cb2d9ee |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Aruba
| MD5 | e914b530dd18a000b39ce75d203b784e |
| SHA1 | 4e7f2d318cd32ad01b4d94071839ba9b50543212 |
| SHA256 | dec10daacfe6e37bc50bb3bb6b76550ed802892f3a71beb3449cfbfbea607259 |
| SHA512 | 3d2e1b74660401c151583e78ef60f53b1168520552e4ae190853ca6eca760dd4a701280a1b2af8a2b00a81744b08caaa988aaf77afb4335a2669c41f54fd4c75 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Tone
| MD5 | 7b6ee2eb9f85cb183210389b0b0a5674 |
| SHA1 | 3922d0f86ca2b75ca6137da65bfe10ff29474495 |
| SHA256 | b6b91987a4a2dd89040fe8f22febfbfd91a764368b192ba91eea54acc7bc946a |
| SHA512 | ddc6090e1510d9793131e1ba4eb92fba589faba7e3e9851df337e2ce85b6952e2218194ea56ab54bc52d0a9aa156e063d0074aa8887b986fffa6dd4b15eb639e |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Spyware
| MD5 | 53d60db40a582d66f6f0b2c18a2a00a0 |
| SHA1 | 045e8decf2c5ed2199512646ebafa2e9c3e3b08b |
| SHA256 | 9322a9ff1608d3cba130f6d09d90d33af2946f501960124e9418b603ca6e4528 |
| SHA512 | f3d4d40de2796506a0b470c6473a4cd0c17adf601078bad766a0005f91a71568472a3ae05ebcd4b31eea1530dcf84a985a1944a80860b065303bacc210fb1705 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Hop
| MD5 | 7ebc57599cccec5284f3d1ddc8c8894d |
| SHA1 | 152812380c876e6083c55da5f51f05502033d48a |
| SHA256 | bbfc1a4903a574e59b782b0c380b53fdcc6c5374708777ae6b3d6a9a5f1b10ba |
| SHA512 | 8067f2b5fb4821ca57ee00ef90ece08875356e96f62501bfec5fc2763a93e8c78919dea6d75cb6e515e94f5fb0497784ff5ca5e2d737ec02430374834d902b32 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Stuart
| MD5 | 75dfcf3a58bff19cb1e08e64cb37e672 |
| SHA1 | 4ef53d554be37c3b82b54d1e4761c19ccfacb50a |
| SHA256 | 01a421b0dd3a357c5d740650c0f579c0c9e4b22bf94834ee575a0da69d5de3bc |
| SHA512 | f6be9514b81a9353f57a571460d1a85d9473546ba2b097309ff0e6ec17d3efa432353e3232605039d44de98ba2fd42f811a9db5903b4eddea25a744e006e7f2a |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Lightweight
| MD5 | 780d5012edd68b16d7b184f4181021b5 |
| SHA1 | 20f9f80a29297c85c92ee2c70d2ec36ccff87593 |
| SHA256 | 40fc7cd83e83ba95fc5b1af629dbb8c7fa3020782badbb6088f0f90f52cc4cc3 |
| SHA512 | 04b00d79594dd919d165117c09b65e091a49ccecb6e5a0ada1d8615c289268e69d9c0463e89986baf28d7de8a38f7920edecd1d5bae4661a28e0c83ccab67b3a |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Den
| MD5 | 82624b0ef5a2c57dad2a45392448a9b5 |
| SHA1 | e1f7ec58be7d744ea1aabe7d729cb8ceb0646511 |
| SHA256 | b8942ea1759d5712ba6722bd2019493217283471bf09e11a393cbd21e81e954f |
| SHA512 | 5d16be6a7aeadc1ab43207643578446a2b86bb4d894d4a44c02667065de1cac22ec8a2cccb8dca1dbc42bf2e3989b59053c2671ec30193d7475e252d1748fa4d |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Metallic
| MD5 | f266514e1e9922b935796d012d03add5 |
| SHA1 | a5441cf2010d07a3c005c1f3f71e867789f87730 |
| SHA256 | 23058c81207b6d1044c40793e021782b849245293742883a050999d98174a12a |
| SHA512 | 165e8928844e2a3e912afa09dda4356bc31bf4a2c00b54ff98dd52390c23a99b18c811ba48431d87c9b247d0850748d10906e1dff0d99ed2c28adbd004416b47 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4480834\Masturbating.pif
| MD5 | 6ee7ddebff0a2b78c7ac30f6e00d1d11 |
| SHA1 | f2f57024c7cc3f9ff5f999ee20c4f5c38bfc20a2 |
| SHA256 | 865347471135bb5459ad0e647e75a14ad91424b6f13a5c05d9ecd9183a8a1cf4 |
| SHA512 | 57d56de2bb882f491e633972003d7c6562ef2758c3731b913ff4d15379ada575062f4de2a48ca6d6d9241852a5b8a007f52792753fd8d8fee85b9a218714efd0 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4480834\j
| MD5 | 4b4f86ad7203f525253d3d01566391d8 |
| SHA1 | a89e684e1841e2c1bedd38234ab9d636862f177a |
| SHA256 | 120f7c4cad476f254ea5e757eb0d6cf36d64f900775c438e745007af2a735122 |
| SHA512 | b7cb135d16027182805c74679930c19e6075ecbf1d857fde735966e9273c5b4e8b5b0c5863dfe71fcb4af25c8cc68712a9238154bdc83e154b2240ee0c20eab2 |
memory/3032-231-0x0000000000800000-0x0000000000852000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4480834\RegAsm.exe
| MD5 | b58b926c3574d28d5b7fdd2ca3ec30d5 |
| SHA1 | d260c4ffd603a9cfc057fcb83d678b1cecdf86f9 |
| SHA256 | 6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3 |
| SHA512 | b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab |
memory/3032-234-0x0000000005280000-0x000000000577E000-memory.dmp
memory/3032-235-0x0000000004D80000-0x0000000004E12000-memory.dmp
memory/3032-236-0x0000000004D10000-0x0000000004D1A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Tmp49AE.tmp
| MD5 | 1420d30f964eac2c85b2ccfe968eebce |
| SHA1 | bdf9a6876578a3e38079c4f8cf5d6c79687ad750 |
| SHA256 | f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9 |
| SHA512 | 6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8 |
memory/3032-253-0x0000000005880000-0x00000000058F6000-memory.dmp
memory/3032-254-0x0000000005FD0000-0x0000000005FEE000-memory.dmp
memory/3032-256-0x0000000006600000-0x0000000006C06000-memory.dmp
memory/3032-257-0x0000000006170000-0x000000000627A000-memory.dmp
memory/3032-258-0x00000000060A0000-0x00000000060B2000-memory.dmp
memory/3032-259-0x0000000006100000-0x000000000613E000-memory.dmp
memory/3032-260-0x0000000006280000-0x00000000062CB000-memory.dmp
memory/3032-261-0x00000000063B0000-0x0000000006416000-memory.dmp
memory/3032-264-0x0000000006E60000-0x0000000006EB0000-memory.dmp
memory/3032-266-0x00000000073D0000-0x0000000007592000-memory.dmp
memory/3032-267-0x0000000007FE0000-0x000000000850C000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
| MD5 | 0cb50bb721cfa48d61c234fe56bd4e2e |
| SHA1 | 9bfb0bdc15eaa505531cc4c614d4b449867ed78f |
| SHA256 | 05d4e0afd2c55f0444d353abdbf0f328e60a9d20a947bdbc07ba8111d305d1e8 |
| SHA512 | cbad5f07a77f79f974b32eb3008889e47f7c0098b853e111416b46c688495bd3ca04df69e8104f5a9b19e503cd4700bae7d6ee8ea218da596b84d91cd42d3925 |