Analysis
- max time kernel: 261s
- max time network: 251s
- platform: windows10-1703_x64
- resource: win10-20231215-en
- resource tags: arch:x64, arch:x86, image:win10-20231215-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 06-02-2024 19:33
- Static task: static1
- URLScan task: urlscan1
- Behavioral task: behavioral1
- Sample: http://prdev.xyz
- Resource: win10-20231215-en
General
- Target: http://prdev.xyz
Malware Config
- Extracted (redline): newhope2, 91.92.246.148:3362
Signatures
Detect ZGRat V1 35 IoCs
Processes:
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 1 IoCs
Processes:
- yara rule family_redline: behavioral1/memory/4844-1458-0x0000000000400000-0x0000000000454000-memory.dmp
Executes dropped EXE 2 IoCs
Processes:
- 3648 costcodeproresieres.exe
- 4804 costcodeprores.exe
Loads dropped DLL 1 IoCs
Processes:
- 4892 MsiExec.exe
Modifies file permissions 1 TTPs 1 IoCs
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
- costcodeproresieres.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
- costcodeprores.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: msiexec.exe, msiexec.exe
- File opened (read-only) by msiexec.exe: \??\A:, \??\B:, \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z: (23 drive letters, each listed twice)
Suspicious use of SetThreadContext 1 IoCs
Processes:
- PID 60 costcode.exe set thread context of PID 4844 MSBuild.exe
Drops file in Windows directory 9 IoCs
Processes: EXPAND.EXE, msiexec.exe
- File opened for modification C:\Windows\Logs\DPX\setuperr.log (EXPAND.EXE)
- File created C:\Windows\Installer\e57e465.msi (msiexec.exe)
- File opened for modification C:\Windows\Installer\e57e465.msi (msiexec.exe)
- File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log (msiexec.exe)
- File opened for modification C:\Windows\Installer\MSIE61A.tmp (msiexec.exe)
- File opened for modification C:\Windows\Logs\DPX\setupact.log (EXPAND.EXE)
- File created C:\Windows\Installer\SourceHash{A9CC28B9-1D51-4AC4-B983-3D5E9B4ED314} (msiexec.exe)
- File opened for modification C:\Windows\Installer\ (msiexec.exe)
- File created C:\Windows\Installer\inprogressinstallinfo.ipi (msiexec.exe)
Enumerates system info in registry 2 TTPs 3 IoCs
Processes: chrome.exe
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
Modifies data under HKEY_USERS 2 IoCs
Processes: chrome.exe
- Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry
- Set value (int) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133517216526491023"
Modifies registry class 1 IoCs
Processes: chrome.exe
- Key created \REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings
Suspicious behavior: EnumeratesProcesses 24 IoCs
Processes:
- 308 chrome.exe (2 events)
- 1684 msiexec.exe (2 events)
- 3812 powershell.exe (4 events)
- 4844 MSBuild.exe (16 events)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs
Processes:
- 308 chrome.exe (4 events)
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
- 308 chrome.exe: Token: SeShutdownPrivilege and Token: SeCreatePagefilePrivilege, alternating (17 of each)
- 2900 msiexec.exe: Token: SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege
- 1684 msiexec.exe: Token: SeSecurityPrivilege
Suspicious use of FindShellTrayWindow 53 IoCs
Processes:
- 308 chrome.exe (52 events)
- 2900 msiexec.exe (1 event)
Suspicious use of SendNotifyMessage 24 IoCs
Processes:
- 308 chrome.exe (24 events)
Suspicious use of SetWindowsHookEx 5 IoCs
Processes:
- 3648 costcodeproresieres.exe
- 3724 cmd.exe
- 60 costcode.exe
- 4844 MSBuild.exe
- 4528 probablyprogram.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
- PID 308 chrome.exe wrote to the memory of its child chrome.exe processes 5116, 3052, 4608 and 2188 (64 write events in total)
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- PID 308: "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://prdev.xyz
  Signatures: Enumerates system info in registry; Modifies data under HKEY_USERS; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  - PID 5116: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffb51e79758,0x7ffb51e79768,0x7ffb51e79778
  - PID 4608: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1960 --field-trial-handle=1732,i,7741324272075129565,997380753489288717,131072 /prefetch:8
  - PID 1292: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2632 --field-trial-handle=1732,i,7741324272075129565,997380753489288717,131072 /prefetch:1
  - PID 2188: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2056 --field-trial-handle=1732,i,7741324272075129565,997380753489288717,131072 /prefetch:8
  - PID 3052: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1676 --field-trial-handle=1732,i,7741324272075129565,997380753489288717,131072 /prefetch:2
  - PID 2004: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2640 --field-trial-handle=1732,i,7741324272075129565,997380753489288717,131072 /prefetch:1
  - PID 704: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4392 --field-trial-handle=1732,i,7741324272075129565,997380753489288717,131072 /prefetch:1
  - PID 4972: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4964 --field-trial-handle=1732,i,7741324272075129565,997380753489288717,131072 /prefetch:8
  - PID 1792: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3760 --field-trial-handle=1732,i,7741324272075129565,997380753489288717,131072 /prefetch:8
  - PID 660: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3268 --field-trial-handle=1732,i,7741324272075129565,997380753489288717,131072 /prefetch:1
  - PID 1800: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5460 --field-trial-handle=1732,i,7741324272075129565,997380753489288717,131072 /prefetch:8
  - PID 2560: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5028 --field-trial-handle=1732,i,7741324272075129565,997380753489288717,131072 /prefetch:8
  - PID 2900: "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\EngineChromium.msi"
    Signatures: Enumerates connected drives; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow
- PID 2584: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
- PID 1684: C:\Windows\system32\msiexec.exe /V
  Signatures: Enumerates connected drives; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - PID 4468: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  - PID 4892: C:\Windows\syswow64\MsiExec.exe -Embedding D24A23837F6412676B128B082EC54B50
    Signatures: Loads dropped DLL
    - PID 4220: "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-28cceab8-c39a-48f4-b559-9781ceb3e646\." /SETINTEGRITYLEVEL (CI)(OI)HIGH (image: C:\Windows\SysWOW64\ICACLS.EXE)
      Signatures: Modifies file permissions
    - PID 4648: "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files (image: C:\Windows\SysWOW64\EXPAND.EXE)
      Signatures: Drops file in Windows directory
    - PID 3648: "C:\Users\Admin\AppData\Local\Temp\MW-28cceab8-c39a-48f4-b559-9781ceb3e646\files\costcodeproresieres.exe"
      Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of SetWindowsHookEx
      - PID 3724: cmd /c costcode.bat (image: C:\Windows\SysWOW64\cmd.exe)
        Signatures: Suspicious use of SetWindowsHookEx
        - PID 3812: powershell -inputformat none -outputformat none -NonInteractive -ExecutionPolicy Bypass -Command Add-MpPreference -ExclusionPath 'C:\' (image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe)
          Signatures: Suspicious behavior: EnumeratesProcesses
      - PID 4804: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\costcodeprores.exe
        Signatures: Executes dropped EXE; Adds Run key to start application
        - PID 60: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\costcode.exe
          Signatures: Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx
          - PID 4844: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
            Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx
        - PID 4528: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\probablyprogram.exe
          Signatures: Suspicious use of SetWindowsHookEx
- PID 2324: C:\Windows\system32\vssvc.exe
Network
MITRE ATT&CK Enterprise v15
Downloads