Malware Analysis Report

2024-11-16 15:51

Sample ID 240206-x9jdkaeca6
Target http://prdev.xyz
Tags
redline zgrat newhope2 discovery infostealer persistence rat spyware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

Threat Level: Known bad

The file http://prdev.xyz was found to be: Known bad.

Malicious Activity Summary

redline zgrat newhope2 discovery infostealer persistence rat spyware

RedLine payload

RedLine

Detect ZGRat V1

ZGRat

Loads dropped DLL

Modifies file permissions

Executes dropped EXE

Enumerates connected drives

Adds Run key to start application

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of SetThreadContext

Drops file in Windows directory

Modifies registry class

Suspicious use of SendNotifyMessage

Modifies data under HKEY_USERS

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Uses Volume Shadow Copy service COM API

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Enumerates system info in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-06 19:33

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-06 19:33

Reported

2024-02-06 19:38

Platform

win10-20231215-en

Max time kernel

261s

Max time network

251s

Command Line

"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://prdev.xyz

Signatures

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A (35 identical rows)

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

ZGRat

rat zgrat

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A

Modifies file permissions

discovery

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ICACLS.EXE N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\MW-28cceab8-c39a-48f4-b559-9781ceb3e646\files\costcodeproresieres.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\costcodeprores.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\System32\msiexec.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 60 set thread context of 4844 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\costcode.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Logs\DPX\setuperr.log C:\Windows\SysWOW64\EXPAND.EXE N/A
File created C:\Windows\Installer\e57e465.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e57e465.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIE61A.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Logs\DPX\setupact.log C:\Windows\SysWOW64\EXPAND.EXE N/A
File created C:\Windows\Installer\SourceHash{A9CC28B9-1D51-4AC4-B983-3D5E9B4ED314} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133517216526491023" C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A (2 identical rows)
N/A N/A C:\Windows\system32\msiexec.exe N/A (2 identical rows)
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A (4 identical rows)
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A (16 identical rows)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A (17 rows, alternating with the next entry)
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A (17 rows)
Token: SeShutdownPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A (52 identical rows)
N/A N/A C:\Windows\System32\msiexec.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A (24 identical rows)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 308 wrote to memory of 5116 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe (2 identical rows)
PID 308 wrote to memory of 3052 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe (38 identical rows)
PID 308 wrote to memory of 4608 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe (2 identical rows)
PID 308 wrote to memory of 2188 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe (22 identical rows)

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://prdev.xyz

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffb51e79758,0x7ffb51e79768,0x7ffb51e79778

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1960 --field-trial-handle=1732,i,7741324272075129565,997380753489288717,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2632 --field-trial-handle=1732,i,7741324272075129565,997380753489288717,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2056 --field-trial-handle=1732,i,7741324272075129565,997380753489288717,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1676 --field-trial-handle=1732,i,7741324272075129565,997380753489288717,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2640 --field-trial-handle=1732,i,7741324272075129565,997380753489288717,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4392 --field-trial-handle=1732,i,7741324272075129565,997380753489288717,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4964 --field-trial-handle=1732,i,7741324272075129565,997380753489288717,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3760 --field-trial-handle=1732,i,7741324272075129565,997380753489288717,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3268 --field-trial-handle=1732,i,7741324272075129565,997380753489288717,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5460 --field-trial-handle=1732,i,7741324272075129565,997380753489288717,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5028 --field-trial-handle=1732,i,7741324272075129565,997380753489288717,131072 /prefetch:8

C:\Windows\System32\msiexec.exe

"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\EngineChromium.msi"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding D24A23837F6412676B128B082EC54B50

C:\Windows\SysWOW64\ICACLS.EXE

"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-28cceab8-c39a-48f4-b559-9781ceb3e646\." /SETINTEGRITYLEVEL (CI)(OI)HIGH

C:\Windows\SysWOW64\EXPAND.EXE

"C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files

C:\Users\Admin\AppData\Local\Temp\MW-28cceab8-c39a-48f4-b559-9781ceb3e646\files\costcodeproresieres.exe

"C:\Users\Admin\AppData\Local\Temp\MW-28cceab8-c39a-48f4-b559-9781ceb3e646\files\costcodeproresieres.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c costcode.bat

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -ExecutionPolicy Bypass -Command Add-MpPreference -ExclusionPath 'C:\'

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\costcodeprores.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\costcodeprores.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\costcode.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\costcode.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\probablyprogram.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\probablyprogram.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 prdev.xyz udp
BR 149.62.37.57:80 prdev.xyz tcp
BR 149.62.37.57:80 prdev.xyz tcp
BR 149.62.37.57:80 prdev.xyz tcp
BR 149.62.37.57:443 prdev.xyz tcp
BR 149.62.37.57:443 prdev.xyz tcp
BR 149.62.37.57:443 prdev.xyz udp
US 8.8.8.8:53 57.37.62.149.in-addr.arpa udp
US 8.8.8.8:53 196.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 2542116.fls.doubleclick.net udp
GB 172.217.169.6:443 2542116.fls.doubleclick.net tcp
US 8.8.8.8:53 tools.google.com udp
US 8.8.8.8:53 s.ytimg.com udp
GB 216.58.213.14:443 tools.google.com tcp
US 8.8.8.8:53 www.youtube.com udp
GB 142.250.200.14:443 www.youtube.com tcp
US 8.8.8.8:53 googleads.g.doubleclick.net udp
US 8.8.8.8:53 static.doubleclick.net udp
GB 142.250.200.14:443 www.youtube.com tcp
GB 172.217.16.226:443 googleads.g.doubleclick.net tcp
GB 142.250.178.6:443 static.doubleclick.net tcp
US 8.8.8.8:53 www.google.com udp
GB 142.250.178.4:443 www.google.com tcp
US 8.8.8.8:53 10.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 8.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 6.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 14.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 3.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 14.213.58.216.in-addr.arpa udp
US 8.8.8.8:53 14.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 98.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 226.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 6.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 4.178.250.142.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 stutti.de udp
DE 173.212.217.249:443 stutti.de tcp
DE 173.212.217.249:443 stutti.de tcp
US 8.8.8.8:53 apps.identrust.com udp
GB 96.17.179.205:80 apps.identrust.com tcp
US 8.8.8.8:53 249.217.212.173.in-addr.arpa udp
US 8.8.8.8:53 205.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
NL 91.92.246.148:3362 tcp
US 8.8.8.8:53 148.246.92.91.in-addr.arpa udp
US 8.8.8.8:53 210.143.182.52.in-addr.arpa udp
US 8.8.8.8:53 49.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 67.179.17.96.in-addr.arpa udp

Files

\??\pipe\crashpad_308_YCRFIUOXDTMFRFJW

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

C:\Users\Admin\Downloads\EngineChromium.msi

C:\Users\Admin\Downloads\EngineChromium.msi

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57dc85.TMP

C:\Windows\Installer\MSIE61A.tmp

\Windows\Installer\MSIE61A.tmp

C:\Users\Admin\AppData\Local\Temp\MW-28cceab8-c39a-48f4-b559-9781ceb3e646\msiwrapper.ini

C:\Users\Admin\AppData\Local\Temp\MW-28cceab8-c39a-48f4-b559-9781ceb3e646\files.cab

C:\Users\Admin\AppData\Local\Temp\MW-28cceab8-c39a-48f4-b559-9781ceb3e646\files\costcodeproresieres.exe

C:\Users\Admin\AppData\Local\Temp\MW-28cceab8-c39a-48f4-b559-9781ceb3e646\files\costcodeproresieres.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\costcode.bat

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zlf4hkz5.wuj.ps1

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\costcodeprores.exe

\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

\??\Volume{e69dc57c-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{1374447e-3710-404c-a447-5191c36599e9}_OnDiskSnapshotProp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
