hxxp://google[.]com

Analysis

max time kernel
177s
max time network
177s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
05-07-2023 09:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://google.com

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1120	rptviewer.exe
4704	rptviewer.exe

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00080000000231d0-545.dat	upx
behavioral1/files/0x00080000000231d0-563.dat	upx
behavioral1/files/0x00080000000231d0-564.dat	upx
behavioral1/memory/1120-565-0x0000000000400000-0x00000000004E4000-memory.dmp	upx
behavioral1/files/0x00080000000231d0-567.dat	upx
behavioral1/memory/4704-568-0x0000000000400000-0x00000000004E4000-memory.dmp	upx
behavioral1/memory/1120-590-0x0000000000400000-0x00000000004E4000-memory.dmp	upx
behavioral1/memory/4704-592-0x0000000000400000-0x00000000004E4000-memory.dmp	upx
behavioral1/memory/1120-593-0x0000000000400000-0x00000000004E4000-memory.dmp	upx
behavioral1/memory/1120-594-0x0000000000400000-0x00000000004E4000-memory.dmp	upx
behavioral1/memory/1120-595-0x0000000000400000-0x00000000004E4000-memory.dmp	upx
behavioral1/memory/1120-601-0x0000000000400000-0x00000000004E4000-memory.dmp	upx
behavioral1/memory/1120-603-0x0000000000400000-0x00000000004E4000-memory.dmp	upx
behavioral1/memory/1120-613-0x0000000000400000-0x00000000004E4000-memory.dmp	upx
behavioral1/memory/1120-614-0x0000000000400000-0x00000000004E4000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2 = 14001f5425481e03947bc34db131e946b44c8dd50000	rptviewer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlgLegacy\{C4D98F09-6124-4FE0-9942-826416082DA9}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	rptviewer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "6"	rptviewer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rptviewer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	rptviewer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	rptviewer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	rptviewer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rptviewer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "6"	rptviewer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlgLegacy\{C4D98F09-6124-4FE0-9942-826416082DA9}\FFlags = "1"	rptviewer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	rptviewer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	rptviewer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	rptviewer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	rptviewer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "4294967295"	rptviewer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlgLegacy\{24CCB8A6-C45A-477D-B940-3382B9225668}\IconSize = "48"	rptviewer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac04000000c8000000354b179bff40d211a27e00c04fc308710300000080000000354b179bff40d211a27e00c04fc308710200000080000000	rptviewer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	rptviewer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlgLegacy\{C4D98F09-6124-4FE0-9942-826416082DA9}\IconSize = "48"	rptviewer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5	rptviewer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	rptviewer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	rptviewer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlgLegacy\{C4D98F09-6124-4FE0-9942-826416082DA9}\FFlags = "1092616257"	rptviewer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rptviewer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rptviewer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlgLegacy\{C4D98F09-6124-4FE0-9942-826416082DA9}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	rptviewer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	rptviewer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 020000000100000000000000ffffffff	rptviewer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlgLegacy\{C4D98F09-6124-4FE0-9942-826416082DA9}\GroupByKey:PID = "0"	rptviewer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	rptviewer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	rptviewer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000	rptviewer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257"	rptviewer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 000000000200000001000000ffffffff	rptviewer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	rptviewer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	rptviewer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlgLegacy\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupView = "4294967295"	rptviewer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlgLegacy\{C4D98F09-6124-4FE0-9942-826416082DA9}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	rptviewer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlgLegacy	rptviewer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	rptviewer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "48"	rptviewer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy	rptviewer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlgLegacy\{24CCB8A6-C45A-477D-B940-3382B9225668}	rptviewer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rptviewer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	rptviewer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	rptviewer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = ffffffff	rptviewer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlgLegacy	rptviewer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	rptviewer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlgLegacy\{C4D98F09-6124-4FE0-9942-826416082DA9}	rptviewer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	rptviewer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\NodeSlot = "5"	rptviewer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	rptviewer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "48"	rptviewer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	rptviewer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\NodeSlot = "4"	rptviewer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlgLegacy\{C4D98F09-6124-4FE0-9942-826416082DA9}\LogicalViewMode = "2"	rptviewer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	rptviewer.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy	rptviewer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlgLegacy\{C4D98F09-6124-4FE0-9942-826416082DA9}\Mode = "6"	rptviewer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rptviewer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1"	rptviewer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlot = "2"	rptviewer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlgLegacy\{24CCB8A6-C45A-477D-B940-3382B9225668}\FFlags = "1092616257"	rptviewer.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2632	chrome.exe
2632	chrome.exe
2132	chrome.exe
2132	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1120	rptviewer.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

pid	Process
2632	chrome.exe
2632	chrome.exe
2632	chrome.exe
2632	chrome.exe
2632	chrome.exe
2632	chrome.exe
2632	chrome.exe
2632	chrome.exe
2632	chrome.exe
2632	chrome.exe
2632	chrome.exe
2632	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2632	chrome.exe
Token: SeCreatePagefilePrivilege	2632	chrome.exe
Token: SeShutdownPrivilege	2632	chrome.exe
Token: SeCreatePagefilePrivilege	2632	chrome.exe
Token: SeShutdownPrivilege	2632	chrome.exe
Token: SeCreatePagefilePrivilege	2632	chrome.exe
Token: SeShutdownPrivilege	2632	chrome.exe
Token: SeCreatePagefilePrivilege	2632	chrome.exe
Token: SeShutdownPrivilege	2632	chrome.exe
Token: SeCreatePagefilePrivilege	2632	chrome.exe
Token: SeShutdownPrivilege	2632	chrome.exe
Token: SeCreatePagefilePrivilege	2632	chrome.exe
Token: SeShutdownPrivilege	2632	chrome.exe
Token: SeCreatePagefilePrivilege	2632	chrome.exe
Token: SeShutdownPrivilege	2632	chrome.exe
Token: SeCreatePagefilePrivilege	2632	chrome.exe
Token: SeShutdownPrivilege	2632	chrome.exe
Token: SeCreatePagefilePrivilege	2632	chrome.exe
Token: SeShutdownPrivilege	2632	chrome.exe
Token: SeCreatePagefilePrivilege	2632	chrome.exe
Token: SeShutdownPrivilege	2632	chrome.exe
Token: SeCreatePagefilePrivilege	2632	chrome.exe
Token: SeShutdownPrivilege	2632	chrome.exe
Token: SeCreatePagefilePrivilege	2632	chrome.exe
Token: SeShutdownPrivilege	2632	chrome.exe
Token: SeCreatePagefilePrivilege	2632	chrome.exe
Token: SeShutdownPrivilege	2632	chrome.exe
Token: SeCreatePagefilePrivilege	2632	chrome.exe
Token: SeShutdownPrivilege	2632	chrome.exe
Token: SeCreatePagefilePrivilege	2632	chrome.exe
Token: SeShutdownPrivilege	2632	chrome.exe
Token: SeCreatePagefilePrivilege	2632	chrome.exe
Token: SeShutdownPrivilege	2632	chrome.exe
Token: SeCreatePagefilePrivilege	2632	chrome.exe
Token: SeShutdownPrivilege	2632	chrome.exe
Token: SeCreatePagefilePrivilege	2632	chrome.exe
Token: SeShutdownPrivilege	2632	chrome.exe
Token: SeCreatePagefilePrivilege	2632	chrome.exe
Token: SeShutdownPrivilege	2632	chrome.exe
Token: SeCreatePagefilePrivilege	2632	chrome.exe
Token: SeShutdownPrivilege	2632	chrome.exe
Token: SeCreatePagefilePrivilege	2632	chrome.exe
Token: SeShutdownPrivilege	2632	chrome.exe
Token: SeCreatePagefilePrivilege	2632	chrome.exe
Token: SeShutdownPrivilege	2632	chrome.exe
Token: SeCreatePagefilePrivilege	2632	chrome.exe
Token: SeShutdownPrivilege	2632	chrome.exe
Token: SeCreatePagefilePrivilege	2632	chrome.exe
Token: SeShutdownPrivilege	2632	chrome.exe
Token: SeCreatePagefilePrivilege	2632	chrome.exe
Token: SeShutdownPrivilege	2632	chrome.exe
Token: SeCreatePagefilePrivilege	2632	chrome.exe
Token: SeShutdownPrivilege	2632	chrome.exe
Token: SeCreatePagefilePrivilege	2632	chrome.exe
Token: SeShutdownPrivilege	2632	chrome.exe
Token: SeCreatePagefilePrivilege	2632	chrome.exe
Token: SeShutdownPrivilege	2632	chrome.exe
Token: SeCreatePagefilePrivilege	2632	chrome.exe
Token: SeShutdownPrivilege	2632	chrome.exe
Token: SeCreatePagefilePrivilege	2632	chrome.exe
Token: SeShutdownPrivilege	2632	chrome.exe
Token: SeCreatePagefilePrivilege	2632	chrome.exe
Token: SeShutdownPrivilege	2632	chrome.exe
Token: SeCreatePagefilePrivilege	2632	chrome.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
2632	chrome.exe
2632	chrome.exe
2632	chrome.exe
2632	chrome.exe
2632	chrome.exe
2632	chrome.exe
2632	chrome.exe
2632	chrome.exe
2632	chrome.exe
2632	chrome.exe
2632	chrome.exe
2632	chrome.exe
2632	chrome.exe
2632	chrome.exe
2632	chrome.exe
2632	chrome.exe
2632	chrome.exe
2632	chrome.exe
2632	chrome.exe
2632	chrome.exe
2632	chrome.exe
2632	chrome.exe
2632	chrome.exe
2632	chrome.exe
2632	chrome.exe
2632	chrome.exe
2632	chrome.exe
2632	chrome.exe
2632	chrome.exe
2632	chrome.exe
2632	chrome.exe
2632	chrome.exe
2632	chrome.exe
2632	chrome.exe
2632	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2632	chrome.exe
2632	chrome.exe
2632	chrome.exe
2632	chrome.exe
2632	chrome.exe
2632	chrome.exe
2632	chrome.exe
2632	chrome.exe
2632	chrome.exe
2632	chrome.exe
2632	chrome.exe
2632	chrome.exe
2632	chrome.exe
2632	chrome.exe
2632	chrome.exe
2632	chrome.exe
2632	chrome.exe
2632	chrome.exe
2632	chrome.exe
2632	chrome.exe
2632	chrome.exe
2632	chrome.exe
2632	chrome.exe
2632	chrome.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1120	rptviewer.exe
1120	rptviewer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2632 wrote to memory of 2064	2632	chrome.exe	80
PID 2632 wrote to memory of 2064	2632	chrome.exe	80
PID 2632 wrote to memory of 1152	2632	chrome.exe	82
PID 2632 wrote to memory of 1152	2632	chrome.exe	82
PID 2632 wrote to memory of 1152	2632	chrome.exe	82
PID 2632 wrote to memory of 1152	2632	chrome.exe	82
PID 2632 wrote to memory of 1152	2632	chrome.exe	82
PID 2632 wrote to memory of 1152	2632	chrome.exe	82
PID 2632 wrote to memory of 1152	2632	chrome.exe	82
PID 2632 wrote to memory of 1152	2632	chrome.exe	82
PID 2632 wrote to memory of 1152	2632	chrome.exe	82
PID 2632 wrote to memory of 1152	2632	chrome.exe	82
PID 2632 wrote to memory of 1152	2632	chrome.exe	82
PID 2632 wrote to memory of 1152	2632	chrome.exe	82
PID 2632 wrote to memory of 1152	2632	chrome.exe	82
PID 2632 wrote to memory of 1152	2632	chrome.exe	82
PID 2632 wrote to memory of 1152	2632	chrome.exe	82
PID 2632 wrote to memory of 1152	2632	chrome.exe	82
PID 2632 wrote to memory of 1152	2632	chrome.exe	82
PID 2632 wrote to memory of 1152	2632	chrome.exe	82
PID 2632 wrote to memory of 1152	2632	chrome.exe	82
PID 2632 wrote to memory of 1152	2632	chrome.exe	82
PID 2632 wrote to memory of 1152	2632	chrome.exe	82
PID 2632 wrote to memory of 1152	2632	chrome.exe	82
PID 2632 wrote to memory of 1152	2632	chrome.exe	82
PID 2632 wrote to memory of 1152	2632	chrome.exe	82
PID 2632 wrote to memory of 1152	2632	chrome.exe	82
PID 2632 wrote to memory of 1152	2632	chrome.exe	82
PID 2632 wrote to memory of 1152	2632	chrome.exe	82
PID 2632 wrote to memory of 1152	2632	chrome.exe	82
PID 2632 wrote to memory of 1152	2632	chrome.exe	82
PID 2632 wrote to memory of 1152	2632	chrome.exe	82
PID 2632 wrote to memory of 1152	2632	chrome.exe	82
PID 2632 wrote to memory of 1152	2632	chrome.exe	82
PID 2632 wrote to memory of 1152	2632	chrome.exe	82
PID 2632 wrote to memory of 1152	2632	chrome.exe	82
PID 2632 wrote to memory of 1152	2632	chrome.exe	82
PID 2632 wrote to memory of 1152	2632	chrome.exe	82
PID 2632 wrote to memory of 1152	2632	chrome.exe	82
PID 2632 wrote to memory of 1152	2632	chrome.exe	82
PID 2632 wrote to memory of 3920	2632	chrome.exe	83
PID 2632 wrote to memory of 3920	2632	chrome.exe	83
PID 2632 wrote to memory of 1256	2632	chrome.exe	84
PID 2632 wrote to memory of 1256	2632	chrome.exe	84
PID 2632 wrote to memory of 1256	2632	chrome.exe	84
PID 2632 wrote to memory of 1256	2632	chrome.exe	84
PID 2632 wrote to memory of 1256	2632	chrome.exe	84
PID 2632 wrote to memory of 1256	2632	chrome.exe	84
PID 2632 wrote to memory of 1256	2632	chrome.exe	84
PID 2632 wrote to memory of 1256	2632	chrome.exe	84
PID 2632 wrote to memory of 1256	2632	chrome.exe	84
PID 2632 wrote to memory of 1256	2632	chrome.exe	84
PID 2632 wrote to memory of 1256	2632	chrome.exe	84
PID 2632 wrote to memory of 1256	2632	chrome.exe	84
PID 2632 wrote to memory of 1256	2632	chrome.exe	84
PID 2632 wrote to memory of 1256	2632	chrome.exe	84
PID 2632 wrote to memory of 1256	2632	chrome.exe	84
PID 2632 wrote to memory of 1256	2632	chrome.exe	84
PID 2632 wrote to memory of 1256	2632	chrome.exe	84
PID 2632 wrote to memory of 1256	2632	chrome.exe	84
PID 2632 wrote to memory of 1256	2632	chrome.exe	84
PID 2632 wrote to memory of 1256	2632	chrome.exe	84
PID 2632 wrote to memory of 1256	2632	chrome.exe	84
PID 2632 wrote to memory of 1256	2632	chrome.exe	84

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" http://google.com
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffadbe09758,0x7ffadbe09768,0x7ffadbe09778
  2⤵
  PID:2064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1724 --field-trial-handle=1904,i,12675968185093135078,8958502554231242496,131072 /prefetch:2
  2⤵
  PID:1152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2020 --field-trial-handle=1904,i,12675968185093135078,8958502554231242496,131072 /prefetch:8
  2⤵
  PID:3920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2244 --field-trial-handle=1904,i,12675968185093135078,8958502554231242496,131072 /prefetch:8
  2⤵
  PID:1256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3024 --field-trial-handle=1904,i,12675968185093135078,8958502554231242496,131072 /prefetch:1
  2⤵
  PID:4156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3056 --field-trial-handle=1904,i,12675968185093135078,8958502554231242496,131072 /prefetch:1
  2⤵
  PID:880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3132 --field-trial-handle=1904,i,12675968185093135078,8958502554231242496,131072 /prefetch:1
  2⤵
  PID:2408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4960 --field-trial-handle=1904,i,12675968185093135078,8958502554231242496,131072 /prefetch:8
  2⤵
  PID:1488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3400 --field-trial-handle=1904,i,12675968185093135078,8958502554231242496,131072 /prefetch:8
  2⤵
  PID:1032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5100 --field-trial-handle=1904,i,12675968185093135078,8958502554231242496,131072 /prefetch:8
  2⤵
  PID:3204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5016 --field-trial-handle=1904,i,12675968185093135078,8958502554231242496,131072 /prefetch:1
  2⤵
  PID:4716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=5128 --field-trial-handle=1904,i,12675968185093135078,8958502554231242496,131072 /prefetch:1
  2⤵
  PID:3752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5260 --field-trial-handle=1904,i,12675968185093135078,8958502554231242496,131072 /prefetch:1
  2⤵
  PID:4736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5412 --field-trial-handle=1904,i,12675968185093135078,8958502554231242496,131072 /prefetch:1
  2⤵
  PID:1156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=5488 --field-trial-handle=1904,i,12675968185093135078,8958502554231242496,131072 /prefetch:1
  2⤵
  PID:2144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5848 --field-trial-handle=1904,i,12675968185093135078,8958502554231242496,131072 /prefetch:8
  2⤵
  PID:1556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=5876 --field-trial-handle=1904,i,12675968185093135078,8958502554231242496,131072 /prefetch:1
  2⤵
  PID:4348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=2368 --field-trial-handle=1904,i,12675968185093135078,8958502554231242496,131072 /prefetch:1
  2⤵
  PID:4852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6016 --field-trial-handle=1904,i,12675968185093135078,8958502554231242496,131072 /prefetch:8
  2⤵
  PID:3672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6512 --field-trial-handle=1904,i,12675968185093135078,8958502554231242496,131072 /prefetch:8
  2⤵
  PID:4216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6512 --field-trial-handle=1904,i,12675968185093135078,8958502554231242496,131072 /prefetch:8
  2⤵
  PID:4164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6864 --field-trial-handle=1904,i,12675968185093135078,8958502554231242496,131072 /prefetch:8
  2⤵
  PID:5020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6796 --field-trial-handle=1904,i,12675968185093135078,8958502554231242496,131072 /prefetch:8
  2⤵
  PID:3396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7052 --field-trial-handle=1904,i,12675968185093135078,8958502554231242496,131072 /prefetch:8
  2⤵
  PID:1356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6956 --field-trial-handle=1904,i,12675968185093135078,8958502554231242496,131072 /prefetch:8
  2⤵
  PID:456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7040 --field-trial-handle=1904,i,12675968185093135078,8958502554231242496,131072 /prefetch:8
  2⤵
  PID:2092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6924 --field-trial-handle=1904,i,12675968185093135078,8958502554231242496,131072 /prefetch:8
  2⤵
  PID:1552
- C:\Users\Admin\Downloads\rptviewer.exe
  "C:\Users\Admin\Downloads\rptviewer.exe"
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:1120
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:3988
- C:\Users\Admin\Downloads\rptviewer.exe
  "C:\Users\Admin\Downloads\rptviewer.exe"
  2⤵
  - Executes dropped EXE
  PID:4704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2056 --field-trial-handle=1904,i,12675968185093135078,8958502554231242496,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=29 --mojo-platform-channel-handle=1808 --field-trial-handle=1904,i,12675968185093135078,8958502554231242496,131072 /prefetch:1
  2⤵
  PID:4412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=30 --mojo-platform-channel-handle=892 --field-trial-handle=1904,i,12675968185093135078,8958502554231242496,131072 /prefetch:1
  2⤵
  PID:452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6312 --field-trial-handle=1904,i,12675968185093135078,8958502554231242496,131072 /prefetch:8
  2⤵
  PID:4788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6196 --field-trial-handle=1904,i,12675968185093135078,8958502554231242496,131072 /prefetch:8
  2⤵
  PID:3276

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1076

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:4432

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:4864

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:3416

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
f8e8231d8460f88d59cc094fc6555f32

SHA1
8ff332837d9605bca9deff824663593c69876f4c

SHA256
b0ae2c65cf2be864a86490e06910128abb67057e020b5769801b86e048efb683

SHA512
dd45d2d041cedbe72d5755a717fed847bb2278cd1a032a3b75f1c4a83494ba803d97d34323473b2e343290195fdfe5c5847d8084059bcb41fe2b6f6b96215a2d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
dd3bd4f8839fbf35600655e39539fed3

SHA1
6819f86ae885deca5b51de4ba084c7ce17dfa0c5

SHA256
d466df5606fdba622b709adeed12074b3f6568d8fa97a91e598edebda4bc3980

SHA512
6551e10234c4a7991618660735c3df98b8a6160a86c3f43d75f0075be80bf19c4955188bf446128d7e92d68e9eb80d26fdd8967b0d4b2a71a15e7e69abcb5b8c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
7KB

MD5
d62a91c914848237ad778b3e2d6dd0b2

SHA1
9c644bba47474b606de1637f5dcd4dfbac7100dc

SHA256
38367d1c70bd6b4878f9aa9a14ba7690bae89085326f89a7c57b384e6b385ec0

SHA512
d3ca69642c79df4a88b766f6caa1433599258c5d3e0a9237556b0e0d523295d37e24313e4d83eb372f560b9dae6915a6b11ee0dfed11d7d4fcbe8a0d313231bd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
d7f976e18c19bed77f83024bf433552a

SHA1
1f1e48c4cfc706a2e305f43491a130c8f795ee88

SHA256
caffb239869a7d6cf64989275c75bf5c0320c759d379e7ae942e51b40f00a0a0

SHA512
6d3034553074f2e3f22bd4090cfb7e587b3f81c83905aa3aaf852bc8de2601243bf9a154a18af63ef2ef2250ca9e2b9177f1b1c6526a93fa68f9545b2022e5c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
66a49c76ddf998a46c2b9e2c35429231

SHA1
4efb51d9483500898f77ce20da83705033b69e1f

SHA256
8e596b0853bba0089d49ce30c250c334b390bf62c60819de17b47731b65b78d6

SHA512
78bd09c726bbd149318df3b03fe60dfd9fcf9e2a1720e1c2e0691826a76603047aa872377a01ff141a82fdfedea46aa56ff0a40819f97ba067ce2c89f14e7232

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
539B

MD5
f3e4856fd7c1e3e8686b35145b1828cd

SHA1
5a80abf6f22a1e518686a86713f5d2fd89a31714

SHA256
5d25a1d48e7cf29c066b830a35092ef5a21beba0f34de0e09743fc64d9fa44ba

SHA512
acb3f8187d9dfeafeba582fff632d8ec46671bf3c1ef911983d35e48a66e86f3b017fea5e790271c4329e4bb6ebe888a7441d4a6d6971bc6938bd8490412421c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
539B

MD5
e4c3ba2924591f1d48b4a9f11746640b

SHA1
d3bf2085bda289a4a5e80ef58bdcd6512606e516

SHA256
ac5645dfd21f6f51e4f32f142ee38471a5c57e17f3827bbaa5e6a6466b7954ec

SHA512
4cdf0e0cb75ac3f5cb747188763a38d86cfdb524b6afd2d7685a99929cd036b9d2580bbf1d64c480905dda3b58d0fbc5c5a1ea799e27e04b372131eed048e5b7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
244affe6ae5528d8407660748e59156a

SHA1
8b4a11064009969c127df33f2e0353fe919f32e8

SHA256
b211e49add18aa587b253f4da7fe3b0ddac962a18ee1d6a0291e0333666f2148

SHA512
1f4e8b5e36c61d8c83dbd7e7c2589f1d2f4b3d15cc0e252365c7c3c17d09d769b20c8832305c876e47a7638eab79bb5ea5163b17006d4e287cdc2a4432b6ecaf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
337db38927cfc296d83315c76932e994

SHA1
42543d824c8f54953f9b01ca57efa640cd4ae228

SHA256
d3f0323e6d4058597b9344f941ba0009b290f56702ad0ff123db69ab10f1f69c

SHA512
56bdb656febbf0573efd0c630b80be31c41b360f379091c11f8c656fb011466f54a8b2bfd71694d5140d54bfea2bcd405d5ec4e0a66febbec2d157d33d625fdf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
e842cfa5eeefb5d90b6ba96784b65bc8

SHA1
795f34e73e6573f8358df494bcd0e6ba50150d30

SHA256
bb189af191b39d87e0f000087dbb5cde90f534cd16d00c464baf882d0734f2eb

SHA512
c6eca944da68558ace110762a3b8e167d931e33f4f8fd2e476cf3302480b1b79100689d73ed6e059f1e1d09d7d44037deb973a7959cb2e323c2f8d2a0f8777c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
8109dd197b4fe1754d8d5cf0981b48a7

SHA1
dc423f49c39332a1c1cff66e097eeccaf0afa74b

SHA256
f9e9f63e87bd4460b1a4cdc6bb9f55d76cd9561851a1d87ebda3a7efd95f2ce8

SHA512
c8fccf8d41e34716dbe3b4b8c3f018698707382629dcf3a8b1c3bd1b2dc7c66f5719a7e2c5c6e4360c8c3e271892cac6352853003dd6c2c90c5a1040b9a723f4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
a587da2989b3e87c31fc1ca34b9e0d7e

SHA1
171b292eb6ed5cbdcf44cf56f3561e5a67d407f9

SHA256
ebfdb1a6f87cde20ceb959c8451680c31b0572f5c1769941f9e0ff02afc5bd49

SHA512
6589d991790c8942a4ae8ac909d8ca5351d421af16fcd221c0423134941d9dee6eb729cb6125f1dbd2fd53f450d558ed5e1ac7c15208cc81ba655577b2f5fd90

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
d2012543c9d04cc6901a355776fda6ef

SHA1
40a7940fe17be589b00af750e7b832271b2e7cc4

SHA256
b5af3bf22750faf5a407a5ccf9321af2a8fc94a38aa380535171126f092a3242

SHA512
5dbbd1f45be566582aac7c27a0487e85fb277337327312243c3560710c13330eb149ab770df927e48d903d9fee2cbce5b02a85c23317744720791e42281aae46

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
171KB

MD5
9cd408a57a74310465e2abc18824f79a

SHA1
d9283b2d0665809e725995fb9f2b6d9948a3598e

SHA256
7cb5a90ac3c727056794156225b635793880e5f316c7a875e937aed72c8c3538

SHA512
d7de1ac2136e5f3ef9f891a325406efe6b8489a9b98592238f9cc0597da7bf93ed5b95ae55cbef07bf3bd183c8cb22fa7783dea2a35b2f59b0efb1e77e9eb82b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
171KB

MD5
14f7500a0ecd87fc6e8d1e548ee24a81

SHA1
6eaf45a511f94c587877c8c258ece1ca595e3db3

SHA256
4044999e0c9a0ad1b688d5a9ca6a0336a69f9d72d1838d771ebd0cedbba6e4ea

SHA512
c2237d4b5b7e94d72a1a0322803e7a6c65fefde6b34d00048f282feeedfdbabde956d9e7ff511701e17a7f08388d76bffe74a3ac53abe612d5cbadadc954faf5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
171KB

MD5
2aeb65bd702218b5c1caeec256a187ba

SHA1
b084c31ff3a78c2426e0288d6a4003792f9de0c0

SHA256
5255e9f9fc3936385808976f9316a604eb5b979c00cb59d652e90c5355e25a18

SHA512
9ec14ad5a454a9855bf7b36cd0f2010f533de4ab8a6b61b66e7885fcdb336f3b981b154200766d90fbf9983a5b4ea77d7d481d8dd4a5439de68444178ee1c683

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
100KB

MD5
90a027d4ceed5dcb8289f65d72fa0127

SHA1
4df28b8a792ec0431e7fa5e5475492a164f07641

SHA256
b657b3c5bf0178c5463d5d311ac54690d4dbd95442eba19028eeef8a9dcf3d27

SHA512
a1df7936f3f2e5b21e380fb9dc90a98ae334c58a65e0252f336af6ee209182ea77acb0a92c154d975b351fbaf3176ca1510b6ac1a8386db1ad41c799ee0a8577

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
104KB

MD5
069f0478357879ee5e0a7cda87148ff8

SHA1
e3b0d74d0e5b32e2d52511d8c58443a0c2c0224f

SHA256
7341f85166c6aa869cd25dd1c47d071a670b3208384383210b2eae607b9c4bb5

SHA512
7a19615c06365cbe22e7080ff7d3d38fd10d01ec43a36670a36c9f253b59119b13630cded15785bd98578cb9a8857845567b1266dd72ced6fc328898be7c27a2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
118KB

MD5
fef1c191483595064890cd78bb206a92

SHA1
670338dc8102be820ed129e3d0c7d478939bd675

SHA256
51cb8a17662375781220b7035ae31278f9ef6f1be0838e4fcc5d95ed678fc138

SHA512
87bf4dc902e5b1faebff935074940e9fab75d961619da4b9bd68b372548498e87d41259be03426ebce9793d5467a0460155573ede484b19a1c63ab6304556806

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe580d88.TMP

Filesize
97KB

MD5
76a4d2da3da3b936e826d2c27433bfb4

SHA1
105acafc7ab6284ebbceff0a3cc00dd80bff73f6

SHA256
61ea4f7214a91a38f43828347d7bf160b1a238d3be6b954ec2f995b89bf9ca30

SHA512
a0f81f9dc8a61659a0164eb810beed0142082ad685c00f4a44c3885df80236beb3c12e67d9fee9c7150d25aa7a71e0493ccca80cdcbceb38b2ba0330fa0e7179

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 575963.crdownload

Filesize
306KB

MD5
c4e9345233aba8b4873139adbb1ba64e

SHA1
1611a6d424211620047a665103bcd504f196a2d5

SHA256
5742e2ca2afa634c28ec6734439eba71c35ab5b9ab480fee7db92ee2cb5b8ba8

SHA512
37fe15390b9b965f0ebddf0741e163cb6bd8c62137aa3409515df26462defbd8408ebfba6676a804362022347df065a7084c7abccf65a207ba068a31a2aff2fb

Download Submit
C:\Users\Admin\Downloads\rptviewer.exe

Filesize
306KB

MD5
c4e9345233aba8b4873139adbb1ba64e

SHA1
1611a6d424211620047a665103bcd504f196a2d5

SHA256
5742e2ca2afa634c28ec6734439eba71c35ab5b9ab480fee7db92ee2cb5b8ba8

SHA512
37fe15390b9b965f0ebddf0741e163cb6bd8c62137aa3409515df26462defbd8408ebfba6676a804362022347df065a7084c7abccf65a207ba068a31a2aff2fb

Download Submit
C:\Users\Admin\Downloads\rptviewer.exe

Filesize
306KB

MD5
c4e9345233aba8b4873139adbb1ba64e

SHA1
1611a6d424211620047a665103bcd504f196a2d5

SHA256
5742e2ca2afa634c28ec6734439eba71c35ab5b9ab480fee7db92ee2cb5b8ba8

SHA512
37fe15390b9b965f0ebddf0741e163cb6bd8c62137aa3409515df26462defbd8408ebfba6676a804362022347df065a7084c7abccf65a207ba068a31a2aff2fb

Download Submit
C:\Users\Admin\Downloads\rptviewer.exe

Filesize
306KB

MD5
c4e9345233aba8b4873139adbb1ba64e

SHA1
1611a6d424211620047a665103bcd504f196a2d5

SHA256
5742e2ca2afa634c28ec6734439eba71c35ab5b9ab480fee7db92ee2cb5b8ba8

SHA512
37fe15390b9b965f0ebddf0741e163cb6bd8c62137aa3409515df26462defbd8408ebfba6676a804362022347df065a7084c7abccf65a207ba068a31a2aff2fb

Download Submit
memory/1120-565-0x0000000000400000-0x00000000004E4000-memory.dmp

Filesize
912KB

Download
memory/1120-603-0x0000000000400000-0x00000000004E4000-memory.dmp

Filesize
912KB

Download
memory/1120-566-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/1120-593-0x0000000000400000-0x00000000004E4000-memory.dmp

Filesize
912KB

Download
memory/1120-594-0x0000000000400000-0x00000000004E4000-memory.dmp

Filesize
912KB

Download
memory/1120-595-0x0000000000400000-0x00000000004E4000-memory.dmp

Filesize
912KB

Download
memory/1120-601-0x0000000000400000-0x00000000004E4000-memory.dmp

Filesize
912KB

Download
memory/1120-591-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/1120-590-0x0000000000400000-0x00000000004E4000-memory.dmp

Filesize
912KB

Download
memory/1120-613-0x0000000000400000-0x00000000004E4000-memory.dmp

Filesize
912KB

Download
memory/1120-614-0x0000000000400000-0x00000000004E4000-memory.dmp

Filesize
912KB

Download
memory/4704-569-0x0000000000980000-0x0000000000981000-memory.dmp

Filesize
4KB

Download
memory/4704-568-0x0000000000400000-0x00000000004E4000-memory.dmp

Filesize
912KB

Download
memory/4704-592-0x0000000000400000-0x00000000004E4000-memory.dmp

Filesize
912KB

Download