cce85515020d1c17291e229ff8c1824c9d9c8d012467c9795cee5922a96dc73e

Analysis

max time kernel
62s
max time network
150s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
19/09/2024, 02:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Cute Reapers in my Room.exe
Size

638KB
MD5

74eedfc115baba5e57c0658d868263f8
SHA1

442d79588eb97a63d99f85b0f8a219d7acd52d5f
SHA256

cce85515020d1c17291e229ff8c1824c9d9c8d012467c9795cee5922a96dc73e
SHA512

e80cb00395c0a5156c79f2ade14795e02c85f6796f6b75ddf5c4846a8812c91466e3769ff6404cdf61a5fa73be1ac9a0c2f728a0df71b8a04a6ab8b50313f913
SSDEEP

12288:coCC/UA8mI9vzaB98UZa3b/4jJKk0Xp4:nnUA8mIhzagUZa3b/4jJKk0Xp4

Score

5^/10

discovery

Malware Config

Signatures

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-304 = "Public Recorded TV"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{45670FA8-ED97-4F44-BC93-305082590BFB} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c01ea8a73f0adb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-102 = "Desert"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-101 = "Chrysanthemum"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\windows journal\journal.exe,-62005 = "Tablet PC"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200017 = "GobiernoUSA.gov"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-116 = "Kalimba"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200005 = "Websites for United States"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-312 = "Sample Media"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b05909a33f0adb01	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200016 = "USA.gov"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-105 = "Koala"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-104 = "Jellyfish"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-103 = "Hydrangeas"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-118 = "Sleep Away"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-107 = "Lighthouse"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{993BE281-6695-4BA5-8A2A-7AACBFAAB69E} {0000013A-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000607b87993f0adb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-108 = "Penguins"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-142 = "Wildlife"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-106 = "Tulips"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-117 = "Maid with the Flaxen Hair"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-308 = "Landscapes"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\xpsrchvw.exe,-106 = "XPS Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1228	chrome.exe
1228	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	2724	SearchIndexer.exe
Token: 33	2724	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2724	SearchIndexer.exe
Token: SeShutdownPrivilege	1228	chrome.exe
Token: SeShutdownPrivilege	1228	chrome.exe
Token: SeShutdownPrivilege	1228	chrome.exe
Token: SeShutdownPrivilege	1228	chrome.exe
Token: SeShutdownPrivilege	1228	chrome.exe
Token: SeShutdownPrivilege	1228	chrome.exe
Token: SeShutdownPrivilege	1228	chrome.exe
Token: SeShutdownPrivilege	1228	chrome.exe
Token: SeShutdownPrivilege	1228	chrome.exe
Token: SeShutdownPrivilege	1228	chrome.exe
Token: SeShutdownPrivilege	1228	chrome.exe
Token: SeShutdownPrivilege	1228	chrome.exe
Token: SeShutdownPrivilege	1228	chrome.exe
Token: SeShutdownPrivilege	1228	chrome.exe
Token: SeShutdownPrivilege	1228	chrome.exe
Token: SeShutdownPrivilege	1228	chrome.exe
Token: SeShutdownPrivilege	1228	chrome.exe
Token: SeShutdownPrivilege	1228	chrome.exe
Token: SeShutdownPrivilege	1228	chrome.exe
Token: SeShutdownPrivilege	1228	chrome.exe
Token: SeShutdownPrivilege	1228	chrome.exe
Token: SeShutdownPrivilege	1228	chrome.exe
Token: SeShutdownPrivilege	1228	chrome.exe
Token: SeShutdownPrivilege	1228	chrome.exe
Token: SeShutdownPrivilege	1228	chrome.exe
Token: SeShutdownPrivilege	1228	chrome.exe
Token: SeShutdownPrivilege	1228	chrome.exe
Token: SeShutdownPrivilege	1228	chrome.exe
Token: SeShutdownPrivilege	1228	chrome.exe
Token: SeShutdownPrivilege	1228	chrome.exe
Token: SeShutdownPrivilege	1228	chrome.exe
Token: SeShutdownPrivilege	1228	chrome.exe
Token: SeShutdownPrivilege	1228	chrome.exe
Token: SeShutdownPrivilege	1228	chrome.exe
Token: SeShutdownPrivilege	1228	chrome.exe
Token: SeShutdownPrivilege	1228	chrome.exe
Token: SeShutdownPrivilege	1228	chrome.exe
Token: SeShutdownPrivilege	1228	chrome.exe
Token: SeShutdownPrivilege	1228	chrome.exe
Token: SeShutdownPrivilege	1228	chrome.exe
Token: SeShutdownPrivilege	1228	chrome.exe
Token: SeShutdownPrivilege	1228	chrome.exe
Token: SeShutdownPrivilege	1228	chrome.exe
Token: SeShutdownPrivilege	1228	chrome.exe
Token: SeShutdownPrivilege	1228	chrome.exe
Token: SeShutdownPrivilege	1228	chrome.exe
Token: SeShutdownPrivilege	1228	chrome.exe
Token: SeShutdownPrivilege	1228	chrome.exe
Token: SeShutdownPrivilege	1228	chrome.exe
Token: SeShutdownPrivilege	1228	chrome.exe
Token: SeShutdownPrivilege	1228	chrome.exe
Token: SeShutdownPrivilege	1228	chrome.exe
Token: SeShutdownPrivilege	1228	chrome.exe
Token: SeShutdownPrivilege	1228	chrome.exe
Token: SeShutdownPrivilege	1228	chrome.exe
Token: SeShutdownPrivilege	1228	chrome.exe
Token: SeShutdownPrivilege	1228	chrome.exe
Token: SeShutdownPrivilege	1228	chrome.exe
Token: SeShutdownPrivilege	1228	chrome.exe
Token: SeShutdownPrivilege	1228	chrome.exe
Token: SeShutdownPrivilege	1228	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
1228	chrome.exe
1228	chrome.exe
1228	chrome.exe
1228	chrome.exe
1228	chrome.exe
1228	chrome.exe
1228	chrome.exe
1228	chrome.exe
1228	chrome.exe
1228	chrome.exe
1228	chrome.exe
1228	chrome.exe
1228	chrome.exe
1228	chrome.exe
1228	chrome.exe
1228	chrome.exe
1228	chrome.exe
1228	chrome.exe
1228	chrome.exe
1228	chrome.exe
1228	chrome.exe
1228	chrome.exe
1228	chrome.exe
1228	chrome.exe
1228	chrome.exe
1228	chrome.exe
1228	chrome.exe
1228	chrome.exe
1228	chrome.exe
1228	chrome.exe
1228	chrome.exe
1228	chrome.exe
1228	chrome.exe
1228	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
1228	chrome.exe
1228	chrome.exe
1228	chrome.exe
1228	chrome.exe
1228	chrome.exe
1228	chrome.exe
1228	chrome.exe
1228	chrome.exe
1228	chrome.exe
1228	chrome.exe
1228	chrome.exe
1228	chrome.exe
1228	chrome.exe
1228	chrome.exe
1228	chrome.exe
1228	chrome.exe
1228	chrome.exe
1228	chrome.exe
1228	chrome.exe
1228	chrome.exe
1228	chrome.exe
1228	chrome.exe
1228	chrome.exe
1228	chrome.exe
1228	chrome.exe
1228	chrome.exe
1228	chrome.exe
1228	chrome.exe
1228	chrome.exe
1228	chrome.exe
1228	chrome.exe
1228	chrome.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
1624	SearchProtocolHost.exe
1624	SearchProtocolHost.exe
1624	SearchProtocolHost.exe
1624	SearchProtocolHost.exe
1624	SearchProtocolHost.exe
1624	SearchProtocolHost.exe
1624	SearchProtocolHost.exe
1624	SearchProtocolHost.exe
1624	SearchProtocolHost.exe
1624	SearchProtocolHost.exe
1624	SearchProtocolHost.exe
1624	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2724 wrote to memory of 1624	2724	SearchIndexer.exe	34
PID 2724 wrote to memory of 1624	2724	SearchIndexer.exe	34
PID 2724 wrote to memory of 1624	2724	SearchIndexer.exe	34
PID 2724 wrote to memory of 1792	2724	SearchIndexer.exe	35
PID 2724 wrote to memory of 1792	2724	SearchIndexer.exe	35
PID 2724 wrote to memory of 1792	2724	SearchIndexer.exe	35
PID 1228 wrote to memory of 1644	1228	chrome.exe	37
PID 1228 wrote to memory of 1644	1228	chrome.exe	37
PID 1228 wrote to memory of 1644	1228	chrome.exe	37
PID 1228 wrote to memory of 2672	1228	chrome.exe	39
PID 1228 wrote to memory of 2672	1228	chrome.exe	39
PID 1228 wrote to memory of 2672	1228	chrome.exe	39
PID 1228 wrote to memory of 2672	1228	chrome.exe	39
PID 1228 wrote to memory of 2672	1228	chrome.exe	39
PID 1228 wrote to memory of 2672	1228	chrome.exe	39
PID 1228 wrote to memory of 2672	1228	chrome.exe	39
PID 1228 wrote to memory of 2672	1228	chrome.exe	39
PID 1228 wrote to memory of 2672	1228	chrome.exe	39
PID 1228 wrote to memory of 2672	1228	chrome.exe	39
PID 1228 wrote to memory of 2672	1228	chrome.exe	39
PID 1228 wrote to memory of 2672	1228	chrome.exe	39
PID 1228 wrote to memory of 2672	1228	chrome.exe	39
PID 1228 wrote to memory of 2672	1228	chrome.exe	39
PID 1228 wrote to memory of 2672	1228	chrome.exe	39
PID 1228 wrote to memory of 2672	1228	chrome.exe	39
PID 1228 wrote to memory of 2672	1228	chrome.exe	39
PID 1228 wrote to memory of 2672	1228	chrome.exe	39
PID 1228 wrote to memory of 2672	1228	chrome.exe	39
PID 1228 wrote to memory of 2672	1228	chrome.exe	39
PID 1228 wrote to memory of 2672	1228	chrome.exe	39
PID 1228 wrote to memory of 2672	1228	chrome.exe	39
PID 1228 wrote to memory of 2672	1228	chrome.exe	39
PID 1228 wrote to memory of 2672	1228	chrome.exe	39
PID 1228 wrote to memory of 2672	1228	chrome.exe	39
PID 1228 wrote to memory of 2672	1228	chrome.exe	39
PID 1228 wrote to memory of 2672	1228	chrome.exe	39
PID 1228 wrote to memory of 2672	1228	chrome.exe	39
PID 1228 wrote to memory of 2672	1228	chrome.exe	39
PID 1228 wrote to memory of 2672	1228	chrome.exe	39
PID 1228 wrote to memory of 2672	1228	chrome.exe	39
PID 1228 wrote to memory of 2672	1228	chrome.exe	39
PID 1228 wrote to memory of 2672	1228	chrome.exe	39
PID 1228 wrote to memory of 2672	1228	chrome.exe	39
PID 1228 wrote to memory of 2672	1228	chrome.exe	39
PID 1228 wrote to memory of 2672	1228	chrome.exe	39
PID 1228 wrote to memory of 2672	1228	chrome.exe	39
PID 1228 wrote to memory of 2672	1228	chrome.exe	39
PID 1228 wrote to memory of 2672	1228	chrome.exe	39
PID 1228 wrote to memory of 2300	1228	chrome.exe	40
PID 1228 wrote to memory of 2300	1228	chrome.exe	40
PID 1228 wrote to memory of 2300	1228	chrome.exe	40
PID 1228 wrote to memory of 2764	1228	chrome.exe	41
PID 1228 wrote to memory of 2764	1228	chrome.exe	41
PID 1228 wrote to memory of 2764	1228	chrome.exe	41
PID 1228 wrote to memory of 2764	1228	chrome.exe	41
PID 1228 wrote to memory of 2764	1228	chrome.exe	41
PID 1228 wrote to memory of 2764	1228	chrome.exe	41
PID 1228 wrote to memory of 2764	1228	chrome.exe	41
PID 1228 wrote to memory of 2764	1228	chrome.exe	41
PID 1228 wrote to memory of 2764	1228	chrome.exe	41
PID 1228 wrote to memory of 2764	1228	chrome.exe	41
PID 1228 wrote to memory of 2764	1228	chrome.exe	41
PID 1228 wrote to memory of 2764	1228	chrome.exe	41
PID 1228 wrote to memory of 2764	1228	chrome.exe	41

C:\Users\Admin\AppData\Local\Temp\Cute Reapers in my Room.exe
"C:\Users\Admin\AppData\Local\Temp\Cute Reapers in my Room.exe"
1⤵
PID:2240

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:888

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2724
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:1624
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 508 512 520 65536 516
  2⤵
  PID:1792
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 508 512 520 65536 516
  2⤵
  PID:1664

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef4769758,0x7fef4769768,0x7fef4769778
  2⤵
  PID:1644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1172 --field-trial-handle=1304,i,17918459314166319010,8643434979675138148,131072 /prefetch:2
  2⤵
  PID:2672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1516 --field-trial-handle=1304,i,17918459314166319010,8643434979675138148,131072 /prefetch:8
  2⤵
  PID:2300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1604 --field-trial-handle=1304,i,17918459314166319010,8643434979675138148,131072 /prefetch:8
  2⤵
  PID:2764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2164 --field-trial-handle=1304,i,17918459314166319010,8643434979675138148,131072 /prefetch:1
  2⤵
  PID:664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2172 --field-trial-handle=1304,i,17918459314166319010,8643434979675138148,131072 /prefetch:1
  2⤵
  PID:1280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1380 --field-trial-handle=1304,i,17918459314166319010,8643434979675138148,131072 /prefetch:2
  2⤵
  PID:1724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1472 --field-trial-handle=1304,i,17918459314166319010,8643434979675138148,131072 /prefetch:1
  2⤵
  PID:2640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=3464 --field-trial-handle=1304,i,17918459314166319010,8643434979675138148,131072 /prefetch:1
  2⤵
  PID:2464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 --field-trial-handle=1304,i,17918459314166319010,8643434979675138148,131072 /prefetch:8
  2⤵
  PID:1400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1148 --field-trial-handle=1304,i,17918459314166319010,8643434979675138148,131072 /prefetch:8
  2⤵
  PID:2176

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
84ca72efbf79e289bcc90292b8a5580b

SHA1
e1246a230739351a44850d75a27bc8052a9462bd

SHA256
9c7bc0480510edd003dc9ee6c8b9cbd42301900b8dfcafc18698c896db1aea1e

SHA512
4d037f7fea337a3343456a7c5a7253f38e479faeeb260a189877c752941f81dc6ff55a1087a78f53251428c49979f4f5fd57580cecb4ce146323b4060df0f877

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSStmp.log

Filesize
1024KB

MD5
8a07b0c9416fa2cdc4abd6531f18418e

SHA1
ee51274c2177c055fb4aaaaf66c89d1c985b9a4f

SHA256
237efa597397db3590a037690dc712178f04769752e207310f888bc3f8fd2ec5

SHA512
20a89dc3f7bceeb0d779e730b3d2910ac5262a1d0096f1c63c46127ee3486044bf8b326148ca002bb8b47685fbc04aeefebda44ce2e63bdde8674ab0c0924bfa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
212KB

MD5
08ec57068db9971e917b9046f90d0e49

SHA1
28b80d73a861f88735d89e301fa98f2ae502e94b

SHA256
7a68efe41e5d8408eed6e9d91a7b7b965a3062e4e28eeffeefb8cdba6391f4d1

SHA512
b154142173145122bc49ddd7f9530149100f6f3c5fd2f2e7503b13f7b160147b8b876344f6faae5e8616208c51311633df4c578802ac5d34c005bb154e9057cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
03b219434d65356ed05e33cf79a958e0

SHA1
47cae1cd58032816532e504d62b05c7fbccf13fc

SHA256
3c450b0eaf95724262c0f186d28477a9ae9f0f4d3694721582f27b5b9e2f1e02

SHA512
d9d31564ebbf5477cd6d19f14e11373a0871496618ae85ab236b2303af028065d0675b0c17540ce2653fef812a4b947ee4576fb58a2efaef43380833ea483f26

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
88dee93fc68159c3a9deadeb42ea56af

SHA1
2f951bdf45abe898fbc086418bb390fbf8fb3ebf

SHA256
0581372b73ea6a20fb18b17ecf39f4fdd7dfa819afa26acbfb5a82d36a2a005b

SHA512
3c0ad18edc3542d56ca820841573497c4a4f8e1f753fa84b5b250f0935d358379046081ae9a28bd9df57040f3ba59f9c5515b9ee3730cf041a5a7e5e49221c1d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
memory/2724-178-0x0000000003D40000-0x0000000003D48000-memory.dmp

Filesize
32KB

Download
memory/2724-182-0x0000000003D30000-0x0000000003D38000-memory.dmp

Filesize
32KB

Download
memory/2724-49-0x00000000013C0000-0x00000000013C8000-memory.dmp

Filesize
32KB

Download
memory/2724-43-0x00000000013C0000-0x00000000013C1000-memory.dmp

Filesize
4KB

Download
memory/2724-42-0x0000000001400000-0x0000000001408000-memory.dmp

Filesize
32KB

Download
memory/2724-51-0x0000000001370000-0x0000000001371000-memory.dmp

Filesize
4KB

Download
memory/2724-179-0x0000000003D30000-0x0000000003D31000-memory.dmp

Filesize
4KB

Download
memory/2724-66-0x00000000033B0000-0x00000000033B8000-memory.dmp

Filesize
32KB

Download
memory/2724-60-0x0000000001410000-0x0000000001418000-memory.dmp

Filesize
32KB

Download
memory/2724-16-0x0000000001CC0000-0x0000000001CD0000-memory.dmp

Filesize
64KB

Download
memory/2724-210-0x0000000005540000-0x0000000005541000-memory.dmp

Filesize
4KB

Download
memory/2724-216-0x0000000005570000-0x0000000005578000-memory.dmp

Filesize
32KB

Download
memory/2724-220-0x0000000005560000-0x0000000005568000-memory.dmp

Filesize
32KB

Download
memory/2724-0-0x0000000001BC0000-0x0000000001BD0000-memory.dmp

Filesize
64KB

Download
memory/2724-217-0x0000000005560000-0x0000000005561000-memory.dmp

Filesize
4KB

Download
memory/2724-225-0x0000000005640000-0x0000000005641000-memory.dmp

Filesize
4KB

Download