90897d1c60f45943a2971a3c255f36838b4775179c94c44b6eb2a90f7f44898f

Analysis

max time kernel
183s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
21/05/2024, 04:53

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

PngMbrBuilder.exe
Size

269KB
MD5

889d7c6ef3c2a41b094efea12504829a
SHA1

bb1d80ae26938d024e501c4263690cb23c4cc027
SHA256

90897d1c60f45943a2971a3c255f36838b4775179c94c44b6eb2a90f7f44898f
SHA512

7e7f108d78c8d2d76696203439a3fbb8908d0525120ad8970ae1d1881323b0757ecd41b68de22d18733fc2b40fc019dd3884763ebc188cb721b51fe7a32d0edf
SSDEEP

6144:SeJuz35Y0upkpcaLb+WX08/Gd0eWIkZpakD0JmIdx4BjRqPdLB+RNripyoD/qSl/:S/DZU4caLb+pcneeQkD0JmjBjkoNriph

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	PngMbrBuilder.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133607408723942796"	chrome.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	PngMbrBuilder.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\SniffedFolderType = "Pictures"	PngMbrBuilder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	PngMbrBuilder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000	PngMbrBuilder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	PngMbrBuilder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	PngMbrBuilder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	PngMbrBuilder.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	PngMbrBuilder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\MRUListEx = ffffffff	PngMbrBuilder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	PngMbrBuilder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	PngMbrBuilder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	PngMbrBuilder.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	PngMbrBuilder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\GroupByDirection = "1"	PngMbrBuilder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	PngMbrBuilder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202	PngMbrBuilder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	PngMbrBuilder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2 = 14002e80d43aad2469a5304598e1ab02f9417aa80000	PngMbrBuilder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\LogicalViewMode = "3"	PngMbrBuilder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\Mode = "1"	PngMbrBuilder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	PngMbrBuilder.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	PngMbrBuilder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0 = 4e00310000000000b558b026100054656d7000003a0009000400efbea858c653b558b0262e0000008ee1010000000100000000000000000000000000000052908e00540065006d007000000014000000	PngMbrBuilder.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	PngMbrBuilder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\IconSize = "96"	PngMbrBuilder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	PngMbrBuilder.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\SniffedFolderType = "Generic"	PngMbrBuilder.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0 = 9600310000000000a858595810007b37413743457e3100007e0009000400efbea8585958a85859582e000000c12f0200000005000000000000000000000000000000a4bdea007b00370041003700430045003500360044002d0030004200360035002d0034003600300037002d0039003000300041002d003200430030003100320032003300390031004300410033007d00000018000000	PngMbrBuilder.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	PngMbrBuilder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	PngMbrBuilder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\FFlags = "1"	PngMbrBuilder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\3 = 19002f463a5c000000000000000000000000000000000000000000	PngMbrBuilder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	PngMbrBuilder.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\MRUListEx = ffffffff	PngMbrBuilder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	PngMbrBuilder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	PngMbrBuilder.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	PngMbrBuilder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	PngMbrBuilder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	PngMbrBuilder.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\SniffedFolderType = "Downloads"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	PngMbrBuilder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\0\MRUListEx = ffffffff	PngMbrBuilder.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7	PngMbrBuilder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\SniffedFolderType = "Downloads"	PngMbrBuilder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	PngMbrBuilder.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	PngMbrBuilder.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic"	PngMbrBuilder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\3\MRUListEx = ffffffff	PngMbrBuilder.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\SniffedFolderType = "Generic"	PngMbrBuilder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000050000001800000030f125b7ef471a10a5f102608c9eebac0a000000a0000000b474dbf787420341afbaf1b13dcd75cf64000000a000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000e0859ff2f94f6810ab9108002b27b3d90500000058000000	PngMbrBuilder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	chrome.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
3932	mspaint.exe
3932	mspaint.exe
3196	chrome.exe
3196	chrome.exe
2224	taskmgr.exe
2224	taskmgr.exe
2224	taskmgr.exe
2224	taskmgr.exe
2224	taskmgr.exe
2224	taskmgr.exe
2224	taskmgr.exe
2224	taskmgr.exe
2224	taskmgr.exe
2224	taskmgr.exe
2224	taskmgr.exe
2224	taskmgr.exe
2224	taskmgr.exe
2224	taskmgr.exe
2224	taskmgr.exe
2224	taskmgr.exe
2224	taskmgr.exe
2224	taskmgr.exe
2224	taskmgr.exe
2224	taskmgr.exe
2224	taskmgr.exe
2224	taskmgr.exe
2224	taskmgr.exe
2224	taskmgr.exe
2224	taskmgr.exe
2224	taskmgr.exe
2224	taskmgr.exe
2224	taskmgr.exe
2224	taskmgr.exe
2224	taskmgr.exe
2224	taskmgr.exe
2224	taskmgr.exe
2224	taskmgr.exe
2224	taskmgr.exe
2224	taskmgr.exe
2224	taskmgr.exe
2224	taskmgr.exe
2224	taskmgr.exe
2224	taskmgr.exe
2224	taskmgr.exe
2224	taskmgr.exe
2224	taskmgr.exe
2224	taskmgr.exe
2224	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3012	PngMbrBuilder.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: 33	3416	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3416	AUDIODG.EXE
Token: SeShutdownPrivilege	3196	chrome.exe
Token: SeCreatePagefilePrivilege	3196	chrome.exe
Token: SeShutdownPrivilege	3196	chrome.exe
Token: SeCreatePagefilePrivilege	3196	chrome.exe
Token: SeShutdownPrivilege	3196	chrome.exe
Token: SeCreatePagefilePrivilege	3196	chrome.exe
Token: SeShutdownPrivilege	3196	chrome.exe
Token: SeCreatePagefilePrivilege	3196	chrome.exe
Token: SeShutdownPrivilege	3196	chrome.exe
Token: SeCreatePagefilePrivilege	3196	chrome.exe
Token: SeShutdownPrivilege	3196	chrome.exe
Token: SeCreatePagefilePrivilege	3196	chrome.exe
Token: SeShutdownPrivilege	3196	chrome.exe
Token: SeCreatePagefilePrivilege	3196	chrome.exe
Token: SeShutdownPrivilege	3196	chrome.exe
Token: SeCreatePagefilePrivilege	3196	chrome.exe
Token: SeShutdownPrivilege	3196	chrome.exe
Token: SeCreatePagefilePrivilege	3196	chrome.exe
Token: SeShutdownPrivilege	3196	chrome.exe
Token: SeCreatePagefilePrivilege	3196	chrome.exe
Token: SeShutdownPrivilege	3196	chrome.exe
Token: SeCreatePagefilePrivilege	3196	chrome.exe
Token: SeShutdownPrivilege	3196	chrome.exe
Token: SeCreatePagefilePrivilege	3196	chrome.exe
Token: SeShutdownPrivilege	3196	chrome.exe
Token: SeCreatePagefilePrivilege	3196	chrome.exe
Token: SeShutdownPrivilege	3196	chrome.exe
Token: SeCreatePagefilePrivilege	3196	chrome.exe
Token: SeShutdownPrivilege	3196	chrome.exe
Token: SeCreatePagefilePrivilege	3196	chrome.exe
Token: SeShutdownPrivilege	3196	chrome.exe
Token: SeCreatePagefilePrivilege	3196	chrome.exe
Token: SeShutdownPrivilege	3196	chrome.exe
Token: SeCreatePagefilePrivilege	3196	chrome.exe
Token: SeShutdownPrivilege	3196	chrome.exe
Token: SeCreatePagefilePrivilege	3196	chrome.exe
Token: SeShutdownPrivilege	3196	chrome.exe
Token: SeCreatePagefilePrivilege	3196	chrome.exe
Token: SeShutdownPrivilege	3196	chrome.exe
Token: SeCreatePagefilePrivilege	3196	chrome.exe
Token: SeShutdownPrivilege	3196	chrome.exe
Token: SeCreatePagefilePrivilege	3196	chrome.exe
Token: SeShutdownPrivilege	3196	chrome.exe
Token: SeCreatePagefilePrivilege	3196	chrome.exe
Token: SeShutdownPrivilege	3196	chrome.exe
Token: SeCreatePagefilePrivilege	3196	chrome.exe
Token: SeShutdownPrivilege	3196	chrome.exe
Token: SeCreatePagefilePrivilege	3196	chrome.exe
Token: SeShutdownPrivilege	3196	chrome.exe
Token: SeCreatePagefilePrivilege	3196	chrome.exe
Token: SeShutdownPrivilege	3196	chrome.exe
Token: SeCreatePagefilePrivilege	3196	chrome.exe
Token: SeShutdownPrivilege	3196	chrome.exe
Token: SeCreatePagefilePrivilege	3196	chrome.exe
Token: SeShutdownPrivilege	3196	chrome.exe
Token: SeCreatePagefilePrivilege	3196	chrome.exe
Token: SeShutdownPrivilege	3196	chrome.exe
Token: SeCreatePagefilePrivilege	3196	chrome.exe
Token: SeShutdownPrivilege	3196	chrome.exe
Token: SeCreatePagefilePrivilege	3196	chrome.exe
Token: SeShutdownPrivilege	3196	chrome.exe
Token: SeCreatePagefilePrivilege	3196	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3012	PngMbrBuilder.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
2224	taskmgr.exe
2224	taskmgr.exe
2224	taskmgr.exe
2224	taskmgr.exe
2224	taskmgr.exe
2224	taskmgr.exe
2224	taskmgr.exe
2224	taskmgr.exe
2224	taskmgr.exe
2224	taskmgr.exe
2224	taskmgr.exe
2224	taskmgr.exe
2224	taskmgr.exe
2224	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
3196	chrome.exe
2224	taskmgr.exe
2224	taskmgr.exe
2224	taskmgr.exe
2224	taskmgr.exe
2224	taskmgr.exe
2224	taskmgr.exe
2224	taskmgr.exe
2224	taskmgr.exe
2224	taskmgr.exe
2224	taskmgr.exe
2224	taskmgr.exe
2224	taskmgr.exe
2224	taskmgr.exe
2224	taskmgr.exe
2224	taskmgr.exe
2224	taskmgr.exe
2224	taskmgr.exe
2224	taskmgr.exe
2224	taskmgr.exe
2224	taskmgr.exe
2224	taskmgr.exe
2224	taskmgr.exe
2224	taskmgr.exe
2224	taskmgr.exe
2224	taskmgr.exe
2224	taskmgr.exe
2224	taskmgr.exe
2224	taskmgr.exe
2224	taskmgr.exe
2224	taskmgr.exe
2224	taskmgr.exe
2224	taskmgr.exe
2224	taskmgr.exe
2224	taskmgr.exe
2224	taskmgr.exe
2224	taskmgr.exe
2224	taskmgr.exe
2224	taskmgr.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
3012	PngMbrBuilder.exe
3012	PngMbrBuilder.exe
3932	mspaint.exe
3932	mspaint.exe
3932	mspaint.exe
3932	mspaint.exe
968	chrome.exe
888	chrome.exe
3012	PngMbrBuilder.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 3932	3012	PngMbrBuilder.exe	100
PID 3012 wrote to memory of 3932	3012	PngMbrBuilder.exe	100
PID 3196 wrote to memory of 3904	3196	chrome.exe	106
PID 3196 wrote to memory of 3904	3196	chrome.exe	106
PID 3196 wrote to memory of 4288	3196	chrome.exe	107
PID 3196 wrote to memory of 4288	3196	chrome.exe	107
PID 3196 wrote to memory of 4288	3196	chrome.exe	107
PID 3196 wrote to memory of 4288	3196	chrome.exe	107
PID 3196 wrote to memory of 4288	3196	chrome.exe	107
PID 3196 wrote to memory of 4288	3196	chrome.exe	107
PID 3196 wrote to memory of 4288	3196	chrome.exe	107
PID 3196 wrote to memory of 4288	3196	chrome.exe	107
PID 3196 wrote to memory of 4288	3196	chrome.exe	107
PID 3196 wrote to memory of 4288	3196	chrome.exe	107
PID 3196 wrote to memory of 4288	3196	chrome.exe	107
PID 3196 wrote to memory of 4288	3196	chrome.exe	107
PID 3196 wrote to memory of 4288	3196	chrome.exe	107
PID 3196 wrote to memory of 4288	3196	chrome.exe	107
PID 3196 wrote to memory of 4288	3196	chrome.exe	107
PID 3196 wrote to memory of 4288	3196	chrome.exe	107
PID 3196 wrote to memory of 4288	3196	chrome.exe	107
PID 3196 wrote to memory of 4288	3196	chrome.exe	107
PID 3196 wrote to memory of 4288	3196	chrome.exe	107
PID 3196 wrote to memory of 4288	3196	chrome.exe	107
PID 3196 wrote to memory of 4288	3196	chrome.exe	107
PID 3196 wrote to memory of 4288	3196	chrome.exe	107
PID 3196 wrote to memory of 4288	3196	chrome.exe	107
PID 3196 wrote to memory of 4288	3196	chrome.exe	107
PID 3196 wrote to memory of 4288	3196	chrome.exe	107
PID 3196 wrote to memory of 4288	3196	chrome.exe	107
PID 3196 wrote to memory of 4288	3196	chrome.exe	107
PID 3196 wrote to memory of 4288	3196	chrome.exe	107
PID 3196 wrote to memory of 4288	3196	chrome.exe	107
PID 3196 wrote to memory of 4288	3196	chrome.exe	107
PID 3196 wrote to memory of 4288	3196	chrome.exe	107
PID 3196 wrote to memory of 3120	3196	chrome.exe	108
PID 3196 wrote to memory of 3120	3196	chrome.exe	108
PID 3196 wrote to memory of 2768	3196	chrome.exe	109
PID 3196 wrote to memory of 2768	3196	chrome.exe	109
PID 3196 wrote to memory of 2768	3196	chrome.exe	109
PID 3196 wrote to memory of 2768	3196	chrome.exe	109
PID 3196 wrote to memory of 2768	3196	chrome.exe	109
PID 3196 wrote to memory of 2768	3196	chrome.exe	109
PID 3196 wrote to memory of 2768	3196	chrome.exe	109
PID 3196 wrote to memory of 2768	3196	chrome.exe	109
PID 3196 wrote to memory of 2768	3196	chrome.exe	109
PID 3196 wrote to memory of 2768	3196	chrome.exe	109
PID 3196 wrote to memory of 2768	3196	chrome.exe	109
PID 3196 wrote to memory of 2768	3196	chrome.exe	109
PID 3196 wrote to memory of 2768	3196	chrome.exe	109
PID 3196 wrote to memory of 2768	3196	chrome.exe	109
PID 3196 wrote to memory of 2768	3196	chrome.exe	109
PID 3196 wrote to memory of 2768	3196	chrome.exe	109
PID 3196 wrote to memory of 2768	3196	chrome.exe	109
PID 3196 wrote to memory of 2768	3196	chrome.exe	109
PID 3196 wrote to memory of 2768	3196	chrome.exe	109
PID 3196 wrote to memory of 2768	3196	chrome.exe	109
PID 3196 wrote to memory of 2768	3196	chrome.exe	109
PID 3196 wrote to memory of 2768	3196	chrome.exe	109
PID 3196 wrote to memory of 2768	3196	chrome.exe	109
PID 3196 wrote to memory of 2768	3196	chrome.exe	109
PID 3196 wrote to memory of 2768	3196	chrome.exe	109
PID 3196 wrote to memory of 2768	3196	chrome.exe	109
PID 3196 wrote to memory of 2768	3196	chrome.exe	109

C:\Users\Admin\AppData\Local\Temp\PngMbrBuilder.exe
"C:\Users\Admin\AppData\Local\Temp\PngMbrBuilder.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Pictures\AddUnlock.png"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3932

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3cc 0x46c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3416

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:404

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0x100,0x128,0x7ff8c523ab58,0x7ff8c523ab68,0x7ff8c523ab78
  2⤵
  PID:3904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=584 --field-trial-handle=1768,i,3610853023099421699,7997392829595634401,131072 /prefetch:2
  2⤵
  PID:4288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 --field-trial-handle=1768,i,3610853023099421699,7997392829595634401,131072 /prefetch:8
  2⤵
  PID:3120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2244 --field-trial-handle=1768,i,3610853023099421699,7997392829595634401,131072 /prefetch:8
  2⤵
  PID:2768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3036 --field-trial-handle=1768,i,3610853023099421699,7997392829595634401,131072 /prefetch:1
  2⤵
  PID:4796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3044 --field-trial-handle=1768,i,3610853023099421699,7997392829595634401,131072 /prefetch:1
  2⤵
  PID:3184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4344 --field-trial-handle=1768,i,3610853023099421699,7997392829595634401,131072 /prefetch:1
  2⤵
  PID:4328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4496 --field-trial-handle=1768,i,3610853023099421699,7997392829595634401,131072 /prefetch:8
  2⤵
  PID:4552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4624 --field-trial-handle=1768,i,3610853023099421699,7997392829595634401,131072 /prefetch:8
  2⤵
  PID:1912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4660 --field-trial-handle=1768,i,3610853023099421699,7997392829595634401,131072 /prefetch:8
  2⤵
  PID:4616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4752 --field-trial-handle=1768,i,3610853023099421699,7997392829595634401,131072 /prefetch:8
  2⤵
  PID:4604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4740 --field-trial-handle=1768,i,3610853023099421699,7997392829595634401,131072 /prefetch:8
  2⤵
  PID:5016
- C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  PID:5040
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x25c,0x260,0x264,0x238,0x268,0x7ff6ae00ae48,0x7ff6ae00ae58,0x7ff6ae00ae68
    3⤵
    PID:4552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4860 --field-trial-handle=1768,i,3610853023099421699,7997392829595634401,131072 /prefetch:1
  2⤵
  PID:316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4196 --field-trial-handle=1768,i,3610853023099421699,7997392829595634401,131072 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2332 --field-trial-handle=1768,i,3610853023099421699,7997392829595634401,131072 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1560 --field-trial-handle=1768,i,3610853023099421699,7997392829595634401,131072 /prefetch:8
  2⤵
  PID:4020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4836 --field-trial-handle=1768,i,3610853023099421699,7997392829595634401,131072 /prefetch:8
  2⤵
  PID:1352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=5016 --field-trial-handle=1768,i,3610853023099421699,7997392829595634401,131072 /prefetch:1
  2⤵
  PID:1736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=3044 --field-trial-handle=1768,i,3610853023099421699,7997392829595634401,131072 /prefetch:1
  2⤵
  PID:3956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=3952 --field-trial-handle=1768,i,3610853023099421699,7997392829595634401,131072 /prefetch:1
  2⤵
  PID:2588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4764 --field-trial-handle=1768,i,3610853023099421699,7997392829595634401,131072 /prefetch:8
  2⤵
  PID:3180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4736 --field-trial-handle=1768,i,3610853023099421699,7997392829595634401,131072 /prefetch:8
  2⤵
  PID:3820

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:3516

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000009

Filesize
69KB

MD5
805d4fdfc3d3e5ddd5391b8f361fa519

SHA1
5425f05d27964bc57cd879e16914bce5053ec743

SHA256
3924dabf7b129ad34cdd665768bff84c6ffa449b942cab5df2e30b0ea9efb659

SHA512
7a64df530a77faf100ba32d9cf82ca5d57f6f11f40a1e6688d695d3b726b807b6f7e34853fb2b7ecb30c137465618f09077031f42b24eb80ee90ab5c3a0bd8ca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000b

Filesize
325KB

MD5
744df7d7778849bd70ae8d9767d8124a

SHA1
d7732942325e9fed9326e4c606b5391f5a67f8a0

SHA256
d3931e8df42bb43a2ae5a2b3547ae38f5fad230f94a35d05d51092a0b625a514

SHA512
43a52022c949d427f5c69077ce35f626d55cf70b38c74dc216caec4975f31a6215284b7797cc0a3bf1f51a8c5ad4aeef5ac19ea1eae35e2e1b16b93529fc820f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000c

Filesize
141KB

MD5
5861037e5c3dee2885eed8c2390c7740

SHA1
ae8ff249982b4c6ae1f4c7b918de4e08cbc81626

SHA256
8702a6a062ac9258b607ca43d7509a44233738944cda4f8b139ae7d2458e82cc

SHA512
0add69e90b01a31572a59c401c282365539120567e351609a7f06979cc53c5b384f13bbc4edc15d6f0fe4d45e5320d31732f1bbad684bbebe747a0fde086bf45

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000033

Filesize
17KB

MD5
c7294f8389c01171c456032146e7a75d

SHA1
17d3f4dfad8f7af172c308ad4a0b3342557f07b0

SHA256
b37d816b86b1a9619fa68bbc747dbf9ce7f01558734dd2c9fb8ba6b57b03c824

SHA512
e6831f9a71de8dd706c4d7566d0a70cb7a7972879d282e0b66a4bf6ca6c8b8f50d18e6ec1fe19fd1b1ba386fc81975ded9bcab1a52c45c52ba2e64049df3c648

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
912B

MD5
1ccb2a26782a47cb03c17c16ab96047e

SHA1
e6ac4fb701c232000473057599c238f02d25e2f8

SHA256
5277a0ffba183cd74ca2e7ea8edaa9869d087c332cad8661f684234fbc3270e6

SHA512
4f20de7e1006d3dc2330cf166a475f146297aa89625c78987fd81e37a7209b1d5de06b3d9d93381b04307d8e58e90a391e273a7edf027f2de686628184a2fc24

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
de3e8f23b0f46c8a90a409cb8a8d74c4

SHA1
f6687b5e61194f514cebb6c48412b320d9376879

SHA256
dec9df062885573f8cae3ac748b3a66c66f3100849056108e9a52c93cc24bf80

SHA512
eb354f040f3407a7adfbe36b187713a520809d6f72d798e03f1eee09e4530228bd74071b2365864c0b05348269d119fe12e88bc1942ce6dd56fbb04ec948d6f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
71ca28bdbe180ee0e19f88d9b43d47db

SHA1
f9976782eb758a4d2951467b13dcfd02b5c5ee12

SHA256
57adfbd064d9ba6a5f1b51b06661b82f291c634c77154e2a8030089665a71dd0

SHA512
885d0c451b97d9d80b8214daaeaf694a7432c68a9b84b2424425befdb9de5d7d1cb793d200746d26d0c99d1b341de0f622d8cf1787880d7cdc4cd44a5435fec6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
10130238cd0ebf211cd800cf5afb3e70

SHA1
26ea82ea1baa915c504ba700e980ad14f34e42ff

SHA256
0a24f736ffd9bed7cf2ded8c1a656e24fd61407dee1d49bbd8e2ec8d3f51a271

SHA512
11815af11d94df0d6e28191346b7f83096c408e10f1c0918fc92f8241fb86d16531fd84e9e36358048bbed4ca137fa1173eab9fc643d93a41745e6d5150ac603

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
523B

MD5
5716402bc2a178b7703c95ec744e2be7

SHA1
ed14391ee0942d39cfd512de1da9ccd5754651b8

SHA256
283c21aa0ad84c6d92879129f0f4b7da8027e2895267584dafb97c8d2920c04d

SHA512
59171b3e4744bbb5590a6a2a239cc90c9d43d911c7cb1c45f1e662b6e060797a52d54482a33edf2c30afe5aa505c2ad894f1153d099163b204b8b3e354c282f8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
690B

MD5
f18bfe8cb8d174fb9bab129279223292

SHA1
e6e29df98b0b4f020c6aa337d220f7b01a3614b2

SHA256
f38eab0e35d23ba69ac1db58458fd53cf6b6d26dca8a5b2b034ea37340f38ba2

SHA512
32f8d837effe56134498f3b362b2d28c9b6467dfd64f3d7f705da522f09a968c8429e1649ace3954fecc75dc9052730944fcd5ecb12d50ef9aaac3e45b7d6770

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
858B

MD5
65441ab91fc5fd5a242bdb7d29c8276b

SHA1
895c50c30c2082e1a4fbab7c7d1bdf6e99e2999e

SHA256
7a4c7f18ba8c8a9f6531c25120adba9d43a3897fb1800e2753eca9d2c281324c

SHA512
704d9bd4b8a6106bf62a41ebbe8e9643d100f054031a344472d139b1dcc3c7db0909a3b017a89691f6ab37f47024ecb24fbcadeed074ad5c7bfe51db35b4ba0d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
114d3bd9891892e4896dd579b593ecf6

SHA1
a43ceb621e0e98f986726407ec70d4df213f3e44

SHA256
a3b9c26fb90304c727084c9056f3c749dc0ee809fe0dcadb3ccdad960c09cb65

SHA512
f62dd7dc07bb756d45fae575d4e5bed791e664d8ac093cfafe673185dd0c26b24539fc2a185f63702f331e9ae700215395ab6744960907a1f964260fb46589cd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
a3d8340dfefd95f3619dd6b12696018b

SHA1
a3a1c42699e61880ed8de73c38c1eee0f491108c

SHA256
f1a88bbd0ed3cc902ca4e4e8cb672f0df7e73255268966614386ed9eafdf2f01

SHA512
90f7368269b1e2edd6dee92af69892733cdcfaefd9c5f0240f517e74f4c1def961cdcdb950731379ee9e2c7f31c3220b59761f493d0d47e99ae566b19ff8a109

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
57e02cfe3bdebc3013287e643bfcf0e3

SHA1
dbadcc15280a93acbc57d69d38d45d18fa5624e1

SHA256
6c7412eb3098629c744faf6d337b67b7f65ff066063d60653d2370583a719e37

SHA512
512abbfb32faa33d3350131e552aae536981991d31f41d127f12868668c2c09290ebbd794469004f8b45932d770a82678f9603209401a7b1aaedade1b9251831

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
bdfef96541aec823b8b6190edd304b7b

SHA1
7042bbc7314d0f0fb05b07c5c04f96b280642996

SHA256
f92bc38551c5f33f2932b1491874c6ab7083618079a3c9255b7fa0f2b7ef276f

SHA512
abd2408f3ddccae951a221ca2e4d518c30ead971dbbce6d7837d2d2480fd02d1aa92ea60ab7906b88fad61fc09f55f80fd018c433bf364fcbd6ebffa9919b0a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
17e0e83cb5e96d431da13bbf5d7b38c4

SHA1
a18a219b0f11dc6fbd8fa95b54570ca6d0efd8f4

SHA256
4f752c2bff1784ebcdf719ede240847e63c675bb6fc14580077561d422bfd2b0

SHA512
be95d0df64270eb949c36aa84648321874c01ac8254d91162954a7855f00b7067c62db752990c35e5d8b84db3dbaf0b7451707bf615d7197c678c5cd79252b37

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
ef76aeeb6cbcc5029914e551e353f066

SHA1
5bcef4de941e285872b80c9601859198ba44752f

SHA256
52075cbba73df5e08a69acb77bd49e31c2359d45f73e3c7f9de4807f120eed95

SHA512
58d17a8cd50c486e901ddedc0486bf28eaed8622bfa09b649282e3ecc017790f766bcd9275a315cdedccf5330507a21e2707c724a439d9ac7db808a54153ebb2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
260KB

MD5
05bb55f685824816442803f44f7b138b

SHA1
366df705623cc6390814e774687ed330e56445b6

SHA256
9edcdcc8df0d223fef9a74823af59a5f073f004cb98b303a71d35b29b879e87d

SHA512
7dda0d4ad29f061328085bc683cebb2c728fba5ddc7461ae5be9f90a4b3a29632bfb8dad0862d7299b9bc03bae3751e7d064faac7164a2348a80c831905245f1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
260KB

MD5
3939dd17cd208a626da5e401081f749a

SHA1
ac4db6d935ee6e647c5476d5b6e38283f35dafb2

SHA256
5d2fe67952776197ceb58a5feed342899bc2bb29d71342bcf1327c136b5fdc76

SHA512
90c5218e2b61b50b1081553f61fd32a55fa99cf429684d828ed581a31c1b5897e1849b85e011d20898c6c16f3411e597284fc2a511f01f0505b9966ba4d61fdd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
94KB

MD5
784f50f830bb57bb96326700e388b47a

SHA1
964c5377a38e983b74597ff61782cecfdf6bbd1b

SHA256
9a37e58c82cec2153e7806380bdca72fc43587260cb527cdd442f4dc99bc312c

SHA512
f350513b7508f97562d50150392d71569e1b09a5707797c64ba09ba55701f959a2dde2e2cdd23d48ab436d966f1176ce7f5e19e30025f635ffdf1db834b805bd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
98KB

MD5
d46db5fbecf8f91f0fc6573577452e24

SHA1
37ad303978a818ce6231784ec1e152b3cdc6dd96

SHA256
ce4c839991776ef767457fa2cb83fec09ce9c989ef8405c3f4e88ac571bb641c

SHA512
315d901d9f08cebc7115d17378c29ef74c62c696a5a752e501d90f86420ed9f9110443d11a961da2eb84afc16d7d9efb6a5f6d7880c4109b71fa3d114be81e91

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe58d78f.TMP

Filesize
89KB

MD5
491b5ae1b23d6bb52c89587dc5b008ab

SHA1
36ab66c3cd1bb104d9678b764912033cc761ccf3

SHA256
9a95ebc73c66a17d9ebf64cadde456ecd75a19857c899310458426c759c5598b

SHA512
c3d91c749571cc6fc6e82645967d4472f258cf8f6881821c30873f6a60a9489dae20fd2093fb4414d947263697a8f51a57a163a79936a6d0972332eed3b9c653

Download Submit
C:\Users\Admin\Downloads\321668.png

Filesize
160KB

MD5
c8b027ecdf6ed1e79c3e6b1e2b742288

SHA1
cb202ac64f066d7c0a5f56200fbd6b20d84d607a

SHA256
ff04361efc341c1a3a46a060798dab8a08fb4aa0aeb63a3c21f2fc893c00843c

SHA512
6915b4aa4cb7d6bb777f5e71529510f7bc6915fd7c60ef0bad469d44e9c8fd881dd5a0c7206122e810620d5ba24ae04b567d7f2a5ab6816b0bd25fd761744b42

Download Submit
memory/2224-604-0x000001FED98B0000-0x000001FED98B1000-memory.dmp

Filesize
4KB

Download
memory/2224-608-0x000001FED98B0000-0x000001FED98B1000-memory.dmp

Filesize
4KB

Download
memory/2224-609-0x000001FED98B0000-0x000001FED98B1000-memory.dmp

Filesize
4KB

Download
memory/2224-610-0x000001FED98B0000-0x000001FED98B1000-memory.dmp

Filesize
4KB

Download
memory/2224-611-0x000001FED98B0000-0x000001FED98B1000-memory.dmp

Filesize
4KB

Download
memory/2224-612-0x000001FED98B0000-0x000001FED98B1000-memory.dmp

Filesize
4KB

Download
memory/2224-613-0x000001FED98B0000-0x000001FED98B1000-memory.dmp

Filesize
4KB

Download
memory/2224-614-0x000001FED98B0000-0x000001FED98B1000-memory.dmp

Filesize
4KB

Download
memory/2224-602-0x000001FED98B0000-0x000001FED98B1000-memory.dmp

Filesize
4KB

Download
memory/2224-603-0x000001FED98B0000-0x000001FED98B1000-memory.dmp

Filesize
4KB

Download
memory/3012-6-0x00007FF8CEBF0000-0x00007FF8CF6B1000-memory.dmp

Filesize
10.8MB

Download
memory/3012-0-0x00007FF8CEBF3000-0x00007FF8CEBF5000-memory.dmp

Filesize
8KB

Download
memory/3012-1-0x0000000000FF0000-0x000000000103E000-memory.dmp

Filesize
312KB

Download
memory/3012-2-0x0000000003090000-0x0000000003096000-memory.dmp

Filesize
24KB

Download
memory/3012-3-0x000000001BF00000-0x000000001C034000-memory.dmp

Filesize
1.2MB

Download
memory/3012-4-0x00007FF8CEBF0000-0x00007FF8CF6B1000-memory.dmp

Filesize
10.8MB

Download
memory/3012-5-0x00000000030A0000-0x00000000030A6000-memory.dmp

Filesize
24KB

Download
memory/3012-7-0x00007FF8CEBF0000-0x00007FF8CF6B1000-memory.dmp

Filesize
10.8MB

Download
memory/3012-8-0x00007FF8CEBF3000-0x00007FF8CEBF5000-memory.dmp

Filesize
8KB

Download
memory/3012-9-0x00007FF8CEBF0000-0x00007FF8CF6B1000-memory.dmp

Filesize
10.8MB

Download
memory/3012-10-0x00007FF8CEBF0000-0x00007FF8CF6B1000-memory.dmp

Filesize
10.8MB

Download
memory/3012-11-0x00007FF8CEBF0000-0x00007FF8CF6B1000-memory.dmp

Filesize
10.8MB

Download
memory/3012-616-0x00007FF8CEBF0000-0x00007FF8CF6B1000-memory.dmp

Filesize
10.8MB

Download