c9a37582c258883ce7ea000ba8cd9f1aebc57176e641b460038b9a8e4031abbc

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
05-04-2023 17:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Actives_Setup_2023_As_PassKey.rar
Size

12.4MB
MD5

61040d324af567376629c49a5e1dddf2
SHA1

c2b4e2907bab7584cb48d161fdf3ce119ece92c3
SHA256

901c4fc8c8a5cd7de5536f98e97df4eb84bb328c32dab62dbb01a566d6d776c6
SHA512

2374e6c2f5ea3e4a8a0196fb159b12f9552a53f2cb56edef6e50189416f7663d2ac7d405ac94efbbd514d3d5913717b3ec5830cc22811bd6154e57bff0643b7b
SSDEEP

196608:8ez+JcHqUMpAtZAoggGKoAyt7N95hCbdk34gtqXVyUEvJF4uT/4//cpCAiJhr3D6:JgtSaKoHNLhn4gV1THUO1iJd3DwbUlk

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133251961826490425"	chrome.exe

Modifies registry class 64 IoCs

Processes:

OpenWith.exechrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = ffffffff	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "2"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\ၩ𸠈〫鴰\ = "rar_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\rar_auto_file\shell\open	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\NodeSlot = "1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\.rar	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\rar_auto_file\shell	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\rar_auto_file\shell\open\command	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\rar_auto_file\shell\open\command\ = "\"C:\\Program Files\\7-Zip\\7z.exe\" \"%1\""	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 8c003100000000005456aaa1110050524f4752417e310000740009000400efbe874fdb495456aaa12e0000003f0000000000010000000000000000004a000000000057260d00500072006f006700720061006d002000460069006c0065007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370038003100000018000000	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 50003100000000005456dd981000372d5a6970003c0009000400efbe5456dd985456dd982e00000010250200000009000000000000000000000000000000dcbec60037002d005a0069007000000014000000	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Applications\7z.exe\shell\open\command	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Applications\7z.exe	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\ၩ𸠈〫鴰	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Applications\7z.exe\shell	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid process

3272 chrome.exe
3272 chrome.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

OpenWith.exe

pid process

1664 OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

Processes:

chrome.exe

pid	process
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

7z.exechrome.exe

description	pid	process
Token: SeRestorePrivilege	4232	7z.exe
Token: 35	4232	7z.exe
Token: SeShutdownPrivilege	3272	chrome.exe
Token: SeCreatePagefilePrivilege	3272	chrome.exe
Token: SeShutdownPrivilege	3272	chrome.exe
Token: SeCreatePagefilePrivilege	3272	chrome.exe
Token: SeShutdownPrivilege	3272	chrome.exe
Token: SeCreatePagefilePrivilege	3272	chrome.exe
Token: SeShutdownPrivilege	3272	chrome.exe
Token: SeCreatePagefilePrivilege	3272	chrome.exe
Token: SeShutdownPrivilege	3272	chrome.exe
Token: SeCreatePagefilePrivilege	3272	chrome.exe
Token: SeShutdownPrivilege	3272	chrome.exe
Token: SeCreatePagefilePrivilege	3272	chrome.exe
Token: SeShutdownPrivilege	3272	chrome.exe
Token: SeCreatePagefilePrivilege	3272	chrome.exe
Token: SeShutdownPrivilege	3272	chrome.exe
Token: SeCreatePagefilePrivilege	3272	chrome.exe
Token: SeShutdownPrivilege	3272	chrome.exe
Token: SeCreatePagefilePrivilege	3272	chrome.exe
Token: SeShutdownPrivilege	3272	chrome.exe
Token: SeCreatePagefilePrivilege	3272	chrome.exe
Token: SeShutdownPrivilege	3272	chrome.exe
Token: SeCreatePagefilePrivilege	3272	chrome.exe
Token: SeShutdownPrivilege	3272	chrome.exe
Token: SeCreatePagefilePrivilege	3272	chrome.exe
Token: SeShutdownPrivilege	3272	chrome.exe
Token: SeCreatePagefilePrivilege	3272	chrome.exe
Token: SeShutdownPrivilege	3272	chrome.exe
Token: SeCreatePagefilePrivilege	3272	chrome.exe
Token: SeShutdownPrivilege	3272	chrome.exe
Token: SeCreatePagefilePrivilege	3272	chrome.exe
Token: SeShutdownPrivilege	3272	chrome.exe
Token: SeCreatePagefilePrivilege	3272	chrome.exe
Token: SeShutdownPrivilege	3272	chrome.exe
Token: SeCreatePagefilePrivilege	3272	chrome.exe
Token: SeShutdownPrivilege	3272	chrome.exe
Token: SeCreatePagefilePrivilege	3272	chrome.exe
Token: SeShutdownPrivilege	3272	chrome.exe
Token: SeCreatePagefilePrivilege	3272	chrome.exe
Token: SeShutdownPrivilege	3272	chrome.exe
Token: SeCreatePagefilePrivilege	3272	chrome.exe
Token: SeShutdownPrivilege	3272	chrome.exe
Token: SeCreatePagefilePrivilege	3272	chrome.exe
Token: SeShutdownPrivilege	3272	chrome.exe
Token: SeCreatePagefilePrivilege	3272	chrome.exe
Token: SeShutdownPrivilege	3272	chrome.exe
Token: SeCreatePagefilePrivilege	3272	chrome.exe
Token: SeShutdownPrivilege	3272	chrome.exe
Token: SeCreatePagefilePrivilege	3272	chrome.exe
Token: SeShutdownPrivilege	3272	chrome.exe
Token: SeCreatePagefilePrivilege	3272	chrome.exe
Token: SeShutdownPrivilege	3272	chrome.exe
Token: SeCreatePagefilePrivilege	3272	chrome.exe
Token: SeShutdownPrivilege	3272	chrome.exe
Token: SeCreatePagefilePrivilege	3272	chrome.exe
Token: SeShutdownPrivilege	3272	chrome.exe
Token: SeCreatePagefilePrivilege	3272	chrome.exe
Token: SeShutdownPrivilege	3272	chrome.exe
Token: SeCreatePagefilePrivilege	3272	chrome.exe
Token: SeShutdownPrivilege	3272	chrome.exe
Token: SeCreatePagefilePrivilege	3272	chrome.exe
Token: SeShutdownPrivilege	3272	chrome.exe
Token: SeCreatePagefilePrivilege	3272	chrome.exe

Suspicious use of FindShellTrayWindow 43 IoCs

Processes:

chrome.exe7zG.exe7zG.exe

pid	process
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
4968	7zG.exe
1904	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe

Suspicious use of SetWindowsHookEx 48 IoCs

Processes:

OpenWith.exe

pid	process
1664	OpenWith.exe
1664	OpenWith.exe
1664	OpenWith.exe
1664	OpenWith.exe
1664	OpenWith.exe
1664	OpenWith.exe
1664	OpenWith.exe
1664	OpenWith.exe
1664	OpenWith.exe
1664	OpenWith.exe
1664	OpenWith.exe
1664	OpenWith.exe
1664	OpenWith.exe
1664	OpenWith.exe
1664	OpenWith.exe
1664	OpenWith.exe
1664	OpenWith.exe
1664	OpenWith.exe
1664	OpenWith.exe
1664	OpenWith.exe
1664	OpenWith.exe
1664	OpenWith.exe
1664	OpenWith.exe
1664	OpenWith.exe
1664	OpenWith.exe
1664	OpenWith.exe
1664	OpenWith.exe
1664	OpenWith.exe
1664	OpenWith.exe
1664	OpenWith.exe
1664	OpenWith.exe
1664	OpenWith.exe
1664	OpenWith.exe
1664	OpenWith.exe
1664	OpenWith.exe
1664	OpenWith.exe
1664	OpenWith.exe
1664	OpenWith.exe
1664	OpenWith.exe
1664	OpenWith.exe
1664	OpenWith.exe
1664	OpenWith.exe
1664	OpenWith.exe
1664	OpenWith.exe
1664	OpenWith.exe
1664	OpenWith.exe
1664	OpenWith.exe
1664	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

OpenWith.exechrome.exe

description	pid	process	target process
PID 1664 wrote to memory of 4232	1664	OpenWith.exe	7z.exe
PID 1664 wrote to memory of 4232	1664	OpenWith.exe	7z.exe
PID 3272 wrote to memory of 1552	3272	chrome.exe	chrome.exe
PID 3272 wrote to memory of 1552	3272	chrome.exe	chrome.exe
PID 3272 wrote to memory of 4580	3272	chrome.exe	chrome.exe
PID 3272 wrote to memory of 4580	3272	chrome.exe	chrome.exe
PID 3272 wrote to memory of 4580	3272	chrome.exe	chrome.exe
PID 3272 wrote to memory of 4580	3272	chrome.exe	chrome.exe
PID 3272 wrote to memory of 4580	3272	chrome.exe	chrome.exe
PID 3272 wrote to memory of 4580	3272	chrome.exe	chrome.exe
PID 3272 wrote to memory of 4580	3272	chrome.exe	chrome.exe
PID 3272 wrote to memory of 4580	3272	chrome.exe	chrome.exe
PID 3272 wrote to memory of 4580	3272	chrome.exe	chrome.exe
PID 3272 wrote to memory of 4580	3272	chrome.exe	chrome.exe
PID 3272 wrote to memory of 4580	3272	chrome.exe	chrome.exe
PID 3272 wrote to memory of 4580	3272	chrome.exe	chrome.exe
PID 3272 wrote to memory of 4580	3272	chrome.exe	chrome.exe
PID 3272 wrote to memory of 4580	3272	chrome.exe	chrome.exe
PID 3272 wrote to memory of 4580	3272	chrome.exe	chrome.exe
PID 3272 wrote to memory of 4580	3272	chrome.exe	chrome.exe
PID 3272 wrote to memory of 4580	3272	chrome.exe	chrome.exe
PID 3272 wrote to memory of 4580	3272	chrome.exe	chrome.exe
PID 3272 wrote to memory of 4580	3272	chrome.exe	chrome.exe
PID 3272 wrote to memory of 4580	3272	chrome.exe	chrome.exe
PID 3272 wrote to memory of 4580	3272	chrome.exe	chrome.exe
PID 3272 wrote to memory of 4580	3272	chrome.exe	chrome.exe
PID 3272 wrote to memory of 4580	3272	chrome.exe	chrome.exe
PID 3272 wrote to memory of 4580	3272	chrome.exe	chrome.exe
PID 3272 wrote to memory of 4580	3272	chrome.exe	chrome.exe
PID 3272 wrote to memory of 4580	3272	chrome.exe	chrome.exe
PID 3272 wrote to memory of 4580	3272	chrome.exe	chrome.exe
PID 3272 wrote to memory of 4580	3272	chrome.exe	chrome.exe
PID 3272 wrote to memory of 4580	3272	chrome.exe	chrome.exe
PID 3272 wrote to memory of 4580	3272	chrome.exe	chrome.exe
PID 3272 wrote to memory of 4580	3272	chrome.exe	chrome.exe
PID 3272 wrote to memory of 4580	3272	chrome.exe	chrome.exe
PID 3272 wrote to memory of 4580	3272	chrome.exe	chrome.exe
PID 3272 wrote to memory of 4580	3272	chrome.exe	chrome.exe
PID 3272 wrote to memory of 4580	3272	chrome.exe	chrome.exe
PID 3272 wrote to memory of 4580	3272	chrome.exe	chrome.exe
PID 3272 wrote to memory of 4580	3272	chrome.exe	chrome.exe
PID 3272 wrote to memory of 4580	3272	chrome.exe	chrome.exe
PID 3272 wrote to memory of 5036	3272	chrome.exe	chrome.exe
PID 3272 wrote to memory of 5036	3272	chrome.exe	chrome.exe
PID 3272 wrote to memory of 440	3272	chrome.exe	chrome.exe
PID 3272 wrote to memory of 440	3272	chrome.exe	chrome.exe
PID 3272 wrote to memory of 440	3272	chrome.exe	chrome.exe
PID 3272 wrote to memory of 440	3272	chrome.exe	chrome.exe
PID 3272 wrote to memory of 440	3272	chrome.exe	chrome.exe
PID 3272 wrote to memory of 440	3272	chrome.exe	chrome.exe
PID 3272 wrote to memory of 440	3272	chrome.exe	chrome.exe
PID 3272 wrote to memory of 440	3272	chrome.exe	chrome.exe
PID 3272 wrote to memory of 440	3272	chrome.exe	chrome.exe
PID 3272 wrote to memory of 440	3272	chrome.exe	chrome.exe
PID 3272 wrote to memory of 440	3272	chrome.exe	chrome.exe
PID 3272 wrote to memory of 440	3272	chrome.exe	chrome.exe
PID 3272 wrote to memory of 440	3272	chrome.exe	chrome.exe
PID 3272 wrote to memory of 440	3272	chrome.exe	chrome.exe
PID 3272 wrote to memory of 440	3272	chrome.exe	chrome.exe
PID 3272 wrote to memory of 440	3272	chrome.exe	chrome.exe
PID 3272 wrote to memory of 440	3272	chrome.exe	chrome.exe
PID 3272 wrote to memory of 440	3272	chrome.exe	chrome.exe
PID 3272 wrote to memory of 440	3272	chrome.exe	chrome.exe
PID 3272 wrote to memory of 440	3272	chrome.exe	chrome.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Actives_Setup_2023_As_PassKey.rar
1⤵
PID:4120

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1664

C:\Program Files\7-Zip\7z.exe
"C:\Program Files\7-Zip\7z.exe" "C:\Users\Admin\AppData\Local\Temp\Actives_Setup_2023_As_PassKey.rar"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4232

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3272

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa63e69758,0x7ffa63e69768,0x7ffa63e69778
2⤵
PID:1552

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1800 --field-trial-handle=1788,i,12631045414301112029,17946678795812312220,131072 /prefetch:2
2⤵
PID:4580

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1788,i,12631045414301112029,17946678795812312220,131072 /prefetch:8
2⤵
PID:5036

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2236 --field-trial-handle=1788,i,12631045414301112029,17946678795812312220,131072 /prefetch:8
2⤵
PID:440

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3144 --field-trial-handle=1788,i,12631045414301112029,17946678795812312220,131072 /prefetch:1
2⤵
PID:2404

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3280 --field-trial-handle=1788,i,12631045414301112029,17946678795812312220,131072 /prefetch:1
2⤵
PID:3740

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4480 --field-trial-handle=1788,i,12631045414301112029,17946678795812312220,131072 /prefetch:1
2⤵
PID:884

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4776 --field-trial-handle=1788,i,12631045414301112029,17946678795812312220,131072 /prefetch:8
2⤵
PID:3384

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4632 --field-trial-handle=1788,i,12631045414301112029,17946678795812312220,131072 /prefetch:8
2⤵
PID:2764

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4924 --field-trial-handle=1788,i,12631045414301112029,17946678795812312220,131072 /prefetch:8
2⤵
PID:3864

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4944 --field-trial-handle=1788,i,12631045414301112029,17946678795812312220,131072 /prefetch:8
2⤵
PID:3536

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4980 --field-trial-handle=1788,i,12631045414301112029,17946678795812312220,131072 /prefetch:8
2⤵
PID:4108

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5016 --field-trial-handle=1788,i,12631045414301112029,17946678795812312220,131072 /prefetch:1
2⤵
PID:2892

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4940 --field-trial-handle=1788,i,12631045414301112029,17946678795812312220,131072 /prefetch:1
2⤵
PID:4196

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3184 --field-trial-handle=1788,i,12631045414301112029,17946678795812312220,131072 /prefetch:8
2⤵
PID:4300

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=3348 --field-trial-handle=1788,i,12631045414301112029,17946678795812312220,131072 /prefetch:1
2⤵
PID:708

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=5296 --field-trial-handle=1788,i,12631045414301112029,17946678795812312220,131072 /prefetch:1
2⤵
PID:1076

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=5440 --field-trial-handle=1788,i,12631045414301112029,17946678795812312220,131072 /prefetch:1
2⤵
PID:4088

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=5300 --field-trial-handle=1788,i,12631045414301112029,17946678795812312220,131072 /prefetch:1
2⤵
PID:4240

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=5288 --field-trial-handle=1788,i,12631045414301112029,17946678795812312220,131072 /prefetch:1
2⤵
PID:1096

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=4972 --field-trial-handle=1788,i,12631045414301112029,17946678795812312220,131072 /prefetch:1
2⤵
PID:4880

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=5996 --field-trial-handle=1788,i,12631045414301112029,17946678795812312220,131072 /prefetch:1
2⤵
PID:2040

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6124 --field-trial-handle=1788,i,12631045414301112029,17946678795812312220,131072 /prefetch:8
2⤵
PID:2600

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6288 --field-trial-handle=1788,i,12631045414301112029,17946678795812312220,131072 /prefetch:8
2⤵
PID:3536

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=6152 --field-trial-handle=1788,i,12631045414301112029,17946678795812312220,131072 /prefetch:1
2⤵
PID:4400

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=26 --mojo-platform-channel-handle=6120 --field-trial-handle=1788,i,12631045414301112029,17946678795812312220,131072 /prefetch:1
2⤵
PID:1644

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=27 --mojo-platform-channel-handle=5824 --field-trial-handle=1788,i,12631045414301112029,17946678795812312220,131072 /prefetch:1
2⤵
PID:3268

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6924 --field-trial-handle=1788,i,12631045414301112029,17946678795812312220,131072 /prefetch:8
2⤵
PID:4524

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6220 --field-trial-handle=1788,i,12631045414301112029,17946678795812312220,131072 /prefetch:8
2⤵
PID:4168

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2132

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4852

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Actives_Version_Full_Setup\" -spe -an -ai#7zMap6837:114:7zEvent1908
1⤵
- Suspicious use of FindShellTrayWindow
PID:4968

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Actives_Version_Full_Setup\" -an -ai#7zMap11009:174:7zEvent18601
1⤵
- Suspicious use of FindShellTrayWindow
PID:1904

C:\Users\Admin\Downloads\Actives_Version_Full_Setup\satup.exe
"C:\Users\Admin\Downloads\Actives_Version_Full_Setup\satup.exe"
1⤵
PID:1912

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000d

Filesize
37KB

MD5
47ae9b25af86702d77c7895ac6f6b57c

SHA1
f56f78729b99247a975620a1103cac3ee9f313a5

SHA256
9bde79a1b0866f68d6baa43f920e971b5feb35a8e0af7ffadc114366f8538224

SHA512
72b5296e3dd1c5b4c42d8c3e4a56693819779167b9f02bc2d5f5a626b519a9cf10bee59846d614c929c42094b65d13039f6024f6cb1c023e740969aaefd060c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
4845f1eed62c0784ba4e1e75f06c1527

SHA1
591ef6fb423fdda2c26043e72b18840219643b77

SHA256
da33ef7eaf67250c4bdd3c1be7ebc949a500742dd635642b95bcb3bc2d0c93d5

SHA512
5634e031d75773ef7d9ed8deb6bd0132c5b3cf5a62659c59e9838d46e7060d5faa935b14846e9cc69d033c524fd2ea50c6334676a9c480d2540ac088ba0e0b96

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
232f512831176d522b46ae74bac52521

SHA1
fe04eddf579dd1fd8d6cbae2deccc82ee1f72ba2

SHA256
3b457d2ac43ba824414d70fcb52d43a857d4d0a51aeda4b5ee3e8257f81ec45a

SHA512
b60e2328c166d734d7c1d98183b13b272a43b4edb094dea7db6e6272f6c3fef2d9996835450fb4fd4d0e0411558c23499228c5f4047a306c208cd1916d7d38ef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
d73c25dceda0e7eaa2090fbd14e9a5c9

SHA1
a0796b51b295c8709280d584be5af7bd23d4a0f8

SHA256
6b8242a0d7d0037afa640ccf018668990a7f574646c4cae6495288c5320a3553

SHA512
d935c954dbdc6591be27fb920993226f6de74374d2c52292e348b67f01cdc5b0483cc27d1871dfa4cd80e9efea04e3aeaf060d02ba22c6f28dce30ded6931365

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
4e657b8d329d327a2c28e02f42ff787c

SHA1
2d396829f654fb8338e4e8d2e24227f982697057

SHA256
ae9ada2083a36beafd5d1e09f9db3a34fc78f9565ba22479df1e1000c2b39d3a

SHA512
6b03e5707910636792ed28e74c3583b3e52bb7df5ceb43e34a1e3d4e28b594d7453d1bd804c605f2b28732f875178997aa9fa8ca4c107a22c3661cbaf4c36d87

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
b905dbe6d075afa1d54451e8cd8bd090

SHA1
a4fb82278af5a8a36e6d81f25adbb4d0242c50ef

SHA256
8bed1b9937ee5119ec5c48a7d24cb38bbe93869d85a71e0f0bdc9ef8ce489a7a

SHA512
34ceb13d6771419fa0d9c5ca582ced7707626e6621da5c93c454caf5153205c64badeb408a5dd0f1c14ee3d1a47f7d9170781c9551ddb820b079d8901a9badab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
e5c360c69a38aad37a4cee9e175785be

SHA1
f9b66adcb957886dfd1f155b46c6c85e70b23834

SHA256
f954366c20cc1d7a33aea349dcb6c661a80aa59f1dd81f1bbb75664ab4ad1744

SHA512
5aa39bbfbece37ae72a2e0f643509645a97ee26704a0e6d8a780fa1405f544c78fc109e4a253996937fde7f0b76abdded46564f48723112e64c9fd19d657e3f9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
ec1b35ea5b7a992a021def10d9505077

SHA1
01615700d2809bf9d5b5c4c299072e217ef25620

SHA256
d399e925bc46a55e858c2230758a4f58c5de6a26120dc91a5d69b15c9574d3fd

SHA512
3fb8eafe8824499d11b6dd1395305ccf8016e76e9cf664979d4913af32a7a4cf8f22bfa28dd44ccdc52bde74940974b40fda048b2b9608d7963041b1c57087ba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
29aff08d7441b4e01927eeb76ba37ae7

SHA1
f2ef24b9391d9ff4ca24a18e3f10a4f6ded44828

SHA256
b4a0edeacd2fdd0bf292a237541ea3e039a514cb96af29b274b0665b9cb69830

SHA512
e7161276d623572f6b5ba888c08a47c56216b81e050ee5b07dadb7fbfe37386dbb028fb3c095c519308bbfbfc451079398c8fb0bdd390d8addaade440b993f5b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
61a3ffb9af44dd1e0ee071c39b5484a8

SHA1
f45149c4f62ae7e3a25e2c50bbb7abb02768f2cd

SHA256
68dfbaf03b371f8a4ed2a79f87f5692bfdee816010b6a3299c64c93441685cbc

SHA512
7bf4fba904d0128ce1578c189f2f46b9077f602b9c2652179c61d042657fc78624ee8db5efea7e7e662bd8aaef0637e837559862cf5f03d08ecb76d46de14d86

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
12bcee1432baafce4d23724c6f4006e0

SHA1
af44db0376a116472d97e6a8c75ee76746224fee

SHA256
1f7cd91ff16e88d7b404392bfd25fc7949b1aa4a621063b4e309de0139faec42

SHA512
5e3c16b30b2d830e98805cc9372fe041e93de3cb48f5d7013c05824aac82ad666163e55647e5e6f15bc7e76283ee60c23fa86b644777a3b74462c00fce6facce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
7208212ecd7eb02fbd80e3cec5b506c1

SHA1
c7608f5ac861bd50a1d6852a41501d8536f3f6c0

SHA256
bc065b0ba4617d1c14c7e4f264ba8b7d84ba48b6ffadc20981be44aaca341a4a

SHA512
761acd09f1b8a0d3cdd6b247b347fc382bdae7ec484e050472d83b7f1f7c8510b9fe4e28f63d0b3e36698d1cb6193a99a7ae02af305f1d398388e7b9295ea23d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
199KB

MD5
0d9732023b26bb5053ff24f662a60670

SHA1
ce7b4ca87ac3bb3a6f1275d77a27ef0bbe79ba50

SHA256
46140986be27ffa1542659eb25c7d3f4a9f6de560cff783f5d6332decb657061

SHA512
a52bc91f1e475d304d2b9230c47d18457c591a6dee6dc21fae76ea19fd3cf08b729e6fb82d6a539b5677ae4a1e9b7ee3190ae7121f46dd38ef888c5277d1ca4a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
199KB

MD5
e3c11450784a7286af8bf93eb8e00f28

SHA1
95f824eae0f7e2e2c86dc0c089cadd77178f27b6

SHA256
2113b3956a3a42c077caffacb9d59d1c181178940adcea4cc2270819bad59d53

SHA512
4e652a3402bc2c04f3e19ec96abaede299493efdac31c1f903d94650bd9b8ea62bb55694a194c04c6f8e1bb6faecad8a4975331d06424caaf727ba540022db74

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
107KB

MD5
a925e3300d83b2acaec5eedcd595c238

SHA1
3a411c49b0f1f98fd6c8d250e8a1674a20390983

SHA256
ca181e9f0221e9cb64769132930d2bfbe8ee500f250bfbf758fd077ec70c09ff

SHA512
77b3cd865e06a93b8a29e645375a54643b4c51fb2141c7a8530136e2b68a9451fca028279dd3b13c98419cf9bc44075f2a06ad66e2e0c9697dcbfb2cf185b12e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
111KB

MD5
33d346a8aee6628acb0a7c35d9ab89f5

SHA1
a745563b15c113ce8293dfbc10ed2eeb90c86dbf

SHA256
f8f1ecaa648eaa76071c33ea58523dc8aa665556d779e8e88cc11e0ad0755b9c

SHA512
57051a038eff3efae0d67467c83775ea7e0b08687c068f87439b91dd1dcf8c9f73449dc8c6208dc51696c6f72bb51ae94b799e615eb6a8389643e3b438d86724

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe5807ac.TMP

Filesize
96KB

MD5
70abbd672631283b9f364e4d3a8c0c5d

SHA1
82526959337279c82e98bbdaacab66da4ea9f39d

SHA256
ef5526769c6df8b7a4020dea4c4ba149425a4d1715d4c85190fa9538238030e8

SHA512
4f24eebd0f17b0ee6ad3b24aa894133633afa4b3cad6cf840aef8df55a4d895239f57b60a1123800a0830251bb9f6283ef8935cd0cca698f86bda13123a4c958

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

Filesize
28KB

MD5
fb42b64db264601f97f4b77272e6f35e

SHA1
57c6b90cc7087bb4a07f23252cc063ba636c4df5

SHA256
6186ff6a9a0f172e034af34fc1b1e30b14cd5673ca3bec1f53c6e9dff1eb9d5e

SHA512
b85aa8a264b720a8696a8ee54bd403f17dfdbaf8071d02ca1c33471518b5fdf89270dc93d3bfe2433c72c9d42b6fb0f2b73f5aa5c0db782eafa3423ee2cc011c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

Filesize
28KB

MD5
a395439ea9262695e78c2e8dd2cbfe9d

SHA1
ef5aa5dcfe0dcc5e8611e9201eb7411189a68507

SHA256
77835ae0080838be6da19e8e868449f1b2c9e9b8c9f1392c6e3bef967c01e01f

SHA512
23a9faff2996e350e1a1ca39f97cddd0d5e96a1c4197f4a8815cc8ac929cdfe3443bfdc30aa99aff8e846a87ea652ba11d1ba10f99f92455a0ef2195ec53db7b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\Downloads\Actives_Version_Full_Setup.zip

Filesize
12.4MB

MD5
651729debd3d19ab67a4de34957dbc9e

SHA1
df04d159bd9ea045f7fd0f009f3ddb4f6cc0e61c

SHA256
c9a37582c258883ce7ea000ba8cd9f1aebc57176e641b460038b9a8e4031abbc

SHA512
c0d0a5cd97a890ec158627771aa8a8a3033041a2cb0ec0a035acfa8561dc14ba6485bdf0a9be25ff0abf401d244a54b2421f95d650fb159cfb1baf5d9d52e4b9

Download Submit
C:\Users\Admin\Downloads\Actives_Version_Full_Setup\Actives_Setup_2023_As_PassKey.rar

Filesize
12.4MB

MD5
61040d324af567376629c49a5e1dddf2

SHA1
c2b4e2907bab7584cb48d161fdf3ce119ece92c3

SHA256
901c4fc8c8a5cd7de5536f98e97df4eb84bb328c32dab62dbb01a566d6d776c6

SHA512
2374e6c2f5ea3e4a8a0196fb159b12f9552a53f2cb56edef6e50189416f7663d2ac7d405ac94efbbd514d3d5913717b3ec5830cc22811bd6154e57bff0643b7b

Download Submit
\??\pipe\crashpad_3272_YWSJHZCEAORRIWLG

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit