Analysis
-
max time kernel
1800s -
max time network
1801s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
22/01/2024, 14:22
General
-
Target
https://zelenka.guru/proxy.php?link=https%3A%2F%2Fdisk.yandex.ru%2Fd%2FGgnVcFAK2iaoyg&hash=525565395fc528e32c70d575456a1c39
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process 30 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
DCRat payload 9 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Disables Task Manager via registry modification
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 22 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in Program Files directory 9 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 30 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 2 IoCs
-
Modifies registry class 8 IoCs
-
Modifies registry key 1 TTPs 2 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 3 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://zelenka.guru/proxy.php?link=https%3A%2F%2Fdisk.yandex.ru%2Fd%2FGgnVcFAK2iaoyg&hash=525565395fc528e32c70d575456a1c391⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcae169758,0x7ffcae169768,0x7ffcae1697782⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1652 --field-trial-handle=1876,i,7357306286202951702,17542600918457111041,131072 /prefetch:22⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2040 --field-trial-handle=1876,i,7357306286202951702,17542600918457111041,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2244 --field-trial-handle=1876,i,7357306286202951702,17542600918457111041,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2924 --field-trial-handle=1876,i,7357306286202951702,17542600918457111041,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2948 --field-trial-handle=1876,i,7357306286202951702,17542600918457111041,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5060 --field-trial-handle=1876,i,7357306286202951702,17542600918457111041,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5144 --field-trial-handle=1876,i,7357306286202951702,17542600918457111041,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=1592 --field-trial-handle=1876,i,7357306286202951702,17542600918457111041,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=5504 --field-trial-handle=1876,i,7357306286202951702,17542600918457111041,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3320 --field-trial-handle=1876,i,7357306286202951702,17542600918457111041,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5680 --field-trial-handle=1876,i,7357306286202951702,17542600918457111041,131072 /prefetch:82⤵
-
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\GrexClient.rar"2⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1852 --field-trial-handle=1876,i,7357306286202951702,17542600918457111041,131072 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4728 --field-trial-handle=1876,i,7357306286202951702,17542600918457111041,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=5160 --field-trial-handle=1876,i,7357306286202951702,17542600918457111041,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6120 --field-trial-handle=1876,i,7357306286202951702,17542600918457111041,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3284 --field-trial-handle=1876,i,7357306286202951702,17542600918457111041,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap6980:82:7zEvent321761⤵
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\Downloads\GrexClient.exe"C:\Users\Admin\Downloads\GrexClient.exe"1⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Hyperagentwebsessionhost\sCDaCT5RiV0ZmI47PN4hzdO5i.vbe"2⤵
- Checks computer location settings
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Hyperagentwebsessionhost\xgHODI7d8tvl5y0vdAAvQ1c.bat" "3⤵
-
C:\Hyperagentwebsessionhost\MsWebreview.exe"C:\Hyperagentwebsessionhost\MsWebreview.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Recovery\WindowsRE\lsass.exe"C:\Recovery\WindowsRE\lsass.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f4⤵
- Modifies registry key
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "chromec" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Defender\de-DE\chrome.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "chrome" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\de-DE\chrome.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "chromec" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Defender\de-DE\chrome.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Google\Temp\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\Temp\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "chromec" /sc MINUTE /mo 11 /tr "'C:\Hyperagentwebsessionhost\chrome.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "chrome" /sc ONLOGON /tr "'C:\Hyperagentwebsessionhost\chrome.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "chromec" /sc MINUTE /mo 12 /tr "'C:\Hyperagentwebsessionhost\chrome.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "chromec" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Documents\My Pictures\chrome.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "chrome" /sc ONLOGON /tr "'C:\Users\Default\Documents\My Pictures\chrome.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "chromec" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Documents\My Pictures\chrome.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Multimedia Platform\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Multimedia Platform\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Hyperagentwebsessionhost\services.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Hyperagentwebsessionhost\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Hyperagentwebsessionhost\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "chromec" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\ja-JP\chrome.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "chrome" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\ja-JP\chrome.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "chromec" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\ja-JP\chrome.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap25809:82:7zEvent239601⤵
- Suspicious use of FindShellTrayWindow
-
C:\Windows\System32\NOTEPAD.EXE"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Downloads\xgHODI7d8tvl5y0vdAAvQ1c.bat1⤵
- Opens file in notepad (likely ransom note)
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\xgHODI7d8tvl5y0vdAAvQ1c.bat" "1⤵
-
C:\Hyperagentwebsessionhost\MsWebreview.exe"C:\Hyperagentwebsessionhost\MsWebreview.exe"2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f2⤵
- Modifies registry key
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Recovery\WindowsRE\lsass.exeC:\Recovery\WindowsRE\lsass.exe1⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Google\Temp\csrss.exe"C:\Program Files (x86)\Google\Temp\csrss.exe"1⤵
- Executes dropped EXE
-
C:\Hyperagentwebsessionhost\services.exeC:\Hyperagentwebsessionhost\services.exe1⤵
- Executes dropped EXE
-
C:\Recovery\WindowsRE\lsass.exeC:\Recovery\WindowsRE\lsass.exe1⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Google\Temp\csrss.exe"C:\Program Files (x86)\Google\Temp\csrss.exe"1⤵
- Executes dropped EXE
-
C:\Program Files\Windows Multimedia Platform\dwm.exe"C:\Program Files\Windows Multimedia Platform\dwm.exe"1⤵
- Executes dropped EXE
-
C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\ja-JP\chrome.exe"C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\ja-JP\chrome.exe"1⤵
- Executes dropped EXE
-
C:\Users\Default User\sppsvc.exe"C:\Users\Default User\sppsvc.exe"1⤵
- Executes dropped EXE
-
C:\Recovery\WindowsRE\cmd.exeC:\Recovery\WindowsRE\cmd.exe1⤵
- Executes dropped EXE
-
C:\Recovery\WindowsRE\lsass.exeC:\Recovery\WindowsRE\lsass.exe1⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Google\Temp\csrss.exe"C:\Program Files (x86)\Google\Temp\csrss.exe"1⤵
- Executes dropped EXE
-
C:\Hyperagentwebsessionhost\services.exeC:\Hyperagentwebsessionhost\services.exe1⤵
- Executes dropped EXE
-
C:\Recovery\WindowsRE\lsass.exeC:\Recovery\WindowsRE\lsass.exe1⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Google\Temp\csrss.exe"C:\Program Files (x86)\Google\Temp\csrss.exe"1⤵
- Executes dropped EXE
-
C:\Program Files\Windows Multimedia Platform\dwm.exe"C:\Program Files\Windows Multimedia Platform\dwm.exe"1⤵
- Executes dropped EXE
-
C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\ja-JP\chrome.exe"C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\ja-JP\chrome.exe"1⤵
- Executes dropped EXE
-
C:\Users\Default User\sppsvc.exe"C:\Users\Default User\sppsvc.exe"1⤵
- Executes dropped EXE
-
C:\Recovery\WindowsRE\cmd.exeC:\Recovery\WindowsRE\cmd.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.2MB
MD56ff32677b2cb6d61ec93df4bb6935d46
SHA18d7af0099f82a5fc01f2c3f87ef2ce85a468b9ce
SHA256d2a83ec3aef439b63c0ac0356aa20dd6923506f607351da6c2dbc0d52758e71c
SHA5121e9a4709a0f9609282f6ea6010c32f48e0785b408b30b70be1ea5204660a380e0c52f95dbf39310e1f93a955d4d1a59e380ab56eabc61cb87ac00be1e098811b
-
Filesize
224B
MD51d98b099655625f96d09513265f091f0
SHA1e48d0ccedcead45b677ebd811603a9e20e45ce05
SHA256582b8eb44103f9871e0ecf282e1bb82834416d11623da91d2c5fb9e0c6766710
SHA51264fbda0be8aa5b54bfb3daeb654d3222fc205331a689edeea7f75c0567d4a3308dff173901e63a345e2f0e359229bc9def9bdba3f27bc0189ef8b45788e013b1
-
Filesize
157B
MD5942151f4e162b76e0a36ecd322a0b5e1
SHA19e0db52f07636c0a2f13aedbc7c0b7e5a2f6d5b7
SHA256fc708d4cff09585c766434d68f3087d940822e1ba693e691f6111019a0cdf736
SHA512566b04fe67542028d1461b731803adff80ace05c2634e18a552b18a713f6ef30d55e02e291d4075ba651d37ed037683f975158d8579fd0170fd3764341876682
-
Filesize
979KB
MD5ec293d1790c8778e7eedc878c7400ce3
SHA183ec15a8c1d1385fb36436614fff5266c986b1d2
SHA2569b63097bcd045f99635ebc9128d0990a97e87d40656cff990ea3bc380d29b0c9
SHA5127a9da69db1bbae24c7d6a99e95427935fcab312ca1f5463ea9a697fbf18628154c5b271ab44f0f8012ee47b39dca94f807e3644b2a15d7843c80eb6550dd2861
-
Filesize
695KB
MD5ecf9b46e005aae66cf4f2c7b5bfde72f
SHA1297ddaeb3d6bec84e42186b9db858c6d9e6958ce
SHA256031888680911be3f154c001d2090621e4de7efbe1c49d7c1df87fdc2e89bd346
SHA512f0eb90daa16e2901c7260897a6d511ca127266d91c70c78e6d616fd45be2dccd6ed90b1afaaa53c35b6bde8c2311538323ab391414a6870b7cfcd9909f865f1d
-
Filesize
548KB
MD507035f7e0c3641dbf001bc3b044ec274
SHA1dea5f69db72f70b323666ca6c376fd29af60ab0d
SHA256af5655ea3790419d9a5a50a6de618f2cea531d9e70b342589aeee258a56411fc
SHA51285c136dd6ef1e226151e849cef9a3d36e931eb8a3232804eca97d0ac832e630818a0b6f9a2c37e218a2bfee4a61df964a662c8155fc717ffe85480ea33257660
-
Filesize
766KB
MD557882c3b98e9fa9d11edddbbee48859b
SHA1837586832301015dee17011cc1b160ced68a7e96
SHA256011f8ba6aedb855a162472073aeef4ac92f71ecc70871fd111248f8694ae29f0
SHA512a6ccf5748944de23d44b7fdc70569551dad3bc9ee173a9c94d96653255c5c660e884bdc4b66ec029f3d0afef416b9afb07570d06fc15d34f0bb91fa61e29cca0
-
Filesize
602KB
MD5859f1df8525519f137b67166e09198b0
SHA1969fa6ae819b2415e6cdab69e8cb229ceda6db4a
SHA256ad80175dd2c343a4e65bef2bd80c7becff77c3050f4d289a83a9423aeb9daf65
SHA51205ea0f76dd069cc3f0fb375c68030a17419f00f37f40c1681830099318e4368d1d7fbbbe9e319aa501b91f6524ea12ab15eec98819283a2886f4cfcc9c08f618
-
Filesize
982KB
MD5d0bd6b55bfc4912f78db9bba7eb82716
SHA1ff96f5bb8586a05da236c81c3aed9d6774d2f2c4
SHA25674c4748066ddafb39b1c45ea97b6f4ab1b4dc84ace5c562fabd450b9cabf46b9
SHA512f000eb77fdcdc13f03f268aa398907efde7c99c8d8049775349ea80bf0f3c5bdb2c2101979316f61e26dba087994c12951eaa6b6606d9d7763fa590327ba8863
-
Filesize
55KB
MD58dd822028e96cf7d5c4adbeaff1b57ce
SHA18d1396c2ef9fdc8b8f07674063a4ac970986298a
SHA2569ca0db4d9566c4127bbadbf5443898ae6212f545d94a8c584101a9a3bda126ce
SHA51242e89fe27f3cf20c596b05aed29c883ec79a481ac298ecceef1645089507f0e13263c4e9135561de73fb3ba01eff2dbe61bb91b4f2415db00449a6358023dceb
-
Filesize
792B
MD5dffe0fd638983971f23f9f2ae8897046
SHA147a7eb670fcf42bd0c1c4e0063e246aec468a775
SHA25651e4491654c62fa4bb3e07426fc1f2e631da4dab5794885555da9b2150c7e16b
SHA512c736a0d7afaa0f07882bb6ebc75c0aaa3cfaff25530f34a486dbe65d801857524ebf06a1a1d17c443c5a77fb5df80dc64504f90bfeef6db0d030bf788de17f89
-
Filesize
336B
MD5a08f41c5abb3e928bb66868a436d1ab3
SHA128fb1b56e081a753042a54b3f0b093153f8b2eb2
SHA25678ef43dc91cf38f84495c13f136980f11910e84822383fec68a6836d75872be4
SHA512361e18830335d687d77e2a15b751b1a267821529d88ec58d1646cd17c974fe0103941065bd8ad5f88341387282390292dd09c9afd13b13dcbdbfd17a7b09c30b
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
41B
MD55af87dfd673ba2115e2fcf5cfdb727ab
SHA1d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
Filesize
36KB
MD5a700d491c941b50e84cc018788998698
SHA149311ae2411458a85f8970566e18c9db8740f180
SHA256195dadce5b32df284f6bc0e73e1c854fc1e97d55d75de80e37cea2fe96d433af
SHA512e04d9fe4897ff60adbd6bf8c01fc55497c6c42ebcae2702fcb45cfff3686c042448bbe15764ee03642e45055ba400d54777b68861c993b69268300a29c44461a
-
Filesize
4KB
MD56a6e4acda6a07096d83f1c3218735b3a
SHA180496955fcdfcfabb7aafbe2a4f722c7a9055bde
SHA256e1819ae7410e72a58bcda48c8e85fa062c849dcc8a8d1421b769c3db8a452e50
SHA512b61fccb0d0812ce122ef28e3d3174408b85cffe248f2f84fd4728d52167aee6c7c1679d7f94a64713499dd80751a999bab342824a03289c7f46e05735fefe2df
-
Filesize
4KB
MD5fb25536801bdcc284ba225e6f8a3ff91
SHA137a27ba1ea2b8f6b2e7a5bee0844c68c0c76c088
SHA256552de269f434b1d245a16068d2f179c649ac9253e70de3b8c6fd3ca8ca09ad15
SHA512bd1584ee0d3d14e450a493e6cb0a922fa84ac2e7e7a26e1d840e70174b95a82bf6372f524f413d3d1f3a494c8b23253473cd372813d31c82ae65813dbb436752
-
Filesize
4KB
MD5e4245fb4b1f403c5ee189406a8d13117
SHA1912451e642026c34ee0fb3a39cb6f2836d07d1b7
SHA256e475380d3bde9164d6af70dff000ae8f1ff85e6c12f4360773b1f8fbb2d0f34b
SHA5123c67e02aaa94ec1ff5635f150c761c61a1988005334cb6da7ee02d91331c02689412036de2f8677f028a75cfb82c706d0f3a2d96f408af79dcffcfd4d09b3dd4
-
Filesize
1KB
MD5be6cafa90227009f2d787f4daed0e393
SHA1a3f0afe509cca3d783c8af5a06040715b8554d36
SHA25612a16dfc88367c9d362d738f1343988ee9981ffb6f46250703bafb561c667c86
SHA51214668bc6a06957fb97cce4ea8ca99605f0261bc258d3071fa153049ffe37474903bf687b26b2711656f9c30d050e3e68bc4122239f5ec4697a46b258c240b520
-
Filesize
1KB
MD5fe0120f48ffffa14a253bf8ef28e89b5
SHA1dda7c4f50e61fe4bb0789df13073e873e9b77093
SHA25643112bf6270599112139a24c78a961fa46b9452b2e4ac34d9d1fc5946ceb7ad9
SHA512f5b7c4d68f9efac507561e8a8f7a9f1a9e47bff9b8c302b99123be0a2ca18b8bd9fdaf7a5583b3f98d6e1f16d66baf19b16cf409f446375e0ae9d8858196b14e
-
Filesize
2KB
MD5d8a3ee8130856bc9645ae5c00cb839c5
SHA129383d45eb98b63956d5c88e35fd50026841a6d3
SHA256d314f12fdc9cde46f929ff385e880a21caa186190accf7f51e84a1bb2a753ab0
SHA51260fdfb7d5e6f6529693a61c213f3965f51aba290eef70c8d421fed5f76002f7507da0119430d6f4e493199444a158914e6f2c443c016ad0dd7d1603cf789e27b
-
Filesize
2KB
MD58c169c8c75ff9d160d2b430110959d62
SHA16233a9d8fcd6ada01c7ae24989d6cd4468a45397
SHA25647db81dd79f6115cea549bcfd8d3735ed7bd61e53f94cc57bae163bb0a819671
SHA5128a085617a9f1754a5c510ade03332a7d93ca343e593a40d11f0c41d09008db753a34c79c37f3f2886081d9604ce08b6b5ffa6342c10cf3e30a96832b45a293b4
-
Filesize
2KB
MD591308ee5484604b98c27e3d63c9938a8
SHA18c63500ef1d7367c2f6b3122a30bda6bf3eb8fc3
SHA2560c3b9d8c3e350af2d98dc167fb95b12eb240574f4c5cb205fc4956d6f9e5fa5b
SHA51285f3fd776ff593dff211df2a9b837ce671028fcbd0028f8c284f0f013d67232e55ebb4f2dffbb83924dc3f7af753100679457e0684101cd6e5d955b3e51ebbed
-
Filesize
6KB
MD52e5b7a7c8d8bd010eca65f5a2ec421f6
SHA1bc0bd92a20ef0b767b23b42a7806188f485eb108
SHA256590b5bad9a0646a15030be563d9f149b5b52b0647d081f7f1180cdc05f9a13b2
SHA512e02b549e7646904e5c08a21e1db39a1ee4ef306a98c6802b7a33de529b61b82374e5b0839e941b92867c361a7e291018fa2750298495d41c383c25d95838293a
-
Filesize
6KB
MD5ca941a21f23e55ccb5450632db9f1c0b
SHA1a62d24e741cd2bce391196f110e1756754ab8b58
SHA256b2ac1bed01375839a80ec7a851e8c1cbfd78de67e3eb5296e30b0d8b8832df95
SHA5123964d8efa527d8e1ea9e94b8c591ce8324f72480cd935e250f75b127e31ecb06319d0522e30dee31bc0b998cf497b66e5a7474c2bf361ad30ca31ac9cc5b7e76
-
Filesize
7KB
MD5124707e1ce9bf90534a11b2654073dd7
SHA177d20b6a3e9659152418229ce226f867339874d4
SHA25676fd1e0d06d28a066cada4963e5d79e363505036e5215e4213d50dcc0d63f2a7
SHA5128c69ba23f5ddcafec5b8507d2f9c63cdcb11f39e8439d12b3bc185281b4e710add6e9700df41ba33cdcfdf73a0b489ed7af7be5594c437222b023c30508213f9
-
Filesize
6KB
MD5059eb4a74af88aa3eab09819b4388372
SHA1966aabb11a9e2b0bed88f75e1be49d2751f576b8
SHA256ee3fc017da2bffc5b6b38da2839b7a07d37533a20291f94f4e0816a3c8102c97
SHA512bf73ebd9b1b88cde8415ee28d288731fe93de6f7f363e40559066ad0580a80a2aab0e87b64a29519454c55c02bac1f3bc251ea55fb74be2262a29b77c13d18bb
-
Filesize
7KB
MD56fec1bab56d8a8eaba9b1fbbe1c62a22
SHA1be7b0577be2d6ba8e4f242bbe76baec7333d44f2
SHA256f6a81c757e0669bcd832872abfb3cd9efd370224a1a1ab4d4331ba8ccbc3bbea
SHA51257ba0e60a1cc8cd35f0493fcda3609eb2f393402fc9063a635863fc26a4105127c5d5c08ebcaa6d09343d677bd6f2589879f29efd803a0ac6e660f2548032647
-
Filesize
114KB
MD56b67180c173ddd46d8f6aeea0b3d88a8
SHA177870403a86c79b02c11511954ba18fea6729329
SHA256f3b9aa981db04cd148ac12ee8e65e4e3674f1923bd6e5542867ae4352dc243f1
SHA5126f724a863fd1c9c6ac9a0b2464b0055c8a7946fcae9e889c33e098cbed44b8bc43ebe05f263b036efe5750de2cdd79fcb97a0779fc41fcd5752766432348a367
-
Filesize
114KB
MD5af596daa8dbca68941cf1839a9d1082a
SHA10fdbad64bed72eba8180acd4a71a15a29a9c3b38
SHA256ffb029a19ff71fb39d64cf116555bbf0c1d3a049c51b5c3136f4d67d51403f90
SHA51242ebfeadcc2852f478b44f05e2c3a7a4c79cc12cf2be079c85ff9d55b07cefa202f1d46cbc72fb8cafb32228f5bf9a60e11e294c278d52fd1a006960fc7f91e4
-
Filesize
114KB
MD59566d6c7983d208cb75c3c9196664cc1
SHA147e33ccef7c6d456833bf8987c95427ca5f09af4
SHA256e7230a15a68bd979041ad9d0d46244e47502427ce8f7be3e51f0b01f2af4ac6e
SHA5129ab0d5414af03fd5e5439d81255c00ef3c2abd408d02889bb748ed5e2d20c3042cb6d59122a7434b671918f7580da5d9374f0c05e64c68a87471fb4f62ae00f2
-
Filesize
101KB
MD59fc18b3c54041de0ec1a0e066113b99c
SHA1511426f143bb640fae1ffb937957c2acab08a287
SHA256e1970e3694652f591b71cff80c228499ef4772ba3450b39363728893ff927281
SHA5121ebe04fad9d06e8c364324aa359f98991731f001280a62d4c504ac9905f5d7a9e1594f6f1bcb9854ca9aedd1467829414820e357f21a2a4446da5d102436430f
-
Filesize
2B
MD599914b932bd37a50b983c5e7c90ae93b
SHA1bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA25644136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA51227c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
-
Filesize
1KB
MD5c6ecc3bc2cdd7883e4f2039a5a5cf884
SHA120c9dd2a200e4b0390d490a7a76fa184bfc78151
SHA256b3d90663a46ee5333f8f99df4d43c0c76bf3902e3ba3ab36c0903027176d340d
SHA512892a8f8e50ff350e790e1543032c64b3e1c050198b1810f89b6ce8a23de947a3e8299e880f0e79da7e4b5373a6b95e7dd7814cd5d7406a1553ef104ff2ff091e
-
Filesize
1KB
MD5baf55b95da4a601229647f25dad12878
SHA1abc16954ebfd213733c4493fc1910164d825cac8
SHA256ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
SHA51224f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545
-
Filesize
1.5MB
MD53fb629b64f92c9aa7640df4f0027ef13
SHA1ea023adaffdea9286dd97f4ee8e29299281cf01e
SHA2569b3e29d4c38fbf4014e09d396501b42673ed9f581bcfed08075c2a083536500c
SHA512f8e7a8e2b85360bc07f58ddd2b8b919fb1b13241004be3d66d550a0e7cd1bcf48dcd47eb6d2a7e09eaa9242ee31fd0699278106c07d4a3e819853e05fd59f12f
-
Filesize
926KB
MD5f0ea700b3ded049661a98393fbeebaa0
SHA16879700d0ad768fb0719830674b02483e2633813
SHA25614e4302e109fb121e1294d5ad8dd93d0e27bfbb1bcd6d3fb50610474d949ca16
SHA512d5fb7e4f5261136824a569fa35126f473504071d21c32d153da34a4bf7fc579ccc679dd35b7935a7327081e1cec69db01c5ec25dfb95b4155afac45a07049c43
-
Filesize
157B
MD5a6d34f2eb6a0fc1a79c4ef1d98965e02
SHA148661a5dce400b2b2a2175fdc3de89114cb0279b
SHA256a8a6257b8c94239e774ee061bbd3781f54743c6adf8f188e58561a2603efa6bc
SHA512dfc65bc90dfdcb5d59831503c5e31ca9ac4b821a72f530581c09ac241b199dc26846946ee3f34db1ba92b26b9e109c3e03c8c542034ed8f682a6c832822db550
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
88KB
-
Filesize
320KB
-
Filesize
10.8MB
-
Filesize
112KB
-
Filesize
1.2MB
-
Filesize
64KB
-
Filesize
56KB
-
Filesize
32KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB