hxxps://github[.]com

max time kernel
1798s
max time network
1768s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
29-12-2023 09:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\Sidebar = "C:\\Program Files\\Windows Sidebar\\sidebar.exe /autoRun"	sidebar.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main	sidebar.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	sidebar.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	sidebar.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1744	chrome.exe
1744	chrome.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
2924	ehshell.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
2364	sidebar.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe
3024	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3024	taskmgr.exe
2364	sidebar.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1744	chrome.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1524	xpsrchvw.exe
1524	xpsrchvw.exe
1524	xpsrchvw.exe
1524	xpsrchvw.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1744 wrote to memory of 2544	1744	chrome.exe	28
PID 1744 wrote to memory of 2544	1744	chrome.exe	28
PID 1744 wrote to memory of 2544	1744	chrome.exe	28
PID 1744 wrote to memory of 2208	1744	chrome.exe	30
PID 1744 wrote to memory of 2208	1744	chrome.exe	30
PID 1744 wrote to memory of 2208	1744	chrome.exe	30
PID 1744 wrote to memory of 2208	1744	chrome.exe	30
PID 1744 wrote to memory of 2208	1744	chrome.exe	30
PID 1744 wrote to memory of 2208	1744	chrome.exe	30
PID 1744 wrote to memory of 2208	1744	chrome.exe	30
PID 1744 wrote to memory of 2208	1744	chrome.exe	30
PID 1744 wrote to memory of 2208	1744	chrome.exe	30
PID 1744 wrote to memory of 2208	1744	chrome.exe	30
PID 1744 wrote to memory of 2208	1744	chrome.exe	30
PID 1744 wrote to memory of 2208	1744	chrome.exe	30
PID 1744 wrote to memory of 2208	1744	chrome.exe	30
PID 1744 wrote to memory of 2208	1744	chrome.exe	30
PID 1744 wrote to memory of 2208	1744	chrome.exe	30
PID 1744 wrote to memory of 2208	1744	chrome.exe	30
PID 1744 wrote to memory of 2208	1744	chrome.exe	30
PID 1744 wrote to memory of 2208	1744	chrome.exe	30
PID 1744 wrote to memory of 2208	1744	chrome.exe	30
PID 1744 wrote to memory of 2208	1744	chrome.exe	30
PID 1744 wrote to memory of 2208	1744	chrome.exe	30
PID 1744 wrote to memory of 2208	1744	chrome.exe	30
PID 1744 wrote to memory of 2208	1744	chrome.exe	30
PID 1744 wrote to memory of 2208	1744	chrome.exe	30
PID 1744 wrote to memory of 2208	1744	chrome.exe	30
PID 1744 wrote to memory of 2208	1744	chrome.exe	30
PID 1744 wrote to memory of 2208	1744	chrome.exe	30
PID 1744 wrote to memory of 2208	1744	chrome.exe	30
PID 1744 wrote to memory of 2208	1744	chrome.exe	30
PID 1744 wrote to memory of 2208	1744	chrome.exe	30
PID 1744 wrote to memory of 2208	1744	chrome.exe	30
PID 1744 wrote to memory of 2208	1744	chrome.exe	30
PID 1744 wrote to memory of 2208	1744	chrome.exe	30
PID 1744 wrote to memory of 2208	1744	chrome.exe	30
PID 1744 wrote to memory of 2208	1744	chrome.exe	30
PID 1744 wrote to memory of 2208	1744	chrome.exe	30
PID 1744 wrote to memory of 2208	1744	chrome.exe	30
PID 1744 wrote to memory of 2208	1744	chrome.exe	30
PID 1744 wrote to memory of 2208	1744	chrome.exe	30
PID 1744 wrote to memory of 2816	1744	chrome.exe	31
PID 1744 wrote to memory of 2816	1744	chrome.exe	31
PID 1744 wrote to memory of 2816	1744	chrome.exe	31
PID 1744 wrote to memory of 1636	1744	chrome.exe	32
PID 1744 wrote to memory of 1636	1744	chrome.exe	32
PID 1744 wrote to memory of 1636	1744	chrome.exe	32
PID 1744 wrote to memory of 1636	1744	chrome.exe	32
PID 1744 wrote to memory of 1636	1744	chrome.exe	32
PID 1744 wrote to memory of 1636	1744	chrome.exe	32
PID 1744 wrote to memory of 1636	1744	chrome.exe	32
PID 1744 wrote to memory of 1636	1744	chrome.exe	32
PID 1744 wrote to memory of 1636	1744	chrome.exe	32
PID 1744 wrote to memory of 1636	1744	chrome.exe	32
PID 1744 wrote to memory of 1636	1744	chrome.exe	32
PID 1744 wrote to memory of 1636	1744	chrome.exe	32
PID 1744 wrote to memory of 1636	1744	chrome.exe	32
PID 1744 wrote to memory of 1636	1744	chrome.exe	32
PID 1744 wrote to memory of 1636	1744	chrome.exe	32
PID 1744 wrote to memory of 1636	1744	chrome.exe	32
PID 1744 wrote to memory of 1636	1744	chrome.exe	32
PID 1744 wrote to memory of 1636	1744	chrome.exe	32
PID 1744 wrote to memory of 1636	1744	chrome.exe	32

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef71f9758,0x7fef71f9768,0x7fef71f9778
  2⤵
  PID:2544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1176 --field-trial-handle=1376,i,11955542714728780248,12090398639573407349,131072 /prefetch:2
  2⤵
  PID:2208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1516 --field-trial-handle=1376,i,11955542714728780248,12090398639573407349,131072 /prefetch:8
  2⤵
  PID:2816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1604 --field-trial-handle=1376,i,11955542714728780248,12090398639573407349,131072 /prefetch:8
  2⤵
  PID:1636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2264 --field-trial-handle=1376,i,11955542714728780248,12090398639573407349,131072 /prefetch:1
  2⤵
  PID:2928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2280 --field-trial-handle=1376,i,11955542714728780248,12090398639573407349,131072 /prefetch:1
  2⤵
  PID:2960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1172 --field-trial-handle=1376,i,11955542714728780248,12090398639573407349,131072 /prefetch:2
  2⤵
  PID:1568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3172 --field-trial-handle=1376,i,11955542714728780248,12090398639573407349,131072 /prefetch:1
  2⤵
  PID:364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3704 --field-trial-handle=1376,i,11955542714728780248,12090398639573407349,131072 /prefetch:8
  2⤵
  PID:1544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3836 --field-trial-handle=1376,i,11955542714728780248,12090398639573407349,131072 /prefetch:1
  2⤵
  PID:1416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3996 --field-trial-handle=1376,i,11955542714728780248,12090398639573407349,131072 /prefetch:8
  2⤵
  PID:1788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4128 --field-trial-handle=1376,i,11955542714728780248,12090398639573407349,131072 /prefetch:8
  2⤵
  PID:1580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4132 --field-trial-handle=1376,i,11955542714728780248,12090398639573407349,131072 /prefetch:8
  2⤵
  PID:696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4308 --field-trial-handle=1376,i,11955542714728780248,12090398639573407349,131072 /prefetch:8
  2⤵
  PID:2016

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2900

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1392

C:\Windows\ehome\ehshell.exe
"C:\Windows\ehome\ehshell.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2924
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
  dw20.exe -x -s 1256
  2⤵
  PID:2180

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x468
1⤵
PID:2508

C:\Windows\ehome\ehshell.exe
"C:\Windows\ehome\ehshell.exe"
1⤵
PID:1348

C:\Windows\system32\xpsrchvw.exe
"C:\Windows\system32\xpsrchvw.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:1524

C:\Program Files\DVD Maker\DVDMaker.exe
"C:\Program Files\DVD Maker\DVDMaker.exe"
1⤵
PID:2628
- C:\Program Files (x86)\Windows Media Player\setup_wm.exe
  "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /SysTrayAndQuit /UpdateClientID:DvdMaker
  2⤵
  PID:2220

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
PID:3024

C:\Program Files\Windows Sidebar\sidebar.exe
"C:\Program Files\Windows Sidebar\sidebar.exe" /showgadgets
1⤵
- Adds Run key to start application
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
PID:2364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a76a02fec3c9a247d76ede593a5d1879

SHA1
edb52f252b07d3268173f5125b36a70ae897971a

SHA256
d93d28221d9ba08c68a1e09558520e1313373cc6834a61372cae3d8372b8ca0f

SHA512
94b52d76a6178336e4b8ebb00531fdb28c76ebd06b9adb24cef1d18986f484cb8866157182fd1f3977bb1508742455a203c73fda7c33e912c4f43ad6730a983c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\1cc5001b-1833-4e12-97a9-c765c3b59a9b.tmp

Filesize
114KB

MD5
b25e5c33fb80b12153e3717e1acd4566

SHA1
7738d5f5fb5669368449244a8710901eda5df460

SHA256
d35744ccde75bde5c74fe315c99c534bb451304a17c62b5ce9eaf8ea6598a9c9

SHA512
33a45d1dd12aac7b7a22108fe87cf4461420dba863d614fa8013dca40a46a5d8293ef7a695f02506fd776cb4a14cc96226b0cc2c3fc277838a50ec1b202cf434

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
cbe5d2a765e2b472f7e7239e5924f015

SHA1
cc4e753268b895bdab39c8c5ace21b1c7ee2809a

SHA256
6fdc67f6117ba5d45b016f138094823136c6290337bbeb4bbd6c92b4b5438da4

SHA512
6f7f834c942a9f555f336df4050849288779b0fcfb079cd159cebcb39c45c9eafcb6160231d2859aa44addf08e26017cf8164c572e1712e8a32f03bb97054910

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
27ff8d0396537391ec4a4173da973462

SHA1
a9b8e9b84d8234895c8866e168c85a50fcf408fd

SHA256
f5998db7839362eb46524447638fa8c9744c3be69c09542c22671f2b3f648dd5

SHA512
f9fc424104fef3a9a487a7a562095b2a5d2c779a7e97e5895e6649a75653b8f5f0b597ff42916c1509a7d5020c8e84ea5056c75f567e42641a8877d7e4c38a1d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
2d5bbeff5f0a7235a074753bbd43b0ad

SHA1
ba12d99723eb9b6d1f6a118443539ee942919e9d

SHA256
5dc9d56d882245c585e35d4e4be3b70b2b68b31bbd1758099ee9e5316d84ead7

SHA512
22b794db9ffb9af69ad954bf7d5dece82dbb217cc894d0c35df6f1b8d03644d11c2bebc0211497f106f4a2a5bdf1a1c198f9a332bd415a251b640afabbce2e11

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
152f8d4c729f4d0177de2f2c80f07fd5

SHA1
be8d87259e6b479125180723049cef236d0eee45

SHA256
27b98958890f5d8a2ee5e451339586064317f87b1b34ae177283eabe7aeeef88

SHA512
94ec4fdb20e4488516736ac6c7a6d78859018b7bb425b9cbdaf813deeec98141e00e5edcdc5eb059a9a6439d57b3479b5085b7836e1a0ac646bf779570027cb4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
114KB

MD5
4dc44d2f8d47886c2d76f09745b654a9

SHA1
27930018b391f5f6e07fe31161594555265c61df

SHA256
719449c3f47c2aa75b9707e2aae0b763ab251ef4f74c4bdd6e0e6166d1409930

SHA512
7f5ad810695864a8007f449ab6472612ac3ccf654186b5f1df483370621e66b0be6dc69501d3ddfd1c255359362b9d18598a0094368e93f97359890d7b333cad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
114KB

MD5
6f16602352ac0309b171d961c85011f0

SHA1
ed79471d46975e2021c6a27b909ace6e8f557302

SHA256
98b500e31a781590172e8aa8e2edd8adc209b86f580d7481ed55ee54202858c2

SHA512
86d000f1b63c2c72c6a0d77dc812b89cac92de6e7a861eb3f179fb3cf279fe3b621ac7a2f17cc323e741b2f18deb28bfa9ea2b795584f6b6dad6d892db979ca5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Sidebar\Settings.ini

Filesize
1KB

MD5
75ff1c570be212a1cfb2321e14061801

SHA1
666a41caa3f91e020a73af385220bfc914dda7bb

SHA256
8006e5e2e0159990e9db91b5936a94ee98970f50967c37516151b6ee6be85623

SHA512
5d62298cdc0cf47ddc12ec0bb59aa5df6b2202ec29cf3e71348715fb0129a7f41eb7de5b6b525e980948c826205e35076108689502619f168ed6b4226269a274

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Sidebar\Settings.ini

Filesize
2KB

MD5
d7ca989e72879cc2ffd23bbae47d49da

SHA1
0e98ae783facf9816614913786257489dd9f87c3

SHA256
81aa9d6501bc0d6b4189a4aa2814920fa721d5251c157822443671456bfd873f

SHA512
72125db6c7f74bfffc8e684347841c625308d36f02e686d8ceafcf3efa37b0e0400667ac68a163fd6de536b98cd7ba67b8479415eb34b93101ca113633539343

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Sidebar\Settings.ini

Filesize
2KB

MD5
1919f4170acefa6e3714431335d65c44

SHA1
c405e342302464dd0718c496880c2fd5fb698a1a

SHA256
e250aa65de4e5d60ab926ad93058be84ffb8aa3086ffed4c44f9beec26721ce6

SHA512
0841885279a9161683b99640df797db09588b133c0a580607d7b031ed314ae0dc3cc98db74787dbb5bb791e2db3b599e3854e71ff01f4975021ba20964ec3072

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Sidebar\Settings.ini

Filesize
3KB

MD5
186b0b7422f57d4e15558fb85a028d81

SHA1
9962f5013f4b820d03418c5817e4053686f091ee

SHA256
4f76620601d04338248f34249b9f02ed2ab6a58aa0c6603c9995edbb833e8c22

SHA512
e34cd9eb21fd3f4c0808234d973a2505d204e4c55540fc2491230c9e6c46f30bb01ced556876f368f67d4255da21e4d53e5c30c21f83b431314f2e410a07d160

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Sidebar\Settings.ini

Filesize
4KB

MD5
8fa98c7e6b110ca0004f74ee880f8566

SHA1
98fb8d4f76c3fe167e64e8545483f68195b52b73

SHA256
9870e5b61b35493f1c6a2dd5d3b1eaba2c404d63c4ff4b3a4fabfc30c302650a

SHA512
b5f47e6703614579c042feccc7ea49821bfd2ed041c402f080cb226de2b6831a8bd9276cff544e119c09e9d7235da896406c889834d1e295f7947546e61e7c3f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Sidebar\Settings.ini

Filesize
4KB

MD5
06dea7ffddda06339c883fe50138d591

SHA1
4f9a3c1d73152197db2628e41ac69b436585979e

SHA256
6c8b8637a4ff26bc8b534e925910566286443c830503bc76a13c6bee08b3f866

SHA512
5c860e91a25d32c24068090a443d804bd5568dc7c288794ca7fe2de75780f6757561fb6ab1f80c40c1ff72e9f18c2c1ea9cc1ee61b1b848536c89ac960d2e41c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Sidebar\Settings.ini

Filesize
5KB

MD5
fd64adda8392062e71894d689b3546d9

SHA1
d297624278164b57e1ae422f93503ef34be8de0c

SHA256
526e4f74cb532e0f31500a3cf0319fb1574acb7b4f029860b4df0bb223d62dee

SHA512
c929f8842eec2b3a74e559bf849cd740bfc1890716eaaa62d2fba6e75d76d27b446331e311deef68557999164126d53f55116257cb3ef9490dca8b85deb97423

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Sidebar\Settings.ini

Filesize
5KB

MD5
fb1e8cc4878047d5ed7a95e28b565a57

SHA1
d90ce6e1262b3e9a454013c1d2b37a9d64e07357

SHA256
3c18f739709b8aaa0036861ce61c64536d2680a4c83e23602332e7911e5da456

SHA512
19842d2c9771fdd89464e3cacbbe36610cadc6c30844538188775e431fcc8191b9790c17e5f34b27336083aae02e70fbd9db4bfe7183d7acaf1be822548b04a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D0I6KXNQ\data[1].xml

Filesize
1KB

MD5
d504054899ab0b1bff4c6cbcd9f5ee27

SHA1
e059dd07aefc4977f20b2eecc1ac3eeea67123bd

SHA256
68e69ae14e9cf56a539119ae960d0b13b2be81a807ea64ef2894e4ee9aa23525

SHA512
7b4fd405b7e2bc12d955c16aca9b622407a582b58dfc958ac56ba2af823c6219a07df3729b4b6b7afe456d970ef955d1074b63663d0f6c1aa700ff79bab0251f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RU3RPYUN\data[1].xml

Filesize
1KB

MD5
1a1140fd8d654e2bf07b8ac2282d6c98

SHA1
ce3602ba91255728bd6eeb38ac430f4d259c29d1

SHA256
dd7fe57b43b2184eb536c8ef9f1afc80551942e502bb6b1b3d892578ff39158e

SHA512
bef3c1c4d477a22457bd85b073de43a9c179264f096ddf53a6d2081e576c30d195efe8654cc3810a2cea703048c553f453bd91f89f3cc1a65fc3a568faa7fa50

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab829A.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar911E.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-452311807-3713411997-1028535425-1000\8f96978fc46d9f00d8780351026924d7_ccfa0506-02d3-430a-9cb5-3bbf5536069a

Filesize
59B

MD5
db733e033c397fec5917611957620271

SHA1
6f94d1daa0fc4ec1b2d4cbcb93730d8edb77a2b7

SHA256
1f3ffadd3b80c7f95be06e245410768e8302a24e573868da3c6fd91230025bdc

SHA512
9a9bb4cf6380bb0a73ea414ca2226a344c7da003e49610dc38bd10892dc17244e4c88bf8a466131027e3c064c693ad99014e6853fff51edb21cb690b926b962f

Download Submit
\??\c:\programdata\microsoft\ehome\mcepg2-0.db

Filesize
340KB

MD5
3b0c143c1d1f038b5f742f409d32480c

SHA1
9adbcfc82d84de0943b4c1f28458d0392bbc1ffd

SHA256
07dbb7ecf3fdcf902365a74802bb01cb7905fd5cc477650ad5a823fa44d06321

SHA512
db5fcd7e6eaf08a61cae6bed5bd53d25a1ba2d32844cea3648579e79a744bcd13c6f9f4f549e7bd4410753fe47225c99a3949adb5a29322fa35901ce6829a408

Download Submit
memory/1348-305-0x000007FEF5340000-0x000007FEF5CDD000-memory.dmp

Filesize
9.6MB

Download
memory/1348-300-0x000007FEF5340000-0x000007FEF5CDD000-memory.dmp

Filesize
9.6MB

Download
memory/1348-301-0x0000000001F10000-0x0000000001F90000-memory.dmp

Filesize
512KB

Download
memory/1392-291-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1392-292-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2180-303-0x0000000001CE0000-0x0000000001CE1000-memory.dmp

Filesize
4KB

Download
memory/2364-593-0x000007FEF3270000-0x000007FEF3C0D000-memory.dmp

Filesize
9.6MB

Download
memory/2364-424-0x000007FEF3270000-0x000007FEF3C0D000-memory.dmp

Filesize
9.6MB

Download
memory/2364-537-0x00000000230C0000-0x00000000230E0000-memory.dmp

Filesize
128KB

Download
memory/2364-437-0x000007FEF3270000-0x000007FEF3C0D000-memory.dmp

Filesize
9.6MB

Download
memory/2364-434-0x0000000008CB0000-0x0000000008D30000-memory.dmp

Filesize
512KB

Download
memory/2364-501-0x000007FFFFDE0000-0x000007FFFFDF0000-memory.dmp

Filesize
64KB

Download
memory/2364-594-0x0000000008CB0000-0x0000000008D30000-memory.dmp

Filesize
512KB

Download
memory/2628-307-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2924-299-0x0000000000350000-0x00000000003D0000-memory.dmp

Filesize
512KB

Download
memory/2924-298-0x0000000000350000-0x00000000003D0000-memory.dmp

Filesize
512KB

Download
memory/2924-293-0x000007FEF5340000-0x000007FEF5CDD000-memory.dmp

Filesize
9.6MB

Download
memory/2924-304-0x000007FEF5340000-0x000007FEF5CDD000-memory.dmp

Filesize
9.6MB

Download
memory/2924-296-0x0000000000350000-0x00000000003D0000-memory.dmp

Filesize
512KB

Download
memory/2924-306-0x0000000000350000-0x00000000003D0000-memory.dmp

Filesize
512KB

Download
memory/2924-295-0x000007FEF5340000-0x000007FEF5CDD000-memory.dmp

Filesize
9.6MB

Download
memory/2924-294-0x0000000000350000-0x00000000003D0000-memory.dmp

Filesize
512KB

Download
memory/3024-722-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/3024-1045-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/3024-313-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/3024-312-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/3024-311-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/3024-626-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/3024-625-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/3024-671-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/3024-721-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/3024-310-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/3024-723-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/3024-770-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/3024-773-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/3024-829-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/3024-830-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/3024-877-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/3024-878-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/3024-925-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/3024-942-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/3024-941-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/3024-1000-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/3024-341-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/3024-1046-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/3024-1090-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/3024-1095-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/3024-1096-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/3024-1146-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/3024-1145-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/3024-1197-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/3024-1247-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/3024-1248-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/3024-1293-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/3024-1294-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/3024-1340-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/3024-1341-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/3024-1388-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/3024-1389-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/3024-309-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/3024-2270-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/3024-2271-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/3024-308-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download