hxxp://pornhub[.]com | Triage

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
24/02/2024, 16:43

Sharing

Report Analysis Logs

General

Target

http://pornhub.com

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 11 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00002.jrs	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.jfm	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jtx	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSStmp.log	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jcp	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.log	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00001.jrs	svchost.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000_Classes\Local Settings	mspaint.exe

Opens file in notepad (likely ransom note) 1 IoCs

pid	Process
1568	NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1316	vlc.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
220	msedge.exe
220	msedge.exe
3460	msedge.exe
3460	msedge.exe
392	identity_helper.exe
392	identity_helper.exe
4864	mspaint.exe
4864	mspaint.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1316	vlc.exe
1200	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe

Suspicious use of FindShellTrayWindow 63 IoCs

pid	Process
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
1316	vlc.exe
1316	vlc.exe
1316	vlc.exe
1316	vlc.exe
1316	vlc.exe
1316	vlc.exe
1316	vlc.exe
1316	vlc.exe
1316	vlc.exe
1316	vlc.exe
1316	vlc.exe
1316	vlc.exe
1316	vlc.exe
1316	vlc.exe
1316	vlc.exe
1316	vlc.exe
1316	vlc.exe
1316	vlc.exe
1316	vlc.exe
1316	vlc.exe
1316	vlc.exe
1316	vlc.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe

Suspicious use of SendNotifyMessage 61 IoCs

pid	Process
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
1316	vlc.exe
1316	vlc.exe
1316	vlc.exe
1316	vlc.exe
1316	vlc.exe
1316	vlc.exe
1316	vlc.exe
1316	vlc.exe
1316	vlc.exe
1316	vlc.exe
1316	vlc.exe
1316	vlc.exe
1316	vlc.exe
1316	vlc.exe
1316	vlc.exe
1316	vlc.exe
1316	vlc.exe
1316	vlc.exe
1316	vlc.exe
1316	vlc.exe
1316	vlc.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1316	vlc.exe
4864	mspaint.exe
1200	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3460 wrote to memory of 5356	3460	msedge.exe	58
PID 3460 wrote to memory of 5356	3460	msedge.exe	58
PID 3460 wrote to memory of 224	3460	msedge.exe	90
PID 3460 wrote to memory of 224	3460	msedge.exe	90
PID 3460 wrote to memory of 224	3460	msedge.exe	90
PID 3460 wrote to memory of 224	3460	msedge.exe	90
PID 3460 wrote to memory of 224	3460	msedge.exe	90
PID 3460 wrote to memory of 224	3460	msedge.exe	90
PID 3460 wrote to memory of 224	3460	msedge.exe	90
PID 3460 wrote to memory of 224	3460	msedge.exe	90
PID 3460 wrote to memory of 224	3460	msedge.exe	90
PID 3460 wrote to memory of 224	3460	msedge.exe	90
PID 3460 wrote to memory of 224	3460	msedge.exe	90
PID 3460 wrote to memory of 224	3460	msedge.exe	90
PID 3460 wrote to memory of 224	3460	msedge.exe	90
PID 3460 wrote to memory of 224	3460	msedge.exe	90
PID 3460 wrote to memory of 224	3460	msedge.exe	90
PID 3460 wrote to memory of 224	3460	msedge.exe	90
PID 3460 wrote to memory of 224	3460	msedge.exe	90
PID 3460 wrote to memory of 224	3460	msedge.exe	90
PID 3460 wrote to memory of 224	3460	msedge.exe	90
PID 3460 wrote to memory of 224	3460	msedge.exe	90
PID 3460 wrote to memory of 224	3460	msedge.exe	90
PID 3460 wrote to memory of 224	3460	msedge.exe	90
PID 3460 wrote to memory of 224	3460	msedge.exe	90
PID 3460 wrote to memory of 224	3460	msedge.exe	90
PID 3460 wrote to memory of 224	3460	msedge.exe	90
PID 3460 wrote to memory of 224	3460	msedge.exe	90
PID 3460 wrote to memory of 224	3460	msedge.exe	90
PID 3460 wrote to memory of 224	3460	msedge.exe	90
PID 3460 wrote to memory of 224	3460	msedge.exe	90
PID 3460 wrote to memory of 224	3460	msedge.exe	90
PID 3460 wrote to memory of 224	3460	msedge.exe	90
PID 3460 wrote to memory of 224	3460	msedge.exe	90
PID 3460 wrote to memory of 224	3460	msedge.exe	90
PID 3460 wrote to memory of 224	3460	msedge.exe	90
PID 3460 wrote to memory of 224	3460	msedge.exe	90
PID 3460 wrote to memory of 224	3460	msedge.exe	90
PID 3460 wrote to memory of 224	3460	msedge.exe	90
PID 3460 wrote to memory of 224	3460	msedge.exe	90
PID 3460 wrote to memory of 224	3460	msedge.exe	90
PID 3460 wrote to memory of 224	3460	msedge.exe	90
PID 3460 wrote to memory of 220	3460	msedge.exe	91
PID 3460 wrote to memory of 220	3460	msedge.exe	91
PID 3460 wrote to memory of 5920	3460	msedge.exe	92
PID 3460 wrote to memory of 5920	3460	msedge.exe	92
PID 3460 wrote to memory of 5920	3460	msedge.exe	92
PID 3460 wrote to memory of 5920	3460	msedge.exe	92
PID 3460 wrote to memory of 5920	3460	msedge.exe	92
PID 3460 wrote to memory of 5920	3460	msedge.exe	92
PID 3460 wrote to memory of 5920	3460	msedge.exe	92
PID 3460 wrote to memory of 5920	3460	msedge.exe	92
PID 3460 wrote to memory of 5920	3460	msedge.exe	92
PID 3460 wrote to memory of 5920	3460	msedge.exe	92
PID 3460 wrote to memory of 5920	3460	msedge.exe	92
PID 3460 wrote to memory of 5920	3460	msedge.exe	92
PID 3460 wrote to memory of 5920	3460	msedge.exe	92
PID 3460 wrote to memory of 5920	3460	msedge.exe	92
PID 3460 wrote to memory of 5920	3460	msedge.exe	92
PID 3460 wrote to memory of 5920	3460	msedge.exe	92
PID 3460 wrote to memory of 5920	3460	msedge.exe	92
PID 3460 wrote to memory of 5920	3460	msedge.exe	92
PID 3460 wrote to memory of 5920	3460	msedge.exe	92
PID 3460 wrote to memory of 5920	3460	msedge.exe	92

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://pornhub.com
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb46db46f8,0x7ffb46db4708,0x7ffb46db4718
  2⤵
  PID:5356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,9916018840622433636,10578538659546738444,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
  2⤵
  PID:224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,9916018840622433636,10578538659546738444,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2160,9916018840622433636,10578538659546738444,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2676 /prefetch:8
  2⤵
  PID:5920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9916018840622433636,10578538659546738444,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
  2⤵
  PID:5132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9916018840622433636,10578538659546738444,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
  2⤵
  PID:3668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9916018840622433636,10578538659546738444,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4892 /prefetch:1
  2⤵
  PID:5480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9916018840622433636,10578538659546738444,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4868 /prefetch:1
  2⤵
  PID:2400
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,9916018840622433636,10578538659546738444,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5600 /prefetch:8
  2⤵
  PID:5520
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,9916018840622433636,10578538659546738444,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5600 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9916018840622433636,10578538659546738444,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5724 /prefetch:1
  2⤵
  PID:528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9916018840622433636,10578538659546738444,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3948 /prefetch:1
  2⤵
  PID:1036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9916018840622433636,10578538659546738444,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3896 /prefetch:1
  2⤵
  PID:1252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9916018840622433636,10578538659546738444,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3920 /prefetch:1
  2⤵
  PID:4536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9916018840622433636,10578538659546738444,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5888 /prefetch:1
  2⤵
  PID:3652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9916018840622433636,10578538659546738444,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5696 /prefetch:1
  2⤵
  PID:5112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9916018840622433636,10578538659546738444,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
  2⤵
  PID:1496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,9916018840622433636,10578538659546738444,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1192 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:744

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5200

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5216

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\ConvertFromDismount.DVR-MS"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1316

C:\Windows\System32\fontview.exe
"C:\Windows\System32\fontview.exe" C:\Users\Admin\Desktop\SplitOptimize.fon
1⤵
PID:5700

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\SwitchExit.ini
1⤵
- Opens file in notepad (likely ransom note)
PID:1568

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\PushUnblock.jfif" /ForceBootstrapPaint3D
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4864

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
1⤵
- Drops file in System32 directory
PID:5296

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e189354a800c436e6cec7c07e6c0feea

SHA1
5c84fbda33c9276736ff3cb01d30ff34b032f781

SHA256
826adca1e688de79a3ec5b91c75990927fb2a33ae717f474608c68336053f427

SHA512
ceb069a5e83a634503e253846fa17b8bf7aaa539c3353ce61251633d69068e24c5eadd1b496f43058790d2b513e65d2c0b0213730813d0b58bb82a00596e05e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b9e3e150cfe464e9ebf0a6db1aa5e7a2

SHA1
3cb184e2781c07ac000661bf82e3857a83601813

SHA256
2325a6292907263d1fb089a09f22fbcc6bad56f4961d427efdef1abaef097bcc

SHA512
f5eb1e76eb9441cf5000d8d4db9296077b61714ead5012779c084b37f4bba07614055738f5dce69b13b25975d9b7c03eab049b7685eee09b23fd8d4a7d71a039

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000018

Filesize
674KB

MD5
2c0ca69e3be8a4217ab29a793a358424

SHA1
26d94dba90cba0958a3004340c4c7a5b300180d3

SHA256
e85ec14ed25c12f1206acd9bf5404088c89291cd5700d1159976d97e74c1d4f4

SHA512
c62ec7dd75aff567fa2a1ed192cfbdaa8e06e8b148604c9c2f8a4d1e7f6df4e235c75c13c5a48b96d08c14343b68aab3775c828b40aa48e419ab176b11fc48e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
864B

MD5
34441334a40d3fe5dffd4ca3ac77ded6

SHA1
ad3977374f4f891316f5c718d9d595e9096a8767

SHA256
98231e48a6523b4e50e018604eb71d300d3b524763359fda2863f2bb6f7384c1

SHA512
5e9e450aa49cd38ab4e7ceb49bded73a8e83302b464aeaf86e1171ca3fd124fe6512f15332f7c64518dc99706bcb81874afaf512eb1a246ae12bc222aef780ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
4fa7fb00cda43287ee7458f4b7abea09

SHA1
db56b9153f6f5016ef2aeebdaf0c3c3275b1bae4

SHA256
fb9c9738572c37ad26387d6f70c9fc5486a2779bf6ed592a3bb9bf7b7a2d5510

SHA512
5ee5b67af73b5110a4e7a30d012e0b56a8af90848c90bcef093706b514b715b17e0fb39fb737d59fa91d32a59c14403aba08bb581edaa03cb1ed9d3a98d3daa0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
59fd76dce4be712018c42e77dceee3c0

SHA1
314e0658f80d722c99cd144efc781cb6007549b7

SHA256
ab08d176ad12976181eb4ac89c32f1458e3b1f5c44549d748936999a7d574a4b

SHA512
867ecde240ab464c5e995c69cc307fe4489d41bd3c2a4b6bf87a6c3a431e1f41d01128a523858648d3e4e18645fb51a5042ea6d5add786a68c1d8e2563dc9ef3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8902ed261b946cdfdc8c13b87c71e9c7

SHA1
06582280459e7986290b60fc44b5c47c49c034d2

SHA256
ae11f079aff1afe6ffd9483526d13cb70e8c4820fd54b6e8be3ec982e4efff71

SHA512
e7829672231742d5007e06df65f97b11b364154a02537726331b0b02d3778ae71131251b2a6dd86ff90612dafc64c1f0344b5bbea7ac108d0d9d27ae7cc159f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
28b472a9b81c35fc1c5c44b1b006a66e

SHA1
6768574419a81a71bc56d5304f0b263058a6c6b2

SHA256
15089b04f6a5874f8e2f7361d1309be89fb5b8bfbc63b4a9404d0aa5e264d70a

SHA512
297b1f63c9c5d04e179ac20a4a0744780d4f9db4cfc0c8a37725870255e1e18c47b377029f75c4a467240c9e89f6fc97c61fc117615a2e55d48a50453dc6fde6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
37be307062298c173ea3594816403a30

SHA1
3f2510d611a791110f8f337923db6004c538540a

SHA256
f216ce98340a12b9747d55dd9fc67582b5a5c1fc32935aa7691d28c06402221c

SHA512
9c8044beb13094b2447896120e4c19a2a5f4a42a0943430cbc515d32ca4dc89e85660acc29d0872a1845ae56dc7fb066a4800ec033956837afa353d23d51ffb2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
e6d336f39ae90b58ee7f056a0c386da7

SHA1
924fdbf8080b2c2bfac5c1ea0b0b7928b5059bdf

SHA256
f42e6c45f36a74604a8a4ccd88011caa19c4fbd7cb26c3b521396cfd71b4738d

SHA512
0bad47cf7bbaecaad6d5e799edac2f4d058e4da95941a8ea596def511ce137470b55f9b1cfd71464487f34f1bf7ee4753a5a14e42ea87c610a2227b58a557584

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe579460.TMP

Filesize
48B

MD5
50fd4692940311e458998cfd6d5c1390

SHA1
ebc928527a4554268ccbe95a81fe9c7f0378eb57

SHA256
3b0cf8d94ea86209b7387dd19cbd79a87b907a189c4f79457f0d86826f9f0a2c

SHA512
a0ae73719f026f9099b021a1a95f10247bd0617e3a208cc3960f2c5066e0b4dd092898018d4f5cbcc14a59459f54d61b563f56bc5f643b5e552149dc6cbf8c2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
871B

MD5
26a9d74d2ed0d15bb1a5900efa214d09

SHA1
3d8312398a5ef621642c125aac6bb71f88b85c28

SHA256
0dcfc56d77994f89b604b347b7d67c536273cb62770e65a4265256747de200ce

SHA512
dda74473ad5ade51caf91aac6170a85b7e33c9e5204b8a5752ec320bb502d8deea5ddf36ad9ab37767ac7831ef751efbc04c38e6115254658c457f62b54bdca5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5849a6.TMP

Filesize
871B

MD5
07997301a022fa7ee8b12c196a6a9073

SHA1
442ff7418c9df7d8e58d4e3c6b3261db107fc524

SHA256
b6c1de8728f4f77c15efe8c78277820bfd7ee767ce04883879be1c343a100da4

SHA512
ada4f8bbc5f3080cd243c0cd76ea3f2f08fa16add1541025d94e48802b966ec6abd019f971e912278e4806a537e36b599d52ad33e99e8d5d0fc82e1cd147b4a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
26abeff6d1e790b4c88d495a8c6a4ace

SHA1
8884939989640d0f79bddb1f3bac6df66b20f7ff

SHA256
c1e621087cdd0c17fb071f6f8082fbaee752baa82d98be0e32ac00a362c9ca9b

SHA512
312020b1bd7c3ef6c63149361471c0b0d6d119a2ef1fc8a8456ae10b7ce225be3e17396902bd15b4c5750c931a25a0656e2e72c30c5c3f2824b50b90a7752e5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
fe29431e6086221c784bd13fe95d5195

SHA1
1a06bac93b5f0e5d76c94e68c09cb8ab244e37b8

SHA256
806bdda6cb1a862f339f64e9d5b621fb319a968c0b9b8260ff1749c465629d0c

SHA512
4c548b8a30fe1461e3892878c5bf1fd6e96f7534be4031898fe068a0b75950fc655ac2ad320b0465fc198ce2eeffc44ecb2ec7b911d0a06e25388322c368b215

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini.UJ1316

Filesize
87B

MD5
7cf0b1db2c7286ad7c7f5542c0b22525

SHA1
84989639eb5ff0141d221c620f718d4c87a763eb

SHA256
911ab8d07c0482bc7f0dc812838acb132467baa7285b9bf03558243525d1d6dc

SHA512
699836b7ee4de676482c3a581fafadf73fe8838c176c1b6eb37a2a37484a56ea4514a5e047b60eae27f1a8865e76b3e3f13394070d3fa660ce1e2e896bc486dd

Download Submit
memory/1316-223-0x00007FFB32EE0000-0x00007FFB32FF2000-memory.dmp

Filesize
1.1MB

Download
memory/1316-222-0x00007FFB338B0000-0x00007FFB3495B000-memory.dmp

Filesize
16.7MB

Download
memory/1316-219-0x00007FF71ECC0000-0x00007FF71EDB8000-memory.dmp

Filesize
992KB

Download
memory/1316-220-0x00007FFB47000000-0x00007FFB47034000-memory.dmp

Filesize
208KB

Download
memory/1316-221-0x00007FFB35C80000-0x00007FFB35F34000-memory.dmp

Filesize
2.7MB

Download
memory/5296-248-0x00000232A4EF0000-0x00000232A4EF1000-memory.dmp

Filesize
4KB

Download
memory/5296-250-0x00000232A4F80000-0x00000232A4F81000-memory.dmp

Filesize
4KB

Download
memory/5296-251-0x00000232A4F90000-0x00000232A4F91000-memory.dmp

Filesize
4KB

Download
memory/5296-252-0x00000232A4F90000-0x00000232A4F91000-memory.dmp

Filesize
4KB

Download
memory/5296-233-0x000002329CB60000-0x000002329CB70000-memory.dmp

Filesize
64KB

Download
memory/5296-249-0x00000232A4F80000-0x00000232A4F81000-memory.dmp

Filesize
4KB

Download
memory/5296-237-0x000002329CBA0000-0x000002329CBB0000-memory.dmp

Filesize
64KB

Download
memory/5296-246-0x00000232A4EF0000-0x00000232A4EF1000-memory.dmp

Filesize
4KB

Download
memory/5296-244-0x00000232A4E70000-0x00000232A4E71000-memory.dmp

Filesize
4KB

Download