222aac7073d8c2826c61fb517263f356fd893eb069c92677ec5e52435e3adb3f

Analysis

max time kernel
104s
max time network
106s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
23-02-2024 20:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Phoenix/AngleSharp.dll
Size

861KB
MD5

ba231be096738680abadcb0504361b6e
SHA1

7eb1609f8643d1964ec252f897c05a10345b7d85
SHA256

78e304f09e0af840441733b89bb3c268109fa1c4200085a7c1edb097b6723d7a
SHA512

3a662033bbd0688cd76da84970d988c6932912a7cbac7f6ed1b26e32f480e9ac4866609764334a610c3b8b52de4d52c557e23d3ea111f154ff41e426d14923cc
SSDEEP

6144:JnFGmSD2smAF5DvLpN15eNcWx0x1DOlzWrBmXgis5zEJ0rlz6zoMJsJG/YLfjrkS:J8XlrNHwqd6aD26o2GckUMIC5Yq6ku

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

1 discord.com
22 discord.com
23 discord.com

flow	ioc
1	discord.com
22	discord.com
23	discord.com

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 2 IoCs

Processes:

MiniSearchHost.exemsedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4280069375-290121026-380765049-1000\{C1E1D254-2912-4997-AF56-6C94A1FD186A}	msedge.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

msedge.exemsedge.exemsedge.exeidentity_helper.exemsedge.exe

pid	process
1116	msedge.exe
1116	msedge.exe
1116	msedge.exe
2352	msedge.exe
2352	msedge.exe
3900	msedge.exe
3900	msedge.exe
1496	identity_helper.exe
1496	identity_helper.exe
3736	msedge.exe
3736	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

Processes:

msedge.exe

pid	process
1116	msedge.exe
1116	msedge.exe
1116	msedge.exe
1116	msedge.exe
1116	msedge.exe
1116	msedge.exe
1116	msedge.exe
1116	msedge.exe
1116	msedge.exe
1116	msedge.exe
1116	msedge.exe
1116	msedge.exe
1116	msedge.exe
1116	msedge.exe
1116	msedge.exe

Suspicious use of FindShellTrayWindow 34 IoCs

Processes:

msedge.exe

pid	process
1116	msedge.exe
1116	msedge.exe
1116	msedge.exe
1116	msedge.exe
1116	msedge.exe
1116	msedge.exe
1116	msedge.exe
1116	msedge.exe
1116	msedge.exe
1116	msedge.exe
1116	msedge.exe
1116	msedge.exe
1116	msedge.exe
1116	msedge.exe
1116	msedge.exe
1116	msedge.exe
1116	msedge.exe
1116	msedge.exe
1116	msedge.exe
1116	msedge.exe
1116	msedge.exe
1116	msedge.exe
1116	msedge.exe
1116	msedge.exe
1116	msedge.exe
1116	msedge.exe
1116	msedge.exe
1116	msedge.exe
1116	msedge.exe
1116	msedge.exe
1116	msedge.exe
1116	msedge.exe
1116	msedge.exe
1116	msedge.exe

Suspicious use of SendNotifyMessage 16 IoCs

Processes:

msedge.exe

pid	process
1116	msedge.exe
1116	msedge.exe
1116	msedge.exe
1116	msedge.exe
1116	msedge.exe
1116	msedge.exe
1116	msedge.exe
1116	msedge.exe
1116	msedge.exe
1116	msedge.exe
1116	msedge.exe
1116	msedge.exe
1116	msedge.exe
1116	msedge.exe
1116	msedge.exe
1116	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

MiniSearchHost.exe

pid process

5380 MiniSearchHost.exe

pid	process
5380	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 1116 wrote to memory of 3840	1116	msedge.exe	msedge.exe
PID 1116 wrote to memory of 3840	1116	msedge.exe	msedge.exe
PID 1116 wrote to memory of 2448	1116	msedge.exe	msedge.exe
PID 1116 wrote to memory of 2448	1116	msedge.exe	msedge.exe
PID 1116 wrote to memory of 2448	1116	msedge.exe	msedge.exe
PID 1116 wrote to memory of 2448	1116	msedge.exe	msedge.exe
PID 1116 wrote to memory of 2448	1116	msedge.exe	msedge.exe
PID 1116 wrote to memory of 2448	1116	msedge.exe	msedge.exe
PID 1116 wrote to memory of 2448	1116	msedge.exe	msedge.exe
PID 1116 wrote to memory of 2448	1116	msedge.exe	msedge.exe
PID 1116 wrote to memory of 2448	1116	msedge.exe	msedge.exe
PID 1116 wrote to memory of 2448	1116	msedge.exe	msedge.exe
PID 1116 wrote to memory of 2448	1116	msedge.exe	msedge.exe
PID 1116 wrote to memory of 2448	1116	msedge.exe	msedge.exe
PID 1116 wrote to memory of 2448	1116	msedge.exe	msedge.exe
PID 1116 wrote to memory of 2448	1116	msedge.exe	msedge.exe
PID 1116 wrote to memory of 2448	1116	msedge.exe	msedge.exe
PID 1116 wrote to memory of 2448	1116	msedge.exe	msedge.exe
PID 1116 wrote to memory of 2448	1116	msedge.exe	msedge.exe
PID 1116 wrote to memory of 2448	1116	msedge.exe	msedge.exe
PID 1116 wrote to memory of 2448	1116	msedge.exe	msedge.exe
PID 1116 wrote to memory of 2448	1116	msedge.exe	msedge.exe
PID 1116 wrote to memory of 2448	1116	msedge.exe	msedge.exe
PID 1116 wrote to memory of 2448	1116	msedge.exe	msedge.exe
PID 1116 wrote to memory of 2448	1116	msedge.exe	msedge.exe
PID 1116 wrote to memory of 2448	1116	msedge.exe	msedge.exe
PID 1116 wrote to memory of 2448	1116	msedge.exe	msedge.exe
PID 1116 wrote to memory of 2448	1116	msedge.exe	msedge.exe
PID 1116 wrote to memory of 2448	1116	msedge.exe	msedge.exe
PID 1116 wrote to memory of 2448	1116	msedge.exe	msedge.exe
PID 1116 wrote to memory of 2448	1116	msedge.exe	msedge.exe
PID 1116 wrote to memory of 2448	1116	msedge.exe	msedge.exe
PID 1116 wrote to memory of 2448	1116	msedge.exe	msedge.exe
PID 1116 wrote to memory of 2448	1116	msedge.exe	msedge.exe
PID 1116 wrote to memory of 2448	1116	msedge.exe	msedge.exe
PID 1116 wrote to memory of 2448	1116	msedge.exe	msedge.exe
PID 1116 wrote to memory of 2448	1116	msedge.exe	msedge.exe
PID 1116 wrote to memory of 2448	1116	msedge.exe	msedge.exe
PID 1116 wrote to memory of 2448	1116	msedge.exe	msedge.exe
PID 1116 wrote to memory of 2448	1116	msedge.exe	msedge.exe
PID 1116 wrote to memory of 2448	1116	msedge.exe	msedge.exe
PID 1116 wrote to memory of 2448	1116	msedge.exe	msedge.exe
PID 1116 wrote to memory of 2352	1116	msedge.exe	msedge.exe
PID 1116 wrote to memory of 2352	1116	msedge.exe	msedge.exe
PID 1116 wrote to memory of 2436	1116	msedge.exe	msedge.exe
PID 1116 wrote to memory of 2436	1116	msedge.exe	msedge.exe
PID 1116 wrote to memory of 2436	1116	msedge.exe	msedge.exe
PID 1116 wrote to memory of 2436	1116	msedge.exe	msedge.exe
PID 1116 wrote to memory of 2436	1116	msedge.exe	msedge.exe
PID 1116 wrote to memory of 2436	1116	msedge.exe	msedge.exe
PID 1116 wrote to memory of 2436	1116	msedge.exe	msedge.exe
PID 1116 wrote to memory of 2436	1116	msedge.exe	msedge.exe
PID 1116 wrote to memory of 2436	1116	msedge.exe	msedge.exe
PID 1116 wrote to memory of 2436	1116	msedge.exe	msedge.exe
PID 1116 wrote to memory of 2436	1116	msedge.exe	msedge.exe
PID 1116 wrote to memory of 2436	1116	msedge.exe	msedge.exe
PID 1116 wrote to memory of 2436	1116	msedge.exe	msedge.exe
PID 1116 wrote to memory of 2436	1116	msedge.exe	msedge.exe
PID 1116 wrote to memory of 2436	1116	msedge.exe	msedge.exe
PID 1116 wrote to memory of 2436	1116	msedge.exe	msedge.exe
PID 1116 wrote to memory of 2436	1116	msedge.exe	msedge.exe
PID 1116 wrote to memory of 2436	1116	msedge.exe	msedge.exe
PID 1116 wrote to memory of 2436	1116	msedge.exe	msedge.exe
PID 1116 wrote to memory of 2436	1116	msedge.exe	msedge.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Phoenix\AngleSharp.dll,#1
1⤵
PID:2480

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff87eaf3cb8,0x7ff87eaf3cc8,0x7ff87eaf3cd8
2⤵
PID:3840

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1708,3302842618967491888,4489875404943967507,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1812 /prefetch:2
2⤵
PID:2448

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1708,3302842618967491888,4489875404943967507,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2352

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1708,3302842618967491888,4489875404943967507,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2636 /prefetch:8
2⤵
PID:2436

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1708,3302842618967491888,4489875404943967507,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1
2⤵
PID:2936

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1708,3302842618967491888,4489875404943967507,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1
2⤵
PID:1540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1708,3302842618967491888,4489875404943967507,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4924 /prefetch:1
2⤵
PID:2796

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1708,3302842618967491888,4489875404943967507,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4888 /prefetch:1
2⤵
PID:580

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1708,3302842618967491888,4489875404943967507,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4632 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3900

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1708,3302842618967491888,4489875404943967507,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3432 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1496

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1708,3302842618967491888,4489875404943967507,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3524 /prefetch:1
2⤵
PID:5004

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1708,3302842618967491888,4489875404943967507,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3836 /prefetch:1
2⤵
PID:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1708,3302842618967491888,4489875404943967507,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4484 /prefetch:1
2⤵
PID:2156

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1708,3302842618967491888,4489875404943967507,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:1
2⤵
PID:840

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1708,3302842618967491888,4489875404943967507,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:1
2⤵
PID:3108

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1708,3302842618967491888,4489875404943967507,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3428 /prefetch:8
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3736

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1708,3302842618967491888,4489875404943967507,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5500 /prefetch:8
2⤵
PID:3928

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1708,3302842618967491888,4489875404943967507,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5716 /prefetch:1
2⤵
PID:1292

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1708,3302842618967491888,4489875404943967507,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:1
2⤵
PID:3904

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1708,3302842618967491888,4489875404943967507,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5588 /prefetch:1
2⤵
PID:4640

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1708,3302842618967491888,4489875404943967507,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6312 /prefetch:1
2⤵
PID:5628

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1708,3302842618967491888,4489875404943967507,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6296 /prefetch:1
2⤵
PID:5616

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1708,3302842618967491888,4489875404943967507,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6472 /prefetch:1
2⤵
PID:5776

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2272

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2496

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2644

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\4673bc08-13b7-449a-b90b-d7905a691aa3.tmp

Filesize
11KB

MD5
292a2b88cdf011668e2397cbf6a7ceb8

SHA1
8af9c61f95239982076e9a44221a458853bad263

SHA256
611ce8597820e79e992fcbe8c11359b2c8db7d80471d194ccd29ac8246d15e04

SHA512
4fc3496867fb0780538dcd61f4a8ef8767da219c2aa9281fb7d33709e0d40283a4a660593b5a8397770a1c88f2c24176164a30b140324d1d3b5072ad1c8636c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a0407c5de270b9ae0ceee6cb9b61bbf1

SHA1
fb2bb8184c1b8e680bf873e5537e1260f057751e

SHA256
a56989933628f6a677ad09f634fc9b7dd9cf7d06c72a76ddbb8221bc4a62ffcd

SHA512
65162bf07705dfdd348d4eaf0a3feba08dc2c0942a3a052b4492d0675ab803b104c03c945f5608fac9544681e0fe8b81d1aaca859663e79aa87fcb591ddb8136

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ded21ddc295846e2b00e1fd766c807db

SHA1
497eb7c9c09cb2a247b4a3663ce808869872b410

SHA256
26025f86effef56caa2ee50a64e219c762944b1e50e465be3a6b454bc0ed7305

SHA512
ddfaa73032590de904bba398331fdbf188741d96a17116ada50298b42d6eb7b20d6e50b0cfae8b17e2f145997b8ebce6c8196e6f46fbe11f133d3d82ce3656db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
3c4b04598d66e99feff1eeae780f7df0

SHA1
7fb96db8503c0bdd1954c44461f61f33640fb5b5

SHA256
76cc58578b5d7326311ae11f73ac9c16b0664db8a1efe48cebfa4f7c7f0cc1af

SHA512
01ad67d82cc00285ffbdcfae75c3ebc705b85aacd835f05c4eed56671b52e3c1bda9f3fde2739e5e779c46db5b85ad6eefcf865d365459c8dd41b0f333aedb6c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
67e4121200c6e879c89ff10e22c09eac

SHA1
37e2c92db87d402b82c238e1194ab90a251108cb

SHA256
b93594a14dd1201d1f7d084fa5751fecac10d7cb950766d214e3756a9c1da088

SHA512
1f24a002daaa578cbc155b6fc458f5cbcb71be052bad04c069f6a96a08425c83bb836ef6a122b859fa20fffc95948477272b0ac67282acab7b758831a1a63194

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
b8ffa510998fc48aea421a2a6a3fc022

SHA1
4f931988c4e536d0ff19b98c4ae57276fb52c823

SHA256
f0182d5dd9a612ba0ed34a95602f1e256d13c763d6830248ad056ab6febef6a4

SHA512
3e5fabdb1eea986b4a89d04963bd5f24913e918ab16098f87e8e5d94dca865938e301be7293501c9b2edcd93828cfd7d331e9df4bdd31416ba2edcd72b3bfdd4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a3ffefd5e9adfdff3f59058726d1aece

SHA1
f79e03c87a7a5b8187a195da9329ee6e615c6536

SHA256
b4c2dca4d768a27b887814e2a03e052ad9d40e8027b154733dc502c37b3ae33d

SHA512
ab8bc0dc8bf115598396d8a912824fbc6e1e27d698dfbea3180819199caa80973d0a69f817d6a3ab4e29e48fc0a11a1ae169a8cd97a85de655870c84c1ea542e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
25db3e22bbecd3ed3f963390bc8a4daa

SHA1
e4ad939ae1f0a415b47477ac5f8bcc48a421e392

SHA256
d54a20d68ae1d38047327fc3f4716f0e819d356a855785842338bd90ce3cf5de

SHA512
056aa5952e4b9daab8d3a02b3d8ddff9c4713b073330e8130b3833c5e56666d77f935a8226a1952aadccf220a9df146608e2f8bfb1fac4aa7d0225d0f3e9070d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d587330675dd78d44f0b583ee78c4ee2

SHA1
d906ebc0a2884e7124a75200ecdad09d4797e5a4

SHA256
680d6a68f08cfb212447eddfa19a1b268b5adb2602dbab638f524017f1de5695

SHA512
6ae5ebbf54aa064cd1fb85286fdd0d068b5fd5adeca436db6ab9e5e3f61ea58884a3daaa1fd189731cf02deafb8b2b40e85617d2017bbc11017505e8fc1a57d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4e8429c1334a5f0347df162d131c90bd

SHA1
4778b35fc0dfe5ffd09d934ff06c0c7ea5e6ab12

SHA256
ef9a0bc7b721b546864b56779e6f4ce25ef2178a4d24ac7d2f5b35f6cb188f80

SHA512
a49ac498d170c15129ffac54d76dae0c3fd31bffc342ef0358b59aebc43103ba02a193b0849cdc0ae89dea52cb7ecf2178960fe79c0028ec5810d984680e0256

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
5add90c90935146a949c76044f4bc391

SHA1
41c26164140a10175b251fda26041ea021b2bfb5

SHA256
a889748918ed11907ea0f339d18d97b2bcab1c46e7cec49313d848585f31db29

SHA512
0240054b85b1dbbd1d8bba52e7fcfb9a9047017865804de86d349592157af42d4f7886e6312bad44fa9f030b99c40fde4f160db890c8cf1fec577bfa932b4e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
5edd1343fc2b7a8ef2e9c0dbfe07e6f5

SHA1
fcc159d065296ca174dc6f10a9ff3e623e00c413

SHA256
eda5aaa94f2607f332254f97acc801a16891bc4f72a54aee3c83e6fffc4b9404

SHA512
1523c24488f33e07519676f49961586ce7c88122b1a84fd91fab2f4cccb516f6301d05ca67ada155dff9476856264a25852f78ee3c2c0667e9e3ecddd972e1d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\a98eea2e-c357-4fe7-a3c2-436e31cc56a6.tmp

Filesize
6KB

MD5
d18339d2c89c15f670fe64be39f88e35

SHA1
fb046058aa70846bcb2d18ee8e2d4373f40b3ae5

SHA256
25b27fe2cf568e7b99f85fce96070db4842a9b23df4efe921f7a690a802b687f

SHA512
f2ae7c1f1f05532524d61178efb9be12699220b71ce7b34ab62d7609e84db86df3b4705ee4303f369c20b0f9a312e919bde07eee3c9021bdc85d57511b986575

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
eee259f2c826481d7e9c4173dcbd5ff5

SHA1
36218a5d1ae4c3428de9aeb521137bd634e78a25

SHA256
7f845526d729a177ad4e1f83b7768fa08ffc369e4b9c070241c409727ca96b33

SHA512
0777e26bbde296d457e884e57d03e4f64e1e3907f045749e774ab299636ea67f0dc42df4f3ea191e69b0b7d1237ab226874f540f791529e1b208f58a0b4fca23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
df747db7ca3a96a4a8e8e19f2592536d

SHA1
31979797283d23a5f0b7470ee9765bb6569c970a

SHA256
d54195627374f5a1795ddd9983a611eba2e7387d929476a56bc37ce939b58547

SHA512
682b38086940b2b34265cd3dfe2a0c1b886dcc4e9907a0719a31c882ba918536f543753379052e7eff1982a921a9fef5a18b40ced2ef02d86b49bf9017b43e00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
db3f851f3b8cc4b051425c0b1377ea29

SHA1
42d279bd688ad57b1e374dc6c39f03f3c75945f7

SHA256
8dcf7518d2604abeece37bfd1d0b2d2f10d98a227f569fee3178a56585760506

SHA512
a226ace0f29ce6b1c6e1e45dcb9da19cd5918925aecbc8d12f0be9295773919496937808fcd85fdce30706d252db2fc33a26c0e9900ffc0d40c19f2d63a94a4d

Download Submit
\??\pipe\LOCAL\crashpad_1116_KUZYQPGXWHPKHVEC

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit