Analysis

- max time kernel: 139s
- max time network: 134s
- platform: windows11-21h2_x64
- resource: win11-20240426-en
- resource tags: arch:x64, arch:x86, image:win11-20240426-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 03-06-2024 19:50
Behavioral tasks

- behavioral1: ShadowGen By ShadowOxygen/CefSharp.exe (resource win7-20240508-en)
- behavioral2: ShadowGen By ShadowOxygen/CefSharp.exe (resource win11-20240426-en)
- behavioral3: shadowgen.pyc (resource win10v2004-20240426-en)
- behavioral4: shadowgen.pyc (resource win11-20240508-en)
- behavioral5: ShadowGen By ShadowOxygen/Extreme.Net.dll (resource win10-20240404-en)
- behavioral6: ShadowGen By ShadowOxygen/Extreme.Net.dll (resource win11-20240508-en)
- behavioral7: ShadowGen By ShadowOxygen/ShadowGen By ShadowOxygen.exe (resource win10v2004-20240226-en)
- behavioral8: ShadowGen By ShadowOxygen/ShadowGen By ShadowOxygen.exe (resource win11-20240426-en)
- behavioral9: ShadowGen By ShadowOxygen/WebDriver.dll (resource win7-20240508-en)
- behavioral10: ShadowGen By ShadowOxygen/WebDriver.dll (resource win11-20240508-en)
- behavioral11: ShadowGen By ShadowOxygen/Xceed.Wpf.Toolkit.dll (resource win10-20240404-en)
- behavioral12: ShadowGen By ShadowOxygen/Xceed.Wpf.Toolkit.dll (resource win11-20240426-en)
- behavioral13: ShadowGen By ShadowOxygen/bin32.exe (resource win10-20240404-en)
- behavioral14: ShadowGen By ShadowOxygen/bin32.exe (resource win11-20240419-en)
- behavioral15: ShadowGen By ShadowOxygen/libcef.exe (resource win7-20240508-en)
- behavioral16: ShadowGen By ShadowOxygen/libcef.exe (resource win11-20240508-en)
- behavioral17: ShadowGen By ShadowOxygen/msacm32.dll (resource win10-20240404-en)
- behavioral18: ShadowGen By ShadowOxygen/msacm32.dll (resource win11-20240508-en)
- behavioral19: ShadowGen By ShadowOxygen/secproc.dll (resource win11-20240426-en)
- behavioral20: ShadowGen By ShadowOxygen/secproc.dll (resource win11-20240508-en)
General

- Target: ShadowGen By ShadowOxygen/CefSharp.exe
- Size: 5.1MB
- MD5: dc28a95657072fc5b40f011c8078bb80
- SHA1: 11e0fdd502cd881814885285c05ed5b61e164636
- SHA256: 24a95e0286a530b5962a48ccf0246b1f0bfb35b77a25d4792e16cfdf675c26d5
- SHA512: 80dcc85fefff319f508b1a90a9bc9beefe42003e7ab9092d4697b64c3fbddbbffb3fe2d07e295329df5a10fc7f527167d085c9c6d858f5d014c79ecc5b717446
- SSDEEP: 98304:9h55mrHQktlw2Kce26t+JhVWn2xxjsOIzsU8Ys04RRNNH:9h5u3tlKXqXWnA1IzXtXiNH
Malware Config
Signatures
- Loads dropped DLL (5 IoCs)
  Processes: CefSharp.exe (PID 1388), 5 entries
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes: chrome.exe
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
    Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
- Modifies data under HKEY_USERS (2 IoCs)
  Processes: chrome.exe
    Key created: \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry
    Set value (int): \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133619186081050694"
- Modifies registry class (1 IoC)
  Processes: MiniSearchHost.exe
    Key created: \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000_Classes\Local Settings\MuiCache
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: chrome.exe (PID 1220), 2 entries
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (6 IoCs)
  Processes: chrome.exe (PID 1220), 6 entries
- Suspicious use of AdjustPrivilegeToken (53 IoCs)
  Processes:
    CefSharp.exe (PID 1388): Token: 35
    chrome.exe (PID 1220): 52 entries alternating between Token: SeShutdownPrivilege and Token: SeCreatePagefilePrivilege
- Suspicious use of FindShellTrayWindow (27 IoCs)
  Processes: chrome.exe (PID 1220), 27 entries
- Suspicious use of SendNotifyMessage (12 IoCs)
  Processes: chrome.exe (PID 1220), 12 entries
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: MiniSearchHost.exe (PID 1316)
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (source PID wrote to target PID, process, procid_target):
CefSharp.exechrome.exedescription pid Process procid_target PID 448 wrote to memory of 1388 448 CefSharp.exe 78 PID 448 wrote to memory of 1388 448 CefSharp.exe 78 PID 1220 wrote to memory of 4304 1220 chrome.exe 82 PID 1220 wrote to memory of 4304 1220 chrome.exe 82 PID 1220 wrote to memory of 2608 1220 chrome.exe 83 PID 1220 wrote to memory of 2608 1220 chrome.exe 83 PID 1220 wrote to memory of 2608 1220 chrome.exe 83 PID 1220 wrote to memory of 2608 1220 chrome.exe 83 PID 1220 wrote to memory of 2608 1220 chrome.exe 83 PID 1220 wrote to memory of 2608 1220 chrome.exe 83 PID 1220 wrote to memory of 2608 1220 chrome.exe 83 PID 1220 wrote to memory of 2608 1220 chrome.exe 83 PID 1220 wrote to memory of 2608 1220 chrome.exe 83 PID 1220 wrote to memory of 2608 1220 chrome.exe 83 PID 1220 wrote to memory of 2608 1220 chrome.exe 83 PID 1220 wrote to memory of 2608 1220 chrome.exe 83 PID 1220 wrote to memory of 2608 1220 chrome.exe 83 PID 1220 wrote to memory of 2608 1220 chrome.exe 83 PID 1220 wrote to memory of 2608 1220 chrome.exe 83 PID 1220 wrote to memory of 2608 1220 chrome.exe 83 PID 1220 wrote to memory of 2608 1220 chrome.exe 83 PID 1220 wrote to memory of 2608 1220 chrome.exe 83 PID 1220 wrote to memory of 2608 1220 chrome.exe 83 PID 1220 wrote to memory of 2608 1220 chrome.exe 83 PID 1220 wrote to memory of 2608 1220 chrome.exe 83 PID 1220 wrote to memory of 2608 1220 chrome.exe 83 PID 1220 wrote to memory of 2608 1220 chrome.exe 83 PID 1220 wrote to memory of 2608 1220 chrome.exe 83 PID 1220 wrote to memory of 2608 1220 chrome.exe 83 PID 1220 wrote to memory of 2608 1220 chrome.exe 83 PID 1220 wrote to memory of 2608 1220 chrome.exe 83 PID 1220 wrote to memory of 2608 1220 chrome.exe 83 PID 1220 wrote to memory of 2608 1220 chrome.exe 83 PID 1220 wrote to memory of 2608 1220 chrome.exe 83 PID 1220 wrote to memory of 2608 1220 chrome.exe 83 PID 1220 wrote to memory of 1380 1220 chrome.exe 84 PID 1220 wrote to memory of 1380 1220 chrome.exe 84 PID 1220 wrote 
to memory of 1552 1220 chrome.exe 85 PID 1220 wrote to memory of 1552 1220 chrome.exe 85 PID 1220 wrote to memory of 1552 1220 chrome.exe 85 PID 1220 wrote to memory of 1552 1220 chrome.exe 85 PID 1220 wrote to memory of 1552 1220 chrome.exe 85 PID 1220 wrote to memory of 1552 1220 chrome.exe 85 PID 1220 wrote to memory of 1552 1220 chrome.exe 85 PID 1220 wrote to memory of 1552 1220 chrome.exe 85 PID 1220 wrote to memory of 1552 1220 chrome.exe 85 PID 1220 wrote to memory of 1552 1220 chrome.exe 85 PID 1220 wrote to memory of 1552 1220 chrome.exe 85 PID 1220 wrote to memory of 1552 1220 chrome.exe 85 PID 1220 wrote to memory of 1552 1220 chrome.exe 85 PID 1220 wrote to memory of 1552 1220 chrome.exe 85 PID 1220 wrote to memory of 1552 1220 chrome.exe 85 PID 1220 wrote to memory of 1552 1220 chrome.exe 85 PID 1220 wrote to memory of 1552 1220 chrome.exe 85 PID 1220 wrote to memory of 1552 1220 chrome.exe 85 PID 1220 wrote to memory of 1552 1220 chrome.exe 85 PID 1220 wrote to memory of 1552 1220 chrome.exe 85 PID 1220 wrote to memory of 1552 1220 chrome.exe 85 PID 1220 wrote to memory of 1552 1220 chrome.exe 85 PID 1220 wrote to memory of 1552 1220 chrome.exe 85 PID 1220 wrote to memory of 1552 1220 chrome.exe 85 PID 1220 wrote to memory of 1552 1220 chrome.exe 85 PID 1220 wrote to memory of 1552 1220 chrome.exe 85 PID 1220 wrote to memory of 1552 1220 chrome.exe 85
Processes

- C:\Users\Admin\AppData\Local\Temp\ShadowGen By ShadowOxygen\CefSharp.exe (PID 448)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ShadowGen By ShadowOxygen\CefSharp.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\ShadowGen By ShadowOxygen\CefSharp.exe (PID 1388)
    Command line: "C:\Users\Admin\AppData\Local\Temp\ShadowGen By ShadowOxygen\CefSharp.exe"
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
- C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1220)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe"
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4304)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff95a15ab58,0x7ff95a15ab68,0x7ff95a15ab78
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2608)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1584 --field-trial-handle=1744,i,11454777009450143805,12584487992944702060,131072 /prefetch:2
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1380)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2112 --field-trial-handle=1744,i,11454777009450143805,12584487992944702060,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1552)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2208 --field-trial-handle=1744,i,11454777009450143805,12584487992944702060,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4064)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3044 --field-trial-handle=1744,i,11454777009450143805,12584487992944702060,131072 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2196)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3184 --field-trial-handle=1744,i,11454777009450143805,12584487992944702060,131072 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 936)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4240 --field-trial-handle=1744,i,11454777009450143805,12584487992944702060,131072 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2204)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4388 --field-trial-handle=1744,i,11454777009450143805,12584487992944702060,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1524)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4532 --field-trial-handle=1744,i,11454777009450143805,12584487992944702060,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4368)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4448 --field-trial-handle=1744,i,11454777009450143805,12584487992944702060,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1684)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4492 --field-trial-handle=1744,i,11454777009450143805,12584487992944702060,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3168)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4908 --field-trial-handle=1744,i,11454777009450143805,12584487992944702060,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1412)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4912 --field-trial-handle=1744,i,11454777009450143805,12584487992944702060,131072 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 892)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3036 --field-trial-handle=1744,i,11454777009450143805,12584487992944702060,131072 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2460)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=4704 --field-trial-handle=1744,i,11454777009450143805,12584487992944702060,131072 /prefetch:1
- C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe (PID 5076)
  Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe (PID 1316)
  Command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads