hxxps://steamcommunity[.]com/app/2139460/discussions/0/4410795727365222831/

Analysis

max time kernel
1139s
max time network
1134s
platform
windows11-21h2_x64
resource
win11-20240709-en
resource tags

arch:x64arch:x86image:win11-20240709-enlocale:en-usos:windows11-21h2-x64system
submitted
11/07/2024, 20:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://steamcommunity.com/app/2139460/discussions/0/4410795727365222831/

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3766757357-1293853516-507035944-1000\{CF76C6B8-82AE-4EAB-B718-A8A7CF4F4003}	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2432	msedge.exe
2432	msedge.exe
5028	msedge.exe
5028	msedge.exe
768	identity_helper.exe
768	identity_helper.exe
1788	msedge.exe
1788	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
4048	msedge.exe
4048	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs

pid	Process
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5032	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5028 wrote to memory of 2412	5028	msedge.exe	81
PID 5028 wrote to memory of 2412	5028	msedge.exe	81
PID 5028 wrote to memory of 2328	5028	msedge.exe	82
PID 5028 wrote to memory of 2328	5028	msedge.exe	82
PID 5028 wrote to memory of 2328	5028	msedge.exe	82
PID 5028 wrote to memory of 2328	5028	msedge.exe	82
PID 5028 wrote to memory of 2328	5028	msedge.exe	82
PID 5028 wrote to memory of 2328	5028	msedge.exe	82
PID 5028 wrote to memory of 2328	5028	msedge.exe	82
PID 5028 wrote to memory of 2328	5028	msedge.exe	82
PID 5028 wrote to memory of 2328	5028	msedge.exe	82
PID 5028 wrote to memory of 2328	5028	msedge.exe	82
PID 5028 wrote to memory of 2328	5028	msedge.exe	82
PID 5028 wrote to memory of 2328	5028	msedge.exe	82
PID 5028 wrote to memory of 2328	5028	msedge.exe	82
PID 5028 wrote to memory of 2328	5028	msedge.exe	82
PID 5028 wrote to memory of 2328	5028	msedge.exe	82
PID 5028 wrote to memory of 2328	5028	msedge.exe	82
PID 5028 wrote to memory of 2328	5028	msedge.exe	82
PID 5028 wrote to memory of 2328	5028	msedge.exe	82
PID 5028 wrote to memory of 2328	5028	msedge.exe	82
PID 5028 wrote to memory of 2328	5028	msedge.exe	82
PID 5028 wrote to memory of 2328	5028	msedge.exe	82
PID 5028 wrote to memory of 2328	5028	msedge.exe	82
PID 5028 wrote to memory of 2328	5028	msedge.exe	82
PID 5028 wrote to memory of 2328	5028	msedge.exe	82
PID 5028 wrote to memory of 2328	5028	msedge.exe	82
PID 5028 wrote to memory of 2328	5028	msedge.exe	82
PID 5028 wrote to memory of 2328	5028	msedge.exe	82
PID 5028 wrote to memory of 2328	5028	msedge.exe	82
PID 5028 wrote to memory of 2328	5028	msedge.exe	82
PID 5028 wrote to memory of 2328	5028	msedge.exe	82
PID 5028 wrote to memory of 2328	5028	msedge.exe	82
PID 5028 wrote to memory of 2328	5028	msedge.exe	82
PID 5028 wrote to memory of 2328	5028	msedge.exe	82
PID 5028 wrote to memory of 2328	5028	msedge.exe	82
PID 5028 wrote to memory of 2328	5028	msedge.exe	82
PID 5028 wrote to memory of 2328	5028	msedge.exe	82
PID 5028 wrote to memory of 2328	5028	msedge.exe	82
PID 5028 wrote to memory of 2328	5028	msedge.exe	82
PID 5028 wrote to memory of 2328	5028	msedge.exe	82
PID 5028 wrote to memory of 2328	5028	msedge.exe	82
PID 5028 wrote to memory of 2432	5028	msedge.exe	83
PID 5028 wrote to memory of 2432	5028	msedge.exe	83
PID 5028 wrote to memory of 1204	5028	msedge.exe	84
PID 5028 wrote to memory of 1204	5028	msedge.exe	84
PID 5028 wrote to memory of 1204	5028	msedge.exe	84
PID 5028 wrote to memory of 1204	5028	msedge.exe	84
PID 5028 wrote to memory of 1204	5028	msedge.exe	84
PID 5028 wrote to memory of 1204	5028	msedge.exe	84
PID 5028 wrote to memory of 1204	5028	msedge.exe	84
PID 5028 wrote to memory of 1204	5028	msedge.exe	84
PID 5028 wrote to memory of 1204	5028	msedge.exe	84
PID 5028 wrote to memory of 1204	5028	msedge.exe	84
PID 5028 wrote to memory of 1204	5028	msedge.exe	84
PID 5028 wrote to memory of 1204	5028	msedge.exe	84
PID 5028 wrote to memory of 1204	5028	msedge.exe	84
PID 5028 wrote to memory of 1204	5028	msedge.exe	84
PID 5028 wrote to memory of 1204	5028	msedge.exe	84
PID 5028 wrote to memory of 1204	5028	msedge.exe	84
PID 5028 wrote to memory of 1204	5028	msedge.exe	84
PID 5028 wrote to memory of 1204	5028	msedge.exe	84
PID 5028 wrote to memory of 1204	5028	msedge.exe	84
PID 5028 wrote to memory of 1204	5028	msedge.exe	84

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://steamcommunity.com/app/2139460/discussions/0/4410795727365222831/
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc8abb3cb8,0x7ffc8abb3cc8,0x7ffc8abb3cd8
  2⤵
  PID:2412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1760,7240765375261086822,3157759667885774467,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1932 /prefetch:2
  2⤵
  PID:2328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1760,7240765375261086822,3157759667885774467,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1760,7240765375261086822,3157759667885774467,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2824 /prefetch:8
  2⤵
  PID:1204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1760,7240765375261086822,3157759667885774467,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:2056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1760,7240765375261086822,3157759667885774467,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:1900
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1760,7240765375261086822,3157759667885774467,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5388 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1760,7240765375261086822,3157759667885774467,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5048 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1760,7240765375261086822,3157759667885774467,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5108 /prefetch:1
  2⤵
  PID:572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1760,7240765375261086822,3157759667885774467,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4004 /prefetch:1
  2⤵
  PID:576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1760,7240765375261086822,3157759667885774467,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
  2⤵
  PID:1584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1760,7240765375261086822,3157759667885774467,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5780 /prefetch:1
  2⤵
  PID:832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1760,7240765375261086822,3157759667885774467,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4960 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1760,7240765375261086822,3157759667885774467,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4824 /prefetch:1
  2⤵
  PID:576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1760,7240765375261086822,3157759667885774467,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5032 /prefetch:1
  2⤵
  PID:4860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1760,7240765375261086822,3157759667885774467,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:1
  2⤵
  PID:1464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1760,7240765375261086822,3157759667885774467,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4980 /prefetch:8
  2⤵
  PID:4452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1760,7240765375261086822,3157759667885774467,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5068 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:4048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1760,7240765375261086822,3157759667885774467,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5420 /prefetch:1
  2⤵
  PID:4432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1760,7240765375261086822,3157759667885774467,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4836 /prefetch:1
  2⤵
  PID:4932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1760,7240765375261086822,3157759667885774467,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4960 /prefetch:1
  2⤵
  PID:2664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1760,7240765375261086822,3157759667885774467,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:1
  2⤵
  PID:5052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1760,7240765375261086822,3157759667885774467,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6248 /prefetch:1
  2⤵
  PID:1336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1760,7240765375261086822,3157759667885774467,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6228 /prefetch:1
  2⤵
  PID:4792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1760,7240765375261086822,3157759667885774467,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5648 /prefetch:1
  2⤵
  PID:1148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1760,7240765375261086822,3157759667885774467,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6680 /prefetch:1
  2⤵
  PID:2192

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2940

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2520

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f1d33f465a73554cd1c183cbcd0a28a2

SHA1
f5c16fc4edff600cb307f762d950500aa29a1e8b

SHA256
22d8c228cdcfd3e05431d7377748014035a3488ad3a0d4aecc334e724245a1f9

SHA512
7cc94f77f3943143ee86eabbfddcb110ce52c6ff0975842e3a3d06072f51f2c48914ee61f24484a539888ad19a7e6a1becfb029485cd5984bc736434a63cee95

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
575466f58c7d9d3224035d23f102d140

SHA1
2fce4082fa83534b3ddc91e42fb242baee4afa1c

SHA256
9da0e657652daa1ef86af7c3db62b0af9cce372a5f765c98c68479922ccf1923

SHA512
06503e718fe967076dd8a061b57debdc663b9616b005f8567099a84fc7184880633079335d622c243918efc3356b40e683708fb0583084abeed7db6168a212ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
36d8d7f11c950370153af565561347e4

SHA1
28004a22b0231fbdd232ebd3553eec54a277e11a

SHA256
719cda99e8628c040f1b4f097c04440d9a40ddce21a4ab9574983d04dfac750b

SHA512
30fa8ccb048ca3a369faa43c18db08bf6729ed68f7cca1bcb9ac783e3d947b1267ac21d45e7457d4e0990fdb1d0ce556df7e6545273b225b73680126e43d4592

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
86900e55e011d2b09af74485525faf1c

SHA1
83993bc50222fdd23392720f89fbee897d019d75

SHA256
1a84e6637084691e2fcd803cb6bb8cc6e60fbce0baa74bd9ccce7cdee402c41f

SHA512
5d81755ec75bb14de32fb346548d405603e406f6ba8a1371006222d464a72e78c0bb997a8e91839345b542533c665406491ae147ea1bfbdfefdd41c2eb1a89f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
ebadbadbabe8b690184d1ae118d2a1f0

SHA1
13461f0cb00271d2483536609a7049601138faee

SHA256
fe139120f2d15b2e6f4100b9895de455e394e442a68c9e93d890d1ca04228067

SHA512
74cc8915372da65ec767e65284efb0ba630aabb35b1311de664e59d4c8806e6f151af4131bf3d4a8d5705fca737953abe09759b4a3d0112404b5bb9e263343d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
55a4486d94093438e0b9d82a525323ab

SHA1
9febe2a63cbf5311b894c28aeba83dee247d7829

SHA256
c83345f9a7c90247b74ccf3c31e2ac0b7a18ec60914dd8af9806666d85500052

SHA512
7ec8c07cb3e3bed93168a6fb394eb92703b26514b1b4bfb934106682c5f084dc3dfcf87a0bc4fd9eb6f1cf7f67e7973a5cf80d3866f24a8b86ffd284a7683d7b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
3606406ef04d078e1f1869824502368d

SHA1
899dafe6a8bee0960a924c9cb4bba690d695202b

SHA256
06fd36c98952508fc9cef8ed2b9fd1e8a24fca550cd7c1dc10fcab5bace9fa9b

SHA512
94408ae51269cf2d6b75c33a5641ff3d99a7e08c861f8b7eede077128a04466b34c8d195784b7e154233ec748dd752c6cd3146502e3ed24af5e5b72301598df2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
278B

MD5
c4dababa0614b07d06091d8eda114131

SHA1
f23973fd7b0faf094e736dc76e6e871a10f18319

SHA256
7b3b54bf475b821fb51d7488cf34c1e4a84370b76c9b5d77b27dccbcc0770b28

SHA512
4fc08c2e89de423d2ea69830c0eedbc33238cfe88533d4a31be4530acbbd1cc91edaf56a122420f11b9ca83294fece2299df74bb801636b4070e382e7519d7e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
3db8550a4827697a8dc4764a0197201d

SHA1
ac54227b5d223c6ef48ec77271b1d8826d1dc3e7

SHA256
ef60ef23c6a0abf0a058fa96726dba926769868ca19778e0a826088687dc8950

SHA512
98b3c8fa54a8c5dddb7e85bc475d61d6f820cb4aa3ea6edfff1584b276e1b4b7319166841843ff69e723f50f6a5e67859c3489ed32d400a9609432ff4e26f493

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
365B

MD5
0c903fcd8251024edcbbf9b5d3a8abad

SHA1
fecf11554adad45c31923dd25afefe09d31c5bc8

SHA256
dfed1b60078992d1743c4472c197228f8ca2756873a1bceabea68ba657fac117

SHA512
a906469957ae60e58f32be33905bc288dbab893309f1aab4a09f1caed765cc098990e2abd312c0cd7b93961c974672e0b4d8ac518d59f90a2d04d43ec3be61bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
b13df7feee5d09fbf3fcc3dda9dc89e1

SHA1
20e9c6fc440ef3260822bc76e3d7f9239f489c7d

SHA256
19777e94564b7cfd4b156443610c432b00d62fe190d54a99ec5355198807b91b

SHA512
35b33fc90cc39bc9d62f912919daababed2b3b8855ca983da712766dd6ac0bed783fc01056ff3ef7de8a86f9151fd0ecdd2e1c68376bea5e9a8d3a04493334ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
4fa883159207897ca21b4f5d02d1300f

SHA1
bc3fa751570313b9fb5f49cff70703a7a6ec2dde

SHA256
d11d799097a515df045bdb208800ec0cb4676abfa06e2a1808eb4c83d98e4778

SHA512
241ee449d9cb9cf5ad737215fa45e93221695a8c0567994f69468bf1c53bca9d9a707f201edd84fb9fb1eb8bdbc6c05abdefa3698b7712b5849842a9bab92f23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
18f597abd2f7b1f3da4bc845befd20cd

SHA1
fd71917d27e1fd4b90cdae236d64a215a00c4c22

SHA256
a79cb64ac7ce8bcbadd1a01e89fb844196e5e06b5bd150367959c3e0ec9333a7

SHA512
2b0cbdcd98f2fcde2de111f662427a96aa151a29f4f34837f6286dd875f896a413718ccc74c9b12157d29d3ced072ecf6c6fdfd49c523006ff010f040f9b0892

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2388d68052f7a40f919c462b5cf6e3fb

SHA1
0942e110e66d91ea6450579b4dd9da1414bfd6a2

SHA256
758656eae56a5cce1d7dbf8a75291ecd886c79304aac09181a313c426a2381e9

SHA512
8482b03eabdd75e7356cf3fdcaed4d976e0a73d9502a40ef1552959178fbe98fd867b30ac59f67de78b4d2f3882920d0b5adbcba8e4ad9d2095c279062be4d65

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
21f097604451f5ba59afc314f0be9a0e

SHA1
39a91cd59e145abec69bb790746e5a429aad8b4b

SHA256
e3fd3335020d815a90a9cb7f21317f347216a67330e56f98581cf0dc6cc54c7d

SHA512
451bb8bc9f823971ef654764ce5cfdea37526adb9054b786407813ca8179c26a92adce0e417a50595e82c6b3bb2119240e85defaf0cb91e65c36d55b953e3b2e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
539B

MD5
078e2d7408d2b0ebfffedc7bd39c03d5

SHA1
f4abe2d5f61c2de398813041c565467072d4241e

SHA256
ce1bd5ff4201c7820f959f238da56b1b574cc422be9efc930073f4b1396b8e50

SHA512
02cdcaf61126a2dbf06bc1157d63f37e4bc5559e70e3867033fa96ccef944da4f06510f96ddce2a3233ebaefc918a74b1574bc24de942352fa725b6f399b3366

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
539B

MD5
bdd0c330021e8ff65a2a000137979e8c

SHA1
2856b31dff834dfeac3183d889b19a8ad1db907b

SHA256
6541dac8e4c2bfc8d4ce877f0e69731eca5f651a46f41efa25f65ae7cb153959

SHA512
e0222551f1a13dcbd506c4c507592d19d53e242386daece33b03a3a35b0b129198d6328af94d0e52e933d3e2cecf52d52701b45501fc9614b1ee7cbe5e72e486

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
0f32c8df30a6eb44b227c05825b7c756

SHA1
499897939546aa96983a4ab317f2b28bf5e70e54

SHA256
13b319a2b6fd7d2e6852756a43e4463ecbab817495662ad03073d7948f2f7e41

SHA512
16c9f6b850fdfd8b11ab5909f97785f6df6dad923cf55f55d48ca82b7aa5769c3dec41a9796f7b9757b9f73671739500aa77074abadb1e208a3094c66a9b623a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
123247d58979c2c23fa9aadf194fbf46

SHA1
c3b51d4a4b5eb43cf6b49802a356106e32f2b6d9

SHA256
1cd16534ab632d16d78ee8addb96bebb4e62fc015d2caae6762fbea6158b342d

SHA512
a525065b88f1dc31596b0ed82ce6e254194ae11dea9b73e3a03ac354e9bc7dfcb6b7896e4eeba9bb8defbd5007fa0c6aaa2ee5155a72b451498f2f8a6e003f16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
539B

MD5
df8d5d828dd0d84bd097883c8d73f0fa

SHA1
4843fb8ae90a07df8871496dd52eb24db4d3653c

SHA256
3ab432e642b269570784309e2b7b80e37f259bb225c2ba542bc2bf854bd5d054

SHA512
a695db314adfe23e914506e687df99567ec632a7a8028ee5e9c18ba79089caf88ffd020c04c08830924e19e8feb8e4d451951727d0b84f1c4d646e8ab19c96b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5881be.TMP

Filesize
204B

MD5
11d8fb5eb052906c0d98dec032fd2b41

SHA1
a8b5764fab337feb687fb40d181fc7a444ac013c

SHA256
e828895d1a1d1c72d339ee4368e0858363c6dad5de0ce887dc2288125690c70c

SHA512
e925f19257da8f9e20a448a90bcc872132ba60acc8bfbbbeeb02ae507936c444edc634f0e923d99cc8427f74597c4a3da8d4dc67f0ad79fd740ea1bc2bbff174

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
0813ef8516ab4f769d30ed6aa63127fe

SHA1
eae9145c13cebc9b58b2447d9c98934fbe8773f1

SHA256
676c90274d1e2e57ed6628ca4b9c3dcffcc215308d31aeca2e3ce0e98c242790

SHA512
a46d43d79009f0145a66db2bf6146e4503474187000acdd0b23ed41092ecffe8c0d6bfe09db19d98553c0f51735d5e6193759946c3b51b0e47121c2d9b98e134

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
11KB

MD5
f14d35e09a6dc5894408e3e4d2b71cdc

SHA1
df29ec121d401c6894fa1abd4ccc73b164b2beff

SHA256
8880a0b04af6e95fed9d68f98585fa976416a373ced4706c535bb37a8820d984

SHA512
e5ec58fc970dafb685f6990b213447e9fb4e40a14c25a79567f619d68be5b05061ef736110026d389c343573e30fe134d0de442b53593af54dd29b3c446d306c

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
11KB

MD5
41f62efff38a9b0557e99b64771c82f6

SHA1
6645c784761332151ecd67117935a06d54f7e202

SHA256
2caf7f293bf4c39090340fa5b10d3d68b55545fa9af6b2249f9a203b3af2a4c2

SHA512
e567b0aab4d6406d7d7211d82173b2243fb3c37f56a9efa912cf6b8b59e1dde5441ec9ed1a14334f055ed4649afe300ada2309c4d7188c26fb11f75b966ea61a

Download Submit