Analysis
max time kernel: 146s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-11-2024 22:24
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://www.paypal.com/signin/?returnUri=%2Fmyaccount%2Ftransfer%2FpayRequest%2FU-3UE08848LD4431933%2FU-0MS034988G838440A%3FclassicUrl%3D%2FUS%2Fcgi-bin%2F%3Fcmd%3D_prq&id=taLzfjr4YgYU-jC39Z5IexrcVx3uR8E9iE-XPw&expId=p2p&onboardData=%7B%22signUpRequest%22%3A%7B%22method%22%3A%22get%22%2C%22url%22%3A%22https%3A%2F%2Fwww.paypal.com%2Fmyaccount%2Ftransfer%2FguestLogin%2FpayRequest%2FU-3UE08848LD4431933%2FU-0MS034988G838440A%3FclassicUrl%3D%2FUS%2Fcgi-bin%2F%3Fcmd%3D_prq%26id%3DtaLzfjr4YgYU-jC39Z5IexrcVx3uR8E9iE-XPw%22%7D%7D&flowContextData=1rISB52CDeQpw-10RoR1U2Yf5JytQhNmxmV00n037FT31116cbQziyVRzG_K2JPLQTuj933Pu2LVyTGAyhOFKRna7TgSJ5BNEHtDGd9lVJbwRcnPG_TwQTI8Pv0a-n082liTIs9KYtavb26ub8E6vmypYCiom-BrihXvs75oS8UEZKK-THj1nGi0gDa5UagEQscwfooQqK5oDMP2RkwhJfg24sXPcphl0e0pQZ4ZVbjvMAeVLQaBba-eRk-6hgO6L29ZDas6vPoOj7aJG4bEP1_ENRzeAkJbHi-Itj3jg3Fjx8fH0pxmaFQDcY8phmJl9mF9TZYyFAvV2nGcNu9bN5VQcsBz-8yE8xa_RyRtvW-yl1ygY--jhG2SyUTN4zgEV7BOlf_XK-aEmDsJZ9AR6fNiQTJD3c8wHPjE6aIG4kFNQgz2GRgTcqqK19QGcK5bhX0wqHcQ-dk2HbR8ZfRT0Ku-b-7y0UMZj_ynBQzSAzfbWNxGYdlZmO5npFr-VqygfKJu4oGlkarJhqVhxvRxFwODpRTRzK1WzpWVcSdEVNmhnUq7OI2P7JIX6xq&v=1&utm_source=unp&utm_medium=email&utm_campaign=RT000186&utm_unptid=c351c7b3-a819-11ef-9358-e312637f7d78&ppid=RT000186&cnac=US&rsta=en_US%28en-US%29&unptid=c351c7b3-a819-11ef-9358-e312637f7d78&calc=f326424f366fb&unp_tpcid=requestmoney-notifications-requestee&page=main%3Aemail%3ART000186&pgrp=main%3Aemail&e=cl&mchn=em&s=ci&mail=sys&appVersion=1.294.0&tenant_name=&xt=145585%2C150948%2C104038&link_ref=www.paypal.com_signin
Resource: win10v2004-20241007-en

General
Target: https://www.paypal.com/signin/?returnUri=%2Fmyaccount%2Ftransfer%2FpayRequest%2FU-3UE08848LD4431933%2FU-0MS034988G838440A%3FclassicUrl%3D%2FUS%2Fcgi-bin%2F%3Fcmd%3D_prq&id=taLzfjr4YgYU-jC39Z5IexrcVx3uR8E9iE-XPw&expId=p2p&onboardData=%7B%22signUpRequest%22%3A%7B%22method%22%3A%22get%22%2C%22url%22%3A%22https%3A%2F%2Fwww.paypal.com%2Fmyaccount%2Ftransfer%2FguestLogin%2FpayRequest%2FU-3UE08848LD4431933%2FU-0MS034988G838440A%3FclassicUrl%3D%2FUS%2Fcgi-bin%2F%3Fcmd%3D_prq%26id%3DtaLzfjr4YgYU-jC39Z5IexrcVx3uR8E9iE-XPw%22%7D%7D&flowContextData=1rISB52CDeQpw-10RoR1U2Yf5JytQhNmxmV00n037FT31116cbQziyVRzG_K2JPLQTuj933Pu2LVyTGAyhOFKRna7TgSJ5BNEHtDGd9lVJbwRcnPG_TwQTI8Pv0a-n082liTIs9KYtavb26ub8E6vmypYCiom-BrihXvs75oS8UEZKK-THj1nGi0gDa5UagEQscwfooQqK5oDMP2RkwhJfg24sXPcphl0e0pQZ4ZVbjvMAeVLQaBba-eRk-6hgO6L29ZDas6vPoOj7aJG4bEP1_ENRzeAkJbHi-Itj3jg3Fjx8fH0pxmaFQDcY8phmJl9mF9TZYyFAvV2nGcNu9bN5VQcsBz-8yE8xa_RyRtvW-yl1ygY--jhG2SyUTN4zgEV7BOlf_XK-aEmDsJZ9AR6fNiQTJD3c8wHPjE6aIG4kFNQgz2GRgTcqqK19QGcK5bhX0wqHcQ-dk2HbR8ZfRT0Ku-b-7y0UMZj_ynBQzSAzfbWNxGYdlZmO5npFr-VqygfKJu4oGlkarJhqVhxvRxFwODpRTRzK1WzpWVcSdEVNmhnUq7OI2P7JIX6xq&v=1&utm_source=unp&utm_medium=email&utm_campaign=RT000186&utm_unptid=c351c7b3-a819-11ef-9358-e312637f7d78&ppid=RT000186&cnac=US&rsta=en_US%28en-US%29&unptid=c351c7b3-a819-11ef-9358-e312637f7d78&calc=f326424f366fb&unp_tpcid=requestmoney-notifications-requestee&page=main%3Aemail%3ART000186&pgrp=main%3Aemail&e=cl&mchn=em&s=ci&mail=sys&appVersion=1.294.0&tenant_name=&xt=145585%2C150948%2C104038&link_ref=www.paypal.com_signin
Malware Config
Signatures
- A potential corporate email address has been identified in the URL: [email protected]
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: msedge.exe
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Modifies registry class (8 IoCs)
Processes: msedge.exe, msedge.exe
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\Moniker = "cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe" | msedge.exe
Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\Children | msedge.exe
Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage | msedge.exe
Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe | msedge.exe
Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe\Children | msedge.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3227495264-2217614367-4027411560-1000\{EF426323-30F2-459F-9FFE-DAD47178F482} | msedge.exe
Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949 | msedge.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\DisplayName = "Chrome Sandbox" | msedge.exe
Suspicious behavior: EnumeratesProcesses (13 IoCs)
Processes: msedge.exe, identity_helper.exe
pid | Process
5096 | msedge.exe
5096 | msedge.exe
2736 | msedge.exe
2736 | msedge.exe
404 | msedge.exe
404 | msedge.exe
3744 | identity_helper.exe
3744 | identity_helper.exe
4056 | msedge.exe
2116 | msedge.exe
2116 | msedge.exe
2116 | msedge.exe
2116 | msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (12 IoCs)
Processes: msedge.exe
pid | Process
2736 | msedge.exe (the same entry in all 12 IoCs)
Suspicious use of FindShellTrayWindow (25 IoCs)
Processes: msedge.exe
pid | Process
2736 | msedge.exe (the same entry in all 25 IoCs)
Suspicious use of SendNotifyMessage (24 IoCs)
Processes: msedge.exe
pid | Process
2736 | msedge.exe (the same entry in all 24 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: msedge.exe
description | pid | Process | procid_target
PID 2736 wrote to memory of 1028 | 2736 | msedge.exe | 82
PID 2736 wrote to memory of 1484 | 2736 | msedge.exe | 83
PID 2736 wrote to memory of 5096 | 2736 | msedge.exe | 84
PID 2736 wrote to memory of 2780 | 2736 | msedge.exe | 85
(each of these four entries recurs in the report, 64 IoCs in total; targets 1028, 1484, 5096 and 2780 are the crashpad, GPU, network-service and storage-service children listed under Processes)
Processes

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://www.paypal.com/signin/?returnUri=%2Fmyaccount%2Ftransfer%2FpayRequest%2FU-3UE08848LD4431933%2FU-0MS034988G838440A%3FclassicUrl%3D%2FUS%2Fcgi-bin%2F%3Fcmd%3D_prq&id=taLzfjr4YgYU-jC39Z5IexrcVx3uR8E9iE-XPw&expId=p2p&onboardData=%7B%22signUpRequest%22%3A%7B%22method%22%3A%22get%22%2C%22url%22%3A%22https%3A%2F%2Fwww.paypal.com%2Fmyaccount%2Ftransfer%2FguestLogin%2FpayRequest%2FU-3UE08848LD4431933%2FU-0MS034988G838440A%3FclassicUrl%3D%2FUS%2Fcgi-bin%2F%3Fcmd%3D_prq%26id%3DtaLzfjr4YgYU-jC39Z5IexrcVx3uR8E9iE-XPw%22%7D%7D&flowContextData=1rISB52CDeQpw-10RoR1U2Yf5JytQhNmxmV00n037FT31116cbQziyVRzG_K2JPLQTuj933Pu2LVyTGAyhOFKRna7TgSJ5BNEHtDGd9lVJbwRcnPG_TwQTI8Pv0a-n082liTIs9KYtavb26ub8E6vmypYCiom-BrihXvs75oS8UEZKK-THj1nGi0gDa5UagEQscwfooQqK5oDMP2RkwhJfg24sXPcphl0e0pQZ4ZVbjvMAeVLQaBba-eRk-6hgO6L29ZDas6vPoOj7aJG4bEP1_ENRzeAkJbHi-Itj3jg3Fjx8fH0pxmaFQDcY8phmJl9mF9TZYyFAvV2nGcNu9bN5VQcsBz-8yE8xa_RyRtvW-yl1ygY--jhG2SyUTN4zgEV7BOlf_XK-aEmDsJZ9AR6fNiQTJD3c8wHPjE6aIG4kFNQgz2GRgTcqqK19QGcK5bhX0wqHcQ-dk2HbR8ZfRT0Ku-b-7y0UMZj_ynBQzSAzfbWNxGYdlZmO5npFr-VqygfKJu4oGlkarJhqVhxvRxFwODpRTRzK1WzpWVcSdEVNmhnUq7OI2P7JIX6xq&v=1&utm_source=unp&utm_medium=email&utm_campaign=RT000186&utm_unptid=c351c7b3-a819-11ef-9358-e312637f7d78&ppid=RT000186&cnac=US&rsta=en_US%28en-US%29&unptid=c351c7b3-a819-11ef-9358-e312637f7d78&calc=f326424f366fb&unp_tpcid=requestmoney-notifications-requestee&page=main%3Aemail%3ART000186&pgrp=main%3Aemail&e=cl&mchn=em&s=ci&mail=sys&appVersion=1.294.0&tenant_name=&xt=145585%2C150948%2C104038&link_ref=www.paypal.com_signin
PID: 2736
Signatures: Enumerates system info in registry; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffda8d446f8,0x7ffda8d44708,0x7ffda8d44718
    PID: 1028

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,1686404969337570344,14823045532531623335,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2084 /prefetch:2
    PID: 1484

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,1686404969337570344,14823045532531623335,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2440 /prefetch:3
    PID: 5096
    Signatures: Suspicious behavior: EnumeratesProcesses

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2060,1686404969337570344,14823045532531623335,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2752 /prefetch:8
    PID: 2780

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,1686404969337570344,14823045532531623335,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
    PID: 2184

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,1686404969337570344,14823045532531623335,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3464 /prefetch:1
    PID: 1220

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,1686404969337570344,14823045532531623335,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4992 /prefetch:1
    PID: 1304

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2060,1686404969337570344,14823045532531623335,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5164 /prefetch:8
    PID: 464

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2060,1686404969337570344,14823045532531623335,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5176 /prefetch:8
    PID: 404
    Signatures: Modifies registry class; Suspicious behavior: EnumeratesProcesses

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,1686404969337570344,14823045532531623335,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5392 /prefetch:1
    PID: 3720

    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,1686404969337570344,14823045532531623335,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4676 /prefetch:8
    PID: 2956

    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,1686404969337570344,14823045532531623335,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4676 /prefetch:8
    PID: 3744
    Signatures: Suspicious behavior: EnumeratesProcesses

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,1686404969337570344,14823045532531623335,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4688 /prefetch:1
    PID: 3288

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,1686404969337570344,14823045532531623335,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4656 /prefetch:1
    PID: 3616

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,1686404969337570344,14823045532531623335,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1
    PID: 2956

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,1686404969337570344,14823045532531623335,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5176 /prefetch:1
    PID: 3996

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=media.mojom.MediaFoundationService --field-trial-handle=2060,1686404969337570344,14823045532531623335,131072 --lang=en-US --service-sandbox-type=mf_cdm --mojo-platform-channel-handle=6904 /prefetch:8
    PID: 4056
    Signatures: Suspicious behavior: EnumeratesProcesses

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,1686404969337570344,14823045532531623335,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6980 /prefetch:1
    PID: 3292

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,1686404969337570344,14823045532531623335,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
    PID: 4052

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,1686404969337570344,14823045532531623335,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=7112 /prefetch:2
    PID: 2116
    Signatures: Suspicious behavior: EnumeratesProcesses

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,1686404969337570344,14823045532531623335,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1
    PID: 2468

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,1686404969337570344,14823045532531623335,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7080 /prefetch:1
    PID: 2496

C:\Windows\System32\CompPkgSrv.exe -Embedding
PID: 4432

C:\Windows\System32\CompPkgSrv.exe -Embedding
PID: 3200

C:\Windows\System32\CompPkgSrv.exe -Embedding
PID: 2028
Network
MITRE ATT&CK Enterprise v15
Downloads