hxxps://www[.]paypal[.]com/myaccount/transaction/details/2JP26695R4894282S?v=1&utm_source=unp&utm_medium=email&utm_campaign=RT000298&utm_unptid=a74012d5-b0c3-11ef-84c6-7ff9b516007d&ppid=RT000298&cnac=US&rsta=en_US%28en-US%29&unptid=a74012d5-b0c3-11ef-84c6-7ff9b516007d&calc=f953038129690&unp_tpcid=email-standard-transaction-unilateral&page=main%3Aemail%3ART000298&pgrp=main%3Aemail&e=cl&mchn=em&s=ci&mail=sys&appVersion=1[.]294[.]0&xt=145585%2C150948%2C104038

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
02-12-2024 16:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.paypal.com/myaccount/transaction/details/2JP26695R4894282S?v=1&utm_source=unp&utm_medium=email&utm_campaign=RT000298&utm_unptid=a74012d5-b0c3-11ef-84c6-7ff9b516007d&ppid=RT000298&cnac=US&rsta=en_US%28en-US%29&unptid=a74012d5-b0c3-11ef-84c6-7ff9b516007d&calc=f953038129690&unp_tpcid=email-standard-transaction-unilateral&page=main%3Aemail%3ART000298&pgrp=main%3Aemail&e=cl&mchn=em&s=ci&mail=sys&appVersion=1.294.0&xt=145585%2C150948%2C104038

Score

7^/10

paypal discovery phishing

Malware Config

Signatures

A potential corporate email address has been identified in the URL: [email protected]
phishing
Detected potential entity reuse from brand PAYPAL.
phishing paypal
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3442511616-637977696-3186306149-1000\{702CCA43-5249-473B-9483-89896EAE0602}	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3212	msedge.exe
3212	msedge.exe
3152	msedge.exe
3152	msedge.exe
4012	msedge.exe
4012	msedge.exe
4260	identity_helper.exe
4260	identity_helper.exe
1836	msedge.exe
1836	msedge.exe
1836	msedge.exe
1836	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

pid	Process
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3152 wrote to memory of 3048	3152	msedge.exe	82
PID 3152 wrote to memory of 3048	3152	msedge.exe	82
PID 3152 wrote to memory of 3412	3152	msedge.exe	83
PID 3152 wrote to memory of 3412	3152	msedge.exe	83
PID 3152 wrote to memory of 3412	3152	msedge.exe	83
PID 3152 wrote to memory of 3412	3152	msedge.exe	83
PID 3152 wrote to memory of 3412	3152	msedge.exe	83
PID 3152 wrote to memory of 3412	3152	msedge.exe	83
PID 3152 wrote to memory of 3412	3152	msedge.exe	83
PID 3152 wrote to memory of 3412	3152	msedge.exe	83
PID 3152 wrote to memory of 3412	3152	msedge.exe	83
PID 3152 wrote to memory of 3412	3152	msedge.exe	83
PID 3152 wrote to memory of 3412	3152	msedge.exe	83
PID 3152 wrote to memory of 3412	3152	msedge.exe	83
PID 3152 wrote to memory of 3412	3152	msedge.exe	83
PID 3152 wrote to memory of 3412	3152	msedge.exe	83
PID 3152 wrote to memory of 3412	3152	msedge.exe	83
PID 3152 wrote to memory of 3412	3152	msedge.exe	83
PID 3152 wrote to memory of 3412	3152	msedge.exe	83
PID 3152 wrote to memory of 3412	3152	msedge.exe	83
PID 3152 wrote to memory of 3412	3152	msedge.exe	83
PID 3152 wrote to memory of 3412	3152	msedge.exe	83
PID 3152 wrote to memory of 3412	3152	msedge.exe	83
PID 3152 wrote to memory of 3412	3152	msedge.exe	83
PID 3152 wrote to memory of 3412	3152	msedge.exe	83
PID 3152 wrote to memory of 3412	3152	msedge.exe	83
PID 3152 wrote to memory of 3412	3152	msedge.exe	83
PID 3152 wrote to memory of 3412	3152	msedge.exe	83
PID 3152 wrote to memory of 3412	3152	msedge.exe	83
PID 3152 wrote to memory of 3412	3152	msedge.exe	83
PID 3152 wrote to memory of 3412	3152	msedge.exe	83
PID 3152 wrote to memory of 3412	3152	msedge.exe	83
PID 3152 wrote to memory of 3412	3152	msedge.exe	83
PID 3152 wrote to memory of 3412	3152	msedge.exe	83
PID 3152 wrote to memory of 3412	3152	msedge.exe	83
PID 3152 wrote to memory of 3412	3152	msedge.exe	83
PID 3152 wrote to memory of 3412	3152	msedge.exe	83
PID 3152 wrote to memory of 3412	3152	msedge.exe	83
PID 3152 wrote to memory of 3412	3152	msedge.exe	83
PID 3152 wrote to memory of 3412	3152	msedge.exe	83
PID 3152 wrote to memory of 3412	3152	msedge.exe	83
PID 3152 wrote to memory of 3412	3152	msedge.exe	83
PID 3152 wrote to memory of 3212	3152	msedge.exe	84
PID 3152 wrote to memory of 3212	3152	msedge.exe	84
PID 3152 wrote to memory of 4348	3152	msedge.exe	85
PID 3152 wrote to memory of 4348	3152	msedge.exe	85
PID 3152 wrote to memory of 4348	3152	msedge.exe	85
PID 3152 wrote to memory of 4348	3152	msedge.exe	85
PID 3152 wrote to memory of 4348	3152	msedge.exe	85
PID 3152 wrote to memory of 4348	3152	msedge.exe	85
PID 3152 wrote to memory of 4348	3152	msedge.exe	85
PID 3152 wrote to memory of 4348	3152	msedge.exe	85
PID 3152 wrote to memory of 4348	3152	msedge.exe	85
PID 3152 wrote to memory of 4348	3152	msedge.exe	85
PID 3152 wrote to memory of 4348	3152	msedge.exe	85
PID 3152 wrote to memory of 4348	3152	msedge.exe	85
PID 3152 wrote to memory of 4348	3152	msedge.exe	85
PID 3152 wrote to memory of 4348	3152	msedge.exe	85
PID 3152 wrote to memory of 4348	3152	msedge.exe	85
PID 3152 wrote to memory of 4348	3152	msedge.exe	85
PID 3152 wrote to memory of 4348	3152	msedge.exe	85
PID 3152 wrote to memory of 4348	3152	msedge.exe	85
PID 3152 wrote to memory of 4348	3152	msedge.exe	85
PID 3152 wrote to memory of 4348	3152	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://www.paypal.com/myaccount/transaction/details/2JP26695R4894282S?v=1&utm_source=unp&utm_medium=email&utm_campaign=RT000298&utm_unptid=a74012d5-b0c3-11ef-84c6-7ff9b516007d&ppid=RT000298&cnac=US&rsta=en_US%28en-US%29&unptid=a74012d5-b0c3-11ef-84c6-7ff9b516007d&calc=f953038129690&unp_tpcid=email-standard-transaction-unilateral&page=main%3Aemail%3ART000298&pgrp=main%3Aemail&e=cl&mchn=em&s=ci&mail=sys&appVersion=1.294.0&xt=145585%2C150948%2C104038
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe0a3c46f8,0x7ffe0a3c4708,0x7ffe0a3c4718
  2⤵
  PID:3048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,856753993103348410,13315071028717260730,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
  2⤵
  PID:3412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,856753993103348410,13315071028717260730,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,856753993103348410,13315071028717260730,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2804 /prefetch:8
  2⤵
  PID:4348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,856753993103348410,13315071028717260730,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
  2⤵
  PID:1248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,856753993103348410,13315071028717260730,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
  2⤵
  PID:540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2092,856753993103348410,13315071028717260730,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4892 /prefetch:8
  2⤵
  PID:3892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2092,856753993103348410,13315071028717260730,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4660 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:4012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,856753993103348410,13315071028717260730,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4996 /prefetch:1
  2⤵
  PID:3372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,856753993103348410,13315071028717260730,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:1
  2⤵
  PID:4228
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,856753993103348410,13315071028717260730,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5864 /prefetch:8
  2⤵
  PID:2700
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,856753993103348410,13315071028717260730,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5864 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,856753993103348410,13315071028717260730,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6112 /prefetch:1
  2⤵
  PID:4184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,856753993103348410,13315071028717260730,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6072 /prefetch:1
  2⤵
  PID:3920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,856753993103348410,13315071028717260730,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5012 /prefetch:1
  2⤵
  PID:3228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,856753993103348410,13315071028717260730,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5380 /prefetch:1
  2⤵
  PID:1340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,856753993103348410,13315071028717260730,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:1072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,856753993103348410,13315071028717260730,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6260 /prefetch:1
  2⤵
  PID:544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,856753993103348410,13315071028717260730,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6172 /prefetch:1
  2⤵
  PID:2784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2092,856753993103348410,13315071028717260730,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6428 /prefetch:8
  2⤵
  PID:2432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,856753993103348410,13315071028717260730,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6764 /prefetch:1
  2⤵
  PID:3324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,856753993103348410,13315071028717260730,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6672 /prefetch:1
  2⤵
  PID:4600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,856753993103348410,13315071028717260730,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1732 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1836

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2784

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:880

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b8880802fc2bb880a7a869faa01315b0

SHA1
51d1a3fa2c272f094515675d82150bfce08ee8d3

SHA256
467b8cd4aacac66557712f9843023dcedefcc26efc746f3e44157bc8dac73812

SHA512
e1c6dba2579357ba70de58968b167d2c529534d24bff70568144270c48ac18a48ee2af2d58d78ae741e5a36958fa78a57955bd2456f1df00b781fc1002e123d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ba6ef346187b40694d493da98d5da979

SHA1
643c15bec043f8673943885199bb06cd1652ee37

SHA256
d86eec91f295dfda8ed1c5fa99de426f2fe359282c7ebf67e3a40be739475d73

SHA512
2e6cc97330be8868d4b9c53be7e12c558f6eb1ac2c4080a611ba6c43561d0c5bb4791b8a11a8c2371599f0ba73ed1d9a7a2ea6dee2ae6a080f1912e0cb1f656c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
24KB

MD5
b37a53936d7389f2a2e055ede0c3e5b2

SHA1
2afe81360be9872da3f6144927f4fab2141d9070

SHA256
eb4e27f9ccb1d9ced22f07b30aaaae2cf7c4f3f6968f9d2be4d75ae9ace68a34

SHA512
aff3a3d1096c5bda3ffdf6b7b64b9c65085c8866d5898f3af943a0a6237499a700800f122b867817ce9db637cd345a2cad66b97f4caacbbe93203dfd95c1679d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
31KB

MD5
4209a6187bc58debe1c391bacb754c18

SHA1
58953c4296930f1239e951a3dd5d32c1d2e28a8a

SHA256
836dfea35428547d9a521c25236f3ed853650ccf483e2932960da000e5287ef6

SHA512
4826d76a95df92b26c348e9efb4b3bc070c91c5c70db598b9a50168dbcc6a429dfd273d5a41338571de18ffacc54346913ae659279dce4b5a5909c4c4d79b05b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

Filesize
47KB

MD5
71a948874fb937a672574a29ef18ee90

SHA1
adfad9db35d9707917286b38086a97f538f6bd76

SHA256
b50de42a5947b63f7bb048adcbc894d50928bedc7072bb6e35d9e41d22f5032c

SHA512
fee0165035dbeb56367a2f6dc0c1850879206f48ac3fd86038da73c87ebd3b0140f0f281bdb5b6ec55bae7de8162ca8e27a367fe47512fc85a5242d2f53fea66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000d

Filesize
41KB

MD5
e319c7af7370ac080fbc66374603ed3a

SHA1
4f0cd3c48c2e82a167384d967c210bdacc6904f9

SHA256
5ad4c276af3ac5349ee9280f8a8144a30d33217542e065864c8b424a08365132

SHA512
4681a68a428e15d09010e2b2edba61e22808da1b77856f3ff842ebd022a1b801dfbb7cbb2eb8c1b6c39ae397d20892a3b7af054650f2899d0d16fc12d3d1a011

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000e

Filesize
215KB

MD5
2be38925751dc3580e84c3af3a87f98d

SHA1
8a390d24e6588bef5da1d3db713784c11ca58921

SHA256
1412046f2516b688d644ff26b6c7ef2275b6c8f132eb809bd32e118208a4ec1b

SHA512
1341ffc84f16c1247eb0e9baacd26a70c6b9ee904bc2861e55b092263613c0f09072efd174b3e649a347ef3192ae92d7807cc4f5782f8fd07389703d75c4c4e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000024

Filesize
215KB

MD5
505e09c540405320839973335aaad8d3

SHA1
561984af748d012a17097f0217aed1cce9df9b5d

SHA256
73725bbd9a7e1963f9661d2ea919fde145bff986774535d28ba06b0265c6e5f8

SHA512
aaaead5b0d3a76d51618bfac3d9675fe9d70be5f9ab1c5a1945335712ec7dfdf6801674c4d8ebc88d8c5866d766d4ed9e7cecab5cfc7d7da07563a33fac7ad96

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\9a08c38acc8e011e_0

Filesize
14KB

MD5
fd58597507a340439b7a658aa5399d67

SHA1
fca0633fdb65fa5ced2461b6c66bb3b502dc02e0

SHA256
ee636258448e3c1d3a6524a42517646afb2b9650f231e3165ec7011ab460bd81

SHA512
e2f2ffcfc5f24179f930ee09c66a1d74cffd0be45b4534014017cbb4056786b86db424b1713ef886d6469b56e99dd4a803e9e367cc8f1a9c5bbda477b193c2d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
a3fccd7598f80c87444999e6340cca85

SHA1
d1fefd642293f44fe544086a53507a209f0df74e

SHA256
1a8d3e879cbf8960c9c1bebd382c61b2478c8ddc50863a6d62d077cd0c95d759

SHA512
f4d1d6febd797806e4f5d805cce4ac2a78f9828c3de90df60ac6d93dcb30e71e81d0387a8ef58fcf8cf17c1ab95935242a3c70bda3cb9069db362e09569d2bbd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
552B

MD5
269a3fe32f325afcc4e00aa67e8d03ad

SHA1
4c343dd90717088e6b3600394388dd5cd9d2bfb0

SHA256
24c83036a685ccc911df536bb47fe7d76e12dc99d62752a3ca5dfe86499ad642

SHA512
c380378041131d03af4cd19261494900231da896d8d5816a3d79e901c6dbe53fb4e9e6b71c88acb7347810a388bb1b25aa4367203a3850f7c108476a9e0dcd00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
3aacc01794478c03bc7a0811e4ede634

SHA1
56988bc810cf0aeac33cb6dd42f2ccef5ec03a0a

SHA256
5c1e02ef5689803c6a7048812acf9c2e0f9a7f01e48635733409464578258c34

SHA512
1706dbc2ba426065d349aa24f31f22bbc198427b6630fac453cbcd3cd1b7ee695f9623495f15c6971fc2f793e7a231dc9510dd71a5076806ae9e8cab03ff445d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
1bb91259d987d32860fa9d33019daae5

SHA1
90be927ea497bd98f5550c34b3880a56dd1a79e8

SHA256
f34ccb08057a48f74f98f9e07a382a9b70a3959d452d6bf6b882ff6f2b5694ea

SHA512
527c225f987a168913b6fd79acbe74e0abc2ca3c1ad49df17095f75695397abb5c43bd3b837c2f5967e458cf39d542bc2ce8e09b5ca4e94d330a41385031997b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
e2c36e1eab71473267ce18afbce233e5

SHA1
d3c2852eb77bb51d6449a4fa9c0d950928758eb0

SHA256
8cd34acacd4e52dc55df95a9a0fc76229405ee12c0eb2c71480fe8d32cd0c825

SHA512
184390e033cf7417e8a6ba068f94dc143acbbaa506e598d63ba5d0ba749adb5d5e15fb75700cc31d6d3580a1a8a31497f46ca546bbadd11588715c9d7cb13984

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
a069240800a0a6172b08223c734b636f

SHA1
69f8f0f57b922d5e63f59e4d50197754b653e46a

SHA256
4f6fcf2495c8ef4a76eca0de106895fc730cc8d0252000912cabe7c1d331fd90

SHA512
879bfeb60d3b4a12daa4e80427edd8e03067986d453ee4a28a54d18573be280e081e14ed1eeb65535817dca73b92c09b6b4b3093356ef565b33930061d14e08b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
147036a5033c54a616655e9c47504c2c

SHA1
1600d041e8a7fc6e12c93adec3106edbafce8e0f

SHA256
f0522b4118c886e096c86113a09abffdb3cff7df5ecb5b3ff46e3f43ff0c1182

SHA512
f393841db8187cd111b2e973a237aef344788731e2a061380a04e37dbe241bfabf7d46d4ad0799f9de99f124b604910114ee484796d9b69e76313a011bf6ad40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
6145165c311e48e29e1baeb0ac137a70

SHA1
7ae8c28df5bb15dc23cce81afaa97d21da9c776c

SHA256
b6381d7239f449519cf0abadf69819133cfcbb777a87a03df7530b8d64a7b379

SHA512
5c19b886b600e6c914b28e5bc761c1cf1bdeff5f1910fb2dc39975eb5acc79a9213c26a089fa95ee689aabb908c692972bdfc07cedd04f0539e20c28b7a6b0d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
f7fd684af6a252b741975adb1c806bda

SHA1
5326d8930dddc3897582769c1b5a1727c98383d6

SHA256
b0b6fd472ecaeb47a62d1410e667522accfbdfc1df67c898b3ac2911c7493e25

SHA512
5e5c823903168fe80bf217b89cf9d5c57b30eb78e77f316e64119dbae04fb9c404211e8e99f45971968f093137ebf5a5c62af94a40b5d4271ea5770ce5933939

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
3034aaa05e4323dfe6346abb24dd32a1

SHA1
a55e24775220448e6349f53e957e4a4bcf34ce4c

SHA256
9129355b9f6be45be48b2c0d8e599bcc67ae0668e8be20a2290e013f946cf548

SHA512
94b0b497bf513d4ef925f9a283a20252f3d360842d23dc75c6e935ecf517e43f74b3bc2e065da14b3d6c9f3a755fe683af972c8960d70ab7b9b496fb97a9f097

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5455db6977e285e8e754c13baa37eccc

SHA1
79438395a10e3607c08a925364494c249d27ce6c

SHA256
3b4bf99a3578262367db55a5c17a5fe6ab2ef841b214c9a2ad4a4955f37c53df

SHA512
2e999cad95f135b8dec07c6bdb9d8f29549fff6498a80f9691e90a603b8cac3b953642fe4d4da286e050e3e37692361fb9e8eda0c2abcead104d99cef19ee08f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
709d926c07adddfb335b21136a81e0fe

SHA1
6822189fdb21e409a1237eb9eef8dd27a3761f57

SHA256
c1d13a535e538e4c260c961d548a5a1bcb259bc7d527b064ea451ccbe2a39545

SHA512
e99871c47ac824dc619b78b2674cd0d1df0983526dcf9c8f05b98bc16761e3cf73675f36a0b883bf0b24767e0ae55578d55afca754ae6f9605809ed2ca9652ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
01d4d178a669365d08fa690ddf573f04

SHA1
a993205124fcbc1877a0b8774c2e4193a1614168

SHA256
d5e2392d0a9ee292af69233dec4809f7a735a9b28bbe8850ff1f01613b95daf3

SHA512
80103b0153f3722728d04a384f129f2213e6acc2560165d599c94ac30baaec41feba3db7457bb1bfd49f5700c3e8eebdce402038c45089120b22423c3b0e90dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
8747e418dca9ca92daf4b8ba3690a693

SHA1
09bd3cd7682234853581a64ae52287b23961bd80

SHA256
fb35f5e2d6d42377cf206a62f02dccac07e00595760b8a80b03c2c495c345754

SHA512
e4d64ba8bdc5b64c4a5a7c7ef6c0c48ef9c775836d48c95f4de93b9c9234fb78fca3bcc151995c735b8a8eb8f162c3e6b01eb268189b64edb99bebb1d99d5727

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
113fcd3107643d2619cbc51abd303828

SHA1
3dddee47a9cb1117d82975db0c57451b5e3479b6

SHA256
81930a52d4f952422aaab0502fd0fbd4723a261cf2845f884dad50cb20fce2b1

SHA512
137067fb11a0fc8d91008b7170846000707a7d14f094b27e8038b8f8e6cc07c73f0d7bc356f03098d6359ff5b32ef1ad15ff69e0af7cd0f33ac683a1517bbf6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
1bac0363cd320bbce6c70b14f8211c24

SHA1
446aa5a5e1b349e0e74016a0197c65d8ff0b44cd

SHA256
8dbe347153acb6b4f4057d423018c48dae8682cfd2aba19e75c12c1dae343854

SHA512
fa40190320eddc6dc60b7e1b7d82cac912e84bec85102da9615308d0bc3c6f203dda6ff8284d4f8e58f5190e3056ee5dbc144e7ac39a96df7c712b9bd231d559

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
85862bd7a2ca40467b9dd0f4259b7377

SHA1
6a85c9f6ba67ff5e7906baab11692fbab628ba12

SHA256
92e1134f8c25f0467b63a0d71480a6b33f5feb1f1664d37d70add57aad08e08a

SHA512
f31c89f112376d9063053229a475156368edcef00a602f9e69459c6a4949f866f69a31b84143561b1439ea75210ef0d319d1b214584706d6e24221ea8f25ec82

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57e03e.TMP

Filesize
1KB

MD5
d7ebf370547697671413ec86b918000e

SHA1
ee679ba10fc48244a034766122da13d07b020b31

SHA256
eb1ca5bba7f2b6e6fd17af6315e1673b951f376780a58e1a4a2734c3392bb6ba

SHA512
f84974157b788992bc250b84e8046543d8c0b635c8dd245b6c03a8d8ab88282f2da0fea9c0e60d5074637dabdabe1b36f7b9fc4742c44110d75bfc8dbdd06a4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
a75492981e2bc952d2521a2f95604fae

SHA1
a6196986945ffedf96a32f3883a11e2b4a0970b0

SHA256
d8499ef163f126a117e6a3a25863dd11bb787f093d6fe9f1d5cab00b10ecef08

SHA512
eec32662cd9b97703e9c51916d98af82c5f7da1ec1b3f8caaf2a6235afdd9dc31242e1cb4c4914f98d7f1d2b3c6b36e2e4373ee961d66547443c8e574b1a26d4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit