Analysis
-
max time kernel
145s -
max time network
149s -
platform
windows11-21h2_x64 -
resource
win11-20241023-en -
resource tags
arch:x64arch:x86image:win11-20241023-enlocale:en-usos:windows11-21h2-x64system -
submitted
03-12-2024 17:36
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://www.paypal.com/signin/?returnUri=*2Fmyaccount*2Ftransfer*2FpayRequest*2FU-49N824651S491790U*2FU-4U978694X6449594V*3FclassicUrl*3D*2FUS*2Fcgi-bin*2F*3Fcmd*3D_prq&id=LkJAkV5ggkIrKoPazAK-wJr9yqAp7XurjjjDMQ&expId=p2p&onboardData=*7B*22signUpRequest*22*3A*7B*22method*22*3A*22get*22*2C*22url*22*3A*22https*3A*2F*2Fwww.paypal.com*2Fmyaccount*2Ftransfer*2FguestLogin*2FpayRequest*2FU-49N824651S491790U*2FU-4U978694X6449594V*3FclassicUrl*3D*2FUS*2Fcgi-bin*2F*3Fcmd*3D_prq*26id*3DLkJAkV5ggkIrKoPazAK-wJr9yqAp7XurjjjDMQ*22*7D*7D&flowContextData=R2EckoGqt3OYnvNtCQT5svw9S965kQC6bMtwfzo3BGja3xxPIMV0jHYrktoEvtvl2zxMzYw0KSbAqLubZxvYUwDWGsORuAlLpJG9DkIDivBfyRS-Ik5umFbGwwQzFO4w7iyUUQNVhP9OgvbXlBUJptbiC4GyX5wW1_guQg091IzSRGR1NjiI5aLCG035BaOCh98RwrXd-XyKciSASMiR--X5p29g7U08DxtsQmehKPuu-PybYepI5h6DOWnuSMAWJeoCPnaqHLZnuFHlh8taQj_xFVJZxQ_al8a2h6lv5Qs-Lqz2iZ-xVRzra2mTrLwRh7VfovNxI5na2e61PWzvyG3S0RXZbkeyRefE6tM9lY3VMal6naXd537Gb4n-fyC_AODmGbMpvxlLUe4VEJMO1whDLe1jv0sGnVi61BQ8RhPByI1O19J1FKvifC-ek2Mmg1dfIW&v=1&utm_source=unp&utm_medium=email&utm_campaign=RT000186&utm_unptid=bd8c31a6-b156-11ef-93ab-51747d0c16e7&ppid=RT000186&cnac=US&rsta=en_US*28en-US*29&unptid=bd8c31a6-b156-11ef-93ab-51747d0c16e7&calc=f607380584773&unp_tpcid=requestmoney-notifications-requestee&page=main*3Aemail*3ART000186&pgrp=main*3Aemail&e=cl&mchn=em&s=ci&mail=sys&appVersion=1.294.0&tenant_name=&xt=145585*2C150948*2C104038&link_ref=www.paypal.com_signin
Resource
win10v2004-20241007-en
Behavioral task
behavioral2
Sample
https://www.paypal.com/signin/?returnUri=*2Fmyaccount*2Ftransfer*2FpayRequest*2FU-49N824651S491790U*2FU-4U978694X6449594V*3FclassicUrl*3D*2FUS*2Fcgi-bin*2F*3Fcmd*3D_prq&id=LkJAkV5ggkIrKoPazAK-wJr9yqAp7XurjjjDMQ&expId=p2p&onboardData=*7B*22signUpRequest*22*3A*7B*22method*22*3A*22get*22*2C*22url*22*3A*22https*3A*2F*2Fwww.paypal.com*2Fmyaccount*2Ftransfer*2FguestLogin*2FpayRequest*2FU-49N824651S491790U*2FU-4U978694X6449594V*3FclassicUrl*3D*2FUS*2Fcgi-bin*2F*3Fcmd*3D_prq*26id*3DLkJAkV5ggkIrKoPazAK-wJr9yqAp7XurjjjDMQ*22*7D*7D&flowContextData=R2EckoGqt3OYnvNtCQT5svw9S965kQC6bMtwfzo3BGja3xxPIMV0jHYrktoEvtvl2zxMzYw0KSbAqLubZxvYUwDWGsORuAlLpJG9DkIDivBfyRS-Ik5umFbGwwQzFO4w7iyUUQNVhP9OgvbXlBUJptbiC4GyX5wW1_guQg091IzSRGR1NjiI5aLCG035BaOCh98RwrXd-XyKciSASMiR--X5p29g7U08DxtsQmehKPuu-PybYepI5h6DOWnuSMAWJeoCPnaqHLZnuFHlh8taQj_xFVJZxQ_al8a2h6lv5Qs-Lqz2iZ-xVRzra2mTrLwRh7VfovNxI5na2e61PWzvyG3S0RXZbkeyRefE6tM9lY3VMal6naXd537Gb4n-fyC_AODmGbMpvxlLUe4VEJMO1whDLe1jv0sGnVi61BQ8RhPByI1O19J1FKvifC-ek2Mmg1dfIW&v=1&utm_source=unp&utm_medium=email&utm_campaign=RT000186&utm_unptid=bd8c31a6-b156-11ef-93ab-51747d0c16e7&ppid=RT000186&cnac=US&rsta=en_US*28en-US*29&unptid=bd8c31a6-b156-11ef-93ab-51747d0c16e7&calc=f607380584773&unp_tpcid=requestmoney-notifications-requestee&page=main*3Aemail*3ART000186&pgrp=main*3Aemail&e=cl&mchn=em&s=ci&mail=sys&appVersion=1.294.0&tenant_name=&xt=145585*2C150948*2C104038&link_ref=www.paypal.com_signin
Resource
win11-20241023-en
General
-
Target
https://www.paypal.com/signin/?returnUri=*2Fmyaccount*2Ftransfer*2FpayRequest*2FU-49N824651S491790U*2FU-4U978694X6449594V*3FclassicUrl*3D*2FUS*2Fcgi-bin*2F*3Fcmd*3D_prq&id=LkJAkV5ggkIrKoPazAK-wJr9yqAp7XurjjjDMQ&expId=p2p&onboardData=*7B*22signUpRequest*22*3A*7B*22method*22*3A*22get*22*2C*22url*22*3A*22https*3A*2F*2Fwww.paypal.com*2Fmyaccount*2Ftransfer*2FguestLogin*2FpayRequest*2FU-49N824651S491790U*2FU-4U978694X6449594V*3FclassicUrl*3D*2FUS*2Fcgi-bin*2F*3Fcmd*3D_prq*26id*3DLkJAkV5ggkIrKoPazAK-wJr9yqAp7XurjjjDMQ*22*7D*7D&flowContextData=R2EckoGqt3OYnvNtCQT5svw9S965kQC6bMtwfzo3BGja3xxPIMV0jHYrktoEvtvl2zxMzYw0KSbAqLubZxvYUwDWGsORuAlLpJG9DkIDivBfyRS-Ik5umFbGwwQzFO4w7iyUUQNVhP9OgvbXlBUJptbiC4GyX5wW1_guQg091IzSRGR1NjiI5aLCG035BaOCh98RwrXd-XyKciSASMiR--X5p29g7U08DxtsQmehKPuu-PybYepI5h6DOWnuSMAWJeoCPnaqHLZnuFHlh8taQj_xFVJZxQ_al8a2h6lv5Qs-Lqz2iZ-xVRzra2mTrLwRh7VfovNxI5na2e61PWzvyG3S0RXZbkeyRefE6tM9lY3VMal6naXd537Gb4n-fyC_AODmGbMpvxlLUe4VEJMO1whDLe1jv0sGnVi61BQ8RhPByI1O19J1FKvifC-ek2Mmg1dfIW&v=1&utm_source=unp&utm_medium=email&utm_campaign=RT000186&utm_unptid=bd8c31a6-b156-11ef-93ab-51747d0c16e7&ppid=RT000186&cnac=US&rsta=en_US*28en-US*29&unptid=bd8c31a6-b156-11ef-93ab-51747d0c16e7&calc=f607380584773&unp_tpcid=requestmoney-notifications-requestee&page=main*3Aemail*3ART000186&pgrp=main*3Aemail&e=cl&mchn=em&s=ci&mail=sys&appVersion=1.294.0&tenant_name=&xt=145585*2C150948*2C104038&link_ref=www.paypal.com_signin
Malware Config
Signatures
-
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4248760313-3670024077-2384670640-1000\{849140B6-E272-4B08-836D-06AB11E39BDB} msedge.exe -
Suspicious behavior: EnumeratesProcesses 14 IoCs
pid Process 5056 msedge.exe 5056 msedge.exe 2916 msedge.exe 2916 msedge.exe 880 msedge.exe 880 msedge.exe 1100 identity_helper.exe 1100 identity_helper.exe 4108 msedge.exe 4108 msedge.exe 1740 msedge.exe 1740 msedge.exe 1740 msedge.exe 1740 msedge.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
pid Process 2916 msedge.exe 2916 msedge.exe 2916 msedge.exe 2916 msedge.exe 2916 msedge.exe 2916 msedge.exe 2916 msedge.exe 2916 msedge.exe -
Suspicious use of FindShellTrayWindow 25 IoCs
pid Process 2916 msedge.exe 2916 msedge.exe 2916 msedge.exe 2916 msedge.exe 2916 msedge.exe 2916 msedge.exe 2916 msedge.exe 2916 msedge.exe 2916 msedge.exe 2916 msedge.exe 2916 msedge.exe 2916 msedge.exe 2916 msedge.exe 2916 msedge.exe 2916 msedge.exe 2916 msedge.exe 2916 msedge.exe 2916 msedge.exe 2916 msedge.exe 2916 msedge.exe 2916 msedge.exe 2916 msedge.exe 2916 msedge.exe 2916 msedge.exe 2916 msedge.exe -
Suspicious use of SendNotifyMessage 12 IoCs
pid Process 2916 msedge.exe 2916 msedge.exe 2916 msedge.exe 2916 msedge.exe 2916 msedge.exe 2916 msedge.exe 2916 msedge.exe 2916 msedge.exe 2916 msedge.exe 2916 msedge.exe 2916 msedge.exe 2916 msedge.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2916 wrote to memory of 1904 2916 msedge.exe 79 PID 2916 wrote to memory of 1904 2916 msedge.exe 79 PID 2916 wrote to memory of 2904 2916 msedge.exe 81 PID 2916 wrote to memory of 2904 2916 msedge.exe 81 PID 2916 wrote to memory of 2904 2916 msedge.exe 81 PID 2916 wrote to memory of 2904 2916 msedge.exe 81 PID 2916 wrote to memory of 2904 2916 msedge.exe 81 PID 2916 wrote to memory of 2904 2916 msedge.exe 81 PID 2916 wrote to memory of 2904 2916 msedge.exe 81 PID 2916 wrote to memory of 2904 2916 msedge.exe 81 PID 2916 wrote to memory of 2904 2916 msedge.exe 81 PID 2916 wrote to memory of 2904 2916 msedge.exe 81 PID 2916 wrote to memory of 2904 2916 msedge.exe 81 PID 2916 wrote to memory of 2904 2916 msedge.exe 81 PID 2916 wrote to memory of 2904 2916 msedge.exe 81 PID 2916 wrote to memory of 2904 2916 msedge.exe 81 PID 2916 wrote to memory of 2904 2916 msedge.exe 81 PID 2916 wrote to memory of 2904 2916 msedge.exe 81 PID 2916 wrote to memory of 2904 2916 msedge.exe 81 PID 2916 wrote to memory of 2904 2916 msedge.exe 81 PID 2916 wrote to memory of 2904 2916 msedge.exe 81 PID 2916 wrote to memory of 2904 2916 msedge.exe 81 PID 2916 wrote to memory of 2904 2916 msedge.exe 81 PID 2916 wrote to memory of 2904 2916 msedge.exe 81 PID 2916 wrote to memory of 2904 2916 msedge.exe 81 PID 2916 wrote to memory of 2904 2916 msedge.exe 81 PID 2916 wrote to memory of 2904 2916 msedge.exe 81 PID 2916 wrote to memory of 2904 2916 msedge.exe 81 PID 2916 wrote to memory of 2904 2916 msedge.exe 81 PID 2916 wrote to memory of 2904 2916 msedge.exe 81 PID 2916 wrote to memory of 2904 2916 msedge.exe 81 PID 2916 wrote to memory of 2904 2916 msedge.exe 81 PID 2916 wrote to memory of 2904 2916 msedge.exe 81 PID 2916 wrote to memory of 2904 2916 msedge.exe 81 PID 2916 wrote to memory of 2904 2916 msedge.exe 81 PID 2916 wrote to memory of 2904 2916 msedge.exe 81 PID 2916 wrote to memory of 2904 2916 msedge.exe 81 PID 2916 wrote to memory of 2904 2916 msedge.exe 81 PID 2916 wrote to memory of 2904 2916 msedge.exe 81 PID 2916 wrote to memory of 2904 2916 msedge.exe 81 PID 2916 wrote to memory of 2904 2916 msedge.exe 81 PID 2916 wrote to memory of 2904 2916 msedge.exe 81 PID 2916 wrote to memory of 5056 2916 msedge.exe 82 PID 2916 wrote to memory of 5056 2916 msedge.exe 82 PID 2916 wrote to memory of 2940 2916 msedge.exe 83 PID 2916 wrote to memory of 2940 2916 msedge.exe 83 PID 2916 wrote to memory of 2940 2916 msedge.exe 83 PID 2916 wrote to memory of 2940 2916 msedge.exe 83 PID 2916 wrote to memory of 2940 2916 msedge.exe 83 PID 2916 wrote to memory of 2940 2916 msedge.exe 83 PID 2916 wrote to memory of 2940 2916 msedge.exe 83 PID 2916 wrote to memory of 2940 2916 msedge.exe 83 PID 2916 wrote to memory of 2940 2916 msedge.exe 83 PID 2916 wrote to memory of 2940 2916 msedge.exe 83 PID 2916 wrote to memory of 2940 2916 msedge.exe 83 PID 2916 wrote to memory of 2940 2916 msedge.exe 83 PID 2916 wrote to memory of 2940 2916 msedge.exe 83 PID 2916 wrote to memory of 2940 2916 msedge.exe 83 PID 2916 wrote to memory of 2940 2916 msedge.exe 83 PID 2916 wrote to memory of 2940 2916 msedge.exe 83 PID 2916 wrote to memory of 2940 2916 msedge.exe 83 PID 2916 wrote to memory of 2940 2916 msedge.exe 83 PID 2916 wrote to memory of 2940 2916 msedge.exe 83 PID 2916 wrote to memory of 2940 2916 msedge.exe 83
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://www.paypal.com/signin/?returnUri=*2Fmyaccount*2Ftransfer*2FpayRequest*2FU-49N824651S491790U*2FU-4U978694X6449594V*3FclassicUrl*3D*2FUS*2Fcgi-bin*2F*3Fcmd*3D_prq&id=LkJAkV5ggkIrKoPazAK-wJr9yqAp7XurjjjDMQ&expId=p2p&onboardData=*7B*22signUpRequest*22*3A*7B*22method*22*3A*22get*22*2C*22url*22*3A*22https*3A*2F*2Fwww.paypal.com*2Fmyaccount*2Ftransfer*2FguestLogin*2FpayRequest*2FU-49N824651S491790U*2FU-4U978694X6449594V*3FclassicUrl*3D*2FUS*2Fcgi-bin*2F*3Fcmd*3D_prq*26id*3DLkJAkV5ggkIrKoPazAK-wJr9yqAp7XurjjjDMQ*22*7D*7D&flowContextData=R2EckoGqt3OYnvNtCQT5svw9S965kQC6bMtwfzo3BGja3xxPIMV0jHYrktoEvtvl2zxMzYw0KSbAqLubZxvYUwDWGsORuAlLpJG9DkIDivBfyRS-Ik5umFbGwwQzFO4w7iyUUQNVhP9OgvbXlBUJptbiC4GyX5wW1_guQg091IzSRGR1NjiI5aLCG035BaOCh98RwrXd-XyKciSASMiR--X5p29g7U08DxtsQmehKPuu-PybYepI5h6DOWnuSMAWJeoCPnaqHLZnuFHlh8taQj_xFVJZxQ_al8a2h6lv5Qs-Lqz2iZ-xVRzra2mTrLwRh7VfovNxI5na2e61PWzvyG3S0RXZbkeyRefE6tM9lY3VMal6naXd537Gb4n-fyC_AODmGbMpvxlLUe4VEJMO1whDLe1jv0sGnVi61BQ8RhPByI1O19J1FKvifC-ek2Mmg1dfIW&v=1&utm_source=unp&utm_medium=email&utm_campaign=RT000186&utm_unptid=bd8c31a6-b156-11ef-93ab-51747d0c16e7&ppid=RT000186&cnac=US&rsta=en_US*28en-US*29&unptid=bd8c31a6-b156-11ef-93ab-51747d0c16e7&calc=f607380584773&unp_tpcid=requestmoney-notifications-requestee&page=main*3Aemail*3ART000186&pgrp=main*3Aemail&e=cl&mchn=em&s=ci&mail=sys&appVersion=1.294.0&tenant_name=&xt=145585*2C150948*2C104038&link_ref=www.paypal.com_signin1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2916 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fffd2af3cb8,0x7fffd2af3cc8,0x7fffd2af3cd82⤵PID:1904
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1876,8248414987681525501,12745276776502138692,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1900 /prefetch:22⤵PID:2904
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1876,8248414987681525501,12745276776502138692,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2068 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:5056
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1876,8248414987681525501,12745276776502138692,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2584 /prefetch:82⤵PID:2940
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,8248414987681525501,12745276776502138692,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3204 /prefetch:12⤵PID:4644
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,8248414987681525501,12745276776502138692,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:12⤵PID:2588
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1876,8248414987681525501,12745276776502138692,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4476 /prefetch:82⤵PID:4804
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1876,8248414987681525501,12745276776502138692,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4592 /prefetch:82⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:880
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,8248414987681525501,12745276776502138692,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:12⤵PID:4780
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,8248414987681525501,12745276776502138692,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:12⤵PID:3432
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1876,8248414987681525501,12745276776502138692,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6248 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:1100
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1876,8248414987681525501,12745276776502138692,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5728 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4108
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,8248414987681525501,12745276776502138692,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5800 /prefetch:12⤵PID:4516
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,8248414987681525501,12745276776502138692,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4592 /prefetch:12⤵PID:4356
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,8248414987681525501,12745276776502138692,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4952 /prefetch:12⤵PID:3544
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,8248414987681525501,12745276776502138692,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6316 /prefetch:12⤵PID:3316
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1876,8248414987681525501,12745276776502138692,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=3692 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:1740
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3724
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1960
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1072
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD55431d6602455a6db6e087223dd47f600
SHA127255756dfecd4e0afe4f1185e7708a3d07dea6e
SHA2567502d9453168c86631fb40ec90567bf80404615d387afc7ec2beb7a075bcc763
SHA512868f6dcf32ef80459f3ea122b0d2c79191193b5885c86934a97bfec7e64250e10c23e4d00f34c6c2387a04a15f3f266af96e571bbe37077fb374d6d30f35b829
-
Filesize
152B
MD57bed1eca5620a49f52232fd55246d09a
SHA1e429d9d401099a1917a6fb31ab2cf65fcee22030
SHA25649c484f08c5e22ee6bec6d23681b26b0426ee37b54020f823a2908ab7d0d805e
SHA512afc8f0b5b95d593f863ad32186d1af4ca333710bcfba86416800e79528616e7b15f8813a20c2cfa9d13688c151bf8c85db454a9eb5c956d6e49db84b4b222ee8
-
Filesize
215KB
MD52be38925751dc3580e84c3af3a87f98d
SHA18a390d24e6588bef5da1d3db713784c11ca58921
SHA2561412046f2516b688d644ff26b6c7ef2275b6c8f132eb809bd32e118208a4ec1b
SHA5121341ffc84f16c1247eb0e9baacd26a70c6b9ee904bc2861e55b092263613c0f09072efd174b3e649a347ef3192ae92d7807cc4f5782f8fd07389703d75c4c4e2
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize936B
MD579ece883e204ed4a64338ac76b202f1c
SHA1d964ca2f15a61c6f8712cb8e8ee70d8dd0f65318
SHA256d29f164e82ff45b6ad2bb82e04600827f3d718cf25e1f333b9f68c9223657e58
SHA512d792b6f822d0b4999c1c9492be77b53af07ae46a565e5e0007e77bcc7e8743956f33947dda82b20fd057688d41dc7e54ce2f6c5e3c2e512307d19ee17e387177
-
Filesize
1KB
MD58a232bc0caf4da032d781c045bfb9ed6
SHA1f5b7efc20bf8e0b7b08edf6eaa3062ba02e8be5b
SHA256f1a2ddba3f0600da56f51711b8769d7462d25ab845a1d775577e23380d5d6b16
SHA51241d08173834020505c07376f7ec8b956e0f1e6b2767be49f40c49b3bef97e70d4eeb6928f4a1ab0aa6ac96353652b2010078427dada3d5ac04bede483c3ff20c
-
Filesize
6KB
MD5c9064a78ea9e5e456a40c9135f858934
SHA16af280e6d3de2d605a2fc350af4c3f88b4751e27
SHA256e6bb7132ad84fdda1a917e30a2cd7f68b4c78f547fdc9b7d70132dae6f99c780
SHA512babe5831c31d87a6bb6703009edbec7826e312d94c411707f964679b09a8a4e01ed04114b8d3e855f7af9cb33abb7d7bc6f9708dfcdf6ebd71f9edd01845a119
-
Filesize
5KB
MD5410e352f96d685a7ead93ee2f4e07e29
SHA16d6bd56952a12822ab104a74694d0ace409d94c5
SHA256aba0ccf6d4a3749ce3549a2c9a313bffde53d2478b2fb74bc705a97a88fa80b4
SHA512a2db01a98c3e9f831a670dd2465fa1e3e004c9d6f5d03e07607ba314cedeb2988fc98eab7c0de84aaa8e7ae58fb621de22f163d63badf3d012e4e3d815de74f1
-
Filesize
1KB
MD57c17842bb9cc668a14e93f7e34afd77d
SHA1a9adc98ee38911795b82135e7b1f540ed48e8f09
SHA256fd802b8af3ad4851d3e9c4e88b49a195d53e694291eb967f11efd7f15af42ad6
SHA5124f626e5fdb7048158879eaaa6d33052b8a1f3a3285ad44ef9c6c7a219aaadd083bce37a1f75650903c0b85112a12a555af2e7b9bd8cfa904e084422ced440de2
-
Filesize
1KB
MD586231f20e7af17eef0031b3579d63072
SHA10b574aa1497a743797590112bf5db6003322da04
SHA256c6fefee42a3b207b3fe2a71950fab1106d94a0f036357d2933dad6b0297634ee
SHA512e4120243c0c70661fa018e51e1b430f5b7ce6d480f83a25374c246a6d6aa4f78fd15be9a029e1b35a2b9cd26f70f3560e3812d3323e58458492311ab0729036e
-
Filesize
1KB
MD56e9968fdb0bcb10fb713152672076bcc
SHA16d6b4484e898260b0c25c6065409d27e8d986750
SHA2560f9f7df606e4c12fbd06a3a4519bc9eae0ce01345fad59180c6afbbb0841618f
SHA5121cd53b96d91d864508ef23ea6c864454959250ad4232848b60dcb07163919c9f3afee3092ed9e31e30802d0821edc88b48fefc2ccd5a8ec9a30e49fd0964d508
-
Filesize
1KB
MD5a4c7ac2608525ff741c5fa38af21cfaf
SHA10ee769ae638b12ed91f8bd0aac02972482e42452
SHA25695bf4a37813e1f00f6bb435285ecd91da9ba3e4916584ce4896d522ff0a72cc7
SHA5121b10a09d1bc3fcc9a9a0c9f37a8fde1b965489727d17a30e7930dca6e36ec62919c475ba36a9354fdbd50a8c119cbc1841c6a80fc933030b0a7761af898d648b
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
10KB
MD5ee8e54556286df2747a9d7c177b6dbb1
SHA1981bd28f7697c6c42e3d959c15bf3b952c653e8e
SHA256607f58f4bbe07104cd791a46aa0f3078c27728013b72d8ab73523561147a0054
SHA5126ff7783aef2b91151c70157df8e987b3abbba4656588eb1ba949bc5648c7194e5001c31a5993028d92a2be9da9de2401e8826767ba1b5f3e0d310d7e609c0c40