Malware Analysis Report

2025-01-02 03:47

Sample ID 231213-3rtdpsbff2
Target https://www.paypal.com/invoice/payerView/details/INV2-B5RL-XDLZ-CT2V-YXTC?locale.x=en_US&v=1&utm_source=unp&utm_medium=email&utm_campaign=RT000274&utm_unptid=4316900c-9886-11ee-8176-3cecef47c1f3&ppid=RT000274&cnac=NZ&rsta=en_US%28en-NZ%29&cust=&unptid=4316900c-9886-11ee-8176-3cecef47c1f3&calc=e1949c5806cbb&unp_tpcid=invoice-buyer-reminder&page=main%3Aemail%3ART000274&pgrp=main%3Aemail&e=cl&mchn=em&s=ci&mail=sys&appVersion=1.218.0&xt=104038%2C127632
Tags
paypal phishing
score
5/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
5/10

Threat Level: Likely benign

The file https://www.paypal.com/invoice/payerView/details/INV2-B5RL-XDLZ-CT2V-YXTC?locale.x=en_US&v=1&utm_source=unp&utm_medium=email&utm_campaign=RT000274&utm_unptid=4316900c-9886-11ee-8176-3cecef47c1f3&ppid=RT000274&cnac=NZ&rsta=en_US%28en-NZ%29&cust=&unptid=4316900c-9886-11ee-8176-3cecef47c1f3&calc=e1949c5806cbb&unp_tpcid=invoice-buyer-reminder&page=main%3Aemail%3ART000274&pgrp=main%3Aemail&e=cl&mchn=em&s=ci&mail=sys&appVersion=1.218.0&xt=104038%2C127632 was found to be: Likely benign.

Malicious Activity Summary

paypal phishing

Detected potential entity reuse from brand paypal.

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Enumerates system info in registry

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-13 23:45

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-13 23:45

Reported

2023-12-13 23:47

Platform

win10v2004-20231127-en

Max time kernel

147s

Max time network

154s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/invoice/payerView/details/INV2-B5RL-XDLZ-CT2V-YXTC?locale.x=en_US&v=1&utm_source=unp&utm_medium=email&utm_campaign=RT000274&utm_unptid=4316900c-9886-11ee-8176-3cecef47c1f3&ppid=RT000274&cnac=NZ&rsta=en_US%28en-NZ%29&cust=&unptid=4316900c-9886-11ee-8176-3cecef47c1f3&calc=e1949c5806cbb&unp_tpcid=invoice-buyer-reminder&page=main%3Aemail%3ART000274&pgrp=main%3Aemail&e=cl&mchn=em&s=ci&mail=sys&appVersion=1.218.0&xt=104038%2C127632

Signatures

Detected potential entity reuse from brand paypal.

phishing paypal

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3644 wrote to memory of 2236 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 2236 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 628 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 628 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 628 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 628 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 628 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 628 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 628 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 628 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 628 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 628 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 628 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 628 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 628 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 628 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 628 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 628 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 628 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 628 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 628 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 628 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 628 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 628 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 628 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 628 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 628 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 628 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 628 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 628 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 628 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 628 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 628 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 628 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 628 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 628 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 628 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 628 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 628 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 628 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 628 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 628 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 4524 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 4524 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 1688 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 1688 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 1688 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 1688 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 1688 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 1688 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 1688 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 1688 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 1688 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 1688 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 1688 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 1688 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 1688 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 1688 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 1688 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 1688 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 1688 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 1688 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 1688 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 1688 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/invoice/payerView/details/INV2-B5RL-XDLZ-CT2V-YXTC?locale.x=en_US&v=1&utm_source=unp&utm_medium=email&utm_campaign=RT000274&utm_unptid=4316900c-9886-11ee-8176-3cecef47c1f3&ppid=RT000274&cnac=NZ&rsta=en_US%28en-NZ%29&cust=&unptid=4316900c-9886-11ee-8176-3cecef47c1f3&calc=e1949c5806cbb&unp_tpcid=invoice-buyer-reminder&page=main%3Aemail%3ART000274&pgrp=main%3Aemail&e=cl&mchn=em&s=ci&mail=sys&appVersion=1.218.0&xt=104038%2C127632

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff82da846f8,0x7ff82da84708,0x7ff82da84718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,2404711417721813350,17503788047673717353,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,2404711417721813350,17503788047673717353,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,2404711417721813350,17503788047673717353,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2796 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,2404711417721813350,17503788047673717353,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,2404711417721813350,17503788047673717353,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,2404711417721813350,17503788047673717353,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,2404711417721813350,17503788047673717353,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5204 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,2404711417721813350,17503788047673717353,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5204 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,2404711417721813350,17503788047673717353,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,2404711417721813350,17503788047673717353,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5028 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,2404711417721813350,17503788047673717353,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,2404711417721813350,17503788047673717353,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5884 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,2404711417721813350,17503788047673717353,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4976 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=ppapi --field-trial-handle=2148,2404711417721813350,17503788047673717353,131072 --lang=en-US --device-scale-factor=1 --ppapi-antialiased-text-enabled=1 --ppapi-subpixel-rendering-setting=1 --mojo-platform-channel-handle=4916 /prefetch:6

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,2404711417721813350,17503788047673717353,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2792 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2148,2404711417721813350,17503788047673717353,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6168 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2148,2404711417721813350,17503788047673717353,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6464 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,2404711417721813350,17503788047673717353,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2036 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=ppapi --field-trial-handle=2148,2404711417721813350,17503788047673717353,131072 --lang=en-US --device-scale-factor=1 --ppapi-antialiased-text-enabled=1 --ppapi-subpixel-rendering-setting=1 --mojo-platform-channel-handle=6312 /prefetch:6

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,2404711417721813350,17503788047673717353,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3916 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 19.53.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 www.paypal.com udp
US 151.101.1.21:443 www.paypal.com tcp
US 151.101.1.21:443 www.paypal.com tcp
US 8.8.8.8:53 209.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 21.1.101.151.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 c.paypal.com udp
US 8.8.8.8:53 www.paypalobjects.com udp
US 192.229.221.25:443 www.paypalobjects.com tcp
US 192.229.221.25:443 www.paypalobjects.com tcp
US 192.229.221.25:443 www.paypalobjects.com tcp
US 192.229.221.25:443 www.paypalobjects.com tcp
US 192.229.221.25:443 www.paypalobjects.com tcp
US 192.229.221.25:443 www.paypalobjects.com tcp
US 192.229.221.25:443 www.paypalobjects.com tcp
US 8.8.8.8:53 25.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 b.stats.paypal.com udp
US 64.4.245.84:443 b.stats.paypal.com tcp
US 8.8.8.8:53 t.paypal.com udp
US 151.101.1.35:443 t.paypal.com tcp
US 8.8.8.8:53 dub.stats.paypal.com udp
US 64.4.245.84:443 dub.stats.paypal.com tcp
US 8.8.8.8:53 www.recaptcha.net udp
GB 142.250.200.3:443 www.recaptcha.net tcp
US 8.8.8.8:53 84.245.4.64.in-addr.arpa udp
US 8.8.8.8:53 35.1.101.151.in-addr.arpa udp
US 8.8.8.8:53 3.200.250.142.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 c6.paypal.com udp
US 151.101.1.35:443 c6.paypal.com tcp
US 8.8.8.8:53 zn1ynnliufrct75cb-paypalxm.siteintercept.qualtrics.com udp
US 104.17.209.240:443 zn1ynnliufrct75cb-paypalxm.siteintercept.qualtrics.com tcp
US 8.8.8.8:53 240.209.17.104.in-addr.arpa udp
US 8.8.8.8:53 227.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 api.sprig.com udp
US 3.228.185.195:443 api.sprig.com tcp
GB 142.250.200.3:443 www.recaptcha.net udp
US 8.8.8.8:53 195.185.228.3.in-addr.arpa udp
US 8.8.8.8:53 62.22.156.108.in-addr.arpa udp
US 3.228.185.195:443 api.sprig.com tcp
US 3.228.185.195:443 api.sprig.com tcp
US 8.8.8.8:53 www.google.com udp
FR 216.58.204.68:443 www.google.com tcp
US 8.8.8.8:53 68.204.58.216.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 27.73.42.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 208a234643c411e1b919e904ee20115e
SHA1 400b6e6860953f981bfe4716c345b797ed5b2b5b
SHA256 af80020ae43388bbd3db31c75aade369d489a30a933574dea19163e094d5f458
SHA512 2779b96325234c836cbb91820ee332ed56c15b534ec0c7770b322a5c03849ec3ee67b0ec7978e1fab563eeed1cea96f5155d7b942702555d9352ff6711a548d2

\??\pipe\LOCAL\crashpad_3644_TSBXWAWJIMBDGBBN

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 919b77e9ddb89dbc0dfdc2052f5ddcef
SHA1 6e44b6d6926389177c57d664ae59474b027582b7
SHA256 49f9648fd2d5822f8532706c69238aabda0663a9545320030cefa561872d057e
SHA512 a81e59838cb584a3f915a2261a2aa9f11f6b964d76e7b6f48cb053b469f3f3feaab20dc852b96831eb820ebb579656ffb1ddde03af77d3ca0ae38981c1862e4f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 6665ec7354a10ee0521ff2fd1caf7aed
SHA1 84593147a8657cbe79b1ba7729b3180937140870
SHA256 4d33ae0ae2fc780c216bc3acb9c18dbce441b40d9050b512fb177c4902082a91
SHA512 86591e47f6d3ae1c9873b8aa288a6e6a85fa12e03b1bb155b572f8236c24441a39bafefe4b11a3219e37743df07710bc5396b4e30c27b142ef4062338c2019e7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 97d2d27916c75873cc4212a985d04357
SHA1 db30867130a8ccb1f422239effc1447f442078c1
SHA256 0e8488e41ca6fea844cfd453af9b88debc759fd99f8b743aae2f43905670a70c
SHA512 7d2f9c902f5a889ebaf2d6bf4c3015f34e00cd7242e26eb74fdd115fe1be13f2f61f6354236932ed56ed47154315c14423ab4ee384917e3071a2e13bfcb8e646

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 5a6206a3489650bf4a9c3ce44a428126
SHA1 3137a909ef8b098687ec536c57caa1bacc77224b
SHA256 0a9e623c6df237c02a585539bffb8249de48949c6d074fe0aaf43063731a3e28
SHA512 980da83c3142bf08433ec1770a2ec5f5560daf3ee680466f89beae8290e921c0db677489daad055fbc1f196388f8bc4f60e050600381f860b06d330062440a78

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000f

MD5 b3ba9decc3bb52ed5cca8158e05928a9
SHA1 19d045a3fbccbf788a29a4dba443d9ccf5a12fb0
SHA256 8bd1b2afcbe2fa046b0937197f1b2f393ef821ff89331f99754b9006f0114df4
SHA512 86a86d370e96fa29c0c1d12991c2287936b400830869ff7b5abe4de6f32db2df782b626d724496cd6de27f8cbd32101ba34cbcd4c650ef11afa26bc048d68529

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 a64f04f2b95b616d6e9899b2d29487bd
SHA1 7cbacd58bbd1c27cc1eae29acdd122ef66a8735e
SHA256 f7d4ea6abe659cd01b941f7ecf391ffdff98296a50c06bb39093d52dc97692c2
SHA512 460cfdb492e12306677ff988b2facc8549aeb9a3f9797d786030f6f108f32b013a0ae98676d7f1c14df40f661032d9ffb0734f5be80204a37e44cdbf7719763b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 037d4910ab7f2a7dd9b3f339c029efd3
SHA1 5da5cd5c6a915b97ee014e1a03af0c90feb908fe
SHA256 bab8ace2eb8af83571dd67d806ce09b8e3b7fa52ed858ce08461fdbe8bce3316
SHA512 282708a5284a6bc7845f0f0516164096247f0239e3df527262fc1dfe022dd91dab54e08c0155e443525283013adacb37f2317b1beb5dde8dddfb6653d6d83121

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58ad42.TMP

MD5 7b7abe31a9504da2d8984b9593c100c3
SHA1 b549d424dfb4013fa092e95e595b3f3288ca6c6d
SHA256 55db425758b6d92891ccd5ca5b07fdfe71a3e73fec179e12ce1269dbcfc1e33a
SHA512 b4df3a836151582b2b0be68f070e1494d366fa0f5b72bf5f3a938905640aa5230cdccf697e2de4edd63125ae5c16fef8df6686eed9bb3a7d897b37a76c1c4540

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 bfd2e6b444ae058612653d1dcc662522
SHA1 2334014c8cb23338feb2f34d39610077ed62165c
SHA256 c53c7dbaf675a7ca5d94d1176d55afd5cc8cc37dfd298d7f6d6f394ca7044a50
SHA512 b085271db67ee8de1b65bf34ca78e9f7b7d0114bb782f24da3d29954539c84d388f731baca86bbd6e6cefa61f57a2897eae41e23cd22f4f8611ad702514a2bf3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 4d9f0a27f9981af17bf0c97ca9f7b28c
SHA1 de8e73fde6774661e8da2a9375d7a70c2e638c64
SHA256 8e6dbd99bff3f0c7a31a4ef67833df15a4d0ac717e587cb2dbed42813a329d09
SHA512 a66a368493ce164a4f9ad500896c49af6994460229557ab2fdb917a3d23a762bce46658894ab553ae67fa474529cd08df588b7a83c918b8c5c0acad0e8ff501d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 3a7c791442b94af5f471e220ecef36f6
SHA1 b371ed5ea3b2c400dfe2345212cc24655ec9de59
SHA256 056e2028ed4af50b341b3639cebbec76d04de3b0a7f8f26c51a09211563e76a1
SHA512 4d2390b879b506290ae65c928d2fc16f61df3d290becc5f2079f5824798a03b8431fbccbc93a64e6d193874d374897f2ea84cb8ed90627ec1d272a4d84235f6a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 b2168b16e2ce95d2c87d7029bf9af93c
SHA1 8ee7cc12ca3e8e93e7afd6be901ae48829ab85db
SHA256 d1f2abef10729ccc1c5c160e461b66bcca550e8b574104309f175714a4ce6c8d
SHA512 7431ff8dacce6e3847b163ddecd1ff1e99f08a0dfc96e2d00c4a2adffa5bdb0e3df24f65aad0d8f2f17e6d946d4ae224701a020108a8c6f945f973ba02ab91f6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 1d18e2d3c3073831da86d92b6029c21d
SHA1 7cf0eff96a1f772bf356242ac27f13d24afaa1df
SHA256 4c46341ee38114fea5ea5d438363509714f3fc00178277bb478e28724b228d16
SHA512 c7b64f529ea65e337d7c65fef0b41232da2aed4e5d9d16d7b564f6a8a6165d18ff93c8424aa72eb40be4d1e30b2179d61c2a1c219bec23859d4749e6fe201f39

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 afe344040f79a79622993837b57a2d82
SHA1 e8c0dcc49e10c62e5473126dff00bcffe17c3767
SHA256 9cb93a9258d106dc5a6b234b9cafdafa4189a61af8b5078f2b627c936bef29f6
SHA512 e8abab723982c8b595fef030fdf3b2d94335cca0c602d8e23b0052bfe19e79102e7aa34205c8ae347074544d8ef1987474e1a7b5f14f8af80a8a379637f3b441

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 357ac07d85a01478874a0d1fb28f6f86
SHA1 f964e211a3d290d4cec0a2c51a6232dbd65ae4da
SHA256 f8acdb6e3a451d92687616311b297f37f44d582c01c26aac6cfa2e6a568d0b65
SHA512 30011a739f1983f17f72f5a7d50247e910dac1767ef0da005d30e0aca6367a69cdbd396bd0ddb0ab1c63475e19097af708982c3787394f8292959fcf68da6733

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-13 23:45

Reported

2023-12-13 23:47

Platform

win7-20231201-en

Max time kernel

145s

Max time network

146s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" https://www.paypal.com/invoice/payerView/details/INV2-B5RL-XDLZ-CT2V-YXTC?locale.x=en_US&v=1&utm_source=unp&utm_medium=email&utm_campaign=RT000274&utm_unptid=4316900c-9886-11ee-8176-3cecef47c1f3&ppid=RT000274&cnac=NZ&rsta=en_US%28en-NZ%29&cust=&unptid=4316900c-9886-11ee-8176-3cecef47c1f3&calc=e1949c5806cbb&unp_tpcid=invoice-buyer-reminder&page=main%3Aemail%3ART000274&pgrp=main%3Aemail&e=cl&mchn=em&s=ci&mail=sys&appVersion=1.218.0&xt=104038%2C127632

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1514849007-2165033493-4114354048-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1514849007-2165033493-4114354048-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{AD0280C1-9A11-11EE-AAF9-668C7AB8514F} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1514849007-2165033493-4114354048-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "37" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1514849007-2165033493-4114354048-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1514849007-2165033493-4114354048-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1514849007-2165033493-4114354048-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1514849007-2165033493-4114354048-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1514849007-2165033493-4114354048-1000\Software\Microsoft\Internet Explorer\DOMStorage\paypal.com\Total = "131" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1514849007-2165033493-4114354048-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e822323fdc2bf44b8a0ddc077ebcc96400000000020000000000106600000001000020000000fe54caaee8089e163b4c6535952fcb263392e8d32d5d2f8024917115056c8dbc000000000e80000000020000200000008fd105d3f2a1831da9988e4a6ffd5c7f5efbbd6dc4ece561f0e406e7557162ad90000000c2c647e1068702ca8e4cbb0c34cab4b5aba5ed653591ddadbdbd6d83a570b5cc473c05c421aec804c29a645d168d057cb90bf9bbd526887f202f71a8a15b18452f4a238cace809efb05a0e93a3c711a05c4ab44fb4c443b25c1fc3c6f92fa1d1af1603a95ef571e981c0e74a4efd5981fee56ed66f1f0c383e06ac108dc1a4e17b0a822133498d2f3985f835fd8d1c8a400000000afb59e2996d334ba9168f0c922c2dc66f340fd02daef100d52ff3c7baa6e0a51106713326924ab301741e9f56b3230ea952912a4c94f8098106c4f656e56a1f C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1514849007-2165033493-4114354048-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1514849007-2165033493-4114354048-1000\Software\Microsoft\Internet Explorer\DOMStorage\paypal.com C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1514849007-2165033493-4114354048-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "115" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1514849007-2165033493-4114354048-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e03157821e2eda01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1514849007-2165033493-4114354048-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1514849007-2165033493-4114354048-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1514849007-2165033493-4114354048-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1514849007-2165033493-4114354048-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "230" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1514849007-2165033493-4114354048-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1514849007-2165033493-4114354048-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1514849007-2165033493-4114354048-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1514849007-2165033493-4114354048-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.paypal.com\ = "26" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1514849007-2165033493-4114354048-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.paypal.com\ = "0" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1514849007-2165033493-4114354048-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "76" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1514849007-2165033493-4114354048-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.recaptcha.net\ = "99" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1514849007-2165033493-4114354048-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e822323fdc2bf44b8a0ddc077ebcc964000000000200000000001066000000010000200000002220728d71eb2bd196081ce1445c3a64b6dbc9a4ca939928c2f955a33e81f377000000000e800000000200002000000096acf4f4e013e354655f0d28188ae90b162863e958a9bfe693081ef9ecc944fe20000000942c87b204a60dcdfd30425e7b6fec579a33597fde879f7f28130bbc2d72f3ae40000000948ba41d11cac6d95be0c6ffc65e62496278a6439c4a8d0e21a4bb05ea494c1a54f70713a963fbef2278a55af79ff4a36495dfae99b68a2aa0cb6341ed103663 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1514849007-2165033493-4114354048-1000\Software\Microsoft\Internet Explorer\DOMStorage C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1514849007-2165033493-4114354048-1000\Software\Microsoft\Internet Explorer\DOMStorage\paypal.com\NumberOfSubdomains = "1" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1514849007-2165033493-4114354048-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1514849007-2165033493-4114354048-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1514849007-2165033493-4114354048-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "0" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1514849007-2165033493-4114354048-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1514849007-2165033493-4114354048-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1514849007-2165033493-4114354048-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1514849007-2165033493-4114354048-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1514849007-2165033493-4114354048-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "16" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1514849007-2165033493-4114354048-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1514849007-2165033493-4114354048-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1514849007-2165033493-4114354048-1000\Software\Microsoft\Internet Explorer\DOMStorage\paypal.com\Total = "0" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1514849007-2165033493-4114354048-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.paypal.com\ = "16" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1514849007-2165033493-4114354048-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.recaptcha.net\ = "268" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1514849007-2165033493-4114354048-1000\Software\Microsoft\Internet Explorer\DOMStorage\recaptcha.net\Total = "99" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1514849007-2165033493-4114354048-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1514849007-2165033493-4114354048-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.recaptcha.net\ = "21" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1514849007-2165033493-4114354048-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.recaptcha.net\ = "60" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1514849007-2165033493-4114354048-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "284" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1514849007-2165033493-4114354048-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "408672987" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1514849007-2165033493-4114354048-1000\Software\Microsoft\Internet Explorer\DOMStorage\recaptcha.net C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1514849007-2165033493-4114354048-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.recaptcha.net C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1514849007-2165033493-4114354048-1000\Software\Microsoft\Internet Explorer\DOMStorage\paypal.com\Total = "16" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1514849007-2165033493-4114354048-1000\Software\Microsoft\Internet Explorer\DOMStorage\recaptcha.net\Total = "21" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1514849007-2165033493-4114354048-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1514849007-2165033493-4114354048-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1514849007-2165033493-4114354048-1000\Software\Microsoft\Internet Explorer\DOMStorage\paypal.com\Total = "26" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1514849007-2165033493-4114354048-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1514849007-2165033493-4114354048-1000\Software\Microsoft\Internet Explorer\DOMStorage\recaptcha.net\NumberOfSubdomains = "1" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1514849007-2165033493-4114354048-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1514849007-2165033493-4114354048-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1514849007-2165033493-4114354048-1000\Software\Microsoft\Internet Explorer\DOMStorage\recaptcha.net\Total = "268" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1514849007-2165033493-4114354048-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.paypal.com\ = "131" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1514849007-2165033493-4114354048-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1514849007-2165033493-4114354048-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "26" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1514849007-2165033493-4114354048-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.paypal.com C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1514849007-2165033493-4114354048-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1514849007-2165033493-4114354048-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://www.paypal.com/invoice/payerView/details/INV2-B5RL-XDLZ-CT2V-YXTC?locale.x=en_US&v=1&utm_source=unp&utm_medium=email&utm_campaign=RT000274&utm_unptid=4316900c-9886-11ee-8176-3cecef47c1f3&ppid=RT000274&cnac=NZ&rsta=en_US%28en-NZ%29&cust=&unptid=4316900c-9886-11ee-8176-3cecef47c1f3&calc=e1949c5806cbb&unp_tpcid=invoice-buyer-reminder&page=main%3Aemail%3ART000274&pgrp=main%3Aemail&e=cl&mchn=em&s=ci&mail=sys&appVersion=1.218.0&xt=104038%2C127632

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2876 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.paypal.com udp
US 151.101.1.21:443 www.paypal.com tcp
US 151.101.1.21:443 www.paypal.com tcp
US 8.8.8.8:53 www.paypalobjects.com udp
US 8.8.8.8:53 c.paypal.com udp
US 192.229.221.25:443 www.paypalobjects.com tcp
US 192.229.221.25:443 www.paypalobjects.com tcp
US 192.229.221.25:443 www.paypalobjects.com tcp
US 192.229.221.25:443 www.paypalobjects.com tcp
US 192.229.221.25:443 www.paypalobjects.com tcp
US 192.229.221.25:443 www.paypalobjects.com tcp
US 151.101.1.21:443 c.paypal.com tcp
US 151.101.1.21:443 c.paypal.com tcp
US 8.8.8.8:53 t.paypal.com udp
US 151.101.1.35:443 t.paypal.com tcp
US 151.101.1.35:443 t.paypal.com tcp
US 151.101.1.35:443 t.paypal.com tcp
US 151.101.1.35:443 t.paypal.com tcp
US 151.101.1.35:443 t.paypal.com tcp
US 8.8.8.8:53 www.recaptcha.net udp
GB 142.250.200.3:443 www.recaptcha.net tcp
GB 142.250.200.3:443 www.recaptcha.net tcp
US 8.8.8.8:53 zn1ynnliufrct75cb-paypalxm.siteintercept.qualtrics.com udp
US 104.17.209.240:443 zn1ynnliufrct75cb-paypalxm.siteintercept.qualtrics.com tcp
US 8.8.8.8:53 www.google.com udp
FR 216.58.204.68:443 www.google.com tcp
FR 216.58.204.68:443 www.google.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\CabFC1B.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\TarFCBB.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3e966629f686b326912259b902e8ee34
SHA1 71e7bc7cef6e10bf1c29eec125b6c9f4a03dae75
SHA256 f85482bea36263834d001805b1e20d3d607cefb67b42cdfc695309cd9703ebe2
SHA512 24e46abf214f3478c9f92d9cd40cf7c735bb3130c5da44419653e535ffc037560c5741903832bfed1b196f7ecdc7b2a4289fa2f0212c5d82666f31278997f4e8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f0d3e2684dc4f875bb54330e8149c596
SHA1 1ce16c4fa077e1e40120fbebd0c7ddb1e3b8c0ce
SHA256 6cbfc44653659cb6b231472f760b2b263f2f902e3291783eca9b4264726bbfbd
SHA512 68760c88db6f4016fab45fa0d4f53c4f2f91e3d1b1d29d5bfa43b3d8e51bdeca7a09fa466d776e3b2fec1362bca7aca640648d237b771e3f481d075690d69684

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\Q5SWFYJT\www.paypal[1].xml

MD5 c1ddea3ef6bbef3e7060a1a9ad89e4c5
SHA1 35e3224fcbd3e1af306f2b6a2c6bbea9b0867966
SHA256 b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db
SHA512 6be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PBZ1TWUW\favicon[1].ico

MD5 e1528b5176081f0ed963ec8397bc8fd3
SHA1 ff60afd001e924511e9b6f12c57b6bf26821fc1e
SHA256 1690c4e20869c3763b7fc111e2f94035b0a7ee830311dd680ac91421daad3667
SHA512 acf71864e2844907752901eeeaf5c5648d9f6acf3b73a2fb91e580bee67a04ffe83bc2c984a9464732123bc43a3594007691653271ba94f95f7e1179f4146212

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\occ2pb6\imagestore.dat

MD5 eae376d0e6f23d0bc866fc7997aaa3c3
SHA1 42631daa76d542d865575dbc11a1ef4431274b37
SHA256 521c2bb1505812c0144a7195378d0c11741ffd96737bfc36b9fb704a8f84476e
SHA512 ee169edf990585145c952283338ad044ce609d7736a695a4eca3aa9c9d330e4ac72b47c0757604f9dab39d537b2f7d3fdf785f4b5b9df2e9cb9122cec3922ff6

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\Q5SWFYJT\www.paypal[1].xml

MD5 16c360cb99e10fbe3337221976dc73e7
SHA1 66f59be18d4e760f5875063d53cc0ab3451636a9
SHA256 01ed6837214ab9b4da5736d4dc0a1641bf40f2c17e163ae83f24c9490861c7bb
SHA512 77eb8f3002e5e43d69a5ff449750d4bc7dade936a89e8ed73eeccf85f9c0acf38dda706c81f9dbb0f34376835a587762ea74154dd85b9bfba65e6c1ba9926745

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EZ4NMB2U\recaptcha__en[1].js

MD5 af51eb6ced1afe3f0f11ee679198808c
SHA1 02b9d6a7a54f930807a01ae3cdcf462862925b40
SHA256 6788908efcff931e3c0c4fb54a255932414a22e81971dcc1427c8a4f459a1fbf
SHA512 e561a39733d211536d6f4666169221ca52b3502dd7de20eadba2c0ccd6f7568e3037fa8935d141993529ac9651ed7ecff20f5482de210fa5355a270dabe9221e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ca66d37f01f9fbf31cdc6a0b14a48e9e
SHA1 0348af5cac8be4989426b2ee0cb7cd7e97218fcf
SHA256 72265dd1c73038b9a4eca7141c43e3e4a924478de34d59c122031dcd2c01b967
SHA512 d9392df3062550647bfbfd6ac5b60ce11dff869724365311f63d308871657c3b61aeed7c0e28c763346b55e3f55bcc70c78f5107c3afa3b04a22daa611858dd3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 73c3785efc22fd439519c4064e825d3e
SHA1 af27ce10aaa93ab699d96723f9593e8bab767e18
SHA256 e6f4285664b2f818754b97fe3b158ef1f72b59f5ed042503a3b20ba2b1abf2db
SHA512 90e2595777ed8e24fa608e170ca90c07d20f017dd00bafd1c49c4f6dd8d72e89266bc4318c4cc04b2ae79510369a8c80d8cc11b1dbc9c89ced01d77ac96d3249

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 543bd4c7987f824d10d0e22ca6e35652
SHA1 e2383c8a14bd77a2052bcc3390a1bc4568e53939
SHA256 2b990f52f498cdbd7dac4db0f3d152018c271310b683f45868050f29ded3c8f7
SHA512 daba145602f6ef267e57de03c269a6c40299b4528ec3167fd3b7d33a0b3f730515dde0b37c764c8660650bb1f8d5c3a38eaed2efa4fd062536c91e2f00836a4e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0bae3635ef55d447457b4e89a8f1e5fc
SHA1 046ac1f6305c3d7de2ebfd6a9911f8e6cecda0b2
SHA256 ad7ea4fa41983845b6fced9884ebbb94f720dfd968c65261d00a99019be8f910
SHA512 cbb87e1c8ab46f19e7d4601e5a963deb50bdfd6aae95234f4f7272a715295bd37854d35fe4336ea29b9ff74762e48baaccd8b2fb1150262a6b76d944a462a489

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 629d8e27edbe567436924529146fabcd
SHA1 e44d1559d5d2b2134be6ca7dd7b17f787f3a9574
SHA256 03ad98bd8f18a2756224612ea63e5f14f3b8308814116709840123364a9c1b01
SHA512 877ecd23764e63b8ea11aa204f14b64623072631153d61a41b48961ab19a74d8c6c190f109f0c84f4148c7b5d043d39c89f3e7eb95296c3bb7b061558f0a83f5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 98455a6876282fbedbf86cc0430ed8de
SHA1 63e763381e1b9abd0578f5d937b2398147c48030
SHA256 a6a3e9961856be51a09219be6d1c888eb44ea111a884a4c86ce7c0c9a5dfbafc
SHA512 558c2b5ca3a5ef1fd57976d9c661a6fb55d865c6e5707a052b2e40cac272713b3478e33a4a300691fff3d1e4566d14fb1dfa2a51b576982729f39baece4f61f3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4f7405e01def190897f8f002680ebe29
SHA1 c72d8167f169fc0f3360e455e6f3e8925b10fc14
SHA256 e6b37dc0b023333ff9597662b7820dff04245fa4e25194210ad1d81fcdacba8f
SHA512 18dd25c6d04ad988e440a4ab88eeaa7665b336d4eb5a2677bcb11ee15a07842680e7100c67cd264a8aaff17650c992ccaba6368e6c61529e13c19b8fb83e4fa5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bb66d2444bfcd24e6e13eeb467435e79
SHA1 33f371e5ba2b4e47b014ced8e22c64640112f8fa
SHA256 a905223843e2c020224c8a243446af7c44a9149c866fa0ea29e2ed190c0ef109
SHA512 31d67216448ac51481a95e1d6e40487e527f0c84da521866dd8696470bb3c69e6dcbf8577983fc008da184a2183947f87678bcc68dc16cd9c753fe6e75b9e2ba

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 59f670c0b08992fcea11bfb05f64b239
SHA1 66f170e91ab4e30521298f614c0d328938547921
SHA256 3435e3da447d3c44aaee39668bef020407ca46c35c6bcab7f28e2861d18637ce
SHA512 182e20bcf883e882e02f0cec28b659a49057fc4cf001ae98de614a51c267e36e0e0c57fadbf9f1384948881259f8c8b5657a7cc0beda1ffcb3a547695fcbb5e8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2eb9bda854f5a57515ae303c0b5ec55d
SHA1 04a36b1769555c345cb6eff6023a08ae9ed2c428
SHA256 35f571897884a20e128644ca804eb868e8ab4e1b5aab490e755f551f0d1a683b
SHA512 17a3338f7834d935dbda39514ce732d909d5079ea777ca7b5bec1817658e571bb929d1fe3bc4f09f77e0d13a2f40e7113dd045ce53cbf01b514d4439c75823c8

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\URHGXLO2\www.recaptcha[1].xml

MD5 3abf28f1049e436d7153565965c5e7f6
SHA1 81c7c76f4e2c9a8b716f24a9c6e915269279e3e3
SHA256 c9a71785491ce764f1bb2167def1c5c03cbdc336dd133207cf3359201dd63598
SHA512 2790c37efe2979ccdeec32ad520aede62470d693b95d34ac3c26791fb77d5833b5e68bea9916511a23eef73493d408ecc92fa1d6588892b800747692a95b9111

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\URHGXLO2\www.recaptcha[1].xml

MD5 9ed560e686cc9b632df13c4cb3837ff7
SHA1 f25280f958c24c2bbb73b325375857e60eade853
SHA256 4051afbc72841946107cf6ae595879cf7ec310cbe12c19934270ad3c31614fe5
SHA512 f3fb0a2b3065e4ee07416e103bc7dcc8f9e1b15b3e21e2955cc13ee9fb7635944feb9e6fb8b11e1e09b76705bf9bfae392090648cbb131ec2604f68c5af34b94

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\Q5SWFYJT\www.paypal[1].xml

MD5 2342495dc9f001bc6b2d3117796ef286
SHA1 55a1f27481390718a24a58648596f7f7fe382ca0
SHA256 5ada474e8753af87a3ed0a6f00b50a4b341d53ee680d152468ca90a7ddb2d46f
SHA512 6c92e57f251b84532259e2563d5e564e45e660696b1dbdb8c9aa417a81730a6cf2d4fda0ec4262e727bc00e7d32760e285a8d9c2c3a0d0dfe07baa0a637a915c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 08a4ad43e4f4b87eacfbbcfd7653b1b1
SHA1 b95b134febbf93594b8dea6085e7b6fedc89d9ad
SHA256 20610d5928b7448eafbb52aaebb61863070b582cc5ac9912934a2b74bf343c8c
SHA512 e1118285bda39370c6b48e403a68a55635b50962f7c13f56c9d98f82faeba04e4b35685801417fd700a8ce7aeca0b78c9984aab3b803c19390df25ad8855cbb0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e601500600810b3df4f997ccc3aaf8eb
SHA1 a9797d66ad945b5ec25f08073b59ee1c616d9169
SHA256 8b8794d5e8d411a3c879c4834746075ac9155e18d2fe184fc5bfbefe846f6da3
SHA512 b37a826697f3bf60446ba0bc4b5f12ccc1901be99b6f334a9db36f00d30fd9c806a117699a0dd22a337e2411b36b89916dd5a6c125e47876223eb264c71ee833

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 109f5f5a336f082c9b632ffee64f55b2
SHA1 71ff68d44538bed95c8ebc0282f363f4c1ed507c
SHA256 be966bc38fda4284c74d5f471022660550f5cca82c1fa40091635591b248b286
SHA512 d8288f54c67d749a0ee4adc313d9c8cdbe700f58e6603e8e751e56e8db60be5c1cb738d58649d4abde31a39b9d68107f16d3652085a2285616127df887a4a769

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5744473b56b8639365fb5e839a28c763
SHA1 771ca2a44186ebd3afe1c0f6458a7bd491568bd8
SHA256 5df726f137e435129e0edcc5306a9dc19d3cb6b015c379a58e39d46f11c038da
SHA512 72e5fc6dfb2e84f8444c43c6df06cd2df8e2a7fd5862114be84116d830b7e0f2fbf1b1127435e314025ec051c54f76d6a31ed2b3a47375ab494f7d54fbd5161f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 dfae9d3df5ae1d7448048294459669ee
SHA1 7c751f1e9eb493a0d74869f41200464d895b9a89
SHA256 785bb6334ebe0c95bd34801f24778f86c315343f3f635e35a1e90a6ed9d5ac50
SHA512 e573466b0025164b616f74b2e2c18eccb055d728844730f040abd5d4dccb166b9480897992e6177233270769f8d8e6adacaf1e729ca0a2cac4e3fca1945bab81

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6a6d0342255ef6d2591826775ef0df50
SHA1 9ce7367c1f4d874213f5ca137f824f738739a2e9
SHA256 2d0e402dd819834b7e7e31a889c9a84e05740cd8322b163c2671ec8c3b7a5d0b
SHA512 9e7441ee444e7f1de034e667672193809e0fd94c659d61808e25eb94c0ff6db2d485cef472c0cbe4e26e1aab9a91ea4b14cb41204b934c77ca775c9d604f3c39

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 aec1854357355dfaefdae2b993c49984
SHA1 a581227389c3507dc8a26b1cb008198082fa423f
SHA256 198ddea85d61c0dacc46eafe89c66187e255019792de03c3df14a3c67b4ced86
SHA512 c131b2a2292e34bd8353f2ae732bd0423674a5cc828f60fe62218b7d22e96ba116fa11002e3ca20bab0e3cd40617ea795cd2f637708242c34a4c6112e9ec2dcd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2d89d910c295a2e6a1e4061b58e2badd
SHA1 2143460d448e0dbf8940e199047ac81adf47cbf8
SHA256 060a8faee347bd4a68b4779f13e4beca479e7ba95b09398245537e0af5f9bf0a
SHA512 d44383fdc2c4e8e7e432d4e55af8077f92595b7bf8a10eba83dcad302482d9693fb087dcfca28654978bf0ea23e1c15139cc2aa65add09f1e98bddc594c36ef4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 617204490210ec534a8704399ad288e2
SHA1 413881d70fd6c8776a0460f911b94cf90b86bde3
SHA256 5da506e0279d877fc24b5354c66bb1320c1fa0fd53512fb8eeb9837d17cce9e5
SHA512 e08a271d6cb1fca17b409be4f89e23072ce177e822e74b8aefe4684a1415d1bc21aa3fcaff9f08c5895681993def33e6b193901bf1354a3850057e0b58967b9b