Malware Analysis Report

2024-12-08 00:12

Sample ID 231218-vy21esbhar
Target https://www.paypal.com/signin/?returnUri=%2Fmyaccount%2Ftransfer%2FpayRequest%2FU-849803765A568852C%2FU-6PL99754A59833350%3FclassicUrl%3D%2FUS%2Fcgi-bin%2F%3Fcmd%3D_prq&id=fw9t0CTVboWisxmCamp0JvI5rs-fE-guHyA8.g&expId=p2p&onboardData=%7B%22signUpRequest%22%3A%7B%22method%22%3A%22get%22%2C%22url%22%3A%22https%3A%2F%2Fwww.paypal.com%2Fmyaccount%2Ftransfer%2FguestLogin%2FpayRequest%2FU-849803765A568852C%2FU-6PL99754A59833350%3FclassicUrl%3D%2FUS%2Fcgi-bin%2F%3Fcmd%3D_prq%26id%3Dfw9t0CTVboWisxmCamp0JvI5rs-fE-guHyA8.g%22%7D%7D&flowContextData=i82ckSim03e4YP4tJzxZlgdQH_Q4gSfBWmoboxQm6cCG97m_nd-aDBKrRmuJGv-1RksiWk7Ykd9dp5gRi2nyH0lkxge2ZpJIiEiKutBmZs0NIjNrdd3fGpnlYAwiYff2KpxioGnKKIUHublokp4ZZ_1_7Ii87Hu9fzAyZrsygfiy1vH0OlbHkHRcGKRrj0WLzIAmCtY3OggjwMu6a6_gdDI4Eb_ec7jH9ta9uG&v=1&utm_source=unp&utm_medium=email&utm_campaign=RT000186&utm_unptid=b74a4258-9dc1-11ee-8a28-506b4b4b668a&ppid=RT000186&cnac=US&rsta=en_US%28en-US%29&cust=&unptid=b74a4258-9dc1-11ee-8a28-506b4b4b668a&calc=856abf808c510&unp_tpcid=requestmoney-notifications-requestee&page=main%3Aemail%3ART000186&pgrp=main%3Aemail&e=cl&mchn=em&s=ci&mail=sys&appVersion=1.220.0&xt=104038%2C124817
Tags
paypal phishing
score
5/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
5/10

Threat Level: Likely benign

The file https://www.paypal.com/signin/?returnUri=%2Fmyaccount%2Ftransfer%2FpayRequest%2FU-849803765A568852C%2FU-6PL99754A59833350%3FclassicUrl%3D%2FUS%2Fcgi-bin%2F%3Fcmd%3D_prq&id=fw9t0CTVboWisxmCamp0JvI5rs-fE-guHyA8.g&expId=p2p&onboardData=%7B%22signUpRequest%22%3A%7B%22method%22%3A%22get%22%2C%22url%22%3A%22https%3A%2F%2Fwww.paypal.com%2Fmyaccount%2Ftransfer%2FguestLogin%2FpayRequest%2FU-849803765A568852C%2FU-6PL99754A59833350%3FclassicUrl%3D%2FUS%2Fcgi-bin%2F%3Fcmd%3D_prq%26id%3Dfw9t0CTVboWisxmCamp0JvI5rs-fE-guHyA8.g%22%7D%7D&flowContextData=i82ckSim03e4YP4tJzxZlgdQH_Q4gSfBWmoboxQm6cCG97m_nd-aDBKrRmuJGv-1RksiWk7Ykd9dp5gRi2nyH0lkxge2ZpJIiEiKutBmZs0NIjNrdd3fGpnlYAwiYff2KpxioGnKKIUHublokp4ZZ_1_7Ii87Hu9fzAyZrsygfiy1vH0OlbHkHRcGKRrj0WLzIAmCtY3OggjwMu6a6_gdDI4Eb_ec7jH9ta9uG&v=1&utm_source=unp&utm_medium=email&utm_campaign=RT000186&utm_unptid=b74a4258-9dc1-11ee-8a28-506b4b4b668a&ppid=RT000186&cnac=US&rsta=en_US%28en-US%29&cust=&unptid=b74a4258-9dc1-11ee-8a28-506b4b4b668a&calc=856abf808c510&unp_tpcid=requestmoney-notifications-requestee&page=main%3Aemail%3ART000186&pgrp=main%3Aemail&e=cl&mchn=em&s=ci&mail=sys&appVersion=1.220.0&xt=104038%2C124817 was found to be: Likely benign.

Malicious Activity Summary

paypal phishing

Detected potential entity reuse from brand paypal.

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Enumerates system info in registry

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-18 17:24

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-18 17:24

Reported

2023-12-18 17:27

Platform

win7-20231129-en

Max time kernel

133s

Max time network

127s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" https://www.paypal.com/signin/?returnUri=%2Fmyaccount%2Ftransfer%2FpayRequest%2FU-849803765A568852C%2FU-6PL99754A59833350%3FclassicUrl%3D%2FUS%2Fcgi-bin%2F%3Fcmd%3D_prq&id=fw9t0CTVboWisxmCamp0JvI5rs-fE-guHyA8.g&expId=p2p&onboardData=%7B%22signUpRequest%22%3A%7B%22method%22%3A%22get%22%2C%22url%22%3A%22https%3A%2F%2Fwww.paypal.com%2Fmyaccount%2Ftransfer%2FguestLogin%2FpayRequest%2FU-849803765A568852C%2FU-6PL99754A59833350%3FclassicUrl%3D%2FUS%2Fcgi-bin%2F%3Fcmd%3D_prq%26id%3Dfw9t0CTVboWisxmCamp0JvI5rs-fE-guHyA8.g%22%7D%7D&flowContextData=i82ckSim03e4YP4tJzxZlgdQH_Q4gSfBWmoboxQm6cCG97m_nd-aDBKrRmuJGv-1RksiWk7Ykd9dp5gRi2nyH0lkxge2ZpJIiEiKutBmZs0NIjNrdd3fGpnlYAwiYff2KpxioGnKKIUHublokp4ZZ_1_7Ii87Hu9fzAyZrsygfiy1vH0OlbHkHRcGKRrj0WLzIAmCtY3OggjwMu6a6_gdDI4Eb_ec7jH9ta9uG&v=1&utm_source=unp&utm_medium=email&utm_campaign=RT000186&utm_unptid=b74a4258-9dc1-11ee-8a28-506b4b4b668a&ppid=RT000186&cnac=US&rsta=en_US%28en-US%29&cust=&unptid=b74a4258-9dc1-11ee-8a28-506b4b4b668a&calc=856abf808c510&unp_tpcid=requestmoney-notifications-requestee&page=main%3Aemail%3ART000186&pgrp=main%3Aemail&e=cl&mchn=em&s=ci&mail=sys&appVersion=1.220.0&xt=104038%2C124817

Signatures

Detected potential entity reuse from brand paypal.

phishing paypal

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "409082152" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DOMStorage\paypal.com\NumberOfSubdomains = "1" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{55C3CCD1-9DCA-11EE-8D15-FA7CD17678B7} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DOMStorage\paypal.com C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "26" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 2024792bd731da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DOMStorage\paypal.com\Total = "26" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.paypal.com\ = "26" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000033b2baa7c38bc34eb000abaaaac06d7800000000020000000000106600000001000020000000dad5a448f957c1a2163479896e9503b36d0a5899ee43f6e80ca71db059624377000000000e80000000020000200000000bafad57a32c263ddc205ab2d503e56c39a11b43c94e2beca9d987247baf8cd9200000007346154f50b36f6cd15e15bf60dd61f36737b1c5abcd67b98dd368e918536a1d40000000cd7722e0c89161fbffd2ef36e3a0407f6c13ab83395eeef1a3f427e51f7b1b9c51fb531abf79083f67b58c1eb58511501c8e8f4c92cb700ed7bf57f12a6635e8 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DOMStorage C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.paypal.com C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.paypal.com\ = "0" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "0" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DOMStorage\paypal.com\Total = "0" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000033b2baa7c38bc34eb000abaaaac06d7800000000020000000000106600000001000020000000c3df8ac4342124a92f5405a6b1b1210c44270b50139a46b08809a379899b1a73000000000e8000000002000020000000311289653f9799bb94616c3f8f8ef38f3b9ad4f8257ea079e191d83c83ec5503900000002aeaa2ccc291da88c46645a9c708c73bd1cefee54cb670585343e0140c54edf501a79d3055339ca070b6b6913a9d10bc90115c87352df239f1990d14ea31113df86c1ef7f5d7dd42d44bf5740f815e7c162baece8f214d1854e30ac354349e317c2e7dbc484603ab5f3e977d52f96e60e989b08ba81a9f84245010cb8e384d46fae6e2a02c3e26699e6f82d7d61b7bfe40000000dd74be4c3612ed8c40c8d6424aac0579d2fce110f655cb44e1c0b05e0f31783c75f7d0218fce5cc9debd748e63e6beb50eb32e9e9174d1148f3b3545dccaf76d C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://www.paypal.com/signin/?returnUri=%2Fmyaccount%2Ftransfer%2FpayRequest%2FU-849803765A568852C%2FU-6PL99754A59833350%3FclassicUrl%3D%2FUS%2Fcgi-bin%2F%3Fcmd%3D_prq&id=fw9t0CTVboWisxmCamp0JvI5rs-fE-guHyA8.g&expId=p2p&onboardData=%7B%22signUpRequest%22%3A%7B%22method%22%3A%22get%22%2C%22url%22%3A%22https%3A%2F%2Fwww.paypal.com%2Fmyaccount%2Ftransfer%2FguestLogin%2FpayRequest%2FU-849803765A568852C%2FU-6PL99754A59833350%3FclassicUrl%3D%2FUS%2Fcgi-bin%2F%3Fcmd%3D_prq%26id%3Dfw9t0CTVboWisxmCamp0JvI5rs-fE-guHyA8.g%22%7D%7D&flowContextData=i82ckSim03e4YP4tJzxZlgdQH_Q4gSfBWmoboxQm6cCG97m_nd-aDBKrRmuJGv-1RksiWk7Ykd9dp5gRi2nyH0lkxge2ZpJIiEiKutBmZs0NIjNrdd3fGpnlYAwiYff2KpxioGnKKIUHublokp4ZZ_1_7Ii87Hu9fzAyZrsygfiy1vH0OlbHkHRcGKRrj0WLzIAmCtY3OggjwMu6a6_gdDI4Eb_ec7jH9ta9uG&v=1&utm_source=unp&utm_medium=email&utm_campaign=RT000186&utm_unptid=b74a4258-9dc1-11ee-8a28-506b4b4b668a&ppid=RT000186&cnac=US&rsta=en_US%28en-US%29&cust=&unptid=b74a4258-9dc1-11ee-8a28-506b4b4b668a&calc=856abf808c510&unp_tpcid=requestmoney-notifications-requestee&page=main%3Aemail%3ART000186&pgrp=main%3Aemail&e=cl&mchn=em&s=ci&mail=sys&appVersion=1.220.0&xt=104038%2C124817

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1736 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.paypal.com udp
US 151.101.1.21:443 www.paypal.com tcp
US 151.101.1.21:443 www.paypal.com tcp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.paypalobjects.com udp
US 192.229.221.25:443 www.paypalobjects.com tcp
US 192.229.221.25:443 www.paypalobjects.com tcp
US 192.229.221.25:443 www.paypalobjects.com tcp
US 192.229.221.25:443 www.paypalobjects.com tcp
US 192.229.221.25:443 www.paypalobjects.com tcp
US 192.229.221.25:443 www.paypalobjects.com tcp
US 8.8.8.8:53 t.paypal.com udp
US 151.101.1.35:443 t.paypal.com tcp
US 151.101.1.35:443 t.paypal.com tcp
US 8.8.8.8:53 c.paypal.com udp
US 151.101.1.21:443 c.paypal.com tcp
US 151.101.1.21:443 c.paypal.com tcp
US 92.123.128.164:80 www.bing.com tcp
US 92.123.128.164:80 www.bing.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\Tar1E8D.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0870f98aa6eb60858e7a5964dc7c21bf
SHA1 4d0490af90cf096aa8cda9a678bdc9f9fb2c27c3
SHA256 2655bfddb1293cc13a2322e7d3dee8670a5d10f56ab195d7d6bee50eb7f35499
SHA512 94fdf988398bc67eb0f458658757e6cf12cca6ae11c0cb5ee90a7bd451ff3c4bd23ddcfe3e51eab1971397dc75ef8ef04dc4ae5d85d5d011cf963bf3206f7d10

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 6bd0bd75bf91e5ad60b2e998b413b8b6
SHA1 56c32f3f6e4d245a7f8484f4f51f4ed87ba355fe
SHA256 6064a36b07003db4cfca2cfb85638c2d4663eb2ff92509c76124ee4eb0318a5f
SHA512 1cead97a005020c32ad5198a1f42d021bf51cb623b9a1132885e5e7fb478c237d1a13c062dbadd6ec08f4e8ad2c8e5cd1dd819b3a16c783a69796a2c39578b7e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5f6fd01932b029f5d1f02d5d657786d1
SHA1 45e1ef0802087fea763bc5f680eb7f7ed62cd90f
SHA256 948a21da5091fea7ab96aeb854a2e6701b8778b1c3a62de3f5b574684fdcccee
SHA512 8d92c76cc810c8eed5c6947c05b47db8cf2828dec1cb208920ce6393d2f144d3a2f2210ad519c714d98d24554fb9eb99fd6dc6dc39daab4613d6beb1cc11a7c8

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZC9YH0TF\pp_favicon_x[1].ico

MD5 e1528b5176081f0ed963ec8397bc8fd3
SHA1 ff60afd001e924511e9b6f12c57b6bf26821fc1e
SHA256 1690c4e20869c3763b7fc111e2f94035b0a7ee830311dd680ac91421daad3667
SHA512 acf71864e2844907752901eeeaf5c5648d9f6acf3b73a2fb91e580bee67a04ffe83bc2c984a9464732123bc43a3594007691653271ba94f95f7e1179f4146212

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\s8rbov0\imagestore.dat

MD5 9e92c3f469bd2446a2944d44735b882b
SHA1 8e2f414f4ffcef239d962e04b064ba3bae0880cb
SHA256 3e96480df0b7caf6e4b0deeba0974f604f222d26029803a35c7e8266350fbedd
SHA512 597601e76a19fa97281e05cbbd741d1c32448e29457eaf066b6b90884b422d8a196fa94a8a6a3da1595016926accc9c5d3a6ccbd8ab1841a142339f1320cd3ef

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\ARNNOKDZ\www.paypal[1].xml

MD5 c1ddea3ef6bbef3e7060a1a9ad89e4c5
SHA1 35e3224fcbd3e1af306f2b6a2c6bbea9b0867966
SHA256 b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db
SHA512 6be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6edae4b073a3f2d8587a8a4915bcf180
SHA1 0795175ca7da54fbec56d7ae5fd5d06e158946a0
SHA256 119aa255d58f6c2eb37f5bdcdcb893310972bc3f36228bf799c26eda1f4e51be
SHA512 f3cab4309765d63619ed48e8605571e8e6cb67c2d3a992cae5a879db2cb55ad0c9fbd1f5e3ab71e17d31a6842855ebb66fe6a7d5a5e1825869e3ea5b842fec08

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e128a0c711f2cfca65b013dd90206e4b
SHA1 b4e9f74d54d465733e29d5245d2cb5c5d6d222cb
SHA256 a4008f41342f8aa8db3de37b4286adaaad3f6c8877b92bef0cefbdafb76781f9
SHA512 4955b77d5fe61cf71491346809a84e54db66d3a17bd469994e383d047261c2489a8a0a2bcd150939e06c68aeca49eac131f5bf2574e9dc9ac7e4c3b8d4e0d432

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 69677b64b71a85c65dda74d0866e6bb2
SHA1 ba82a7a5be0dd85bb429a98d56807542ca1cbcf6
SHA256 79da2c7ecf695dfefdea535d1827c5e6ae4da377e815375fff85f010cfc5ebab
SHA512 ebe973122597413c5f05c71fc615d08d97f3773b4a65f0477131aa7392271ad51cf885855d3a54e3428f9f8e7934f66fff13d3d2c6f263570ea976265e30056d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 793ed0ae36e77ab7bf9eba2d1247e86c
SHA1 e22fe9f51936c1e8234409d7baf2047a7c49edef
SHA256 aef0f44d733fc00fd33f5166bc9d6c4f167bcda77d732a70aa0df39061ecc442
SHA512 c77eb8d0ca3efe2824a6304691281e5ab15a316b12c42347b64ed0e888d68679fce8243b018f416e77bef07e1035fc0f3a38965ac5c427a383c35750c7314cd7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 94ffc8940bb15466e8ccf3127c094215
SHA1 54a5b69452cb4328be7bb117656ac457776a7069
SHA256 0d4d9a370e2f5c030f5d50b262b1c2cff874ed3a25e86ff407ee510dc4f12c60
SHA512 6f55988d4c96682f57b9b9faaa19ce58134382b31a4ca6ab0a8bbf4a6da9000dcb05397df54e11e7da1e037ca8b9570e9be89f4f48635b733d324bf882a5d61e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 15f3376ea1b6e2846522d8433991140b
SHA1 0ff9d1d70cb1452b6b8e89fe6433767bd49771dd
SHA256 d2f66ecac0d578653345a5107a664ac929a0b1a3c534f99a2f2b2ac0d853b1c0
SHA512 9673b478002e1682684b89b42875ba2e125271499cae4f2ceb19ccfe07b1a20fd827c23c999a123cbbac8a962f29377f218f05d9e5ba6d83eb09f845dd888b89

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 e4a68ac854ac5242460afd72481b2a44
SHA1 df3c24f9bfd666761b268073fe06d1cc8d4f82a4
SHA256 cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
SHA512 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 96d3a8b96cd12b28a1c0cb80b217ed61
SHA1 e847ddaeca8f48c5d39e9371b2b5c33e4d6140fb
SHA256 0e4ffbf19b70d95479f3921ca919a6f7ffe00aabeb4b1d1b3d803de99f03ccba
SHA512 111a7029e5e9be26ab0f75b2861c43083537048090c0c38f9d6088c3747e9867f83d841460c2080684fb4ea9507074feeb6528f108c912cebf9bcc8c98095980

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 16f3a6393fb21e54fc0c8a89a0fbff79
SHA1 f2cd7c484606f33ad07f7c504543a837203a65b0
SHA256 8a19d5d867337194c90d765b6af08e47bc860e0fc23bbc435b31a680e62cbfc4
SHA512 130b1d617c608f294859d6468b15a57cbc7ee0836d608ce9fbaec8fe88ac4a9debb58ceda383d4fff2344c0a4f10220ef0c67717520b3e95d5378f846b9c4dfa

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2b7a6c4b5bc60604fe265329f7b3645d
SHA1 98a72679fb3dbd6644f67864a97c8336ef65a672
SHA256 86bcdbecd3c0005fbaeafd39453c79bc2eb1312402335069f5d8552576f531ed
SHA512 f7912f8f395ebee2e8784cc344972df1662cdbd33266e2360158988912d912954ede30afed789c8a2e71af2520e0149b46765c9e39c8cf23490c78eb3fad64f8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 067fa37fd699f6183106b6bd633ef202
SHA1 7986e3ccf2f429491b89c5baf43a8be3bf561ae5
SHA256 5622de71a77e9b0dd8d7b5419ebf3b9da3b9347aab2a15617180866c0a2c3944
SHA512 2920bd52f3708c7fcaef99672156cea8dccc04212a1a69f03dbd99d1e5e0949ba9697bd662e5ca7cfccac9cfd12b8c614e8e62906942469c9224f29d0f686001

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 67d8eff966a61b67eebafa629578bc7f
SHA1 0c637f3fd140a905cfd386110029ffa24468d706
SHA256 b66664d97793aa4e099d532e776e5aec461e11f78f0608e02e776844df6e6695
SHA512 ed49527998f6e6c36d2e217788066eaa8d365b8eac859b946f3e542579266986c3642f25f6f762c9d94b37864b0f1c6202ab2436fa7dc089582c32c1947a04bc

C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

MD5 da597791be3b6e732f0bc8b20e38ee62
SHA1 1125c45d285c360542027d7554a5c442288974de
SHA256 5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07
SHA512 d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a58829d624a59e8bbc944d473aa8b67d
SHA1 738a955f65fd88f8623c78584e29654375606abe
SHA256 633e953993dd77832996a6bea852068d6ebb951db1ae046632c925a46ddcfc8d
SHA512 659e25bc68ca0068d8aacf46efebdd81c9270c119c8dc2ceaaabd75411728cd1c25a1f893cc6e0a207344c54fab081f8c1336814c09d7fba88d8fec802d48ec8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 72804188223c270798877d466035e008
SHA1 783ac4a746e10bee5d4aeca839a12674aad3a835
SHA256 bf8fb36d782ea9aafeb3c65d7f81b9e82dbcd9388a22e11e58e2808be542277d
SHA512 8c6ca2806e395ab60e96e302c8b4930e281e8b636d88767517b6f47fefbe124d25bb15336cada8ab296fe47f811bb9b82b673d488a6ec52309411363cb58ae18

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d8c91008bbd04415b9b251fc524411cd
SHA1 63144c0b57e8752a651a457224c38ca6aba45519
SHA256 2e62904f05a583d6513e037e11b6d511f90f4b554e64abd3269beb8e528abfc9
SHA512 7937a801d69b83ce2ccb7d1c8d001103bd54cb6c49bd131a372db0deaf076c5e85f094bf7aebc772985c38cc98ee3c8b6cd7a9e470c045a88d8c73f0a9a768a9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e45eca64d2cceedbb70a62791ce7c881
SHA1 346b7f4a4fac1ad87ccf3c0dc0af427ce6acaf3a
SHA256 5de5d6dc2db61430f2a0c06edfe4731b85133e29cf655c2169264799616a81b7
SHA512 68d3bc74cb3b6faf12829ce5d816040818a433cc9a144ff19e4bd4fbd36f10f371b6051dcf8ad363db9c401a3fdad1f5d9f42576802d09cd739e60691c998323

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 34cc8caa551c627942d79c4a8f1c481f
SHA1 9a19a66fc1685acd15774b6c79523b1628b3a8b0
SHA256 595aa271e3dabc8be62113117b33eaaf6b1d9a54940b72c4f4243218a009a780
SHA512 684009eda1c61d8b8ff07fc203c4065bb09607768c26cd9fb6b57b6d239e414ffae9600addf2f438db44271b1f7cedaf32c0b62cf993608aa5bf4fe5fd2222ed

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e92dcc6cb915ff6db7ed18b81a25f20e
SHA1 40a761cafe49184a826d4fe44de01b97b63b865b
SHA256 a099fd23586d6120c472aa42d9198930b035048860a1ca234bcf250d5c77966d
SHA512 3efa8606fb94217accb732c77a6d34b6f99bd626b3b7fb66cda8ceb7d9169e2f8f4e56971a2c49eaaa24b266c9f2355f74866df5a3820f2999da8a52404a7397

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d78aa313e01a95772a7f226bcfa9b382
SHA1 f796d3cfcd9e8d4ae6168f83ccc1b3d48e5226ee
SHA256 c5432fe8871bca0c9c0fac48f283bee0e51a7565dec2a92f6b1fb91f4d21552e
SHA512 26bc57c3ebcc8b63056140bf8a42c383fabee2a6762e09872e9b3226eb5184f7b27ac63f5d929914edfe078f4c3637b9be06bee7ee4da79a1270fb81c2b07ec1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 83da95ba1cb03ea93039b586a1b59e84
SHA1 3121e8460213119e9d6b91dec5de1f843815cb62
SHA256 c1840c768eab6c89a3efc6723e9da8c903d071882c774876addfb3e7699e8dc3
SHA512 9538dea944923532cb09e53c669a998bc4b4d6f90a8b7d3990d597a8ae7aced08a57251b8279343e0679a0ebc59439c8fa35a15d962585c6e9c4d79d71e01775

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d0aa3b0b39619c461a28782f7910532f
SHA1 1a617054e83c0ab24cbd5ce48284f54f9e457b6f
SHA256 fcb9476a7b5d7b54135efeeb8c3f37bb5980a40b7d2c3c7b86fec02fb097fddb
SHA512 c3d9f889f1a19c47f03332b6ac5b945e0027bfe400220834767bd778f9f667bba849d153128537604a017f5c04c1ef946a3c90e6769e77660e8d37344007f0d0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ae7f169c81b6258c2bc9148ac99cdda7
SHA1 5a4f199115731b7278e719fa14345c1e5b7b0f90
SHA256 8ce295af5e07c2713258b6f695fb478773499d6962c4f1b2ac8d97ac311401cf
SHA512 4b7f47b2b04f6fcd72200e83af9552f0db22f7c03c81d84f9cb2684b4b3604163aeb9e261c633353a0414995cd4560aba67d5731dc507678c117748fd73c2199

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-18 17:24

Reported

2023-12-18 17:27

Platform

win10v2004-20231215-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/signin/?returnUri=%2Fmyaccount%2Ftransfer%2FpayRequest%2FU-849803765A568852C%2FU-6PL99754A59833350%3FclassicUrl%3D%2FUS%2Fcgi-bin%2F%3Fcmd%3D_prq&id=fw9t0CTVboWisxmCamp0JvI5rs-fE-guHyA8.g&expId=p2p&onboardData=%7B%22signUpRequest%22%3A%7B%22method%22%3A%22get%22%2C%22url%22%3A%22https%3A%2F%2Fwww.paypal.com%2Fmyaccount%2Ftransfer%2FguestLogin%2FpayRequest%2FU-849803765A568852C%2FU-6PL99754A59833350%3FclassicUrl%3D%2FUS%2Fcgi-bin%2F%3Fcmd%3D_prq%26id%3Dfw9t0CTVboWisxmCamp0JvI5rs-fE-guHyA8.g%22%7D%7D&flowContextData=i82ckSim03e4YP4tJzxZlgdQH_Q4gSfBWmoboxQm6cCG97m_nd-aDBKrRmuJGv-1RksiWk7Ykd9dp5gRi2nyH0lkxge2ZpJIiEiKutBmZs0NIjNrdd3fGpnlYAwiYff2KpxioGnKKIUHublokp4ZZ_1_7Ii87Hu9fzAyZrsygfiy1vH0OlbHkHRcGKRrj0WLzIAmCtY3OggjwMu6a6_gdDI4Eb_ec7jH9ta9uG&v=1&utm_source=unp&utm_medium=email&utm_campaign=RT000186&utm_unptid=b74a4258-9dc1-11ee-8a28-506b4b4b668a&ppid=RT000186&cnac=US&rsta=en_US%28en-US%29&cust=&unptid=b74a4258-9dc1-11ee-8a28-506b4b4b668a&calc=856abf808c510&unp_tpcid=requestmoney-notifications-requestee&page=main%3Aemail%3ART000186&pgrp=main%3Aemail&e=cl&mchn=em&s=ci&mail=sys&appVersion=1.220.0&xt=104038%2C124817

Signatures

Detected potential entity reuse from brand paypal.

phishing paypal

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1556 wrote to memory of 1304 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1556 wrote to memory of 1304 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1556 wrote to memory of 1248 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1556 wrote to memory of 1248 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1556 wrote to memory of 1248 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1556 wrote to memory of 1248 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1556 wrote to memory of 1248 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1556 wrote to memory of 1248 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1556 wrote to memory of 1248 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1556 wrote to memory of 1248 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1556 wrote to memory of 1248 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1556 wrote to memory of 1248 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1556 wrote to memory of 1248 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1556 wrote to memory of 1248 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1556 wrote to memory of 1248 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1556 wrote to memory of 1248 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1556 wrote to memory of 1248 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1556 wrote to memory of 1248 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1556 wrote to memory of 1248 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1556 wrote to memory of 1248 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1556 wrote to memory of 1248 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1556 wrote to memory of 1248 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1556 wrote to memory of 1248 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1556 wrote to memory of 1248 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1556 wrote to memory of 1248 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1556 wrote to memory of 1248 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1556 wrote to memory of 1248 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1556 wrote to memory of 1248 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1556 wrote to memory of 1248 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1556 wrote to memory of 1248 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1556 wrote to memory of 1248 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1556 wrote to memory of 1248 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1556 wrote to memory of 1248 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1556 wrote to memory of 1248 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1556 wrote to memory of 1248 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1556 wrote to memory of 1248 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1556 wrote to memory of 1248 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1556 wrote to memory of 1248 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1556 wrote to memory of 1248 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1556 wrote to memory of 1248 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1556 wrote to memory of 1248 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1556 wrote to memory of 1248 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1556 wrote to memory of 3480 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1556 wrote to memory of 3480 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1556 wrote to memory of 4200 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1556 wrote to memory of 4200 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1556 wrote to memory of 4200 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1556 wrote to memory of 4200 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1556 wrote to memory of 4200 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1556 wrote to memory of 4200 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1556 wrote to memory of 4200 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1556 wrote to memory of 4200 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1556 wrote to memory of 4200 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1556 wrote to memory of 4200 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1556 wrote to memory of 4200 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1556 wrote to memory of 4200 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1556 wrote to memory of 4200 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1556 wrote to memory of 4200 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1556 wrote to memory of 4200 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1556 wrote to memory of 4200 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1556 wrote to memory of 4200 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1556 wrote to memory of 4200 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1556 wrote to memory of 4200 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1556 wrote to memory of 4200 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/signin/?returnUri=%2Fmyaccount%2Ftransfer%2FpayRequest%2FU-849803765A568852C%2FU-6PL99754A59833350%3FclassicUrl%3D%2FUS%2Fcgi-bin%2F%3Fcmd%3D_prq&id=fw9t0CTVboWisxmCamp0JvI5rs-fE-guHyA8.g&expId=p2p&onboardData=%7B%22signUpRequest%22%3A%7B%22method%22%3A%22get%22%2C%22url%22%3A%22https%3A%2F%2Fwww.paypal.com%2Fmyaccount%2Ftransfer%2FguestLogin%2FpayRequest%2FU-849803765A568852C%2FU-6PL99754A59833350%3FclassicUrl%3D%2FUS%2Fcgi-bin%2F%3Fcmd%3D_prq%26id%3Dfw9t0CTVboWisxmCamp0JvI5rs-fE-guHyA8.g%22%7D%7D&flowContextData=i82ckSim03e4YP4tJzxZlgdQH_Q4gSfBWmoboxQm6cCG97m_nd-aDBKrRmuJGv-1RksiWk7Ykd9dp5gRi2nyH0lkxge2ZpJIiEiKutBmZs0NIjNrdd3fGpnlYAwiYff2KpxioGnKKIUHublokp4ZZ_1_7Ii87Hu9fzAyZrsygfiy1vH0OlbHkHRcGKRrj0WLzIAmCtY3OggjwMu6a6_gdDI4Eb_ec7jH9ta9uG&v=1&utm_source=unp&utm_medium=email&utm_campaign=RT000186&utm_unptid=b74a4258-9dc1-11ee-8a28-506b4b4b668a&ppid=RT000186&cnac=US&rsta=en_US%28en-US%29&cust=&unptid=b74a4258-9dc1-11ee-8a28-506b4b4b668a&calc=856abf808c510&unp_tpcid=requestmoney-notifications-requestee&page=main%3Aemail%3ART000186&pgrp=main%3Aemail&e=cl&mchn=em&s=ci&mail=sys&appVersion=1.220.0&xt=104038%2C124817

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9131346f8,0x7ff913134708,0x7ff913134718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,5293754000999661173,9481229486227416245,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,5293754000999661173,9481229486227416245,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2412 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,5293754000999661173,9481229486227416245,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2808 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,5293754000999661173,9481229486227416245,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,5293754000999661173,9481229486227416245,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,5293754000999661173,9481229486227416245,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3716 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,5293754000999661173,9481229486227416245,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5192 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,5293754000999661173,9481229486227416245,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5816 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,5293754000999661173,9481229486227416245,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5816 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,5293754000999661173,9481229486227416245,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,5293754000999661173,9481229486227416245,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5516 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,5293754000999661173,9481229486227416245,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5424 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,5293754000999661173,9481229486227416245,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5260 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,5293754000999661173,9481229486227416245,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1048 /prefetch:2

Network

Country Destination Domain Proto
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 www.paypal.com udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 151.101.1.21:443 www.paypal.com tcp
US 151.101.1.21:443 www.paypal.com tcp
US 8.8.8.8:53 www.paypalobjects.com udp
US 192.229.221.25:443 www.paypalobjects.com tcp
US 8.8.8.8:53 186.178.17.96.in-addr.arpa udp
US 192.229.221.25:443 www.paypalobjects.com tcp
US 192.229.221.25:443 www.paypalobjects.com tcp
US 8.8.8.8:53 21.1.101.151.in-addr.arpa udp
US 192.229.221.25:443 www.paypalobjects.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 192.229.221.25:443 www.paypalobjects.com tcp
US 192.229.221.25:443 www.paypalobjects.com tcp
US 8.8.8.8:53 25.221.229.192.in-addr.arpa udp
US 192.229.221.25:443 www.paypalobjects.com tcp
US 8.8.8.8:53 www.recaptcha.net udp
GB 172.217.16.227:443 www.recaptcha.net tcp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 227.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 c.paypal.com udp
US 8.8.8.8:53 b.stats.paypal.com udp
US 8.8.8.8:53 c6.paypal.com udp
US 64.4.245.84:443 b.stats.paypal.com tcp
US 151.101.1.35:443 c6.paypal.com tcp
US 8.8.8.8:53 dub.stats.paypal.com udp
US 64.4.245.84:443 dub.stats.paypal.com tcp
GB 172.217.16.227:443 www.recaptcha.net udp
US 8.8.8.8:53 3.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 35.1.101.151.in-addr.arpa udp
US 8.8.8.8:53 84.245.4.64.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.200.4:443 www.google.com tcp
US 8.8.8.8:53 4.200.250.142.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 www.microsoft.com udp
NL 104.123.41.162:80 www.microsoft.com tcp
NL 104.123.41.162:80 www.microsoft.com tcp
US 8.8.8.8:53 162.41.123.104.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 t.paypal.com udp
US 8.8.8.8:53 114.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 123.10.44.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 efc9c7501d0a6db520763baad1e05ce8
SHA1 60b5e190124b54ff7234bb2e36071d9c8db8545f
SHA256 7af7b56e2f0a84ae008785726f3404eb9001baa4b5531d0d618c6bdcb05a3a7a
SHA512 bda611ddba56513a30295ea5ca8bc59e552154f860d13fed97201cdb81814dd6d1bca7deca6f8f58c9ae585d91e450f4383a365f80560f4b8e59a4c8b53c327d

\??\pipe\LOCAL\crashpad_1556_UIZSSIIOJDFNWPRY

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 4044b5bd32ec8bb8fa564bbbb9c95fc1
SHA1 4854c2c1254891055dc4a1bf2b7ecb1a81f24904
SHA256 9f6eb5d6083713d676e3de27f4829479d761e625ebb9b387cfa4f29acc997ac7
SHA512 fa40114aefc10ee66a5d87573fb9b7d4d901ef40c3dd816cb42da3a9cfd53b2f251b768a94e5faafeca5290758a35aee933ddbca2553251972607b866476ae28

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

MD5 e3038f6bc551682771347013cf7e4e4f
SHA1 f4593aba87d0a96d6f91f0e59464d7d4c74ed77e
SHA256 6a55e169bc14e97dfcd7352b9bc4b834da37dd1e561282d8f2cc1dbf9964d29a
SHA512 4bee876cea29ad19e6c41d57b3b7228f05f33f422e007dc1a8288fd1a207deb882c2789422e255a76c5bf21544f475689e7192b9a8a80dc2e87c94ee0bc6d75f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\9baaae70-ab6c-4199-ad17-c00669480607.tmp

MD5 4616ee8e53f539f5bb5e54d40f93f540
SHA1 129ab0cce212cd2a54c8f5a7d10eb41625ecdcbc
SHA256 5806d7b7bcb38e17218f4aee1fd67ecaecd15e3049dec9aa01c9794145a6fa17
SHA512 183e9a64262a07438c1518da6b288747334645c528d5714808cd4d4ba83e432ed5fcc788fad3d22242f550d76d8b3a578db2ec8a6645b54458961b5698995ad0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 5b8d1d3f328def24aaefdea06e6f518d
SHA1 b4fc4f13edfa422491ff8bce3f1cd3d9ccb403d2
SHA256 814b02a23c2ed11fc62d8d82a6f3b97bdd5c385c67e7334bb55053bfd6b70684
SHA512 6469b648a8e8f703aa2f0d79bd515f44c750f3bb7ee9334a462f41e149bae30f00a205b3228080c194c1fbbf12c7823f5d4bdbf8bb49c15fdb36a9f90b48d9ab

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 121510c1483c9de9fdb590c20526ec0a
SHA1 96443a812fe4d3c522cfdbc9c95155e11939f4e2
SHA256 cf5d26bc399d0200a32080741e12f77d784a3117e6d58e07106e913f257aa46c
SHA512 b367741da9ab4e9a621ad663762bd9c459676e0fb1412e60f7068834cbd5c83b050608e33d5320e1b191be1d809fef48831e0f42b3ecabd38b24ec222576fa81

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 78ff0be3b927fe27ac4ee6cfb156e20c
SHA1 d45ae1a9de3b6c59b4ceebebcacd3a6c99808199
SHA256 f46a4ea12ab5092f5eb73949e8d238a72e1ff11d20e7cf1ca91a1ca9bb4c76c0
SHA512 ddcdb74369785266ba9fce76cb8230dd71873862c38fd716327aea9e44ff04b33ffce98a3bd7c0ed852aebccdbff9cfcd7b6c7117e167b2ecf8195089c349a5d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe580b55.TMP

MD5 ef5698bb7f524e620183a917c5043c71
SHA1 3a094d5a5c8fc974ba537f40a00f260629993c23
SHA256 bde1dd33c5bfd8ef0e524d47f90a05a8d53fc2ea0830752602a72f3aa5f8d10b
SHA512 ab833a0d5bccf947eb3417512825d6681861ced69489eb09b2e6859cf06fce9780909deb0b7468546514dcd3509e2dffcada6b9b8ac09ee8123d1eef155b3d98

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 6a9eda1bf5a5b16cfa53aaf7850e1a69
SHA1 a26a93d2b82a80130b62fa841ff31082110f3214
SHA256 4b64d84e915d7810368010fb5bbc7419c9ee282c939a70ecf7a8f2a39387bf6c
SHA512 408b559ae803943b9c4fa52762edf29f99b679258632fbd6a6bf7c39f881d6573245ea3e742a4f4e07a990db23717df43b5196b73056ef5a9acff89be668b564

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 a61b33c42044a46565f14a64d303543e
SHA1 54ec5e20fdf4607196ea8a74ce26d6264e57da29
SHA256 14438610f0b204673ffd9c3331023964eadf75f18eed01df772de648d095eb4b
SHA512 2b75fa640ba976d7e9b78a5869400ad9195633d0ea1e3ec3138a39dc203e9a931e36085636041e8837c9c33b585c6f155931c77ae1985349d3c5b808b1738dc1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 f69a1c5f32cc9c819434bcd027b153d0
SHA1 703102decc34bba1d38c2e45c9a1e9aa95e8d7c1
SHA256 b805d069d28716413bd6ceff4ee914cbb4567ec5ab6717a9d1172ce8a4fd3b0b
SHA512 e23fc22d2570996f123a14d7b56c3796abb1a42eb1f54fa8c80a1625ae1a9a835e513d37d82523439d41f3aa81ca4b53469c0e92a154505c717a225f9a3d93ea