Malware Analysis Report

2024-12-07 23:00

Sample ID 231219-yd7a7aghc7
Target 876edffdbb97362ec417169555cfc3c1
SHA256 8c391d79f207b9dba64ca4df4cdbecf1f48db1cc522730902511f4e710d71704
Tags nanocore evasion keylogger persistence spyware stealer trojan paypal phishing
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 10/10
SHA256 8c391d79f207b9dba64ca4df4cdbecf1f48db1cc522730902511f4e710d71704

Threat Level: Known bad

The file 876edffdbb97362ec417169555cfc3c1 was found to be: Known bad.

Malicious Activity Summary

nanocore evasion keylogger persistence spyware stealer trojan paypal phishing

Nanocore family

NanoCore

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

Checks whether UAC is enabled

Detected potential entity reuse from brand paypal.

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Enumerates system info in registry

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

Uses Task Scheduler COM API

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious behavior: GetForegroundWindowSpam

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2023-12-19 19:41

Signatures

Nanocore family

nanocore

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2023-12-19 19:41
Reported 2023-12-20 08:06
Platform win7-20231215-en
Max time kernel 158s
Max time network 163s

Command Line

"C:\Users\Admin\AppData\Local\Temp\876edffdbb97362ec417169555cfc3c1.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\HTML.EXE N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TCP Service = "C:\\Program Files\\TCP Service\\tcpsvc.exe" C:\Users\Admin\AppData\Roaming\HTML.EXE N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Roaming\HTML.EXE N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\TCP Service\tcpsvc.exe C:\Users\Admin\AppData\Roaming\HTML.EXE N/A
File opened for modification C:\Program Files\TCP Service\tcpsvc.exe C:\Users\Admin\AppData\Roaming\HTML.EXE N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 601fe7281b33da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{5282D301-9F0E-11EE-8CF2-CEEF1DCBEAFA} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (value not captured in this report) C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "409221306" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000429d3af34477a14f8b2dd76917334189000000000200000000001066000000010000200000004019cdee1d5f79f76d88fae89be27bd997b7837beeb61105f1cb2a35f3f47d8f000000000e8000000002000020000000aeb1f35cde71dfe76c4cb78f4acbcdc76d41f8ee831250b8275d7b1a3a0f86712000000066211be33055615d24a2cae0cbbd3496738253096fb2c9088c36092cfd49b73d400000000e24f364c7dac99e628a7d0a6a19ffea53e7d2a81af2d3a0857cebdbeda4832d480d0013f4b52fd6d726028f9aacbc1bc074f9aa2a7136c0fbb15b6ad442f23a C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\HTML.EXE N/A
N/A N/A C:\Users\Admin\AppData\Roaming\HTML.EXE N/A
N/A N/A C:\Users\Admin\AppData\Roaming\HTML.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\HTML.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\HTML.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1512 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\876edffdbb97362ec417169555cfc3c1.exe C:\Users\Admin\AppData\Roaming\HTML.EXE
PID 1512 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\876edffdbb97362ec417169555cfc3c1.exe C:\Users\Admin\AppData\Roaming\HTML.EXE
PID 1512 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\876edffdbb97362ec417169555cfc3c1.exe C:\Users\Admin\AppData\Roaming\HTML.EXE
PID 1512 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\876edffdbb97362ec417169555cfc3c1.exe C:\Users\Admin\AppData\Roaming\HTML.EXE
PID 1512 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\876edffdbb97362ec417169555cfc3c1.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1512 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\876edffdbb97362ec417169555cfc3c1.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1512 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\876edffdbb97362ec417169555cfc3c1.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1512 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\876edffdbb97362ec417169555cfc3c1.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2848 wrote to memory of 2744 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2848 wrote to memory of 2744 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2848 wrote to memory of 2744 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2848 wrote to memory of 2744 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2352 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Roaming\HTML.EXE C:\Windows\system32\schtasks.exe
PID 2352 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Roaming\HTML.EXE C:\Windows\system32\schtasks.exe
PID 2352 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Roaming\HTML.EXE C:\Windows\system32\schtasks.exe
PID 2352 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Roaming\HTML.EXE C:\Windows\system32\schtasks.exe
PID 2352 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Roaming\HTML.EXE C:\Windows\system32\schtasks.exe
PID 2352 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Roaming\HTML.EXE C:\Windows\system32\schtasks.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\876edffdbb97362ec417169555cfc3c1.exe

"C:\Users\Admin\AppData\Local\Temp\876edffdbb97362ec417169555cfc3c1.exe"

C:\Users\Admin\AppData\Roaming\HTML.EXE

"C:\Users\Admin\AppData\Roaming\HTML.EXE"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Roaming\PAYPAL-LOGIN.HTML

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2848 CREDAT:275457 /prefetch:2

C:\Windows\system32\schtasks.exe

"schtasks.exe" /create /f /tn "TCP Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp71B7.tmp"

C:\Windows\system32\schtasks.exe

"schtasks.exe" /create /f /tn "TCP Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp739B.tmp"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.paypalobjects.com udp
US 8.8.8.8:53 www.nexus.ensighten.com udp
US 192.229.221.25:443 www.paypalobjects.com tcp
US 192.229.221.25:443 www.paypalobjects.com tcp
US 8.8.8.8:53 DrFalamin-61658.portmap.io udp
US 8.8.4.4:53 DrFalamin-61658.portmap.io udp
US 8.8.8.8:53 DrFalamin-61658.portmap.io udp
US 8.8.8.8:53 DrFalamin-61658.portmap.io udp
US 8.8.4.4:53 DrFalamin-61658.portmap.io udp
US 8.8.8.8:53 DrFalamin-61658.portmap.io udp
US 8.8.4.4:53 DrFalamin-61658.portmap.io udp
US 8.8.8.8:53 DrFalamin-61658.portmap.io udp
US 8.8.4.4:53 DrFalamin-61658.portmap.io udp
US 8.8.8.8:53 DrFalamin-61658.portmap.io udp
US 8.8.4.4:53 DrFalamin-61658.portmap.io udp
US 8.8.8.8:53 DrFalamin-61658.portmap.io udp
US 8.8.4.4:53 DrFalamin-61658.portmap.io udp
US 8.8.8.8:53 DrFalamin-61658.portmap.io udp
US 8.8.4.4:53 DrFalamin-61658.portmap.io udp
US 8.8.8.8:53 DrFalamin-61658.portmap.io udp
US 8.8.4.4:53 DrFalamin-61658.portmap.io udp
US 8.8.8.8:53 DrFalamin-61658.portmap.io udp
US 8.8.4.4:53 DrFalamin-61658.portmap.io udp
US 8.8.8.8:53 DrFalamin-61658.portmap.io udp
US 8.8.4.4:53 DrFalamin-61658.portmap.io udp
US 8.8.8.8:53 DrFalamin-61658.portmap.io udp
US 8.8.4.4:53 DrFalamin-61658.portmap.io udp
US 8.8.8.8:53 DrFalamin-61658.portmap.io udp
US 8.8.4.4:53 DrFalamin-61658.portmap.io udp
US 8.8.8.8:53 DrFalamin-61658.portmap.io udp
US 8.8.4.4:53 DrFalamin-61658.portmap.io udp
US 8.8.8.8:53 DrFalamin-61658.portmap.io udp
US 8.8.4.4:53 DrFalamin-61658.portmap.io udp
US 8.8.8.8:53 DrFalamin-61658.portmap.io udp
US 8.8.4.4:53 DrFalamin-61658.portmap.io udp
US 8.8.8.8:53 DrFalamin-61658.portmap.io udp
US 8.8.4.4:53 DrFalamin-61658.portmap.io udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 DrFalamin-61658.portmap.io udp
US 8.8.4.4:53 DrFalamin-61658.portmap.io udp
US 8.8.8.8:53 DrFalamin-61658.portmap.io udp
US 8.8.4.4:53 DrFalamin-61658.portmap.io udp
US 8.8.8.8:53 DrFalamin-61658.portmap.io udp
US 8.8.4.4:53 DrFalamin-61658.portmap.io udp
US 8.8.8.8:53 DrFalamin-61658.portmap.io udp
US 8.8.4.4:53 DrFalamin-61658.portmap.io udp
US 8.8.8.8:53 DrFalamin-61658.portmap.io udp
US 8.8.4.4:53 DrFalamin-61658.portmap.io udp
US 8.8.8.8:53 DrFalamin-61658.portmap.io udp
US 8.8.4.4:53 DrFalamin-61658.portmap.io udp
US 8.8.8.8:53 DrFalamin-61658.portmap.io udp
US 8.8.4.4:53 DrFalamin-61658.portmap.io udp
US 8.8.8.8:53 DrFalamin-61658.portmap.io udp
US 8.8.4.4:53 DrFalamin-61658.portmap.io udp
US 8.8.8.8:53 DrFalamin-61658.portmap.io udp
US 8.8.4.4:53 DrFalamin-61658.portmap.io udp
US 8.8.8.8:53 DrFalamin-61658.portmap.io udp
US 8.8.4.4:53 DrFalamin-61658.portmap.io udp
US 8.8.8.8:53 DrFalamin-61658.portmap.io udp
US 8.8.4.4:53 DrFalamin-61658.portmap.io udp
US 8.8.8.8:53 DrFalamin-61658.portmap.io udp
US 8.8.4.4:53 DrFalamin-61658.portmap.io udp
US 8.8.8.8:53 DrFalamin-61658.portmap.io udp
US 8.8.4.4:53 DrFalamin-61658.portmap.io udp
US 8.8.8.8:53 DrFalamin-61658.portmap.io udp
US 8.8.4.4:53 DrFalamin-61658.portmap.io udp
US 8.8.8.8:53 DrFalamin-61658.portmap.io udp
US 8.8.4.4:53 DrFalamin-61658.portmap.io udp
US 8.8.8.8:53 DrFalamin-61658.portmap.io udp
US 8.8.4.4:53 DrFalamin-61658.portmap.io udp
US 8.8.8.8:53 DrFalamin-61658.portmap.io udp
US 8.8.4.4:53 DrFalamin-61658.portmap.io udp
US 8.8.8.8:53 DrFalamin-61658.portmap.io udp
US 8.8.4.4:53 DrFalamin-61658.portmap.io udp
US 8.8.8.8:53 DrFalamin-61658.portmap.io udp
US 8.8.4.4:53 DrFalamin-61658.portmap.io udp
US 8.8.8.8:53 DrFalamin-61658.portmap.io udp
US 8.8.4.4:53 DrFalamin-61658.portmap.io udp
US 8.8.8.8:53 DrFalamin-61658.portmap.io udp
US 8.8.4.4:53 DrFalamin-61658.portmap.io udp

Files

\Users\Admin\AppData\Roaming\HTML.EXE

MD5 e830cadaf96baeb8bdd213f838620f86
SHA1 632fb1b179e0b1e07bb32517c2d867aed5524084
SHA256 29b9b419d7963264dfbe6d61a3fb34c5d6aff6cca13891b029df000d2ea8b27b
SHA512 07db188bf6f6e6ded0a41df32eb1043b8ce1fc1ff8ba2b6de45373975b6f8b26b52c978060612325966399032a17580d1c511075cd3b040f810446c38eebfd88

memory/2352-12-0x0000000001FD0000-0x0000000002050000-memory.dmp

memory/2352-11-0x000007FEF5FC0000-0x000007FEF695D000-memory.dmp

memory/2352-13-0x000007FEF5FC0000-0x000007FEF695D000-memory.dmp

memory/2352-14-0x0000000001FD0000-0x0000000002050000-memory.dmp

C:\Users\Admin\AppData\Roaming\PAYPAL-LOGIN.HTML

MD5 6952fe039569ec7e147076c7cb4d0f8a
SHA1 504bdc08afb1cc99e639342b800362aa4fce61d0
SHA256 648605009eef3c4fe7ec6adb64a169e119d2e5bfe4a9321020b128239d7301ee
SHA512 2b57561b339a505b12dacf58cb6356b9be3e5316c33e7b4efb8678b99928fefb6c45c4b04e044abc9451cc9bd27928a4d7c6fdd1b622e9d179994420d80a041a

C:\Users\Admin\AppData\Local\Temp\tmp71B7.tmp

MD5 670354bb4a04e1a012e0f1d7e1ba2f15
SHA1 57ca4bd03304af6d1fbab6c1912170d79654f214
SHA256 d485bd5cf2b589afecad94cb1443aead858f1fad41b8d7060ca7582d96a347cd
SHA512 8ab15190daec573e9a1669f98fc8a8fb8540e5939dc853a163ee1072589dcc8a6e7475ed1ead7d5af1abd069dbf82cbb697225c9f0f2b60b8adc563312c560df

C:\Users\Admin\AppData\Local\Temp\tmp739B.tmp

MD5 bcd62151136ed0830ef8ebd62aae1ff9
SHA1 9ecabf4740f2d0c29870ee66e7d1f7ac3aa765fc
SHA256 f3bc62387f2dc130cbeb763f9114068642b3589b522c93a319147ba7f5ba8d5b
SHA512 2b47d73ceeaec013452838c9716c0b91a1270311a5c814b289f59eb32335af1e7da384ca03f0678c1fc59e204517b7cff781bb8f75b8e82e69afa249b1743572

memory/2352-23-0x000000001ADE0000-0x000000001ADEA000-memory.dmp

memory/2352-26-0x000000001ADF0000-0x000000001AE0E000-memory.dmp

memory/2352-25-0x0000000001FD0000-0x0000000002050000-memory.dmp

memory/2352-24-0x0000000001FD0000-0x0000000002050000-memory.dmp

memory/2352-41-0x0000000000290000-0x000000000029A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab759F.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

memory/2352-46-0x0000000001FD0000-0x0000000002050000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Tar767E.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7f161a8875ecc2aaa7e7e349ff9767e2
SHA1 e67ec6a7bd653b89b79e1f4c2b76715057981fb8
SHA256 3e08cf3b53e765a09ce2ec78e78e536afabe0f5c3db1ffe34c92bfe8db7734d9
SHA512 32168f5f87baf45baac137a37f4f73401efee9bbd1309185a8eb5e3b8986af7ebac9c4f9bf75d0469247eff996188c277d391b22a0fd60d99a4b18dd55fa6941

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5cfdb0565dd0f49b5f4e6fc5da053429
SHA1 856a50dd706db163653be954af5d65f602fcda4b
SHA256 1362ce9e03287645df4966de81dc6578ac52779ff6e074548358694fa5612228
SHA512 42948b05975eae10f182e58f0b7f7f7a3a1a226def1ad73188cc6a42ed705483e8d657f7051569bf27b33a136b81f02e74670819f850dec991139d76913daeb9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e7307be28f46db6b3632bde94608577c
SHA1 1e935497549e256e643bf413731d5d699f905f0a
SHA256 ce168d7c83bef3b9000a8fe600fbb00fef15fa8ea737b7a95041eebfeb18e45e
SHA512 7e70156f1bc216b05f6b6ab447fab6ffaaac92dd341fa050907d59cd8270328e6d8ffa0b0be2006623c1718e0327c42263004099e127a5bd2aa3fa87399343d8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 edbb57da2c51883f4f7cae3709dd2d8c
SHA1 a659f3b24d80b4081d746f101e715b46090bdecf
SHA256 9ad7cecb0fded3bb3631913a348acc62133480a3e0791a857459da27f01c0c2a
SHA512 d2ea421ee747bdec98edd96af124122b52df941539c93a71bccf214ac8c9ae46b2b048539fed26b1d6c9e4fd0f1ac55c34720bcae03290ffbd9b1bc1f50a53ec

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e032866fcbb563d6f1b88bca6e12459b
SHA1 7d507ffe035f7467c4453f017ccd4f4e28bf2628
SHA256 60a1838238117eb05242d56ac33f6b508b06e7e46f3a53170c084964830e2893
SHA512 107b6acb91e6a7847d7a1371157e25000f4f86cfaffc24a8117500b27906cffab294736356712c3331ef7056fea2847423744915078a33fb100829f4b870af00

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 318bae132b0c8d7492fe15505ea86ddb
SHA1 09bda49d288b0895adec6f15258d5e271d300988
SHA256 6754ac5e4ba0217cf0a9a0297e0836d4e342c9ea17f34d9175c676c6de9acc12
SHA512 e4a9cc554a19ce8bc88da84205dd7df59f530fe90a57262b40c25eeb8d8d7198c7026106c525044383dbb19ceeb35e0c36b5ed6e06b4b5f2b620af715d4c4870

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d84afe15a3ba30aa8ff8df85205eb7f4
SHA1 bd478ec1b5a64f7877f317ffa404fb9080acccb0
SHA256 deca4959ab36f671b70ab47046512cc051ab79a81100084c7420ce00a7af04a0
SHA512 6a1926602b65f42c710d16013cfc7603e31dac3ebf8a6962a2602bdd2ef448c8ba2c5694416071b4b602b738f5047e61e75d25b12ad681f15400519d4b6c6713

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 aca00848e96268bee026380ba0918866
SHA1 b9862d42dca342dcfc9e07b0760cdede8f644b8b
SHA256 48ab75c71a4ea42663742a07020f442999d7daadee6e7f260b6fb24e0e627e0f
SHA512 1296b5b08fb4475c183ff7209c02c764bf13d9c9b39692ec19c8cf4be57a866584db0ef5226e83ad365878d42461c6705f9850655ee072bfff1beba1d690e2c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 250b988c720f75cf212ba7c8aa1e86ee
SHA1 f160045ee667af933325b81548121138ecbe322d
SHA256 669f4b11ffe7c5c14a1cc9463460a0f90cf36c8a7fa7884eb30407156a8dae02
SHA512 7d8eaa66e0b00d0ec9c1546bf614400129e01679822921b586abcfd9fd7971f021ae7e765568bbd6e1f2a2c7174d0dc13b3cd1a20e29536bcb876dda70a8bbd8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e1f4d79f2d0849c0e7a06f4c9f76120e
SHA1 46ab104f282a92f9f88a1b0e0cb7d19371cd9df9
SHA256 c0f578bd49280e0e2b219e45a4de611a37cb14e8a4e8c81b5f4fd63b544ac183
SHA512 9504598b5a0570f5e24716e5d761747436581de3158c1cfc6fc25936e85c3921f267f2b207eeea4517ada9a75e3a7882e96b67de8ebf893d1ad9d0cb09d4b5f9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e935ee90c9fa2c82118ef66e0ac48240
SHA1 d0e2076c7a0eb4dcde06c579a4272ce5f2135ada
SHA256 b789767408b3489921f589c7aa2c2876bf30a2f4646c295ece3dadd332115b1a
SHA512 cc1a5a11929e8c0af6138e07bac1092d5f64da97af7db22b9fce9c72491868baad4e673993dbe9a670d3bb3fbce90accdba173c0640073b27751f1eedc5e11e6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1cb4c1c13bbce7217956fbde6aae705c
SHA1 dc2d8ee86051c28d7f860a1fc6fe06d341dea3d8
SHA256 8e26ddf1e98b9bfcaab5f53c12561326f49e3b91246dbd2356c36d745ab8bfc8
SHA512 f2f4bfd60b1fadcfe4d290389897fe571e6c7def0f66ed17ebb38816cee62b740d80e8b658f64033683cbcbc2c31f195e0ede207063820a8046426b1c88da5fe

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 80d537ed0e3bbb258a42b2211bf87d2b
SHA1 24419b716ac003127947b1bfc05afe52c915b32a
SHA256 940883e06021a4a8d7c9b56fbd41e3fbaab2974e7ec0f5b03a05c11b71fbb1e0
SHA512 0f003915284a1894f92d846f73439fda4a691dfc0afe4d705a9533de4b91fa46d4e29ffb9ef9c4a2eb0ee8fd9975d84c5ab5cafcd8e0c255bfd7c6ad98759532

memory/2352-517-0x000007FEF5FC0000-0x000007FEF695D000-memory.dmp

memory/2352-518-0x0000000001FD0000-0x0000000002050000-memory.dmp

memory/2352-519-0x0000000001FD0000-0x0000000002050000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 26febd73b879cb7f7e1efc1c501d4822
SHA1 d172956b37e2b813104116b72b7fb688f9617105
SHA256 758550bc433a6ea27683ec333e05e8857ceb29fa6fb83efa2ee21e8d167b88f1
SHA512 abce411d2e8587bf3a6a71a87eef4c7085b0909f97b48f842a24170d7f6444adecda741d0f44e49c19719b382da2afe5cbc48b1ee950b326d198d52b0e81d65b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3ce4f44efef4537231121674c8a60e82
SHA1 cbc5191a765152aed70fdc40724d28d00dfcce9c
SHA256 8f53b25a0a11d86cd076b018288852befbec9a1e5c1dca6856a280aacb49f775
SHA512 e65a7bb98f80614007b6933dbb5274a628985ec4aec034ee5c67cdfdd193941d11cd37dcf994208045a9dd099c20da39ef5c173f0002e1c62626d36a2c436e3e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 af9b2f819559a0a9c557db254afb8d6f
SHA1 5431b18929c243f0baa6b46436014c6a2242baa1
SHA256 c6564609b7d221c782afe337e90f54456fc80b90a4113cce2ea9655379515203
SHA512 67ccb83a481f07b02932e33b72972b620acb70b2573641190be8e3f061fde476ea3f3c5344656ea90d505ff8cbae846c847bfb8d1045af859cb7add4d09a7499

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c82380d74837a864884981ca812aac5e
SHA1 ba276885a18066b19ff15f0b0c11232bae5886c2
SHA256 e886b7d83452e38bded94f97e6e3820fe978c310ebfec2798e6f59492f55574b
SHA512 7739297cec6f56a66d9b0832d466af6e2909ca17423fa3fbf4600c4fad0768917eedbe0a0222bd057fffb4f4d5be9ea2cbe6b8587535b6730ba0fc30a5777315

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 00b9ac63f4b64c1f7ac3df151cf4500d
SHA1 f2b8d2dec34de1c8211d23c8bfbbe2047565ee15
SHA256 aa5bcbbf0f59238eaa6f669f0dd168389f50fe7d2b838943132b38cb317d2b3a
SHA512 42b50806fd3227b47117503f47c6906c28eaafb426a0e5a7b056f97fc17c36e41f0da4df14cbf011e0f9328e623599056d70943f64a7a854f50beb0d5b44b302

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 382dc902d6ffdc8798535e0e57dca757
SHA1 73d3ed4e625a476e94ddb7c34e00aee9c50ebd3e
SHA256 1aeba314e18346ae882a2cb86ccc22f01e4e7661362e67a6e73de0f05c5a3c71
SHA512 83d799601a3576d52e911fc0cf84f185e3c17329220378b157e3bbe93227992e20bb4ae520514a5df6d8944b9d3b3991b59bcaf6e38e79b1fa2cf88aa054aee9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e98221fa47fc20c33c9cc9875f9a4527
SHA1 d078cd2947cdacddd0853676f3c66c3fc9f83708
SHA256 b4b7940a27edf7e2fae923faab487a90eba6a0ae71892b03f0d259f9905be610
SHA512 6566804a47ffe3baa86473d86ba085ca392c3c3ea4fec6b8b7bec73be0cc8383d80d704a94f5bc329e8d9519817a8739866506fd14edfdd30720fd637988c955

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0952d70f7dab836a52ce6ad29ea471d6
SHA1 87f5f105b9110e4a850376ba87877d23ac709db2
SHA256 a40daac4433915ba94569ad204b094b5f3379cc8e2d78f2502c6835dd0cf329d
SHA512 18f7a0af2fb1431667c0dbfb2f1fd42593ed4456427ea18d79c259f46a0d376f4168f8b583c4c58af7f00e38c276f6551a8d6a1205425943227248b165c6ee17

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1c471f2ca63c705509c5516c30d39138
SHA1 3533c76831554b28aa57772d620c1a899666ec68
SHA256 b609fcd25acbcc9c2ecb71ecce0b40e9067f0552eae54b4649e13d53e0e0b265
SHA512 f88bea2673d563bc5a423847f57d768d1202aa3e287ccbe7af422a5d1a36c12b8248eea284778650f293e9c0309a06e88225fa3869d0d116877bb29ed2f5aa9c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ea2e7057d0684a0f1bc79e6242ee092a
SHA1 99f6e758eef700640d973284b15772129aab2c11
SHA256 8b10676515a27fa8d531ae1938fc325567cdd5fd647f872a3c53ff0eca14ad7e
SHA512 ff4ad92b7cd8f4e4de0714de7a6a39b6d7501e799457c0fcdc77dbd7f3bc9d1ade82721902d432af87b62671510618fbb0b0ed1f33bdcc4f407efd8913ccf406

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 12b34c6ad9187e1737e42a1f108804ee
SHA1 fd1e6164a015511df1ed7b0d60fc8a6967fc5d40
SHA256 8601daa0289ddf98608d5cbc9e19d6c0910c7ef2167f6c9ca9540fede3cfef7a
SHA512 35f5bce98572cfd9fcd12e0050da0ab52b8161a4ba05a290210e9d6ee8e5df63aed89903f224422f4e7118b2a74af950b51a649923a2250a466b72884325f5b0

Analysis: behavioral2

Detonation Overview

Submitted 2023-12-19 19:41
Reported 2023-12-20 08:06
Platform win10v2004-20231215-en
Max time kernel 147s
Max time network 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\876edffdbb97362ec417169555cfc3c1.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\876edffdbb97362ec417169555cfc3c1.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\HTML.EXE N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AGP Manager = "C:\\Program Files\\AGP Manager\\agpmgr.exe" C:\Users\Admin\AppData\Roaming\HTML.EXE N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Roaming\HTML.EXE N/A

Detected potential entity reuse from brand paypal.

phishing paypal

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\AGP Manager\agpmgr.exe C:\Users\Admin\AppData\Roaming\HTML.EXE N/A
File opened for modification C:\Program Files\AGP Manager\agpmgr.exe C:\Users\Admin\AppData\Roaming\HTML.EXE N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\HTML.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\HTML.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1556 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\876edffdbb97362ec417169555cfc3c1.exe C:\Users\Admin\AppData\Roaming\HTML.EXE
PID 1556 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\876edffdbb97362ec417169555cfc3c1.exe C:\Users\Admin\AppData\Roaming\HTML.EXE
PID 1556 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\876edffdbb97362ec417169555cfc3c1.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1556 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\876edffdbb97362ec417169555cfc3c1.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1284 wrote to memory of 1156 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1284 wrote to memory of 1156 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1284 wrote to memory of 2004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1284 wrote to memory of 2004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1284 wrote to memory of 2004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1284 wrote to memory of 2004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1284 wrote to memory of 2004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1284 wrote to memory of 2004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1284 wrote to memory of 2004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1284 wrote to memory of 2004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1284 wrote to memory of 2004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1284 wrote to memory of 2004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1284 wrote to memory of 2004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1284 wrote to memory of 2004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1284 wrote to memory of 2004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1284 wrote to memory of 2004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1284 wrote to memory of 2004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1284 wrote to memory of 2004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1284 wrote to memory of 2004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1284 wrote to memory of 2004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1284 wrote to memory of 2004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1284 wrote to memory of 2004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1284 wrote to memory of 2004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1284 wrote to memory of 2004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1284 wrote to memory of 2004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1284 wrote to memory of 2004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1284 wrote to memory of 2004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1284 wrote to memory of 2004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1284 wrote to memory of 2004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1284 wrote to memory of 2004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1284 wrote to memory of 2004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1284 wrote to memory of 2004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1284 wrote to memory of 2004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1284 wrote to memory of 2004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1284 wrote to memory of 2004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1284 wrote to memory of 2004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1284 wrote to memory of 2004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1284 wrote to memory of 2004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1284 wrote to memory of 2004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1284 wrote to memory of 2004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1284 wrote to memory of 2004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1284 wrote to memory of 2004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1284 wrote to memory of 4592 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1284 wrote to memory of 4592 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1284 wrote to memory of 212 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1284 wrote to memory of 212 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1284 wrote to memory of 212 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1284 wrote to memory of 212 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1284 wrote to memory of 212 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1284 wrote to memory of 212 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1284 wrote to memory of 212 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1284 wrote to memory of 212 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1284 wrote to memory of 212 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1284 wrote to memory of 212 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1284 wrote to memory of 212 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1284 wrote to memory of 212 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1284 wrote to memory of 212 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1284 wrote to memory of 212 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1284 wrote to memory of 212 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1284 wrote to memory of 212 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\876edffdbb97362ec417169555cfc3c1.exe

"C:\Users\Admin\AppData\Local\Temp\876edffdbb97362ec417169555cfc3c1.exe"

C:\Users\Admin\AppData\Roaming\HTML.EXE

"C:\Users\Admin\AppData\Roaming\HTML.EXE"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Roaming\PAYPAL-LOGIN.HTML

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9324546f8,0x7ff932454708,0x7ff932454718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,3370836969488569170,12201815318192495716,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2708 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,3370836969488569170,12201815318192495716,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,3370836969488569170,12201815318192495716,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2196 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,3370836969488569170,12201815318192495716,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,3370836969488569170,12201815318192495716,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\SYSTEM32\schtasks.exe

"schtasks.exe" /create /f /tn "AGP Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmp47D6.tmp"

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\SYSTEM32\schtasks.exe

"schtasks.exe" /create /f /tn "AGP Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp48F1.tmp"

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,3370836969488569170,12201815318192495716,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5204 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,3370836969488569170,12201815318192495716,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5204 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,3370836969488569170,12201815318192495716,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,3370836969488569170,12201815318192495716,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,3370836969488569170,12201815318192495716,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4824 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,3370836969488569170,12201815318192495716,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3508 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,3370836969488569170,12201815318192495716,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1980 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 85.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 www.paypalobjects.com udp
US 192.229.221.25:443 www.paypalobjects.com tcp
US 192.229.221.25:443 www.paypalobjects.com tcp
US 192.229.221.25:443 www.paypalobjects.com tcp
US 8.8.8.8:53 www.nexus.ensighten.com udp
US 8.8.8.8:53 25.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 DrFalamin-61658.portmap.io udp
US 8.8.4.4:53 DrFalamin-61658.portmap.io udp
US 8.8.8.8:53 DrFalamin-61658.portmap.io udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 4.4.8.8.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 DrFalamin-61658.portmap.io udp
US 8.8.4.4:53 DrFalamin-61658.portmap.io udp
US 8.8.8.8:53 DrFalamin-61658.portmap.io udp
US 8.8.4.4:53 DrFalamin-61658.portmap.io udp
US 8.8.8.8:53 DrFalamin-61658.portmap.io udp
US 8.8.8.8:53 DrFalamin-61658.portmap.io udp
US 8.8.4.4:53 DrFalamin-61658.portmap.io udp
US 8.8.8.8:53 DrFalamin-61658.portmap.io udp
US 8.8.4.4:53 DrFalamin-61658.portmap.io udp
US 8.8.8.8:53 DrFalamin-61658.portmap.io udp
US 8.8.8.8:53 DrFalamin-61658.portmap.io udp
US 8.8.4.4:53 DrFalamin-61658.portmap.io udp
US 8.8.8.8:53 DrFalamin-61658.portmap.io udp
US 8.8.4.4:53 DrFalamin-61658.portmap.io udp
US 8.8.8.8:53 DrFalamin-61658.portmap.io udp
US 8.8.8.8:53 DrFalamin-61658.portmap.io udp
US 8.8.4.4:53 DrFalamin-61658.portmap.io udp
US 8.8.8.8:53 DrFalamin-61658.portmap.io udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 DrFalamin-61658.portmap.io udp
US 8.8.4.4:53 DrFalamin-61658.portmap.io udp
US 8.8.8.8:53 DrFalamin-61658.portmap.io udp
US 8.8.4.4:53 DrFalamin-61658.portmap.io udp
US 8.8.8.8:53 DrFalamin-61658.portmap.io udp
US 8.8.8.8:53 DrFalamin-61658.portmap.io udp
US 8.8.4.4:53 DrFalamin-61658.portmap.io udp
US 8.8.8.8:53 DrFalamin-61658.portmap.io udp
US 8.8.8.8:53 DrFalamin-61658.portmap.io udp
US 8.8.4.4:53 DrFalamin-61658.portmap.io udp
US 8.8.8.8:53 DrFalamin-61658.portmap.io udp
US 8.8.4.4:53 DrFalamin-61658.portmap.io udp
US 8.8.8.8:53 DrFalamin-61658.portmap.io udp
US 8.8.8.8:53 DrFalamin-61658.portmap.io udp
US 8.8.4.4:53 DrFalamin-61658.portmap.io udp
US 8.8.8.8:53 DrFalamin-61658.portmap.io udp
US 8.8.4.4:53 DrFalamin-61658.portmap.io udp
US 8.8.8.8:53 DrFalamin-61658.portmap.io udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 DrFalamin-61658.portmap.io udp
US 8.8.4.4:53 DrFalamin-61658.portmap.io udp
US 8.8.8.8:53 DrFalamin-61658.portmap.io udp
US 8.8.4.4:53 DrFalamin-61658.portmap.io udp
US 8.8.8.8:53 DrFalamin-61658.portmap.io udp
US 8.8.8.8:53 DrFalamin-61658.portmap.io udp
US 8.8.4.4:53 DrFalamin-61658.portmap.io udp
US 8.8.8.8:53 DrFalamin-61658.portmap.io udp
US 8.8.4.4:53 DrFalamin-61658.portmap.io udp
US 8.8.8.8:53 DrFalamin-61658.portmap.io udp
US 8.8.8.8:53 DrFalamin-61658.portmap.io udp
US 8.8.4.4:53 DrFalamin-61658.portmap.io udp
US 8.8.8.8:53 DrFalamin-61658.portmap.io udp
US 8.8.4.4:53 DrFalamin-61658.portmap.io udp
US 8.8.8.8:53 DrFalamin-61658.portmap.io udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 DrFalamin-61658.portmap.io udp
US 8.8.4.4:53 DrFalamin-61658.portmap.io udp
US 8.8.8.8:53 DrFalamin-61658.portmap.io udp
US 8.8.4.4:53 DrFalamin-61658.portmap.io udp
US 8.8.8.8:53 DrFalamin-61658.portmap.io udp
US 8.8.8.8:53 DrFalamin-61658.portmap.io udp
US 8.8.4.4:53 DrFalamin-61658.portmap.io udp
US 8.8.8.8:53 DrFalamin-61658.portmap.io udp
US 8.8.4.4:53 DrFalamin-61658.portmap.io udp
US 8.8.8.8:53 DrFalamin-61658.portmap.io udp
US 8.8.8.8:53 DrFalamin-61658.portmap.io udp
US 8.8.4.4:53 DrFalamin-61658.portmap.io udp
US 8.8.8.8:53 DrFalamin-61658.portmap.io udp
US 8.8.8.8:53 DrFalamin-61658.portmap.io udp
US 8.8.4.4:53 DrFalamin-61658.portmap.io udp
US 8.8.8.8:53 DrFalamin-61658.portmap.io udp
US 8.8.4.4:53 DrFalamin-61658.portmap.io udp
US 8.8.8.8:53 DrFalamin-61658.portmap.io udp
US 8.8.8.8:53 DrFalamin-61658.portmap.io udp
US 8.8.4.4:53 DrFalamin-61658.portmap.io udp
US 8.8.8.8:53 DrFalamin-61658.portmap.io udp
US 8.8.4.4:53 DrFalamin-61658.portmap.io udp
US 8.8.8.8:53 DrFalamin-61658.portmap.io udp
US 8.8.8.8:53 DrFalamin-61658.portmap.io udp
US 8.8.4.4:53 DrFalamin-61658.portmap.io udp
US 8.8.8.8:53 DrFalamin-61658.portmap.io udp
US 8.8.4.4:53 DrFalamin-61658.portmap.io udp
US 8.8.8.8:53 DrFalamin-61658.portmap.io udp
US 8.8.8.8:53 DrFalamin-61658.portmap.io udp
US 8.8.4.4:53 DrFalamin-61658.portmap.io udp
US 8.8.8.8:53 DrFalamin-61658.portmap.io udp
US 8.8.4.4:53 DrFalamin-61658.portmap.io udp
US 8.8.8.8:53 DrFalamin-61658.portmap.io udp
US 8.8.8.8:53 DrFalamin-61658.portmap.io udp
US 8.8.4.4:53 DrFalamin-61658.portmap.io udp
US 8.8.8.8:53 DrFalamin-61658.portmap.io udp
US 8.8.8.8:53 DrFalamin-61658.portmap.io udp
US 8.8.4.4:53 DrFalamin-61658.portmap.io udp

Files

C:\Users\Admin\AppData\Roaming\HTML.EXE

MD5 e830cadaf96baeb8bdd213f838620f86
SHA1 632fb1b179e0b1e07bb32517c2d867aed5524084
SHA256 29b9b419d7963264dfbe6d61a3fb34c5d6aff6cca13891b029df000d2ea8b27b
SHA512 07db188bf6f6e6ded0a41df32eb1043b8ce1fc1ff8ba2b6de45373975b6f8b26b52c978060612325966399032a17580d1c511075cd3b040f810446c38eebfd88

memory/2908-13-0x000000001BFB0000-0x000000001C47E000-memory.dmp

memory/2908-14-0x0000000001400000-0x0000000001410000-memory.dmp

memory/2908-20-0x000000001B9F0000-0x000000001BA8C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 5e77545b7e1c504b2f5ce7c5cc2ce1fe
SHA1 d81a6af13cf31fa410b85471e4509124ebeaff7e
SHA256 cbb617cd6cde793f367df016b200d35ce3c521ab901bbcb52928576bb180bc11
SHA512 cbc65c61334a8b18ece79acdb30a4af80aa9448c3edc3902b00eb48fd5038bf6013d1f3f6436c1bcb637e78c485ae8e352839ca3c9ddf7e45b3b82d23b0e6e37

memory/2908-12-0x00007FF922F30000-0x00007FF9238D1000-memory.dmp

memory/2908-21-0x00007FF922F30000-0x00007FF9238D1000-memory.dmp

memory/2908-22-0x000000001C630000-0x000000001C6D6000-memory.dmp

memory/2908-28-0x00000000015D0000-0x00000000015D8000-memory.dmp

\??\pipe\LOCAL\crashpad_1284_TIBNYWRDWINUNNST

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2908-35-0x0000000001400000-0x0000000001410000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 57d30c2dfadc82ca897e6a38b8b1c184
SHA1 59feea3f5452c4ee1a5e3914696b6921508cc9c4
SHA256 171eadd6b8fa5230e42b0d34119852e17820139e0f185669a334348457ae3cdd
SHA512 208b10e81dd893a41757d7c43631db24c251fc8224fa7378ebc63e25fcd3743973acc250beb73086151bb1b02d70c3246ca0920afd072e02986e6d0c914fcac5

C:\Users\Admin\AppData\Roaming\PAYPAL-LOGIN.HTML

MD5 ce6e688185185becb9884fa64c27fd13
SHA1 45ed60b0db22e322e3284cf32a755e8e8bdb8228
SHA256 9447c943ed57efddba5cf2e4bcab3e50e8d3242b3d35e18288c64a3776f802e8
SHA512 097f641d40de8157b036aab8f1e00514b7c8c67fbd74bd2a1ba9f25736f79775525bb92c2ac9c1ab467607921be5964fae954816ecda9a9c6aca7d3b28e1020c

C:\Users\Admin\AppData\Local\Temp\tmp47D6.tmp

MD5 670354bb4a04e1a012e0f1d7e1ba2f15
SHA1 57ca4bd03304af6d1fbab6c1912170d79654f214
SHA256 d485bd5cf2b589afecad94cb1443aead858f1fad41b8d7060ca7582d96a347cd
SHA512 8ab15190daec573e9a1669f98fc8a8fb8540e5939dc853a163ee1072589dcc8a6e7475ed1ead7d5af1abd069dbf82cbb697225c9f0f2b60b8adc563312c560df

C:\Users\Admin\AppData\Local\Temp\tmp48F1.tmp

MD5 f556f62f0e063d44f448e11d03cebaef
SHA1 2b86053a501354481a1df15ff43822a93ac045c2
SHA256 4075cb101a2a52ac2d736c6fd665a6c80b81cea6b31aad9f034c726abd60998c
SHA512 cf1c81b178d746f94c4d7fcbe3a6bcc584190ba79203066e7833ab42b5dce698cff595c4414ab7b7fe2ddc278ecb9f76644475d62a9520b83bb1fa53c8d4c49f

memory/2908-58-0x000000001CEB0000-0x000000001CEBA000-memory.dmp

memory/2908-60-0x000000001D0D0000-0x000000001D0EE000-memory.dmp

memory/2908-59-0x000000001C8D0000-0x000000001C9D0000-memory.dmp

memory/2908-66-0x000000001CE40000-0x000000001CE4A000-memory.dmp

memory/2908-71-0x000000001C8D0000-0x000000001C9D0000-memory.dmp

memory/2908-72-0x000000001C8D0000-0x000000001C9D0000-memory.dmp

memory/2908-73-0x0000000001400000-0x0000000001410000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 d997f3d2dc78813293f02071fca7e25e
SHA1 68bfabbb5e60665c8896e1f030fa089cfc278907
SHA256 505ec7723bb936972fb5b514a616339ad82b1af118370201859fb3aa1ebf9a2d
SHA512 f81e972e66e0c3b516337129e15fdad3e07272509b962167e7fa63dc4beb06f6da79abff1f9728e1b0ebbdc44afafd20327ec41959104dc5913ae3417bc23844

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 0b081329a05d09a6a09b7c8c27df4463
SHA1 2790624f77a7187c360de8d70a5271d2597e6713
SHA256 82c59fa6bf8901d2e1e7d61c77650a08bcab779cec3e98ec9e9d7392b3b63c41
SHA512 1bd9087e074dc874ef07619a12f4b35249332bde71a90445d32bb61a15cd5f9599f75c26480275ce03832304dd03abe94a2cf1285dab118f43891978c5973394

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 6db2d2ceb22a030bd1caa72b32cfbf98
SHA1 fe50f35e60f88624a28b93b8a76be1377957618b
SHA256 7b22b0b16088ab7f7d6f938d7cfe9ae807856662ce3a63e7de6c8107186853e4
SHA512 d5a67a394003f559c98e1a1e9e31c2d473d04cc075b08bb0aab115ce42744da536895df2cec73fa54fc36f38d38e4906680cfacfbf4698ee925f1609fbb07912

memory/2908-114-0x00007FF922F30000-0x00007FF9238D1000-memory.dmp

memory/2908-117-0x00007FF922F30000-0x00007FF9238D1000-memory.dmp

memory/2908-118-0x0000000001400000-0x0000000001410000-memory.dmp

memory/2908-119-0x0000000001400000-0x0000000001410000-memory.dmp

memory/2908-120-0x000000001C8D0000-0x000000001C9D0000-memory.dmp

memory/2908-121-0x000000001C8D0000-0x000000001C9D0000-memory.dmp

memory/2908-122-0x000000001C8D0000-0x000000001C9D0000-memory.dmp

memory/2908-123-0x0000000001400000-0x0000000001410000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 efd079652ad21c50d69ad30ccf61a40d
SHA1 000bc74057bb6ab42d2a160349e1597edb211bc2
SHA256 045646bc1a87f1ce57c87ba8a6ed5332e36f71e667ac712be1df2fef80385f8f
SHA512 35f643af8bb12bb445e3e6ce7577376dc69010ddf8d7e76752d703cb50f091bdeb9947b9718baa6e9e286d69df19a794522e446f29d58dc26dfea571045f51ab