hxxp://ydlp[.]gnovestol[.]ru/J14w5E/$test@sk[.]com

Resubmissions

11/03/2025, 20:09

250311-yxgvmsvsey 8

11/03/2025, 20:00

11/03/2025, 19:50

11/03/2025, 19:37

11/03/2025, 19:33

Analysis

max time kernel
480s
max time network
490s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
11/03/2025, 19:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://ydlp.gnovestol.ru/J14w5E/[email protected]

Score

10^/10

google discovery phishing

Malware Config

Signatures

Detected google phishing page 1 IoCs

phishing google

flow	pid	Process
98	4048	msedge.exe

A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4048	msedge.exe
4048	msedge.exe
1288	msedge.exe
1288	msedge.exe
5032	identity_helper.exe
5032	identity_helper.exe
5600	msedge.exe
5600	msedge.exe
5600	msedge.exe
5600	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 27 IoCs

pid	Process
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
5720	OpenWith.exe
5720	OpenWith.exe
5720	OpenWith.exe
5720	OpenWith.exe
5720	OpenWith.exe
5720	OpenWith.exe
5720	OpenWith.exe
5720	OpenWith.exe
5720	OpenWith.exe
5720	OpenWith.exe
5720	OpenWith.exe
5720	OpenWith.exe
5720	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1288 wrote to memory of 4052	1288	msedge.exe	85
PID 1288 wrote to memory of 4052	1288	msedge.exe	85
PID 1288 wrote to memory of 2852	1288	msedge.exe	86
PID 1288 wrote to memory of 2852	1288	msedge.exe	86
PID 1288 wrote to memory of 2852	1288	msedge.exe	86
PID 1288 wrote to memory of 2852	1288	msedge.exe	86
PID 1288 wrote to memory of 2852	1288	msedge.exe	86
PID 1288 wrote to memory of 2852	1288	msedge.exe	86
PID 1288 wrote to memory of 2852	1288	msedge.exe	86
PID 1288 wrote to memory of 2852	1288	msedge.exe	86
PID 1288 wrote to memory of 2852	1288	msedge.exe	86
PID 1288 wrote to memory of 2852	1288	msedge.exe	86
PID 1288 wrote to memory of 2852	1288	msedge.exe	86
PID 1288 wrote to memory of 2852	1288	msedge.exe	86
PID 1288 wrote to memory of 2852	1288	msedge.exe	86
PID 1288 wrote to memory of 2852	1288	msedge.exe	86
PID 1288 wrote to memory of 2852	1288	msedge.exe	86
PID 1288 wrote to memory of 2852	1288	msedge.exe	86
PID 1288 wrote to memory of 2852	1288	msedge.exe	86
PID 1288 wrote to memory of 2852	1288	msedge.exe	86
PID 1288 wrote to memory of 2852	1288	msedge.exe	86
PID 1288 wrote to memory of 2852	1288	msedge.exe	86
PID 1288 wrote to memory of 2852	1288	msedge.exe	86
PID 1288 wrote to memory of 2852	1288	msedge.exe	86
PID 1288 wrote to memory of 2852	1288	msedge.exe	86
PID 1288 wrote to memory of 2852	1288	msedge.exe	86
PID 1288 wrote to memory of 2852	1288	msedge.exe	86
PID 1288 wrote to memory of 2852	1288	msedge.exe	86
PID 1288 wrote to memory of 2852	1288	msedge.exe	86
PID 1288 wrote to memory of 2852	1288	msedge.exe	86
PID 1288 wrote to memory of 2852	1288	msedge.exe	86
PID 1288 wrote to memory of 2852	1288	msedge.exe	86
PID 1288 wrote to memory of 2852	1288	msedge.exe	86
PID 1288 wrote to memory of 2852	1288	msedge.exe	86
PID 1288 wrote to memory of 2852	1288	msedge.exe	86
PID 1288 wrote to memory of 2852	1288	msedge.exe	86
PID 1288 wrote to memory of 2852	1288	msedge.exe	86
PID 1288 wrote to memory of 2852	1288	msedge.exe	86
PID 1288 wrote to memory of 2852	1288	msedge.exe	86
PID 1288 wrote to memory of 2852	1288	msedge.exe	86
PID 1288 wrote to memory of 2852	1288	msedge.exe	86
PID 1288 wrote to memory of 2852	1288	msedge.exe	86
PID 1288 wrote to memory of 4048	1288	msedge.exe	87
PID 1288 wrote to memory of 4048	1288	msedge.exe	87
PID 1288 wrote to memory of 4536	1288	msedge.exe	88
PID 1288 wrote to memory of 4536	1288	msedge.exe	88
PID 1288 wrote to memory of 4536	1288	msedge.exe	88
PID 1288 wrote to memory of 4536	1288	msedge.exe	88
PID 1288 wrote to memory of 4536	1288	msedge.exe	88
PID 1288 wrote to memory of 4536	1288	msedge.exe	88
PID 1288 wrote to memory of 4536	1288	msedge.exe	88
PID 1288 wrote to memory of 4536	1288	msedge.exe	88
PID 1288 wrote to memory of 4536	1288	msedge.exe	88
PID 1288 wrote to memory of 4536	1288	msedge.exe	88
PID 1288 wrote to memory of 4536	1288	msedge.exe	88
PID 1288 wrote to memory of 4536	1288	msedge.exe	88
PID 1288 wrote to memory of 4536	1288	msedge.exe	88
PID 1288 wrote to memory of 4536	1288	msedge.exe	88
PID 1288 wrote to memory of 4536	1288	msedge.exe	88
PID 1288 wrote to memory of 4536	1288	msedge.exe	88
PID 1288 wrote to memory of 4536	1288	msedge.exe	88
PID 1288 wrote to memory of 4536	1288	msedge.exe	88
PID 1288 wrote to memory of 4536	1288	msedge.exe	88
PID 1288 wrote to memory of 4536	1288	msedge.exe	88

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://ydlp.gnovestol.ru/J14w5E/[email protected]
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0x9c,0x108,0x7ffce12246f8,0x7ffce1224708,0x7ffce1224718
  2⤵
  PID:4052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,11581172934725881525,5838640855096399195,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2
  2⤵
  PID:2852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,11581172934725881525,5838640855096399195,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:3
  2⤵
  - Detected google phishing page
  - Suspicious behavior: EnumeratesProcesses
  PID:4048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,11581172934725881525,5838640855096399195,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2788 /prefetch:8
  2⤵
  PID:4536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,11581172934725881525,5838640855096399195,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
  2⤵
  PID:4264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,11581172934725881525,5838640855096399195,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:2400
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,11581172934725881525,5838640855096399195,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5224 /prefetch:8
  2⤵
  PID:4060
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,11581172934725881525,5838640855096399195,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5224 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,11581172934725881525,5838640855096399195,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5284 /prefetch:1
  2⤵
  PID:1464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,11581172934725881525,5838640855096399195,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5300 /prefetch:1
  2⤵
  PID:5084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,11581172934725881525,5838640855096399195,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4116 /prefetch:1
  2⤵
  PID:3928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,11581172934725881525,5838640855096399195,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:1
  2⤵
  PID:3876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,11581172934725881525,5838640855096399195,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5032 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,11581172934725881525,5838640855096399195,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5372 /prefetch:1
  2⤵
  PID:4400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,11581172934725881525,5838640855096399195,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2492 /prefetch:1
  2⤵
  PID:3824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,11581172934725881525,5838640855096399195,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:1
  2⤵
  PID:1768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,11581172934725881525,5838640855096399195,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4004 /prefetch:1
  2⤵
  PID:5968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,11581172934725881525,5838640855096399195,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3732 /prefetch:1
  2⤵
  PID:5188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,11581172934725881525,5838640855096399195,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:1
  2⤵
  PID:3936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,11581172934725881525,5838640855096399195,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5664 /prefetch:1
  2⤵
  PID:1924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,11581172934725881525,5838640855096399195,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
  2⤵
  PID:4912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,11581172934725881525,5838640855096399195,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5300 /prefetch:1
  2⤵
  PID:5804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,11581172934725881525,5838640855096399195,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5012 /prefetch:1
  2⤵
  PID:1176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,11581172934725881525,5838640855096399195,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3204 /prefetch:1
  2⤵
  PID:1512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,11581172934725881525,5838640855096399195,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2156 /prefetch:1
  2⤵
  PID:952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,11581172934725881525,5838640855096399195,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6176 /prefetch:1
  2⤵
  PID:5416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,11581172934725881525,5838640855096399195,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2072 /prefetch:1
  2⤵
  PID:5528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,11581172934725881525,5838640855096399195,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1184 /prefetch:1
  2⤵
  PID:788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,11581172934725881525,5838640855096399195,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3036 /prefetch:1
  2⤵
  PID:3180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,11581172934725881525,5838640855096399195,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6220 /prefetch:1
  2⤵
  PID:4704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,11581172934725881525,5838640855096399195,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2492 /prefetch:1
  2⤵
  PID:5864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,11581172934725881525,5838640855096399195,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6108 /prefetch:1
  2⤵
  PID:3752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,11581172934725881525,5838640855096399195,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5448 /prefetch:1
  2⤵
  PID:5264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,11581172934725881525,5838640855096399195,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5840 /prefetch:1
  2⤵
  PID:6088

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:816

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:208

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0d6b4373e059c5b1fc25b68e6d990827

SHA1
b924e33d05263bffdff75d218043eed370108161

SHA256
fafcaeb410690fcf64fd35de54150c2f9f45b96de55812309c762e0a336b4aa2

SHA512
9bffd6911c9071dd70bc4366655f2370e754274f11c2e92a9ac2f760f316174a0af4e01ddb6f071816fdcad4bb00ff49915fb18fde7ee2dabb953a29e87d29e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a4852fc46a00b2fbd09817fcd179715d

SHA1
b5233a493ea793f7e810e578fe415a96e8298a3c

SHA256
6cbb88dea372a5b15d661e78a983b0c46f7ae4d72416978814a17aa65a73079f

SHA512
38972cf90f5ca9286761280fcf8aa375f316eb59733466375f8ba055ce84b6c54e2297bad9a4212374c860898517e5a0c69343190fc4753aafc904557c1ea6dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
6bdd7b9eb064ee462860270937b56081

SHA1
3a14cdeabdc3272fed3e83670b516fea5c3230ee

SHA256
81e7d09b88ab264eab592a784b3572bc9e9084deefa90ec17987025208514817

SHA512
a029a2c17ad66fc37ceae794aa34de87942972b8e92f32e00288cdfc558f31a496f2be9c8db33d613b7b63a93a827bc8f818140956077b1376f419317106f58f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
754a9764fafbd10b7df410ddbc4c3af7

SHA1
080bc3fce77fa33b4e4b4c8476a525d88a56f549

SHA256
2f5a938b60f6feb2c2e628e6cbc8a04f79da8235cef06a282686905d279eb38c

SHA512
2f4d3f3a2c502ae140f43e2db751a3e729abbaa407e735fba08a023ce540f30c6a2a20254264747f5981d06e4c2944e8d55b05c331f715463dc059998179070c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
8ea20c314bef796007e972425bada2bd

SHA1
f681c9a6c0a166b4133914b08a0e51135cb424c3

SHA256
d8b11f1c4d13581c05beffd4d105b91dcea429b36164db081dbcf3d0cf05b892

SHA512
6cad51d74efdfda112b430531606fd7d502dd8e0bf9449b95ebb49caf0746fb19b5706274df6b243effd8ec069393d88c3b6bf922acc55c39e0fb159ee8bc828

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
570B

MD5
40afea195eaaf8869ba5d1ff256bcba8

SHA1
96c9522f9b398c75d9f510c99f7c36eec5514ab3

SHA256
e7dec086a6e6509659cf8995e22b38f606637c67ded4ea1ca0a79751cbfdba39

SHA512
eb5546bd1938d20efcaa8faf2d84847e0d565260a3d9c25ad23b11a33bd746cb928ca2b630a069ee86685494fa70d2dbfd3cf218106672b327d83e73e2cba102

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
2d79b19da4abb52f28480488387222ca

SHA1
b8a5e838febe24aaea84f7592f397da15119a9b8

SHA256
e92f74bbe78371735d69fdcb1e24fa9fc365282ea2c33685da6120b4e27a9479

SHA512
07a8c35ac35b60d4577a035912ba1d0e42aca109386b0c1d51b84576a9084a35f2c587d7232b0c0f658ab626f00af573dac06a1b7d5658e47986948e90ab9f91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8fd868bb33951d01d910606fd0aad8e3

SHA1
d2885c7ed35ad921995d396395dd34be4ed76cba

SHA256
6b7a0217d0eb257bd3de817d98640796423c08e10d5699aec51a8dfcfee7714e

SHA512
03bf22f007ac994b2a3640af42901af626faa20091c3228763b0fab16810a4ea23c26a819e6b184ba3bae08ddf63894e111b7f29e5026fe23fd32a7068df4395

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
75429c7e782b7623c9c75a5dc5b179dc

SHA1
d27c32cf62fa3631a832269a67a305db8f2cfc80

SHA256
55f5525ff87851c680ff161b1a4211c4a557024cb0404fb154315bc00d01e964

SHA512
31c40967a5261d59d1ac50c67dc35d3a29c9d4373e0ef06d1278af60c53ab6fdfae8a779fd04eb5170d94a544b4624d134fad63fe1947bd24373365578c30bdf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
444f16e0220c68955698352979a188dd

SHA1
275bee018bbf2a2afb5096033377e090720bc05a

SHA256
50a30dfa854273ffde4a27e4d3972659324fe96b7c250945b1047f9cdf7062ab

SHA512
340104d0e927bb69a43f417054022c627d4323650517259cd0bd94985add6692b980e78e9e9fea2060402737172742ed93ebfc141c8a6c45cf169b6680e13f25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
d90835cbd5b731f7a4abf72667e7f9a2

SHA1
8d5be00a7e8538fc44f93d77a883a9f0d0180f58

SHA256
ad90350898e0bb72197c5802b87be4b8ed3441efb1a91e27dbc03544ef707b8f

SHA512
63c51021dbce145c2fc56bf0ed7db872629a822df5f4f6a00fd613ed616c321a8d486603bbdd886d8b55d8607035d25da1b8f1a5cfc6bb411fd0410703c5fa75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c236d3a68353cc0088ba17c9a6e41c3f

SHA1
cfdd496987f0ca66d32122860e794d4c556dc0b1

SHA256
265ebbc81d1f0bfa91aa10ddee7b56ac48ec5d6ecb5f804cb54d28c98bfcd131

SHA512
ca41b88430dd0b834348ee86c6df42467d61b7a78f151cd24a140c1639aa4e59c9ae24bff5f2fa201a53018495ed057f6ef85b974563faf812e13a054118d9bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ede1b6c6384592ff5be0bcb333405886

SHA1
fd98025f435c814483e0af4e50c0b593a3c7693e

SHA256
5f8adbc31b130c7b3d2dcaf91cb75d8d5fcd2081fae4fd934cecec4572b0654d

SHA512
729568ac31c58d7b97506798b50b1723e8f93a7da59984a792b53268f5fbae0207f632253f283170c8822a72c5c8faeccf09931cdde7d004387655d38879d619

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
3c8a61c4e521f3a395d4e6aedfe730f6

SHA1
021fe371342c66e95b04a1cbcc6c55a51c47bb8a

SHA256
746aa91d3ec2b58b51bf1ae98cd7f741bdb1e3b5898100f3b2eeebd0e98157c3

SHA512
1d3ed13214da7281b732b6113ac697694a77fc682a423939aef788fdd1e5275448c4659896ebd6d24e573455c57c5267c7500649ff87c817e29d5bb10a28964a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
c9b906efb3010552f78c9868a958c074

SHA1
aa2192cb09d837c7d3bfdf5d4fab85f31ab26f55

SHA256
8d4c60056f81e64102970694036e6e936605e6bdbb79e5ebace3f3ed68d83448

SHA512
8c3256fd20bfb95317263f6e38f514b7ac601a5db956e4ba81b89bced4071119e024ae39eedbc76f65e07692b9c371419bd3709cbb142c6ba8ccb023089ad865

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ce5508243cef9c6c2be816b662386b27

SHA1
ec639495a0085732dedef859a5bd03dfda70092d

SHA256
fc7d356aecefb181e450824c38baa90eff3da29d8b23b5f646bd074bbe6d1758

SHA512
94243131cc8667c17cfbce0daf8fa09411ca898ec78cd88e1aafbb2b43b76694c819f86da5e7534587771a235a93096b5caec5fcc0ac54e37be142a8ff972523

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
8ac51ab7ea22d96e88360abcc8da0c0d

SHA1
e898715e468fd32febf608d5c53459b54be39f39

SHA256
b4a56d1d33771ff19ebec9bce1f66928139c8a50b854b4b19998539229828e58

SHA512
3110480a510ec3845db638528e7607c056c60be133867e0cba0d9b950bd9a859865fc6189af5fe9bbd572dcf786e514975bf350c09bc1b0cb543c15cc3a1cd26

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5c146a.TMP

Filesize
372B

MD5
0042dc41a6cdba512c9063c9dad8eb62

SHA1
6288cdd5341b7b89c9b78847cfef98f8af2755e4

SHA256
88767be38e60d81b04d8e601f856bd030ef47bc684b632f80eb5dcacfb27263e

SHA512
5b29e2a37e1ccd0bc43f1a14cb25d7086f87a88fd4dec423a5bbd1435a3705344e029e542e9e485cafa6099ba7aa72e3635c268f0c55a259f2aee1c3aa62a085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
734fc56866540e9b1b6f2852bdbf3b0c

SHA1
fd3273179a5a97f932e4eef6532f35b53b74ba2a

SHA256
92e36ad9becbb2ee17bebfd7689b65e066e14356c19d4bd3be4beb2cee818664

SHA512
499ce7e686a57fe18066acd67df52fc3c165192e04dd3926e6f44a39429add6de142d031281b6cdaec019b266deb50a616dbe9a1a07d7d79360a806065aa3053

Download Submit