hxxps://gofile[.]io/d/QCP9sI

Resubmissions

04/03/2025, 17:17

250304-vts7qawpv5 8

04/03/2025, 16:45

250304-t9cn8swj16 10

Analysis

max time kernel
444s
max time network
436s
platform
windows11-21h2_x64
resource
win11-20250217-en
resource tags

arch:x64arch:x86image:win11-20250217-enlocale:en-usos:windows11-21h2-x64system
submitted
04/03/2025, 17:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/QCP9sI

Score

8^/10

defense_evasion discovery

Malware Config

Signatures

Downloads MZ/PE file 1 IoCs

flow	pid	Process
37	2028	msedge.exe

Executes dropped EXE 4 IoCs

pid	Process
2224	winrar-x64-710.exe
3324	winrar-x64-710.exe
3152	winrar-x64-710.exe
4352	winrar-x64-710.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\winrar-x64-710.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1298619118-249045975-4264763259-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1298619118-249045975-4264763259-1000_Classes\Local Settings	OpenWith.exe

NTFS ADS 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\winrar-x64-710.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\XWorm-5.6-main.rar:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 724890.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2028	msedge.exe
2028	msedge.exe
3384	msedge.exe
3384	msedge.exe
464	msedge.exe
464	msedge.exe
4716	identity_helper.exe
4716	identity_helper.exe
664	msedge.exe
664	msedge.exe
5080	msedge.exe
5080	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs

pid	Process
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe

Suspicious use of FindShellTrayWindow 49 IoCs

pid	Process
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe
3384	msedge.exe

Suspicious use of SetWindowsHookEx 27 IoCs

pid	Process
3164	OpenWith.exe
3164	OpenWith.exe
3164	OpenWith.exe
3164	OpenWith.exe
3164	OpenWith.exe
3164	OpenWith.exe
3164	OpenWith.exe
3164	OpenWith.exe
3164	OpenWith.exe
3164	OpenWith.exe
3164	OpenWith.exe
3164	OpenWith.exe
3164	OpenWith.exe
3164	OpenWith.exe
3164	OpenWith.exe
2224	winrar-x64-710.exe
2224	winrar-x64-710.exe
2224	winrar-x64-710.exe
3324	winrar-x64-710.exe
3324	winrar-x64-710.exe
3324	winrar-x64-710.exe
3152	winrar-x64-710.exe
3152	winrar-x64-710.exe
3152	winrar-x64-710.exe
4352	winrar-x64-710.exe
4352	winrar-x64-710.exe
4352	winrar-x64-710.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3384 wrote to memory of 2344	3384	msedge.exe	80
PID 3384 wrote to memory of 2344	3384	msedge.exe	80
PID 3384 wrote to memory of 2164	3384	msedge.exe	82
PID 3384 wrote to memory of 2164	3384	msedge.exe	82
PID 3384 wrote to memory of 2164	3384	msedge.exe	82
PID 3384 wrote to memory of 2164	3384	msedge.exe	82
PID 3384 wrote to memory of 2164	3384	msedge.exe	82
PID 3384 wrote to memory of 2164	3384	msedge.exe	82
PID 3384 wrote to memory of 2164	3384	msedge.exe	82
PID 3384 wrote to memory of 2164	3384	msedge.exe	82
PID 3384 wrote to memory of 2164	3384	msedge.exe	82
PID 3384 wrote to memory of 2164	3384	msedge.exe	82
PID 3384 wrote to memory of 2164	3384	msedge.exe	82
PID 3384 wrote to memory of 2164	3384	msedge.exe	82
PID 3384 wrote to memory of 2164	3384	msedge.exe	82
PID 3384 wrote to memory of 2164	3384	msedge.exe	82
PID 3384 wrote to memory of 2164	3384	msedge.exe	82
PID 3384 wrote to memory of 2164	3384	msedge.exe	82
PID 3384 wrote to memory of 2164	3384	msedge.exe	82
PID 3384 wrote to memory of 2164	3384	msedge.exe	82
PID 3384 wrote to memory of 2164	3384	msedge.exe	82
PID 3384 wrote to memory of 2164	3384	msedge.exe	82
PID 3384 wrote to memory of 2164	3384	msedge.exe	82
PID 3384 wrote to memory of 2164	3384	msedge.exe	82
PID 3384 wrote to memory of 2164	3384	msedge.exe	82
PID 3384 wrote to memory of 2164	3384	msedge.exe	82
PID 3384 wrote to memory of 2164	3384	msedge.exe	82
PID 3384 wrote to memory of 2164	3384	msedge.exe	82
PID 3384 wrote to memory of 2164	3384	msedge.exe	82
PID 3384 wrote to memory of 2164	3384	msedge.exe	82
PID 3384 wrote to memory of 2164	3384	msedge.exe	82
PID 3384 wrote to memory of 2164	3384	msedge.exe	82
PID 3384 wrote to memory of 2164	3384	msedge.exe	82
PID 3384 wrote to memory of 2164	3384	msedge.exe	82
PID 3384 wrote to memory of 2164	3384	msedge.exe	82
PID 3384 wrote to memory of 2164	3384	msedge.exe	82
PID 3384 wrote to memory of 2164	3384	msedge.exe	82
PID 3384 wrote to memory of 2164	3384	msedge.exe	82
PID 3384 wrote to memory of 2164	3384	msedge.exe	82
PID 3384 wrote to memory of 2164	3384	msedge.exe	82
PID 3384 wrote to memory of 2164	3384	msedge.exe	82
PID 3384 wrote to memory of 2164	3384	msedge.exe	82
PID 3384 wrote to memory of 2028	3384	msedge.exe	83
PID 3384 wrote to memory of 2028	3384	msedge.exe	83
PID 3384 wrote to memory of 692	3384	msedge.exe	84
PID 3384 wrote to memory of 692	3384	msedge.exe	84
PID 3384 wrote to memory of 692	3384	msedge.exe	84
PID 3384 wrote to memory of 692	3384	msedge.exe	84
PID 3384 wrote to memory of 692	3384	msedge.exe	84
PID 3384 wrote to memory of 692	3384	msedge.exe	84
PID 3384 wrote to memory of 692	3384	msedge.exe	84
PID 3384 wrote to memory of 692	3384	msedge.exe	84
PID 3384 wrote to memory of 692	3384	msedge.exe	84
PID 3384 wrote to memory of 692	3384	msedge.exe	84
PID 3384 wrote to memory of 692	3384	msedge.exe	84
PID 3384 wrote to memory of 692	3384	msedge.exe	84
PID 3384 wrote to memory of 692	3384	msedge.exe	84
PID 3384 wrote to memory of 692	3384	msedge.exe	84
PID 3384 wrote to memory of 692	3384	msedge.exe	84
PID 3384 wrote to memory of 692	3384	msedge.exe	84
PID 3384 wrote to memory of 692	3384	msedge.exe	84
PID 3384 wrote to memory of 692	3384	msedge.exe	84
PID 3384 wrote to memory of 692	3384	msedge.exe	84
PID 3384 wrote to memory of 692	3384	msedge.exe	84

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://gofile.io/d/QCP9sI
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcd0423cb8,0x7ffcd0423cc8,0x7ffcd0423cd8
  2⤵
  PID:2344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1896,17148589303374977576,5872992561866989766,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1856 /prefetch:2
  2⤵
  PID:2164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1896,17148589303374977576,5872992561866989766,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2384 /prefetch:3
  2⤵
  - Downloads MZ/PE file
  - Suspicious behavior: EnumeratesProcesses
  PID:2028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1896,17148589303374977576,5872992561866989766,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2652 /prefetch:8
  2⤵
  PID:692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,17148589303374977576,5872992561866989766,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
  2⤵
  PID:4216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,17148589303374977576,5872992561866989766,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:5020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,17148589303374977576,5872992561866989766,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4544 /prefetch:1
  2⤵
  PID:3500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1896,17148589303374977576,5872992561866989766,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3452 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,17148589303374977576,5872992561866989766,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3556 /prefetch:1
  2⤵
  PID:1404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,17148589303374977576,5872992561866989766,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4676 /prefetch:1
  2⤵
  PID:4520
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1896,17148589303374977576,5872992561866989766,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6096 /prefetch:8
  2⤵
  PID:1652
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1896,17148589303374977576,5872992561866989766,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6096 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,17148589303374977576,5872992561866989766,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5424 /prefetch:1
  2⤵
  PID:1892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,17148589303374977576,5872992561866989766,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5492 /prefetch:1
  2⤵
  PID:2784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1896,17148589303374977576,5872992561866989766,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6344 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,17148589303374977576,5872992561866989766,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6352 /prefetch:1
  2⤵
  PID:5096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,17148589303374977576,5872992561866989766,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6336 /prefetch:1
  2⤵
  PID:4596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,17148589303374977576,5872992561866989766,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4920 /prefetch:1
  2⤵
  PID:1660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,17148589303374977576,5872992561866989766,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4932 /prefetch:1
  2⤵
  PID:5032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,17148589303374977576,5872992561866989766,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4632 /prefetch:1
  2⤵
  PID:640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,17148589303374977576,5872992561866989766,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4940 /prefetch:1
  2⤵
  PID:3128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,17148589303374977576,5872992561866989766,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6232 /prefetch:1
  2⤵
  PID:1388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,17148589303374977576,5872992561866989766,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6712 /prefetch:1
  2⤵
  PID:3920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,17148589303374977576,5872992561866989766,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6620 /prefetch:1
  2⤵
  PID:4124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,17148589303374977576,5872992561866989766,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4892 /prefetch:1
  2⤵
  PID:756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,17148589303374977576,5872992561866989766,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6816 /prefetch:1
  2⤵
  PID:3424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1896,17148589303374977576,5872992561866989766,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3728 /prefetch:8
  2⤵
  PID:4612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1896,17148589303374977576,5872992561866989766,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2544 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:5080
- C:\Users\Admin\Downloads\winrar-x64-710.exe
  "C:\Users\Admin\Downloads\winrar-x64-710.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2224
- C:\Users\Admin\Downloads\winrar-x64-710.exe
  "C:\Users\Admin\Downloads\winrar-x64-710.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1896,17148589303374977576,5872992561866989766,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5708 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2320
- C:\Users\Admin\Downloads\winrar-x64-710.exe
  "C:\Users\Admin\Downloads\winrar-x64-710.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3152

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4552

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1152

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3164

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\59be16fb74634a6fbd7931c48e11b33f /t 2172 /p 2224
1⤵
PID:4248

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\4a709491c0104b8e913c62dd2740a033 /t 2324 /p 3324
1⤵
PID:4256

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1360

C:\Users\Admin\Downloads\winrar-x64-710.exe
"C:\Users\Admin\Downloads\winrar-x64-710.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b98903eec4d4ba62d58ef15c040a098c

SHA1
edbfd3947a194ddd1ee2e2edb465eb7a57f27cb3

SHA256
698d9fcc6775ee16a41017cf13ccd9614001c681b8a4da741a1851f1b9f48def

SHA512
ee53739c6c098c48a594768bbbbada27d9728034b85e0e67220be097007348162f257a31f0669bcd17ba142b10b110680c3b5b18f9c40b37e5fa1fe8124d27e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
afe073f7cd46dc621114e4f8757336cc

SHA1
2063f15f773ff434b375a1fe4c593bc91b31f2e0

SHA256
e54fed17731c51a64a17e37dc2511159e55b308f0a67939477494c15166ebffd

SHA512
bfe0b1bb10d93def5ed5104e8aac1d74991de2ad64042ebcb35ad43e3dc3bfdb47d126a3c6632238e68c8e227187ba05f81192b50843162134222446fdb0b25f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
d2131a9b8802473b5621c298e1cd90e6

SHA1
67c0608e128bf4233b1874a16e3332ce18ebbebe

SHA256
66903560caa0c71bc4c01b5f2311c34f56ba649a6ccf9f164b3c835ed5b96198

SHA512
8373c06380b596a50678eb27e5bbf9ee937e606a6426971086eadcb6a70546f928e2ec656385c699f1a1809dd11cc5b875e9ae9e7500da846fa72c8cda69acc2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
1ae9aaa78b20c2ed937d424c8533de28

SHA1
48841e39eed748b8c698d53adacc52b575158fd0

SHA256
69416161ccfa7c41b8a7ac74478366dc429f65160d053629ee48137a92b21892

SHA512
a1032bca8c89c0849fe370beb9c1cda8ee9381106588bc0779c8c4c3031091f29d06f0fde05a73401aeebffad9aa7dc8851c1517dfec15babc64abe43aaa8ee6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
833B

MD5
14ee8b19868df0363966ee21d7f907cd

SHA1
7cd660e6f8fa3bd2fceb25319f933e635b59aea1

SHA256
437fe2796193ccfe7dfd174df909b17c42dc2a556dde619cc12118879ebaa462

SHA512
849dba98c15817a0a2f3595637e210e845223f6d73b2298b537539510d2bbd21129b600844362c7f1cabe20f831468bb8cc6a29839f13a484ac04b140a20de81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
abbeb8b7dbd826915fcbe93259990e0d

SHA1
c62ba95c737024d6e5ac9ef3d313d50f2391e1c1

SHA256
f2e0e280301230783f49a7a84bfb50940b605eb9a441d7c333ecc57e670e9658

SHA512
ef674d45056e8153d034f95caa5781bed5e014ffdb3e873e0b3a625a3141575f412e7686820a57d4a944693fefd30b51acd5e0d3600cffa44055b5f242c153ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
bfa723538c07ac54984687c96313f5cd

SHA1
cbcc9dc2ac72218120d7d82edb10784876e8ca19

SHA256
e9069213a6288e716d41a0696a405670586a10c8d0bec25158c7f8f4a4175686

SHA512
f1b509dc176015e0652bc614fac28388c9f566db8b514b0426903e7936e2ae481442a5a9d13e78945806018f8c38290e234ecf866d5799ef6f987f4e7083c3b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7cba6bf2e45bbc35140dc5c888c51756

SHA1
dd1f0b763a4eb2866951e47f9c268733a3c63c2f

SHA256
7fb570f46381ef5490135950ee169d5d2fb2455f15b0d5b6315494c6e5f814c2

SHA512
0d3937caf0da185789a8596937a92d66f5ef4b37526d329718ece71dc82dfac9c7598c38de8acaa37b8a84d19138f063e04941544b26905732313356a3f13615

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d2a2eeed5537106fe23afa544cce39e7

SHA1
feb2d0c4a34fffca3dd337c918267a43d5cd3e4b

SHA256
f6ce96ffa8e27b4633b27d4e788de0007e9e9ac149488790fcff9ad00b73594f

SHA512
cceace8cca80bf721156b1fff7fb15675cece7d709d6afbc6dbab2a6687a712b47cc549cc92e45f904c3b606a02057889bbeca5c311895295ce897ebfb6c552a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
20b9e4f41c0d1e2b2c6baa2afe98f3ae

SHA1
ecdf21de0bd4ac662690491eda8deaef794690f7

SHA256
f5d222eae998a2445299326053e79b3388117b4234b2b3c02dee7a434af5fed4

SHA512
430a555ca6633bfa8f545f9b07a6af612754898e7103a86df15de28a1c1afe33262064dbf4394961ac06ff5d88c574b268311c7f33d9bcbd6063bec3cd8556dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
6e6fdac90e039cb170515aaef855c0ca

SHA1
42375dc2b4d47504840c6aaf292e9b31ae7af076

SHA256
d79f53502565b6619ade71b81da93afecee8160a37a7f40e83df598d63e3712c

SHA512
41aa66ba343ec7b89627c5486b1252a52a0ddd226044bd561e3a60f4b4ea211440340c2f3e5f4b8fd9241f2df0dcf8ade517766150c44f1bfb129872da366425

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
79c6223b91b69430496fcbbbd669cbd5

SHA1
8e4176e4cdc5e15f501d35041f525f3326af3109

SHA256
2cef865a029407857a5c81091560fdde6c0e7f7a201ae15243e2547720cd81a8

SHA512
753054a81b16a1146c29e872d41b087895625c526045d7abbee949465c95f41beb78ceed5de26ec6068f9cfd2dac78d8dda52bd41495c7f955f7880b306dbe72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe583d81.TMP

Filesize
368B

MD5
2e97982741c8314c4ddbad937ee920d2

SHA1
c9a4fc9e05e9a1da3683651f1339de833e57f7a6

SHA256
52272247d02f40733aa9dc0d0dc78540458f544e33ff7ef1f782849133d483b1

SHA512
d3034e04f00082466fa63fdf7110755f2850533c7e801ca69a657779db3d7125f46f81e83bcc9614c3868cb360b10c713fd05e907b5afe121cb34b3870794ab9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
d21b6f8db2c144de89f5bb983a4388d4

SHA1
6876c492d167d4469349c86f3964238f46bf10f5

SHA256
c6248c5fa04943b556e07cfbda1a57467d89293179e3178da099ce52f5c76e82

SHA512
5db3a5936520208e47456112f0863e3af9224a96d325a23f86ce92b0a59b7ab2153a7fbfb6eb1abd1deaffa6b8d94c1bcf7a281f31d01006748547a0440d8a55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
6928c8ef6d53fe173f14b930d2a13088

SHA1
1f005b5a05f74d87dfea8bb0f871fc4d2c96fb6f

SHA256
e6676ed55dd72882d6b671da178b7b255d077f48255263f4c779132e0ab06652

SHA512
0549a32f790e1931c76cbfc85dd0eab7a5ed21b170ba3fb147ac7f15a8c41022635dc2333e8a10438210faf71110d7a645376849bc3222ea6626ac47783afdfc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
d7e101679c635deb04095af5eb6c65d4

SHA1
79fc1f143bace43bfcad00e5c684b414d4338145

SHA256
d5f5165fa2ed1a9f99a30c7ad0f7d726c56c1a5fb59900fd8557e4c1f0bee937

SHA512
56e24d7ff112407c7f16619d5549cae8b0beb5d534131c6971c82bea451dd915c74b658fe26e98ab4a51e34f0d9a58401f97201ca40ac50042059a8901bf6725

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 868153.crdownload

Filesize
21.0MB

MD5
c76d0b2c5d8f7e6f6290ba80b807f7d6

SHA1
9750324f412b4b67ff0b8bdf86ccbb56319d1ac8

SHA256
9eaec7ec71dac1b9bcb5e27050e432e485923f0d48a27670d42050de80baf0e1

SHA512
76dc742fb91bf8265124adf7b10b4eeb5215669e6379501033a12a341a96cb178c393125e79e3925e0bbcf57f8224c79783da81ae2f35f8a5a5a20304f9b71e7

Download Submit
C:\Users\Admin\Downloads\XWorm-5.6-main.rar:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\winrar-x64-710.exe

Filesize
3.6MB

MD5
32595caa2a6bbbf58e9cc3c145e2aafe

SHA1
a85f67867e000d7bb3a074bb2b84fa3a143d0663

SHA256
d9fc9e75e174f309efbbb0a4fe13ea27e50c0d1eac65e0ddc858a80a3a4c49a7

SHA512
151748c2c0971d0c9cebc9e4cf3dc0f36e72d9a4f288fff1979729851e6e4ec1ba41e6c4e20f5e13448ac1b9e940a3aa2bc2b097800e9640759f442c95eb4017

Download Submit