Analysis

- max time kernel: 150s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240419-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03-05-2024 14:00
- Static task: static1
- URLScan task: urlscan1
General
Malware Config

Extracted
- Family: darkcomet
- Botnet/campaign ID: IDMAN
- C2: arrivals.ddns.net:2323
- Mutex: DC_MUTEX-391X2ZJ
- InstallPath: MSDCSC\IDMAN.exe
- gencode: CUWbhGwmWBMb
- install: true
- offline_keylogger: true
- persistence: true
- reg_key: IDMAN

Although the file Edge downloaded is named NanoCore.exe, the configuration that was extracted is a DarkComet one: the MSDCSC install directory and the DC_MUTEX- mutex prefix are DarkComet builder defaults, and the process tree below shows the DarkComet stage (CRACKED.EXE, installed as MSDCSC\IDMAN.exe) performing all of the persistence and firewall changes. The C2 is a dynamic-DNS hostname on a non-standard port, so hunt and block on the hostname rather than on whatever IP it resolved to at submission time.
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
- CRACKED.EXE: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\IDMAN.exe"
The stock value is "C:\Windows\system32\userinit.exe," on its own; winlogon.exe starts every comma-separated entry at each interactive logon, so this entry survives even if the Run key below is cleaned up. The write lands in HKLM and only succeeded because the sample ran with administrative rights in this sandbox; on a standard-user host this and the firewall changes would fail and the HKCU Run key would be the only persistence left.

Modifies firewall policy service (2 TTPs, 6 IoCs)
- IDMAN.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"
- CRACKED.EXE: Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
- CRACKED.EXE: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
- CRACKED.EXE: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"
- IDMAN.exe: Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
- IDMAN.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
EnableFirewall = 0 under the StandardProfile policy key switches the Windows Firewall off for that profile. DisableNotifications = 0 is the default (notifications stay on), so the evasion is the EnableFirewall write, which both the dropper and the installed copy perform.

Downloads MZ/PE file

Checks computer location settings (2 TTPs, 3 IoCs)
Looks up the country code configured in the registry, likely a geofence.
- NanoCore.exe: Key value queried \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation
- CRACKED.EXE: Key value queried \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation
- NanoCore.exe: Key value queried \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation
If a sample that reads Geo\Nation looks inert, re-detonate it under a different locale before concluding that it does nothing.

Executes dropped EXE (7 IoCs)
- 5428 NanoCore.exe
- 5580 CRACKED.EXE
- 5640 NANOCORE.EXE
- 5820 IDMAN.exe
- 6032 NanoCore.exe
- 6108 CRACKED.EXE
- 5016 NANOCORE.EXE

Adds Run key to start application (2 TTPs, 2 IoCs)
- CRACKED.EXE: Set value (str) \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDMAN = "C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\IDMAN.exe"
- IDMAN.exe: Set value (str) \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDMAN = "C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\IDMAN.exe"
The value name IDMAN matches the reg_key field of the extracted config; the installed copy rewrites its own Run entry when it starts.

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
The IoCs are not itemised on this page; the only third-party host visible in the run is github.com, from which Edge fetched the sample.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 6 IoCs)
Processor information is often read in order to detect sandboxing environments.
- dw20.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
- dw20.exe: Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
- dw20.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
- dw20.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
- dw20.exe: Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
- dw20.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
Every hit here comes from dw20.exe, the .NET Framework error-reporting shim that the CLR launches when a managed process dies on an unhandled exception (here NANOCORE.EXE, in both runs). Reading CPU and BIOS strings is part of assembling its crash report, so this is not the payload probing for a sandbox.

Enumerates system info in registry (2 TTPs, 7 IoCs)
- dw20.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU
- msedge.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
- msedge.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
- msedge.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName
- dw20.exe: Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS
- dw20.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU
- dw20.exe: Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS
Same caveat: these are the browser and the crash reporter, not the sample.

NTFS ADS (1 IoC)
- msedge.exe: File opened for modification C:\Users\Admin\Downloads\Unconfirmed 495610.crdownload:SmartScreen
This is Edge writing its SmartScreen stream onto the in-progress download. The stream to hunt for on the finished NanoCore.exe is Zone.Identifier (mark-of-the-web).

Suspicious behavior: EnumeratesProcesses (12 IoCs)
- msedge.exe 1284 (2), msedge.exe 1956 (2), identity_helper.exe 3032 (2), msedge.exe 5312 (2), msedge.exe 5652 (4)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
- IDMAN.exe 5820

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
- msedge.exe 1956 (7)
This is the browser launching its children with the block-non-Microsoft-binaries mitigation policy; it is not attacker behaviour.

Suspicious use of AdjustPrivilegeToken (64 IoCs)
- CRACKED.EXE (PID 5580): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36 (24 events)
- IDMAN.exe (PID 5820): the same 24 privileges in the same order (24 events)
- dw20.exe (PID 5940): SeBackupPrivilege (2 events)
- CRACKED.EXE (PID 6108): SeIncreaseQuotaPrivilege through SeSystemEnvironmentPrivilege, the first 14 of the list above (14 events; the listing is capped at 64)
The pattern is a sweep that enables every privilege the token carries. The numeric entries are LUIDs the sandbox did not name (33 SeIncreaseWorkingSetPrivilege, 34 SeTimeZonePrivilege, 35 SeCreateSymbolicLinkPrivilege, 36 SeDelegateSessionUserImpersonatePrivilege). The one that matters operationally is SeDebugPrivilege, which lets the implant open other processes regardless of their DACL.

Suspicious use of FindShellTrayWindow (35 IoCs)
- msedge.exe 1956 (35)

Suspicious use of SendNotifyMessage (24 IoCs)
- msedge.exe 1956 (24)

Suspicious use of SetWindowsHookEx (1 IoC)
- IDMAN.exe 5820
Together with GetForegroundWindowSpam on the same process, this is consistent with the offline_keylogger option in the extracted config: a keyboard hook plus polling of the foreground window so keystrokes can be labelled with window titles.

Suspicious use of WriteProcessMemory (64 IoCs)
- msedge.exe 1956 wrote to the memory of its own child processes 4788, 5104, 1284 and 692 (procid_target 83 to 86); 64 events in total.
This is how Chromium launches sandboxed children, not injection.

Of all the signatures above, the ones that belong to the sample are those on NanoCore.exe, CRACKED.EXE and IDMAN.exe; the msedge.exe, identity_helper.exe and dw20.exe hits are the browser session that fetched the file and the crash reporter for the stage that died.
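The registry writes above are the substantive findings of this run. The following Python is an added example and is not part of the Triage report or of any Triage tooling: it re-encodes those IoC lines as structured events (the EVENTS list is constructed from this page, with paths, values and process names copied from it) and runs four rules over them of the kind a detection engineer would write for exactly these artifacts. The rule names and the ATT&CK mapping are my own; the stock UserInit value and the FirewallPolicy key semantics are the documented Windows ones.

```python
"""Registry-write triage rules, built from the IoC lines of this report.

EVENTS is constructed from the report's Signatures section (paths, values and
process names copied verbatim); rule names and ATT&CK IDs are the author's.
"""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class RegEvent:
    process: str
    op: str                      # "set_str", "set_int", "key_created", "queried"
    path: str
    value: Optional[str] = None


@dataclass(frozen=True)
class Finding:
    rule: str
    technique: str               # ATT&CK technique ID (author's mapping)
    process: str
    detail: str


HKLM = r"\REGISTRY\MACHINE"
HKU = r"\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000"
FW = HKLM + r"\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile"
USERINIT = HKLM + r"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit"
RUN_IDMAN = HKU + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDMAN"
GEO = HKU + r"\Control Panel\International\Geo\Nation"
IDMAN_PATH = r"C:\Users\Admin\AppData\Roaming\MSDCSC\IDMAN.exe"

# Constructed from the report: one entry per IoC line under the four registry signatures.
EVENTS: List[RegEvent] = [
    RegEvent("CRACKED.EXE", "set_str", USERINIT, r"C:\Windows\system32\userinit.exe," + IDMAN_PATH),
    RegEvent("IDMAN.exe", "set_int", FW + r"\DisableNotifications", "0"),
    RegEvent("CRACKED.EXE", "key_created", FW),
    RegEvent("CRACKED.EXE", "set_int", FW + r"\EnableFirewall", "0"),
    RegEvent("CRACKED.EXE", "set_int", FW + r"\DisableNotifications", "0"),
    RegEvent("IDMAN.exe", "key_created", FW),
    RegEvent("IDMAN.exe", "set_int", FW + r"\EnableFirewall", "0"),
    RegEvent("NanoCore.exe", "queried", GEO),
    RegEvent("CRACKED.EXE", "queried", GEO),
    RegEvent("NanoCore.exe", "queried", GEO),
    RegEvent("CRACKED.EXE", "set_str", RUN_IDMAN, IDMAN_PATH),
    RegEvent("IDMAN.exe", "set_str", RUN_IDMAN, IDMAN_PATH),
]

FW_ENABLE_RE = re.compile(r"\\FirewallPolicy\\(\w+Profile)\\EnableFirewall$", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\(?P<name>[^\\]+)$", re.IGNORECASE)
GEO_NATION_RE = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.IGNORECASE)
# Locations an unprivileged user can write to; an autostart entry pointing here is rarely legitimate.
USER_WRITABLE_RE = re.compile(r"\\(AppData|ProgramData|Temp|Users\\[^\\]+\\(Downloads|Desktop))\\", re.IGNORECASE)


def userinit_extras(value: str) -> List[str]:
    """Entries of a Winlogon UserInit value other than the stock userinit.exe.

    The stock value is 'C:\\Windows\\system32\\userinit.exe,' (note the trailing
    comma); winlogon.exe launches every comma-separated entry at interactive logon.
    """
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries if not e.lower().endswith(r"\system32\userinit.exe")]


def evaluate(events: List[RegEvent]) -> List[Finding]:
    """Apply the four rules and return one Finding per matching event."""
    findings: List[Finding] = []
    for ev in events:
        path, value = ev.path, (ev.value or "").strip()
        if ev.op == "set_str" and path.lower().endswith(r"\winlogon\userinit"):
            extras = userinit_extras(value)
            if extras:
                findings.append(Finding("winlogon_userinit_tamper", "T1547.004", ev.process, "; ".join(extras)))
        elif ev.op == "set_int" and value == "0":
            m = FW_ENABLE_RE.search(path)
            if m:
                findings.append(Finding("firewall_disabled", "T1562.004", ev.process, m.group(1)))
        elif ev.op == "set_str":
            m = RUN_KEY_RE.search(path)
            if m and USER_WRITABLE_RE.search(value):
                findings.append(Finding("run_key_user_writable_path", "T1547.001", ev.process,
                                        f"{m.group('name')} -> {value}"))
        elif ev.op == "queried" and GEO_NATION_RE.search(path):
            findings.append(Finding("geo_nation_lookup", "T1614", ev.process, "Geo\\Nation read, possible geofence"))
    return findings


if __name__ == "__main__":
    for f in evaluate(EVENTS):
        print(f"{f.technique:10} {f.rule:28} {f.process:12} {f.detail}")
```

Against live data, populate RegEvent from Sysmon Event ID 13 (registry value set, TargetObject and Details) and Event ID 12 (key created). The rules deliberately tolerate the trailing comma of the stock UserInit value and case differences in hive paths, which is where naive string comparisons miss; the DisableNotifications writes and the bare key creations from the report correctly produce no finding.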
Processes

[1] msedge.exe, PID 1956
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/daedalus/NanoCore/blob/master/sample/NanoCore.exe
    - Enumerates system info in registry
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    [2] msedge.exe, PID 4788
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe080f46f8,0x7ffe080f4708,0x7ffe080f4718

    [2] msedge.exe, PID 5104
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2044,6725421692444289032,17528627265941602019,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2064 /prefetch:2

    [2] msedge.exe, PID 1284
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2044,6725421692444289032,17528627265941602019,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2512 /prefetch:3
        - Suspicious behavior: EnumeratesProcesses

    [2] msedge.exe, PID 692
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2044,6725421692444289032,17528627265941602019,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2876 /prefetch:8

    [2] msedge.exe, PID 5056
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,6725421692444289032,17528627265941602019,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1

    [2] msedge.exe, PID 952
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,6725421692444289032,17528627265941602019,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3496 /prefetch:1

    [2] identity_helper.exe, PID 3252
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2044,6725421692444289032,17528627265941602019,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5228 /prefetch:8

    [2] identity_helper.exe, PID 3032
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2044,6725421692444289032,17528627265941602019,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5228 /prefetch:8
        - Suspicious behavior: EnumeratesProcesses

    [2] msedge.exe, PID 3692
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,6725421692444289032,17528627265941602019,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1

    [2] msedge.exe, PID 3724
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,6725421692444289032,17528627265941602019,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1

    [2] msedge.exe, PID 2572
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,6725421692444289032,17528627265941602019,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1

    [2] msedge.exe, PID 848
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,6725421692444289032,17528627265941602019,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3460 /prefetch:1

    [2] msedge.exe, PID 2996
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2044,6725421692444289032,17528627265941602019,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5452 /prefetch:8

    [2] msedge.exe, PID 4056
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,6725421692444289032,17528627265941602019,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5968 /prefetch:1

    [2] msedge.exe, PID 2380
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2044,6725421692444289032,17528627265941602019,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6236 /prefetch:8

    [2] msedge.exe, PID 5312
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2044,6725421692444289032,17528627265941602019,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6008 /prefetch:8
        - Suspicious behavior: EnumeratesProcesses

    [2] NanoCore.exe, PID 5428
        "C:\Users\Admin\Downloads\NanoCore.exe"
        - Checks computer location settings
        - Executes dropped EXE

        [3] CRACKED.EXE, PID 5580
            "C:\Users\Admin\AppData\Roaming\CRACKED.EXE"
            - Modifies WinLogon for persistence
            - Checks computer location settings
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious use of AdjustPrivilegeToken

            [4] IDMAN.exe, PID 5820
                "C:\Users\Admin\AppData\Roaming\MSDCSC\IDMAN.exe"
                - Modifies firewall policy service
                - Executes dropped EXE
                - Adds Run key to start application
                - Suspicious behavior: GetForegroundWindowSpam
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of SetWindowsHookEx

                [5] notepad.exe, PID 5876
                    image: C:\Windows\SysWOW64\notepad.exe
                    command line: notepad

        [3] NANOCORE.EXE, PID 5640
            "C:\Users\Admin\AppData\Roaming\NANOCORE.EXE"
            - Executes dropped EXE

            [4] dw20.exe, PID 5940
                image: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
                command line: dw20.exe -x -s 1136
                - Checks processor information in registry
                - Enumerates system info in registry
                - Suspicious use of AdjustPrivilegeToken

    [2] NanoCore.exe, PID 6032
        "C:\Users\Admin\Downloads\NanoCore.exe"
        - Checks computer location settings
        - Executes dropped EXE

        [3] CRACKED.EXE, PID 6108
            "C:\Users\Admin\AppData\Roaming\CRACKED.EXE"
            - Modifies firewall policy service
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken

        [3] NANOCORE.EXE, PID 5016
            "C:\Users\Admin\AppData\Roaming\NANOCORE.EXE"
            - Executes dropped EXE

            [4] dw20.exe, PID 1740
                image: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
                command line: dw20.exe -x -s 1080
                - Checks processor information in registry
                - Enumerates system info in registry

    [2] msedge.exe, PID 5652
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2044,6725421692444289032,17528627265941602019,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1120 /prefetch:2
        - Suspicious behavior: EnumeratesProcesses

[1] CompPkgSrv.exe, PID 2076
    C:\Windows\System32\CompPkgSrv.exe -Embedding

[1] CompPkgSrv.exe, PID 4860
    C:\Windows\System32\CompPkgSrv.exe -Embedding

The downloaded NanoCore.exe was launched twice from the Edge session (PIDs 5428 and 6032); each run drops CRACKED.EXE and NANOCORE.EXE into %AppData%\Roaming. Only the first run's CRACKED.EXE goes on to install MSDCSC\IDMAN.exe, which in turn starts a 32-bit notepad.exe with no arguments, a frequent host for code injection. NANOCORE.EXE dies on an unhandled exception in both runs, which is what the dw20.exe child indicates, so the DarkComet stage is the only implant left running at the end of the trace.
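The tree above is the part of the report that separates browser noise from the infection chain. The following Python is an added example, not part of the Triage report: it rebuilds the relevant parent/child edges from the PIDs and image paths listed above (the TREE list is constructed from this page, with Edge's helper processes omitted) and applies four lineage rules of the kind a practitioner would run against process-creation telemetry. Rule names and the browser and crash-handler name sets are my own.

```python
"""Process-lineage rules, built from the process tree of this report.

TREE is constructed from the PIDs, image paths and command lines the report
lists (Edge's helper children are omitted); rule names are the author's.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str
    cmdline: str
    ppid: Optional[int]


# Paths an unprivileged user can write to.
USER_WRITABLE_RE = re.compile(r"\\Users\\[^\\]+\\(AppData|Downloads|Desktop)\\|\\ProgramData\\|\\Temp\\", re.IGNORECASE)
BROWSERS = {"msedge.exe", "chrome.exe", "firefox.exe"}
# .NET error-reporting shim and Windows Error Reporting: such a child means the parent crashed.
CRASH_HANDLERS = {"dw20.exe", "werfault.exe"}

# Constructed from the report's process tree.
TREE: List[Proc] = [
    Proc(1956, r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
         r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument '
         r"https://github.com/daedalus/NanoCore/blob/master/sample/NanoCore.exe", None),
    Proc(5428, r"C:\Users\Admin\Downloads\NanoCore.exe", r'"C:\Users\Admin\Downloads\NanoCore.exe"', 1956),
    Proc(5580, r"C:\Users\Admin\AppData\Roaming\CRACKED.EXE", r'"C:\Users\Admin\AppData\Roaming\CRACKED.EXE"', 5428),
    Proc(5820, r"C:\Users\Admin\AppData\Roaming\MSDCSC\IDMAN.exe", r'"C:\Users\Admin\AppData\Roaming\MSDCSC\IDMAN.exe"', 5580),
    Proc(5876, r"C:\Windows\SysWOW64\notepad.exe", "notepad", 5820),
    Proc(5640, r"C:\Users\Admin\AppData\Roaming\NANOCORE.EXE", r'"C:\Users\Admin\AppData\Roaming\NANOCORE.EXE"', 5428),
    Proc(5940, r"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe", "dw20.exe -x -s 1136", 5640),
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def argument_count(cmdline: str) -> int:
    """Number of tokens after the program name; a quoted program name counts as one token."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        rest = s[end + 1:] if end != -1 else ""
    else:
        parts = s.split(None, 1)
        rest = parts[1] if len(parts) > 1 else ""
    return len(rest.split())


def lineage_findings(procs: List[Proc]) -> List[Tuple[str, int, str]]:
    """Return (rule, pid, detail) for every parent/child edge that matches a rule."""
    by_pid = {p.pid: p for p in procs}
    out: List[Tuple[str, int, str]] = []
    for p in procs:
        parent = by_pid.get(p.ppid) if p.ppid is not None else None
        if parent is None:
            continue
        pimg, img = basename(parent.image), basename(p.image)
        parent_user_path = bool(USER_WRITABLE_RE.search(parent.image))
        child_user_path = bool(USER_WRITABLE_RE.search(p.image))
        # A browser starting a binary out of a user-writable directory: the download was run.
        if pimg in BROWSERS and child_user_path:
            out.append(("browser_launched_download", p.pid, f"{pimg} -> {p.image}"))
        # User-writable binary starting another user-writable binary: dropper chain.
        if parent_user_path and child_user_path:
            out.append(("dropper_chain", p.pid, f"{parent.image} -> {p.image}"))
        # Crash handler as a child: the parent stage died, report it against the parent PID.
        if img in CRASH_HANDLERS:
            out.append(("payload_crashed", parent.pid, f"{parent.image} spawned {img}"))
        # A Windows binary started with no arguments by a user-writable binary: injection host candidate.
        if parent_user_path and p.image.lower().startswith("c:\\windows\\") and argument_count(p.cmdline) == 0:
            arch = "32-bit" if "\\syswow64\\" in p.image.lower() else "native"
            out.append(("system_binary_no_args_from_dropper", p.pid, f"{img} ({arch}) spawned by {parent.image}"))
    return out


if __name__ == "__main__":
    for rule, pid, detail in lineage_findings(TREE):
        print(f"{rule:36} {pid:6} {detail}")
```

Against live data, populate Proc from Sysmon Event ID 1 (Image, CommandLine, ParentProcessId). The no-argument rule is what isolates the notepad.exe child here, and the crash-handler rule turns the dw20.exe registry noise from the Signatures section into a useful signal rather than a false sandbox-evasion hit.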
Network

The report lists no network events in this section; the only C2 indicator on the page is the extracted arrivals.ddns.net:2323.

MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution, T1547 (2)
  - Registry Run Keys / Startup Folder, T1547.001 (1)
  - Winlogon Helper DLL, T1547.004 (1)
- Create or Modify System Process, T1543 (1)
  - Windows Service, T1543.003 (1)
Downloads

Most entries carry no path on this page, so match them by hash rather than by name.

- Filesize: 152B
  MD5: 2a70f1bd4da893a67660d6432970788d
  SHA1: ddf4047e0d468f56ea0c0d8ff078a86a0bb62873
  SHA256: c550af5ba51f68ac4d18747edc5dea1a655dd212d84bad1e6168ba7a97745561
  SHA512: 26b9a365e77df032fc5c461d85d1ba313eafead38827190608c6537ec12b2dfdbed4e1705bfd1e61899034791ad6fa88ea7490c3a48cdaec4d04cd0577b11343

- Filesize: 152B
  MD5: fbe1ce4d182aaffb80de94263be1dd35
  SHA1: bc6c9827aa35a136a7d79be9e606ff359e2ac3ea
  SHA256: 0021f72dbca789f179762b0e17c28fe0b93a12539b08294800e47469905aeb51
  SHA512: 3fb0a3b38e7d4a30f5560594b1d14e6e58419e274255fb68dfe0ca897aa181f9ce8cb2048403f851fd36a17b0e34d272d03927769d41a500b2fe64806354902f

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 1KB
  MD5: de6135b767e520359b45cdfd704e7b27
  SHA1: 3ffe1fd0d4b23472ba821a9dcb253c6feeb223dd
  SHA256: 247be5a8fdb0726bbfecbf641dabfb423126a0ba2a69da18ee2dd876ac274ea4
  SHA512: 1801b8ddec4783bfeaeccf1d8d00dc2cdda421437ded04207031ac8322f246acf0586d1cb7c86cf7a6398702e972c5efd1f1fb14b849549540ede84fd822d2b9

- Filesize: 492B
  MD5: 59aa14ea0c391d6890a2516ac416fd07
  SHA1: e64e016535d5351fa71f24ddf1c5f217a1e6c37d
  SHA256: 15f30f6b0889c6c689486cc09799d04573de19c749364e62844b5b19fa28685e
  SHA512: 59ec83dc2936b127c308ae152dd79d99679712456b40410793ace8e94a48c6299de83eae3d73c3e4df273f169390ed05c1617774f277343fcf109dd04d2f55c5

- Filesize: 6KB
  MD5: 5a7c08006cd70788643e580463236175
  SHA1: 15e582f42bebc57abdc04051ab8d9f99f3ade021
  SHA256: 221db60dd8779743c60729ceffe1e5d08558ee43ac147c0e15d9cb6196363bf5
  SHA512: 521601392f5b8e25437a2641c75798fe149518f52007f170e651f874ca5afb598fa3023e9ae7fd3d2c3f7a9d3f7488154da55a83aca83deeb087845790a3838a

- Filesize: 6KB
  MD5: e3298208a9c2a9680a5cf46a6874ffe4
  SHA1: 597c69fd203de3d38b5fbeb07780500c67d76987
  SHA256: b4d1b449eb0397914644edf7335fe257eaa75d1d303235dd73db570fb7f20290
  SHA512: 8a53f989d76ffa8a22785ec0aa31eb3774a3509701ff3f944f11adce04aba1c35272d52f546fac682506895693730351f4cfec56d8db0a7a118ac3a906b12412

- Filesize: 5KB
  MD5: 47d59f00cb2538c4ce0a4dd0f95d89eb
  SHA1: 28742f577bf00e536139275554c94948e0de16cc
  SHA256: d03d890ac3cad536d9d08d21d649f779b9458f3ef46a4d3c2e65ee1ea6e4946c
  SHA512: 52a59d429f7019da58bfa4dfe1c699939296b17478b5d4e532cc5ad3fb1e066427241ab448bfbe49fc82ef613661e400e26fee09b6ce47605441551630c8809d

- Filesize: 864B
  MD5: 928330a4a20983404626f03efa42c98a
  SHA1: 86b4911ccf79ec7c25605ef76c8debbfbdf198f6
  SHA256: 9cab63360ad2b9f0f0ea057d5f2945bd809bedbbc433ca8d5999cf43e645eead
  SHA512: 137f0ca13d6819e61bfbe2491270b2889da9370ee6a77ddae36d4fb38b3f772704837dd60b08c8e33bfccd5ee981f62bcf5ddb4694c0ed0b7d6fddec42a61b44

- Filesize: 698B
  MD5: 22a26766a70671eca7fc9ae1fd8d3d30
  SHA1: 3e4a40cade2010f5fb904f9c685e6acb3fb4c068
  SHA256: 467749774796f754466d391566a17bfbc22dea46609e6857352cb32422ab08d3
  SHA512: bb8fdcceb056e22c0e64b0d3e3f17c563128d78f216007110fa305cdc74b85b66cc973a453f4f2115760b714bcb12a75cd91f4ff963e064e1ac314ec647a911f

- Filesize: 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

- Filesize: 11KB
  MD5: 8e8b1afa25ca13b9b649163f2ef5b23b
  SHA1: e49ef4ffb42a309d4d57e56907470627ec8479e8
  SHA256: 40e23ceea8cfaeab7153181ec9a3b55b7bca620515466ea0958d501efc9ee07d
  SHA512: f557b9c3acb8ae7323bd23b259e014b030abd9eb364c544302f4e0db44f5a1e7edb94d95d54d8169dfac2c2c731869fbf894377dee266221c143821833e216c9

- Filesize: 11KB
  MD5: 07e82dcd7f522a01bf27eea81d108be5
  SHA1: ac3973254959d73f4f3ad661a235cf8ff354b9d7
  SHA256: 38c1717be14b9028c117be635d9f2ea49044354222126ca43a61bd6a6ec00c0e
  SHA512: 23dc1df6e6d89612ec53f7c603c9b5c10ac5d8ec9f0a3f59e003ae3a1f9e4127289536cc7e74e58b45ba0bc3a4324650231a35541e401f6a1629376d432f5c35

- Filesize: 659KB
  MD5: 94c5b3199414b8fca9f134724acdd88e
  SHA1: 6c95291364476fc10c4e343120225dae72d11233
  SHA256: dacd09444e389359d406450312e5fe66a2eb62c5c03948c8e7890303a43ee536
  SHA512: 5fdbaf9ede009cbfdb13a92ba5c409b1a590b1bc1ddccec45c551deb5e7b7f9ecc57ed0dd1a66c7a38666bd5eb2cab9fc52a18056a5e676c292bab871aa343e1

- Filesize: 403KB
  MD5: d902fb22b92a7455eeac95712e9c2179
  SHA1: 8e4e0d0965055517c1ddef8442cf74c4f3d700af
  SHA256: 58f962401b52e043325cec66d88ad73032165cd0b8c3de1ec95292d83416b81f
  SHA512: d097b22e30c20322c30f464dabf5bffeedc3e3728b82911db5f3ba79735915a3bb0fbc4bce65a153f665dc5e04ba93b6000d4230f8610bd17dbe3d625dff4269

- Filesize: 1.1MB
  MD5: e4aeb7b31d677a5a9a58a4762fab1321
  SHA1: a5e7279b6d59236296031ff87976e33fbd8cf34d
  SHA256: 1111f013a010a57a6739a8d4d0891728547cbbf80e45e77369a05d3423a28915
  SHA512: 964dda5030a54493aeebb8b478a76ccd98456184224332e66d5b693d311c83da11c360355c8d73e539ebc7b6ed0d0d2e78f65eef0f75d48c64a63cf10411e1fa

- (no path or size listed)
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
  These are the digests of zero-length input, i.e. an empty file; do not add them to a blocklist.