nanocore | hxxps://gofile[.]io/d/Dmq7NE

Analysis

max time kernel
130s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-12-2024 22:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/Dmq7NE

Score

10^/10

nanocore discovery evasion keylogger persistence spyware stealer trojan

Malware Config

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Nanocore family
nanocore
Downloads MZ/PE file

Executes dropped EXE 5 IoCs

pid	Process
3976	XtasyExecutorV1.0.exe
4556	XtasyExecutorV1.0.exe
5144	XtasyExecutorV1.0.exe
5784	XtasyExecutorV1.0.exe
5820	XtasyExecutorV1.0.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NTFS Manager = "C:\\Program Files (x86)\\NTFS Manager\\ntfsmgr.exe"	XtasyExecutorV1.0.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	XtasyExecutorV1.0.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\NTFS Manager\ntfsmgr.exe	XtasyExecutorV1.0.exe
File opened for modification	C:\Program Files (x86)\NTFS Manager\ntfsmgr.exe	XtasyExecutorV1.0.exe
File created	C:\Program Files (x86)\NTFS Manager\ntfsmgr.exe\:SmartScreen:$DATA	XtasyExecutorV1.0.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XtasyExecutorV1.0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XtasyExecutorV1.0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XtasyExecutorV1.0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XtasyExecutorV1.0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XtasyExecutorV1.0.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 429668.crdownload:SmartScreen	msedge.exe
File created	C:\Program Files (x86)\NTFS Manager\ntfsmgr.exe\:SmartScreen:$DATA	XtasyExecutorV1.0.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
3568	msedge.exe
3568	msedge.exe
2840	msedge.exe
2840	msedge.exe
444	identity_helper.exe
444	identity_helper.exe
3116	msedge.exe
3116	msedge.exe
3976	XtasyExecutorV1.0.exe
3976	XtasyExecutorV1.0.exe
3976	XtasyExecutorV1.0.exe
3976	XtasyExecutorV1.0.exe
3976	XtasyExecutorV1.0.exe
3976	XtasyExecutorV1.0.exe
3976	XtasyExecutorV1.0.exe
3976	XtasyExecutorV1.0.exe
3976	XtasyExecutorV1.0.exe
3976	XtasyExecutorV1.0.exe
3976	XtasyExecutorV1.0.exe
3976	XtasyExecutorV1.0.exe
3976	XtasyExecutorV1.0.exe
3976	XtasyExecutorV1.0.exe
3976	XtasyExecutorV1.0.exe
3976	XtasyExecutorV1.0.exe
6012	msedge.exe
6012	msedge.exe
6012	msedge.exe
6012	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3976	XtasyExecutorV1.0.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3976	XtasyExecutorV1.0.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2840 wrote to memory of 3900	2840	msedge.exe	82
PID 2840 wrote to memory of 3900	2840	msedge.exe	82
PID 2840 wrote to memory of 3472	2840	msedge.exe	83
PID 2840 wrote to memory of 3472	2840	msedge.exe	83
PID 2840 wrote to memory of 3472	2840	msedge.exe	83
PID 2840 wrote to memory of 3472	2840	msedge.exe	83
PID 2840 wrote to memory of 3472	2840	msedge.exe	83
PID 2840 wrote to memory of 3472	2840	msedge.exe	83
PID 2840 wrote to memory of 3472	2840	msedge.exe	83
PID 2840 wrote to memory of 3472	2840	msedge.exe	83
PID 2840 wrote to memory of 3472	2840	msedge.exe	83
PID 2840 wrote to memory of 3472	2840	msedge.exe	83
PID 2840 wrote to memory of 3472	2840	msedge.exe	83
PID 2840 wrote to memory of 3472	2840	msedge.exe	83
PID 2840 wrote to memory of 3472	2840	msedge.exe	83
PID 2840 wrote to memory of 3472	2840	msedge.exe	83
PID 2840 wrote to memory of 3472	2840	msedge.exe	83
PID 2840 wrote to memory of 3472	2840	msedge.exe	83
PID 2840 wrote to memory of 3472	2840	msedge.exe	83
PID 2840 wrote to memory of 3472	2840	msedge.exe	83
PID 2840 wrote to memory of 3472	2840	msedge.exe	83
PID 2840 wrote to memory of 3472	2840	msedge.exe	83
PID 2840 wrote to memory of 3472	2840	msedge.exe	83
PID 2840 wrote to memory of 3472	2840	msedge.exe	83
PID 2840 wrote to memory of 3472	2840	msedge.exe	83
PID 2840 wrote to memory of 3472	2840	msedge.exe	83
PID 2840 wrote to memory of 3472	2840	msedge.exe	83
PID 2840 wrote to memory of 3472	2840	msedge.exe	83
PID 2840 wrote to memory of 3472	2840	msedge.exe	83
PID 2840 wrote to memory of 3472	2840	msedge.exe	83
PID 2840 wrote to memory of 3472	2840	msedge.exe	83
PID 2840 wrote to memory of 3472	2840	msedge.exe	83
PID 2840 wrote to memory of 3472	2840	msedge.exe	83
PID 2840 wrote to memory of 3472	2840	msedge.exe	83
PID 2840 wrote to memory of 3472	2840	msedge.exe	83
PID 2840 wrote to memory of 3472	2840	msedge.exe	83
PID 2840 wrote to memory of 3472	2840	msedge.exe	83
PID 2840 wrote to memory of 3472	2840	msedge.exe	83
PID 2840 wrote to memory of 3472	2840	msedge.exe	83
PID 2840 wrote to memory of 3472	2840	msedge.exe	83
PID 2840 wrote to memory of 3472	2840	msedge.exe	83
PID 2840 wrote to memory of 3472	2840	msedge.exe	83
PID 2840 wrote to memory of 3568	2840	msedge.exe	84
PID 2840 wrote to memory of 3568	2840	msedge.exe	84
PID 2840 wrote to memory of 3832	2840	msedge.exe	85
PID 2840 wrote to memory of 3832	2840	msedge.exe	85
PID 2840 wrote to memory of 3832	2840	msedge.exe	85
PID 2840 wrote to memory of 3832	2840	msedge.exe	85
PID 2840 wrote to memory of 3832	2840	msedge.exe	85
PID 2840 wrote to memory of 3832	2840	msedge.exe	85
PID 2840 wrote to memory of 3832	2840	msedge.exe	85
PID 2840 wrote to memory of 3832	2840	msedge.exe	85
PID 2840 wrote to memory of 3832	2840	msedge.exe	85
PID 2840 wrote to memory of 3832	2840	msedge.exe	85
PID 2840 wrote to memory of 3832	2840	msedge.exe	85
PID 2840 wrote to memory of 3832	2840	msedge.exe	85
PID 2840 wrote to memory of 3832	2840	msedge.exe	85
PID 2840 wrote to memory of 3832	2840	msedge.exe	85
PID 2840 wrote to memory of 3832	2840	msedge.exe	85
PID 2840 wrote to memory of 3832	2840	msedge.exe	85
PID 2840 wrote to memory of 3832	2840	msedge.exe	85
PID 2840 wrote to memory of 3832	2840	msedge.exe	85
PID 2840 wrote to memory of 3832	2840	msedge.exe	85
PID 2840 wrote to memory of 3832	2840	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://gofile.io/d/Dmq7NE
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa1a8146f8,0x7ffa1a814708,0x7ffa1a814718
  2⤵
  PID:3900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,6865267263061312159,9283416137726573171,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
  2⤵
  PID:3472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,6865267263061312159,9283416137726573171,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2452 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,6865267263061312159,9283416137726573171,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2844 /prefetch:8
  2⤵
  PID:3832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,6865267263061312159,9283416137726573171,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
  2⤵
  PID:1908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,6865267263061312159,9283416137726573171,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
  2⤵
  PID:2904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,6865267263061312159,9283416137726573171,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4652 /prefetch:1
  2⤵
  PID:432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,6865267263061312159,9283416137726573171,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4140 /prefetch:1
  2⤵
  PID:2152
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,6865267263061312159,9283416137726573171,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4724 /prefetch:8
  2⤵
  PID:2128
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,6865267263061312159,9283416137726573171,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4724 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,6865267263061312159,9283416137726573171,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1
  2⤵
  PID:852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,6865267263061312159,9283416137726573171,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5572 /prefetch:1
  2⤵
  PID:2616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2108,6865267263061312159,9283416137726573171,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5328 /prefetch:8
  2⤵
  PID:228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,6865267263061312159,9283416137726573171,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5308 /prefetch:1
  2⤵
  PID:3764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,6865267263061312159,9283416137726573171,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6052 /prefetch:1
  2⤵
  PID:2656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,6865267263061312159,9283416137726573171,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6076 /prefetch:1
  2⤵
  PID:4332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2108,6865267263061312159,9283416137726573171,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6420 /prefetch:8
  2⤵
  PID:2440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2108,6865267263061312159,9283416137726573171,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5712 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3116
- C:\Users\Admin\Downloads\XtasyExecutorV1.0.exe
  "C:\Users\Admin\Downloads\XtasyExecutorV1.0.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:3976
- C:\Users\Admin\Downloads\XtasyExecutorV1.0.exe
  "C:\Users\Admin\Downloads\XtasyExecutorV1.0.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4556
- C:\Users\Admin\Downloads\XtasyExecutorV1.0.exe
  "C:\Users\Admin\Downloads\XtasyExecutorV1.0.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5144
- C:\Users\Admin\Downloads\XtasyExecutorV1.0.exe
  "C:\Users\Admin\Downloads\XtasyExecutorV1.0.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5784
- C:\Users\Admin\Downloads\XtasyExecutorV1.0.exe
  "C:\Users\Admin\Downloads\XtasyExecutorV1.0.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,6865267263061312159,9283416137726573171,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5848 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6012

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4980

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\XtasyExecutorV1.0.exe.log

Filesize
496B

MD5
5b4789d01bb4d7483b71e1a35bce6a8b

SHA1
de083f2131c9a763c0d1810c97a38732146cffbf

SHA256
e248cef9500ed6e0c9f99d72a2a6a36955a5f0cfc0725748ef25a733cc8282f6

SHA512
357e18ef30430e4b9cc4f2569b9735b1cd12f934c83162e4de78ac29ba9703b63ddb624ccc22afd5a5868f6e9d91a3c64581846abac22e9625f5b2e3d80b3ede

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b8880802fc2bb880a7a869faa01315b0

SHA1
51d1a3fa2c272f094515675d82150bfce08ee8d3

SHA256
467b8cd4aacac66557712f9843023dcedefcc26efc746f3e44157bc8dac73812

SHA512
e1c6dba2579357ba70de58968b167d2c529534d24bff70568144270c48ac18a48ee2af2d58d78ae741e5a36958fa78a57955bd2456f1df00b781fc1002e123d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ba6ef346187b40694d493da98d5da979

SHA1
643c15bec043f8673943885199bb06cd1652ee37

SHA256
d86eec91f295dfda8ed1c5fa99de426f2fe359282c7ebf67e3a40be739475d73

SHA512
2e6cc97330be8868d4b9c53be7e12c558f6eb1ac2c4080a611ba6c43561d0c5bb4791b8a11a8c2371599f0ba73ed1d9a7a2ea6dee2ae6a080f1912e0cb1f656c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
54404a7e7cc455106a492a939a6ad2fe

SHA1
3b426274001752bbd68dedafd078cd754717cac1

SHA256
8e034b3fe011ece135afc3187227dba678b6fbe576b6ad1a23de4fc68454ffa6

SHA512
02735b38f8336f035dbac03b300ea2e80959c24d79dd64502cd267059a83da9b1b127602c5fc0a56be5aafdbe993e86eb4e1fc114667579a79dab020053744c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
391B

MD5
5c859d9288a60d235b3cad2c36ab5670

SHA1
e51cad875defee4028accce6de5bde1b6ca94dc6

SHA256
3f28f1593628cfb46518b9252683e3a8b0bfb921021be4c6ae413f114ccbb517

SHA512
24c6cc4268ceff420cc3026217c35566680a05e584498278e7c479a03cf55f8461135c607a849600a117e1d59719e7eb6e289087575689556d90ca0a9671ea8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a8a71aefbc524eb7e36b10ba94b4ae77

SHA1
7c110137b39bece99fa5a6abecbaac7ec162298f

SHA256
63229709d8e71c47abf44a6ce776cb69325a7f2973554d39cbcc5e3eb9b77b44

SHA512
8353ee4a357ca7390f9e696e8cbdf292e82a68c91eb5821e660e4602b26585eeed8b61f540807a1b66253b994efb123e714ceadeee29ce0a65fe0dc8320dfcac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
2b70580fec91cf950660a04604304f02

SHA1
559ce26a9da735f294e33fcdc36cd4fce81b3fb1

SHA256
5f7b8ed2ab3849b3646c2ad3c940012a3d700d8ad826d277be0ca7fb5ffe50e3

SHA512
24e2b0b5b147c698942cae373924f7ba8e7b9c2516aad1ec39a6ade93125fa9f35c25dd004cca37b265edcd11d620e7e304515b99719ed99696443165eeb6f04

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
0fcd363eecfcbef3a0775be438a3e821

SHA1
fc042e02141021b6bd44fd61be208f151760f7e4

SHA256
4a2c30d302bf9f08a4ff1d464e5e97c7c0b8eff2b9a94a2e42741531aee7f862

SHA512
950ce24deeeecf9b76411f105826a05bd75d24619ee42b6dc42cb14537f76e2036ea8d5dad0bfb75d354901da4ae4de8482b3835f9be6fe6edfae47498ff726c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\efed2bf5-7487-47f7-920e-6cfc3e3d50d3.tmp

Filesize
10KB

MD5
9c15c1619ef610f70d652c0449945f7f

SHA1
bf7a2448009565a570c8178d222dcf39aa5c381d

SHA256
f552856ce840c33c08b618f7da50c93ab2457bd4d043748437160048399d2d0b

SHA512
8e6497c58d588390a9a0696fe03ec547bcc70928a3233bebc57e77fe51b3b1ee05c7219e486368db8ef6f1c0572831e43b7d3f2d5e49a49753d43baecc1b32f3

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 429668.crdownload

Filesize
203KB

MD5
b8fb078ab0ff9ca107d79112a1a56255

SHA1
cebcb36d55bb63688bd9ffbf7d372ba41b0e959e

SHA256
2d73aa44284a435c2cc78b6a80a4326f42a28dfa598e5dfd20ba3f612afdcd37

SHA512
1a817eb1043122eb183821558cd9541f4a34f76551f52040f8c2e3caf8dd082a88d80799be868bbb84fdf339cb462a63bb14bceae869345485b565a19d01f1f9

Download Submit