nanocore | hxxps://gofile[.]io/d/Dmq7NE

Analysis

max time kernel
98s
max time network
139s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
17-12-2024 22:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/Dmq7NE

Score

10^/10

nanocore discovery evasion keylogger persistence spyware stealer trojan

Malware Config

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Nanocore family
nanocore
Downloads MZ/PE file

Executes dropped EXE 4 IoCs

pid	Process
4232	XtasyExecutorV1.0.exe
1208	XtasyExecutorV1.0.exe
2192	XtasyExecutorV1.0.exe
4764	XtasyExecutorV1.0.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PCI Service = "C:\\Program Files (x86)\\PCI Service\\pcisvc.exe"	XtasyExecutorV1.0.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	XtasyExecutorV1.0.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\9956c160-db81-4393-81f4-b1fa40d4ceb9.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20241217221540.pma	setup.exe
File created	C:\Program Files (x86)\PCI Service\pcisvc.exe	XtasyExecutorV1.0.exe
File created	C:\Program Files (x86)\PCI Service\pcisvc.exe\:SmartScreen:$DATA	XtasyExecutorV1.0.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XtasyExecutorV1.0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XtasyExecutorV1.0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XtasyExecutorV1.0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XtasyExecutorV1.0.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 795056.crdownload:SmartScreen	msedge.exe
File created	C:\Program Files (x86)\PCI Service\pcisvc.exe\:SmartScreen:$DATA	XtasyExecutorV1.0.exe

Suspicious behavior: EnumeratesProcesses 38 IoCs

pid	Process
4788	msedge.exe
4788	msedge.exe
4984	msedge.exe
4984	msedge.exe
664	identity_helper.exe
664	identity_helper.exe
2076	msedge.exe
2076	msedge.exe
1208	XtasyExecutorV1.0.exe
1208	XtasyExecutorV1.0.exe
1208	XtasyExecutorV1.0.exe
1208	XtasyExecutorV1.0.exe
1208	XtasyExecutorV1.0.exe
1208	XtasyExecutorV1.0.exe
1208	XtasyExecutorV1.0.exe
1208	XtasyExecutorV1.0.exe
1208	XtasyExecutorV1.0.exe
1208	XtasyExecutorV1.0.exe
1208	XtasyExecutorV1.0.exe
1208	XtasyExecutorV1.0.exe
1208	XtasyExecutorV1.0.exe
1208	XtasyExecutorV1.0.exe
1208	XtasyExecutorV1.0.exe
1208	XtasyExecutorV1.0.exe
1208	XtasyExecutorV1.0.exe
1208	XtasyExecutorV1.0.exe
1208	XtasyExecutorV1.0.exe
1208	XtasyExecutorV1.0.exe
1208	XtasyExecutorV1.0.exe
1208	XtasyExecutorV1.0.exe
1208	XtasyExecutorV1.0.exe
1208	XtasyExecutorV1.0.exe
1208	XtasyExecutorV1.0.exe
1208	XtasyExecutorV1.0.exe
1208	XtasyExecutorV1.0.exe
1208	XtasyExecutorV1.0.exe
1208	XtasyExecutorV1.0.exe
1208	XtasyExecutorV1.0.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1208	XtasyExecutorV1.0.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1208	XtasyExecutorV1.0.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4984 wrote to memory of 4668	4984	msedge.exe	80
PID 4984 wrote to memory of 4668	4984	msedge.exe	80
PID 4984 wrote to memory of 4432	4984	msedge.exe	81
PID 4984 wrote to memory of 4432	4984	msedge.exe	81
PID 4984 wrote to memory of 4432	4984	msedge.exe	81
PID 4984 wrote to memory of 4432	4984	msedge.exe	81
PID 4984 wrote to memory of 4432	4984	msedge.exe	81
PID 4984 wrote to memory of 4432	4984	msedge.exe	81
PID 4984 wrote to memory of 4432	4984	msedge.exe	81
PID 4984 wrote to memory of 4432	4984	msedge.exe	81
PID 4984 wrote to memory of 4432	4984	msedge.exe	81
PID 4984 wrote to memory of 4432	4984	msedge.exe	81
PID 4984 wrote to memory of 4432	4984	msedge.exe	81
PID 4984 wrote to memory of 4432	4984	msedge.exe	81
PID 4984 wrote to memory of 4432	4984	msedge.exe	81
PID 4984 wrote to memory of 4432	4984	msedge.exe	81
PID 4984 wrote to memory of 4432	4984	msedge.exe	81
PID 4984 wrote to memory of 4432	4984	msedge.exe	81
PID 4984 wrote to memory of 4432	4984	msedge.exe	81
PID 4984 wrote to memory of 4432	4984	msedge.exe	81
PID 4984 wrote to memory of 4432	4984	msedge.exe	81
PID 4984 wrote to memory of 4432	4984	msedge.exe	81
PID 4984 wrote to memory of 4432	4984	msedge.exe	81
PID 4984 wrote to memory of 4432	4984	msedge.exe	81
PID 4984 wrote to memory of 4432	4984	msedge.exe	81
PID 4984 wrote to memory of 4432	4984	msedge.exe	81
PID 4984 wrote to memory of 4432	4984	msedge.exe	81
PID 4984 wrote to memory of 4432	4984	msedge.exe	81
PID 4984 wrote to memory of 4432	4984	msedge.exe	81
PID 4984 wrote to memory of 4432	4984	msedge.exe	81
PID 4984 wrote to memory of 4432	4984	msedge.exe	81
PID 4984 wrote to memory of 4432	4984	msedge.exe	81
PID 4984 wrote to memory of 4432	4984	msedge.exe	81
PID 4984 wrote to memory of 4432	4984	msedge.exe	81
PID 4984 wrote to memory of 4432	4984	msedge.exe	81
PID 4984 wrote to memory of 4432	4984	msedge.exe	81
PID 4984 wrote to memory of 4432	4984	msedge.exe	81
PID 4984 wrote to memory of 4432	4984	msedge.exe	81
PID 4984 wrote to memory of 4432	4984	msedge.exe	81
PID 4984 wrote to memory of 4432	4984	msedge.exe	81
PID 4984 wrote to memory of 4432	4984	msedge.exe	81
PID 4984 wrote to memory of 4432	4984	msedge.exe	81
PID 4984 wrote to memory of 4788	4984	msedge.exe	82
PID 4984 wrote to memory of 4788	4984	msedge.exe	82
PID 4984 wrote to memory of 1152	4984	msedge.exe	83
PID 4984 wrote to memory of 1152	4984	msedge.exe	83
PID 4984 wrote to memory of 1152	4984	msedge.exe	83
PID 4984 wrote to memory of 1152	4984	msedge.exe	83
PID 4984 wrote to memory of 1152	4984	msedge.exe	83
PID 4984 wrote to memory of 1152	4984	msedge.exe	83
PID 4984 wrote to memory of 1152	4984	msedge.exe	83
PID 4984 wrote to memory of 1152	4984	msedge.exe	83
PID 4984 wrote to memory of 1152	4984	msedge.exe	83
PID 4984 wrote to memory of 1152	4984	msedge.exe	83
PID 4984 wrote to memory of 1152	4984	msedge.exe	83
PID 4984 wrote to memory of 1152	4984	msedge.exe	83
PID 4984 wrote to memory of 1152	4984	msedge.exe	83
PID 4984 wrote to memory of 1152	4984	msedge.exe	83
PID 4984 wrote to memory of 1152	4984	msedge.exe	83
PID 4984 wrote to memory of 1152	4984	msedge.exe	83
PID 4984 wrote to memory of 1152	4984	msedge.exe	83
PID 4984 wrote to memory of 1152	4984	msedge.exe	83
PID 4984 wrote to memory of 1152	4984	msedge.exe	83
PID 4984 wrote to memory of 1152	4984	msedge.exe	83

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://gofile.io/d/Dmq7NE
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffd54cb46f8,0x7ffd54cb4708,0x7ffd54cb4718
  2⤵
  PID:4668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,13683487856350179848,14958928102102823067,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
  2⤵
  PID:4432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,13683487856350179848,14958928102102823067,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,13683487856350179848,14958928102102823067,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2760 /prefetch:8
  2⤵
  PID:1152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,13683487856350179848,14958928102102823067,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
  2⤵
  PID:3516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,13683487856350179848,14958928102102823067,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
  2⤵
  PID:5028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,13683487856350179848,14958928102102823067,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4796 /prefetch:1
  2⤵
  PID:4780
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,13683487856350179848,14958928102102823067,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5756 /prefetch:8
  2⤵
  PID:1128
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  2⤵
  - Drops file in Program Files directory
  PID:4056
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff7483d5460,0x7ff7483d5470,0x7ff7483d5480
    3⤵
    PID:2836
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,13683487856350179848,14958928102102823067,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5756 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,13683487856350179848,14958928102102823067,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5104 /prefetch:1
  2⤵
  PID:4072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,13683487856350179848,14958928102102823067,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3636 /prefetch:1
  2⤵
  PID:3176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,13683487856350179848,14958928102102823067,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4812 /prefetch:1
  2⤵
  PID:1116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,13683487856350179848,14958928102102823067,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6096 /prefetch:1
  2⤵
  PID:4264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2108,13683487856350179848,14958928102102823067,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6240 /prefetch:8
  2⤵
  PID:3676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,13683487856350179848,14958928102102823067,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6724 /prefetch:1
  2⤵
  PID:2284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,13683487856350179848,14958928102102823067,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6708 /prefetch:1
  2⤵
  PID:3080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2108,13683487856350179848,14958928102102823067,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6652 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2108,13683487856350179848,14958928102102823067,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5868 /prefetch:8
  2⤵
  PID:2964
- C:\Users\Admin\Downloads\XtasyExecutorV1.0.exe
  "C:\Users\Admin\Downloads\XtasyExecutorV1.0.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4232
- C:\Users\Admin\Downloads\XtasyExecutorV1.0.exe
  "C:\Users\Admin\Downloads\XtasyExecutorV1.0.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:1208
- C:\Users\Admin\Downloads\XtasyExecutorV1.0.exe
  "C:\Users\Admin\Downloads\XtasyExecutorV1.0.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2192
- C:\Users\Admin\Downloads\XtasyExecutorV1.0.exe
  "C:\Users\Admin\Downloads\XtasyExecutorV1.0.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4764

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1980

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\XtasyExecutorV1.0.exe.log

Filesize
496B

MD5
ecbaa939f4cf8a3c2c4070882a0e61b5

SHA1
5d3733a1386294a95406ade7803c954efe300f0d

SHA256
6f4ae1353d3c20efa457b72225566ee4e50b1c7ce19115faead0ebd6c9711644

SHA512
1cee74c6a3ba57a9d6f6e3d08de07f72c349b308551b2cc25110f077dd3437968b7042a4a5817ab286039d3c74b94b51176317d5d4bfc0d748a03712a7895a87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4c3b681f1b553061b1d406dca73509e1

SHA1
1d0902a780b041766c456dca466ed6dd88db979a

SHA256
45099d50c298e321f628997d58aff82c1f91aa302cb6a46f5c8a2819a53685d2

SHA512
b6e59b2da8bce61cdb2f0bdbe6dd0486c68bb583a1066cafb979314c4c1baeab4136d9d958e9e9ef3a36b1d7988ae8518080b8aff9748c102d05646aea914283

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
165b9ab5b6100e149d42942970795741

SHA1
873ef2b7bb080cee1f9eb80920edb54a235fc326

SHA256
fd01e423cf1b8c61bbc4e1c63f3cd70a81586a9d03a88eebd6ec3a16a1910364

SHA512
5ba31ba647b158325e7282ff6dc83e683b62895a1e3ebd5445a1f121d6d5fdee4b39164514f7c442bf67dbefcc7965c3ee946333e77047ced40df144aebef9ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
203KB

MD5
b8fb078ab0ff9ca107d79112a1a56255

SHA1
cebcb36d55bb63688bd9ffbf7d372ba41b0e959e

SHA256
2d73aa44284a435c2cc78b6a80a4326f42a28dfa598e5dfd20ba3f612afdcd37

SHA512
1a817eb1043122eb183821558cd9541f4a34f76551f52040f8c2e3caf8dd082a88d80799be868bbb84fdf339cb462a63bb14bceae869345485b565a19d01f1f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
4d654151ce7878a232e9b63790148aec

SHA1
1e3501604359cbd18b3b3a424e45dccff8b6319f

SHA256
1701780f6c77fd7b8985574db9548ae305a0266174f0d3460ab5948c0f006361

SHA512
98de385f033bb22c14f429a5b065478a4f49a6b4dc6ace03b00459ee320952f094cd080caa023a21c66df5ce9ac42a023dc46276e740a58ea839898349b99af1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
69d3103c59e0f2cc3b22403e16e19493

SHA1
ae97bf0b89c11d52f0618b885e867438da564c3b

SHA256
df4d7056461c329754b4233ad83713f66c1c6918ab485ba0a39f348fd03a32b4

SHA512
84a6194009ef94c16962292310807612f7c8bca110921671b0f223d5505591b8f14b8d96df5fec2f0fc25ba3f2c3b428e3b7d95b39d3b11408688acf07328907

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
391B

MD5
5c859d9288a60d235b3cad2c36ab5670

SHA1
e51cad875defee4028accce6de5bde1b6ca94dc6

SHA256
3f28f1593628cfb46518b9252683e3a8b0bfb921021be4c6ae413f114ccbb517

SHA512
24c6cc4268ceff420cc3026217c35566680a05e584498278e7c479a03cf55f8461135c607a849600a117e1d59719e7eb6e289087575689556d90ca0a9671ea8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1cfad739957b5f97d93d1f780e59090c

SHA1
c982b1a866b75b54d6b7d8447d659040dfd1c21a

SHA256
8d0a26d437656f70c7bd809655ec9b561a328b66f0cee9c735be5fd2e83ed321

SHA512
b2afe9d0284bb9db79bb4a63518c272659c3047ebf18e8483afc976c938a189cd095ec8b057db2d334b5038e592e18f885140c99af9eb1782b0bf649482312ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
073cd6934a1ccd79d20eb1f1a91eab51

SHA1
cd4413379ad16409c4ab1480a0637ee65513f404

SHA256
9a8d3f27114d95b2d3a0263e80dfceccad620e47bc08d331ef515886e43724db

SHA512
4ecce2093d1e4a8e2f150cf8a296a1698d57bbfb85ce5dc14c200a00a117341a4cc6eecf479155d482fde5d256cd2d37e49471a6c7d207c5b025b4071d048e0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e7a8bce040eed9863f6956b6c2af80f7

SHA1
0417ab1d7f431c21b7880b7365468ffaf5ae9ff4

SHA256
b3433b9a19c0a119b4e673176332ad02bfa7c03b4e92b873ce0d8394619f1a97

SHA512
87df7251c342ee8392a39aa8eeeab85e27dda612dbe1d554ffdf7c2b884989cff14f93c937765486ec905f6552fd746bcac9b6752a64d5eed0d0627c7c53aef6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
4632c1a252221af9d98aa837a250517b

SHA1
e5bdbd82df545aed6f028a2e53edbe8737ef43f3

SHA256
a0e18360dcc26bc12433fd6532a68c35d8794ca6829aab614be1fc2788a0cdfc

SHA512
98e1dbaea499c5d598f9ebcf6d4994eaccb31c34d0017f21a08f1ecec22e39cf5080425405968ea90ecb790fc918b1afba07b538ef5f3378f1b7b4ff5eb01344

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
524c0eba78201e8faad29c29d0a611ff

SHA1
b8d23f3f70313f9f0f8c1e293e70a3f8173adea9

SHA256
693ac11a04057152b30e8d26dc646186c3e54bbe397122b457374d92620fde52

SHA512
5481d83540551f9999d6dbbe94c7ac200b53bb81e5d9a5a94761274332a0b4e4aad05a9689fed5b9ad6fb2c1d06f91e2730eaa4f53950f8e14cef5cf2af452ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
eeec2e8fdb3d10926be7f7f005a6add4

SHA1
ef91d915a57451a526ffde4634f1152c6a751104

SHA256
3a35c99ef359936c246b01412cf6c3bd0a7b190fbfefa584d62cc27e6f6522b1

SHA512
c2044601211d75abf5bea962e73760289ec660326f7e8fce5a588a6a7672923682fa45a0876f197ec75c943d780bd06649d1810edb8331a293365dcc415cb4c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
35d6c6f0d516ab38c28588ba6c630cc4

SHA1
040f977028d5edd6fafeb2eee5a5fdde8b98c737

SHA256
7fd29c3e4d620cae3b9b8effa8a90ba608909c8afe4f077409fb16780d46683e

SHA512
3c894fed1b64d9e30c71ede6784f03462f9b73cc9706f25454a446dd72aa49824711d9fc8628cd7248a223cd63b1506200bfad5b1f206e164390a88ed8f75a72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
3e2961ca3a4dbd4feb7873186aa0b133

SHA1
18f13b926fb0cc0a1873865ca6013201801f9f91

SHA256
4b34d3fceb98519b38f512d56c38a7e01f72fb2a43f1a338b8cd14d018eb561d

SHA512
19349f2c8ae873dffa623d399aaecadbe566dccd5e895e942fa6b4ff9204dac15785fe1baf7c527e05a0f7b5d150287109e457aee7b5d5e8f8b50028a8f26331

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
d4a2c4a4ebb14e4ecb39f9857ebe84d2

SHA1
f78f472db778491cb389fd021df4eafb1241e446

SHA256
57398846cd630f09fe438f2ceb68bb5ff08277642418c1e379454b0a1280b773

SHA512
7382e7d9266e3d33a29412035b4793868be8aeb45ac3917208440bae7c4565636c50ef5a26e6ee169ed282756645b2d334121a13b6da617e49512ed359f9fac8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
37431e7d568df16af08e1670670d5dbd

SHA1
bb225f903afb3a0abff06f91896816ee9e3221b4

SHA256
951966f95535d70b597def079799bff295b52f084b0a93a7b8c6f5b7e9d9e8ca

SHA512
849f638d816962dab643bab34e2615819591843d8c88c52a1e912b9be8205b3042802f35d06b3be3549fc3dadfbcb75d5d580d0e01e8c76e9aa7ef38fd0fefc5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
338d4b1e57132e4088f6279e6e3cc5e3

SHA1
0f6e2ce180f05cb0173f70ab4753ff95127ca6bc

SHA256
34d2c7f332d278411e0bbf654c9478b3e00d83da3d496814329dd09544664588

SHA512
469a96e718de019adca18109a24b83f7fe8e96cb9cca720af185f5490b99832a70e9bd4d3d3b2116714506695883457c30f589da05bd046b3ed92136cdf3b968

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
ddd46bf64e2b5fd2c47fea9153afada9

SHA1
19c2b01cac9fa726313c5731a093f0bc4bd5d218

SHA256
6bae672e6d375bfbfe290e8d34534aa66d6cc84e7c5872507c55518fb388807c

SHA512
e5f110f54755d8d39e8a5af0c06135e01422f3d6837633c8dd15c1291439be1f72c9f67e4cc7790a5fb204610d1840bf2056686d70245e79b2884299d8a3eba7

Download Submit