nanocore | hxxps://gofile[.]io/d/Dmq7NE

Analysis

max time kernel
135s
max time network
133s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
17-12-2024 22:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/Dmq7NE

Score

10^/10

nanocore defense_evasion discovery evasion keylogger persistence spyware stealer trojan

Malware Config

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Nanocore family
nanocore
Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
3736	XtasyExecutorV1.0.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DOS Monitor = "C:\\Program Files (x86)\\DOS Monitor\\dosmon.exe"	XtasyExecutorV1.0.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	XtasyExecutorV1.0.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\DOS Monitor\dosmon.exe	XtasyExecutorV1.0.exe
File opened for modification	C:\Program Files (x86)\DOS Monitor\dosmon.exe	XtasyExecutorV1.0.exe
File created	C:\Program Files (x86)\DOS Monitor\dosmon.exe\:SmartScreen:$DATA	XtasyExecutorV1.0.exe
File created	C:\Program Files (x86)\DOS Monitor\dosmon.exe\:Zone.Identifier:$DATA	XtasyExecutorV1.0.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\XtasyExecutorV1.0.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XtasyExecutorV1.0.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	Taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	Taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	Taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 815230.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\XtasyExecutorV1.0.exe:Zone.Identifier	msedge.exe
File created	C:\Program Files (x86)\DOS Monitor\dosmon.exe\:SmartScreen:$DATA	XtasyExecutorV1.0.exe
File created	C:\Program Files (x86)\DOS Monitor\dosmon.exe\:Zone.Identifier:$DATA	XtasyExecutorV1.0.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4324	msedge.exe
4324	msedge.exe
1968	msedge.exe
1968	msedge.exe
1896	msedge.exe
1896	msedge.exe
1508	identity_helper.exe
1508	identity_helper.exe
5016	msedge.exe
5016	msedge.exe
3736	XtasyExecutorV1.0.exe
3736	XtasyExecutorV1.0.exe
3736	XtasyExecutorV1.0.exe
3736	XtasyExecutorV1.0.exe
3736	XtasyExecutorV1.0.exe
3736	XtasyExecutorV1.0.exe
3736	XtasyExecutorV1.0.exe
3736	XtasyExecutorV1.0.exe
3736	XtasyExecutorV1.0.exe
3736	XtasyExecutorV1.0.exe
3736	XtasyExecutorV1.0.exe
3736	XtasyExecutorV1.0.exe
3736	XtasyExecutorV1.0.exe
3736	XtasyExecutorV1.0.exe
3736	XtasyExecutorV1.0.exe
3736	XtasyExecutorV1.0.exe
3736	XtasyExecutorV1.0.exe
3736	XtasyExecutorV1.0.exe
3736	XtasyExecutorV1.0.exe
3736	XtasyExecutorV1.0.exe
3736	XtasyExecutorV1.0.exe
3736	XtasyExecutorV1.0.exe
3736	XtasyExecutorV1.0.exe
3736	XtasyExecutorV1.0.exe
3736	XtasyExecutorV1.0.exe
3736	XtasyExecutorV1.0.exe
3736	XtasyExecutorV1.0.exe
3736	XtasyExecutorV1.0.exe
3736	XtasyExecutorV1.0.exe
3736	XtasyExecutorV1.0.exe
3736	XtasyExecutorV1.0.exe
3736	XtasyExecutorV1.0.exe
3736	XtasyExecutorV1.0.exe
3736	XtasyExecutorV1.0.exe
3736	XtasyExecutorV1.0.exe
3736	XtasyExecutorV1.0.exe
3736	XtasyExecutorV1.0.exe
3736	XtasyExecutorV1.0.exe
3736	XtasyExecutorV1.0.exe
3736	XtasyExecutorV1.0.exe
3736	XtasyExecutorV1.0.exe
3736	XtasyExecutorV1.0.exe
3736	XtasyExecutorV1.0.exe
3736	XtasyExecutorV1.0.exe
3736	XtasyExecutorV1.0.exe
3736	XtasyExecutorV1.0.exe
3736	XtasyExecutorV1.0.exe
3736	XtasyExecutorV1.0.exe
3736	XtasyExecutorV1.0.exe
3736	XtasyExecutorV1.0.exe
3736	XtasyExecutorV1.0.exe
3736	XtasyExecutorV1.0.exe
3736	XtasyExecutorV1.0.exe
3736	XtasyExecutorV1.0.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3736	XtasyExecutorV1.0.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3736	XtasyExecutorV1.0.exe
Token: SeDebugPrivilege	1832	Taskmgr.exe
Token: SeSystemProfilePrivilege	1832	Taskmgr.exe
Token: SeCreateGlobalPrivilege	1832	Taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1832	Taskmgr.exe
1832	Taskmgr.exe
1832	Taskmgr.exe
1832	Taskmgr.exe
1832	Taskmgr.exe
1832	Taskmgr.exe
1832	Taskmgr.exe
1832	Taskmgr.exe
1832	Taskmgr.exe
1832	Taskmgr.exe
1832	Taskmgr.exe
1832	Taskmgr.exe
1832	Taskmgr.exe
1832	Taskmgr.exe
1832	Taskmgr.exe
1832	Taskmgr.exe
1832	Taskmgr.exe
1832	Taskmgr.exe
1832	Taskmgr.exe
1832	Taskmgr.exe
1832	Taskmgr.exe
1832	Taskmgr.exe
1832	Taskmgr.exe
1832	Taskmgr.exe
1832	Taskmgr.exe
1832	Taskmgr.exe
1832	Taskmgr.exe
1832	Taskmgr.exe

Suspicious use of SendNotifyMessage 46 IoCs

pid	Process
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1832	Taskmgr.exe
1832	Taskmgr.exe
1832	Taskmgr.exe
1832	Taskmgr.exe
1832	Taskmgr.exe
1832	Taskmgr.exe
1832	Taskmgr.exe
1832	Taskmgr.exe
1832	Taskmgr.exe
1832	Taskmgr.exe
1832	Taskmgr.exe
1832	Taskmgr.exe
1832	Taskmgr.exe
1832	Taskmgr.exe
1832	Taskmgr.exe
1832	Taskmgr.exe
1832	Taskmgr.exe
1832	Taskmgr.exe
1832	Taskmgr.exe
1832	Taskmgr.exe
1832	Taskmgr.exe
1832	Taskmgr.exe
1832	Taskmgr.exe
1832	Taskmgr.exe
1832	Taskmgr.exe
1832	Taskmgr.exe
1832	Taskmgr.exe
1832	Taskmgr.exe
1832	Taskmgr.exe
1832	Taskmgr.exe
1832	Taskmgr.exe
1832	Taskmgr.exe
1832	Taskmgr.exe
1832	Taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1968 wrote to memory of 3396	1968	msedge.exe	78
PID 1968 wrote to memory of 3396	1968	msedge.exe	78
PID 1968 wrote to memory of 2712	1968	msedge.exe	79
PID 1968 wrote to memory of 2712	1968	msedge.exe	79
PID 1968 wrote to memory of 2712	1968	msedge.exe	79
PID 1968 wrote to memory of 2712	1968	msedge.exe	79
PID 1968 wrote to memory of 2712	1968	msedge.exe	79
PID 1968 wrote to memory of 2712	1968	msedge.exe	79
PID 1968 wrote to memory of 2712	1968	msedge.exe	79
PID 1968 wrote to memory of 2712	1968	msedge.exe	79
PID 1968 wrote to memory of 2712	1968	msedge.exe	79
PID 1968 wrote to memory of 2712	1968	msedge.exe	79
PID 1968 wrote to memory of 2712	1968	msedge.exe	79
PID 1968 wrote to memory of 2712	1968	msedge.exe	79
PID 1968 wrote to memory of 2712	1968	msedge.exe	79
PID 1968 wrote to memory of 2712	1968	msedge.exe	79
PID 1968 wrote to memory of 2712	1968	msedge.exe	79
PID 1968 wrote to memory of 2712	1968	msedge.exe	79
PID 1968 wrote to memory of 2712	1968	msedge.exe	79
PID 1968 wrote to memory of 2712	1968	msedge.exe	79
PID 1968 wrote to memory of 2712	1968	msedge.exe	79
PID 1968 wrote to memory of 2712	1968	msedge.exe	79
PID 1968 wrote to memory of 2712	1968	msedge.exe	79
PID 1968 wrote to memory of 2712	1968	msedge.exe	79
PID 1968 wrote to memory of 2712	1968	msedge.exe	79
PID 1968 wrote to memory of 2712	1968	msedge.exe	79
PID 1968 wrote to memory of 2712	1968	msedge.exe	79
PID 1968 wrote to memory of 2712	1968	msedge.exe	79
PID 1968 wrote to memory of 2712	1968	msedge.exe	79
PID 1968 wrote to memory of 2712	1968	msedge.exe	79
PID 1968 wrote to memory of 2712	1968	msedge.exe	79
PID 1968 wrote to memory of 2712	1968	msedge.exe	79
PID 1968 wrote to memory of 2712	1968	msedge.exe	79
PID 1968 wrote to memory of 2712	1968	msedge.exe	79
PID 1968 wrote to memory of 2712	1968	msedge.exe	79
PID 1968 wrote to memory of 2712	1968	msedge.exe	79
PID 1968 wrote to memory of 2712	1968	msedge.exe	79
PID 1968 wrote to memory of 2712	1968	msedge.exe	79
PID 1968 wrote to memory of 2712	1968	msedge.exe	79
PID 1968 wrote to memory of 2712	1968	msedge.exe	79
PID 1968 wrote to memory of 2712	1968	msedge.exe	79
PID 1968 wrote to memory of 2712	1968	msedge.exe	79
PID 1968 wrote to memory of 4324	1968	msedge.exe	80
PID 1968 wrote to memory of 4324	1968	msedge.exe	80
PID 1968 wrote to memory of 3776	1968	msedge.exe	81
PID 1968 wrote to memory of 3776	1968	msedge.exe	81
PID 1968 wrote to memory of 3776	1968	msedge.exe	81
PID 1968 wrote to memory of 3776	1968	msedge.exe	81
PID 1968 wrote to memory of 3776	1968	msedge.exe	81
PID 1968 wrote to memory of 3776	1968	msedge.exe	81
PID 1968 wrote to memory of 3776	1968	msedge.exe	81
PID 1968 wrote to memory of 3776	1968	msedge.exe	81
PID 1968 wrote to memory of 3776	1968	msedge.exe	81
PID 1968 wrote to memory of 3776	1968	msedge.exe	81
PID 1968 wrote to memory of 3776	1968	msedge.exe	81
PID 1968 wrote to memory of 3776	1968	msedge.exe	81
PID 1968 wrote to memory of 3776	1968	msedge.exe	81
PID 1968 wrote to memory of 3776	1968	msedge.exe	81
PID 1968 wrote to memory of 3776	1968	msedge.exe	81
PID 1968 wrote to memory of 3776	1968	msedge.exe	81
PID 1968 wrote to memory of 3776	1968	msedge.exe	81
PID 1968 wrote to memory of 3776	1968	msedge.exe	81
PID 1968 wrote to memory of 3776	1968	msedge.exe	81
PID 1968 wrote to memory of 3776	1968	msedge.exe	81

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://gofile.io/d/Dmq7NE
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa781f3cb8,0x7ffa781f3cc8,0x7ffa781f3cd8
  2⤵
  PID:3396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1864,12958053884625449315,10952887486397473203,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1844 /prefetch:2
  2⤵
  PID:2712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1864,12958053884625449315,10952887486397473203,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2392 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1864,12958053884625449315,10952887486397473203,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2756 /prefetch:8
  2⤵
  PID:3776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,12958053884625449315,10952887486397473203,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
  2⤵
  PID:4032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,12958053884625449315,10952887486397473203,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:1040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,12958053884625449315,10952887486397473203,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3848 /prefetch:1
  2⤵
  PID:3732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1864,12958053884625449315,10952887486397473203,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5024 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,12958053884625449315,10952887486397473203,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5044 /prefetch:1
  2⤵
  PID:2604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,12958053884625449315,10952887486397473203,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5064 /prefetch:1
  2⤵
  PID:1736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,12958053884625449315,10952887486397473203,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4716 /prefetch:1
  2⤵
  PID:2020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,12958053884625449315,10952887486397473203,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5356 /prefetch:1
  2⤵
  PID:1876
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1864,12958053884625449315,10952887486397473203,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3484 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,12958053884625449315,10952887486397473203,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:1
  2⤵
  PID:1440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,12958053884625449315,10952887486397473203,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:1
  2⤵
  PID:844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1864,12958053884625449315,10952887486397473203,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5856 /prefetch:8
  2⤵
  PID:232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1864,12958053884625449315,10952887486397473203,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5792 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:5016
- C:\Users\Admin\Downloads\XtasyExecutorV1.0.exe
  "C:\Users\Admin\Downloads\XtasyExecutorV1.0.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:3736

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4744

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4984

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1432

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
1⤵
PID:3792
- C:\Windows\system32\Taskmgr.exe
  taskmgr
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e1544690d41d950f9c1358068301cfb5

SHA1
ae3ff81363fcbe33c419e49cabef61fb6837bffa

SHA256
53d69c9cc3c8aaf2c8b58ea6a2aa47c49c9ec11167dd9414cd9f4192f9978724

SHA512
1e4f1fe2877f4f947d33490e65898752488e48de34d61e197e4448127d6b1926888de80b62349d5a88b96140eed0a5b952ef4dd7ca318689f76e12630c9029da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9314124f4f0ad9f845a0d7906fd8dfd8

SHA1
0d4f67fb1a11453551514f230941bdd7ef95693c

SHA256
cbd58fa358e4b1851c3da2d279023c29eba66fb4d438c6e87e7ce5169ffb910e

SHA512
87b9060ca4942974bd8f95b8998df7b2702a3f4aba88c53b2e3423a532a75407070368f813a5bbc0251864b4eae47e015274a839999514386d23c8a526d05d85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
925fcaca1078d4a1a3ab790b3e101aa8

SHA1
b6729fd9698d13f6e33b7b6d69a1960826e53010

SHA256
86b90e3a2f2756a15f9ff7d0845414143606ac1905b3925343b46ad034c15823

SHA512
b1e5cb73f83f75e80367bdb528bf2b03a5a6a5973a7c4248e42df402c77b8895a6d2dbdeb1b92095bf42a1c39ae81bcbc184e1754969524ab0a5c85f8cb7d2fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
391B

MD5
5c859d9288a60d235b3cad2c36ab5670

SHA1
e51cad875defee4028accce6de5bde1b6ca94dc6

SHA256
3f28f1593628cfb46518b9252683e3a8b0bfb921021be4c6ae413f114ccbb517

SHA512
24c6cc4268ceff420cc3026217c35566680a05e584498278e7c479a03cf55f8461135c607a849600a117e1d59719e7eb6e289087575689556d90ca0a9671ea8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
30afcb8c66c57cab9de04b50da6524a6

SHA1
4c1228894dac7d90815e77beed251faaad2e57ee

SHA256
a84ceb2aa8bc8eb351740df9f86e3996c724e6200371f7b7dce54bd2fc3cb1a2

SHA512
8cf5ae7a2fb134abc12300e5c6b00236c602fb9b4d3ee89571f00f5b86d84155e698de0859b7244e8c759b58f0fdcff9ac6ade2d6cef66ad0172af273958a8fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ca482f6899e1bf40f866e425d073a950

SHA1
4dc0e90ba1377cec196218fb34506a5bb75ef61b

SHA256
30e9601752503e10090b1952ca8d59afd6f9f315cd1f6ba47fe93111c22431ed

SHA512
e53776f50e7372f73bad5f7ccfd1e7b119c146c184893ebf6a7d79dfb6c06e14c0d2364cb8828fb4535fafe06913365159a538b7879a2f9e4964f6f608c160be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
91713f6d5ae5b8daaccb144015589dcb

SHA1
234e74f2b9c32c7b7c52c7e66e742785238fb2d1

SHA256
ef55630fe4605fb269624c9414390e6e8d56cee798b3214d290468863d7387f3

SHA512
65240b33245daab1e14471f43f28b6b00b9f3db2d239fcc511117a4e5425bc7f3faf97992527c4d582f6bb14b4192bb1d1e258bf9b031984adfe2173a4aa3ce6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
16bf4e65d0d4af649af38bc3bd90025a

SHA1
5865cd25ed4f69a11f4c19a9eafbbadf9ae1208f

SHA256
b629e2db15099b3b445242f4d90225ca8bd7e63358dfde33c2bfdbce769ffb67

SHA512
bd2f331a490c984657154a4bb87c766c7a77ddb83a8f4f2e66aeb2c0874783dd998f98dd8a3f5d9320449ffbc72466a687821e0972c832e0bc274bd7d7526ccc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
89e874270b9cfbf2fe7e946bc5500a28

SHA1
4f14cfe642b9117c99f676a99151b95c3b310650

SHA256
8f7faa0f70f13d62601de971c5fb01f5d1da3a64fc3718cd4fccb2d35acdc8c2

SHA512
cc89173ef15c182187b93eb02aad8763edb3123a95bcce0a05905ec331ad77bf917b4eea2d78a6b2cd3be58d59911ecf2ac62bd28a11f51e90710b9cfcc6f170

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
ce9c1a6b37767e02ca1f594eb970e1c0

SHA1
79fc180e95151af7e01c47a6efb2228469bd8fbf

SHA256
29f39d08f7e9ad54be79ee48318fe9ffeba4a389f6b1acc2d56683dc5c6c5614

SHA512
88f0d951653f9f1c61cf8d2aeda45b9bf475735806c8a6aeb93d1aee267fb12e13bc3e395158bb2f6282b56b65751231147bd2aa10bc23713dcdebae932a3d0b

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 815230.crdownload

Filesize
203KB

MD5
b8fb078ab0ff9ca107d79112a1a56255

SHA1
cebcb36d55bb63688bd9ffbf7d372ba41b0e959e

SHA256
2d73aa44284a435c2cc78b6a80a4326f42a28dfa598e5dfd20ba3f612afdcd37

SHA512
1a817eb1043122eb183821558cd9541f4a34f76551f52040f8c2e3caf8dd082a88d80799be868bbb84fdf339cb462a63bb14bceae869345485b565a19d01f1f9

Download Submit
C:\Users\Admin\Downloads\XtasyExecutorV1.0.exe:Zone.Identifier

Filesize
164B

MD5
47156a9afc16ccda14dc240d70f281f0

SHA1
454e52cc45d9e1ee1e85378d9ef357ec2692ec02

SHA256
9cd7919c8db4ac3f6d7df6af05627289698b3c2364e1ae0d012eee9ba8800128

SHA512
ec34543c71df6de31f9b5f2380612476e77bafc2c0f6f8e77b3cf0ef9919dfc3942fa90f16ce7ca059eba3e31e21207f65de465ac11f2a633d3b7deca059cddc

Download Submit
memory/1832-280-0x00000267D8ED0000-0x00000267D8ED1000-memory.dmp

Filesize
4KB

Download
memory/1832-278-0x00000267D8ED0000-0x00000267D8ED1000-memory.dmp

Filesize
4KB

Download
memory/1832-279-0x00000267D8ED0000-0x00000267D8ED1000-memory.dmp

Filesize
4KB

Download
memory/1832-290-0x00000267D8ED0000-0x00000267D8ED1000-memory.dmp

Filesize
4KB

Download
memory/1832-289-0x00000267D8ED0000-0x00000267D8ED1000-memory.dmp

Filesize
4KB

Download
memory/1832-288-0x00000267D8ED0000-0x00000267D8ED1000-memory.dmp

Filesize
4KB

Download
memory/1832-287-0x00000267D8ED0000-0x00000267D8ED1000-memory.dmp

Filesize
4KB

Download
memory/1832-286-0x00000267D8ED0000-0x00000267D8ED1000-memory.dmp

Filesize
4KB

Download
memory/1832-285-0x00000267D8ED0000-0x00000267D8ED1000-memory.dmp

Filesize
4KB

Download
memory/1832-284-0x00000267D8ED0000-0x00000267D8ED1000-memory.dmp

Filesize
4KB

Download