nanocore | hxxps://ufile[.]io/h43d2m4a

Analysis

max time kernel
1796s
max time network
1789s
platform
windows10-2004_x64
resource
win10v2004-20230221-es
resource tags

arch:x64arch:x86image:win10v2004-20230221-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
22-03-2023 04:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://ufile.io/h43d2m4a

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

gato113377.sytes.net:54984

127.0.0.1:54984

Mutex

28bdc928-20fe-4c81-968e-8e815b5adcd0

Attributes

activate_away_mode
true
backup_connection_host
127.0.0.1
backup_dns_server
buffer_size
65535
build_time
2023-01-01T06:09:20.983553936Z
bypass_user_account_control
true
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
false
clear_zone_identifier
false
connect_delay
4000
connection_port
54984
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
28bdc928-20fe-4c81-968e-8e815b5adcd0
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
gato113377.sytes.net
primary_dns_server
request_elevation
false
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

auth-nuevo.exe

pid process

324 auth-nuevo.exe

pid	process
324	auth-nuevo.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

auth-nuevo.exechrome.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NAT Service = "C:\\Program Files\\NAT Service\\natsvc.exe"	auth-nuevo.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Windows\CurrentVersion\Run	chrome.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

auth-nuevo.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA auth-nuevo.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	auth-nuevo.exe

Drops file in Program Files directory 2 IoCs

Processes:

auth-nuevo.exe

description	ioc	process
File opened for modification	C:\Program Files\NAT Service\natsvc.exe	auth-nuevo.exe
File created	C:\Program Files\NAT Service\natsvc.exe	auth-nuevo.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133239365624250387"	chrome.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

Processes:

chrome.exeauth-nuevo.exe

pid	process
3584	chrome.exe
3584	chrome.exe
324	auth-nuevo.exe
324	auth-nuevo.exe
324	auth-nuevo.exe
324	auth-nuevo.exe
324	auth-nuevo.exe
324	auth-nuevo.exe
324	auth-nuevo.exe
324	auth-nuevo.exe
324	auth-nuevo.exe
324	auth-nuevo.exe
324	auth-nuevo.exe
324	auth-nuevo.exe
324	auth-nuevo.exe
324	auth-nuevo.exe
324	auth-nuevo.exe
324	auth-nuevo.exe
324	auth-nuevo.exe
324	auth-nuevo.exe
324	auth-nuevo.exe
324	auth-nuevo.exe
324	auth-nuevo.exe
324	auth-nuevo.exe
324	auth-nuevo.exe
324	auth-nuevo.exe
324	auth-nuevo.exe
324	auth-nuevo.exe
324	auth-nuevo.exe
324	auth-nuevo.exe
324	auth-nuevo.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

auth-nuevo.exe

pid process

324 auth-nuevo.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

Processes:

chrome.exe

pid process

3584 chrome.exe
3584 chrome.exe
3584 chrome.exe
3584 chrome.exe
3584 chrome.exe
3584 chrome.exe
3584 chrome.exe
3584 chrome.exe

pid	process
324	auth-nuevo.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	3584	chrome.exe
Token: SeCreatePagefilePrivilege	3584	chrome.exe
Token: SeShutdownPrivilege	3584	chrome.exe
Token: SeCreatePagefilePrivilege	3584	chrome.exe
Token: SeShutdownPrivilege	3584	chrome.exe
Token: SeCreatePagefilePrivilege	3584	chrome.exe
Token: SeShutdownPrivilege	3584	chrome.exe
Token: SeCreatePagefilePrivilege	3584	chrome.exe
Token: SeShutdownPrivilege	3584	chrome.exe
Token: SeCreatePagefilePrivilege	3584	chrome.exe
Token: SeShutdownPrivilege	3584	chrome.exe
Token: SeCreatePagefilePrivilege	3584	chrome.exe
Token: SeShutdownPrivilege	3584	chrome.exe
Token: SeCreatePagefilePrivilege	3584	chrome.exe
Token: SeShutdownPrivilege	3584	chrome.exe
Token: SeCreatePagefilePrivilege	3584	chrome.exe
Token: SeShutdownPrivilege	3584	chrome.exe
Token: SeCreatePagefilePrivilege	3584	chrome.exe
Token: SeShutdownPrivilege	3584	chrome.exe
Token: SeCreatePagefilePrivilege	3584	chrome.exe
Token: SeShutdownPrivilege	3584	chrome.exe
Token: SeCreatePagefilePrivilege	3584	chrome.exe
Token: SeShutdownPrivilege	3584	chrome.exe
Token: SeCreatePagefilePrivilege	3584	chrome.exe
Token: SeShutdownPrivilege	3584	chrome.exe
Token: SeCreatePagefilePrivilege	3584	chrome.exe
Token: SeShutdownPrivilege	3584	chrome.exe
Token: SeCreatePagefilePrivilege	3584	chrome.exe
Token: SeShutdownPrivilege	3584	chrome.exe
Token: SeCreatePagefilePrivilege	3584	chrome.exe
Token: SeShutdownPrivilege	3584	chrome.exe
Token: SeCreatePagefilePrivilege	3584	chrome.exe
Token: SeShutdownPrivilege	3584	chrome.exe
Token: SeCreatePagefilePrivilege	3584	chrome.exe
Token: SeShutdownPrivilege	3584	chrome.exe
Token: SeCreatePagefilePrivilege	3584	chrome.exe
Token: SeShutdownPrivilege	3584	chrome.exe
Token: SeCreatePagefilePrivilege	3584	chrome.exe
Token: SeShutdownPrivilege	3584	chrome.exe
Token: SeCreatePagefilePrivilege	3584	chrome.exe
Token: SeShutdownPrivilege	3584	chrome.exe
Token: SeCreatePagefilePrivilege	3584	chrome.exe
Token: SeShutdownPrivilege	3584	chrome.exe
Token: SeCreatePagefilePrivilege	3584	chrome.exe
Token: SeShutdownPrivilege	3584	chrome.exe
Token: SeCreatePagefilePrivilege	3584	chrome.exe
Token: SeShutdownPrivilege	3584	chrome.exe
Token: SeCreatePagefilePrivilege	3584	chrome.exe
Token: SeShutdownPrivilege	3584	chrome.exe
Token: SeCreatePagefilePrivilege	3584	chrome.exe
Token: SeShutdownPrivilege	3584	chrome.exe
Token: SeCreatePagefilePrivilege	3584	chrome.exe
Token: SeShutdownPrivilege	3584	chrome.exe
Token: SeCreatePagefilePrivilege	3584	chrome.exe
Token: SeShutdownPrivilege	3584	chrome.exe
Token: SeCreatePagefilePrivilege	3584	chrome.exe
Token: SeShutdownPrivilege	3584	chrome.exe
Token: SeCreatePagefilePrivilege	3584	chrome.exe
Token: SeShutdownPrivilege	3584	chrome.exe
Token: SeCreatePagefilePrivilege	3584	chrome.exe
Token: SeShutdownPrivilege	3584	chrome.exe
Token: SeCreatePagefilePrivilege	3584	chrome.exe
Token: SeShutdownPrivilege	3584	chrome.exe
Token: SeCreatePagefilePrivilege	3584	chrome.exe

Suspicious use of FindShellTrayWindow 36 IoCs

Processes:

chrome.exe

pid	process
3584	chrome.exe
3584	chrome.exe
3584	chrome.exe
3584	chrome.exe
3584	chrome.exe
3584	chrome.exe
3584	chrome.exe
3584	chrome.exe
3584	chrome.exe
3584	chrome.exe
3584	chrome.exe
3584	chrome.exe
3584	chrome.exe
3584	chrome.exe
3584	chrome.exe
3584	chrome.exe
3584	chrome.exe
3584	chrome.exe
3584	chrome.exe
3584	chrome.exe
3584	chrome.exe
3584	chrome.exe
3584	chrome.exe
3584	chrome.exe
3584	chrome.exe
3584	chrome.exe
3584	chrome.exe
3584	chrome.exe
3584	chrome.exe
3584	chrome.exe
3584	chrome.exe
3584	chrome.exe
3584	chrome.exe
3584	chrome.exe
3584	chrome.exe
3584	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
3584	chrome.exe
3584	chrome.exe
3584	chrome.exe
3584	chrome.exe
3584	chrome.exe
3584	chrome.exe
3584	chrome.exe
3584	chrome.exe
3584	chrome.exe
3584	chrome.exe
3584	chrome.exe
3584	chrome.exe
3584	chrome.exe
3584	chrome.exe
3584	chrome.exe
3584	chrome.exe
3584	chrome.exe
3584	chrome.exe
3584	chrome.exe
3584	chrome.exe
3584	chrome.exe
3584	chrome.exe
3584	chrome.exe
3584	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 3584 wrote to memory of 220	3584	chrome.exe	chrome.exe
PID 3584 wrote to memory of 220	3584	chrome.exe	chrome.exe
PID 3584 wrote to memory of 2624	3584	chrome.exe	chrome.exe
PID 3584 wrote to memory of 2624	3584	chrome.exe	chrome.exe
PID 3584 wrote to memory of 2624	3584	chrome.exe	chrome.exe
PID 3584 wrote to memory of 2624	3584	chrome.exe	chrome.exe
PID 3584 wrote to memory of 2624	3584	chrome.exe	chrome.exe
PID 3584 wrote to memory of 2624	3584	chrome.exe	chrome.exe
PID 3584 wrote to memory of 2624	3584	chrome.exe	chrome.exe
PID 3584 wrote to memory of 2624	3584	chrome.exe	chrome.exe
PID 3584 wrote to memory of 2624	3584	chrome.exe	chrome.exe
PID 3584 wrote to memory of 2624	3584	chrome.exe	chrome.exe
PID 3584 wrote to memory of 2624	3584	chrome.exe	chrome.exe
PID 3584 wrote to memory of 2624	3584	chrome.exe	chrome.exe
PID 3584 wrote to memory of 2624	3584	chrome.exe	chrome.exe
PID 3584 wrote to memory of 2624	3584	chrome.exe	chrome.exe
PID 3584 wrote to memory of 2624	3584	chrome.exe	chrome.exe
PID 3584 wrote to memory of 2624	3584	chrome.exe	chrome.exe
PID 3584 wrote to memory of 2624	3584	chrome.exe	chrome.exe
PID 3584 wrote to memory of 2624	3584	chrome.exe	chrome.exe
PID 3584 wrote to memory of 2624	3584	chrome.exe	chrome.exe
PID 3584 wrote to memory of 2624	3584	chrome.exe	chrome.exe
PID 3584 wrote to memory of 2624	3584	chrome.exe	chrome.exe
PID 3584 wrote to memory of 2624	3584	chrome.exe	chrome.exe
PID 3584 wrote to memory of 2624	3584	chrome.exe	chrome.exe
PID 3584 wrote to memory of 2624	3584	chrome.exe	chrome.exe
PID 3584 wrote to memory of 2624	3584	chrome.exe	chrome.exe
PID 3584 wrote to memory of 2624	3584	chrome.exe	chrome.exe
PID 3584 wrote to memory of 2624	3584	chrome.exe	chrome.exe
PID 3584 wrote to memory of 2624	3584	chrome.exe	chrome.exe
PID 3584 wrote to memory of 2624	3584	chrome.exe	chrome.exe
PID 3584 wrote to memory of 2624	3584	chrome.exe	chrome.exe
PID 3584 wrote to memory of 2624	3584	chrome.exe	chrome.exe
PID 3584 wrote to memory of 2624	3584	chrome.exe	chrome.exe
PID 3584 wrote to memory of 2624	3584	chrome.exe	chrome.exe
PID 3584 wrote to memory of 2624	3584	chrome.exe	chrome.exe
PID 3584 wrote to memory of 2624	3584	chrome.exe	chrome.exe
PID 3584 wrote to memory of 2624	3584	chrome.exe	chrome.exe
PID 3584 wrote to memory of 2624	3584	chrome.exe	chrome.exe
PID 3584 wrote to memory of 2624	3584	chrome.exe	chrome.exe
PID 3584 wrote to memory of 384	3584	chrome.exe	chrome.exe
PID 3584 wrote to memory of 384	3584	chrome.exe	chrome.exe
PID 3584 wrote to memory of 1840	3584	chrome.exe	chrome.exe
PID 3584 wrote to memory of 1840	3584	chrome.exe	chrome.exe
PID 3584 wrote to memory of 1840	3584	chrome.exe	chrome.exe
PID 3584 wrote to memory of 1840	3584	chrome.exe	chrome.exe
PID 3584 wrote to memory of 1840	3584	chrome.exe	chrome.exe
PID 3584 wrote to memory of 1840	3584	chrome.exe	chrome.exe
PID 3584 wrote to memory of 1840	3584	chrome.exe	chrome.exe
PID 3584 wrote to memory of 1840	3584	chrome.exe	chrome.exe
PID 3584 wrote to memory of 1840	3584	chrome.exe	chrome.exe
PID 3584 wrote to memory of 1840	3584	chrome.exe	chrome.exe
PID 3584 wrote to memory of 1840	3584	chrome.exe	chrome.exe
PID 3584 wrote to memory of 1840	3584	chrome.exe	chrome.exe
PID 3584 wrote to memory of 1840	3584	chrome.exe	chrome.exe
PID 3584 wrote to memory of 1840	3584	chrome.exe	chrome.exe
PID 3584 wrote to memory of 1840	3584	chrome.exe	chrome.exe
PID 3584 wrote to memory of 1840	3584	chrome.exe	chrome.exe
PID 3584 wrote to memory of 1840	3584	chrome.exe	chrome.exe
PID 3584 wrote to memory of 1840	3584	chrome.exe	chrome.exe
PID 3584 wrote to memory of 1840	3584	chrome.exe	chrome.exe
PID 3584 wrote to memory of 1840	3584	chrome.exe	chrome.exe
PID 3584 wrote to memory of 1840	3584	chrome.exe	chrome.exe
PID 3584 wrote to memory of 1840	3584	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://ufile.io/h43d2m4a
1⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3584

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xb4,0x108,0x7ff9855f9758,0x7ff9855f9768,0x7ff9855f9778
2⤵
PID:220

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1776 --field-trial-handle=1816,i,163113395022136959,8796143357357419446,131072 /prefetch:2
2⤵
PID:2624

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 --field-trial-handle=1816,i,163113395022136959,8796143357357419446,131072 /prefetch:8
2⤵
PID:384

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2208 --field-trial-handle=1816,i,163113395022136959,8796143357357419446,131072 /prefetch:8
2⤵
PID:1840

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3216 --field-trial-handle=1816,i,163113395022136959,8796143357357419446,131072 /prefetch:1
2⤵
PID:3344

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3204 --field-trial-handle=1816,i,163113395022136959,8796143357357419446,131072 /prefetch:1
2⤵
PID:4080

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4568 --field-trial-handle=1816,i,163113395022136959,8796143357357419446,131072 /prefetch:1
2⤵
PID:5024

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3516 --field-trial-handle=1816,i,163113395022136959,8796143357357419446,131072 /prefetch:1
2⤵
PID:4304

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=5104 --field-trial-handle=1816,i,163113395022136959,8796143357357419446,131072 /prefetch:1
2⤵
PID:1708

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=5252 --field-trial-handle=1816,i,163113395022136959,8796143357357419446,131072 /prefetch:1
2⤵
PID:4636

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4580 --field-trial-handle=1816,i,163113395022136959,8796143357357419446,131072 /prefetch:1
2⤵
PID:2636

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5200 --field-trial-handle=1816,i,163113395022136959,8796143357357419446,131072 /prefetch:8
2⤵
PID:1252

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5964 --field-trial-handle=1816,i,163113395022136959,8796143357357419446,131072 /prefetch:8
2⤵
PID:1256

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6232 --field-trial-handle=1816,i,163113395022136959,8796143357357419446,131072 /prefetch:8
2⤵
PID:1928

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6216 --field-trial-handle=1816,i,163113395022136959,8796143357357419446,131072 /prefetch:8
2⤵
PID:1472

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5416 --field-trial-handle=1816,i,163113395022136959,8796143357357419446,131072 /prefetch:8
2⤵
PID:3900

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6448 --field-trial-handle=1816,i,163113395022136959,8796143357357419446,131072 /prefetch:8
2⤵
PID:2208

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6260 --field-trial-handle=1816,i,163113395022136959,8796143357357419446,131072 /prefetch:8
2⤵
PID:3012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5356 --field-trial-handle=1816,i,163113395022136959,8796143357357419446,131072 /prefetch:8
2⤵
PID:2768

C:\Users\Admin\Downloads\auth-nuevo.exe
"C:\Users\Admin\Downloads\auth-nuevo.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
PID:324

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=5084 --field-trial-handle=1816,i,163113395022136959,8796143357357419446,131072 /prefetch:1
2⤵
PID:4436

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:5020

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000e
Filesize
160KB

MD5
f22f07ee02fbeed3958345c90b52b818

SHA1
2aa44ea19d580589c06c2170103b4d0505e18cdb

SHA256
dc1eadf37f70bef92766d0c316d1da7af283b84e5c309a4732d8ed35d7bbfb84

SHA512
8473f7cef3e9289f355047689f5a2b82aafc49501c65f118e5b0632a6a690e542eeae45644e77fa5b869df17b05ed138b4183cc93364935b1fa7d89e32fe5d5d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
504B

MD5
a718f66f0ab5a9bd96848a497d312574

SHA1
399c0dad463ee9de3fa037b015712b8c4bb7dfe4

SHA256
e67fec66d1472097c1baf61fc13eb35b5d11f3b961663d0d5c5d832999f9c000

SHA512
f769854aa0c98988cb17a61a8894f804506be0a566547bbd89b3f7319901fc7c283bd182e3dcde3fe57cafba8f96795e1e73767ecfdd4d23ede988850747a650

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
5KB

MD5
b59d529098920ed3ffce6fbcdb375c46

SHA1
5f2d63b4f929f3bc1dc359dfa0e06d7e90a866c6

SHA256
f366b72442f9127124a9a191046382431ba2efd77868374f16058fcd97187106

SHA512
aee305bce14ce3edf0de8e47b5f62551e2bdd8d9b568ba75c762f307063df0130de1e53cae48622d3f7062e5e046d2de27418f4ba53dcb1cca2d34cc610290c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
a9de9e47e6202a1412c98287595f85d3

SHA1
6652f9daf76f457e8399d606917a76fa114ba59a

SHA256
cdb317269fe69c320d27c94c6801ae60d91a524ec27368e6cf2edcbeb80b49d8

SHA512
7bf99e996bbbdbc8a3921a83c39e9d409b73ee3d674735081fcafcb41f02600b3254229b6dd177cd2da59b1b57173324072a3bb51d50ba64725c1d5e08ffb032

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
4666da3f3c10c6cdc72ccfce0ac49397

SHA1
f886574e53f57556c179b2caf4e9738b8ab738da

SHA256
826a9e0d389e0b010522b7b1863f3639a8965dc04c9c1f912c0c4f00270c3242

SHA512
a080bad31d6f8721c626acf0c8c38682e409257e8ebd7023d573e483de788c5c96155249e17f4a52d2e1eb55e0f1176053bb43a14a4cad5ba4c7f906af6ed712

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
81a03bcab354cb03f3ed3a12ce7a808f

SHA1
6a85d0200900771be2995b78193e2069f5cb830a

SHA256
1d8d0160cdb18559c97e168c9995534bc8b2da6074f2cc9ad27efc28c355dcee

SHA512
7bc733e88378a86ce43180a93528768a17370e105a6fc46cf596198871ea62fed6fc83d39399c62c4138215b5eed35b0857cb3720dd75885abbeb03df045bcc4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
95859f9f9feb74d505aef1c300a63901

SHA1
59cb57a361bf45ec15b4415c0c31f03c0bddbe9d

SHA256
ffb5c768548971b95692975cb780789131b108f31fd83594a12db5a53c201b7d

SHA512
bb020ef954b9d6de7456eb36299e3f7e91905dcc4de25ed374bef151799377ea7d45b62771fb1d687ad942d1f1c733e6c9658480fa925c2d84b9c48418f7cce7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
3db6b1a237c9ecf669f233e142f60b41

SHA1
1cb5567ae9b1e746bfea6ae39962110262b0d5f9

SHA256
544434068564fc66f79fdea074a103b947301368d7ec94766120459a073fdcbf

SHA512
bf23e0a90e4e37a984813b0261d77abf202e46c89f478475476443b17d3447fca853bab61d81ff789e6b796f49918eff75716bbe0f5d0f2dc763594d71fc04f0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
15KB

MD5
b14a12a015c8f36f5f192c129636136d

SHA1
2bde3886daed5b6912250ee1c1dcac3de793c43b

SHA256
ab7f55a6e55318a3e9dce045a73d51fe67009fbec40396665660c46cba7a49a8

SHA512
04af9d59fe4affde5837720eddc56eed8fd70f64c3e148961be9a2f498739f5f256769b6c51e6a8f3761d09411584c5101f14fae05d2015a332e0f7a585bcac4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
15KB

MD5
9b343a2e6d8f322c62b1e54541af43d2

SHA1
630f0792812da824d123effeb25eb7b09c2d9243

SHA256
fa6737e89f254b362b2788b64dadb74337619cdf9b8e43af6257662d0e36f168

SHA512
221921fdfdaf54dd59279cd95f29e9a68a61673ae874b6a0f5524022f43e9b34d01c96488031dc291b6d12454db1b3066ee8199b5f3dac6d7ae28d422632add1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_1
Filesize
264KB

MD5
34ba474ffcc6b5543433e05d78905a9f

SHA1
4788dcf124d3a849058083c6e59cad6fcef9561b

SHA256
505cdd993571013b158b2017c144ae1c2effcfe959123a74d513e8c191e23da3

SHA512
99260c8af6d80fa13108889fd1130aa001bbddd1464f5603028f06dfe0f5f9baebaec5840dff2d2aeef4580180f35e9f60ee5019f310a262f11203de5bfa4b9f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
144KB

MD5
b4d3960607b337d2d2a194eb45fabf0c

SHA1
1454080bf2e8df88d018bc3712116ca77423c256

SHA256
86d0397c026e83aab83aee09b89f3fdcdf921caf232475cba09dae11b41c1ac0

SHA512
793daf6c024421fe49ba7d7fd4ecc5cf231616e0f8ae769f8fd2897604f829cfc48c22a8976102e66a8c57d73746c033b7f2c636485cb850be2b58f992d7acee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
144KB

MD5
5d5fc1c07c95ef12e9c8adfdd7252617

SHA1
a149d4d320cced36ca720dfb925fce54ccc349ed

SHA256
09908356742fbe35d5c134aa72c17c2554b693f828cbaba117ec527a4fa18527

SHA512
6cb1fea87bbbc5ee42e136b7969cf5008088eef2c3c8ef1f4ae03e78c3fc7976f76cca5ad2f2e5fe98214d4c33c80ad848c47cc472861f3fff47075e5f82997b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
144KB

MD5
0bd124a56c811553805d299ccda67346

SHA1
af685b11641a778e36e808c4e619f2b1f87129a5

SHA256
c26b607f1e3be13d26bd03c32573c0d671b8d7a07e34f0365e889d61f7c70dda

SHA512
847036b84206a27cd48216077d59690569a55de691e73a16e1437e098f6a3aa69cdee9b17eb2174b2501521594af6c5ce06b27e3b64f3fedf5f84e1c6719e9a6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 408217.crdownload
Filesize
553KB

MD5
1984142b49c99c4cd6a10431f9e13b3b

SHA1
9f1706802416b82301a4e048d6417ece8dfe772d

SHA256
843ee7618229c3c3bb78892c6e963cb9aa546b1e972cbba002ce4f50c16e1b1a

SHA512
bc21088cc5abfbceb2d3302febed93ff6928673d11e3dd24a2e30af9f867ec4c27b6000ca3dfca8803d0f0a3eedb6ea798cae664ab73adc07b41df181453007b

Download Submit
C:\Users\Admin\Downloads\auth-nuevo.exe
Filesize
553KB

MD5
1984142b49c99c4cd6a10431f9e13b3b

SHA1
9f1706802416b82301a4e048d6417ece8dfe772d

SHA256
843ee7618229c3c3bb78892c6e963cb9aa546b1e972cbba002ce4f50c16e1b1a

SHA512
bc21088cc5abfbceb2d3302febed93ff6928673d11e3dd24a2e30af9f867ec4c27b6000ca3dfca8803d0f0a3eedb6ea798cae664ab73adc07b41df181453007b

Download Submit
C:\Users\Admin\Downloads\auth-nuevo.exe
Filesize
553KB

MD5
1984142b49c99c4cd6a10431f9e13b3b

SHA1
9f1706802416b82301a4e048d6417ece8dfe772d

SHA256
843ee7618229c3c3bb78892c6e963cb9aa546b1e972cbba002ce4f50c16e1b1a

SHA512
bc21088cc5abfbceb2d3302febed93ff6928673d11e3dd24a2e30af9f867ec4c27b6000ca3dfca8803d0f0a3eedb6ea798cae664ab73adc07b41df181453007b

Download Submit
\??\pipe\crashpad_3584_DXMQORKJQIPZLEOS
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/324-288-0x000000001D030000-0x000000001D03C000-memory.dmp

Filesize
48KB

Download
memory/324-282-0x000000001C8D0000-0x000000001C8E2000-memory.dmp

Filesize
72KB

Download
memory/324-285-0x000000001C860000-0x000000001C86E000-memory.dmp

Filesize
56KB

Download
memory/324-286-0x000000001CB40000-0x000000001CC40000-memory.dmp

Filesize
1024KB

Download
memory/324-287-0x000000001D020000-0x000000001D032000-memory.dmp

Filesize
72KB

Download
memory/324-283-0x000000001CFF0000-0x000000001D00A000-memory.dmp

Filesize
104KB

Download
memory/324-290-0x000000001D250000-0x000000001D264000-memory.dmp

Filesize
80KB

Download
memory/324-289-0x000000001D040000-0x000000001D04E000-memory.dmp

Filesize
56KB

Download
memory/324-291-0x000000001C740000-0x000000001C750000-memory.dmp

Filesize
64KB

Download
memory/324-292-0x000000001C850000-0x000000001C864000-memory.dmp

Filesize
80KB

Download
memory/324-293-0x000000001C8C0000-0x000000001C8CE000-memory.dmp

Filesize
56KB

Download
memory/324-294-0x000000001D260000-0x000000001D27E000-memory.dmp

Filesize
120KB

Download
memory/324-295-0x000000001D2A0000-0x000000001D2AA000-memory.dmp

Filesize
40KB

Download
memory/324-296-0x000000001D2D0000-0x000000001D2FE000-memory.dmp

Filesize
184KB

Download
memory/324-297-0x000000001C930000-0x000000001C944000-memory.dmp

Filesize
80KB

Download
memory/324-284-0x0000000001530000-0x0000000001540000-memory.dmp

Filesize
64KB

Download
memory/324-307-0x000000001CB40000-0x000000001CC40000-memory.dmp

Filesize
1024KB

Download
memory/324-308-0x000000001CB40000-0x000000001CC40000-memory.dmp

Filesize
1024KB

Download
memory/324-281-0x000000001C720000-0x000000001C72A000-memory.dmp

Filesize
40KB

Download
memory/324-280-0x000000001CDA0000-0x000000001CDEE000-memory.dmp

Filesize
312KB

Download
memory/324-329-0x0000000001530000-0x0000000001540000-memory.dmp

Filesize
64KB

Download
memory/324-277-0x0000000001520000-0x0000000001528000-memory.dmp

Filesize
32KB

Download
memory/324-339-0x0000000001530000-0x0000000001540000-memory.dmp

Filesize
64KB

Download
memory/324-340-0x000000001CB40000-0x000000001CC40000-memory.dmp

Filesize
1024KB

Download
memory/324-276-0x000000001C670000-0x000000001C716000-memory.dmp

Filesize
664KB

Download
memory/324-348-0x000000001CB40000-0x000000001CC40000-memory.dmp

Filesize
1024KB

Download
memory/324-349-0x000000001CB40000-0x000000001CC40000-memory.dmp

Filesize
1024KB

Download
memory/324-275-0x000000001C420000-0x000000001C4BC000-memory.dmp

Filesize
624KB

Download
memory/324-274-0x000000001BF50000-0x000000001C41E000-memory.dmp

Filesize
4.8MB

Download
memory/324-272-0x0000000001530000-0x0000000001540000-memory.dmp

Filesize
64KB

Download
memory/324-273-0x0000000000B50000-0x0000000000BE0000-memory.dmp

Filesize
576KB

Download