Malware Analysis Report

2024-10-19 07:05

Sample ID 240805-d1l9bazbrd
Target NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222.zip
SHA256 517f321c489f68449571c735e9c1cbae5d3241a6872972b687be97d2b5d04903
Tags
discovery nanocore xmrig defense_evasion evasion miner persistence privilege_escalation
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1 (Detonation Overview, Signatures)

Behavioral analyses, each with Detonation Overview, Command Line, Signatures, Processes, Network and Files: behavioral1, behavioral5, behavioral9, behavioral15, behavioral22, behavioral24, behavioral7, behavioral26, behavioral6, behavioral32, behavioral14, behavioral19, behavioral21, behavioral28, behavioral13, behavioral25, behavioral27, behavioral10, behavioral16, behavioral30, behavioral29, behavioral3, behavioral4, behavioral12, behavioral18, behavioral20, behavioral23, behavioral2, behavioral8, behavioral11, behavioral17, behavioral31

Analysis Overview

score
10/10

SHA256

517f321c489f68449571c735e9c1cbae5d3241a6872972b687be97d2b5d04903

Threat Level: Known bad

The file NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222.zip was found to be: Known bad.

Malicious Activity Summary

discovery nanocore xmrig defense_evasion evasion miner persistence privilege_escalation

Nanocore family

xmrig

XMRig Miner payload

Modifies Windows Firewall

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Enumerates connected drives

Drops desktop.ini file(s)

Indicator Removal: Clear Persistence

AutoIT Executable

Drops file in System32 directory

Drops file in Windows directory

Event Triggered Execution: Netsh Helper DLL

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

Modifies registry class

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Scheduled Task/Job: Scheduled Task

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-05 03:28

Signatures

Nanocore family

nanocore

AutoIT Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-05 03:28

Reported

2024-08-05 03:32

Platform

win7-20240729-en

Max time kernel

117s

Max time network

121s

Command Line

C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222.zip"

Signatures

N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222.zip"

Network

N/A

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-08-05 03:28

Reported

2024-08-05 03:32

Platform

win7-20240705-en

Max time kernel

122s

Max time network

128s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\Databases\core.sqlite"

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\sqlite_auto_file | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\sqlite_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\sqlite_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\sqlite_auto_file\ | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\.sqlite | C:\Windows\system32\rundll32.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\.sqlite\ = "sqlite_auto_file" | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\sqlite_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\sqlite_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A
N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\Databases\core.sqlite"

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\Databases\core.sqlite

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\Databases\core.sqlite"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 61f4c9429a96a147c829ef85dc6878d8
SHA1 224d62adcc965b855b30d92150b67697834f43dd
SHA256 89f6565f6df86f806de8c67d00ac6ff809da19c7bc83e7bc33bc0211c91a7759
SHA512 f6b28c03840239eeb136b5f761b9f35f959eb42b79617a152ac487013bfcb903e7ce28dbab2f478da0fa69e4be6828783ff0e500811c4e4f4e4c3f96d7552f33

Analysis: behavioral9

Detonation Overview

Submitted

2024-08-05 03:28

Reported

2024-08-05 03:32

Platform

win7-20240729-en

Max time kernel

102s

Max time network

20s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\Databases\network.sqlite"

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\sqlite_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\sqlite_auto_file | C:\Windows\system32\rundll32.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\.sqlite\ = "sqlite_auto_file" | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\sqlite_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\sqlite_auto_file\ | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\.sqlite | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\sqlite_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\sqlite_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A
N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\Databases\network.sqlite"

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\Databases\network.sqlite

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\Databases\network.sqlite"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 138a5d6f12f5533d689325c3fbaed5e9
SHA1 0a58b22e8c7b9571ae0f977d25ae721229006d2d
SHA256 5319d1f2bb48cde5610a0122320e576a74eaea62e856257cef4285f819720a0f
SHA512 ebec34531f7b440a5c2d7401e98f4794947ed8d5106806676c8d0dbc2f9797b7c5401e6291bde5d3cf5bac7f6575db13cf009f48bf83cf65d7b440e0f34b735f

Analysis: behavioral15

Detonation Overview

Submitted

2024-08-05 03:28

Reported

2024-08-05 03:32

Platform

win7-20240704-en

Max time kernel

106s

Max time network

20s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\Plugins\ManagementPlugin.ncp"

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\.ncp\ = "ncp_auto_file" | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\ncp_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\ncp_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\ncp_auto_file | C:\Windows\system32\rundll32.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\ncp_auto_file\ | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\.ncp | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\ncp_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\ncp_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A
N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\Plugins\ManagementPlugin.ncp"

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\Plugins\ManagementPlugin.ncp

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\Plugins\ManagementPlugin.ncp"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 f6e9a15e083e6f328e7f5d8af3bc2450
SHA1 0ddaa84ab505529778db0699aa628b3ea8850c67
SHA256 46b6ecfe99aadad81932973da7937d2f0b8a4c1c1233b2fba3776529ef287d2f
SHA512 b1503487526a5e6d3c8b1cfd992d0822a6760119027f41216fab6b8b0863d351dcd04eadb29d2651b206e2fb8509dfc33548ba34c751f1468fa2df6ba4c0fbf5

Analysis: behavioral22

Detonation Overview

Submitted

2024-08-05 03:28

Reported

2024-08-05 03:32

Platform

win10v2004-20240802-en

Max time kernel

149s

Max time network

152s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\Plugins\NanoNana.ncp"

Signatures

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\Plugins\NanoNana.ncp"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp
N/A | 20.189.173.11:443 | | tcp

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-08-05 03:28

Reported

2024-08-05 03:32

Platform

win10v2004-20240802-en

Max time kernel

92s

Max time network

100s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\Plugins\NanoStress.ncp"

Signatures

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\Plugins\NanoStress.ncp"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 13.107.21.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-08-05 03:28

Reported

2024-08-05 03:32

Platform

win7-20240704-en

Max time kernel

120s

Max time network

122s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\Databases\geolocation.sqlite"

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\sqlite_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\sqlite_auto_file\ | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\.sqlite | C:\Windows\system32\rundll32.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\.sqlite\ = "sqlite_auto_file" | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\sqlite_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\sqlite_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\sqlite_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\sqlite_auto_file | C:\Windows\system32\rundll32.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A
N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\Databases\geolocation.sqlite"

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\Databases\geolocation.sqlite

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\Databases\geolocation.sqlite"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 07b519b5a6740233814864be53c5b731
SHA1 aec74dc003e708723e714438ba6c6a54e4c9df7f
SHA256 1ae1400841d9c14dd82db637a964c67a0c5d150054443e11dfa34ffa57c08e73
SHA512 660ac7fce88def9b184df71c324b59e9feb1b2cdb7e28efaf894553a1905130aefddeab7db397e18339e9993dce312c03a36b7d3fb0a605c366b1e8467982a66

Analysis: behavioral26

Detonation Overview

Submitted

2024-08-05 03:28

Reported

2024-08-05 03:32

Platform

win10v2004-20240802-en

Max time kernel

92s

Max time network

140s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\Plugins\SecurityPlugin.ncp"

Signatures

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\Plugins\SecurityPlugin.ncp"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-08-05 03:28

Reported

2024-08-05 03:32

Platform

win10v2004-20240802-en

Max time kernel

91s

Max time network

139s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\Databases\core.sqlite"

Signatures

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\Databases\core.sqlite"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp
US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2024-08-05 03:28

Reported

2024-08-05 03:32

Platform

win10v2004-20240802-en

Max time kernel

127s

Max time network

136s

Command Line

"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Open "C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\Resources\Audio\notify.wav"

Signatures

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\Videos\desktop.ini | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A
File opened for modification | C:\Users\Public\Videos\desktop.ini | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\desktop.ini | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A
File opened for modification | C:\Users\Public\Pictures\desktop.ini | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A
File opened for modification | C:\Users\Admin\Music\desktop.ini | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A
File opened for modification | C:\Users\Public\desktop.ini | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A
File opened for modification | C:\Users\Public\Music\desktop.ini | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\I: | C:\Windows\system32\unregmp2.exe | N/A
File opened (read-only) | \??\Q: | C:\Windows\system32\unregmp2.exe | N/A
File opened (read-only) | \??\R: | C:\Windows\system32\unregmp2.exe | N/A
File opened (read-only) | \??\S: | C:\Windows\system32\unregmp2.exe | N/A
File opened (read-only) | \??\V: | C:\Windows\system32\unregmp2.exe | N/A
File opened (read-only) | \??\B: | C:\Windows\system32\unregmp2.exe | N/A
File opened (read-only) | \??\G: | C:\Windows\system32\unregmp2.exe | N/A
File opened (read-only) | \??\K: | C:\Windows\system32\unregmp2.exe | N/A
File opened (read-only) | \??\T: | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A
File opened (read-only) | \??\U: | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A
File opened (read-only) | \??\H: | C:\Windows\system32\unregmp2.exe | N/A
File opened (read-only) | \??\M: | C:\Windows\system32\unregmp2.exe | N/A
File opened (read-only) | \??\U: | C:\Windows\system32\unregmp2.exe | N/A
File opened (read-only) | \??\Y: | C:\Windows\system32\unregmp2.exe | N/A
File opened (read-only) | \??\L: | C:\Windows\system32\unregmp2.exe | N/A
File opened (read-only) | \??\E: | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A
File opened (read-only) | \??\H: | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A
File opened (read-only) | \??\I: | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A
File opened (read-only) | \??\V: | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A
File opened (read-only) | \??\Y: | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A
File opened (read-only) | \??\P: | C:\Windows\system32\unregmp2.exe | N/A
File opened (read-only) | \??\X: | C:\Windows\system32\unregmp2.exe | N/A
File opened (read-only) | \??\K: | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A
File opened (read-only) | \??\O: | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A
File opened (read-only) | \??\R: | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A
File opened (read-only) | \??\W: | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A
File opened (read-only) | \??\O: | C:\Windows\system32\unregmp2.exe | N/A
File opened (read-only) | \??\Z: | C:\Windows\system32\unregmp2.exe | N/A
File opened (read-only) | \??\A: | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A
File opened (read-only) | \??\J: | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A
File opened (read-only) | \??\P: | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A
File opened (read-only) | \??\Q: | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A
File opened (read-only) | \??\Z: | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A
File opened (read-only) | \??\A: | C:\Windows\system32\unregmp2.exe | N/A
File opened (read-only) | \??\T: | C:\Windows\system32\unregmp2.exe | N/A
File opened (read-only) | \??\L: | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A
File opened (read-only) | \??\M: | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A
File opened (read-only) | \??\N: | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A
File opened (read-only) | \??\S: | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A
File opened (read-only) | \??\X: | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A
File opened (read-only) | \??\E: | C:\Windows\system32\unregmp2.exe | N/A
File opened (read-only) | \??\J: | C:\Windows\system32\unregmp2.exe | N/A
File opened (read-only) | \??\N: | C:\Windows\system32\unregmp2.exe | N/A
File opened (read-only) | \??\W: | C:\Windows\system32\unregmp2.exe | N/A
File opened (read-only) | \??\B: | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A
File opened (read-only) | \??\G: | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll | C:\Windows\system32\svchost.exe | N/A
File created | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll | C:\Windows\system32\svchost.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\unregmp2.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1302416131-1437503476-2806442725-1000\{9B271F10-45D0-4333-AADC-B6162437ADB1} | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-wmplayer | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-wmplayer\CLSID = "{cd3afa96-b84f-48f0-9393-7edc34128127}" | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\system32\unregmp2.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\unregmp2.exe | N/A
Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A

Processes

C:\Program Files (x86)\Windows Media Player\wmplayer.exe

"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Open "C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\Resources\Audio\notify.wav"

C:\Windows\SysWOW64\unregmp2.exe

"C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon

C:\Windows\system32\unregmp2.exe

"C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x4f8 0x4ec

Network

Country Destination Domain Proto
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 musicmatch-ssl.xboxlive.com udp
GB 95.100.244.7:443 musicmatch-ssl.xboxlive.com tcp
US 8.8.8.8:53 7.244.100.95.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

MD5 7050d5ae8acfbe560fa11073fef8185d
SHA1 5bc38e77ff06785fe0aec5a345c4ccd15752560e
SHA256 cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
SHA512 a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.DTD

MD5 90be2701c8112bebc6bd58a7de19846e
SHA1 a95be407036982392e2e684fb9ff6602ecad6f1e
SHA256 644fbcdc20086e16d57f31c5bad98be68d02b1c061938d2f5f91cbe88c871fbf
SHA512 d618b473b68b48d746c912ac5fc06c73b047bd35a44a6efc7a859fe1162d68015cf69da41a5db504dcbc4928e360c095b32a3b7792fcc6a38072e1ebd12e7cbe

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

MD5 563088ad0f20fabf9dd62c6ba8ae1636
SHA1 f9cd2fd153afa1a12ff990cf27c32b8c9c44e878
SHA256 eb897bf202d32f067728f1b666eb16e9926557efa8676b72db11411013030184
SHA512 8229dfb1d96b6a34b91b1e5c463833e7859331be880f585c48af1ba0ace0465ac755c7f22a9e6f30284266165f850e8f85af76157eea8136b2d6f79db02d3092

C:\Users\Admin\AppData\Local\Temp\wmsetup.log

MD5 b0aa5aa192286ee76418249b8983e75f
SHA1 5fc29dd8657df370ad5ec8ea9dd74c0523b878cc
SHA256 2ee8295dc53ea4872fa03848f16142ad8d47bd0e11281af86de853c3538a37bb
SHA512 6f4287e22b26157a57645cb5290436c9714627e7a197d0bdab80a469f53c1a2089c5977492a0dc17706cf120b98e3d4a46aa9a11eb1459fd2e2ea3133c2c6f62

memory/3672-32-0x00000000048F0000-0x0000000004900000-memory.dmp

memory/3672-33-0x00000000048F0000-0x0000000004900000-memory.dmp

memory/3672-31-0x00000000048F0000-0x0000000004900000-memory.dmp

memory/3672-34-0x00000000048F0000-0x0000000004900000-memory.dmp

memory/3672-36-0x00000000048F0000-0x0000000004900000-memory.dmp

memory/3672-35-0x00000000048F0000-0x0000000004900000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

MD5 452da9585faa947d46e0cd022a68ac87
SHA1 8c30b6b44f061a1cc8a062405fd66e52cdda2ad1
SHA256 6cc68f6012ab3831924947cc5642fff54291db3b14b2eaef8d5679d796cad30d
SHA512 bba223b0feaa83e7c9553d0d762a83ef77d51bf049b7ded7581a3b213f3ff807433c092f8c8167dc8a6f4a305dc2b0ef8274a2444f4ae03f47917ae4efe6552c

C:\Users\Admin\AppData\Local\Microsoft\Media Player\LocalMLS_3.wmdb

MD5 0167700793cbb26994eb7e5a8ae41720
SHA1 39f428405137788ea418c3ab92f6b04553ff22b6
SHA256 c62469be39c61101083cbb9f8015177bda6f1566842dd1cbb13b50c564679eeb
SHA512 49a4e0c7398c92e8d74e0ba6e8fb2d1eaf4a5e6209675c38c5124534de05ec2ad752e3f6cf03efa8d61d0b01e9159b564c10d7c55464ac5f1825bc444eac513a

memory/3672-51-0x0000000004EC0000-0x0000000004ED0000-memory.dmp

memory/3672-52-0x00000000074A0000-0x00000000074B0000-memory.dmp

memory/3672-53-0x00000000074A0000-0x00000000074B0000-memory.dmp

memory/3672-54-0x00000000074E0000-0x00000000074F0000-memory.dmp

memory/3672-55-0x00000000074E0000-0x00000000074F0000-memory.dmp

memory/3672-56-0x00000000074E0000-0x00000000074F0000-memory.dmp

memory/3672-57-0x00000000074E0000-0x00000000074F0000-memory.dmp

memory/3672-58-0x00000000074A0000-0x00000000074B0000-memory.dmp

memory/3672-59-0x00000000074E0000-0x00000000074F0000-memory.dmp

memory/3672-62-0x00000000074A0000-0x00000000074B0000-memory.dmp

memory/3672-61-0x00000000074A0000-0x00000000074B0000-memory.dmp

memory/3672-60-0x00000000074A0000-0x00000000074B0000-memory.dmp

memory/3672-63-0x00000000074A0000-0x00000000074B0000-memory.dmp

memory/3672-65-0x00000000074A0000-0x00000000074B0000-memory.dmp

memory/3672-64-0x00000000074A0000-0x00000000074B0000-memory.dmp

memory/3672-67-0x00000000074A0000-0x00000000074B0000-memory.dmp

memory/3672-68-0x00000000074A0000-0x00000000074B0000-memory.dmp

memory/3672-66-0x00000000074A0000-0x00000000074B0000-memory.dmp

memory/3672-69-0x00000000074A0000-0x00000000074B0000-memory.dmp

memory/3672-70-0x00000000074A0000-0x00000000074B0000-memory.dmp

memory/3672-71-0x00000000074E0000-0x00000000074F0000-memory.dmp

memory/3672-72-0x00000000074A0000-0x00000000074B0000-memory.dmp

memory/3672-73-0x00000000074A0000-0x00000000074B0000-memory.dmp

memory/3672-75-0x00000000074E0000-0x00000000074F0000-memory.dmp

memory/3672-74-0x00000000074E0000-0x00000000074F0000-memory.dmp

memory/3672-76-0x0000000004EC0000-0x0000000004ED0000-memory.dmp

memory/3672-77-0x00000000074A0000-0x00000000074B0000-memory.dmp

memory/3672-78-0x00000000074A0000-0x00000000074B0000-memory.dmp

memory/3672-79-0x00000000074E0000-0x00000000074F0000-memory.dmp

memory/3672-80-0x00000000074E0000-0x00000000074F0000-memory.dmp

memory/3672-81-0x00000000074E0000-0x00000000074F0000-memory.dmp

memory/3672-82-0x00000000074E0000-0x00000000074F0000-memory.dmp

memory/3672-84-0x00000000074E0000-0x00000000074F0000-memory.dmp

memory/3672-83-0x00000000074A0000-0x00000000074B0000-memory.dmp

memory/3672-87-0x00000000074A0000-0x00000000074B0000-memory.dmp

memory/3672-86-0x00000000074A0000-0x00000000074B0000-memory.dmp

memory/3672-85-0x00000000074A0000-0x00000000074B0000-memory.dmp

memory/3672-88-0x00000000074A0000-0x00000000074B0000-memory.dmp

memory/3672-90-0x00000000074A0000-0x00000000074B0000-memory.dmp

memory/3672-91-0x00000000074A0000-0x00000000074B0000-memory.dmp

memory/3672-92-0x00000000074A0000-0x00000000074B0000-memory.dmp

memory/3672-93-0x00000000074A0000-0x00000000074B0000-memory.dmp

memory/3672-89-0x00000000074A0000-0x00000000074B0000-memory.dmp

memory/3672-94-0x00000000074A0000-0x00000000074B0000-memory.dmp

memory/3672-95-0x00000000074A0000-0x00000000074B0000-memory.dmp

memory/3672-96-0x00000000074E0000-0x00000000074F0000-memory.dmp

memory/3672-97-0x00000000074A0000-0x00000000074B0000-memory.dmp

memory/3672-99-0x00000000074E0000-0x00000000074F0000-memory.dmp

memory/3672-100-0x00000000074E0000-0x00000000074F0000-memory.dmp

memory/3672-98-0x00000000074A0000-0x00000000074B0000-memory.dmp

memory/3672-101-0x0000000004EC0000-0x0000000004ED0000-memory.dmp

memory/3672-102-0x00000000074A0000-0x00000000074B0000-memory.dmp

memory/3672-103-0x00000000074A0000-0x00000000074B0000-memory.dmp

memory/3672-104-0x00000000074E0000-0x00000000074F0000-memory.dmp

memory/3672-105-0x00000000074E0000-0x00000000074F0000-memory.dmp

memory/3672-107-0x00000000074E0000-0x00000000074F0000-memory.dmp

memory/3672-106-0x00000000074E0000-0x00000000074F0000-memory.dmp

memory/3672-108-0x00000000074A0000-0x00000000074B0000-memory.dmp

Analysis: behavioral14

Detonation Overview

Submitted

2024-08-05 03:28

Reported

2024-08-05 03:32

Platform

win10v2004-20240802-en

Max time kernel

125s

Max time network

131s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\PluginCompiler.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\PluginCompiler.exe

"C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\PluginCompiler.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4216,i,15436195446242760253,4000484513008731869,262144 --variations-seed-version --mojo-platform-channel-handle=4248 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

memory/2412-0-0x00007FFBEEAF5000-0x00007FFBEEAF6000-memory.dmp

memory/2412-1-0x000000001B640000-0x000000001B6E6000-memory.dmp

memory/2412-2-0x00007FFBEE840000-0x00007FFBEF1E1000-memory.dmp

memory/2412-3-0x000000001BBC0000-0x000000001C08E000-memory.dmp

memory/2412-4-0x000000001C130000-0x000000001C1CC000-memory.dmp

memory/2412-5-0x00007FFBEE840000-0x00007FFBEF1E1000-memory.dmp

memory/2412-6-0x0000000000F60000-0x0000000000F68000-memory.dmp

memory/2412-7-0x000000001C340000-0x000000001C38C000-memory.dmp

memory/2412-8-0x00007FFBEE840000-0x00007FFBEF1E1000-memory.dmp

memory/2412-9-0x00007FFBEE840000-0x00007FFBEF1E1000-memory.dmp

memory/2412-10-0x00007FFBEE840000-0x00007FFBEF1E1000-memory.dmp

memory/2412-11-0x00007FFBEEAF5000-0x00007FFBEEAF6000-memory.dmp

Analysis: behavioral19

Detonation Overview

Submitted

2024-08-05 03:28

Reported

2024-08-05 03:32

Platform

win7-20240704-en

Max time kernel

118s

Max time network

124s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\Plugins\NanoBrowser.ncp"

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\ncp_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\ncp_auto_file C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\ncp_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\.ncp C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\.ncp\ = "ncp_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\ncp_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\ncp_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\ncp_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\Plugins\NanoBrowser.ncp"

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\Plugins\NanoBrowser.ncp

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\Plugins\NanoBrowser.ncp"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 9edc6c77fb97d0c6cc6c73669f7a0eb1
SHA1 4a234d24aa13bea56177e493c1e51f67b5accd7e
SHA256 406a0fc4889ba55d1dd3f4c0521d692d1148b87113c620b0e6914b2d5d6402ca
SHA512 ae34341337eb2ef08450265e08d72c19322e5ee732da8968fd8294ab1856085ae72eaceb9a7fd70da37b0953c97ad487133a8c240fd726f34218d75680307cc8

Analysis: behavioral21

Detonation Overview

Submitted

2024-08-05 03:28

Reported

2024-08-05 03:32

Platform

win7-20240708-en

Max time kernel

119s

Max time network

122s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\Plugins\NanoNana.ncp"

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\ncp_auto_file C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\ncp_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\.ncp C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\.ncp\ = "ncp_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\ncp_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\ncp_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\ncp_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\ncp_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\Plugins\NanoNana.ncp"

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\Plugins\NanoNana.ncp

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\Plugins\NanoNana.ncp"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 bd6cde7cca81d4f2dd9b480357f74ad5
SHA1 2dadefcb926e5e95334fdd813578b4eac753a86b
SHA256 8cfbd9b35907c36256751f95ff48d4183df20a8a810404acdfdffafd748d5d6c
SHA512 4dc8f96726cd4c75b78277807835215a2d68fc27240c6945bf225aa1cf0d98396e07d2ffa1a11745425e058e2f1c801b85f5ddf343e70a50b6379498872ece45

Analysis: behavioral28

Detonation Overview

Submitted

2024-08-05 03:28

Reported

2024-08-05 03:32

Platform

win10v2004-20240802-en

Max time kernel

149s

Max time network

155s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\Plugins\SurveillancePlugin.ncp"

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\Plugins\SurveillancePlugin.ncp"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 59.189.79.40.in-addr.arpa udp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-08-05 03:28

Reported

2024-08-05 03:32

Platform

win7-20240708-en

Max time kernel

118s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\PluginCompiler.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\PluginCompiler.exe

"C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\PluginCompiler.exe"

Network

N/A

Files

memory/1172-0-0x000007FEF5CEE000-0x000007FEF5CEF000-memory.dmp

memory/1172-1-0x000007FEF5A30000-0x000007FEF63CD000-memory.dmp

memory/1172-2-0x000007FEF5A30000-0x000007FEF63CD000-memory.dmp

memory/1172-3-0x000007FEF5A30000-0x000007FEF63CD000-memory.dmp

memory/1172-4-0x000007FEF5A30000-0x000007FEF63CD000-memory.dmp

memory/1172-5-0x000007FEF5CEE000-0x000007FEF5CEF000-memory.dmp

memory/1172-6-0x000007FEF5A30000-0x000007FEF63CD000-memory.dmp

memory/1172-7-0x000007FEF5A30000-0x000007FEF63CD000-memory.dmp

Analysis: behavioral25

Detonation Overview

Submitted

2024-08-05 03:28

Reported

2024-08-05 03:32

Platform

win7-20240729-en

Max time kernel

102s

Max time network

18s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\Plugins\SecurityPlugin.ncp"

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\ncp_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\ncp_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\ncp_auto_file C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\.ncp\ = "ncp_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\ncp_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\ncp_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\ncp_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\.ncp C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\Plugins\SecurityPlugin.ncp"

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\Plugins\SecurityPlugin.ncp

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\Plugins\SecurityPlugin.ncp"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 b0ccda05d470c220865e699ac62f8495
SHA1 23e3476f9ae33fd5045800327e204af78df87b96
SHA256 b4faeeb9427e93fa6e430aa772ce580fa74659ac822accd6898559ba970793f9
SHA512 a3f4333a315aeefa9c7ccd8ac1f1cfaede305b4162ddb761e9483a81b0d6a455b89e0a511494f3117d5d8967c6cc87e9c6ef9ece3acdf20270cc657e92647b08

Analysis: behavioral27

Detonation Overview

Submitted

2024-08-05 03:28

Reported

2024-08-05 03:32

Platform

win7-20240708-en

Max time kernel

121s

Max time network

127s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\Plugins\SurveillancePlugin.ncp"

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\ncp_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\ncp_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\ncp_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\ncp_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\.ncp C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\ncp_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\ncp_auto_file C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\.ncp\ = "ncp_auto_file" C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\Plugins\SurveillancePlugin.ncp"

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\Plugins\SurveillancePlugin.ncp

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\Plugins\SurveillancePlugin.ncp"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 190c504ee043d0c244473a96e3285cf9
SHA1 7ebea03b3e6795c3739b671da2be862cebb6cf92
SHA256 65bb70228c75dc74871acea0cc8b12a70f3e30f8055eec70d4f867afc2306b6b
SHA512 f0702304e22cb5ab6cd345098aee963a342e8e056e92eb80d114d1af0d28aaa9922a1fe80aeb6c0d86e9b87a3a2945aa2b41801d100e6313570291b2ee71c5f2

Analysis: behavioral10

Detonation Overview

Submitted

2024-08-05 03:28

Reported

2024-08-05 03:32

Platform

win10v2004-20240802-en

Max time kernel

149s

Max time network

153s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\Databases\network.sqlite"

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\Databases\network.sqlite"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
NL 52.111.243.29:443 tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-08-05 03:28

Reported

2024-08-05 03:32

Platform

win10v2004-20240802-en

Max time kernel

94s

Max time network

100s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\Plugins\ManagementPlugin.ncp"

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\Plugins\ManagementPlugin.ncp"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2024-08-05 03:28

Reported

2024-08-05 03:32

Platform

win10v2004-20240802-en

Max time kernel

150s

Max time network

154s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\Plugins\VisibleMode1.1.ncp"

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\Plugins\VisibleMode1.1.ncp"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 1.173.189.20.in-addr.arpa udp
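
The Network tables in this detonation and in behavioral9, 10, 14, 16 and 28 above are dominated by PTR queries (`*.in-addr.arpa`) sent to 8.8.8.8:53; the only sessions that are not DNS are TCP/443 to musicmatch-ssl.xboxlive.com (raised by wmplayer.exe), g.bing.com and 52.111.243.29 (raised while OpenWith.exe was on screen). A reverse lookup is the guest asking for the name of an address, so a PTR row is only meaningful when paired with a connection to that address in the same table; the rest is Windows and Edge background traffic that the sandbox reverse-resolved. The script below is an added example and not part of this report: it parses rows in the table's own `Country Destination [Domain] Proto` layout (the sample rows are constructed from the tables on this page, and every function and field name is the editor's own), splits forward lookups, reverse lookups and real connections, and lists the PTR targets that never appear as a destination.

```python
"""Separate real contacts from resolver noise in a sandbox Network table.

Added example, not part of the report: the rows are constructed from the Network
tables on this page; function and field names are the editor's own.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample: one row of each kind seen in the report's Network tables.
NETWORK_ROWS = """\
US 8.8.8.8:53 musicmatch-ssl.xboxlive.com udp
GB 95.100.244.7:443 musicmatch-ssl.xboxlive.com tcp
US 8.8.8.8:53 7.244.100.95.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
NL 52.111.243.29:443 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
"""

Connection = Tuple[str, int, Optional[str], str]  # (ip, port, domain or None, proto)


def ptr_to_ip(name: str) -> Optional[str]:
    """'7.244.100.95.in-addr.arpa' -> '95.100.244.7'; None for any other name."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    labels = name[: -len(suffix)].split(".")
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(labels))))
    except ValueError:  # AddressValueError is a ValueError subclass
        return None


def parse_row(row: str) -> Tuple[str, str, int, Optional[str], str]:
    """Columns are 'Country Destination [Domain] Proto'. Domain is absent when the
    sandbox saw no DNS answer it could tie to the destination (the 52.111.243.29 row)."""
    tokens = row.split()
    country, dest, proto = tokens[0], tokens[1], tokens[-1]
    domain = tokens[2] if len(tokens) == 4 else None
    ip, _, port = dest.rpartition(":")
    return country, ip, int(port), domain, proto.lower()


def triage_network(table: str) -> Dict[str, list]:
    """Split a Network table into connections, forward lookups and reverse lookups,
    and flag PTR targets the guest never actually connected to."""
    connections: List[Connection] = []
    dns_queries: List[str] = []
    ptr_targets: List[str] = []
    for row in table.splitlines():
        if not row.strip():
            continue
        _, ip, port, domain, proto = parse_row(row)
        if port == 53 and proto == "udp" and domain:
            reversed_ip = ptr_to_ip(domain)
            if reversed_ip:
                ptr_targets.append(reversed_ip)   # reverse lookup: resolver/OS noise
            elif domain not in dns_queries:
                dns_queries.append(domain)        # forward lookup the guest wanted
        else:
            connections.append((ip, port, domain, proto))
    contacted = {c[0] for c in connections}
    orphans: List[str] = []
    for ip in ptr_targets:
        if ip not in contacted and ip not in orphans:
            orphans.append(ip)
    return {
        "connections": connections,
        "dns_queries": dns_queries,
        "ptr_targets": ptr_targets,
        "ptr_without_connection": orphans,  # PTR for an address never contacted
    }


if __name__ == "__main__":
    for key, value in triage_network(NETWORK_ROWS).items():
        print(f"{key}: {value}")
```

Run over the constructed rows, `connections` holds only the three TCP/443 sessions, `dns_queries` the two hostnames the guest actually asked for, and `ptr_without_connection` the one address (199.232.210.172) that was reverse-resolved but never contacted in the table. Applied to a full report, a non-empty `connections` entry whose domain is neither a Microsoft service nor explained by a benign parent process is the row worth chasing; the PTR rows on their own are not.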

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2024-08-05 03:28

Reported

2024-08-05 03:32

Platform

win7-20240704-en

Max time kernel

105s

Max time network

20s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\Plugins\VisibleMode1.1.ncp"

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\ncp_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\.ncp C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\.ncp\ = "ncp_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\ncp_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\ncp_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\ncp_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\ncp_auto_file C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\ncp_auto_file\ C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\Plugins\VisibleMode1.1.ncp"

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\Plugins\VisibleMode1.1.ncp

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\Plugins\VisibleMode1.1.ncp"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 883644eb21cacfce2f792b8527fdb1a1
SHA1 90753dbcd2244094b8addbe70b921e5dd18921f5
SHA256 c482924cfdffcec542615cc6e9425dbe584bd84932fae8c96df2dc6c54d03c79
SHA512 0e1835cca19dcb4499ce32602774eb5d772d40295a3c7c3846958202ba45dc9ea3715f64cc983b983113c7ebb8766ac2cd115e5b5e257cea2417374fc140f8ba

Analysis: behavioral3

Detonation Overview

Submitted

2024-08-05 03:28

Reported

2024-08-05 03:32

Platform

win7-20240704-en

Max time kernel

137s

Max time network

137s

Command Line

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\ClientPlugin.xml"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "428990487" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bb7c5835718279428690b074aa627b7000000000020000000000106600000001000020000000bd00148589f020b485dd136dcffd478c378f475b561a3b6ac6838619921b6b55000000000e8000000002000020000000ad5f5eee3a4159ab8179d9662e48cc163c9cf1d9042e12d92e0854e1b1098b6220000000d41457958dcefd80b7b22596da50bf92e797f8d30d783571414763b43f78d62d40000000595d8e5cc792e50a8f00a859cba7e9fd4acf5cca1cf1d60cb005c3d362c76c55e78891e7db2b6e53a4b33fd50164edf2cbe86a1119a7703831f78ccf2a0ffa36 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bb7c5835718279428690b074aa627b7000000000020000000000106600000001000020000000386c3e41eca4712a5c1b606fb34f27db168e2ea3ab0dac12ceb5201fa3891c7b000000000e8000000002000020000000ccdde7f4207c027fb750bf94943201252f36057253bcde956d4ce0931702f85390000000412ed801041cfd6d6ab0036ae7633ef3c1277f2659cf5a934b5657dda7415a18d252764c62fcaf30aab8293ca82afdfd0f022ff1c78ff3e8dfc2aa55016e4790dc4072175d125384548a6518242be9df661c33cd32a010db67dc4df31f73b3c6e998512d3b19defc6d7976c6ca40093bca7e7cbd1af80517a27ba2c2b5072e168294af617696d6756dc4f09aa06e0989400000004470e0e9ebbbc75062b0452e3365f36d7a1c749ba123ebb89f690112a76859f041cf1a2f0b50deb65c045bcd5be008c2f689bda60887bb43a7d466ce60045221 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{09BB9311-52DB-11EF-AEC5-4605CC5911A3} = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 7092a0dee7e6da01 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1876 wrote to memory of 2116 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1876 wrote to memory of 2116 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1876 wrote to memory of 2116 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1876 wrote to memory of 2116 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2116 wrote to memory of 2656 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2116 wrote to memory of 2656 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2116 wrote to memory of 2656 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2116 wrote to memory of 2656 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2656 wrote to memory of 2716 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2656 wrote to memory of 2716 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2656 wrote to memory of 2716 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2656 wrote to memory of 2716 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\ClientPlugin.xml"

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2656 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab2C9D.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar2D7C.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3939227a6c95d77d30b67e6b3fd1d04a
SHA1 ac8f11e1a71d7e5434e19963ef6f9af8023b43c5
SHA256 d8e236d0cfc76a58af4ad5933d30fbef3ae22d4c82f05b329c8f845e9c23a40f
SHA512 318f00c48d9d350d6efd22ceb29f5ba2f5e42ae0e87546c998e6a945f1bc627516fcc4658b5af5eb3b3924693ca1514e7ecdafa1e9604ebf1167def2d07f2db5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bfa37def74c4aeded0335f85d0aadbc8
SHA1 553306b389bd107f1d9c5ad0ad0ad4e5b161138e
SHA256 f8568a290ff5796f6624dd912ca76765d397d53e2c6367eef5c4f8bcda239ada
SHA512 1b21ce06c074eaa6dc9b23a4977b4f9ed8194aef3b312540bc8f543d633919afd12ea1d44713f4af31922cf17f1e6f78581461d2a57dba148484e1c33a00b262

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b7c7f87667fdc3eaa3155a36851ff370
SHA1 0afb82ea08f089e65c74f926a9493120c0d8d969
SHA256 6e31a76289e914fc8a3a45222f48335383e027f19590c4cea4060eb160fe96dc
SHA512 4ed82610914567b22dea39dbfb1a4915f9561fce1bf3a92d346d4ec233383bae141bde7c1ff61caebad537c150771aac64281ae7ab834ad8f415511be888c841

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0a5c046ee07f7d2d68e8e75e18ef43a9
SHA1 b5b9d90875ce3d93674957849bb241c72bd5e4ce
SHA256 2972cb521cd50e97b04b6179a613d819ccf242feeb6ea4beb5a744a582122064
SHA512 176df6407e626917d8f0b7186eda9ce8061662c42ff826f8fa0898eb1b98bbc9b94db983b35a3172522dbe3cd5b4151a5f7baee7198b7b03e6836ce00801cfc9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b6886be79b8af8209558541c7304d177
SHA1 612c4fa8193c6e73f1b544ecde1bfc5e33b73d97
SHA256 65cfa7e6b90b51936bc40892f01a5ae5291550c69a710686eb19228d15294941
SHA512 f4ea4213dd93226dae9070c5f5c73dd605786d4546e9945e351b84f16e6374506dda0aba12a34761242d43434d8936a388204a611a1c9a2e7f881e8052442d60

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f520116d1cc665518329226e7c21b705
SHA1 26eae553efad1ea348034f8c2e5a5f21fb734bbf
SHA256 b6164557bc99ee86dc6371e11eac72f87790a3571840a6659321130493953857
SHA512 c8c3c980515e118156da805931b46fca3a587dedf9a99565e080c954dc5c6ade93ae404c8e568742d8a2f5c0ff8259b6bc5389dcebaa3c0dfc4e5e4f48bec132

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5d3d23691315e0db6dffcc61323da424
SHA1 ac53e79533e634208084c9f9506f5348f8ee5083
SHA256 4905e667fe0df434dd7c642f029eee0fbacc74780dda696f0413fc61db8d0265
SHA512 a8a4451b1ff2b121ccedab32e7fca9a0aa250b7bcb36b224f31986a125cf843e68d5a59379add9a3cb78b5f93738892ebf1f19d60660ddf809ce5739bf50ac73

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ffb0fe73aa0894b428bab94aeee82d69
SHA1 c1f5bd848f74ec3d5ec9e7d49ccec8e7a42c23e9
SHA256 94d249d7fa8c8d18c9bbedf4685386fcf0f8ba70cbd37fcb57827114f6a98013
SHA512 2fc0d7aa4c9ca59b33d679fcd9b9988d7b68eefc6dc1ae8a550239b40958582690e5f137e6c9e76c88cd939d5ba5708153e812bb5ce5cd6f91033aaf87373680

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9ee9f15eb61eed379bf49a16b4c6b3b1
SHA1 e01577d7a7597a48e5867e0b4eeb126401ab0b52
SHA256 b0ec2d0ad6e75f3d534505cfb0bcf74c61f34775efe66e26731fdecb3277d52f
SHA512 bfdb2c944379167edddfc9cded28d63d8fb4487d8ff8bf20214a8a777f7d92467407a242b168762eac53eb2a822f3ce54573fd2ddd0d3b2cea6896a8c7e1f278

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 eea58aca5a416d90eaa91956c6ddfd71
SHA1 68808eb962b247ab80a8454ede4e462f44063d06
SHA256 94ba55cf873d71bdd40e7687bb323428648cf23c5569ca028934564eda39730f
SHA512 8d090e857de5a981303b1d490ed50ca8c51402201b4b5104af0ce834cc71632a3b3c6d57527b49ed541cc6dcbbc815a06825c6fadbae7284d9a34375d81e4426

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 924a6510074d1e8f610da85b18e9bc30
SHA1 14087f6d3c0667ae7f34b79c583ea2a9f62e5cb6
SHA256 4e8089715c58b69bb23f8c5ca8efaa39700cc5d52b27bf7175fa2adc074bf729
SHA512 1694252cc6f0e8409c2e6c94efe6b10a054c28fb24a6ad4778e85dc895cb172ccb44866cf82fc266449ed26f7e4e276859fc655ef1f95d3c37789ce55a6e3647

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 36d82d28a1431614a03a33f8f7de7538
SHA1 11f7d19830f9f14e024d12be6b029f56a1c233ae
SHA256 b5befb603ccc8e49dc5b603c90dce1e68329671b543c96019925dd2f86b3c72d
SHA512 c3a7e885c7dcc262080d42599b2957a79a015fd602ef64f71885249ce8bb08f1ef05c92ac74475bb06f225de18fbb94761dfe9abd1f44d882ae95ea5be506307

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2615ec29572db9c70afed5cd58df5ac6
SHA1 8dedb3b46fd539c48104da3249fe2216975ee8be
SHA256 3032695e87b4635bc30108aa05c67bcbd4c6ba06e69bea0521284a5cc127bfae
SHA512 d73416925a61ff71bc003385d3d80b50116ca7802a765d66547befa0c3355daeb576871e3fdeff9b2f7e086785e222880cd4938dd33453565dc7dcc7575671bb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bc3ab51e983fa0e064293947b2f59ff8
SHA1 c06f901c1f9c1b0f618f4f981244500208324644
SHA256 62dce365fead1bed935c7c07d9c14966d04c489a103bab15a7eb7f4c5b774cf4
SHA512 f4ff5e25522a7a83bfc56932f01e50a1070d405cc2c3b2e4fd0463336e5438979c3dbb0c31cfca0f73caf90bcb2810f21a36ed46ffbad2e5be026cc8e5adad70

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ba69a28a0d8882b04da43e00eee227da
SHA1 a424b1524cc450fe7e5f07310e3bb0abf1c27ff1
SHA256 d4f4214db19bcab742e459a65630af6dc18885fb851cd483949684e83dc12424
SHA512 7c4fd85d47599fe518a230ccd931ee38c07420911b31b8f1d33eefa42ace69ebd798b6928d418937472e993734aed3c10fae0c3e1435471f2f229fed997cc2ec

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cd0a54ead065a5d82b940aa30063fdef
SHA1 02143cc91beac7f83907d327fc2e9b5eead9dda0
SHA256 24d7c0721a2e90bdc9a4b0f1c1951437b5f6d7d6f1846dfe3264e3d0fff01120
SHA512 7fbf3c4592f298a1ba4581c409d74314ed4f4535d313025bc334e9361e7a11d37009c5ab09fcbeea87bf48904da2c714680dd0b302d7bf0df0f98bd056e73891

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8233da5db192efe06bbc26c9bedd1c82
SHA1 17212a393c17d6dce2afbd799642cab46491f722
SHA256 14962e8fb8d459f5d0c15707cb055a56d13528c7d64b6fee2c065fb6d9df04ba
SHA512 fedae728d573abd8f101c508a63db28d08044c2e5e0c3e18eb62ce43261f1e514ebc9b0a55fc7cc065a9361ec6c496acf7fc9f4db379635688f402679f4337b7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 615c867e686b56ab04e56ab0a0e9a4e3
SHA1 70f144a3b7ebf2bf0c533f5aae415d2e39b8129c
SHA256 a0b3d913d350348380fef74069305cf18f269d5837b6298ad150deb893055a70
SHA512 6f35c0036f079b00f469dbfd3c5fdf344814a3fcf86895c6c0da187d59e96214b31c3ee42a5e028c3fc51d75fe2c7f02c849286966ffbd08ee34289e5ca57fb3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1f6914c03ce259e2265ff9042b43f0a0
SHA1 a62a7513494ecb3d8e5a1a44b8440471a6cbcabe
SHA256 1b65a13d768cc41bcd6b3d9c12f62974109ae5e66d593f886989f00dd3118e7f
SHA512 3a6489d6436f87fd4ee7aa9d31c1ef6dc768e7e45da3fd19c189bc7f2d07dbd732fcf80ec75473fdcb7aac7786618d5d3549088d69d019c33093c5c21f226d9a

Analysis: behavioral4

Detonation Overview

Submitted

2024-08-05 03:28

Reported

2024-08-05 03:32

Platform

win10v2004-20240802-en

Max time kernel

91s

Max time network

148s

Command Line

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\ClientPlugin.xml"

Signatures

N/A

Processes

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\ClientPlugin.xml"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp

Files

memory/3276-0-0x00007FFE49810000-0x00007FFE49820000-memory.dmp

memory/3276-1-0x00007FFE8982D000-0x00007FFE8982E000-memory.dmp

memory/3276-2-0x00007FFE89790000-0x00007FFE89985000-memory.dmp

memory/3276-3-0x00007FFE89790000-0x00007FFE89985000-memory.dmp

Analysis: behavioral12

Detonation Overview

Submitted

2024-08-05 03:28

Reported

2024-08-05 03:31

Platform

win10v2004-20240802-en

Max time kernel

57s

Max time network

59s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\NanoCorex.exe"

Signatures

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\NanoCorex.exe N/A

Indicator Removal: Clear Persistence

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\TiWorker.exe C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\NanoCorex.exe N/A
File created C:\Windows\SysWOW64\config.json C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\NanoCorex.exe N/A
File opened for modification C:\Windows\SysWOW64\config.json C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\NanoCorex.exe N/A
File created C:\Windows\SysWOW64\MicrosoftWindows.xml C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\NanoCorex.exe N/A
File opened for modification C:\Windows\SysWOW64\MicrosoftWindows.xml C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\NanoCorex.exe N/A
File created C:\Windows\SysWOW64\TiWorker.exe C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\NanoCorex.exe N/A

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\NanoCore.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Windows\SysWOW64\TiWorker.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\NanoCore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 660 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\NanoCorex.exe C:\Windows\system32\cmd.exe
PID 660 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\NanoCorex.exe C:\Windows\system32\cmd.exe
PID 1216 wrote to memory of 2204 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1216 wrote to memory of 2204 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1216 wrote to memory of 5072 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1216 wrote to memory of 5072 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 660 wrote to memory of 3116 N/A C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\NanoCorex.exe C:\Windows\system32\cmd.exe
PID 660 wrote to memory of 3116 N/A C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\NanoCorex.exe C:\Windows\system32\cmd.exe
PID 3116 wrote to memory of 208 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 3116 wrote to memory of 208 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 660 wrote to memory of 856 N/A C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\NanoCorex.exe C:\Windows\system32\cmd.exe
PID 660 wrote to memory of 856 N/A C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\NanoCorex.exe C:\Windows\system32\cmd.exe
PID 856 wrote to memory of 4384 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 856 wrote to memory of 4384 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 660 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\NanoCorex.exe C:\Windows\system32\cmd.exe
PID 660 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\NanoCorex.exe C:\Windows\system32\cmd.exe
PID 5040 wrote to memory of 4552 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 5040 wrote to memory of 4552 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 660 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\NanoCorex.exe C:\Windows\system32\cmd.exe
PID 660 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\NanoCorex.exe C:\Windows\system32\cmd.exe
PID 4712 wrote to memory of 3300 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 4712 wrote to memory of 3300 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 660 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\NanoCorex.exe C:\Windows\system32\cmd.exe
PID 660 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\NanoCorex.exe C:\Windows\system32\cmd.exe
PID 2152 wrote to memory of 4516 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2152 wrote to memory of 4516 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2152 wrote to memory of 1996 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2152 wrote to memory of 1996 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 660 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\NanoCorex.exe C:\Windows\system32\cmd.exe
PID 660 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\NanoCorex.exe C:\Windows\system32\cmd.exe
PID 1948 wrote to memory of 3420 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\certutil.exe
PID 1948 wrote to memory of 3420 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\certutil.exe
PID 660 wrote to memory of 972 N/A C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\NanoCorex.exe C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\NanoCore.exe
PID 660 wrote to memory of 972 N/A C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\NanoCorex.exe C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\NanoCore.exe
PID 660 wrote to memory of 972 N/A C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\NanoCorex.exe C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\NanoCore.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\NanoCorex.exe

"C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\NanoCorex.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /End /TN "Microsoft\Windows\MUI\WindowsUpdate" & schtasks /End /TN "WindowsUpdate" & exit

C:\Windows\system32\schtasks.exe

schtasks /End /TN "Microsoft\Windows\MUI\WindowsUpdate"

C:\Windows\system32\schtasks.exe

schtasks /End /TN "WindowsUpdate"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /Delete /TN "WindowsUpdate" /F & exit

C:\Windows\system32\schtasks.exe

schtasks /Delete /TN "WindowsUpdate" /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="System" dir=out action=allow program="%windir%\SysWOW64\TiWorker.exe" enable=yes & exit

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="System" dir=out action=allow program="C:\Windows\SysWOW64\TiWorker.exe" enable=yes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="System" dir=in action=allow program="%windir%\SysWOW64\TiWorker.exe" enable=yes & exit

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="System" dir=in action=allow program="C:\Windows\SysWOW64\TiWorker.exe" enable=yes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /Create /XML "%windir%\SysWOW64\MicrosoftWindows.xml" /TN "Microsoft\Windows\MUI\WindowsUpdate" /F & exit

C:\Windows\system32\schtasks.exe

schtasks /Create /XML "C:\Windows\SysWOW64\MicrosoftWindows.xml" /TN "Microsoft\Windows\MUI\WindowsUpdate" /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /Change /TN "Microsoft\Windows\MUI\WindowsUpdate" /TR "%windir%\SysWOW64\TiWorker.exe" & schtasks /Run /TN "Microsoft\Windows\MUI\WindowsUpdate" & exit

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\MUI\WindowsUpdate" /TR "C:\Windows\SysWOW64\TiWorker.exe"

C:\Windows\system32\schtasks.exe

schtasks /Run /TN "Microsoft\Windows\MUI\WindowsUpdate"

C:\Windows\SysWOW64\TiWorker.exe

C:\Windows\SysWOW64\TiWorker.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c certutil –addstore –f root MicrosoftWindows.crt & exit

C:\Windows\system32\certutil.exe

certutil –addstore –f root MicrosoftWindows.crt

C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\NanoCore.exe

"C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\NanoCore.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 pool.minexmr.com udp
US 8.8.8.8:53 lazyshare.net udp
US 35.212.156.187:80 lazyshare.net tcp
N/A 10.127.0.1:5351 udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\autBCD8.tmp

MD5 ecede3c32ce83ff76ae584c938512c5a
SHA1 090b15025e131cc03098f6f0d8fa5366bc5fa1f0
SHA256 366f1e9f9c99aa81034bada3cc344f2fb5a74246e1d5851441244df1ecc9ae6d
SHA512 61ca6075c8a2086d42b58698484afc0005645507474831cacafc10126f47c8f0cda10c1c215557f9391865b55b16ae881a593d7547cbad560b54369684b23d1d

C:\Windows\SysWOW64\MicrosoftWindows.xml

MD5 b1cbfcc7b7a5716a30b77f5dc5bb6135
SHA1 5c397ffd7a845b2fdf9e82ff73698784a91a2fb9
SHA256 96f2ff4ddcadf6421071daa6cdda2ce866fb7b10d12cc1b20bd07cb131210430
SHA512 d08516e7610e5a08d1c5c2d1cc5a22b1cd2d6b7c890f895caee0cf65577a1315d575d91a8f7f78ffc7bd0dd77b23ece46fadf58ba44257a115330a54a3ebfcf7

memory/4748-19-0x0000000000400000-0x0000000000DCB000-memory.dmp

memory/4748-20-0x0000000000400000-0x0000000000DCB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MicrosoftWindows.crt

MD5 1bb617d3aab1dbe2ec2e4a90bf824846
SHA1 bbe179f1bdc4466661da3638420e6ca862bd50ca
SHA256 1bf4ce2aedc0cfb1365ab15c7e0c8c26b87890ad4008d56317b756b8745ff580
SHA512 ed91750bec3aed806088c271e295550dac1c8cae91569f278d40fbd671b486e70cc9b28f7a9a70e9f340fbe8a038f1ed18f666de4246fc1d60e015e0dd3f1c52

C:\Windows\SysWOW64\config.json

MD5 3da156f2d3307118a8e2c569be30bc87
SHA1 335678ca235af3736677bd8039e25a6c1ee5efca
SHA256 f86ab68eaddd22fbe679ea5ab9cc54775e74081beffd758b30776ba103f396eb
SHA512 59748e02cc4b7f280471b411d6ca3c9986f4c12f84b039bae25269634fc825cde417fe46246f58538668c19cca91e698e31d9f32df69aad89e68423f86bb00c0

C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\NanoCore.exe

MD5 1728acc244115cbafd3b810277d2e321
SHA1 be64732f46c8a26a5bbf9d7f69c7f031b2c5180b
SHA256 ec359f50ca15395f273899c0ff7c0cd87ab5c2e23fdcfc6c72fedc0097161d4b
SHA512 8c59fdd29181f28e5698de78adf63934632e644a87088400f1b7ab1653622e4bc3a4145094601211a2db4bcbd04ea5f1ac44129907fbb727fe24a1f3652c7034

Analysis: behavioral18

Detonation Overview

Submitted

2024-08-05 03:28

Reported

2024-08-05 03:32

Platform

win10v2004-20240802-en

Max time kernel

125s

Max time network

144s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\Plugins\MultiCore.ncp"

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\Plugins\MultiCore.ncp"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3852,i,2727319350781907497,7925939240893079607,262144 --variations-seed-version --mojo-platform-channel-handle=4260 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 16.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-08-05 03:28

Reported

2024-08-05 03:32

Platform

win10v2004-20240802-en

Max time kernel

93s

Max time network

96s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\Plugins\NanoBrowser.ncp"

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\Plugins\NanoBrowser.ncp"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-08-05 03:28

Reported

2024-08-05 03:32

Platform

win7-20240708-en

Max time kernel

117s

Max time network

119s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\Plugins\NanoStress.ncp"

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\ncp_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\.ncp C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\ncp_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\ncp_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\ncp_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\ncp_auto_file C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\.ncp\ = "ncp_auto_file" C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\ncp_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\Plugins\NanoStress.ncp"

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\Plugins\NanoStress.ncp

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\Plugins\NanoStress.ncp"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 ca5c9e2ae165da4f12c88936c33ae63f
SHA1 977fae1fc612c99d1fd34314c09cd6a440702f9f
SHA256 256eaf0a5af99b28066b95db9a20055b6794cb03e65e18e0fb1ddb6355df16ba
SHA512 3766b658be5d676f1758bbbe206bdb1cee341b99f95cb373f7ab4fdd95e6b9cca0840923c94031f54b4697519b44d24f47ceb8a0dde4c6c859f1c9bc0806556e

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-05 03:28

Reported

2024-08-05 03:32

Platform

win10v2004-20240802-en

Max time kernel

92s

Max time network

119s

Command Line

C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222.zip"

Signatures

N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222.zip"

Network

Country Destination Domain Proto
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-08-05 03:28

Reported

2024-08-05 03:32

Platform

win10v2004-20240802-en

Max time kernel

93s

Max time network

155s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\Databases\geolocation.sqlite"

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\Databases\geolocation.sqlite"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-08-05 03:28

Reported

2024-08-05 03:30

Platform

win7-20240708-en

Max time kernel

39s

Max time network

26s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\NanoCorex.exe"

Signatures

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\NanoCorex.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskeng.exe N/A

Indicator Removal: Clear Persistence

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\TiWorker.exe C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\NanoCorex.exe N/A
File created C:\Windows\SysWOW64\config.json C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\NanoCorex.exe N/A
File opened for modification C:\Windows\SysWOW64\config.json C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\NanoCorex.exe N/A
File created C:\Windows\SysWOW64\MicrosoftWindows.xml C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\NanoCorex.exe N/A
File opened for modification C:\Windows\SysWOW64\MicrosoftWindows.xml C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\NanoCorex.exe N/A
File created C:\Windows\SysWOW64\TiWorker.exe C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\NanoCorex.exe N/A

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\NanoCore.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Windows\SysWOW64\TiWorker.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\NanoCore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\NanoCore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2716 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\NanoCorex.exe C:\Windows\system32\cmd.exe
PID 2780 wrote to memory of 3004 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2780 wrote to memory of 2724 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2716 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\NanoCorex.exe C:\Windows\system32\cmd.exe
PID 2696 wrote to memory of 2760 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2716 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\NanoCorex.exe C:\Windows\system32\cmd.exe
PID 2704 wrote to memory of 2624 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2716 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\NanoCorex.exe C:\Windows\system32\cmd.exe
PID 2588 wrote to memory of 2644 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2716 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\NanoCorex.exe C:\Windows\system32\cmd.exe
PID 2320 wrote to memory of 584 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2716 wrote to memory of 572 N/A C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\NanoCorex.exe C:\Windows\system32\cmd.exe
PID 572 wrote to memory of 1192 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 572 wrote to memory of 2328 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2952 wrote to memory of 1504 N/A C:\Windows\system32\taskeng.exe C:\Windows\SysWOW64\TiWorker.exe
PID 2716 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\NanoCorex.exe C:\Windows\system32\cmd.exe
PID 2180 wrote to memory of 2464 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\certutil.exe
PID 2716 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\NanoCorex.exe C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\NanoCore.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\NanoCorex.exe

"C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\NanoCorex.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /End /TN "Microsoft\Windows\MUI\WindowsUpdate" & schtasks /End /TN "WindowsUpdate" & exit

C:\Windows\system32\schtasks.exe

schtasks /End /TN "Microsoft\Windows\MUI\WindowsUpdate"

C:\Windows\system32\schtasks.exe

schtasks /End /TN "WindowsUpdate"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /Delete /TN "WindowsUpdate" /F & exit

C:\Windows\system32\schtasks.exe

schtasks /Delete /TN "WindowsUpdate" /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="System" dir=out action=allow program="%windir%\SysWOW64\TiWorker.exe" enable=yes & exit

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="System" dir=out action=allow program="C:\Windows\SysWOW64\TiWorker.exe" enable=yes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="System" dir=in action=allow program="%windir%\SysWOW64\TiWorker.exe" enable=yes & exit

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="System" dir=in action=allow program="C:\Windows\SysWOW64\TiWorker.exe" enable=yes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /Create /XML "%windir%\SysWOW64\MicrosoftWindows.xml" /TN "Microsoft\Windows\MUI\WindowsUpdate" /F & exit

C:\Windows\system32\schtasks.exe

schtasks /Create /XML "C:\Windows\SysWOW64\MicrosoftWindows.xml" /TN "Microsoft\Windows\MUI\WindowsUpdate" /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /Change /TN "Microsoft\Windows\MUI\WindowsUpdate" /TR "%windir%\SysWOW64\TiWorker.exe" & schtasks /Run /TN "Microsoft\Windows\MUI\WindowsUpdate" & exit

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\MUI\WindowsUpdate" /TR "C:\Windows\SysWOW64\TiWorker.exe"

C:\Windows\system32\schtasks.exe

schtasks /Run /TN "Microsoft\Windows\MUI\WindowsUpdate"

C:\Windows\system32\taskeng.exe

taskeng.exe {905FA39D-201F-4B63-93D5-F9712B7240E3} S-1-5-18:NT AUTHORITY\System:Service:

C:\Windows\SysWOW64\TiWorker.exe

C:\Windows\SysWOW64\TiWorker.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c certutil –addstore –f root MicrosoftWindows.crt & exit

C:\Windows\system32\certutil.exe

certutil –addstore –f root MicrosoftWindows.crt

C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\NanoCore.exe

"C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\NanoCore.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 pool.minexmr.com udp
US 8.8.8.8:53 lazyshare.net udp
US 35.212.156.187:80 lazyshare.net tcp
N/A 10.127.0.1:5351 udp

Files

C:\Windows\SysWOW64\TiWorker.exe

MD5 ecede3c32ce83ff76ae584c938512c5a
SHA1 090b15025e131cc03098f6f0d8fa5366bc5fa1f0
SHA256 366f1e9f9c99aa81034bada3cc344f2fb5a74246e1d5851441244df1ecc9ae6d
SHA512 61ca6075c8a2086d42b58698484afc0005645507474831cacafc10126f47c8f0cda10c1c215557f9391865b55b16ae881a593d7547cbad560b54369684b23d1d

C:\Windows\SysWOW64\MicrosoftWindows.xml

MD5 b1cbfcc7b7a5716a30b77f5dc5bb6135
SHA1 5c397ffd7a845b2fdf9e82ff73698784a91a2fb9
SHA256 96f2ff4ddcadf6421071daa6cdda2ce866fb7b10d12cc1b20bd07cb131210430
SHA512 d08516e7610e5a08d1c5c2d1cc5a22b1cd2d6b7c890f895caee0cf65577a1315d575d91a8f7f78ffc7bd0dd77b23ece46fadf58ba44257a115330a54a3ebfcf7

memory/2952-25-0x00000000015A0000-0x0000000001F6B000-memory.dmp

memory/1504-27-0x0000000000400000-0x0000000000DCB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MicrosoftWindows.crt

MD5 1bb617d3aab1dbe2ec2e4a90bf824846
SHA1 bbe179f1bdc4466661da3638420e6ca862bd50ca
SHA256 1bf4ce2aedc0cfb1365ab15c7e0c8c26b87890ad4008d56317b756b8745ff580
SHA512 ed91750bec3aed806088c271e295550dac1c8cae91569f278d40fbd671b486e70cc9b28f7a9a70e9f340fbe8a038f1ed18f666de4246fc1d60e015e0dd3f1c52

C:\Windows\SysWOW64\config.json

MD5 3da156f2d3307118a8e2c569be30bc87
SHA1 335678ca235af3736677bd8039e25a6c1ee5efca
SHA256 f86ab68eaddd22fbe679ea5ab9cc54775e74081beffd758b30776ba103f396eb
SHA512 59748e02cc4b7f280471b411d6ca3c9986f4c12f84b039bae25269634fc825cde417fe46246f58538668c19cca91e698e31d9f32df69aad89e68423f86bb00c0

memory/1504-35-0x0000000000400000-0x0000000000DCB000-memory.dmp

memory/1504-34-0x0000000000400000-0x0000000000DCB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\NanoCore.exe

MD5 1728acc244115cbafd3b810277d2e321
SHA1 be64732f46c8a26a5bbf9d7f69c7f031b2c5180b
SHA256 ec359f50ca15395f273899c0ff7c0cd87ab5c2e23fdcfc6c72fedc0097161d4b
SHA512 8c59fdd29181f28e5698de78adf63934632e644a87088400f1b7ab1653622e4bc3a4145094601211a2db4bcbd04ea5f1ac44129907fbb727fe24a1f3652c7034

Analysis: behavioral17

Detonation Overview

Submitted

2024-08-05 03:28

Reported

2024-08-05 03:32

Platform

win7-20240705-en

Max time kernel

102s

Max time network

18s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\Plugins\MultiCore.ncp"

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\.ncp C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\.ncp\ = "ncp_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\ncp_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\ncp_auto_file C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\ncp_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\ncp_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\ncp_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\ncp_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\Plugins\MultiCore.ncp"

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\Plugins\MultiCore.ncp

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\Plugins\MultiCore.ncp"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 6c1f46ad47d5844164febfb8319b5848
SHA1 aa7387ef20f06d510b5ce4dd9c4c3dc83b14a39e
SHA256 9da64c5cd47eb6022b219a08f29ee95f8e7b64fca5626b55956c5df552df6a92
SHA512 cb4ce3b059209ebf98fc124fa1093cdaac37a1f274dea684c36df95597e00db663f038d74e4f6a6ed2860818cbf2132f107047f0b2e41e5872a85761dd879d14

Analysis: behavioral31

Detonation Overview

Submitted

2024-08-05 03:28

Reported

2024-08-05 03:32

Platform

win7-20240704-en

Max time kernel

140s

Max time network

121s

Command Line

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\Resources\Audio\notify.wav"

Signatures

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Processes

C:\Program Files\VideoLAN\VLC\vlc.exe

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\Resources\Audio\notify.wav"

Network

N/A

Files
