ceb348dfa61b34bebce021fa783b0afdb874ea7205f75e7fb42b01898439be75

Resubmissions

13-12-2024 17:44

241213-wbgxeaxphq 10

13-12-2024 17:15

241213-vsrmhavpgs 10

13-12-2024 17:14

241213-vshdtsxjhl 10

13-12-2024 17:13

241213-vrge5svpc1 10

Analysis

max time kernel
801s
max time network
803s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13-12-2024 17:14

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

NanoCore 1.2.2.0_Cracked By Alcatraz3222/NanoCore.exe
Size

1.4MB
MD5

1728acc244115cbafd3b810277d2e321
SHA1

be64732f46c8a26a5bbf9d7f69c7f031b2c5180b
SHA256

ec359f50ca15395f273899c0ff7c0cd87ab5c2e23fdcfc6c72fedc0097161d4b
SHA512

8c59fdd29181f28e5698de78adf63934632e644a87088400f1b7ab1653622e4bc3a4145094601211a2db4bcbd04ea5f1ac44129907fbb727fe24a1f3652c7034
SSDEEP

24576:d7dOT1b7eAJzjSTUd+21nm3kEvpqZ0vSxmfexX6shz07DTl/uz:d7dqVw2+2KkS4PmGX6og7

Score

6^/10

discovery persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SCSI Monitor = "C:\\Program Files (x86)\\SCSI Monitor\\scsimon.exe"	Alcatraz3222.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Crashpad\metadata	setup.exe
File opened for modification	C:\Program Files\Crashpad\settings.dat	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NanoCore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alcatraz3222.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 17 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133785850773077080"	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "234"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3712	schtasks.exe
1384	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1396	chrome.exe
1396	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2456	NanoCore.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
1396	chrome.exe
1396	chrome.exe
1396	chrome.exe
1396	chrome.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	2456	NanoCore.exe
Token: SeShutdownPrivilege	1396	chrome.exe
Token: SeCreatePagefilePrivilege	1396	chrome.exe
Token: SeShutdownPrivilege	1396	chrome.exe
Token: SeCreatePagefilePrivilege	1396	chrome.exe
Token: SeShutdownPrivilege	1396	chrome.exe
Token: SeCreatePagefilePrivilege	1396	chrome.exe
Token: SeShutdownPrivilege	1396	chrome.exe
Token: SeCreatePagefilePrivilege	1396	chrome.exe
Token: SeShutdownPrivilege	1396	chrome.exe
Token: SeCreatePagefilePrivilege	1396	chrome.exe
Token: SeShutdownPrivilege	1396	chrome.exe
Token: SeCreatePagefilePrivilege	1396	chrome.exe
Token: SeShutdownPrivilege	1396	chrome.exe
Token: SeCreatePagefilePrivilege	1396	chrome.exe
Token: SeShutdownPrivilege	1396	chrome.exe
Token: SeCreatePagefilePrivilege	1396	chrome.exe
Token: SeShutdownPrivilege	1396	chrome.exe
Token: SeCreatePagefilePrivilege	1396	chrome.exe
Token: SeShutdownPrivilege	1396	chrome.exe
Token: SeCreatePagefilePrivilege	1396	chrome.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
1396	chrome.exe
1396	chrome.exe
1396	chrome.exe
1396	chrome.exe
1396	chrome.exe
1396	chrome.exe
1396	chrome.exe
1396	chrome.exe
1396	chrome.exe
1396	chrome.exe
1396	chrome.exe
1396	chrome.exe
1396	chrome.exe
1396	chrome.exe
1396	chrome.exe
1396	chrome.exe
1396	chrome.exe
1396	chrome.exe
1396	chrome.exe
1396	chrome.exe
1396	chrome.exe
1396	chrome.exe
1396	chrome.exe
1396	chrome.exe
1396	chrome.exe
1396	chrome.exe
1396	chrome.exe
1396	chrome.exe
1396	chrome.exe
1396	chrome.exe
1396	chrome.exe
1396	chrome.exe
1396	chrome.exe
1396	chrome.exe
2456	NanoCore.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1396	chrome.exe
1396	chrome.exe
1396	chrome.exe
1396	chrome.exe
1396	chrome.exe
1396	chrome.exe
1396	chrome.exe
1396	chrome.exe
1396	chrome.exe
1396	chrome.exe
1396	chrome.exe
1396	chrome.exe
1396	chrome.exe
1396	chrome.exe
1396	chrome.exe
1396	chrome.exe
1396	chrome.exe
1396	chrome.exe
1396	chrome.exe
1396	chrome.exe
1396	chrome.exe
1396	chrome.exe
1396	chrome.exe
1396	chrome.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2456	NanoCore.exe
2456	NanoCore.exe
412	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1396 wrote to memory of 3004	1396	chrome.exe	112
PID 1396 wrote to memory of 3004	1396	chrome.exe	112
PID 1396 wrote to memory of 4548	1396	chrome.exe	113
PID 1396 wrote to memory of 4548	1396	chrome.exe	113
PID 1396 wrote to memory of 4548	1396	chrome.exe	113
PID 1396 wrote to memory of 4548	1396	chrome.exe	113
PID 1396 wrote to memory of 4548	1396	chrome.exe	113
PID 1396 wrote to memory of 4548	1396	chrome.exe	113
PID 1396 wrote to memory of 4548	1396	chrome.exe	113
PID 1396 wrote to memory of 4548	1396	chrome.exe	113
PID 1396 wrote to memory of 4548	1396	chrome.exe	113
PID 1396 wrote to memory of 4548	1396	chrome.exe	113
PID 1396 wrote to memory of 4548	1396	chrome.exe	113
PID 1396 wrote to memory of 4548	1396	chrome.exe	113
PID 1396 wrote to memory of 4548	1396	chrome.exe	113
PID 1396 wrote to memory of 4548	1396	chrome.exe	113
PID 1396 wrote to memory of 4548	1396	chrome.exe	113
PID 1396 wrote to memory of 4548	1396	chrome.exe	113
PID 1396 wrote to memory of 4548	1396	chrome.exe	113
PID 1396 wrote to memory of 4548	1396	chrome.exe	113
PID 1396 wrote to memory of 4548	1396	chrome.exe	113
PID 1396 wrote to memory of 4548	1396	chrome.exe	113
PID 1396 wrote to memory of 4548	1396	chrome.exe	113
PID 1396 wrote to memory of 4548	1396	chrome.exe	113
PID 1396 wrote to memory of 4548	1396	chrome.exe	113
PID 1396 wrote to memory of 4548	1396	chrome.exe	113
PID 1396 wrote to memory of 4548	1396	chrome.exe	113
PID 1396 wrote to memory of 4548	1396	chrome.exe	113
PID 1396 wrote to memory of 4548	1396	chrome.exe	113
PID 1396 wrote to memory of 4548	1396	chrome.exe	113
PID 1396 wrote to memory of 4548	1396	chrome.exe	113
PID 1396 wrote to memory of 4548	1396	chrome.exe	113
PID 1396 wrote to memory of 2232	1396	chrome.exe	114
PID 1396 wrote to memory of 2232	1396	chrome.exe	114
PID 1396 wrote to memory of 4412	1396	chrome.exe	115
PID 1396 wrote to memory of 4412	1396	chrome.exe	115
PID 1396 wrote to memory of 4412	1396	chrome.exe	115
PID 1396 wrote to memory of 4412	1396	chrome.exe	115
PID 1396 wrote to memory of 4412	1396	chrome.exe	115
PID 1396 wrote to memory of 4412	1396	chrome.exe	115
PID 1396 wrote to memory of 4412	1396	chrome.exe	115
PID 1396 wrote to memory of 4412	1396	chrome.exe	115
PID 1396 wrote to memory of 4412	1396	chrome.exe	115
PID 1396 wrote to memory of 4412	1396	chrome.exe	115
PID 1396 wrote to memory of 4412	1396	chrome.exe	115
PID 1396 wrote to memory of 4412	1396	chrome.exe	115
PID 1396 wrote to memory of 4412	1396	chrome.exe	115
PID 1396 wrote to memory of 4412	1396	chrome.exe	115
PID 1396 wrote to memory of 4412	1396	chrome.exe	115
PID 1396 wrote to memory of 4412	1396	chrome.exe	115
PID 1396 wrote to memory of 4412	1396	chrome.exe	115
PID 1396 wrote to memory of 4412	1396	chrome.exe	115
PID 1396 wrote to memory of 4412	1396	chrome.exe	115
PID 1396 wrote to memory of 4412	1396	chrome.exe	115
PID 1396 wrote to memory of 4412	1396	chrome.exe	115
PID 1396 wrote to memory of 4412	1396	chrome.exe	115
PID 1396 wrote to memory of 4412	1396	chrome.exe	115
PID 1396 wrote to memory of 4412	1396	chrome.exe	115
PID 1396 wrote to memory of 4412	1396	chrome.exe	115
PID 1396 wrote to memory of 4412	1396	chrome.exe	115
PID 1396 wrote to memory of 4412	1396	chrome.exe	115
PID 1396 wrote to memory of 4412	1396	chrome.exe	115
PID 1396 wrote to memory of 4412	1396	chrome.exe	115
PID 1396 wrote to memory of 4412	1396	chrome.exe	115

C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Cracked By Alcatraz3222\NanoCore.exe
"C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Cracked By Alcatraz3222\NanoCore.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2456

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fff0038cc40,0x7fff0038cc4c,0x7fff0038cc58
  2⤵
  PID:3004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1876,i,17183782315530060399,12643056877741292642,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1872 /prefetch:2
  2⤵
  PID:4548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2164,i,17183782315530060399,12643056877741292642,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2216 /prefetch:3
  2⤵
  PID:2232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2252,i,17183782315530060399,12643056877741292642,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2436 /prefetch:8
  2⤵
  PID:4412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3140,i,17183782315530060399,12643056877741292642,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3160 /prefetch:1
  2⤵
  PID:4572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3184,i,17183782315530060399,12643056877741292642,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3292 /prefetch:1
  2⤵
  PID:652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4584,i,17183782315530060399,12643056877741292642,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4568 /prefetch:1
  2⤵
  PID:996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4804,i,17183782315530060399,12643056877741292642,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4820 /prefetch:8
  2⤵
  PID:5044
- C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  - Drops file in Program Files directory
  PID:5088
- - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x284,0x288,0x28c,0x260,0x290,0x7ff651344698,0x7ff6513446a4,0x7ff6513446b0
    3⤵
    - Drops file in Program Files directory
    PID:1496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5096,i,17183782315530060399,12643056877741292642,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4948 /prefetch:8
  2⤵
  PID:4512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4904,i,17183782315530060399,12643056877741292642,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4908 /prefetch:1
  2⤵
  PID:3568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4652,i,17183782315530060399,12643056877741292642,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4384 /prefetch:8
  2⤵
  PID:412

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4872

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1992

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:3220

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4292

C:\Users\Admin\Desktop\Alcatraz3222.exe
"C:\Users\Admin\Desktop\Alcatraz3222.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:3056
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks.exe" /create /f /tn "SCSI Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmp2E0B.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:3712
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks.exe" /create /f /tn "SCSI Monitor Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp2E69.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:1384

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa388e855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
6ba18a2ebbeb7978d7611dba96b00981

SHA1
44d614ef3858a04e029fae572f47dda111ccb2a5

SHA256
0e84bfbbd006ea69e6635fa7cb51a5aa59372f2a542a835bfef7639184cb8950

SHA512
5e45c59a97eba13bd4259b45b0bb691f2bd064e26a86e3a38b9913b14f18f758d0d260730425aa1014fd11b41a92813701b1e848f779909c0eccf2f26f054d65

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
98d0eb2a6f323f128054be29ba8de642

SHA1
490d124fb17a93ade85ea1bfb101fc98c8622e38

SHA256
f022716c726762f9e6a39cce0fb32956e59af5b5768cb781556a65cdcb577c4d

SHA512
c39200023efc6812a28f2cc2986791476dcad0f2e6b1490bd718b81201288b129be2a1929773bc8fb4335846a129d0715ee95c4fc2f066f3efb5940214582c0c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
b207b3905421ca84fd5f0aabc9a48571

SHA1
d364e5536501fceb3633466b4cc94cb0b7a84a71

SHA256
f5cec627e497138fd537c8a7fef8a950977a94547e9a30489e813bfdaf2d1c62

SHA512
2b71405c2ed38fd71bedc45ad62c4d41cfa097790cc6744f56d7b1d322805071036575614709c8a7078b9c2f949af345d97e4edc68ed304d670f982cee5b524a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
cd3372c7524930861e26200d45df6f03

SHA1
4b360b74942cf3b84e54afb72f897a006b567572

SHA256
5da2d31de79f50fd0fa54fd1c905880998e5069a57ffb064c591d56c2aabd0ef

SHA512
c456fbed3e9db9d6863d96aedcf6e2d1149fee8b1076708db945959ca6efb52fbea9ced4e773fc626c653669f07206d103398c53600b699d644d5b3d5ac8756c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
ead1a4aa3b90f2bb212cfc7c774157db

SHA1
6bde270d7cfba6d55050b50f4859cfdc2a9d4367

SHA256
8180e4fe0e8b039551b9b55ed130a86167164b34d51d3a4bdf505c8dd328f39e

SHA512
f72287c21b3a067769ae671202970120493004829f160d59d8fdbee4bbc1fb0b775614935bf95e8d82b33afdebf2e9ca85234a4612e879cc5f64f637c80f2bf5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
e5947aac3e37c4b45521824407d3785c

SHA1
23359044e1a6c23bd6e9d014bbf732b1096a6c11

SHA256
5d8ba8fbe5c3c11b9aa058bd0d02396fe9e0b07ea62aabeb8fa990eb12887699

SHA512
19b303024f682398f2e6e5370f180ac6fa803316019d22ca0907d05cd3f2d0d6c0c3481f76ae4ee6da19be952017d1a7d6b40c4f948a4fbcc12218f4e7a67441

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
7454f5980f269ba84295624040447608

SHA1
6c6f849b53d1dd1f091e829c7b0d7ceff2c73603

SHA256
af4e7dd4040c775777eab756ed729ab8dbfc42a0a762b0bec0dca444ef21fc14

SHA512
4916406da15558a99205d33107ec409c503d8b5ac598fa9f66250602ef47e4b2ce88862cd2708337f4bc1bb05fdbbe159028aba1f6f794e15f9e9e7b7dddc0dd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\Downloads\alcatraz3222.zip.crdownload

Filesize
156KB

MD5
8f4d07c6b62acf696fe4aef50c563d4c

SHA1
1e8084c0f5efe4ef30fe8c29cdc70fbe150b6aa7

SHA256
85170c50e8284a2edb8cbeae0bbe3b953c4ac4b83ff3795c232db1bef018f7da

SHA512
6e4376a6dfa5c9aa2aa8d1612a751ebd26299e886bb3a37f4e16ed102b1884729427faed423a740e33a7ece18698000204f130702b200fb8e6ae219dbba47474

Download Submit
memory/2456-8-0x00000000745E0000-0x0000000074B91000-memory.dmp

Filesize
5.7MB

Download
memory/2456-17-0x00000000745E0000-0x0000000074B91000-memory.dmp

Filesize
5.7MB

Download
memory/2456-21-0x00000000745E0000-0x0000000074B91000-memory.dmp

Filesize
5.7MB

Download
memory/2456-22-0x00000000745E0000-0x0000000074B91000-memory.dmp

Filesize
5.7MB

Download
memory/2456-23-0x00000000745E0000-0x0000000074B91000-memory.dmp

Filesize
5.7MB

Download
memory/2456-24-0x00000000745E0000-0x0000000074B91000-memory.dmp

Filesize
5.7MB

Download
memory/2456-25-0x00000000745E0000-0x0000000074B91000-memory.dmp

Filesize
5.7MB

Download
memory/2456-27-0x00000000745E0000-0x0000000074B91000-memory.dmp

Filesize
5.7MB

Download
memory/2456-28-0x00000000745E0000-0x0000000074B91000-memory.dmp

Filesize
5.7MB

Download
memory/2456-29-0x00000000745E0000-0x0000000074B91000-memory.dmp

Filesize
5.7MB

Download
memory/2456-30-0x00000000745E0000-0x0000000074B91000-memory.dmp

Filesize
5.7MB

Download
memory/2456-18-0x00000000745E0000-0x0000000074B91000-memory.dmp

Filesize
5.7MB

Download
memory/2456-16-0x00000000745E2000-0x00000000745E3000-memory.dmp

Filesize
4KB

Download
memory/2456-9-0x00000000745E0000-0x0000000074B91000-memory.dmp

Filesize
5.7MB

Download
memory/2456-0-0x00000000745E2000-0x00000000745E3000-memory.dmp

Filesize
4KB

Download
memory/2456-7-0x00000000745E0000-0x0000000074B91000-memory.dmp

Filesize
5.7MB

Download
memory/2456-6-0x00000000745E0000-0x0000000074B91000-memory.dmp

Filesize
5.7MB

Download
memory/2456-5-0x00000000745E0000-0x0000000074B91000-memory.dmp

Filesize
5.7MB

Download
memory/2456-4-0x00000000745E0000-0x0000000074B91000-memory.dmp

Filesize
5.7MB

Download
memory/2456-3-0x00000000745E0000-0x0000000074B91000-memory.dmp

Filesize
5.7MB

Download
memory/2456-2-0x00000000745E0000-0x0000000074B91000-memory.dmp

Filesize
5.7MB

Download
memory/2456-1-0x00000000745E0000-0x0000000074B91000-memory.dmp

Filesize
5.7MB

Download
memory/2456-283-0x00000000745E0000-0x0000000074B91000-memory.dmp

Filesize
5.7MB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads