nanocore | ceb348dfa61b34bebce021fa783b0afdb874ea7205f75e7fb42b01898439be75

Resubmissions

13-12-2024 17:44

241213-wbgxeaxphq 10

13-12-2024 17:15

241213-vsrmhavpgs 10

13-12-2024 17:14

241213-vshdtsxjhl 10

13-12-2024 17:13

241213-vrge5svpc1 10

Analysis

max time kernel
1009s
max time network
1006s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13-12-2024 17:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NanoCore 1.2.2.0_Cracked By Alcatraz3222/PluginCompiler.exe
Size

75KB
MD5

e2d1c5df11f9573f6c5d0a7ad1a79fbf
SHA1

b32bf571aca1b51af48f7f2f955aaf1bbdc5aa2f
SHA256

0b41b2fcd0f1a4e913d3efe293f713849d59efebb27bac060ab31bed51ac2f6b
SHA512

9c9ae7baa504dd34311f5730280f6a49e10eefdb145d2d29849e385a7da47c8f2c182cd6f39949f5904ef8462fc5c3dfaf1bc4cc8bff50c6750c9edc886192e0
SSDEEP

1536:iyVzgm8NqToL6n975lw8FDx39EhPKu4iV1Y:iyVMLUTos5SAx3ChPKpiVe

Score

10^/10

nanocore discovery evasion keylogger persistence spyware stealer trojan

Malware Config

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Nanocore family
nanocore

Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
2604	9bb01a230d012b08173ceb4de9ada1f8e09bf53d3f9db3365b5e0ae1a33415f7.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\UDP Service = "C:\\Program Files (x86)\\UDP Service\\udpsv.exe"	9bb01a230d012b08173ceb4de9ada1f8e09bf53d3f9db3365b5e0ae1a33415f7.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	9bb01a230d012b08173ceb4de9ada1f8e09bf53d3f9db3365b5e0ae1a33415f7.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\UDP Service\udpsv.exe	9bb01a230d012b08173ceb4de9ada1f8e09bf53d3f9db3365b5e0ae1a33415f7.exe
File opened for modification	C:\Program Files (x86)\UDP Service\udpsv.exe	9bb01a230d012b08173ceb4de9ada1f8e09bf53d3f9db3365b5e0ae1a33415f7.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9bb01a230d012b08173ceb4de9ada1f8e09bf53d3f9db3365b5e0ae1a33415f7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NanoCore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe

Modifies registry class 55 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{C4D98F09-6124-4FE0-9942-826416082DA9}\GroupByDirection = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	PluginCompiler.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_Classes\Local Settings	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{C4D98F09-6124-4FE0-9942-826416082DA9}\FFlags = "1092616193"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	PluginCompiler.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{C4D98F09-6124-4FE0-9942-826416082DA9}\Rev = "0"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders	PluginCompiler.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{C4D98F09-6124-4FE0-9942-826416082DA9}\Mode = "6"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f4225481e03947bc34db131e946b44c8dd50000	PluginCompiler.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewVersion = "0"	PluginCompiler.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	PluginCompiler.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{C4D98F09-6124-4FE0-9942-826416082DA9}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_FolderType = "{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}"	PluginCompiler.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg	PluginCompiler.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{C4D98F09-6124-4FE0-9942-826416082DA9}	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{C4D98F09-6124-4FE0-9942-826416082DA9}\GroupByKey:PID = "0"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	PluginCompiler.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	PluginCompiler.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}	PluginCompiler.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WFlags = "0"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{C4D98F09-6124-4FE0-9942-826416082DA9}\Vid = "{65F125E5-7BE1-4810-BA9D-D271C8432CE3}"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	PluginCompiler.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	PluginCompiler.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	PluginCompiler.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	PluginCompiler.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\FFlags = "1"	PluginCompiler.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{C4D98F09-6124-4FE0-9942-826416082DA9}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	PluginCompiler.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewID = "{82BA0782-5B7A-4569-B5D7-EC83085F08CC}"	PluginCompiler.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\IconSize = "16"	PluginCompiler.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\HotKey = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\Mode = "4"	PluginCompiler.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\LogicalViewMode = "1"	PluginCompiler.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\Sort = 000000000000000000000000000000000200000030f125b7ef471a10a5f102608c9eebac0a0000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	PluginCompiler.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	PluginCompiler.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}	PluginCompiler.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\FFlags = "1092616257"	PluginCompiler.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{C4D98F09-6124-4FE0-9942-826416082DA9}\LogicalViewMode = "2"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	PluginCompiler.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	PluginCompiler.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	PluginCompiler.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{C4D98F09-6124-4FE0-9942-826416082DA9}\FFlags = "1092616209"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{C4D98F09-6124-4FE0-9942-826416082DA9}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_Classes\Local Settings	PluginCompiler.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 9e0000001a00eebbfe23000010007db10d7bd29c934a973346cc89022e7c00002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020002a0000000000efbe7e47b3fbe4c93b4ba2bad3f5d3cd46f98207ba827a5b6945b5d7ec83085f08cc20002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020000000	PluginCompiler.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{C4D98F09-6124-4FE0-9942-826416082DA9}\IconSize = "48"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	PluginCompiler.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\ShowCmd = "1"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{C4D98F09-6124-4FE0-9942-826416082DA9}\GroupView = "0"	explorer.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2252	schtasks.exe
2136	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2440	chrome.exe
2440	chrome.exe
2604	9bb01a230d012b08173ceb4de9ada1f8e09bf53d3f9db3365b5e0ae1a33415f7.exe
2604	9bb01a230d012b08173ceb4de9ada1f8e09bf53d3f9db3365b5e0ae1a33415f7.exe
2604	9bb01a230d012b08173ceb4de9ada1f8e09bf53d3f9db3365b5e0ae1a33415f7.exe
2604	9bb01a230d012b08173ceb4de9ada1f8e09bf53d3f9db3365b5e0ae1a33415f7.exe
2604	9bb01a230d012b08173ceb4de9ada1f8e09bf53d3f9db3365b5e0ae1a33415f7.exe
2604	9bb01a230d012b08173ceb4de9ada1f8e09bf53d3f9db3365b5e0ae1a33415f7.exe
2604	9bb01a230d012b08173ceb4de9ada1f8e09bf53d3f9db3365b5e0ae1a33415f7.exe
2604	9bb01a230d012b08173ceb4de9ada1f8e09bf53d3f9db3365b5e0ae1a33415f7.exe
2604	9bb01a230d012b08173ceb4de9ada1f8e09bf53d3f9db3365b5e0ae1a33415f7.exe
2604	9bb01a230d012b08173ceb4de9ada1f8e09bf53d3f9db3365b5e0ae1a33415f7.exe
2604	9bb01a230d012b08173ceb4de9ada1f8e09bf53d3f9db3365b5e0ae1a33415f7.exe
2604	9bb01a230d012b08173ceb4de9ada1f8e09bf53d3f9db3365b5e0ae1a33415f7.exe
2604	9bb01a230d012b08173ceb4de9ada1f8e09bf53d3f9db3365b5e0ae1a33415f7.exe
2604	9bb01a230d012b08173ceb4de9ada1f8e09bf53d3f9db3365b5e0ae1a33415f7.exe
2604	9bb01a230d012b08173ceb4de9ada1f8e09bf53d3f9db3365b5e0ae1a33415f7.exe
2604	9bb01a230d012b08173ceb4de9ada1f8e09bf53d3f9db3365b5e0ae1a33415f7.exe
2604	9bb01a230d012b08173ceb4de9ada1f8e09bf53d3f9db3365b5e0ae1a33415f7.exe
2604	9bb01a230d012b08173ceb4de9ada1f8e09bf53d3f9db3365b5e0ae1a33415f7.exe
2604	9bb01a230d012b08173ceb4de9ada1f8e09bf53d3f9db3365b5e0ae1a33415f7.exe
2604	9bb01a230d012b08173ceb4de9ada1f8e09bf53d3f9db3365b5e0ae1a33415f7.exe
2604	9bb01a230d012b08173ceb4de9ada1f8e09bf53d3f9db3365b5e0ae1a33415f7.exe
2604	9bb01a230d012b08173ceb4de9ada1f8e09bf53d3f9db3365b5e0ae1a33415f7.exe
2604	9bb01a230d012b08173ceb4de9ada1f8e09bf53d3f9db3365b5e0ae1a33415f7.exe
2604	9bb01a230d012b08173ceb4de9ada1f8e09bf53d3f9db3365b5e0ae1a33415f7.exe
2604	9bb01a230d012b08173ceb4de9ada1f8e09bf53d3f9db3365b5e0ae1a33415f7.exe
2604	9bb01a230d012b08173ceb4de9ada1f8e09bf53d3f9db3365b5e0ae1a33415f7.exe
2604	9bb01a230d012b08173ceb4de9ada1f8e09bf53d3f9db3365b5e0ae1a33415f7.exe
2604	9bb01a230d012b08173ceb4de9ada1f8e09bf53d3f9db3365b5e0ae1a33415f7.exe
2604	9bb01a230d012b08173ceb4de9ada1f8e09bf53d3f9db3365b5e0ae1a33415f7.exe
2604	9bb01a230d012b08173ceb4de9ada1f8e09bf53d3f9db3365b5e0ae1a33415f7.exe
2604	9bb01a230d012b08173ceb4de9ada1f8e09bf53d3f9db3365b5e0ae1a33415f7.exe
2604	9bb01a230d012b08173ceb4de9ada1f8e09bf53d3f9db3365b5e0ae1a33415f7.exe
2604	9bb01a230d012b08173ceb4de9ada1f8e09bf53d3f9db3365b5e0ae1a33415f7.exe
2604	9bb01a230d012b08173ceb4de9ada1f8e09bf53d3f9db3365b5e0ae1a33415f7.exe
2604	9bb01a230d012b08173ceb4de9ada1f8e09bf53d3f9db3365b5e0ae1a33415f7.exe
2604	9bb01a230d012b08173ceb4de9ada1f8e09bf53d3f9db3365b5e0ae1a33415f7.exe
2604	9bb01a230d012b08173ceb4de9ada1f8e09bf53d3f9db3365b5e0ae1a33415f7.exe
2604	9bb01a230d012b08173ceb4de9ada1f8e09bf53d3f9db3365b5e0ae1a33415f7.exe
2604	9bb01a230d012b08173ceb4de9ada1f8e09bf53d3f9db3365b5e0ae1a33415f7.exe
2604	9bb01a230d012b08173ceb4de9ada1f8e09bf53d3f9db3365b5e0ae1a33415f7.exe
2604	9bb01a230d012b08173ceb4de9ada1f8e09bf53d3f9db3365b5e0ae1a33415f7.exe
2604	9bb01a230d012b08173ceb4de9ada1f8e09bf53d3f9db3365b5e0ae1a33415f7.exe
2604	9bb01a230d012b08173ceb4de9ada1f8e09bf53d3f9db3365b5e0ae1a33415f7.exe
2604	9bb01a230d012b08173ceb4de9ada1f8e09bf53d3f9db3365b5e0ae1a33415f7.exe
2604	9bb01a230d012b08173ceb4de9ada1f8e09bf53d3f9db3365b5e0ae1a33415f7.exe
2604	9bb01a230d012b08173ceb4de9ada1f8e09bf53d3f9db3365b5e0ae1a33415f7.exe
2604	9bb01a230d012b08173ceb4de9ada1f8e09bf53d3f9db3365b5e0ae1a33415f7.exe
2604	9bb01a230d012b08173ceb4de9ada1f8e09bf53d3f9db3365b5e0ae1a33415f7.exe
2604	9bb01a230d012b08173ceb4de9ada1f8e09bf53d3f9db3365b5e0ae1a33415f7.exe
2604	9bb01a230d012b08173ceb4de9ada1f8e09bf53d3f9db3365b5e0ae1a33415f7.exe
2604	9bb01a230d012b08173ceb4de9ada1f8e09bf53d3f9db3365b5e0ae1a33415f7.exe
2604	9bb01a230d012b08173ceb4de9ada1f8e09bf53d3f9db3365b5e0ae1a33415f7.exe
2604	9bb01a230d012b08173ceb4de9ada1f8e09bf53d3f9db3365b5e0ae1a33415f7.exe
2604	9bb01a230d012b08173ceb4de9ada1f8e09bf53d3f9db3365b5e0ae1a33415f7.exe
2604	9bb01a230d012b08173ceb4de9ada1f8e09bf53d3f9db3365b5e0ae1a33415f7.exe
2604	9bb01a230d012b08173ceb4de9ada1f8e09bf53d3f9db3365b5e0ae1a33415f7.exe
2604	9bb01a230d012b08173ceb4de9ada1f8e09bf53d3f9db3365b5e0ae1a33415f7.exe
2604	9bb01a230d012b08173ceb4de9ada1f8e09bf53d3f9db3365b5e0ae1a33415f7.exe
2604	9bb01a230d012b08173ceb4de9ada1f8e09bf53d3f9db3365b5e0ae1a33415f7.exe
2604	9bb01a230d012b08173ceb4de9ada1f8e09bf53d3f9db3365b5e0ae1a33415f7.exe
2604	9bb01a230d012b08173ceb4de9ada1f8e09bf53d3f9db3365b5e0ae1a33415f7.exe
2604	9bb01a230d012b08173ceb4de9ada1f8e09bf53d3f9db3365b5e0ae1a33415f7.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
1444	PluginCompiler.exe
2604	9bb01a230d012b08173ceb4de9ada1f8e09bf53d3f9db3365b5e0ae1a33415f7.exe
2356	NanoCore.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2440	chrome.exe
Token: SeShutdownPrivilege	2440	chrome.exe
Token: SeShutdownPrivilege	2440	chrome.exe
Token: SeShutdownPrivilege	2440	chrome.exe
Token: SeShutdownPrivilege	2440	chrome.exe
Token: SeShutdownPrivilege	2440	chrome.exe
Token: SeShutdownPrivilege	2440	chrome.exe
Token: SeShutdownPrivilege	2440	chrome.exe
Token: SeShutdownPrivilege	2440	chrome.exe
Token: SeShutdownPrivilege	2440	chrome.exe
Token: SeShutdownPrivilege	2440	chrome.exe
Token: SeShutdownPrivilege	2440	chrome.exe
Token: SeShutdownPrivilege	2440	chrome.exe
Token: SeShutdownPrivilege	2440	chrome.exe
Token: SeShutdownPrivilege	2440	chrome.exe
Token: SeShutdownPrivilege	2440	chrome.exe
Token: SeShutdownPrivilege	2440	chrome.exe
Token: SeShutdownPrivilege	2440	chrome.exe
Token: SeShutdownPrivilege	2440	chrome.exe
Token: SeShutdownPrivilege	2440	chrome.exe
Token: SeShutdownPrivilege	2440	chrome.exe
Token: SeShutdownPrivilege	2440	chrome.exe
Token: SeDebugPrivilege	2604	9bb01a230d012b08173ceb4de9ada1f8e09bf53d3f9db3365b5e0ae1a33415f7.exe
Token: SeShutdownPrivilege	2440	chrome.exe
Token: SeShutdownPrivilege	2440	chrome.exe
Token: 33	2060	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2060	AUDIODG.EXE
Token: 33	2060	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2060	AUDIODG.EXE
Token: SeDebugPrivilege	2356	NanoCore.exe

Suspicious use of FindShellTrayWindow 42 IoCs

pid	Process
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe
2440	chrome.exe

Suspicious use of SetWindowsHookEx 17 IoCs

pid	Process
1444	PluginCompiler.exe
1444	PluginCompiler.exe
1444	PluginCompiler.exe
1444	PluginCompiler.exe
1444	PluginCompiler.exe
1444	PluginCompiler.exe
1444	PluginCompiler.exe
1444	PluginCompiler.exe
1444	PluginCompiler.exe
1444	PluginCompiler.exe
1444	PluginCompiler.exe
1444	PluginCompiler.exe
1444	PluginCompiler.exe
1444	PluginCompiler.exe
1444	PluginCompiler.exe
2356	NanoCore.exe
2356	NanoCore.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2440 wrote to memory of 2032	2440	chrome.exe	32
PID 2440 wrote to memory of 2032	2440	chrome.exe	32
PID 2440 wrote to memory of 2032	2440	chrome.exe	32
PID 2440 wrote to memory of 3008	2440	chrome.exe	34
PID 2440 wrote to memory of 3008	2440	chrome.exe	34
PID 2440 wrote to memory of 3008	2440	chrome.exe	34
PID 2440 wrote to memory of 3008	2440	chrome.exe	34
PID 2440 wrote to memory of 3008	2440	chrome.exe	34
PID 2440 wrote to memory of 3008	2440	chrome.exe	34
PID 2440 wrote to memory of 3008	2440	chrome.exe	34
PID 2440 wrote to memory of 3008	2440	chrome.exe	34
PID 2440 wrote to memory of 3008	2440	chrome.exe	34
PID 2440 wrote to memory of 3008	2440	chrome.exe	34
PID 2440 wrote to memory of 3008	2440	chrome.exe	34
PID 2440 wrote to memory of 3008	2440	chrome.exe	34
PID 2440 wrote to memory of 3008	2440	chrome.exe	34
PID 2440 wrote to memory of 3008	2440	chrome.exe	34
PID 2440 wrote to memory of 3008	2440	chrome.exe	34
PID 2440 wrote to memory of 3008	2440	chrome.exe	34
PID 2440 wrote to memory of 3008	2440	chrome.exe	34
PID 2440 wrote to memory of 3008	2440	chrome.exe	34
PID 2440 wrote to memory of 3008	2440	chrome.exe	34
PID 2440 wrote to memory of 3008	2440	chrome.exe	34
PID 2440 wrote to memory of 3008	2440	chrome.exe	34
PID 2440 wrote to memory of 3008	2440	chrome.exe	34
PID 2440 wrote to memory of 3008	2440	chrome.exe	34
PID 2440 wrote to memory of 3008	2440	chrome.exe	34
PID 2440 wrote to memory of 3008	2440	chrome.exe	34
PID 2440 wrote to memory of 3008	2440	chrome.exe	34
PID 2440 wrote to memory of 3008	2440	chrome.exe	34
PID 2440 wrote to memory of 3008	2440	chrome.exe	34
PID 2440 wrote to memory of 3008	2440	chrome.exe	34
PID 2440 wrote to memory of 3008	2440	chrome.exe	34
PID 2440 wrote to memory of 3008	2440	chrome.exe	34
PID 2440 wrote to memory of 3008	2440	chrome.exe	34
PID 2440 wrote to memory of 3008	2440	chrome.exe	34
PID 2440 wrote to memory of 3008	2440	chrome.exe	34
PID 2440 wrote to memory of 3008	2440	chrome.exe	34
PID 2440 wrote to memory of 3008	2440	chrome.exe	34
PID 2440 wrote to memory of 3008	2440	chrome.exe	34
PID 2440 wrote to memory of 3008	2440	chrome.exe	34
PID 2440 wrote to memory of 3008	2440	chrome.exe	34
PID 2440 wrote to memory of 2264	2440	chrome.exe	35
PID 2440 wrote to memory of 2264	2440	chrome.exe	35
PID 2440 wrote to memory of 2264	2440	chrome.exe	35
PID 2440 wrote to memory of 2384	2440	chrome.exe	36
PID 2440 wrote to memory of 2384	2440	chrome.exe	36
PID 2440 wrote to memory of 2384	2440	chrome.exe	36
PID 2440 wrote to memory of 2384	2440	chrome.exe	36
PID 2440 wrote to memory of 2384	2440	chrome.exe	36
PID 2440 wrote to memory of 2384	2440	chrome.exe	36
PID 2440 wrote to memory of 2384	2440	chrome.exe	36
PID 2440 wrote to memory of 2384	2440	chrome.exe	36
PID 2440 wrote to memory of 2384	2440	chrome.exe	36
PID 2440 wrote to memory of 2384	2440	chrome.exe	36
PID 2440 wrote to memory of 2384	2440	chrome.exe	36
PID 2440 wrote to memory of 2384	2440	chrome.exe	36
PID 2440 wrote to memory of 2384	2440	chrome.exe	36
PID 2440 wrote to memory of 2384	2440	chrome.exe	36
PID 2440 wrote to memory of 2384	2440	chrome.exe	36
PID 2440 wrote to memory of 2384	2440	chrome.exe	36
PID 2440 wrote to memory of 2384	2440	chrome.exe	36
PID 2440 wrote to memory of 2384	2440	chrome.exe	36
PID 2440 wrote to memory of 2384	2440	chrome.exe	36

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Cracked By Alcatraz3222\PluginCompiler.exe
"C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Cracked By Alcatraz3222\PluginCompiler.exe"
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1444

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef76c9758,0x7fef76c9768,0x7fef76c9778
  2⤵
  PID:2032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1096 --field-trial-handle=984,i,11176330486957065181,8725224079208684214,131072 /prefetch:2
  2⤵
  PID:3008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1504 --field-trial-handle=984,i,11176330486957065181,8725224079208684214,131072 /prefetch:8
  2⤵
  PID:2264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1596 --field-trial-handle=984,i,11176330486957065181,8725224079208684214,131072 /prefetch:8
  2⤵
  PID:2384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2244 --field-trial-handle=984,i,11176330486957065181,8725224079208684214,131072 /prefetch:1
  2⤵
  PID:2436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2272 --field-trial-handle=984,i,11176330486957065181,8725224079208684214,131072 /prefetch:1
  2⤵
  PID:2352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1372 --field-trial-handle=984,i,11176330486957065181,8725224079208684214,131072 /prefetch:2
  2⤵
  PID:2380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2900 --field-trial-handle=984,i,11176330486957065181,8725224079208684214,131072 /prefetch:1
  2⤵
  PID:2664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3680 --field-trial-handle=984,i,11176330486957065181,8725224079208684214,131072 /prefetch:8
  2⤵
  PID:3040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3640 --field-trial-handle=984,i,11176330486957065181,8725224079208684214,131072 /prefetch:1
  2⤵
  PID:1640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4012 --field-trial-handle=984,i,11176330486957065181,8725224079208684214,131072 /prefetch:8
  2⤵
  PID:3044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4044 --field-trial-handle=984,i,11176330486957065181,8725224079208684214,131072 /prefetch:8
  2⤵
  PID:972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3152 --field-trial-handle=984,i,11176330486957065181,8725224079208684214,131072 /prefetch:8
  2⤵
  PID:2528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4220 --field-trial-handle=984,i,11176330486957065181,8725224079208684214,131072 /prefetch:8
  2⤵
  PID:588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4212 --field-trial-handle=984,i,11176330486957065181,8725224079208684214,131072 /prefetch:8
  2⤵
  PID:3068
- C:\Users\Admin\Downloads\9bb01a230d012b08173ceb4de9ada1f8e09bf53d3f9db3365b5e0ae1a33415f7.exe
  "C:\Users\Admin\Downloads\9bb01a230d012b08173ceb4de9ada1f8e09bf53d3f9db3365b5e0ae1a33415f7.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:2604
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /create /f /tn "UDP Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmpDB52.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2252
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /create /f /tn "UDP Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpDBD0.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2136
- - C:\Windows\SysWOW64\explorer.exe
    "C:\Windows\System32\explorer.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1432
- - C:\Windows\SysWOW64\explorer.exe
    "C:\Windows\System32\explorer.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2876

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1052

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2212

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x178
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2060

C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Cracked By Alcatraz3222\NanoCore.exe
"C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Cracked By Alcatraz3222\NanoCore.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2356

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
PID:2988

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{682159d9-c321-47ca-b3f1-30e36b2ec8b9} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:1068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
898cc539529123e8c5ebc8c37b70508d

SHA1
b4af2c2eaa29c4a2ca8261fc64431ab78c00205a

SHA256
779335bdaa38632cff86340b3e3116e4a04576e0784dba7b8da08e850136bc75

SHA512
b367969b763c2916517bc30308364de50f6362ba13101db51132816d2d96b8cc1a3dee6e7be340fa95cf0091ed6ecafd59ea7fc6531ead0b4cc7776322cfb5f3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
345KB

MD5
547fe94559e9197099ce529cd93e4fec

SHA1
49e8426682a45984a99107ea1125575432cd6122

SHA256
0516d5f108d64f5ce91bb2831e3d027a2f37844621cd90bfe3de5a9da3b74f2e

SHA512
f79981fe97c52047ab1c66a0ef7e28c3cdacee41764a130aa0199dc15964ab32d358a881728e41d9a0df4758b49534fcd5032ed36bfd88f3dfb94bae2a1f3617

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ea759496-54d7-414b-8810-854d0503b1c1.tmp

Filesize
345KB

MD5
0f3cb15f0848642022c546fb7f0276f1

SHA1
08b48729904e1d855f22d1814834e55d44b1eb2f

SHA256
4b4f917547a79d339d71868709c6b2af5ca8d257d69a4d77e361d784f7cd6053

SHA512
655d3f8f2ab800aa8d90552443eff251a3a3bf4ffe2976db8cdce118a16f4ebf7c79c9fa6cdb78cadf2809f7d04a285be46e1d5a8c0fb88501ca7ba3e63a126e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDB52.tmp

Filesize
1KB

MD5
e4c2936fa97d9f65568a87f189458e78

SHA1
3fe9c79ccfb78f315947d254380009587d617ff5

SHA256
85d0e87c0e614a760ae064e813c2a59901226dcba2da11c7f5d5e78c0eeb8cce

SHA512
a027304e8aa70ba0a26160cc18afcaa680516d2f1917c3256954339d18b96304ccace6397971fd31bd9685507ccb534826b9c80b23e0f9d53d0ea0906d06d63b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDBD0.tmp

Filesize
1KB

MD5
0a24db62cb5b84309c4803346caaa25d

SHA1
67660778f61bb44168c33ed3fe56ed86cf9583e8

SHA256
38d38647af394a04ee6add9f05c43244f04e64a6b96257f4b241a5038efa82df

SHA512
d25d9df063f44595d5e0bf890755bd387655131ff369eeedf3d11ffcc6202ca4455bbb33a8a926dd06839cbd1ddec3d06809b3c66a82c6518aa14beaa469a548

Download Submit
C:\Users\Admin\Downloads\9bb01a230d012b08173ceb4de9ada1f8e09bf53d3f9db3365b5e0ae1a33415f7.exe

Filesize
203KB

MD5
7bfd65662896e081e2d09b7003f6ce1e

SHA1
2a87dc5e33a1218ef0d4d2e0898d5e34112ab20e

SHA256
9bb01a230d012b08173ceb4de9ada1f8e09bf53d3f9db3365b5e0ae1a33415f7

SHA512
d9b37ff0a110a627e65a4347f0670c81bfc5841c8326d3e2f9acbb41963863596276d4080525d37993f4a5cb8157b058d481b5c0751b4bfdaee37235bebae757

Download Submit
memory/1444-5-0x000007FEF4FB0000-0x000007FEF594D000-memory.dmp

Filesize
9.6MB

Download
memory/1444-11-0x000007FEF4FB0000-0x000007FEF594D000-memory.dmp

Filesize
9.6MB

Download
memory/1444-9-0x000007FEF4FB0000-0x000007FEF594D000-memory.dmp

Filesize
9.6MB

Download
memory/1444-8-0x000007FEF4FB0000-0x000007FEF594D000-memory.dmp

Filesize
9.6MB

Download
memory/1444-7-0x000000001F1F0000-0x000000001F200000-memory.dmp

Filesize
64KB

Download
memory/1444-6-0x000007FEF4FB0000-0x000007FEF594D000-memory.dmp

Filesize
9.6MB

Download
memory/1444-0-0x000007FEF526E000-0x000007FEF526F000-memory.dmp

Filesize
4KB

Download
memory/1444-4-0x000007FEF4FB0000-0x000007FEF594D000-memory.dmp

Filesize
9.6MB

Download
memory/1444-3-0x000007FEF4FB0000-0x000007FEF594D000-memory.dmp

Filesize
9.6MB

Download
memory/1444-2-0x000007FEF4FB0000-0x000007FEF594D000-memory.dmp

Filesize
9.6MB

Download
memory/1444-1-0x000007FEF4FB0000-0x000007FEF594D000-memory.dmp

Filesize
9.6MB

Download