nanocore | hxxps://github[.]com/kat15/NANOCORE-RAT

Analysis

max time kernel
113s
max time network
116s
platform
windows11-21h2_x64
resource
win11-20241023-en
resource tags

arch:x64arch:x86image:win11-20241023-enlocale:en-usos:windows11-21h2-x64system
submitted
02-02-2025 00:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/kat15/NANOCORE-RAT

Score

10^/10

nanocore defense_evasion discovery keylogger spyware stealer trojan

Malware Config

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Nanocore family
nanocore

Downloads MZ/PE file 1 IoCs

flow	pid	Process
21	684	chrome.exe

Executes dropped EXE 2 IoCs

pid	Process
3156	NanoCore_Portable.exe
1856	NanoCore.exe

Loads dropped DLL 13 IoCs

pid	Process
1856	NanoCore.exe
1856	NanoCore.exe
1856	NanoCore.exe
1856	NanoCore.exe
1856	NanoCore.exe
1856	NanoCore.exe
1856	NanoCore.exe
1856	NanoCore.exe
1856	NanoCore.exe
1856	NanoCore.exe
1856	NanoCore.exe
1856	NanoCore.exe
1856	NanoCore.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
6	raw.githubusercontent.com
21	raw.githubusercontent.com

Probable phishing domain 1 TTPs 1 IoCs

Phishing

T1566

description	flow	ioc	stream
HTTP URL	54	https://www.hackforums.net/cdn-cgi/challenge-platform/h/b/orchestrate/chl_page/v1?ray=90b631563a48f1ae	5

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\NanoCore_Portable.exe:Zone.Identifier	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NanoCore_Portable.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mode.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NanoCore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe

Delays execution with timeout.exe 2 IoCs

defense_evasion

pid	Process
3568	timeout.exe
3304	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133829310303575039"	chrome.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\0\0\0\0	NanoCore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	NanoCore.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	NanoCore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	NanoCore.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell	NanoCore.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4	NanoCore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	NanoCore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\0\0\0\0\0\NodeSlot = "4"	NanoCore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	NanoCore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 = 3a002e803accbfb42cdb4c42b0297fe99a87c641260001002600efbe110000000d38ef0b5625db0158825bf85c25db017de55df85c25db0114000000	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	NanoCore.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	NanoCore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\0\0\0\0\0\MRUListEx = ffffffff	NanoCore.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1092616193"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2 = 19002f433a5c000000000000000000000000000000000000000000	NanoCore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	NanoCore.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\0	NanoCore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\0\0\0	NanoCore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	NanoCore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	NanoCore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	NanoCore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:PID = "0"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	NanoCore.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\0\0\0 = 56003100000000005759f67112004170704461746100400009000400efbe5759f671425a4d062e0000003e570200000001000000000000000000000000000000fc433d004100700070004400610074006100000016000000	NanoCore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\0\0\MRUListEx = 00000000ffffffff	NanoCore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\0\0\0\0\0 = 4e00310000000000425a7306100054656d7000003a0009000400efbe5759f671425a73062e00000053570200000001000000000000000000000000000000ff353800540065006d007000000014000000	NanoCore.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1	NanoCore.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupView = "0"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0000000001000000ffffffff	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	NanoCore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	chrome.exe
Key created	\Registry\User\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\NotificationData	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 020000000100000000000000ffffffff	NanoCore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	NanoCore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616193"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Mode = "1"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = ffffffff	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	chrome.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\NanoCore_Portable.exe:Zone.Identifier	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4320	chrome.exe
4320	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1404	chrome.exe
1856	NanoCore.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs

pid	Process
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4320	chrome.exe
Token: SeCreatePagefilePrivilege	4320	chrome.exe
Token: SeShutdownPrivilege	4320	chrome.exe
Token: SeCreatePagefilePrivilege	4320	chrome.exe
Token: SeShutdownPrivilege	4320	chrome.exe
Token: SeCreatePagefilePrivilege	4320	chrome.exe
Token: SeShutdownPrivilege	4320	chrome.exe
Token: SeCreatePagefilePrivilege	4320	chrome.exe
Token: SeShutdownPrivilege	4320	chrome.exe
Token: SeCreatePagefilePrivilege	4320	chrome.exe
Token: SeShutdownPrivilege	4320	chrome.exe
Token: SeCreatePagefilePrivilege	4320	chrome.exe
Token: SeShutdownPrivilege	4320	chrome.exe
Token: SeCreatePagefilePrivilege	4320	chrome.exe
Token: SeShutdownPrivilege	4320	chrome.exe
Token: SeCreatePagefilePrivilege	4320	chrome.exe
Token: SeShutdownPrivilege	4320	chrome.exe
Token: SeCreatePagefilePrivilege	4320	chrome.exe
Token: SeShutdownPrivilege	4320	chrome.exe
Token: SeCreatePagefilePrivilege	4320	chrome.exe
Token: SeShutdownPrivilege	4320	chrome.exe
Token: SeCreatePagefilePrivilege	4320	chrome.exe
Token: SeShutdownPrivilege	4320	chrome.exe
Token: SeCreatePagefilePrivilege	4320	chrome.exe
Token: SeShutdownPrivilege	4320	chrome.exe
Token: SeCreatePagefilePrivilege	4320	chrome.exe
Token: SeShutdownPrivilege	4320	chrome.exe
Token: SeCreatePagefilePrivilege	4320	chrome.exe
Token: SeShutdownPrivilege	4320	chrome.exe
Token: SeCreatePagefilePrivilege	4320	chrome.exe
Token: SeShutdownPrivilege	4320	chrome.exe
Token: SeCreatePagefilePrivilege	4320	chrome.exe
Token: SeShutdownPrivilege	4320	chrome.exe
Token: SeCreatePagefilePrivilege	4320	chrome.exe
Token: SeShutdownPrivilege	4320	chrome.exe
Token: SeCreatePagefilePrivilege	4320	chrome.exe
Token: SeShutdownPrivilege	4320	chrome.exe
Token: SeCreatePagefilePrivilege	4320	chrome.exe
Token: SeShutdownPrivilege	4320	chrome.exe
Token: SeCreatePagefilePrivilege	4320	chrome.exe
Token: SeShutdownPrivilege	4320	chrome.exe
Token: SeCreatePagefilePrivilege	4320	chrome.exe
Token: SeShutdownPrivilege	4320	chrome.exe
Token: SeCreatePagefilePrivilege	4320	chrome.exe
Token: SeShutdownPrivilege	4320	chrome.exe
Token: SeCreatePagefilePrivilege	4320	chrome.exe
Token: SeShutdownPrivilege	4320	chrome.exe
Token: SeCreatePagefilePrivilege	4320	chrome.exe
Token: SeShutdownPrivilege	4320	chrome.exe
Token: SeCreatePagefilePrivilege	4320	chrome.exe
Token: SeShutdownPrivilege	4320	chrome.exe
Token: SeCreatePagefilePrivilege	4320	chrome.exe
Token: SeShutdownPrivilege	4320	chrome.exe
Token: SeCreatePagefilePrivilege	4320	chrome.exe
Token: SeShutdownPrivilege	4320	chrome.exe
Token: SeCreatePagefilePrivilege	4320	chrome.exe
Token: SeShutdownPrivilege	4320	chrome.exe
Token: SeCreatePagefilePrivilege	4320	chrome.exe
Token: SeShutdownPrivilege	4320	chrome.exe
Token: SeCreatePagefilePrivilege	4320	chrome.exe
Token: SeShutdownPrivilege	4320	chrome.exe
Token: SeCreatePagefilePrivilege	4320	chrome.exe
Token: SeShutdownPrivilege	4320	chrome.exe
Token: SeCreatePagefilePrivilege	4320	chrome.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1404	chrome.exe
1856	NanoCore.exe
1856	NanoCore.exe
1856	NanoCore.exe
1856	NanoCore.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4320 wrote to memory of 2740	4320	chrome.exe	77
PID 4320 wrote to memory of 2740	4320	chrome.exe	77
PID 4320 wrote to memory of 4080	4320	chrome.exe	78
PID 4320 wrote to memory of 4080	4320	chrome.exe	78
PID 4320 wrote to memory of 4080	4320	chrome.exe	78
PID 4320 wrote to memory of 4080	4320	chrome.exe	78
PID 4320 wrote to memory of 4080	4320	chrome.exe	78
PID 4320 wrote to memory of 4080	4320	chrome.exe	78
PID 4320 wrote to memory of 4080	4320	chrome.exe	78
PID 4320 wrote to memory of 4080	4320	chrome.exe	78
PID 4320 wrote to memory of 4080	4320	chrome.exe	78
PID 4320 wrote to memory of 4080	4320	chrome.exe	78
PID 4320 wrote to memory of 4080	4320	chrome.exe	78
PID 4320 wrote to memory of 4080	4320	chrome.exe	78
PID 4320 wrote to memory of 4080	4320	chrome.exe	78
PID 4320 wrote to memory of 4080	4320	chrome.exe	78
PID 4320 wrote to memory of 4080	4320	chrome.exe	78
PID 4320 wrote to memory of 4080	4320	chrome.exe	78
PID 4320 wrote to memory of 4080	4320	chrome.exe	78
PID 4320 wrote to memory of 4080	4320	chrome.exe	78
PID 4320 wrote to memory of 4080	4320	chrome.exe	78
PID 4320 wrote to memory of 4080	4320	chrome.exe	78
PID 4320 wrote to memory of 4080	4320	chrome.exe	78
PID 4320 wrote to memory of 4080	4320	chrome.exe	78
PID 4320 wrote to memory of 4080	4320	chrome.exe	78
PID 4320 wrote to memory of 4080	4320	chrome.exe	78
PID 4320 wrote to memory of 4080	4320	chrome.exe	78
PID 4320 wrote to memory of 4080	4320	chrome.exe	78
PID 4320 wrote to memory of 4080	4320	chrome.exe	78
PID 4320 wrote to memory of 4080	4320	chrome.exe	78
PID 4320 wrote to memory of 4080	4320	chrome.exe	78
PID 4320 wrote to memory of 4080	4320	chrome.exe	78
PID 4320 wrote to memory of 684	4320	chrome.exe	79
PID 4320 wrote to memory of 684	4320	chrome.exe	79
PID 4320 wrote to memory of 3844	4320	chrome.exe	80
PID 4320 wrote to memory of 3844	4320	chrome.exe	80
PID 4320 wrote to memory of 3844	4320	chrome.exe	80
PID 4320 wrote to memory of 3844	4320	chrome.exe	80
PID 4320 wrote to memory of 3844	4320	chrome.exe	80
PID 4320 wrote to memory of 3844	4320	chrome.exe	80
PID 4320 wrote to memory of 3844	4320	chrome.exe	80
PID 4320 wrote to memory of 3844	4320	chrome.exe	80
PID 4320 wrote to memory of 3844	4320	chrome.exe	80
PID 4320 wrote to memory of 3844	4320	chrome.exe	80
PID 4320 wrote to memory of 3844	4320	chrome.exe	80
PID 4320 wrote to memory of 3844	4320	chrome.exe	80
PID 4320 wrote to memory of 3844	4320	chrome.exe	80
PID 4320 wrote to memory of 3844	4320	chrome.exe	80
PID 4320 wrote to memory of 3844	4320	chrome.exe	80
PID 4320 wrote to memory of 3844	4320	chrome.exe	80
PID 4320 wrote to memory of 3844	4320	chrome.exe	80
PID 4320 wrote to memory of 3844	4320	chrome.exe	80
PID 4320 wrote to memory of 3844	4320	chrome.exe	80
PID 4320 wrote to memory of 3844	4320	chrome.exe	80
PID 4320 wrote to memory of 3844	4320	chrome.exe	80
PID 4320 wrote to memory of 3844	4320	chrome.exe	80
PID 4320 wrote to memory of 3844	4320	chrome.exe	80
PID 4320 wrote to memory of 3844	4320	chrome.exe	80
PID 4320 wrote to memory of 3844	4320	chrome.exe	80
PID 4320 wrote to memory of 3844	4320	chrome.exe	80
PID 4320 wrote to memory of 3844	4320	chrome.exe	80
PID 4320 wrote to memory of 3844	4320	chrome.exe	80
PID 4320 wrote to memory of 3844	4320	chrome.exe	80
PID 4320 wrote to memory of 3844	4320	chrome.exe	80

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/kat15/NANOCORE-RAT
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdd9aecc40,0x7ffdd9aecc4c,0x7ffdd9aecc58
  2⤵
  PID:2740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1712,i,2389692471093118876,1721791495542170194,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=1740 /prefetch:2
  2⤵
  PID:4080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2068,i,2389692471093118876,1721791495542170194,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2092 /prefetch:3
  2⤵
  - Downloads MZ/PE file
  PID:684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2136,i,2389692471093118876,1721791495542170194,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2396 /prefetch:8
  2⤵
  PID:3844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3056,i,2389692471093118876,1721791495542170194,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3104 /prefetch:1
  2⤵
  PID:1300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3064,i,2389692471093118876,1721791495542170194,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3260 /prefetch:1
  2⤵
  PID:2120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4596,i,2389692471093118876,1721791495542170194,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4652 /prefetch:8
  2⤵
  PID:1468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5052,i,2389692471093118876,1721791495542170194,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5068 /prefetch:8
  2⤵
  PID:3108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5000,i,2389692471093118876,1721791495542170194,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5124 /prefetch:8
  2⤵
  PID:4672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5072,i,2389692471093118876,1721791495542170194,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5384 /prefetch:8
  2⤵
  PID:2700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5084,i,2389692471093118876,1721791495542170194,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5524 /prefetch:8
  2⤵
  PID:1108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5092,i,2389692471093118876,1721791495542170194,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5656 /prefetch:8
  2⤵
  PID:3368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5540,i,2389692471093118876,1721791495542170194,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5004 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:4484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5552,i,2389692471093118876,1721791495542170194,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5620 /prefetch:1
  2⤵
  PID:3552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5160,i,2389692471093118876,1721791495542170194,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5828 /prefetch:1
  2⤵
  PID:4292
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5096,i,2389692471093118876,1721791495542170194,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5128 /prefetch:1
  2⤵
  PID:4568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=5176,i,2389692471093118876,1721791495542170194,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5812 /prefetch:1
  2⤵
  PID:228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=5672,i,2389692471093118876,1721791495542170194,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5780 /prefetch:1
  2⤵
  PID:3128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=5124,i,2389692471093118876,1721791495542170194,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5352 /prefetch:1
  2⤵
  PID:2676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=5212,i,2389692471093118876,1721791495542170194,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5136 /prefetch:1
  2⤵
  PID:2736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3248,i,2389692471093118876,1721791495542170194,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5376 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:1404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --field-trial-handle=3544,i,2389692471093118876,1721791495542170194,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4828 /prefetch:1
  2⤵
  PID:1088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --field-trial-handle=5340,i,2389692471093118876,1721791495542170194,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5496 /prefetch:1
  2⤵
  PID:3820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --field-trial-handle=5104,i,2389692471093118876,1721791495542170194,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5712 /prefetch:1
  2⤵
  PID:2028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --field-trial-handle=5772,i,2389692471093118876,1721791495542170194,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5760 /prefetch:1
  2⤵
  PID:4952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --field-trial-handle=5028,i,2389692471093118876,1721791495542170194,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3080 /prefetch:1
  2⤵
  PID:4144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --field-trial-handle=4932,i,2389692471093118876,1721791495542170194,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5532 /prefetch:1
  2⤵
  PID:868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --field-trial-handle=5376,i,2389692471093118876,1721791495542170194,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3124 /prefetch:1
  2⤵
  PID:424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --field-trial-handle=5828,i,2389692471093118876,1721791495542170194,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5876 /prefetch:1
  2⤵
  PID:2204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=3080,i,2389692471093118876,1721791495542170194,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5372 /prefetch:8
  2⤵
  PID:4648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5796,i,2389692471093118876,1721791495542170194,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5608 /prefetch:8
  2⤵
  PID:4516
- C:\Users\Admin\Downloads\NanoCore_Portable.exe
  "C:\Users\Admin\Downloads\NanoCore_Portable.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3156
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TempDel.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4268
  - - C:\Windows\SysWOW64\mode.com
      mode 30,20
      4⤵
      System Location Discovery: System Language Discovery
      PID:4788
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /nobreak 10
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:3568
  - - C:\Users\Admin\AppData\Local\Temp\NanoCore.exe
      "C:\Users\Admin\AppData\Local\Temp\NanoCore.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      PID:1856
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /nobreak 3
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:3304

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:780

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Phishing

T1566

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
b52e959d2346c39c6664f6b775feacea

SHA1
b33af45227021ff27f3cb4f69c2fde79baaab6c0

SHA256
b4d88bb14fefeddafd30b3f8fac80ced6cdadc996263806264a19a71ea856034

SHA512
1eac169cb9cc38e08e2499dd222377c3f413b7f1ee58019b08f2cd6db11d742829cdd51e22e41bc36103b67b4d1225e32c7e75c8c4ee64a09a4b2fa1e3e8fd41

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
f384f5f4b3f2071087f81b5697333593

SHA1
0358756c88f0e77378933e6c7e96a8279ae819ae

SHA256
347423b5a27ea68dbcd603cb7fc6668505694a2f8b1436732c9ad32f67ae117f

SHA512
5e16e55033553c7613d23d6edf221c4ff099a81fa70458f8e837ca86399f348bf193f6c5b2b507099ef61d6ab5de72fbe21dcc5a67438f273a5469b3e7f42c6e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
a25cf8699eba85cfe4ee6cabe055d4fd

SHA1
53f95961dfcf3a93d0f05a8ef929e742b62cf23f

SHA256
e6aa36f42e55a28d86693aa2711251f22acb98708fb1646474a5141dbcbb3b29

SHA512
9e250d5407bfb9424f098b0697492de3a7d4c737e73ffbd1c904394f18e1e1614db996988c61062e44d089bf06b60625eb3ee0ddef5dd07d436c00e551eb6001

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
d3bed350858d03c88bd4a89ec890f4e0

SHA1
bc9adc6491dea317055aa73e222f70755924c1bf

SHA256
ec529dcc0b0750dbaacdaa04245b371dfbbe7eac7e665d123da6a46827ed5305

SHA512
b24c59cd88316b44ba4605a5e5ca9bafdd975626d3fa8f7c278bf98e0de69fa9d67dbefa0e669b17dc6e6f00f7f6a42f7b573194f13d1b41aa3a5de261b30f6a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
8cb5de289725972a668e1b1df214f012

SHA1
b367d66449298c73fd48abf8486831ebc8fab611

SHA256
04fd120b36001cf97bd01427201dd1ec033ab8658260b98ee4d48322c47318cd

SHA512
1add95bd83f238fa6f28793c440309432fda18497d2d2bf3dc1f046fcc281934fe981374081cda4f1f0ac21bf8dba08c354b553b7a2344291b1085bcd8520a95

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
9KB

MD5
df0cd68cd371af2e8ce4a1f54642a4e7

SHA1
d9ababa143f9289fa60ec17ed0f020a088224bc3

SHA256
60f25cdfab640c432f03274a2bf46c31d8e29e19adb2b87379447d9ddc970e22

SHA512
f9c5ab217a5ad0d1c193692891a38774873a5ea2dc6a6ca8baf1a0c2507ee602a37da1ea5049505542892f70e588e1562ca70cc58550e748bd971dce9c18bb3a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
62183729d769008784fe72569bda8040

SHA1
2760ede631b06289db4116bc5f4442de27dd15a2

SHA256
e238550cb3aaa496683dccbd75d158c3dc9ea2362c69898a247928d00bf48d98

SHA512
4e414ae8c07a4529381fb3127ca4338e8a2c11831b62e2538b4a5e9fb06aff858677ec2ff2897fab4394f37634ec74212e5b555a57b254a1e44e1451ae8ebf8a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
a096155c0058530f5242d6a589c94d5b

SHA1
d5bd41770254538e5cf7a737e582c80e88adda15

SHA256
f367491f2b9c1127bdea8f4a9e839c55f000a5d6441a0af892a4ce0692b94a58

SHA512
df34e0b2ee9f6ee15844b7bb1ee9636527b20f0b03d339029a7851e78361cafc3f8ec1e3256ac6769e823d35448e8bcf238674e0995e80786e399a597b5ff32f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
0fb68ad6ae964f0f1c50efcc1d113d15

SHA1
972fca07abe119b27e0f82e5b74dcb6a2ff2e1a8

SHA256
7972c9e6c9625909b9b1d72d13340e0ee80fddb11958f829620fea50c1779cea

SHA512
0c802a2a2c36bbdf2497397a2337a903ad422323c5955678c6a87db687d7887cbf4d27546e626a84fc8a74aa729f317671312cd4089c92dcf9fb2272b8e103c8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
6dd96b758ae6490718f232ff41e24f3f

SHA1
3b68ea1e0790d7920bde645b290ce688248b2862

SHA256
24cee475f0951778309188253a14e1774701a473573c2d9fc8c00bfb8e769eee

SHA512
ace40a4ca3365248768027d846a8c887491e86174b4a392ab45fe316f11228f77159d34b84d627ad3bf60971dbfa9af427a05c2c363c89ab1947c13c24a58079

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
91cc6fc92f25994933316077f6952373

SHA1
158dda54a178516b4a5d1c268a4b644baf7a3199

SHA256
b6365631226e36514355a39c3c8e2df705d0cb6b60cb7c9da82f553089b5d3c2

SHA512
20e9985a16c9ef865ee318ab34ef4f4bd0faea0d5d671d787b47b76ae8c0b84028e5b67642ed130c12e482b011994e416fe05a5d15b200e5a45b6f65c8562e0a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
64c7a9a7db66822dcb155b4de8576074

SHA1
968b6150cc79d1285931e2ff5313b2011e74116a

SHA256
8dba5d2ec2fb6d619e6cdb76651c1a5a38c46ef09f3df4b89df69203c487772c

SHA512
b5da405ce6a446e706b71f57b0f810d83dc4a15cacfaa58d9fd1e5badf7bcd69e027cd57ab28310d3564e1071a739fec7f745d84c60f458c9b7c698f94bf5a66

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
78b3c068e3f9fb7b0afcbac742302516

SHA1
13c5a99a8621bc9fc7712719161e7316195aaed4

SHA256
5bb906ee8b6ded93d4bf8914bc2f553c3b17f755ce9f703543dd327a7515ad14

SHA512
c2a1f40a685b097c2aaabf8b92d9579e6edfea925326956fa1cb0bff282d7970f927c2b0da046b118fd658471a07276280b11f6e2b9e8652a814396530b5dad7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
749bcbbffe9a615b90ef9189c7d64252

SHA1
5cfb41f12b1ab00c56859cb08cdfa9fd99b3315c

SHA256
b1c8fa5ecf9bcbfeb5c0a2e76e6b1a6051413f3c285013b05ecf0601f29c8a4c

SHA512
41d95ff5a19f9a7d55baafa7b7175bc6f648cc770648c8a911d107644a5980c05113e0e34371e5aad94571ff8dd4f9ab4b7939a5b3ae4e6bc6c8b1cc2c6ce14d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
92197c1ce147a9737006eb1bfe732b52

SHA1
c22346dfe274d1820cb3913a1291960f3e15b626

SHA256
f0c9daa230478bdcc972739a5ec45c07d478be6d32f94768e674caa63b4f5227

SHA512
9cd86ba4fb7afb8b336ccc0ce2fdcb017a8e576cc8204619eeb89ca5b1a6b129fd818e77c445a34934790b01504243c3b4231689760b6da4c482bd5f75d9b9bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
e8ae0d538e1359f7f4034b16fc68050f

SHA1
846dcd79f10b581162d1055bc56686b19eeb6bfa

SHA256
3e2e3a95bebdbd309b50ad3266050ff8fcf8fb088a3b1aef94c4227957a1d5dc

SHA512
270b2dbc7e9460691cdd06e95608369418695507cc3b8e6566ff9786699bf613bb1ce3445ead2a476d846512b112ea6640389159dcd5560affc68adc68a214db

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
ef8b1ee0af8d92a36089019585382b9d

SHA1
7c36cadc6c7344f185df2a8b3c04380765a8872c

SHA256
7c0c7b6a880b487184e131271cd777c341f50bf7dd5314c43287132056f4d0ce

SHA512
5c41f2f833dc7462aaeb2b3c03f813cf891f432690b6ba2fba309424e61a548cad4b41e19c4c4d97a8c26b5056b9359b52ca9104f438a5fd8137b78e8a849f75

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
f5634d58d90f70c06640e769f5b31dbf

SHA1
172763d38c88b07a8f5132a459ad4125d5026b12

SHA256
7432d050226c467afd76bddb71ef0d478b113ce6f9f7404b65aa1734089aa8f5

SHA512
d3141373feb1168629f7b8ad5d0e2d535234611cba2c86557ae42de31c4e682e44480ada0a1bfe6a47e15e2ccd00903113a95e0386111aced14622b338131828

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\WebStorage\2\CacheStorage\index.txt.tmp

Filesize
80B

MD5
2dc0b84b2103f11cf8bc1bef7df8e77c

SHA1
a58cd2043b903f77144d979e393706929c73b647

SHA256
fb5266e9456e1f26c26249a8203eeb0ccd6cbd440de4a41cba5ff4e09fa6b65e

SHA512
1a110eee0b47e2aec97d6917de5c2ec35aaba61e7e20128b8b331a32c3a298917bda0c322098361c85cb183370b4caef24a8faed716580dc38f6d7a7bd921687

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\WebStorage\2\CacheStorage\index.txt~RFe58c87b.TMP

Filesize
144B

MD5
2b570831a1870d8b1b8ae6ac302470e3

SHA1
d14b3a3b49dacee511a7c9e84f4181a14b6c7a4b

SHA256
f5020a2a6eeb5f6b0879f415d1078d1c69e372e0b7cc5bb26e53cc3b5a0dec1c

SHA512
a42a4083d77409c0e2c7b5fa1fe5b9440e0b323e783e8ef57f2d5e41da1d2a981be3dd05a948e128fdd387df4e3d51d5cd631e8f2f942d2b0f525faf953a9639

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
118KB

MD5
1303976e9320c274e693a146908362dd

SHA1
74bb82899e02a4a7131b75212c2dcc00fe99fd5a

SHA256
b1946692f897590e3f87a7c74a0c11cdf0612b918f02fa5fd2f4d6f386ce437d

SHA512
4693424743efef88e647af91c37a7062a7d604e83ff611ea7d318e05c9916cd8d3c51dda2c9aed52cfa024a60610df0d62c777295e1f3e94689168f0b4802574

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
118KB

MD5
73d3951e1814c9f8ceb4741bc279a8ff

SHA1
b86d7815762080c631441363b9cbafe2d7f15333

SHA256
1d3e293e393ea7520a3382658345c3f2d51633f55c7f065d4fb0111ad1870b28

SHA512
a10c02bfe25d8a5619c91c08fd09f3a48c0ba979ef5fb567b854f5d2fc9c8e4bb2de8ba0ea0aae44de68dce5895fe7fd2286e723c222e06478bfc63697e1e3a5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
118KB

MD5
3647044e1e5101791bc17220609b5363

SHA1
1cdfb1456302e9f7f73a41a9c5f81f6aedc90112

SHA256
7b3dea9b56b61974b64c0f5667c4ed54068937ec586554d4e3d04e800feeab1b

SHA512
68b7b39aaa6d63f998ec8b9d2b4a6556b8ee42d94d3aec8549b9e81b724358bf0caa6b9839f97f7b8e308a89b988ba40c31788e5773e83463e2d1236ea4e119e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
118KB

MD5
a00eba83bbabcbe82a6c83f22c14b53b

SHA1
f204003fd9dd3de0890cdcfe9cc8f5283bd8945a

SHA256
8ea08840871f7baea2b89b0da8aee3d42efbf60281a7beb379d733ec2d264365

SHA512
4f7ba8c8971b8efff019a20d778b9ea5f499c6d349ff1fd8df2adb06c573e998d3e65b834f2ead58486857a61a3f9a34f8870fcf392c6dd313f47537c0af84a5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
118KB

MD5
3b29efd451cc29b0bc14f4ca9840f419

SHA1
b671b219185bcf93b155c207cc0b446abe0ecef2

SHA256
e975eae23c2d3723422f4fb4795d4040db1fc0647d024f3829a5c5c85681a5d9

SHA512
dad054eb93e65e7ff27c42bee58faf54d3ea6529f4290f48732bbdce816ba4303ba5cc16441b63da9b7e0a297f76d3b2cfd637d05c126700e52ef74ebc05d5fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Databases\main.sqlite

Filesize
15KB

MD5
ea522fc387e8e1c1c65e946c9118e2c7

SHA1
0d3fe3c0f59b651f4b9210ec4d7324e7686b5a21

SHA256
ae429dbfca9416cfc6832aed1190fa7b9eb90127328136a249de024349fd3b3b

SHA512
52161556c3d3a1e12fe8de217aab806ac8e8e47135d57f057c257d16576ec08b13bc37aeb7f7234042d89d6deb594a635e0764675f4e04f7abb94836fac1d921

Download Submit
C:\Users\Admin\AppData\Local\Temp\NanoCore.exe

Filesize
1.4MB

MD5
1728acc244115cbafd3b810277d2e321

SHA1
be64732f46c8a26a5bbf9d7f69c7f031b2c5180b

SHA256
ec359f50ca15395f273899c0ff7c0cd87ab5c2e23fdcfc6c72fedc0097161d4b

SHA512
8c59fdd29181f28e5698de78adf63934632e644a87088400f1b7ab1653622e4bc3a4145094601211a2db4bcbd04ea5f1ac44129907fbb727fe24a1f3652c7034

Download Submit
C:\Users\Admin\AppData\Local\Temp\Plugins\CorePlugin.ncp

Filesize
119KB

MD5
7914e7302f72d330aa5f6c5c8c26df43

SHA1
8c411f3fe5297a78cb018539b44df87c0a51606a

SHA256
f66985518b1e56a04f512d110f5b79f21ed91cbcbf6bd3e17eba3dcdfb85f9b5

SHA512
8959843f282162ff0c59d890d04012c4f62dc36058aa7095d708a97a34313082cd4ca5ea5df5623cd2d6b8b91c527297168cab08ec59c1ec48fafac5983ad012

Download Submit
C:\Users\Admin\AppData\Local\Temp\Plugins\DucPlugin.ncp

Filesize
73KB

MD5
5eca68a8368e0e144b7016e30b85515c

SHA1
0ba48b49974156e5746958aeeb1c2a26c916b3be

SHA256
e2ce89b3e68b003cb27e2c5652ccba073c8938bef194e51830539b2464a3f676

SHA512
ea1d1363fb072a5c646ce070184855588124be42392dc492ce86c88fe93eae78e23f5de4f2df75fb5b0e8d67bf08ff192dd163ed3c62a1ccfb0b8436ae1df644

Download Submit
C:\Users\Admin\AppData\Local\Temp\Plugins\ManagementPlugin.ncp

Filesize
300KB

MD5
b612c2c9a6d361a5db14c04ba126119c

SHA1
d2b29e235b0f45242088b78313438bdfd51209dc

SHA256
b86fe4e126a9748a383a34d615b9598c715f2380c0aad957495c66923902026c

SHA512
194d4688935235f3ca686868c9ff53c7945d4e076d4a51fdcbc254bfa1461494766480794c65715bce314256c7cc5268bd6547c937984d3010f54f5a3db4ba9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Plugins\MiscTools.ncp

Filesize
66KB

MD5
78e3006fc6468eb7dfc7761072b84ac6

SHA1
e46cae768d2754f48a29b7e424a9bddf0d67bcd8

SHA256
3a3a3b105eefb45e3b70cc1592e484df02df7020d5154e8c2e5d7d439e295e46

SHA512
0daa1cc9ddae70f442ee5eed784523dc1378b9d095edfaec1df95e02f00d09b461d60ee180f716f7ba755543ef7b0c87d791a454cf254dde0033b8615b2841e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Plugins\MultiCore.ncp

Filesize
236KB

MD5
becb82e1e914e906be158e3f9dd658ac

SHA1
725d3d658680ca8dcb610d998db4b28733b5ee52

SHA256
5494adf651fc64e3aa6c08e38165d8dbfec52056cdf4fadae90b76b0e6816a33

SHA512
1d67e7d5686ea225262501afb572bec23e35bbd33c660a57e84b9cad7adfadbe457b128af0059ac705d53c6b65798f5525fe4ed3c16537b0c085414cdca74174

Download Submit
C:\Users\Admin\AppData\Local\Temp\Plugins\NanoCoreSwiss.ncp

Filesize
49KB

MD5
fcb5afd01e75aca8ed9fbd35a46e54f3

SHA1
94b69f8612d31fc0698089d5e08aea1cafea52e7

SHA256
bf0386f6e9b4a35fefe5fe917e2be7c64867efe24521f18e4567f8af5f6dd5e5

SHA512
b587dd23eaea6de486c30864908f8603451c459153cd21b86a5e43bb9c2cca7cbc015daf620808fad76a4d56bbc4e57e127059c8e73be6c85bf958781c1343fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Resources\ListIcons\flag_ap.png

Filesize
351B

MD5
b841c2ebdca6bb23c15c98da4aa671d7

SHA1
42f562132fe6e9a5029247a2b9666395dd5ad9b0

SHA256
b668f1a313e57c97a5abd0212631ea6211aace15b10f1ca82484f23f7d6924b5

SHA512
e093c2c454e8ceb318df0629f5f7e8494213e69caef640dd4554f3c250029e8a06b4c5add9c13e457f901c3d328738b66db524a8404617e486fd8c564dd04c90

Download Submit
C:\Users\Admin\AppData\Local\Temp\Resources\ListIcons\flag_cx.png

Filesize
626B

MD5
fbf02dad6f60392ce777d006d5762248

SHA1
f9d95e6e5e25b83953e4f898bf99636d85511709

SHA256
45203a04468ff78fb3434f46799ca630172e04f97c566f8e143539a80c48bfc5

SHA512
9f5b7b5399cb7c8b41cda202eac5a344524f135fd2e32a5f312917c7684ee13a94976984154355297bb31fd06435efe91456e189bb5f1c9d6010dfad01415b4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Resources\ListIcons\flag_gp.png

Filesize
546B

MD5
5ac0d15234533136bf6ec230686a4aa5

SHA1
2f208a8baf30d13aa23382d3821cc73c4aa466f0

SHA256
5cceb033c0262b5905f88d5905777471e9f1b0b0d9cb857f2361e88ada73610d

SHA512
d6215183f13e36a268b849056fe1479ebd36eab4b6f175cbdd3a4ecd4ba4df7734189a2f9e9d69ee344ca63baf2c9ef10f62663cc721e9c9c59775d5e84e2268

Download Submit
C:\Users\Admin\AppData\Local\Temp\Resources\ListIcons\flag_sj.png

Filesize
562B

MD5
4f82c2e83eab05d2bd9baaeff6c81a96

SHA1
e1cd3981d14653bf5df976ece649120134e88546

SHA256
15493361692068154ac1b1baf8878c179b353996dcda4d63e0322ea37f998f9b

SHA512
b69030fffb689094952eb472b272e1d18b40d0f11e3bba647c9b01226ccf072d276cc31ce3a1ffcbc84c5de82bedfe7fc2466fb060ff50e528f7c258179e626d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Resources\TabIcons\builder.png

Filesize
303B

MD5
d2d498dc06990b948ef42c479c4c1f94

SHA1
eb380e6d156f5cc2ab28baa5add2ba8acda088b3

SHA256
ce8e344d1975972fa3f1b54383ab01cf522217e83b4e01f5c5b8563641bf6550

SHA512
fd9f99b7489507d8208432847085507e5d1823f1eed5d3c7e644c59bc5e5b36d8705d4add01a0c291240029458b25d72894fc05efede8b795bb6872e1e5f9ef9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Resources\TabIcons\clients.png

Filesize
462B

MD5
0331dbac2291c05d567461b58654d350

SHA1
1f89cdf7199983e788fd1f22b873ab9b0500952d

SHA256
8d1339e002540de132326aeb1d17c66a9a60b0af7e3daca9bc40df17e9c96542

SHA512
2d12a85226a21670c49038e4347b39227b8d8bca07b8eb66f2adae0ccf1135270f5ba5f16a40bf526477c70c00c1ca572bfb973306e6eb8dd057600de38da161

Download Submit
C:\Users\Admin\AppData\Local\Temp\Resources\TabIcons\home.png

Filesize
343B

MD5
0a482ce7f891fe7a64118bbb34a34b9c

SHA1
2aba3c06942273aebc5e616602620e4b2526ebe7

SHA256
76d3e6c51702b37227b73a4f84771e44d7c1a8551b4c1fdd90e341f03a805346

SHA512
0e900eff9109ac2f32137d9d18993a29ed6065299ef96554f2288128fe07d1e8db1a0dac29b39b0eb05bb8a9bdca5f083da8e25dec3c880ef155401fd649107b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Resources\TabIcons\network.png

Filesize
230B

MD5
48780574121d519661c2e0bc51b25b68

SHA1
89d8d5e42fbae3d95c8036c1738656b8e6343091

SHA256
28f4c682d85fb4ef531a71b7fed8f0d7ef548f1126da378aaf60349219a681d6

SHA512
7f0d9b6e18b812350b9d57439069ebb9140365830ea6fa247527f793cc58271ed7743c514d7488f026064b6d44afaf93717192bcff3ea8a3b501f2bf7718ff30

Download Submit
C:\Users\Admin\AppData\Local\Temp\Resources\TabIcons\system.png

Filesize
273B

MD5
9993c66f33d16d11e701abbabf5a5db8

SHA1
415a0069f21dc5fcbb7bdaa7f17a679eb18e6b1e

SHA256
24c4edf86254f9e2359508909ba52dd683e1f6af0d8c1a52f875c472fc73bd40

SHA512
7a3f0546f4fb12e72fd774f5c4446e8bcc2a26c762aad91675c3bc10931c1c0ac2c40d66a25afd0a376ab665427164367c1cf398c22811eedf88c90ce51a23e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ServerPlugin.dll

Filesize
28KB

MD5
952c62ec830c63380beb72ad923d35dc

SHA1
6700baa1fb1877129e79402dfe237f0b84221b69

SHA256
2e5fbfb7932b117a2f6093dc346cdee4a5702e39739d9c40d27bfd1580f6f0d7

SHA512
5dc19d7d6ab7670ded766f357e481328c8df4a96ac3c2a00194a5ccea8c34bca0e34cfea3d9d17934db384d302446be2fec9853438371561d70580665bffe121

Download Submit
C:\Users\Admin\AppData\Local\Temp\System.Data.SQLite.dll

Filesize
256KB

MD5
dd3d6f00b1aba3f1d9338d9727ab5f17

SHA1
faf9364a7ab15f27c93a6e6f97fa025030c9dad7

SHA256
f0d4beab24e94e61f219df451d90dbba3d0f48539f9b6a448f91e0c94b4e80c4

SHA512
0794d850a133a98affe627e3023114b229b982e507d366895ece6a1ef99b42d708554c64b52f0f2ed63673e1c5aeea7e794085d45f0797159e21ba4efdf23cd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\TempDel.bat

Filesize
204B

MD5
3b2fb2a8ccaaa86a5fbcab338e641ff1

SHA1
bfd7df0e383c404d6c5cd58687954426a43acd7f

SHA256
34cba91daa5d60239496f52d4da9c526a0ed7680adf8f4fc491b2ddb32d48208

SHA512
cf00ac00845f1ac0cde6a18507c8b629c95a4391170dc1297e596406e0aa5802090b3631aa2bc3dc8632fe6c85c3d33557f9235cb43a833cbb4d8f3d84bc4443

Download Submit
C:\Users\Admin\AppData\Local\Temp\builder.log

Filesize
22KB

MD5
0061a98407086fb3106b61fe5d0fbb27

SHA1
c5882467e947fa1cab30dd45fe337b23bce1712a

SHA256
054dbc3e14992bea750e1f366c16f6b0c861bc9db2617be91cbf7306fd25219a

SHA512
b4e0f10067b2a5b7865b404c63be1c93cbda482ed3d20e618ede411fe7f9bc177792d0ab0bb7c13730809f9630ba5160f485a38590096ba8cb8104ab189f2c9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\client.bin

Filesize
130KB

MD5
906a949e34472f99ba683eff21907231

SHA1
7c5a57af209597fa6c6bce7d1a8016b936d3b0b6

SHA256
9d3ea5af7dc261bf93c76f55d702a315aa22fb241e4207dc86cd834c262245c8

SHA512
29fd20ae7f1b8bac831c0bb85da4325a62e10961989e14299f5f50776c8f7e669cc1527bf2c3868bd7230e73ac110ba8b1f0491ac0f2923d79d7a2871c7c961d

Download Submit
C:\Users\Admin\AppData\Local\Temp\plugins.bin

Filesize
240B

MD5
5e709fc806e8ba3385487699004f6d29

SHA1
2f32547ed5b9db3b33969fb4858945610aaeedb2

SHA256
9ecbf989dedf1403db953fb4e5955c9f63415cbe1f6492c3246bac405a4d036f

SHA512
a6706c9f76d837a7e0ab12e3c1c6d94fedde9dc52d4fecd02befd8850752155e2bf801cdf0488a98e49c50c4f0595a3fc4916950badba9bb83a5b7a35d3ffaab

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.log

Filesize
103KB

MD5
ac6285562e5e3e4e98feb7fe8df884a4

SHA1
4b7fc4ea7c39b95efa7d4e1d68b9b3994c38683b

SHA256
51d9e422386e5e64eadc212bff06b33c2a163bfe355ce98d756ce00afd76ae2a

SHA512
6db244bf0e1948626e64b2b8636b9bf71fa4b2bbe5e7c4877a444da00bcc7964efa9f01f6e4c90963961a3a8bdb3bb8ff7d28660596e6f468b53313ab5e3453b

Download Submit
C:\Users\Admin\AppData\Local\Temp\settings.bin

Filesize
280B

MD5
daa76574a834b950a015d191e410c400

SHA1
c93dae186bb23e7fc052b6cbc4626c58bc0f60a5

SHA256
c4c2bb97d9abf6e224897855a0f6699d8f886ca816811ea5bfeb8e71d72b7d4f

SHA512
9cd119d3f55a172036fd625738c3ebcd45b534255da36c208b594605eca32a58470ea4d0493026d160e062806d015cd878c44521e2450247eb5a8ae203a8fe6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\x86\SQLite.Interop.dll

Filesize
792KB

MD5
9b19dcee960dc215e64b1d82348707a9

SHA1
9c1e0f76673eb385787120e17404df179316ca2b

SHA256
3515f704b0012c01fc8be5b717905c0587b29255fc9eb7ad3f2b66a130691d38

SHA512
cc1304ab171feb2ac6df941f4b35aab8ce7b503f96b5539b366b39268cce8b21ea2fdbce16eff809a9a121a60a65ebbd0f59f75360800f541b9e5f93e729a55d

Download Submit
C:\Users\Admin\Downloads\NanoCore_Portable.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 27509.crdownload

Filesize
6.4MB

MD5
d8097b543928f1ae74e17ae06e941366

SHA1
639cbf9d926c767a850d349dc09d2947ddb50ab2

SHA256
59e59bdde6e394e14326f693cba8ab7604a20e7f3df9806f539844d499a701bc

SHA512
48a25a1799376f1d2b754ebb00203ffde7f28208debbbddcefa6f77b34d7ae95271f8894725aab546d254678954fb918c3cef87f8899b31121b5151c777d6ae0

Download Submit
C:\Users\Admin\Downloads\banananana.exe

Filesize
130KB

MD5
423cabe446d4237fdcbdf5feb49b8bdf

SHA1
df7ee92276dc72b05526310c109b9251482fed28

SHA256
b78d8e18706d3be968b34b0a26a9b068bb1d7684e186b669bf141e78a6401dbe

SHA512
6ff7854ab7198d448f017d2f40ca447ca0d45746df74c13fda999a5c134968aba5ce0a59ed5a16f8ccc88cac900c3f49e4149df432dbfb92dcb555c4048525d1

Download Submit