nanocore | hxxps://github[.]com/kat15/NANOCORE-RAT

Analysis

max time kernel
1352s
max time network
1141s
platform
windows10-2004_x64
resource
win10v2004-20250207-en
resource tags

arch:x64arch:x86image:win10v2004-20250207-enlocale:en-usos:windows10-2004-x64system
submitted
14-02-2025 00:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/kat15/NANOCORE-RAT

Score

10^/10

nanocore adware discovery keylogger persistence privilege_escalation spyware stealer trojan

Malware Config

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Nanocore family
nanocore

Boot or Logon Autostart Execution: Active Setup 2 TTPs 7 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\ = "Microsoft Edge"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\StubPath = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\Installer\\setup.exe\" --configure-user-settings --verbose-logging --system-level --msedge --channel=stable"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\Localized Name = "Microsoft Edge"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\IsInstalled = "1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\Version = "43,0,0,0"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components	setup.exe

Downloads MZ/PE file 1 IoCs

flow	pid	Process
75	4356	Process not Found

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 13 IoCs

pid	Process
1004	NanoCore.exe
2064	setup.exe
4120	setup.exe
436	setup.exe
3464	setup.exe
5088	setup.exe
1520	setup.exe
4764	setup.exe
5072	setup.exe
384	setup.exe
1172	setup.exe
2592	setup.exe
2420	setup.exe

Loads dropped DLL 13 IoCs

pid	Process
1004	NanoCore.exe
1004	NanoCore.exe
1004	NanoCore.exe
1004	NanoCore.exe
1004	NanoCore.exe
1004	NanoCore.exe
1004	NanoCore.exe
1004	NanoCore.exe
1004	NanoCore.exe
1004	NanoCore.exe
1004	NanoCore.exe
1004	NanoCore.exe
1004	NanoCore.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "IEToEdge BHO"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "IEToEdge BHO"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\NoExplorer = "1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\NoExplorer = "1"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	setup.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Microsoft Edge.lnk	setup.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\pt-PT.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\vcruntime140_1.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\133.0.3065.59\Locales\af.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\133.0.3065.59\Locales\ro.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\msedge.dll.sig	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Trust Protection Lists\Mu\Social	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\en-GB.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\msedgewebview2.exe.sig	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\133.0.3065.59\identity_proxy\win10\identity_helper.Sparse.Dev.msix	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Edge.dat	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\ko.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\BHO\ie_to_edge_stub.exe	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\cy.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\notification_helper.exe	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\delegatedWebFeatures.sccd	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\msedge_proxy.exe	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Installer\setup.exe	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\icudtl.dat	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\it.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\ms.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\ug.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\mip_protection_sdk.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\eventlog_provider.dll	setup.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\4423a49c-e985-46f3-9873-a368d6eab6af.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\edge_game_assist\EdgeGameAssist.msix	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Trust Protection Lists\Mu\Content	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\bg.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\fil.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Trust Protection Lists\Mu\LICENSE	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\vk_swiftshader.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\133.0.3065.59\Locales\lb.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Trust Protection Lists\Sigma\Social	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Trust Protection Lists\Sigma\Fingerprinting	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Edge.dat	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\WidevineCdm\_platform_specific\win_x64\widevinecdm.dll	setup.exe
File opened for modification	C:\Program Files\MsEdgeCrashpad\metadata	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Trust Protection Lists\Sigma\Entities	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\MEIPreload\preloaded_data.pb	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Trust Protection Lists\Mu\Analytics	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\133.0.3065.59\Trust Protection Lists\Sigma\Fingerprinting	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\AdSelectionAttestationsPreloaded\manifest.json	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\kok.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\mip_protection_sdk.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\VisualElements\Logo.png	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\or.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\133.0.3065.59\Locales\kok.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\VisualElements\SmallLogoDev.png	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\MEIPreload\preloaded_data.pb	setup.exe
File opened for modification	C:\Program Files\MsEdgeCrashpad\settings.dat	setup.exe
File opened for modification	C:\Program Files\MsEdgeCrashpad\throttle_store.dat	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Trust Protection Lists\Sigma\Other	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Trust Protection Lists\Mu\TransparentAdvertisers	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\de.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\133.0.3065.59\Edge.dat	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\gl.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\edge_game_assist\VERSION	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\EdgeWebView.dat	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\mk.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\webview2_integration.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\learning_tools.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\ca.pak	setup.exe
File opened for modification	C:\Program Files\MsEdgeCrashpad\settings.dat	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Trust Protection Lists\Mu\Entities	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\lo.pak	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NanoCore_Portable.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mode.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NanoCore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1448	MicrosoftEdgeUpdate.exe
4228	MicrosoftEdgeUpdate.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
4220	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 26 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\Policy = "3"	setup.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\microsoft-edge	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EdgeIntegration	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EdgeIntegration\AdapterLocations	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	wwahost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\EnterpriseMode\MSEdgePath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppName = "ie_to_edge_stub.exe"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\ = "IEToEdge Handler"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppName = "ie_to_edge_stub.exe"	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Software\Microsoft\Internet Explorer\GPU	wwahost.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ProtocolExecute	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ProtocolExecute\microsoft-edge	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\Policy = "3"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppPath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\BHO"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\ = "IEToEdge Handler"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppPath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\BHO"	setup.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\EdgeIntegration\AdapterLocations\C:\Program Files (x86)\Microsoft\Edge\Application = "1"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main\EnterpriseMode	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}	setup.exe

Modifies data under HKEY_USERS 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133839658609626213"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge	setup.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge\InstallerPinned = "0"	setup.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}\TypeLib\Version = "1.0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\InprocServer32\ThreadingModel = "Apartment"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/pdf	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MSEdgeHTM\shell\runas	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeMHT\Application\ApplicationName = "Microsoft Edge"	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Explorer	wwahost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0\MRUListEx = 00000000ffffffff	NanoCore.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{C9C2B807-7731-4F34-81B7-44FF7779522B}	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0	NanoCore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\Programmable\	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\TypeLib\	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.xhtml\OpenWithProgIds\MSEdgeHTM	setup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	NanoCore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0000000001000000ffffffff	NanoCore.exe
Key created	\REGISTRY\MACHINE\Software\Classes\AppID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5}	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{1FCBE96C-1697-43AF-9140-2897C7C69767}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\Implemented Categories	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MSEdgePDF\shell	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.html	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.xml	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	NanoCore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "IEToEdge BHO"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MSEdgePDF\DefaultIcon	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Settings\Cache\Cookies	wwahost.exe
Key created	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Explorer\EdpDomStorage	wwahost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\MRUListEx = ffffffff	NanoCore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5}\LoadUserSettings = "1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\Application\ApplicationCompany = "Microsoft Corporation"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeMHT\Application\AppUserModelId = "MSEdge"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeMHT\Application\ApplicationCompany = "Microsoft Corporation"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.shtml\OpenWithProgids\MSEdgeHTM	setup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0 = 5600310000000000475aad8312004170704461746100400009000400efbe475aad834e5a30022e00000063e10100000001000000000000000000000000000000ceffa4004100700070004400610074006100000016000000	NanoCore.exe
Key created	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg	NanoCore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO\CLSID\	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\AppID = "{6d2b5079-2f0b-48dd-ab7f-97cec514d30b}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.webp\OpenWithProgids\MSEdgeHTM	setup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0\0\MRUListEx = 00000000ffffffff	NanoCore.exe
Key created	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	NanoCore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	NanoCore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\Implemented Categories\	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\DisplayName = "PDF Preview Handler"	setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	NanoCore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	NanoCore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO\	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/pdf\Extension = ".pdf"	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	NanoCore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	NanoCore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	NanoCore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	NanoCore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	NanoCore.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\ = "Microsoft Edge HTML Document"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MSEdgeMHT\shell\open	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MSEdgeMHT\Application	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.mhtml\OpenWithProgids	setup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0\0\0\MRUListEx = ffffffff	NanoCore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\ = "PDF Preview Handler"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\DisplayName = "PDF Preview Handler"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.html\OpenWithProgids	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Settings\Cache\Content	wwahost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2500	chrome.exe
2500	chrome.exe
5088	setup.exe
5088	setup.exe
4632	LocalBridge.exe
4632	LocalBridge.exe
4632	LocalBridge.exe
4632	LocalBridge.exe
4632	LocalBridge.exe
4632	LocalBridge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1004	NanoCore.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
2712	chrome.exe
2712	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeCreatePagefilePrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeCreatePagefilePrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeCreatePagefilePrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeCreatePagefilePrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeCreatePagefilePrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeCreatePagefilePrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeCreatePagefilePrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeCreatePagefilePrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeCreatePagefilePrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeCreatePagefilePrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeCreatePagefilePrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeCreatePagefilePrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeCreatePagefilePrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeCreatePagefilePrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeCreatePagefilePrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeCreatePagefilePrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeCreatePagefilePrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeCreatePagefilePrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeCreatePagefilePrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeCreatePagefilePrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeCreatePagefilePrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeCreatePagefilePrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeCreatePagefilePrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeCreatePagefilePrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeCreatePagefilePrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeCreatePagefilePrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeCreatePagefilePrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeCreatePagefilePrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeCreatePagefilePrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeCreatePagefilePrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeCreatePagefilePrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeCreatePagefilePrivilege	2712	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe
2712	chrome.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
1004	NanoCore.exe
1004	NanoCore.exe
4740	wwahost.exe
1004	NanoCore.exe
1004	NanoCore.exe
1004	NanoCore.exe
1004	NanoCore.exe
1004	NanoCore.exe
1004	NanoCore.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2712 wrote to memory of 4080	2712	chrome.exe	86
PID 2712 wrote to memory of 4080	2712	chrome.exe	86
PID 2712 wrote to memory of 1708	2712	chrome.exe	87
PID 2712 wrote to memory of 1708	2712	chrome.exe	87
PID 2712 wrote to memory of 1708	2712	chrome.exe	87
PID 2712 wrote to memory of 1708	2712	chrome.exe	87
PID 2712 wrote to memory of 1708	2712	chrome.exe	87
PID 2712 wrote to memory of 1708	2712	chrome.exe	87
PID 2712 wrote to memory of 1708	2712	chrome.exe	87
PID 2712 wrote to memory of 1708	2712	chrome.exe	87
PID 2712 wrote to memory of 1708	2712	chrome.exe	87
PID 2712 wrote to memory of 1708	2712	chrome.exe	87
PID 2712 wrote to memory of 1708	2712	chrome.exe	87
PID 2712 wrote to memory of 1708	2712	chrome.exe	87
PID 2712 wrote to memory of 1708	2712	chrome.exe	87
PID 2712 wrote to memory of 1708	2712	chrome.exe	87
PID 2712 wrote to memory of 1708	2712	chrome.exe	87
PID 2712 wrote to memory of 1708	2712	chrome.exe	87
PID 2712 wrote to memory of 1708	2712	chrome.exe	87
PID 2712 wrote to memory of 1708	2712	chrome.exe	87
PID 2712 wrote to memory of 1708	2712	chrome.exe	87
PID 2712 wrote to memory of 1708	2712	chrome.exe	87
PID 2712 wrote to memory of 1708	2712	chrome.exe	87
PID 2712 wrote to memory of 1708	2712	chrome.exe	87
PID 2712 wrote to memory of 1708	2712	chrome.exe	87
PID 2712 wrote to memory of 1708	2712	chrome.exe	87
PID 2712 wrote to memory of 1708	2712	chrome.exe	87
PID 2712 wrote to memory of 1708	2712	chrome.exe	87
PID 2712 wrote to memory of 1708	2712	chrome.exe	87
PID 2712 wrote to memory of 1708	2712	chrome.exe	87
PID 2712 wrote to memory of 1708	2712	chrome.exe	87
PID 2712 wrote to memory of 1708	2712	chrome.exe	87
PID 2712 wrote to memory of 4396	2712	chrome.exe	88
PID 2712 wrote to memory of 4396	2712	chrome.exe	88
PID 2712 wrote to memory of 540	2712	chrome.exe	89
PID 2712 wrote to memory of 540	2712	chrome.exe	89
PID 2712 wrote to memory of 540	2712	chrome.exe	89
PID 2712 wrote to memory of 540	2712	chrome.exe	89
PID 2712 wrote to memory of 540	2712	chrome.exe	89
PID 2712 wrote to memory of 540	2712	chrome.exe	89
PID 2712 wrote to memory of 540	2712	chrome.exe	89
PID 2712 wrote to memory of 540	2712	chrome.exe	89
PID 2712 wrote to memory of 540	2712	chrome.exe	89
PID 2712 wrote to memory of 540	2712	chrome.exe	89
PID 2712 wrote to memory of 540	2712	chrome.exe	89
PID 2712 wrote to memory of 540	2712	chrome.exe	89
PID 2712 wrote to memory of 540	2712	chrome.exe	89
PID 2712 wrote to memory of 540	2712	chrome.exe	89
PID 2712 wrote to memory of 540	2712	chrome.exe	89
PID 2712 wrote to memory of 540	2712	chrome.exe	89
PID 2712 wrote to memory of 540	2712	chrome.exe	89
PID 2712 wrote to memory of 540	2712	chrome.exe	89
PID 2712 wrote to memory of 540	2712	chrome.exe	89
PID 2712 wrote to memory of 540	2712	chrome.exe	89
PID 2712 wrote to memory of 540	2712	chrome.exe	89
PID 2712 wrote to memory of 540	2712	chrome.exe	89
PID 2712 wrote to memory of 540	2712	chrome.exe	89
PID 2712 wrote to memory of 540	2712	chrome.exe	89
PID 2712 wrote to memory of 540	2712	chrome.exe	89
PID 2712 wrote to memory of 540	2712	chrome.exe	89
PID 2712 wrote to memory of 540	2712	chrome.exe	89
PID 2712 wrote to memory of 540	2712	chrome.exe	89
PID 2712 wrote to memory of 540	2712	chrome.exe	89
PID 2712 wrote to memory of 540	2712	chrome.exe	89

System policy modification 1 TTPs 4 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} = "1"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\	setup.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/kat15/NANOCORE-RAT
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xdc,0xe0,0x100,0xd4,0x104,0x7ffff3c7cc40,0x7ffff3c7cc4c,0x7ffff3c7cc58
  2⤵
  PID:4080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1864,i,13201066399723249562,11317939226998661537,262144 --variations-seed-version=20250207-050113.109000 --mojo-platform-channel-handle=1860 /prefetch:2
  2⤵
  PID:1708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1500,i,13201066399723249562,11317939226998661537,262144 --variations-seed-version=20250207-050113.109000 --mojo-platform-channel-handle=2224 /prefetch:3
  2⤵
  PID:4396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2268,i,13201066399723249562,11317939226998661537,262144 --variations-seed-version=20250207-050113.109000 --mojo-platform-channel-handle=2456 /prefetch:8
  2⤵
  PID:540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3116,i,13201066399723249562,11317939226998661537,262144 --variations-seed-version=20250207-050113.109000 --mojo-platform-channel-handle=3152 /prefetch:1
  2⤵
  PID:4664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3144,i,13201066399723249562,11317939226998661537,262144 --variations-seed-version=20250207-050113.109000 --mojo-platform-channel-handle=3184 /prefetch:1
  2⤵
  PID:5008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5060,i,13201066399723249562,11317939226998661537,262144 --variations-seed-version=20250207-050113.109000 --mojo-platform-channel-handle=5068 /prefetch:8
  2⤵
  PID:1556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5844,i,13201066399723249562,11317939226998661537,262144 --variations-seed-version=20250207-050113.109000 --mojo-platform-channel-handle=5832 /prefetch:8
  2⤵
  PID:4064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5840,i,13201066399723249562,11317939226998661537,262144 --variations-seed-version=20250207-050113.109000 --mojo-platform-channel-handle=5828 /prefetch:8
  2⤵
  PID:2036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4996,i,13201066399723249562,11317939226998661537,262144 --variations-seed-version=20250207-050113.109000 --mojo-platform-channel-handle=1044 /prefetch:8
  2⤵
  PID:2900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5264,i,13201066399723249562,11317939226998661537,262144 --variations-seed-version=20250207-050113.109000 --mojo-platform-channel-handle=5976 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2500

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2656

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3784

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MDUxNDZBNTktNjNFQS00QUM5LUI2N0UtNzRCQ0IxOUQ4MDZDfSIgdXNlcmlkPSJ7NjE5NkNDNEUtODg0MS00QUY5LTg0NkUtRTg1NDM2NjQ4Q0RCfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7RkMyN0ZFMjMtRTM5Ny00Q0IyLUI5MDctNzVGODU2RTU4ODhBfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSI2IiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDY4ODkiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxOTM2NTgwOTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MDM1MjI0NzgxIi8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:4228

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2924

C:\Users\Admin\Desktop\NanoCore_Portable.exe
"C:\Users\Admin\Desktop\NanoCore_Portable.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:3168
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TempDel.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4348
- - C:\Windows\SysWOW64\mode.com
    mode 30,20
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1236
- - C:\Windows\SysWOW64\timeout.exe
    timeout /nobreak 10
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:4220
- - C:\Users\Admin\AppData\Local\Temp\NanoCore.exe
    "C:\Users\Admin\AppData\Local\Temp\NanoCore.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:1004

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9B0EC835-C41F-4C1B-83B0-EAC0357D29F5}\MicrosoftEdge_X64_133.0.3065.59.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9B0EC835-C41F-4C1B-83B0-EAC0357D29F5}\MicrosoftEdge_X64_133.0.3065.59.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
1⤵
PID:4548
- C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9B0EC835-C41F-4C1B-83B0-EAC0357D29F5}\EDGEMITMP_C467E.tmp\setup.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9B0EC835-C41F-4C1B-83B0-EAC0357D29F5}\EDGEMITMP_C467E.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9B0EC835-C41F-4C1B-83B0-EAC0357D29F5}\MicrosoftEdge_X64_133.0.3065.59.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - System policy modification
  PID:2064
- - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9B0EC835-C41F-4C1B-83B0-EAC0357D29F5}\EDGEMITMP_C467E.tmp\setup.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9B0EC835-C41F-4C1B-83B0-EAC0357D29F5}\EDGEMITMP_C467E.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9B0EC835-C41F-4C1B-83B0-EAC0357D29F5}\EDGEMITMP_C467E.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff6939d6a68,0x7ff6939d6a74,0x7ff6939d6a80
    3⤵
    - Executes dropped EXE
    PID:4120
- - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9B0EC835-C41F-4C1B-83B0-EAC0357D29F5}\EDGEMITMP_C467E.tmp\setup.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9B0EC835-C41F-4C1B-83B0-EAC0357D29F5}\EDGEMITMP_C467E.tmp\setup.exe" --msedge --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    PID:436
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9B0EC835-C41F-4C1B-83B0-EAC0357D29F5}\EDGEMITMP_C467E.tmp\setup.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9B0EC835-C41F-4C1B-83B0-EAC0357D29F5}\EDGEMITMP_C467E.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9B0EC835-C41F-4C1B-83B0-EAC0357D29F5}\EDGEMITMP_C467E.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff6939d6a68,0x7ff6939d6a74,0x7ff6939d6a80
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      PID:3464
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --msedge --channel=stable --register-package-identity --verbose-logging --system-level
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:5088
  - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff6cc376a68,0x7ff6cc376a74,0x7ff6cc376a80
      4⤵
      Executes dropped EXE
      PID:4764
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --msedge --channel=stable --remove-deprecated-packages --verbose-logging --system-level
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:1520
  - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff6cc376a68,0x7ff6cc376a74,0x7ff6cc376a80
      4⤵
      Executes dropped EXE
      PID:384
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --msedge --channel=stable --update-game-assist-package --verbose-logging --system-level
    3⤵
    - Executes dropped EXE
    PID:5072
  - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff6cc376a68,0x7ff6cc376a74,0x7ff6cc376a80
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      PID:1172

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k AppReadiness -p -s AppReadiness
1⤵
PID:3900

C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.exe
"C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.exe" /InvokerPRAID: Microsoft.MicrosoftOfficeHub prelaunch
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4632

C:\Windows\system32\wwahost.exe
"C:\Windows\system32\wwahost.exe" -ServerName:Microsoft.MicrosoftOfficeHub.wwa
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4740

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{ECDE1BFE-EC23-4328-A05C-88C17D01D4D4}\MicrosoftEdge_X64_133.0.3065.59_132.0.2957.140.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{ECDE1BFE-EC23-4328-A05C-88C17D01D4D4}\MicrosoftEdge_X64_133.0.3065.59_132.0.2957.140.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
1⤵
PID:2452
- C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{ECDE1BFE-EC23-4328-A05C-88C17D01D4D4}\EDGEMITMP_C7BE9.tmp\setup.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{ECDE1BFE-EC23-4328-A05C-88C17D01D4D4}\EDGEMITMP_C7BE9.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{ECDE1BFE-EC23-4328-A05C-88C17D01D4D4}\MicrosoftEdge_X64_133.0.3065.59_132.0.2957.140.exe" --previous-version="132.0.2957.140" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:2592
- - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{ECDE1BFE-EC23-4328-A05C-88C17D01D4D4}\EDGEMITMP_C7BE9.tmp\setup.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{ECDE1BFE-EC23-4328-A05C-88C17D01D4D4}\EDGEMITMP_C7BE9.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{ECDE1BFE-EC23-4328-A05C-88C17D01D4D4}\EDGEMITMP_C7BE9.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff74bfe6a68,0x7ff74bfe6a74,0x7ff74bfe6a80
    3⤵
    - Executes dropped EXE
    PID:2420

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MDUxNDZBNTktNjNFQS00QUM5LUI2N0UtNzRCQ0IxOUQ4MDZDfSIgdXNlcmlkPSJ7NjE5NkNDNEUtODg0MS00QUY5LTg0NkUtRTg1NDM2NjQ4Q0RCfSIgaW5zdGFsbHNvdXJjZT0ic2NoZWR1bGVyIiByZXF1ZXN0aWQ9Ins4QzhDMDdCQi03RUQ4LTQ4MDgtQTc3RS0xMDA5NTBDNDQ3MkN9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iMiIgcGh5c21lbW9yeT0iNCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7VlBRb1AxRitmcTE1d1J6aDFrUEw0UE1wV2g4T1JNQjVpenZyT0MvY2hqUT0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7RjNDNEZFMDAtRUZENS00MDNCLTk1NjktMzk4QTIwRjFCQTRBfSIgdmVyc2lvbj0iMS4zLjE5NS40MyIgbmV4dHZlcnNpb249IiIgbGFuZz0iIiBicmFuZD0iSU5CWCIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjYiIGNvaG9ydD0icnJmQDAuMTkiPjx1cGRhdGVjaGVjay8-PHBpbmcgcj0iNyIgcmQ9IjY2MTIiIHBpbmdfZnJlc2huZXNzPSJ7M0E3N0FFN0UtQkVEOC00RTA1LTg2ODgtRDUzQ0RGMDlCRkRCfSIvPjwvYXBwPjxhcHAgYXBwaWQ9Ins1NkVCMThGOC1CMDA4LTRDQkQtQjZEMi04Qzk3RkU3RTkwNjJ9IiB2ZXJzaW9uPSI5Mi4wLjkwMi42NyIgbmV4dHZlcnNpb249IjEzMy4wLjMwNjUuNTkiIGxhbmc9IiIgYnJhbmQ9IklOQlgiIGNsaWVudD0iIiBleHBlcmltZW50cz0iY29uc2VudD1mYWxzZSIgaW5zdGFsbGFnZT0iNiIgaXNfcGlubmVkX3N5c3RlbT0idHJ1ZSIgbGFzdF9sYXVuY2hfY291bnQ9IjEiIGxhc3RfbGF1bmNoX3RpbWU9IjEzMzgzNDIyMjk4NTI2MTgyMCI-PHVwZGF0ZWNoZWNrLz48ZXZlbnQgZXZlbnR0eXBlPSIxMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNTEwMjgyMzM4MCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjEzIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MTAyODIzMzgwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMTQiIGV2ZW50cmVzdWx0PSIwIiBlcnJvcmNvZGU9Ii0yMTQ3MDIzODM4IiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI2NTg3OTc0MTk4IiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIiBkb3dubG9hZGVyPSJkbyIgdXJsPSJodHRwOi8vbXNlZGdlLmIudGx1LmRsLmRlbGl2ZXJ5Lm1wLm1pY3Jvc29mdC5jb20vZmlsZXN0cmVhbWluZ3NlcnZpY2UvZmlsZXMvZmVkNTU4MDUtMmU4NS00MWQ4LWI0ZTMtNGVmNmI1ZWJmNjNhP1AxPTE3NDAwOTcwNzImYW1wO1AyPTQwNCZhbXA7UDM9MiZhbXA7UDQ9QTFyV2JUM3pXTUslMmZxZlFJSmgxNGxGZUM4U0olMmZLVGYyb2NBWHhRNnRQRFowZ3FXbU01RGRmTTdMJTJidWFrTkxaWW9sWWp4bHVEQk51V05Balh4VXN3RHclM2QlM2QiIHNlcnZlcl9pcF9oaW50PSIiIGNkbl9jaWQ9Ii0xIiBjZG5fY2NjPSIiIGNkbl9tc2VkZ2VfcmVmPSIiIGNkbl9henVyZV9yZWZfb3JpZ2luX3NoaWVsZD0iIiBjZG5fY2FjaGU9IiIgY2RuX3AzcD0iIiBkb3dubG9hZGVkPSIwIiB0b3RhbD0iMCIgZG93bmxvYWRfdGltZV9tcz0iMTkiLz48ZXZlbnQgZXZlbnR0eXBlPSIxNCIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNjU4Nzk3NDE5OCIgc291cmNlX3VybF9pbmRleD0iMCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIgZG93bmxvYWRlcj0iYml0cyIgdXJsPSJodHRwOi8vbXNlZGdlLmIudGx1LmRsLmRlbGl2ZXJ5Lm1wLm1pY3Jvc29mdC5jb20vZmlsZXN0cmVhbWluZ3NlcnZpY2UvZmlsZXMvZmVkNTU4MDUtMmU4NS00MWQ4LWI0ZTMtNGVmNmI1ZWJmNjNhP1AxPTE3NDAwOTcwNzImYW1wO1AyPTQwNCZhbXA7UDM9MiZhbXA7UDQ9QTFyV2JUM3pXTUslMmZxZlFJSmgxNGxGZUM4U0olMmZLVGYyb2NBWHhRNnRQRFowZ3FXbU01RGRmTTdMJTJidWFrTkxaWW9sWWp4bHVEQk51V05Balh4VXN3RHclM2QlM2QiIHNlcnZlcl9pcF9oaW50PSIiIGNkbl9jaWQ9Ii0xIiBjZG5fY2NjPSIiIGNkbl9tc2VkZ2VfcmVmPSIiIGNkbl9henVyZV9yZWZfb3JpZ2luX3NoaWVsZD0iIiBjZG5fY2FjaGU9IiIgY2RuX3AzcD0iIiBkb3dubG9hZGVkPSIxNzg2MDQwODgiIHRvdGFsPSIxNzg2MDQwODgiIGRvd25sb2FkX3RpbWVfbXM9IjE0MjE3MyIvPjxldmVudCBldmVudHR5cGU9IjE0IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI2NTg4MTMwNDY4IiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMTUiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjY2MTI5NzQyNDIiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIzIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIxOTY3NTciIHN5c3RlbV91cHRpbWVfdGlja3M9IjcyNzI5NzQ3NjAiIHNvdXJjZV91cmxfaW5kZXg9IjAiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiIHVwZGF0ZV9jaGVja190aW1lX21zPSI0MTYzIiBkb3dubG9hZF90aW1lX21zPSIxNDg1MzEiIGRvd25sb2FkZWQ9IjE3ODYwNDA4OCIgdG90YWw9IjE3ODYwNDA4OCIgcGFja2FnZV9jYWNoZV9yZXN1bHQ9IjAiIGluc3RhbGxfdGltZV9tcz0iNjYwMDAiLz48cGluZyBhY3RpdmU9IjEiIGE9IjciIHI9IjciIGFkPSI2NjEyIiByZD0iNjYxMiIgcGluZ19mcmVzaG5lc3M9Ins3MTNBQjhDMy05QkQ3LTQxMTAtOTlERi1ERTk4MjNFN0RGMTV9Ii8-PC9hcHA-PGFwcCBhcHBpZD0ie0YzMDE3MjI2LUZFMkEtNDI5NS04QkRGLTAwQzNBOUE3RTRDNX0iIHZlcnNpb249IjEzMi4wLjI5NTcuMTQwIiBuZXh0dmVyc2lvbj0iMTMzLjAuMzA2NS41OSIgbGFuZz0iIiBicmFuZD0iR0dMUyIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjYiIGluc3RhbGxkYXRlPSI2NjA4IiBjb2hvcnQ9InJyZkAwLjcwIj48dXBkYXRlY2hlY2svPjxldmVudCBldmVudHR5cGU9IjEyIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MTAyODIzMzgwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMTMiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjcyNzI5NzQ3NjAiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIxNCIgZXZlbnRyZXN1bHQ9IjAiIGVycm9yY29kZT0iLTIxNDcwMjM4MzgiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9Ijc3MTY2MDY4NDgiIHNvdXJjZV91cmxfaW5kZXg9IjAiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiIGRvd25sb2FkZXI9ImRvIiB1cmw9Imh0dHA6Ly9tc2VkZ2UuYi50bHUuZGwuZGVsaXZlcnkubXAubWljcm9zb2Z0LmNvbS9maWxlc3RyZWFtaW5nc2VydmljZS9maWxlcy9hNDcyZWNlYy1hZTY5LTQ0OWUtYjdhMi00ZTg2ZGZlZTU4YTk_UDE9MTc0MDA5NzA3NCZhbXA7UDI9NDA0JmFtcDtQMz0yJmFtcDtQND1qOSUyYm0lMmJmclo0Slc4VnAwdHVlRVJPcG44YWc5WTh3V01tNm9vRENCZGpGQUhIU1pvc1ZhWWw0SG85b0pxMWRZVW9rcWRIYlFYbFVGd1JvdEF2Q3kzVnclM2QlM2QiIHNlcnZlcl9pcF9oaW50PSIiIGNkbl9jaWQ9Ii0xIiBjZG5fY2NjPSIiIGNkbl9tc2VkZ2VfcmVmPSIiIGNkbl9henVyZV9yZWZfb3JpZ2luX3NoaWVsZD0iIiBjZG5fY2FjaGU9IiIgY2RuX3AzcD0iIiBkb3dubG9hZGVkPSIwIiB0b3RhbD0iMCIgZG93bmxvYWRfdGltZV9tcz0iMCIvPjxldmVudCBldmVudHR5cGU9IjE0IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI3NzE2NjA2ODQ4IiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIiBkb3dubG9hZGVyPSJiaXRzIiB1cmw9Imh0dHA6Ly9tc2VkZ2UuYi50bHUuZGwuZGVsaXZlcnkubXAubWljcm9zb2Z0LmNvbS9maWxlc3RyZWFtaW5nc2VydmljZS9maWxlcy9hNDcyZWNlYy1hZTY5LTQ0OWUtYjdhMi00ZTg2ZGZlZTU4YTk_UDE9MTc0MDA5NzA3NCZhbXA7UDI9NDA0JmFtcDtQMz0yJmFtcDtQND1qOSUyYm0lMmJmclo0Slc4VnAwdHVlRVJPcG44YWc5WTh3V01tNm9vRENCZGpGQUhIU1pvc1ZhWWw0SG85b0pxMWRZVW9rcWRIYlFYbFVGd1JvdEF2Q3kzVnclM2QlM2QiIHNlcnZlcl9pcF9oaW50PSIiIGNkbl9jaWQ9Ii0xIiBjZG5fY2NjPSIiIGNkbl9tc2VkZ2VfcmVmPSIiIGNkbl9henVyZV9yZWZfb3JpZ2luX3NoaWVsZD0iIiBjZG5fY2FjaGU9IiIgY2RuX3AzcD0iIiBkb3dubG9hZGVkPSI1ODQ5ODEyOCIgdG90YWw9IjU4NDk4MTI4IiBkb3dubG9hZF90aW1lX21zPSI0MzcwNyIvPjxldmVudCBldmVudHR5cGU9IjE0IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI3NzE2NjA2ODQ4IiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMTUiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9Ijc3MjQ4ODc2MTEiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIzIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIxOTY3NTciIHN5c3RlbV91cHRpbWVfdGlja3M9IjgyMzM3OTQxNjYiIHNvdXJjZV91cmxfaW5kZXg9IjAiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiIHVwZGF0ZV9jaGVja190aW1lX21zPSI0MTYzIiBkb3dubG9hZF90aW1lX21zPSI0NDM2MyIgZG93bmxvYWRlZD0iNTg0OTgxMjgiIHRvdGFsPSI1ODQ5ODEyOCIgcGFja2FnZV9jYWNoZV9yZXN1bHQ9IjAiIGluc3RhbGxfdGltZV9tcz0iNTA4OTEiLz48cGluZyByPSI3IiByZD0iNjYxMiIgcGluZ19mcmVzaG5lc3M9InsxMEY2MjI4QS0yOEQ4LTQ5OTUtQUYxRC1CMjJBQUQ0RUM1RTl9Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:1448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Browser Extensions

T1176

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Installer\setup.exe

Filesize
6.8MB

MD5
1b3e9c59f9c7a134ec630ada1eb76a39

SHA1
a7e831d392e99f3d37847dcc561dd2e017065439

SHA256
ce78ccfb0c9cdb06ea61116bc57e50690650b6b5cf37c1aebfb30c19458ee4ae

SHA512
c0e50410dc92d80ff7bc854907774fc551564e078a8d38ca6421f15cea50282c25efac4f357b52b066c4371f9b8d4900fa8122dd80ab06ecbd851c6e049f7a3e

Download Submit
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{ECDE1BFE-EC23-4328-A05C-88C17D01D4D4}\EDGEMITMP_C7BE9.tmp\SETUP.EX_

Filesize
2.7MB

MD5
1a59a8af3c58b30ff0fe71db2196b24b

SHA1
6b0e5ba36f4fc5328ec494272054a50cafa13e68

SHA256
ba25974b29a25cb7bc1f58a0990a8ce758354aa6ec5b8b8af210f2c1466ba49d

SHA512
f173fe15db8d7aeef4f6fa62a41246550ccee207e6388095a5f87036362d4c95da646e1a7c68764054556e024da80b749646425076e9bfac42fb77be8f2c0355

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
092da10c2bb1a41b70db506e1ca03bc9

SHA1
9c7dd7679a649a4f59617e4c55021ee29fe4512a

SHA256
7f94429d1c0513c4cff70cf505f06aafc98471b7a116b607d68af13dc7b35f6e

SHA512
a718699774a53c1d595c22c1f77ac25805e7221801c2acd886096b45c301a678103df674deb0b8b2ec7ac2964e4d870c75d3e80754b0e5ff63c113518c03d72b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
b0c5e30dbad7defc2870db918a752577

SHA1
7363c5edb913bc0f1a82b1c42a0a802244592d5c

SHA256
d58193243bafcb664c727aae1a1dc30bb2a54f638455bb5a5f3c92be1983e62e

SHA512
fa70282c47dd806eebcb5c7224542e533c3632bdd145d973363dfb989282e9fbbb68055bf8f86a22d51949dfa0607fc328e8980716fc2a7d9466a6ef0fea22c7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
a4dcabd7e6510ff4a9d47df8a0142532

SHA1
a9408f8d03f1d927498e8368d5f0d436508f3bce

SHA256
98d81081fbd9867532ae1d2aa0a07868064014873809844a10916c6ce3cf5c8d

SHA512
10131ba4e71f402d7a7b4c8e3d13fdf52ddb10e80e76c5034d316d453fb01fc17083244370ea84ef46819e903aebc4f4f57194eb69eb527b721a3f011447d38d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
49eda047f49e86cd4d80b28313dce8c9

SHA1
97bdb9b03f63593c7c3db7727118268619b89d3f

SHA256
c376909a7f4969856eefa7248b1a84c6b2be239003e6b62a127223a0d9545792

SHA512
0cc22371a3787e49ef12023f1f298ff3fa40607cd2a96e14335e3ea19932d6dbe662c66e87d2925aacf4c6a71160e83aaed2731c95f029aeb5c7b10d1baacd80

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
46bca3373dd31d0c99a4413fbb5a310b

SHA1
5d8104ed6b7c7e42fb7cc3278f5a75fcd70db90a

SHA256
019c82cb0467e67b45288f9dc91cd45e7bbf04eac3892b00f13e0c25c463aaa5

SHA512
6a9d6313bfac80083f2f93fd4b0061808690878a8d30830abae65acafbbe5120d729b67e19befcb942d6fea8b9f29be2c43b36f321ecda2609081fec98ab6f66

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
e1e69aa8c054cb08888963004a3343f9

SHA1
4e3e64080cea1f5ffd7369cc61779858078e14a0

SHA256
226045d3e10b7992826e67d951b278075e7c96077026729b72629d2426e3fd78

SHA512
61eebb69d160c9193b253da0c5db720b87506c60da81de1d756834bc3a82bef8efcbdf4970cc36b7a7d313ed7568ee85d9f6366b96b299a2b0494b65277ef94a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
bfc75d87598c67cc5c1768558ad4d1d1

SHA1
a50c3eb49f3cd7bc6e0fc680aa17d737e1b5a591

SHA256
f68b9a6bb8acd6f889bba4b0baf7cf1b70ea55ee3e552de48811c5038690a999

SHA512
819ee37ed2a51e87d78c865be7b56daa058d3789fd71503caf468d9712addc82e92ff6ba07227ddccd34b455363e85242f8dd308ce3728f1750406d82a94d716

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
fcd5833218477a410da762d82b916890

SHA1
6d7d6cb5ecad8b850d4eb45322367b50767b05e4

SHA256
c8d4dc412b14d6b946e482ee50ca61b9b0df2678d55ba1129de5b8f44925c1e9

SHA512
524c34a6b002e52e473f31ea413f00f3873c2f54c9d10a73bdccbd527d95210b4a46191f48bf16fcef433e21f87e01b79e2fd0a00d15cf7742379d5b1cc7e329

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
adcc19a87a47abf5edecaf4a1850311f

SHA1
312fcf5429e15a261047fd51330f4125212ad3b3

SHA256
d0aad08d1824f67d558a4c79fe796ef56f00a6054d152720ab7092baade69965

SHA512
49525f1e4d8ee59f977431d18cd96cd016175c907e571ec32ab3dfd83f91de213e72a34afdfe728ff14294927748f67bbb38f502bded2295997351c5f380fca8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a2f97ea2c7e33351b96ef631ad1caf5f

SHA1
fb3f50b60529118816db0e25b5bcab82e485b8a2

SHA256
d748d1e108ef74cd8b038d3c8f6722d82afa8679ff1cd2c7ee389b0b0bbe23d2

SHA512
ba05b4934de6ee8bf6f654f3e2a130d9ce02ee9f729d79db0854877b812b416c7f2bd1ee40ca4c43ead23bc829d21cad83a7f991ef68f372bd402a0abba4211b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
560e28dbc8dabd6df7f9a4c28f37c601

SHA1
f9d807ec6915347a0c7884a2d01b254de9dacf0d

SHA256
401fa4e7b14973df87be7b94f032c3525a0d3234f3127dfa81dd33747bcd397d

SHA512
f133cae090912cf9ea77bda1b66b6a34ad24f6a8310c148a6c4a2adc0a72c9916e9bf73b0a8f6f79eac9e42fc1ea983d9561d25c3d14f9608c8789f0d577d185

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0a5af908c2ee57c48c2a6bf95526342e

SHA1
d75289e2d89cb5e562ad609922f29cb54cc89f63

SHA256
6c46804bd67b95267f1acc77bf10170dbe8ad9fb653756b3af0f8911093c65ab

SHA512
032eca2204d903009d916374ab16a1ae82ad42b7f5e1b8e8ae00a6cc2bafb8fadb9dad1e5b4bbb68821c405634c9b5dd8c980bec988f23d657968cf005fc2a49

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d39ce12d1afa099c538801d76f74901a

SHA1
b1363d1d87c042129c8ba8759865a9a057ae02ed

SHA256
ecbd4bb45260c47f9c01174853001dc1c6350497b7df376f428441b585dba8ec

SHA512
b3a47540e67437448ef2ae3cd514d303ad2e53aacc063870327254d34d8467397a33eecf1d23fa9d5b26a9cdf5265eae7507f05133db51811c80f1cc177752ea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b29561fbff22f33c33180bd1f0f988b3

SHA1
2fd04ca4131ad8c6824bf9e483fee7bafc650a35

SHA256
541f2d45c656660e4f657eff33a7aa9711bbf924ad5e37ff35784eef97e763ba

SHA512
af59a8884e521c62ca8c9b43e8ec4dc84f6cb3c409db1a3536995eac4b8439fb0cf52fb207a7386bb319f02db82a3b0668870fdd1b630c3b4193894f10d840ee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4c1088975e63edaf56fbc872c0639ea9

SHA1
c6c98646fb92550e430bc7e828acebd0e3ed40b2

SHA256
f98758073e0ee0d1e73c343a13bd94d94a918632790b9fa1c324a1db0f647cf7

SHA512
ec7d754550160a41b258b6c0d17246e6be41225effc48acf4d596391ccb3462306234906a092f9254839ad2b45631926ba48eebfa70296c71d3ee1c335c72a2a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
da9fffcb7b02cf2fcd1b152d6d53428d

SHA1
bef3bdd921d1210880afc6ea95591c8c521d20b7

SHA256
1b26459e68a77a3f5a26cbedb1edc0e5f1ea0b22445e65433f1df2b07ebc06c8

SHA512
5e2ddb90532f40367e1596ac85f74ea6637a6478cd2556e979640ab8c6883ca0d0b7c2d3905a79d0feb4ba9ebae04e1be7e7b3bf8dc5b1d5d8b9909f3a22bb38

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
126KB

MD5
37256f93def106c9831e322677b59e11

SHA1
8808d683f6684e2fcabc2df3403e13ac40b0c27c

SHA256
f237b7ffbdae9d16c3c3d08ad6b030c3a4b92ed3b04e7db663a29b343a62fa97

SHA512
de1f818adfe07a3ff15edff05879e528c2efe33669280a8f03195b3ee1d38c1b5728f040943401dc4d785a0c95ff1b0906e5a573a050e2e460012d930032e971

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
126KB

MD5
f957316a57d59db5f0d947bdfa6181a6

SHA1
79736a56c26a90f092461cfa4abcea72ff73d36a

SHA256
9b62b0179148facb443cba37abc6b75e1f4d243be4a217a4bbbe8b555108ab18

SHA512
160f7696c99706bbae1acd8601da7abb33e26d16f2ad33be9b53244ee2e100e9ca49bdc2d3037fa9d8d9fbaa39c683eb414014822e4c8a4063cd2217243092ec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
126KB

MD5
de872c29a40bb2a9354a2a97b0465bcc

SHA1
e96d0d69adbde8878d345215c342ae66678fcbc1

SHA256
57ab69259d48bdf2e67d75f19f2e075862d3d3295489045021e503525cb9e495

SHA512
40235e2bbf0b89576d84307029a1ac28326fd70ef21b2c8416bcdde43d9d1b8f98b6c7aa235ee744774af1df79456a17ff8a936bbd709fccbd4bb67a7419cabc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
126KB

MD5
ab494f3db2f60b1bbc50cebd732a44ec

SHA1
9a7e5ea93d09f4fbae9ac592c47a462514ac5b84

SHA256
452bf170dced0635b05e729a4d8c28aae0e324ef5a926cc9cc747f0ffeaaefde

SHA512
f98d620d96733ffdb59cf9e6563ca1b1b30d037ef6e63b7100ddad02480eeb616662bdd746de7fb20393936ecc56362b8248f42b76cc8348ea6ceddf92cbc8a4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
155KB

MD5
fe74cd4da36f11739b1a3586c44bf824

SHA1
8dad85a0bd138e023716f6c308b442fac167baf6

SHA256
fe66e7d9dadd44a16a599af4a40a3a86154ee91254003708761fdb9a79c55c7f

SHA512
c24636e4accfdf2ecdf88c98fe0e24289dd0c4dfbc3f34f7103c3adb4c6b426de2fdd962da9cf5a14de8879e5befec607af0e23cf9c507dd1fb9d7b4c28a25d8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
126KB

MD5
18916ab1d11adda43695b7208c7718b9

SHA1
24ab6bd55aca2b40d1ec10a9eb22859a4be68e30

SHA256
d01d3307aff4c506c4661b54295b90ac26668d739cdad59b6e6c591c46b837d6

SHA512
78995e759010b875b57c1d45ef21ceed3531d714f16ac90b3a6d8ad1cdd6a0421061dc8836ea6336b811edae27b857c140c9d359c217160f57a9d014d56f72b3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\fa19a54e-e972-444a-bba5-cdbc297204f5.tmp

Filesize
134KB

MD5
68971cda5b96f4431b2477f919f00ca8

SHA1
574818272a8049f64628a8b2af40a3c290667cbe

SHA256
58817fc1531f7260e6785a24e237daa50f3fb389df30492500448943e9021171

SHA512
be3b7e4d928bae3502ee198ab5683878ca0e8951c6ef3637b898590fddbd4a27180cfc3eeb3e415cdd09ba297419886fb98615ff82870a5a71eade00f74f5827

Download Submit
C:\Users\Admin\AppData\Local\Temp\ClientPlugin.dll

Filesize
19KB

MD5
bdc8945f1d799c845408522e372d1dbd

SHA1
874b7c3c97cc5b13b9dd172fec5a54bc1f258005

SHA256
61e9d5c0727665e9ef3f328141397be47c65ed11ab621c644b5bbf1d67138403

SHA512
4fa0ed4ef66e4c442f5fc628e8bfc8a4f84cb213210643996d9387027edb619c054f6104ac889ae77cece09f0304f95d5f20e14d66847e2d382ef51eecec0962

Download Submit
C:\Users\Admin\AppData\Local\Temp\Databases\core.sqlite

Filesize
3KB

MD5
3732df3263fbaa868bb866bcca1f402c

SHA1
f247dc7dfea7bcbb69116920d48af2dabf85b444

SHA256
716d9992711b5b17eca841836ba5a63db0a62251bd056a92db96deccfa887b41

SHA512
bb99cfe2be9488c6d7e57991b2bbc4e593ade8c8d2c79e4b7056ec5be60fd5e0b88467f65dca71c269540b800f0c3319e4e849e7e77069a6e9b1b89a2d4807fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Databases\main.sqlite

Filesize
15KB

MD5
ea522fc387e8e1c1c65e946c9118e2c7

SHA1
0d3fe3c0f59b651f4b9210ec4d7324e7686b5a21

SHA256
ae429dbfca9416cfc6832aed1190fa7b9eb90127328136a249de024349fd3b3b

SHA512
52161556c3d3a1e12fe8de217aab806ac8e8e47135d57f057c257d16576ec08b13bc37aeb7f7234042d89d6deb594a635e0764675f4e04f7abb94836fac1d921

Download Submit
C:\Users\Admin\AppData\Local\Temp\NanoCore.exe

Filesize
1.4MB

MD5
1728acc244115cbafd3b810277d2e321

SHA1
be64732f46c8a26a5bbf9d7f69c7f031b2c5180b

SHA256
ec359f50ca15395f273899c0ff7c0cd87ab5c2e23fdcfc6c72fedc0097161d4b

SHA512
8c59fdd29181f28e5698de78adf63934632e644a87088400f1b7ab1653622e4bc3a4145094601211a2db4bcbd04ea5f1ac44129907fbb727fe24a1f3652c7034

Download Submit
C:\Users\Admin\AppData\Local\Temp\Plugins\AIO.ncp

Filesize
17KB

MD5
60c274ccb344da9e3d77449f6068d253

SHA1
ab25eddf3ddb61ef52104a01e5c9b8a23451c764

SHA256
0a59aaee013c57f3b6190d683160d88ca1c5868565cbf5acbb7b17d3e925c602

SHA512
9600d852b56557f31a5a18a6aa2cb76cf4fabf36ae32bbeccf82677f64737542234e2fb06ac8d917f9839120320b7db212d76e8dea24445f13096d86a474b9c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Plugins\CorePlugin.ncp

Filesize
119KB

MD5
7914e7302f72d330aa5f6c5c8c26df43

SHA1
8c411f3fe5297a78cb018539b44df87c0a51606a

SHA256
f66985518b1e56a04f512d110f5b79f21ed91cbcbf6bd3e17eba3dcdfb85f9b5

SHA512
8959843f282162ff0c59d890d04012c4f62dc36058aa7095d708a97a34313082cd4ca5ea5df5623cd2d6b8b91c527297168cab08ec59c1ec48fafac5983ad012

Download Submit
C:\Users\Admin\AppData\Local\Temp\Plugins\DucPlugin.ncp

Filesize
73KB

MD5
5eca68a8368e0e144b7016e30b85515c

SHA1
0ba48b49974156e5746958aeeb1c2a26c916b3be

SHA256
e2ce89b3e68b003cb27e2c5652ccba073c8938bef194e51830539b2464a3f676

SHA512
ea1d1363fb072a5c646ce070184855588124be42392dc492ce86c88fe93eae78e23f5de4f2df75fb5b0e8d67bf08ff192dd163ed3c62a1ccfb0b8436ae1df644

Download Submit
C:\Users\Admin\AppData\Local\Temp\Plugins\ManagementPlugin.ncp

Filesize
300KB

MD5
b612c2c9a6d361a5db14c04ba126119c

SHA1
d2b29e235b0f45242088b78313438bdfd51209dc

SHA256
b86fe4e126a9748a383a34d615b9598c715f2380c0aad957495c66923902026c

SHA512
194d4688935235f3ca686868c9ff53c7945d4e076d4a51fdcbc254bfa1461494766480794c65715bce314256c7cc5268bd6547c937984d3010f54f5a3db4ba9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Plugins\MiscTools.ncp

Filesize
66KB

MD5
78e3006fc6468eb7dfc7761072b84ac6

SHA1
e46cae768d2754f48a29b7e424a9bddf0d67bcd8

SHA256
3a3a3b105eefb45e3b70cc1592e484df02df7020d5154e8c2e5d7d439e295e46

SHA512
0daa1cc9ddae70f442ee5eed784523dc1378b9d095edfaec1df95e02f00d09b461d60ee180f716f7ba755543ef7b0c87d791a454cf254dde0033b8615b2841e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Plugins\MultiCore.ncp

Filesize
236KB

MD5
becb82e1e914e906be158e3f9dd658ac

SHA1
725d3d658680ca8dcb610d998db4b28733b5ee52

SHA256
5494adf651fc64e3aa6c08e38165d8dbfec52056cdf4fadae90b76b0e6816a33

SHA512
1d67e7d5686ea225262501afb572bec23e35bbd33c660a57e84b9cad7adfadbe457b128af0059ac705d53c6b65798f5525fe4ed3c16537b0c085414cdca74174

Download Submit
C:\Users\Admin\AppData\Local\Temp\Plugins\NanoBlack.ncp

Filesize
107KB

MD5
794ab16c092ebf2b1d812d6cce158537

SHA1
6dd9edd26b50265d5af4642f9d1f1f8703a44805

SHA256
7919b7998d6b359d7cb700018dc2d69ff6ffb45bd01c9c190b98fb4c9ff4beab

SHA512
e639bb0f7d309344c45ddff3d7f91212b3c6a9db6970d06db35f6bac228b389ed8c32dbda75ae23ad1359bb60f678b0b891caa3ed07245aaad21dcb3ea4a5347

Download Submit
C:\Users\Admin\AppData\Local\Temp\Plugins\NanoBrowser.ncp

Filesize
102KB

MD5
8b13fdc96af0a84c152f5a601dcc6b06

SHA1
1250db70fda8a2c32f37bbdc5638074c6dc171a7

SHA256
997c41b05150480bcfae9abb3132fc807f6c6b511b810b554fdb5aedf89f5db0

SHA512
536d4e1b9e7c95ebac762d0a438106a5409c69e990940d3411709364783f957015d4a5dc0651b33591e37dcda8549e689a87b853e32f3ad065391a2d8190a552

Download Submit
C:\Users\Admin\AppData\Local\Temp\Plugins\NanoCoreSwiss.ncp

Filesize
49KB

MD5
fcb5afd01e75aca8ed9fbd35a46e54f3

SHA1
94b69f8612d31fc0698089d5e08aea1cafea52e7

SHA256
bf0386f6e9b4a35fefe5fe917e2be7c64867efe24521f18e4567f8af5f6dd5e5

SHA512
b587dd23eaea6de486c30864908f8603451c459153cd21b86a5e43bb9c2cca7cbc015daf620808fad76a4d56bbc4e57e127059c8e73be6c85bf958781c1343fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Plugins\NanoNana.ncp

Filesize
157KB

MD5
c5d40b767bd6b97f88ccce13956d0ad8

SHA1
ef7f7fdd9d5ea0b55ffbb17c171ee6a46b347100

SHA256
a3c39444ac74bb91f14f3f2ae6918d9b1d368268e137aca310450fefbc8983aa

SHA512
3fcb5a6afdc7de59bac645d8b4dc6368b0405a51985ff86c95fc8cd579bd59bc423cab940dc0ab3de9a0cd0d9e04dad82e380ef18030330d72b2e72936a95ee1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Plugins\NanoProtectPlugin.ncp

Filesize
179KB

MD5
e51af633e5f5f4a817a54773fb90d337

SHA1
0cb8a7965f9f042954b1f318ea1026b76e12f8e0

SHA256
b37602dbb924bb94df0d9745d13fcace8a6642397fb738fbe02a88f667f3ab66

SHA512
6454305121597073d4ea2b8f57a4bb4a4fe7fafbd05336c91265534faea5a5cdec7504c1329ea0c8cb344a4f32d59c60af5348dfd89375876ae95ee2c15f0c14

Download Submit
C:\Users\Admin\AppData\Local\Temp\Plugins\NanoStress.ncp

Filesize
117KB

MD5
ba6f59df971d6db7a8951edbd5d6691b

SHA1
ed766de1fb4ab0889b3fbc8127f1393eb3cddc15

SHA256
6b33a572e019266749a3e04966e2c57822e247c5197f6f9bd6a4bb8792633581

SHA512
bbd50d7cb2b2799055b8864da3d3d6037bbac41312ce8582c4627611ef856ae38ecff67dc4223e236d1b555bf02a7c0c7284a76ab90007621a2f2997b6bc5dd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Plugins\NetworkPlugin.ncp

Filesize
319KB

MD5
70e5b02349742a550fbfcfb5bb78c906

SHA1
2319b68398af74fe08b6a3a7d6943cf700240a4e

SHA256
160030b8444b6fa86775a11d1be35df6a75252070fc5661055884d3f8b07296d

SHA512
bbb5d2fd6eff637da303a4ab2fdb02f781619ffe25c5795c5b9e514214227717771a98ce6c3becc87b29c15303ac4373ee3847060ad5755a2455362e6e26932b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Plugins\SecurityPlugin.ncp

Filesize
74KB

MD5
44bd68199bb393d0eeb7ae83b56d9b9f

SHA1
c6cfa069a17ace16c651a11945bd54f4ca6193d1

SHA256
25b1b0836838740d394cd35eaefc660e9eabeb611a701a451eb1119f6427fc12

SHA512
a02b82e40f66dc925de3324c03e8a0a497bfdb6ed44549001efbf86f2e5381aaf9259978908cce9ecc7798f083d3691f007b207ea301a9dc73f2430662146bb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Plugins\SurveillanceExPlugin.ncp

Filesize
423KB

MD5
195fbe66986564288c3285935fe87b27

SHA1
2fe84fbbf109b3e4c7c63b414689021ba847b568

SHA256
a2ce9ed783b26d01d58e07b9c97bcfecace9ced72960cf3ecf471fbd008afbae

SHA512
552161e555d07fdf7062a4c0d3738819b13ad4c9a5c54f09db48dccf6faf49b014eb043037500abdac7af0210ed118c5232d8d54be367d8a4caccfae7904332e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Plugins\SurveillancePlugin.ncp

Filesize
352KB

MD5
ed3edf12bac989d1dd6edf7146feb805

SHA1
776a667bf2341b43e199c3601856ac223b86d221

SHA256
3301f9fd4700458a18589956fd2bb6e5101b15c14f52d5e079ae1c3a008da040

SHA512
e6873a5d1caada8954907bdb3120aa2c60a4137fb9d04abdbb74ade58f35ada1ff87a447cf6a35f5798dbd0e1e0ed813d62e34d98de8d6402b6432746aa80413

Download Submit
C:\Users\Admin\AppData\Local\Temp\Plugins\ToolsPlugin.ncp

Filesize
130KB

MD5
699eb468e7d6bee9c429923b5b477545

SHA1
80bc420c3e441c9b9c3813ac05ea9e168cca1e3a

SHA256
d753bc28d842e44ffbf6cf99314febe5ed7759b25a74ca34a47fdd153bf2a6ab

SHA512
5d82a98e918ea3eb024dbb7552e5cdecc317b49635a5789029e7a0035d2f0cb2a3c47ef53e603217afd17d6f59fc78a918e2e5f70266119c619e41b3b647aac9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Plugins\VisibleMode1.1.ncp

Filesize
49KB

MD5
37c2ef6e5214600396ee87c4168a5664

SHA1
69b6e1f612f5a3435fab05074cffd3ebd1c232fa

SHA256
4a8d45e13a38c502a3109d2ea17a81905fb9eabbf643ae611b62f62ef11f09b2

SHA512
667ad370f48470d60dbd437b0601eb05de421ab59b281adcf9c6f54b9c6fd272d3aa34c35e7e6df889771dc5fbdfa9bc683a4bf156727827595edf6eb2fe8cab

Download Submit
C:\Users\Admin\AppData\Local\Temp\Resources\ContextIcons\arrow_refresh.png

Filesize
674B

MD5
9b1a30ac871af0684baa0e4e76911d48

SHA1
c1bf620aa2e493ed63d96729842c650b62c26ab3

SHA256
6141eaf716680ef3030c0db1252bb39bf3145e4a17225d787808c7731ba9358d

SHA512
22c6a8d27ed029cde7812b5cc0442c8e6733fa00f1f62506f6f94cec48026709e0c444fb72dd123b37182c791bb9358d00cac899bd65480c9d05d4b8ce80758d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Resources\ContextIcons\computer.png

Filesize
715B

MD5
c0dc4d56147b86b211c7419f727be0a3

SHA1
71740927a6e212b9caaf30a04eba86ad549bf63c

SHA256
b0b606f3f84b5e1f8c7f8558dd3f092adce374f5c810613845276d47a6401d58

SHA512
a1e89366800e611979fe693cc1a87d75d3e0e9629523b2d19a222b87a4f80e813319f861fd972cb861cf227de272d701f7bac508fb48c8f2d025485fe8b75a97

Download Submit
C:\Users\Admin\AppData\Local\Temp\Resources\ContextIcons\disconnect.png

Filesize
661B

MD5
560aa223ee6d663270b49df9fee84d7a

SHA1
5e177aa1e3180cccc15fc81bce5d23ae32ddef6e

SHA256
d79ca587e71fa6dc2fe27b2fb678b84b01b0509a1956ee8bd852417e860d5fa7

SHA512
7a2295769cd2ed15ad9491afda427a7584fe206fe1158caf01d5d229d7d223820b92fe6b804ed0a5681f0cfd25ba3a2a7280b4180a985c0ba67cd3eca2c37487

Download Submit
C:\Users\Admin\AppData\Local\Temp\Resources\ListIcons\flag_aq.png

Filesize
351B

MD5
b841c2ebdca6bb23c15c98da4aa671d7

SHA1
42f562132fe6e9a5029247a2b9666395dd5ad9b0

SHA256
b668f1a313e57c97a5abd0212631ea6211aace15b10f1ca82484f23f7d6924b5

SHA512
e093c2c454e8ceb318df0629f5f7e8494213e69caef640dd4554f3c250029e8a06b4c5add9c13e457f901c3d328738b66db524a8404617e486fd8c564dd04c90

Download Submit
C:\Users\Admin\AppData\Local\Temp\Resources\ListIcons\flag_cx.png

Filesize
626B

MD5
fbf02dad6f60392ce777d006d5762248

SHA1
f9d95e6e5e25b83953e4f898bf99636d85511709

SHA256
45203a04468ff78fb3434f46799ca630172e04f97c566f8e143539a80c48bfc5

SHA512
9f5b7b5399cb7c8b41cda202eac5a344524f135fd2e32a5f312917c7684ee13a94976984154355297bb31fd06435efe91456e189bb5f1c9d6010dfad01415b4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Resources\ListIcons\flag_gp.png

Filesize
546B

MD5
5ac0d15234533136bf6ec230686a4aa5

SHA1
2f208a8baf30d13aa23382d3821cc73c4aa466f0

SHA256
5cceb033c0262b5905f88d5905777471e9f1b0b0d9cb857f2361e88ada73610d

SHA512
d6215183f13e36a268b849056fe1479ebd36eab4b6f175cbdd3a4ecd4ba4df7734189a2f9e9d69ee344ca63baf2c9ef10f62663cc721e9c9c59775d5e84e2268

Download Submit
C:\Users\Admin\AppData\Local\Temp\Resources\ListIcons\flag_sj.png

Filesize
562B

MD5
4f82c2e83eab05d2bd9baaeff6c81a96

SHA1
e1cd3981d14653bf5df976ece649120134e88546

SHA256
15493361692068154ac1b1baf8878c179b353996dcda4d63e0322ea37f998f9b

SHA512
b69030fffb689094952eb472b272e1d18b40d0f11e3bba647c9b01226ccf072d276cc31ce3a1ffcbc84c5de82bedfe7fc2466fb060ff50e528f7c258179e626d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Resources\TabIcons\builder.png

Filesize
303B

MD5
d2d498dc06990b948ef42c479c4c1f94

SHA1
eb380e6d156f5cc2ab28baa5add2ba8acda088b3

SHA256
ce8e344d1975972fa3f1b54383ab01cf522217e83b4e01f5c5b8563641bf6550

SHA512
fd9f99b7489507d8208432847085507e5d1823f1eed5d3c7e644c59bc5e5b36d8705d4add01a0c291240029458b25d72894fc05efede8b795bb6872e1e5f9ef9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Resources\TabIcons\clients.png

Filesize
462B

MD5
0331dbac2291c05d567461b58654d350

SHA1
1f89cdf7199983e788fd1f22b873ab9b0500952d

SHA256
8d1339e002540de132326aeb1d17c66a9a60b0af7e3daca9bc40df17e9c96542

SHA512
2d12a85226a21670c49038e4347b39227b8d8bca07b8eb66f2adae0ccf1135270f5ba5f16a40bf526477c70c00c1ca572bfb973306e6eb8dd057600de38da161

Download Submit
C:\Users\Admin\AppData\Local\Temp\Resources\TabIcons\home.png

Filesize
343B

MD5
0a482ce7f891fe7a64118bbb34a34b9c

SHA1
2aba3c06942273aebc5e616602620e4b2526ebe7

SHA256
76d3e6c51702b37227b73a4f84771e44d7c1a8551b4c1fdd90e341f03a805346

SHA512
0e900eff9109ac2f32137d9d18993a29ed6065299ef96554f2288128fe07d1e8db1a0dac29b39b0eb05bb8a9bdca5f083da8e25dec3c880ef155401fd649107b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Resources\TabIcons\network.png

Filesize
230B

MD5
48780574121d519661c2e0bc51b25b68

SHA1
89d8d5e42fbae3d95c8036c1738656b8e6343091

SHA256
28f4c682d85fb4ef531a71b7fed8f0d7ef548f1126da378aaf60349219a681d6

SHA512
7f0d9b6e18b812350b9d57439069ebb9140365830ea6fa247527f793cc58271ed7743c514d7488f026064b6d44afaf93717192bcff3ea8a3b501f2bf7718ff30

Download Submit
C:\Users\Admin\AppData\Local\Temp\Resources\TabIcons\system.png

Filesize
273B

MD5
9993c66f33d16d11e701abbabf5a5db8

SHA1
415a0069f21dc5fcbb7bdaa7f17a679eb18e6b1e

SHA256
24c4edf86254f9e2359508909ba52dd683e1f6af0d8c1a52f875c472fc73bd40

SHA512
7a3f0546f4fb12e72fd774f5c4446e8bcc2a26c762aad91675c3bc10931c1c0ac2c40d66a25afd0a376ab665427164367c1cf398c22811eedf88c90ce51a23e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ServerPlugin.dll

Filesize
28KB

MD5
952c62ec830c63380beb72ad923d35dc

SHA1
6700baa1fb1877129e79402dfe237f0b84221b69

SHA256
2e5fbfb7932b117a2f6093dc346cdee4a5702e39739d9c40d27bfd1580f6f0d7

SHA512
5dc19d7d6ab7670ded766f357e481328c8df4a96ac3c2a00194a5ccea8c34bca0e34cfea3d9d17934db384d302446be2fec9853438371561d70580665bffe121

Download Submit
C:\Users\Admin\AppData\Local\Temp\System.Data.SQLite.dll

Filesize
256KB

MD5
dd3d6f00b1aba3f1d9338d9727ab5f17

SHA1
faf9364a7ab15f27c93a6e6f97fa025030c9dad7

SHA256
f0d4beab24e94e61f219df451d90dbba3d0f48539f9b6a448f91e0c94b4e80c4

SHA512
0794d850a133a98affe627e3023114b229b982e507d366895ece6a1ef99b42d708554c64b52f0f2ed63673e1c5aeea7e794085d45f0797159e21ba4efdf23cd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\TempDel.bat

Filesize
204B

MD5
3b2fb2a8ccaaa86a5fbcab338e641ff1

SHA1
bfd7df0e383c404d6c5cd58687954426a43acd7f

SHA256
34cba91daa5d60239496f52d4da9c526a0ed7680adf8f4fc491b2ddb32d48208

SHA512
cf00ac00845f1ac0cde6a18507c8b629c95a4391170dc1297e596406e0aa5802090b3631aa2bc3dc8632fe6c85c3d33557f9235cb43a833cbb4d8f3d84bc4443

Download Submit
C:\Users\Admin\AppData\Local\Temp\builder.log

Filesize
22KB

MD5
0061a98407086fb3106b61fe5d0fbb27

SHA1
c5882467e947fa1cab30dd45fe337b23bce1712a

SHA256
054dbc3e14992bea750e1f366c16f6b0c861bc9db2617be91cbf7306fd25219a

SHA512
b4e0f10067b2a5b7865b404c63be1c93cbda482ed3d20e618ede411fe7f9bc177792d0ab0bb7c13730809f9630ba5160f485a38590096ba8cb8104ab189f2c9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\client.bin

Filesize
130KB

MD5
906a949e34472f99ba683eff21907231

SHA1
7c5a57af209597fa6c6bce7d1a8016b936d3b0b6

SHA256
9d3ea5af7dc261bf93c76f55d702a315aa22fb241e4207dc86cd834c262245c8

SHA512
29fd20ae7f1b8bac831c0bb85da4325a62e10961989e14299f5f50776c8f7e669cc1527bf2c3868bd7230e73ac110ba8b1f0491ac0f2923d79d7a2871c7c961d

Download Submit
C:\Users\Admin\AppData\Local\Temp\plugins.bin

Filesize
240B

MD5
5e709fc806e8ba3385487699004f6d29

SHA1
2f32547ed5b9db3b33969fb4858945610aaeedb2

SHA256
9ecbf989dedf1403db953fb4e5955c9f63415cbe1f6492c3246bac405a4d036f

SHA512
a6706c9f76d837a7e0ab12e3c1c6d94fedde9dc52d4fecd02befd8850752155e2bf801cdf0488a98e49c50c4f0595a3fc4916950badba9bb83a5b7a35d3ffaab

Download Submit
C:\Users\Admin\AppData\Local\Temp\public.bin

Filesize
17B

MD5
602d0cc4e7246f8a3b8a5ee9c7fabe30

SHA1
e9ecc8f782cf27ae68339b0cdfd0f79c69aa4afc

SHA256
6de29ee3e660fd3ab419f568fcf65f8418484eb43d5bfcdbfac5d456fd8488f2

SHA512
ccaf306f4e4b4ee7de6a62954bbebcb52d131da49912d2d6ad39d07012dffe66ec6109dfbd5fbfd166e98e7bcb2c564b75eda0a2eda2ee815f71db5986506f43

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.log

Filesize
103KB

MD5
ac6285562e5e3e4e98feb7fe8df884a4

SHA1
4b7fc4ea7c39b95efa7d4e1d68b9b3994c38683b

SHA256
51d9e422386e5e64eadc212bff06b33c2a163bfe355ce98d756ce00afd76ae2a

SHA512
6db244bf0e1948626e64b2b8636b9bf71fa4b2bbe5e7c4877a444da00bcc7964efa9f01f6e4c90963961a3a8bdb3bb8ff7d28660596e6f468b53313ab5e3453b

Download Submit
C:\Users\Admin\AppData\Local\Temp\settings.bin

Filesize
280B

MD5
daa76574a834b950a015d191e410c400

SHA1
c93dae186bb23e7fc052b6cbc4626c58bc0f60a5

SHA256
c4c2bb97d9abf6e224897855a0f6699d8f886ca816811ea5bfeb8e71d72b7d4f

SHA512
9cd119d3f55a172036fd625738c3ebcd45b534255da36c208b594605eca32a58470ea4d0493026d160e062806d015cd878c44521e2450247eb5a8ae203a8fe6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\x86\SQLite.Interop.dll

Filesize
792KB

MD5
9b19dcee960dc215e64b1d82348707a9

SHA1
9c1e0f76673eb385787120e17404df179316ca2b

SHA256
3515f704b0012c01fc8be5b717905c0587b29255fc9eb7ad3f2b66a130691d38

SHA512
cc1304ab171feb2ac6df941f4b35aab8ce7b503f96b5539b366b39268cce8b21ea2fdbce16eff809a9a121a60a65ebbd0f59f75360800f541b9e5f93e729a55d

Download Submit
C:\Users\Admin\Desktop\serek wodny.exe

Filesize
130KB

MD5
3378c09eb2c345965db15682dd23ac06

SHA1
9485ea7b6232472c79d050d90f6177b69fdf5917

SHA256
1f4b49f0865ed6272f8d5dd1b91d5348803fc2c5e092e305b9ac166cdff2df6d

SHA512
392bd021c14f66382df17a36f37283d673b502f156f92f51d58c6dbc0f89a5924ade92755382b8afbc9fae3a66bd37df2875de085769bc97714e6c76bacb1742

Download Submit
C:\Users\Admin\Downloads\NANOCORE-RAT-master.zip.crdownload

Filesize
6.2MB

MD5
91ed4f9a5b7d642f0a3c278b8a71c19d

SHA1
72ce48187dbef2588283d6eb8b758e5f7d7be264

SHA256
c3eb885cd4e260140af85eaff756fc79262bd4cff6b8e4cb489531f51bc3fb61

SHA512
67a746305115f91bb2c068ff59eeb9d38a911ef2f2e2d6709d5ad39b4b52bdc59f5d9e42300c096904899f7bab083f58de86279cbdb39951f93643ac24d5f602

Download Submit
memory/4632-1312-0x000001C2174C0000-0x000001C2174CE000-memory.dmp

Filesize
56KB

Download
memory/4632-1313-0x000001C217970000-0x000001C21797A000-memory.dmp

Filesize
40KB

Download
memory/4632-1314-0x000001C2179A0000-0x000001C2179A8000-memory.dmp

Filesize
32KB

Download
memory/4632-1315-0x000001C233000000-0x000001C233249000-memory.dmp

Filesize
2.3MB

Download