qakbot | 0384750607deffb5a41a559dc3213c6fe63142c06f494987ed2183fa8045c0db

System Information Discovery

Processes:

WScript.exeWScript.exeWScript.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

Processes:

msedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Enumerates connected drives 3 TTPs 6 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

WScript.execmd.exeWScript.execmd.exeWScript.execmd.exe

description	ioc	process
File opened (read-only)	\??\E:	WScript.exe
File opened (read-only)	\??\E:	cmd.exe
File opened (read-only)	\??\E:	WScript.exe
File opened (read-only)	\??\E:	cmd.exe
File opened (read-only)	\??\E:	WScript.exe
File opened (read-only)	\??\E:	cmd.exe

Drops file in Program Files directory 2 IoCs

Processes:

setup.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\51f353ce-e340-4c97-ad46-4a23af5ca9d3.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220916211409.pma	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Service	msedge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000003	msedge.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\HardwareID	msedge.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

Processes:

iexplore.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = e8baa059b9aed801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 32 IoCs

adware spyware

Modify Registry

Processes:

IEXPLORE.EXEiexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{727CE3B0-3604-11ED-B696-520B3B914C01} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1196080236"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30984721"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70c6bb4811cad801	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e2728ad8693e804caf0ad2c227b1421600000000020000000000106600000001000020000000cf81988851efe753c948911babc6869d74f5086ad75b67a0a44f1f014180547c000000000e80000000020000200000002e1694ecfe62428f741db06be5b566be06badb06f86a4b33bb3dceaf8dc20c92200000005ff3b1d55ae113672bbb76989015b327727770bafb256b0ea6d5f764a6f8f042400000006fa5ac7d7285fb8fb6344031e6cad54440fdba99ca1f90ede8ef79c6cd5bdde29bb94768b61bd250998e535e607d4a5e12115ed4a7d2639752e0ee1d65655795	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30984721"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e2728ad8693e804caf0ad2c227b142160000000002000000000010660000000100002000000079c0bca26af298c0c70427148b75e6caf471f01cd0fb6068343574569191d86b000000000e80000000020000200000003f2fc2c227a31671481de3960eaa73498b4d5d703e4109340784f57d1c4097e9200000007b5a70ecd242fdaaa5ceff4e1fb474882f275df1e40f831cec15e6f62f9b7689400000008a84baccc0556e9800199af462ef847c0cc747cd1967185b41c154e38a17326b20aeb346b09d8b33513555580479ef1a409b6c54d5dd6e449973034418e0d5f0	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1196080236"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b07e644811cad801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\DownloadWindowPlacement = 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE

Modifies registry class 2 IoCs

Processes:

msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exeregsvr32.exemsedge.exeregsvr32.exeexplorer.exe

pid	process
3896	msedge.exe
3896	msedge.exe
3624	msedge.exe
3624	msedge.exe
2448	identity_helper.exe
2448	identity_helper.exe
1460	msedge.exe
1460	msedge.exe
2028	regsvr32.exe
2028	regsvr32.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
1512	regsvr32.exe
1512	regsvr32.exe
4416	explorer.exe
4416	explorer.exe
4416	explorer.exe
4416	explorer.exe
4416	explorer.exe
4416	explorer.exe
4416	explorer.exe
4416	explorer.exe
4416	explorer.exe
4416	explorer.exe
4416	explorer.exe
4416	explorer.exe
4416	explorer.exe
4416	explorer.exe
4416	explorer.exe
4416	explorer.exe
4416	explorer.exe
4416	explorer.exe
4416	explorer.exe
4416	explorer.exe
4416	explorer.exe
4416	explorer.exe
4416	explorer.exe
4416	explorer.exe
4416	explorer.exe
4416	explorer.exe
4416	explorer.exe
4416	explorer.exe
4416	explorer.exe
4416	explorer.exe
4416	explorer.exe
4416	explorer.exe
4416	explorer.exe
4416	explorer.exe
4416	explorer.exe
4416	explorer.exe
4416	explorer.exe
4416	explorer.exe
4416	explorer.exe
4416	explorer.exe
4416	explorer.exe
4416	explorer.exe
4416	explorer.exe
4416	explorer.exe
4416	explorer.exe
4416	explorer.exe
4416	explorer.exe
4416	explorer.exe

Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

regsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exe

pid process

2028 regsvr32.exe
1512 regsvr32.exe
3988 regsvr32.exe
5048 regsvr32.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid process

3624 msedge.exe
3624 msedge.exe
3624 msedge.exe
3624 msedge.exe
3624 msedge.exe
3624 msedge.exe
3624 msedge.exe

pid	process
2028	regsvr32.exe
1512	regsvr32.exe
3988	regsvr32.exe
5048	regsvr32.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

7zG.exe

description	pid	process
Token: SeRestorePrivilege	3580	7zG.exe
Token: 35	3580	7zG.exe
Token: SeSecurityPrivilege	3580	7zG.exe
Token: SeSecurityPrivilege	3580	7zG.exe

Suspicious use of FindShellTrayWindow 38 IoCs

Processes:

iexplore.exemsedge.exe7zG.exe

pid	process
1644	iexplore.exe
1644	iexplore.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3580	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1644 iexplore.exe
1644 iexplore.exe
1788 IEXPLORE.EXE
1788 IEXPLORE.EXE
1788 IEXPLORE.EXE
1788 IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

iexplore.exemsedge.exe

description	pid	process	target process
PID 1644 wrote to memory of 1788	1644	iexplore.exe	IEXPLORE.EXE
PID 1644 wrote to memory of 1788	1644	iexplore.exe	IEXPLORE.EXE
PID 1644 wrote to memory of 1788	1644	iexplore.exe	IEXPLORE.EXE
PID 3624 wrote to memory of 1960	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 1960	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 3720	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 3720	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 3720	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 3720	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 3720	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 3720	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 3720	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 3720	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 3720	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 3720	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 3720	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 3720	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 3720	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 3720	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 3720	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 3720	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 3720	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 3720	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 3720	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 3720	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 3720	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 3720	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 3720	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 3720	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 3720	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 3720	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 3720	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 3720	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 3720	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 3720	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 3720	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 3720	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 3720	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 3720	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 3720	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 3720	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 3720	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 3720	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 3720	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 3720	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 3896	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 3896	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 3932	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 3932	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 3932	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 3932	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 3932	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 3932	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 3932	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 3932	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 3932	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 3932	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 3932	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 3932	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 3932	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 3932	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 3932	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 3932	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 3932	3624	msedge.exe	msedge.exe

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\Document#851980(Sep15).html
1⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1644
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1644 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1788

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
1⤵
- Adds Run key to start application
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd88a046f8,0x7ffd88a04708,0x7ffd88a04718
  2⤵
  PID:1960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,9011855192709130066,10967494357871267811,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2204 /prefetch:2
  2⤵
  PID:3720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,9011855192709130066,10967494357871267811,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,9011855192709130066,10967494357871267811,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2704 /prefetch:8
  2⤵
  PID:3932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,9011855192709130066,10967494357871267811,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3856 /prefetch:1
  2⤵
  PID:2088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,9011855192709130066,10967494357871267811,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3000 /prefetch:1
  2⤵
  PID:3928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,9011855192709130066,10967494357871267811,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3712 /prefetch:1
  2⤵
  PID:852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2156,9011855192709130066,10967494357871267811,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5508 /prefetch:8
  2⤵
  PID:4992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2156,9011855192709130066,10967494357871267811,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5624 /prefetch:8
  2⤵
  PID:2592
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,9011855192709130066,10967494357871267811,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5052 /prefetch:8
  2⤵
  PID:4272
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  2⤵
  - Drops file in Program Files directory
  PID:4900
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x200,0x22c,0x7ff61de65460,0x7ff61de65470,0x7ff61de65480
    3⤵
    PID:4064
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,9011855192709130066,10967494357871267811,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5052 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,9011855192709130066,10967494357871267811,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6132 /prefetch:1
  2⤵
  PID:2600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,9011855192709130066,10967494357871267811,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6124 /prefetch:1
  2⤵
  PID:3056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,9011855192709130066,10967494357871267811,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4088 /prefetch:1
  2⤵
  PID:4088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2156,9011855192709130066,10967494357871267811,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6076 /prefetch:8
  2⤵
  PID:3408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,9011855192709130066,10967494357871267811,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3840 /prefetch:1
  2⤵
  PID:2540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2156,9011855192709130066,10967494357871267811,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6412 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2156,9011855192709130066,10967494357871267811,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3580 /prefetch:8
  2⤵
  PID:4416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2156,9011855192709130066,10967494357871267811,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5616 /prefetch:8
  2⤵
  PID:332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2156,9011855192709130066,10967494357871267811,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3148 /prefetch:8
  2⤵
  PID:2000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2156,9011855192709130066,10967494357871267811,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1824 /prefetch:8
  2⤵
  PID:1996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,9011855192709130066,10967494357871267811,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6260 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2156,9011855192709130066,10967494357871267811,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5684 /prefetch:8
  2⤵
  PID:1200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2156,9011855192709130066,10967494357871267811,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5956 /prefetch:8
  2⤵
  PID:2336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2156,9011855192709130066,10967494357871267811,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3788 /prefetch:8
  2⤵
  PID:3096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2156,9011855192709130066,10967494357871267811,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1128 /prefetch:8
  2⤵
  PID:4388

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1916

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4464

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "E:\all\onThink.js"
1⤵
- Checks computer location settings
- Enumerates connected drives
PID:1404
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""E:\all\theirHim.bat" re gs v"
  2⤵
  - Enumerates connected drives
  PID:2600
- - C:\Windows\system32\regsvr32.exe
    regsvr32 all/manTheir.db
    3⤵
    PID:980
  - - C:\Windows\SysWOW64\regsvr32.exe
      all/manTheir.db
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      PID:2028
    - - C:\Windows\SysWOW64\explorer.exe
        
        C:\Windows\SysWOW64\explorer.exe
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4416

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "E:\all\onThink.js"
1⤵
- Checks computer location settings
- Enumerates connected drives
PID:3192
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""E:\all\theirHim.bat" re gs v"
  2⤵
  - Enumerates connected drives
  PID:1932
- - C:\Windows\system32\regsvr32.exe
    regsvr32 all/manTheir.db
    3⤵
    PID:4624
  - - C:\Windows\SysWOW64\regsvr32.exe
      all/manTheir.db
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      PID:1512
    - - C:\Windows\SysWOW64\explorer.exe
        
        C:\Windows\SysWOW64\explorer.exe
        5⤵
        
        PID:4840

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Document#851980(Sep15)\Document#553600\" -ad -an -ai#7zMap23269:138:7zEvent1449
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3580

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Document#851980(Sep15)\Document#553600\all\theirHim.bat
1⤵
PID:2064

C:\Windows\System32\Notepad.exe
"C:\Windows\System32\Notepad.exe" C:\Users\Admin\Downloads\Document#851980(Sep15)\Document#553600\all\onThink.js
1⤵
PID:2564

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "E:\all\onThink.js"
1⤵
- Checks computer location settings
- Enumerates connected drives
PID:220
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""E:\all\theirHim.bat" re gs v"
  2⤵
  - Enumerates connected drives
  PID:3912
- - C:\Windows\system32\regsvr32.exe
    regsvr32 all/manTheir.db
    3⤵
    PID:2348
  - - C:\Windows\SysWOW64\regsvr32.exe
      all/manTheir.db
      4⤵
      Suspicious behavior: MapViewOfSection
      PID:3988
    - - C:\Windows\SysWOW64\explorer.exe
        
        C:\Windows\SysWOW64\explorer.exe
        5⤵
        
        PID:4044

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\all\onThink.js"
1⤵
- Checks computer location settings
PID:1076
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\all\theirHim.bat" re gs v"
  2⤵
  PID:2028
- - C:\Windows\system32\regsvr32.exe
    regsvr32 all/manTheir.db
    3⤵
    PID:4036
  - - C:\Windows\SysWOW64\regsvr32.exe
      all/manTheir.db
      4⤵
      Suspicious behavior: MapViewOfSection
      PID:5048
    - - C:\Windows\SysWOW64\explorer.exe
        
        C:\Windows\SysWOW64\explorer.exe
        5⤵
        
        PID:4864

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery