amadey | 74e1d92213c0f1cad8c5387f8ec54f7c901a76596afb9e88c30fdd6bca4f005b

Analysis

max time kernel
167s
max time network
182s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
23-05-2022 01:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

74e1d92213c0f1cad8c5387f8ec54f7c901a76596afb9e88c30fdd6bca4f005b.exe
Size

336KB
MD5

53f54f7688b7becf3f68ca1ac3cb3565
SHA1

b99a8ee9253186f3a19e750e4b9a7cecedb30136
SHA256

74e1d92213c0f1cad8c5387f8ec54f7c901a76596afb9e88c30fdd6bca4f005b
SHA512

a94b97891ae3e7c202746e13912737e9047ba0f5e344ad22c6eba54e15178935db2b3e9b94eb2759294de171588a6cd42ade38dc1bdb98fd16ddafccec6591ad

Score

10^/10

amadey microsoft persistence phishing suricata trojan

Malware Config

Extracted

Family

amadey

Version

3.10

185.215.113.35/d2VxjasuwS_old/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
suricata: ET MALWARE Amadey CnC Check-In
suricata: ET MALWARE Amadey CnC Check-In
suricata
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

orxds.exeorxds.exeorxds.exe

pid process

4184 orxds.exe
4356 orxds.exe
2620 orxds.exe

pid	process
4184	orxds.exe
4356	orxds.exe
2620	orxds.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

74e1d92213c0f1cad8c5387f8ec54f7c901a76596afb9e88c30fdd6bca4f005b.exeorxds.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	74e1d92213c0f1cad8c5387f8ec54f7c901a76596afb9e88c30fdd6bca4f005b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	orxds.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

msedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Detected potential entity reuse from brand microsoft.
phishing microsoft
Suspicious use of SetThreadContext 1 IoCs

Processes:

orxds.exe

description pid process target process

PID 4184 set thread context of 4356 4184 orxds.exe orxds.exe

description	pid	process	target process
PID 4184 set thread context of 4356	4184	orxds.exe	orxds.exe

Drops file in Program Files directory 2 IoCs

Processes:

setup.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220523035654.pma	setup.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\00a9b337-00a7-420c-bb25-0f0b2a21f66e.tmp	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid	pid_target	process	target process
1468	4016	WerFault.exe	74e1d92213c0f1cad8c5387f8ec54f7c901a76596afb9e88c30fdd6bca4f005b.exe
260	2620	WerFault.exe	orxds.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1520 schtasks.exe

pid	process
1520	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ msedge.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

msedge.exemsedge.exemsedge.exeidentity_helper.exe

pid process

3100 msedge.exe
3100 msedge.exe
1788 msedge.exe
1788 msedge.exe
1412 msedge.exe
1412 msedge.exe
1140 identity_helper.exe
1140 identity_helper.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid process

1412 msedge.exe
1412 msedge.exe
1412 msedge.exe
1412 msedge.exe
1412 msedge.exe
1412 msedge.exe
1412 msedge.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msedge.exe

pid process

1412 msedge.exe
1412 msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

pid	process
3100	msedge.exe
3100	msedge.exe
1788	msedge.exe
1788	msedge.exe
1412	msedge.exe
1412	msedge.exe
1140	identity_helper.exe
1140	identity_helper.exe

pid	process
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe

pid	process
1412	msedge.exe
1412	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

74e1d92213c0f1cad8c5387f8ec54f7c901a76596afb9e88c30fdd6bca4f005b.exeorxds.execmd.exeorxds.exemsedge.exemsedge.exe

description	pid	process	target process
PID 4016 wrote to memory of 4184	4016	74e1d92213c0f1cad8c5387f8ec54f7c901a76596afb9e88c30fdd6bca4f005b.exe	orxds.exe
PID 4016 wrote to memory of 4184	4016	74e1d92213c0f1cad8c5387f8ec54f7c901a76596afb9e88c30fdd6bca4f005b.exe	orxds.exe
PID 4016 wrote to memory of 4184	4016	74e1d92213c0f1cad8c5387f8ec54f7c901a76596afb9e88c30fdd6bca4f005b.exe	orxds.exe
PID 4184 wrote to memory of 4068	4184	orxds.exe	cmd.exe
PID 4184 wrote to memory of 4068	4184	orxds.exe	cmd.exe
PID 4184 wrote to memory of 4068	4184	orxds.exe	cmd.exe
PID 4184 wrote to memory of 1520	4184	orxds.exe	schtasks.exe
PID 4184 wrote to memory of 1520	4184	orxds.exe	schtasks.exe
PID 4184 wrote to memory of 1520	4184	orxds.exe	schtasks.exe
PID 4068 wrote to memory of 3136	4068	cmd.exe	reg.exe
PID 4068 wrote to memory of 3136	4068	cmd.exe	reg.exe
PID 4068 wrote to memory of 3136	4068	cmd.exe	reg.exe
PID 4184 wrote to memory of 4356	4184	orxds.exe	orxds.exe
PID 4184 wrote to memory of 4356	4184	orxds.exe	orxds.exe
PID 4184 wrote to memory of 4356	4184	orxds.exe	orxds.exe
PID 4184 wrote to memory of 4356	4184	orxds.exe	orxds.exe
PID 4184 wrote to memory of 4356	4184	orxds.exe	orxds.exe
PID 4184 wrote to memory of 4356	4184	orxds.exe	orxds.exe
PID 4184 wrote to memory of 4356	4184	orxds.exe	orxds.exe
PID 4184 wrote to memory of 4356	4184	orxds.exe	orxds.exe
PID 4356 wrote to memory of 2000	4356	orxds.exe	msedge.exe
PID 4356 wrote to memory of 2000	4356	orxds.exe	msedge.exe
PID 2000 wrote to memory of 2292	2000	msedge.exe	msedge.exe
PID 2000 wrote to memory of 2292	2000	msedge.exe	msedge.exe
PID 4356 wrote to memory of 1412	4356	orxds.exe	msedge.exe
PID 4356 wrote to memory of 1412	4356	orxds.exe	msedge.exe
PID 1412 wrote to memory of 3816	1412	msedge.exe	msedge.exe
PID 1412 wrote to memory of 3816	1412	msedge.exe	msedge.exe
PID 2000 wrote to memory of 1804	2000	msedge.exe	msedge.exe
PID 2000 wrote to memory of 1804	2000	msedge.exe	msedge.exe
PID 2000 wrote to memory of 1804	2000	msedge.exe	msedge.exe
PID 2000 wrote to memory of 1804	2000	msedge.exe	msedge.exe
PID 2000 wrote to memory of 1804	2000	msedge.exe	msedge.exe
PID 2000 wrote to memory of 1804	2000	msedge.exe	msedge.exe
PID 2000 wrote to memory of 1804	2000	msedge.exe	msedge.exe
PID 2000 wrote to memory of 1804	2000	msedge.exe	msedge.exe
PID 2000 wrote to memory of 1804	2000	msedge.exe	msedge.exe
PID 2000 wrote to memory of 1804	2000	msedge.exe	msedge.exe
PID 2000 wrote to memory of 1804	2000	msedge.exe	msedge.exe
PID 2000 wrote to memory of 1804	2000	msedge.exe	msedge.exe
PID 2000 wrote to memory of 1804	2000	msedge.exe	msedge.exe
PID 2000 wrote to memory of 1804	2000	msedge.exe	msedge.exe
PID 2000 wrote to memory of 1804	2000	msedge.exe	msedge.exe
PID 2000 wrote to memory of 1804	2000	msedge.exe	msedge.exe
PID 2000 wrote to memory of 1804	2000	msedge.exe	msedge.exe
PID 2000 wrote to memory of 1804	2000	msedge.exe	msedge.exe
PID 2000 wrote to memory of 1804	2000	msedge.exe	msedge.exe
PID 2000 wrote to memory of 1804	2000	msedge.exe	msedge.exe
PID 2000 wrote to memory of 1804	2000	msedge.exe	msedge.exe
PID 2000 wrote to memory of 1804	2000	msedge.exe	msedge.exe
PID 2000 wrote to memory of 1804	2000	msedge.exe	msedge.exe
PID 2000 wrote to memory of 1804	2000	msedge.exe	msedge.exe
PID 2000 wrote to memory of 1804	2000	msedge.exe	msedge.exe
PID 2000 wrote to memory of 1804	2000	msedge.exe	msedge.exe
PID 2000 wrote to memory of 1804	2000	msedge.exe	msedge.exe
PID 2000 wrote to memory of 1804	2000	msedge.exe	msedge.exe
PID 2000 wrote to memory of 1804	2000	msedge.exe	msedge.exe
PID 2000 wrote to memory of 1804	2000	msedge.exe	msedge.exe
PID 2000 wrote to memory of 1804	2000	msedge.exe	msedge.exe
PID 2000 wrote to memory of 1804	2000	msedge.exe	msedge.exe
PID 2000 wrote to memory of 1804	2000	msedge.exe	msedge.exe
PID 2000 wrote to memory of 1804	2000	msedge.exe	msedge.exe
PID 2000 wrote to memory of 1804	2000	msedge.exe	msedge.exe
PID 2000 wrote to memory of 1804	2000	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\74e1d92213c0f1cad8c5387f8ec54f7c901a76596afb9e88c30fdd6bca4f005b.exe
"C:\Users\Admin\AppData\Local\Temp\74e1d92213c0f1cad8c5387f8ec54f7c901a76596afb9e88c30fdd6bca4f005b.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4016

C:\Users\Admin\AppData\Local\Temp\d273120da5\orxds.exe
"C:\Users\Admin\AppData\Local\Temp\d273120da5\orxds.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4184

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\d273120da5\
3⤵
- Suspicious use of WriteProcessMemory
PID:4068

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\d273120da5\
4⤵
PID:3136

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN orxds.exe /TR "C:\Users\Admin\AppData\Local\Temp\d273120da5\orxds.exe" /F
3⤵
- Creates scheduled task(s)
PID:1520

C:\Users\Admin\AppData\Local\Temp\d273120da5\orxds.exe
"C:\Users\Admin\AppData\Local\Temp\d273120da5\orxds.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4356

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=orxds.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
4⤵
- Suspicious use of WriteProcessMemory
PID:2000

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe198d46f8,0x7ffe198d4708,0x7ffe198d4718
5⤵
PID:2292

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,18023010915232485070,17452292056925444217,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
5⤵
PID:1804

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,18023010915232485070,17452292056925444217,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2892 /prefetch:3
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:3100

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=orxds.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
4⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1412

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffe198d46f8,0x7ffe198d4708,0x7ffe198d4718
5⤵
PID:3816

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,1997751445986915421,13173594488567032374,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2604 /prefetch:2
5⤵
PID:1328

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,1997751445986915421,13173594488567032374,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2696 /prefetch:3
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:1788

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,1997751445986915421,13173594488567032374,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3064 /prefetch:8
5⤵
PID:4984

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,1997751445986915421,13173594488567032374,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3648 /prefetch:1
5⤵
PID:224

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,1997751445986915421,13173594488567032374,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3660 /prefetch:1
5⤵
PID:2300

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,1997751445986915421,13173594488567032374,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4512 /prefetch:1
5⤵
PID:4212

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2096,1997751445986915421,13173594488567032374,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5268 /prefetch:8
5⤵
PID:1172

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,1997751445986915421,13173594488567032374,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5532 /prefetch:1
5⤵
PID:4288

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,1997751445986915421,13173594488567032374,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5664 /prefetch:1
5⤵
PID:4308

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2096,1997751445986915421,13173594488567032374,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6040 /prefetch:8
5⤵
PID:2928

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,1997751445986915421,13173594488567032374,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6176 /prefetch:1
5⤵
PID:1080

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,1997751445986915421,13173594488567032374,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6036 /prefetch:1
5⤵
PID:3604

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,1997751445986915421,13173594488567032374,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3988 /prefetch:8
5⤵
PID:1468

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
5⤵
- Drops file in Program Files directory
PID:4316

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x228,0x22c,0x230,0x204,0x234,0x7ff7336b5460,0x7ff7336b5470,0x7ff7336b5480
6⤵
PID:1336

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,1997751445986915421,13173594488567032374,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3988 /prefetch:8
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:1140

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2096,1997751445986915421,13173594488567032374,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2304 /prefetch:8
5⤵
PID:3520

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2096,1997751445986915421,13173594488567032374,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2308 /prefetch:8
5⤵
PID:1112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4016 -s 1108
2⤵
- Program crash
PID:1468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4016 -ip 4016
1⤵
PID:4708

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:808

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:220

C:\Users\Admin\AppData\Local\Temp\d273120da5\orxds.exe
C:\Users\Admin\AppData\Local\Temp\d273120da5\orxds.exe
1⤵
- Executes dropped EXE
PID:2620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2620 -s 492
2⤵
- Program crash
PID:260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2620 -ip 2620
1⤵
PID:1332

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868
Filesize
471B

MD5
cf8ea82f5cc724dcca1ffec92a1f626b

SHA1
03c6cd68a34f952b90d3356e14dff6ad4fc3ed1f

SHA256
1414de813b11dd1865983d46094f4589d01b8b172e0175e7bf729c59ee438000

SHA512
bf5a77da544eff2ca7c0eb6a85f612fcfea1326b83bead3f3522d0e0667c2f90c311757001b329dc4d5b51366c4f7bf163212b2d6e17058d2008621a3d9e6f72

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE
Filesize
471B

MD5
539f857388eff95501036d47ef248c74

SHA1
df20df9ef1c4dda1bd79020580654a8a54f7d2a1

SHA256
0a05240659b153d0663f107b9361e370a6945abc78f8e67ab65e5b73bb0225a5

SHA512
b300414e29710101a3185fbe0453ffec72a990217d43cbc73cc99db6b50fdc50355822a3a6904e29947c09a32efeb715c217d9b54b79320ba71271887b2afd8e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE
Filesize
471B

MD5
539f857388eff95501036d47ef248c74

SHA1
df20df9ef1c4dda1bd79020580654a8a54f7d2a1

SHA256
0a05240659b153d0663f107b9361e370a6945abc78f8e67ab65e5b73bb0225a5

SHA512
b300414e29710101a3185fbe0453ffec72a990217d43cbc73cc99db6b50fdc50355822a3a6904e29947c09a32efeb715c217d9b54b79320ba71271887b2afd8e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868
Filesize
442B

MD5
aa07d11b3c68974e5309d83ff5d9558c

SHA1
9ce9e371c5b4ce4fa1d36b89f6bba07550ff94c7

SHA256
3e025aee6901e172e46a050fbe00baf400ee9476b06def5963caf2ded7c6cd31

SHA512
1d778977c6d733d65af35795bd750bcba5764b38642bfbb5927f0a95d45bc2877b99b2f54b100a191b1b4068214b7f1368cf342faf0a24cb1ea145f4b0bf364b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE
Filesize
416B

MD5
6d19f8b45a462b68d5488a1ed27f9f4b

SHA1
7138301cb017b0df78f9c273cad0fa7e37923c8c

SHA256
db604eb5f661e0205e35ec3a62be7688e3e74ff34c0e04596e9377f745d08384

SHA512
cdf38cf515886ec9a01a1f0923487e59d39f7669f83de7143e0a693ac3a4b0f2c9ed1be38caf4eb8e149754e74bb06774954354f163762d452c6ccc9d05c0972

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE
Filesize
416B

MD5
6d19f8b45a462b68d5488a1ed27f9f4b

SHA1
7138301cb017b0df78f9c273cad0fa7e37923c8c

SHA256
db604eb5f661e0205e35ec3a62be7688e3e74ff34c0e04596e9377f745d08384

SHA512
cdf38cf515886ec9a01a1f0923487e59d39f7669f83de7143e0a693ac3a4b0f2c9ed1be38caf4eb8e149754e74bb06774954354f163762d452c6ccc9d05c0972

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
0f2fd3ffef216b4a9345a3bf7c19e54c

SHA1
bb53767f6009d83c4af27ddb9f72b88d2dea8c1c

SHA256
4587b60ec8ed42f34c0c85604a70363bd7e82b5dac6b6e14629e3a5672b3e98a

SHA512
5987b7af8b369ad6208688a59562c6d187b45a64cc307af5d96da4cbfc6c146c71bcc493f9a66bf23d2d249416222bb728e9072a44a7d9a13355647768b32900

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
0f2fd3ffef216b4a9345a3bf7c19e54c

SHA1
bb53767f6009d83c4af27ddb9f72b88d2dea8c1c

SHA256
4587b60ec8ed42f34c0c85604a70363bd7e82b5dac6b6e14629e3a5672b3e98a

SHA512
5987b7af8b369ad6208688a59562c6d187b45a64cc307af5d96da4cbfc6c146c71bcc493f9a66bf23d2d249416222bb728e9072a44a7d9a13355647768b32900

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
95e22ee8bac6765a868c13fc5ca5017c

SHA1
dff7d454639c700bb4408bf2cef900337977eb56

SHA256
cb320ebc79962dfd60205d687132b62ac884924f6cf5c5a40aea28fd2bc44802

SHA512
47fb43256f59834aaf626e3c9c9e20f71afbb018f64755d8e05f6cbd8dde21e1c14049192a90bffd99413a58a0cacebdd8bce7b3d464aa622d7eefad71145428

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
9da582668a8843812530f5b2cd535386

SHA1
4b9c5c0ac191c8035f791c2925229ee0d2c682a1

SHA256
0c6bce1bb7e7f3ace69522bed1d06f1693e811d3fb9aeea7aab52ec35df179ef

SHA512
f91a42449ddf512b303a95e2c3a4530e1219f939afdcddb28fc8e840be684f120bcacf044ac0779550dee2c303bea94937b64ee23ff24ba2141738d2e4245e77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\edgeSettings
Filesize
81B

MD5
f222079e71469c4d129b335b7c91355e

SHA1
0056c3003874efef229a5875742559c8c59887dc

SHA256
e713c1b13a849d759ebaa6256773f4f1d6dfc0c6a4247edaa726e0206ecacb00

SHA512
e5a49275e056b6628709cf6509a5f33f8d1d1e93125eaa6ec1c7f51be589fd3d8ea7a59b9639db586d76a994ad3dc452c7826e4ac0c8c689dd67ff90e33f0b75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\edgeSettings_2.0-2f9188b68640dbf72295f9083a21d674a314721ef06f82db281cbcb052ff8ec1
Filesize
126KB

MD5
6698422bea0359f6d385a4d059c47301

SHA1
b1107d1f8cc1ef600531ed87cea1c41b7be474f6

SHA256
2f9188b68640dbf72295f9083a21d674a314721ef06f82db281cbcb052ff8ec1

SHA512
d0cdb3fa21e03f950dbe732832e0939a4c57edc3b82adb7a556ebd3a81d219431a440357654dfea94d415ba00fd7dcbd76f49287d85978d12c224cbfa8c1ad8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\synchronousLookupUris
Filesize
40B

MD5
eb23c38cb1709c1b602efa289322b777

SHA1
531a5ef143f1b057cf81909c7e4ad7f1a137c1da

SHA256
0003e5c99de34bb6fc6fd1eab8d3c424d5c0338e11fa20e5efa9e5a88207f8c1

SHA512
f326dafe15c268182967cb175fea8a9ec774a61d74d639e40167c5e43a3946786e4e2971394fb6e9c29e64782ba5eca1c89c6c43a086208f1c3188973b5441ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\synchronousLookupUris_637888653630212091
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\topTraffic
Filesize
29B

MD5
ce545b52b20b2f56ffb26d2ca2ed4491

SHA1
ebe904c20bb43891db4560f458e66663826aa885

SHA256
e9d5684e543b573010f8b55b11bf571caf0a225cdea03f520091525978023899

SHA512
1ea06c8e3f03efdd67779969b4cdf7d8e08f8327298668a7cffd67d1753f33cf19e6995a3d83fe45185c55b950f41e48ac71b422b91e8d0180b5bdd07cfacfe9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\topTraffic_637811103879324684
Filesize
450KB

MD5
a7aab197b91381bcdec092e1910a3d62

SHA1
35794f2d2df163223391a2b21e1610f14f46a78f

SHA256
6337fe4e6e7464e319dfcdadf472987592013cf80d44916f5151950b4a4ca14b

SHA512
cffd7350d1e69ada5f64cafe42a9d77e3192927e129f2903088b66b6efc9626b5d525aedca08d473ad8fa415af1d816594b243609237dc23716d70a2ca0eb774

Download Submit
C:\Users\Admin\AppData\Local\Temp\d273120da5\orxds.exe
Filesize
336KB

MD5
53f54f7688b7becf3f68ca1ac3cb3565

SHA1
b99a8ee9253186f3a19e750e4b9a7cecedb30136

SHA256
74e1d92213c0f1cad8c5387f8ec54f7c901a76596afb9e88c30fdd6bca4f005b

SHA512
a94b97891ae3e7c202746e13912737e9047ba0f5e344ad22c6eba54e15178935db2b3e9b94eb2759294de171588a6cd42ade38dc1bdb98fd16ddafccec6591ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\d273120da5\orxds.exe
Filesize
336KB

MD5
53f54f7688b7becf3f68ca1ac3cb3565

SHA1
b99a8ee9253186f3a19e750e4b9a7cecedb30136

SHA256
74e1d92213c0f1cad8c5387f8ec54f7c901a76596afb9e88c30fdd6bca4f005b

SHA512
a94b97891ae3e7c202746e13912737e9047ba0f5e344ad22c6eba54e15178935db2b3e9b94eb2759294de171588a6cd42ade38dc1bdb98fd16ddafccec6591ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\d273120da5\orxds.exe
Filesize
336KB

MD5
53f54f7688b7becf3f68ca1ac3cb3565

SHA1
b99a8ee9253186f3a19e750e4b9a7cecedb30136

SHA256
74e1d92213c0f1cad8c5387f8ec54f7c901a76596afb9e88c30fdd6bca4f005b

SHA512
a94b97891ae3e7c202746e13912737e9047ba0f5e344ad22c6eba54e15178935db2b3e9b94eb2759294de171588a6cd42ade38dc1bdb98fd16ddafccec6591ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\d273120da5\orxds.exe
Filesize
336KB

MD5
53f54f7688b7becf3f68ca1ac3cb3565

SHA1
b99a8ee9253186f3a19e750e4b9a7cecedb30136

SHA256
74e1d92213c0f1cad8c5387f8ec54f7c901a76596afb9e88c30fdd6bca4f005b

SHA512
a94b97891ae3e7c202746e13912737e9047ba0f5e344ad22c6eba54e15178935db2b3e9b94eb2759294de171588a6cd42ade38dc1bdb98fd16ddafccec6591ad

Download Submit
\??\pipe\LOCAL\crashpad_1412_KUCBEEEEARONRTVI
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_2000_VUJSZDZTJYWKTWZS
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/224-176-0x0000000000000000-mapping.dmp

Download
memory/1080-191-0x0000000000000000-mapping.dmp

Download
memory/1112-203-0x0000000000000000-mapping.dmp

Download
memory/1140-196-0x0000000000000000-mapping.dmp

Download
memory/1172-182-0x0000000000000000-mapping.dmp

Download
memory/1328-160-0x0000000000000000-mapping.dmp

Download
memory/1336-195-0x0000000000000000-mapping.dmp

Download
memory/1412-147-0x0000000000000000-mapping.dmp

Download
memory/1520-140-0x0000000000000000-mapping.dmp

Download
memory/1788-161-0x0000000000000000-mapping.dmp

Download
memory/1804-153-0x0000000000000000-mapping.dmp

Download
memory/2000-145-0x0000000000000000-mapping.dmp

Download
memory/2292-146-0x0000000000000000-mapping.dmp

Download
memory/2300-178-0x0000000000000000-mapping.dmp

Download
memory/2620-199-0x0000000000400000-0x0000000002B70000-memory.dmp

Filesize
39.4MB

Download
memory/2620-198-0x0000000002DD1000-0x0000000002DEF000-memory.dmp

Filesize
120KB

Download
memory/2928-189-0x0000000000000000-mapping.dmp

Download
memory/3100-156-0x0000000000000000-mapping.dmp

Download
memory/3136-141-0x0000000000000000-mapping.dmp

Download
memory/3520-201-0x0000000000000000-mapping.dmp

Download
memory/3604-193-0x0000000000000000-mapping.dmp

Download
memory/3816-148-0x0000000000000000-mapping.dmp

Download
memory/4016-135-0x0000000000400000-0x0000000002B70000-memory.dmp

Filesize
39.4MB

Download
memory/4016-131-0x00000000048A0000-0x00000000048D8000-memory.dmp

Filesize
224KB

Download
memory/4016-130-0x0000000002DCE000-0x0000000002DEC000-memory.dmp

Filesize
120KB

Download
memory/4068-136-0x0000000000000000-mapping.dmp

Download
memory/4184-132-0x0000000000000000-mapping.dmp

Download
memory/4184-137-0x0000000002DDD000-0x0000000002DFB000-memory.dmp

Filesize
120KB

Download
memory/4184-139-0x0000000000400000-0x0000000002B70000-memory.dmp

Filesize
39.4MB

Download
memory/4184-138-0x0000000002D10000-0x0000000002D48000-memory.dmp

Filesize
224KB

Download
memory/4212-180-0x0000000000000000-mapping.dmp

Download
memory/4288-184-0x0000000000000000-mapping.dmp

Download
memory/4308-186-0x0000000000000000-mapping.dmp

Download
memory/4316-194-0x0000000000000000-mapping.dmp

Download
memory/4356-142-0x0000000000000000-mapping.dmp

Download
memory/4356-143-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4984-174-0x0000000000000000-mapping.dmp

Download