Analysis
- max time kernel: 143s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 20-05-2022 07:26
Static task: static1
Behavioral task: behavioral1
- Sample: d32c5920ed9458d43b110e3ed34a54d617e173c76f5841003570a8c9ac95f75d.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: d32c5920ed9458d43b110e3ed34a54d617e173c76f5841003570a8c9ac95f75d.exe
- Resource: win10v2004-20220414-en
General
- Target: d32c5920ed9458d43b110e3ed34a54d617e173c76f5841003570a8c9ac95f75d.exe
- Size: 1.3MB
- MD5: f8d29431dde6dd65e034b99c29ce9c64
- SHA1: 0c23620a0070f37794b895c35d7afe1de83bc36f
- SHA256: d32c5920ed9458d43b110e3ed34a54d617e173c76f5841003570a8c9ac95f75d
- SHA512: 844d18e3694ba0ef27c80bfc7a5638cf221559a4fa7e32383e84e9e0b095bdb342cc751ef8e2f39f6b95d438707bbb083434f753d00dbb2fafb5bd666ab6caae
Malware Config
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (1 IoC)
  Processes:
  resource | yara_rule
  behavioral2/memory/2068-138-0x0000000000400000-0x0000000000455000-memory.dmp | family_agenttesla
- Executes dropped EXE (1 IoC)
  Processes:
  pid | process
  4844 | Syqcaa.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation | d32c5920ed9458d43b110e3ed34a54d617e173c76f5841003570a8c9ac95f75d.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Syq = "C:\\Users\\Admin\\AppData\\Local\\Syq\\Syqnb.vbs" | Syqcaa.exe
  Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows\CurrentVersion\Run | msedge.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description | pid | process | target process
  PID 4844 set thread context of 2068 | 4844 | Syqcaa.exe | notepad.exe
- Drops file in Program Files directory (2 IoCs)
  Processes:
  description | ioc | process
  File created | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\86b68e17-1737-4ec7-94fb-1d5954705ddb.tmp | setup.exe
  File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220520082434.pma | setup.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
- Modifies registry class (1 IoC)
  Processes:
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | msedge.exe
- Suspicious behavior: EnumeratesProcesses (26 IoCs)
  Processes:
  pid | process | occurrences
  4844 | Syqcaa.exe | 20
  1788 | msedge.exe | 2
  2460 | msedge.exe | 2
  1996 | identity_helper.exe | 2
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
  Processes:
  pid | process | occurrences
  2460 | msedge.exe | 7
- Suspicious use of FindShellTrayWindow (3 IoCs)
  Processes:
  pid | process | occurrences
  2460 | msedge.exe | 3
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes:
  description | pid | process | target process | occurrences
  PID 4288 wrote to memory of 4844 | 4288 | d32c5920ed9458d43b110e3ed34a54d617e173c76f5841003570a8c9ac95f75d.exe | Syqcaa.exe | 3
  PID 4844 wrote to memory of 992 | 4844 | Syqcaa.exe | TapiUnattend.exe | 3
  PID 4844 wrote to memory of 2080 | 4844 | Syqcaa.exe | sxstrace.exe | 3
  PID 4844 wrote to memory of 3876 | 4844 | Syqcaa.exe | sethc.exe | 3
  PID 4844 wrote to memory of 2068 | 4844 | Syqcaa.exe | notepad.exe | 5
  PID 2068 wrote to memory of 2460 | 2068 | notepad.exe | msedge.exe | 2
  PID 2460 wrote to memory of 4396 | 2460 | msedge.exe | msedge.exe | 2
  PID 2460 wrote to memory of 1244 | 2460 | msedge.exe | msedge.exe | 40
  PID 2460 wrote to memory of 1788 | 2460 | msedge.exe | msedge.exe | 2
  PID 2460 wrote to memory of 1680 | 2460 | msedge.exe | msedge.exe | 1
Processes
C:\Users\Admin\AppData\Local\Temp\d32c5920ed9458d43b110e3ed34a54d617e173c76f5841003570a8c9ac95f75d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d32c5920ed9458d43b110e3ed34a54d617e173c76f5841003570a8c9ac95f75d.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Roaming\Syqcaa.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Syqcaa.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\TapiUnattend.exe
      Command line: "C:\Windows\System32\TapiUnattend.exe"
    C:\Windows\SysWOW64\sxstrace.exe
      Command line: "C:\Windows\System32\sxstrace.exe"
    C:\Windows\SysWOW64\sethc.exe
      Command line: "C:\Windows\System32\sethc.exe"
    C:\Windows\SysWOW64\notepad.exe
      Command line: "C:\Windows\System32\notepad.exe"
      - Suspicious use of WriteProcessMemory
      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=notepad.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        - Adds Run key to start application
        - Enumerates system info in registry
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of WriteProcessMemory
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffbe0fe46f8,0x7ffbe0fe4708,0x7ffbe0fe4718
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,13702317726234445366,4542376050470738846,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,13702317726234445366,4542376050470738846,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
          - Suspicious behavior: EnumeratesProcesses
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,13702317726234445366,4542376050470738846,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2828 /prefetch:8
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,13702317726234445366,4542376050470738846,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3824 /prefetch:1
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,13702317726234445366,4542376050470738846,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3796 /prefetch:1
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2124,13702317726234445366,4542376050470738846,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5296 /prefetch:8
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,13702317726234445366,4542376050470738846,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5320 /prefetch:1
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2124,13702317726234445366,4542376050470738846,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4832 /prefetch:8
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,13702317726234445366,4542376050470738846,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5860 /prefetch:1
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,13702317726234445366,4542376050470738846,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5876 /prefetch:1
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,13702317726234445366,4542376050470738846,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4272 /prefetch:8
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
          - Drops file in Program Files directory
          C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff7e7c45460,0x7ff7e7c45470,0x7ff7e7c45480
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,13702317726234445366,4542376050470738846,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4272 /prefetch:8
          - Suspicious behavior: EnumeratesProcesses
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,13702317726234445366,4542376050470738846,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:1
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,13702317726234445366,4542376050470738846,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6264 /prefetch:1
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2124,13702317726234445366,4542376050470738846,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3408 /prefetch:8
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2124,13702317726234445366,4542376050470738846,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1940 /prefetch:8
      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=notepad.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbe0fe46f8,0x7ffbe0fe4708,0x7ffbe0fe4718
C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: c8ce7285f4bd4ade99ffd08c0351e308
  SHA1: c3de927f710893a2821e9ade59c80cbaab3b6e12
  SHA256: d434784b824ab0d1279c8d37b95219c3b9de8840827d9fb08e4f22a9022ef297
  SHA512: 7a958b60031dc96e7212be39dd999193029089992f0ed6c95e299f6914b6cfd5f126d9c98121c1f316b51f3e6806785cceaafa1e3d6c9bd317e7a858ff3f0646
- C:\Users\Admin\AppData\Roaming\Syq.bmp
  Filesize: 1.1MB
  MD5: 5d801ad9e4e0968882610093c2da99e4
  SHA1: d571efc92376e42b2d52990b46ac56301efe53eb
  SHA256: 01b6cc5ce5fefee474567d6976a6f1e16bfb7b04b284e1ad016628470a6ea64d
  SHA512: dedf3341c2102a8fe89d52d428a4462133e33f1a9342a308af3262c89292bcf9ac49ac7136a9bcf9c01728f4c6a7d62c3aa8ef1be630c4f5f4ae55a72de37465
- C:\Users\Admin\AppData\Roaming\Syqcaa.exe
  Filesize: 489KB
  MD5: 86788fb5973f81acb9f960562056b4e0
  SHA1: 649fe2ceeddb5176c9ecf42e9988974b4d6dfa9d
  SHA256: ad1c0fcad688cb96556b2794627851defb6ca697e4445d908d69472053aa28e4
  SHA512: f492aff12e080eb7f5d36004b10e28c5a4b184f538ad0d68597d85883dc73c59625653aa79034aec83ccd3c4c2ba8112024ade760606f6c1c64b385f8f3e065b
- \??\pipe\LOCAL\crashpad_2460_YLLMERDCPQMWKQOE
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
- memory/992-134-0x0000000000000000-mapping.dmp
- memory/1244-142-0x0000000000000000-mapping.dmp
- memory/1320-156-0x0000000000000000-mapping.dmp
- memory/1680-145-0x0000000000000000-mapping.dmp
- memory/1788-143-0x0000000000000000-mapping.dmp
- memory/1904-161-0x0000000000000000-mapping.dmp
- memory/1996-166-0x0000000000000000-mapping.dmp
- memory/2068-138-0x0000000000400000-0x0000000000455000-memory.dmp
  Filesize: 340KB
- memory/2068-137-0x0000000000000000-mapping.dmp
- memory/2080-135-0x0000000000000000-mapping.dmp
- memory/2460-139-0x0000000000000000-mapping.dmp
- memory/3144-174-0x0000000000000000-mapping.dmp
- memory/3144-154-0x0000000000000000-mapping.dmp
- memory/3200-148-0x0000000000000000-mapping.dmp
- memory/3800-170-0x0000000000000000-mapping.dmp
- memory/3824-150-0x0000000000000000-mapping.dmp
- memory/3876-136-0x0000000000000000-mapping.dmp
- memory/4120-160-0x0000000000000000-mapping.dmp
- memory/4240-162-0x0000000000000000-mapping.dmp
- memory/4276-152-0x0000000000000000-mapping.dmp
- memory/4396-140-0x0000000000000000-mapping.dmp
- memory/4840-172-0x0000000000000000-mapping.dmp
- memory/4844-130-0x0000000000000000-mapping.dmp
- memory/4856-164-0x0000000000000000-mapping.dmp
- memory/4908-158-0x0000000000000000-mapping.dmp
- memory/5000-168-0x0000000000000000-mapping.dmp
- memory/5060-165-0x0000000000000000-mapping.dmp