Analysis

max time kernel: 71s
max time network: 69s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-06-2024 22:32

Static task: static1
URLScan task: urlscan1

Behavioral task: behavioral1
  Sample: https://mega.nz/file/V9UzmQqb#yiHdxdBnKgZKIOr5a8Ka_rUojMaR6thk901zfdqCfds
  Resource: win10v2004-20240611-en

Behavioral task: behavioral2
  Sample: https://mega.nz/file/V9UzmQqb#yiHdxdBnKgZKIOr5a8Ka_rUojMaR6thk901zfdqCfds
  Resource: win11-20240611-en
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
- Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (Wave Goodbye.exe)

Drops file in Drivers directory (1 IoC)
- File opened for modification: C:\Windows\system32\drivers\etc\hosts (Wave Goodbye.exe)

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (Wave Goodbye.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (Wave Goodbye.exe)

Executes dropped EXE (1 IoC)
- PID 5456 Wave Goodbye.exe

YARA rule match: themida
- C:\Users\Admin\Downloads\Wave Goodbye.exe
- behavioral1 memory dumps of PID 5456, region 0x0000000140000000-0x0000000140F65000 (snapshots 237, 238, 239, 240, 241, 242, 304 and 339)

Checks whether UAC is enabled
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (Wave Goodbye.exe)

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)

Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
- PID 5456 Wave Goodbye.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Enumerates system info in registry (2 TTPs, 3 IoCs)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)

Modifies registry class (2 IoCs)
- Key created: \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings (msedge.exe)
- Key created: \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-200405930-3877336739-3533750831-1000\{68583DAF-CB37-47B2-8913-00A84B7423BF} (msedge.exe)

Modifies system certificate store
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\144E3687B1ABF2C93D845118485A9E9E4407C93A (Wave Goodbye.exe)
- Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\144E3687B1ABF2C93D845118485A9E9E4407C93A\Blob (Wave Goodbye.exe)

NTFS ADS (1 IoC)
- File opened for modification: C:\Users\Admin\Downloads\Unconfirmed 983278.crdownload:SmartScreen (msedge.exe)

Suspicious behavior: EnumeratesProcesses (10 IoCs)
- PID 2400 msedge.exe, PID 2068 msedge.exe, PID 4016 identity_helper.exe, PID 5744 msedge.exe, PID 1344 msedge.exe (two entries each)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (9 IoCs)
- PID 2068 msedge.exe (9 entries)

Suspicious use of AdjustPrivilegeToken (7 IoCs)
- Token: 33, PID 5016 AUDIODG.EXE
- Token: SeIncBasePriorityPrivilege, PID 5016 AUDIODG.EXE
- Token: SeBackupPrivilege, PID 5496 svchost.exe
- Token: SeRestorePrivilege, PID 5496 svchost.exe
- Token: SeSecurityPrivilege, PID 5496 svchost.exe
- Token: SeTakeOwnershipPrivilege, PID 5496 svchost.exe
- Token: 35, PID 5496 svchost.exe

Suspicious use of FindShellTrayWindow (43 IoCs)
- PID 2068 msedge.exe (43 entries)

Suspicious use of SendNotifyMessage (32 IoCs)
- PID 2068 msedge.exe (32 entries)

Suspicious use of SetWindowsHookEx (1 IoC)
- PID 5456 Wave Goodbye.exe

Suspicious use of WriteProcessMemory (64 IoCs)
- PID 2068 msedge.exe wrote to the memory of PIDs 680, 2236, 2400 and 4956 (all msedge.exe); 64 entries in total
Processes

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mega.nz/file/V9UzmQqb#yiHdxdBnKgZKIOr5a8Ka_rUojMaR6thk901zfdqCfds
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffb7be46f8,0x7fffb7be4708,0x7fffb7be4718

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,10997288370940239782,10550235182608854723,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,10997288370940239782,10550235182608854723,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:3
  - Suspicious behavior: EnumeratesProcesses

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,10997288370940239782,10550235182608854723,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3008 /prefetch:8

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,10997288370940239782,10550235182608854723,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,10997288370940239782,10550235182608854723,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2120,10997288370940239782,10550235182608854723,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5212 /prefetch:8

  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,10997288370940239782,10550235182608854723,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5764 /prefetch:8

  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,10997288370940239782,10550235182608854723,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5764 /prefetch:8
  - Suspicious behavior: EnumeratesProcesses

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2120,10997288370940239782,10550235182608854723,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5336 /prefetch:8

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,10997288370940239782,10550235182608854723,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:1

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2120,10997288370940239782,10550235182608854723,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6316 /prefetch:8

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,10997288370940239782,10550235182608854723,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6440 /prefetch:1

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,10997288370940239782,10550235182608854723,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6072 /prefetch:1

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,10997288370940239782,10550235182608854723,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5892 /prefetch:1

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,10997288370940239782,10550235182608854723,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6444 /prefetch:1

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2120,10997288370940239782,10550235182608854723,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6440 /prefetch:8
  - Suspicious behavior: EnumeratesProcesses

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,10997288370940239782,10550235182608854723,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3768 /prefetch:1

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,10997288370940239782,10550235182608854723,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6492 /prefetch:1

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2120,10997288370940239782,10550235182608854723,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6000 /prefetch:8
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\system32\AUDIODG.EXE 0x150 0x424
- Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\system32\svchost.exe -k SDRSVC
- Suspicious use of AdjustPrivilegeToken

"C:\Users\Admin\Downloads\Wave Goodbye.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Drops file in Drivers directory
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/6NNYUEXAR2

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7fffb7be46f8,0x7fffb7be4708,0x7fffb7be4718
Downloads