ceb6a0b8e1c27c75155ab28b9283fe488ae5daca15b0cc58ebfc009200c8e824

Analysis

max time kernel
91s
max time network
204s
platform
windows11-21h2_x64
resource
win11-20240611-en
resource tags

arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
submitted
29-06-2024 22:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Wave Goodbye.exe
Size

6.0MB
MD5

b67c09157b260b02037a716d28d7c34f
SHA1

a6da5549351e78fda395b5381dcf9e14240390fd
SHA256

ceb6a0b8e1c27c75155ab28b9283fe488ae5daca15b0cc58ebfc009200c8e824
SHA512

61cc65311af74f83ea950ef54661a5421df67026f7760e257ae3701b3b339f554ac1b42a63f2adafe142ad71a81c545b6749aac0a4f5c78eccd90d072fb7bbad
SSDEEP

98304:dHx3rQ9UT/cnDEuzHEAtpW1pAT0WaDMyaATQKC2witrFr9vQVN9x3gHWdFISYft4:73rpbcnDEuzkAtpWzATIaAEHVYJJmN/P

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

Wave Goodbye.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Wave Goodbye.exe
Drops file in Drivers directory 1 IoCs

Processes:

Wave Goodbye.exe

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts Wave Goodbye.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Wave Goodbye.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	Wave Goodbye.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Wave Goodbye.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Wave Goodbye.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Wave Goodbye.exe

Themida packer 9 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/memory/3112-0-0x0000000140000000-0x0000000140F65000-memory.dmp	themida
behavioral2/memory/3112-2-0x0000000140000000-0x0000000140F65000-memory.dmp	themida
behavioral2/memory/3112-4-0x0000000140000000-0x0000000140F65000-memory.dmp	themida
behavioral2/memory/3112-5-0x0000000140000000-0x0000000140F65000-memory.dmp	themida
behavioral2/memory/3112-3-0x0000000140000000-0x0000000140F65000-memory.dmp	themida
behavioral2/memory/3112-6-0x0000000140000000-0x0000000140F65000-memory.dmp	themida
behavioral2/memory/3112-171-0x0000000140000000-0x0000000140F65000-memory.dmp	themida
behavioral2/memory/3112-174-0x0000000140000000-0x0000000140F65000-memory.dmp	themida
behavioral2/memory/3112-176-0x0000000140000000-0x0000000140F65000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

Wave Goodbye.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Wave Goodbye.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

1 discord.com
12 discord.com
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

Wave Goodbye.exe

pid process

3112 Wave Goodbye.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Wave Goodbye.exe

flow	ioc
1	discord.com
12	discord.com

pid	process
3112	Wave Goodbye.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1560405787-796225086-678739705-1000\{FBD6C67C-53F9-4EC9-B4A2-C5D9DD1301DD}	msedge.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

Wave Goodbye.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\144E3687B1ABF2C93D845118485A9E9E4407C93A	Wave Goodbye.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\144E3687B1ABF2C93D845118485A9E9E4407C93A\Blob = 030000000100000014000000144e3687b1abf2c93d845118485a9e9e4407c93a2000000001000000b9050000308205b53082039da00302010202140c1f3dced2c83786458b8b3d31fdbfb6558aa8d3300d06092a864886f70d01010b0500306a310b30090603550406130255533113301106035504080c0a43616c69666f726e696131223020060355040a0c19476f6f676c65205472757374205365727669636573204c4c433122302006035504030c19476f6f676c65205472757374205365727669636573204c4c43301e170d3234303630343132313431385a170d3239303630343132313431385a306a310b30090603550406130255533113301106035504080c0a43616c69666f726e696131223020060355040a0c19476f6f676c65205472757374205365727669636573204c4c433122302006035504030c19476f6f676c65205472757374205365727669636573204c4c4330820222300d06092a864886f70d01010105000382020f003082020a0282020100d6b1e4c30f439b224fdad6d7f0686d1d2c05e728c325f8c1da9513002a40a83424bb47b782467f3077d13bb2f3b254f573d17b7817e595888c548b02e845f8a34c2dd1b385675a87ab87e8428b3c6c0bdd16a24ea10495480af3582e55316f9c0731ef7f3c4fd15015899655f5a2a45cc9fee0a92200c073d48f1e437190720766f19bffa8d59fffadd3525f523e31a6cfdd633708c2a195b61ec910b8c302c99ac42baee759e1be9def6b01b02accef28aa13a9335e5d05e03cfb97c4c5efc7cce1d0854fb0085dd191acd9445bd193a6768131c336da2ebff5fd1508e7b93db45c54ea495f6486ef7539f614b9ba8b51877e23f3ee35c7b3cf9eac34bdbb89c2851671a19ab19111dbe647b206e0a014d7a8dc8acfb4115ad5c1b949d033d328d68e3280d6b7da552e7913f76378f18bbd2ad97ba05d42f80626515b47eac6d9613768113a31462d6ce41eef081aa359e83f0d4f4648352fda4f31d0ff8d5072152fbbaa6f51839d215c482f7e14fc7c6d52430fc1c2922ec081ce64534318e0764ede4f3f619e6cecc68b97ebb2dba85d47250181d4c649f34540ebe60ab64d3eabae9001dc3fcd15d9027f4b3babe6efcc012821ba49da004cdb4d367f77faec3ef44dad14f36ca7847381dba54468bdb3797dbdb30ce9b1f2b3ea39a7c1985f3ae3f3ee4e1d699dc60b70ab3559d360b752ffe5867efa6025fa022f825d0203010001a3533051301d0603551d0e04160414259f70a24e8b332df0f8d98bd36ce93fabc894ab301f0603551d23041830168014259f70a24e8b332df0f8d98bd36ce93fabc894ab300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038202010020e5f289742cba5c4627793a8a2f0d14d59acbf92bb4f97cbdeaf80208fc6027fecb3f1e4bca7dddfabf486f12d0098816361eccb47f037001dc7c5d16124c0025fad0ab4d35dccb3a624dbe5c0e38fe60658abad9f572ecca5df3f774d5a5eb5dbb56406ece7bbce47fa74d40ff0ba3309a9f95e791f980cec44b9da29604835db786bbdf714ab712c6287fc4940ef7f0449f3029e940fe61b290c2cea73b783fbaa21ea4a8b3f6cfdcc63b9dbd6a8731964aab6383ec01eea8fbf142778eddf538b022aaa4ac101e33a196aaa6d11aeeeaa37dd4d8f5d6bfa42c8fb58cc7adb08f38502592084a51f2d1ebd356991c837072879b1240993bf4ad01adcb998860f8c4680d6d76f2c5c68afe5de757deab7877bb287eb60fc46392a8113cd45a094b88101ec0d0c5d34dc4d3b4870567188aeb1f8df2c26fd5d12667575c71ea1bf272e424af711170b617ec3a5ce1a0db9a208b31b3b1048b61267b16d5287ee575d5b293988879775eee5d4392aa8f8eb3b39f91203a40990fd4d84c9965acd373bea5e44fa38491c08ac7c0bf6daa246b2b618b12a1756ff12ef401b7d38cdc6bfb0b5ecb7c89f113bf13c827a854492f65e4ee6c9e70fae22dcce01aec83294ba3ed620ab9ca681d6bb71bb4d397ba744d22912bca79aee83287e49593914e0001d4006acc74cdc83da2160f1deb7ac0fe5046c557771eefb82a4758929d	Wave Goodbye.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\144E3687B1ABF2C93D845118485A9E9E4407C93A	Wave Goodbye.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

msedge.exemsedge.exemsedge.exe

pid process

3352 msedge.exe
3352 msedge.exe
1636 msedge.exe
1636 msedge.exe
2536 msedge.exe
2536 msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

msedge.exe

pid process

1636 msedge.exe
1636 msedge.exe
1636 msedge.exe

pid	process
3352	msedge.exe
3352	msedge.exe
1636	msedge.exe
1636	msedge.exe
2536	msedge.exe
2536	msedge.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

msedge.exe

pid	process
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

msedge.exe

pid process

1636 msedge.exe
1636 msedge.exe
1636 msedge.exe
1636 msedge.exe
1636 msedge.exe
1636 msedge.exe
1636 msedge.exe
1636 msedge.exe
1636 msedge.exe
1636 msedge.exe
1636 msedge.exe
1636 msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Wave Goodbye.exemsedge.exe

description	pid	process	target process
PID 3112 wrote to memory of 1636	3112	Wave Goodbye.exe	msedge.exe
PID 3112 wrote to memory of 1636	3112	Wave Goodbye.exe	msedge.exe
PID 1636 wrote to memory of 3660	1636	msedge.exe	msedge.exe
PID 1636 wrote to memory of 3660	1636	msedge.exe	msedge.exe
PID 1636 wrote to memory of 1728	1636	msedge.exe	msedge.exe
PID 1636 wrote to memory of 1728	1636	msedge.exe	msedge.exe
PID 1636 wrote to memory of 1728	1636	msedge.exe	msedge.exe
PID 1636 wrote to memory of 1728	1636	msedge.exe	msedge.exe
PID 1636 wrote to memory of 1728	1636	msedge.exe	msedge.exe
PID 1636 wrote to memory of 1728	1636	msedge.exe	msedge.exe
PID 1636 wrote to memory of 1728	1636	msedge.exe	msedge.exe
PID 1636 wrote to memory of 1728	1636	msedge.exe	msedge.exe
PID 1636 wrote to memory of 1728	1636	msedge.exe	msedge.exe
PID 1636 wrote to memory of 1728	1636	msedge.exe	msedge.exe
PID 1636 wrote to memory of 1728	1636	msedge.exe	msedge.exe
PID 1636 wrote to memory of 1728	1636	msedge.exe	msedge.exe
PID 1636 wrote to memory of 1728	1636	msedge.exe	msedge.exe
PID 1636 wrote to memory of 1728	1636	msedge.exe	msedge.exe
PID 1636 wrote to memory of 1728	1636	msedge.exe	msedge.exe
PID 1636 wrote to memory of 1728	1636	msedge.exe	msedge.exe
PID 1636 wrote to memory of 1728	1636	msedge.exe	msedge.exe
PID 1636 wrote to memory of 1728	1636	msedge.exe	msedge.exe
PID 1636 wrote to memory of 1728	1636	msedge.exe	msedge.exe
PID 1636 wrote to memory of 1728	1636	msedge.exe	msedge.exe
PID 1636 wrote to memory of 1728	1636	msedge.exe	msedge.exe
PID 1636 wrote to memory of 1728	1636	msedge.exe	msedge.exe
PID 1636 wrote to memory of 1728	1636	msedge.exe	msedge.exe
PID 1636 wrote to memory of 1728	1636	msedge.exe	msedge.exe
PID 1636 wrote to memory of 1728	1636	msedge.exe	msedge.exe
PID 1636 wrote to memory of 1728	1636	msedge.exe	msedge.exe
PID 1636 wrote to memory of 1728	1636	msedge.exe	msedge.exe
PID 1636 wrote to memory of 1728	1636	msedge.exe	msedge.exe
PID 1636 wrote to memory of 1728	1636	msedge.exe	msedge.exe
PID 1636 wrote to memory of 1728	1636	msedge.exe	msedge.exe
PID 1636 wrote to memory of 1728	1636	msedge.exe	msedge.exe
PID 1636 wrote to memory of 1728	1636	msedge.exe	msedge.exe
PID 1636 wrote to memory of 1728	1636	msedge.exe	msedge.exe
PID 1636 wrote to memory of 1728	1636	msedge.exe	msedge.exe
PID 1636 wrote to memory of 1728	1636	msedge.exe	msedge.exe
PID 1636 wrote to memory of 1728	1636	msedge.exe	msedge.exe
PID 1636 wrote to memory of 1728	1636	msedge.exe	msedge.exe
PID 1636 wrote to memory of 1728	1636	msedge.exe	msedge.exe
PID 1636 wrote to memory of 1728	1636	msedge.exe	msedge.exe
PID 1636 wrote to memory of 1728	1636	msedge.exe	msedge.exe
PID 1636 wrote to memory of 3352	1636	msedge.exe	msedge.exe
PID 1636 wrote to memory of 3352	1636	msedge.exe	msedge.exe
PID 1636 wrote to memory of 1156	1636	msedge.exe	msedge.exe
PID 1636 wrote to memory of 1156	1636	msedge.exe	msedge.exe
PID 1636 wrote to memory of 1156	1636	msedge.exe	msedge.exe
PID 1636 wrote to memory of 1156	1636	msedge.exe	msedge.exe
PID 1636 wrote to memory of 1156	1636	msedge.exe	msedge.exe
PID 1636 wrote to memory of 1156	1636	msedge.exe	msedge.exe
PID 1636 wrote to memory of 1156	1636	msedge.exe	msedge.exe
PID 1636 wrote to memory of 1156	1636	msedge.exe	msedge.exe
PID 1636 wrote to memory of 1156	1636	msedge.exe	msedge.exe
PID 1636 wrote to memory of 1156	1636	msedge.exe	msedge.exe
PID 1636 wrote to memory of 1156	1636	msedge.exe	msedge.exe
PID 1636 wrote to memory of 1156	1636	msedge.exe	msedge.exe
PID 1636 wrote to memory of 1156	1636	msedge.exe	msedge.exe
PID 1636 wrote to memory of 1156	1636	msedge.exe	msedge.exe
PID 1636 wrote to memory of 1156	1636	msedge.exe	msedge.exe
PID 1636 wrote to memory of 1156	1636	msedge.exe	msedge.exe
PID 1636 wrote to memory of 1156	1636	msedge.exe	msedge.exe
PID 1636 wrote to memory of 1156	1636	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\Wave Goodbye.exe
"C:\Users\Admin\AppData\Local\Temp\Wave Goodbye.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Drops file in Drivers directory
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:3112

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/6NNYUEXAR2
2⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1636

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffb6ecd3cb8,0x7ffb6ecd3cc8,0x7ffb6ecd3cd8
3⤵
PID:3660

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1892,17346775435565176384,12261232912311889851,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1904 /prefetch:2
3⤵
PID:1728

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1892,17346775435565176384,12261232912311889851,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2380 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3352

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1892,17346775435565176384,12261232912311889851,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2720 /prefetch:8
3⤵
PID:1156

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,17346775435565176384,12261232912311889851,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3172 /prefetch:1
3⤵
PID:3512

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,17346775435565176384,12261232912311889851,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3180 /prefetch:1
3⤵
PID:4820

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,17346775435565176384,12261232912311889851,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4688 /prefetch:1
3⤵
PID:2172

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1892,17346775435565176384,12261232912311889851,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4084 /prefetch:8
3⤵
PID:780

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1892,17346775435565176384,12261232912311889851,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4028 /prefetch:8
3⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2536

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1368

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4600

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
196eaa9f7a574c29bd419f9d8c2d9349

SHA1
19982d15d1e2688903b0a3e53a8517ab537b68ed

SHA256
df1e96677bcfffe5044826aa14a11e85ef2ebb014ee9e890e723a14dc5f31412

SHA512
e066d74da36a459c19db30e68b703ec9f92019f2d5f24fd476a5fd3653c0b453871e2c08cdc47f2b4d4c4be19ff99e6ef3956d93b2d7d0a69645577d44125ac7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
f717f56b5d8e2e057c440a5a81043662

SHA1
0ad6c9bbd28dab5c9664bad04db95fd50db36b3f

SHA256
4286cd3f23251d0a607e47eccb5e0f4af8542d38b32879d2db2ab7f4e6031945

SHA512
61e263935d51028ec0aab51b938b880945a950cec9635a0dafddf795658ea0a2dfcf9cfc0cab5459b659bb7204347b047a5c6b924fabea44ce389b1cbb9867d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
456B

MD5
8a6325d6892d044fac2b7c658866fc28

SHA1
1dc11cd888e8c4860cb1bbf1bcf4c98ae749ab88

SHA256
93220ee079895340691469ed19b8afcea982c776a8571ce72eab217cf60b513f

SHA512
f959b4792626afeeff9f8539d20b82435663965a7c282ff12ef60952b6b51ec2e9e566265cfd63c915c72cc0b4c70bcacb95d0ec6298fdde9c59022d6c5c596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
247B

MD5
94bd83393ee4e3c749f28c3414160cbc

SHA1
68effb04ecc392f2ae4ad7bdc1e99b9116da474c

SHA256
e1dbf44fca250f32925910fcd7f59276e46d0d916eff30fdf9f85ef91bcd3d4b

SHA512
203109a405cd685a195e6cdae5d0a624abcd6c6a9333b88f312e50f96bafa03057366bd78bf62df8784ec97f14677d56f8b78b472000044618a784bcf7af3e8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
2d421533e3a20b14d2f3736db4e73934

SHA1
65e027550d736023821775a29080b2c849684bc5

SHA256
ff750cf66da799ac8d40b2c3a7e6aa7bf4a48f32b003006befa75ce3d5ce37d8

SHA512
0d84b7689ebc2637ab7bbdaaa57f4ba82592642f272b5101b75e2dcb91a0525a8f6e7d5c7efbb34ac0ee228d5e88979c06c1218113218674c50b717260d02b79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
d6176e960801134842b103d0cd6d1ef4

SHA1
33798b04c76fd6a6983cea2b82894ce35e8dc6e7

SHA256
d06479185806decd2fb162fd685898534e32c6b4aac67c9d4324287e4a5427f7

SHA512
dd60b62e0143d13e667b721e7a70ea0e408ee2d1bcf4c7c52be49df1d49d3066c8be8e29ac16ee70dcfa22dc35c36576bd3becff0dc87feb816039a1ae9fd490

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
10db3723327cb70273a7951556320ab2

SHA1
208642ccd24515cf45c5e39282f3878ee18e3459

SHA256
7e0a5086631d5e8e9fdc48cdaa457d3d1a64ef979eaa9340535e2561813d8f25

SHA512
c00c8e666d4e50508ca18bba2167260fee43732d0ed0754a71ff9bcb72939b47d87db227f464c174c48ea9c144950939a634f44d39dcf0c587cb7fe5cccea8c4

Download Submit
\??\pipe\LOCAL\crashpad_1636_FLALWDSLGEQZWSYV
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/3112-0-0x0000000140000000-0x0000000140F65000-memory.dmp

Filesize
15.4MB

Download
memory/3112-6-0x0000000140000000-0x0000000140F65000-memory.dmp

Filesize
15.4MB

Download
memory/3112-3-0x0000000140000000-0x0000000140F65000-memory.dmp

Filesize
15.4MB

Download
memory/3112-5-0x0000000140000000-0x0000000140F65000-memory.dmp

Filesize
15.4MB

Download
memory/3112-4-0x0000000140000000-0x0000000140F65000-memory.dmp

Filesize
15.4MB

Download
memory/3112-2-0x0000000140000000-0x0000000140F65000-memory.dmp

Filesize
15.4MB

Download
memory/3112-1-0x00007FFB7E1A7000-0x00007FFB7E1A9000-memory.dmp

Filesize
8KB

Download
memory/3112-171-0x0000000140000000-0x0000000140F65000-memory.dmp

Filesize
15.4MB

Download
memory/3112-174-0x0000000140000000-0x0000000140F65000-memory.dmp

Filesize
15.4MB

Download
memory/3112-176-0x0000000140000000-0x0000000140F65000-memory.dmp

Filesize
15.4MB

Download