Analysis
max time kernel: 148s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-06-2024 22:38
Behavioral task: behavioral1
Sample: Wave Goodbye.exe
Resource: win7-20231129-en
General
Target: Wave Goodbye.exe
Size: 6.0MB
MD5: b67c09157b260b02037a716d28d7c34f
SHA1: a6da5549351e78fda395b5381dcf9e14240390fd
SHA256: ceb6a0b8e1c27c75155ab28b9283fe488ae5daca15b0cc58ebfc009200c8e824
SHA512: 61cc65311af74f83ea950ef54661a5421df67026f7760e257ae3701b3b339f554ac1b42a63f2adafe142ad71a81c545b6749aac0a4f5c78eccd90d072fb7bbad
SSDEEP: 98304:dHx3rQ9UT/cnDEuzHEAtpW1pAT0WaDMyaATQKC2witrFr9vQVN9x3gHWdFISYft4:73rpbcnDEuzkAtpWzATIaAEHVYJJmN/P
Malware Config
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
Processes:
- Wave Goodbye.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Downloads MZ/PE file
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes:
- Wave Goodbye.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
- Wave Goodbye.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
Executes dropped EXE (1 IoC)
Processes:
- PID 5224 WaveInstaller.exe
YARA rule match: themida (8 IoCs)
Memory dumps of PID 1168 (Wave Goodbye.exe) that matched the themida rule; all eight cover the same region 0x0000000140000000-0x0000000140F65000:
- behavioral2/memory/1168-0-0x0000000140000000-0x0000000140F65000-memory.dmp
- behavioral2/memory/1168-2-0x0000000140000000-0x0000000140F65000-memory.dmp
- behavioral2/memory/1168-3-0x0000000140000000-0x0000000140F65000-memory.dmp
- behavioral2/memory/1168-4-0x0000000140000000-0x0000000140F65000-memory.dmp
- behavioral2/memory/1168-5-0x0000000140000000-0x0000000140F65000-memory.dmp
- behavioral2/memory/1168-6-0x0000000140000000-0x0000000140F65000-memory.dmp
- behavioral2/memory/1168-41-0x0000000140000000-0x0000000140F65000-memory.dmp
- behavioral2/memory/1168-119-0x0000000140000000-0x0000000140F65000-memory.dmp
Checks whether UAC is enabled (1 IoC)
Processes:
- Wave Goodbye.exe: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 4 IoCs)
Network flows:
- flow 30: discord.com
- flow 31: discord.com
- flow 104: raw.githubusercontent.com
- flow 105: raw.githubusercontent.com
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
Processes:
- PID 1168 Wave Goodbye.exe
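The anti-VM, BIOS, UAC, hide-from-debugger and hosting-abuse signatures above are pattern matches over the sandbox's registry, API and DNS events. The script below is an added example, not part of this report and not the sandbox's own rule engine: it re-creates those signatures over a constructed event list built from the IoCs printed here, then scores evasion signatures per process, which is what separates an installer that merely reads BIOS strings from a sample that also hides its threads from the debugger. Assumptions not taken from the page: the ATT&CK technique ids (my mapping; the report's TTP column did not render), the cdn.discordapp.com entry in the hosting rule, the attribution of the DNS events to msedge.exe (the report records them only as flows), and the msftconnecttest.com negative control.

```python
"""Re-creation of this report's sandbox-evasion signatures over an event list.
Added example; not Triage's rule engine."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    pid: int
    image: str
    kind: str     # "regopen" | "regquery" | "apicall" | "dns"
    target: str   # registry path, API call, or resolved hostname


# (signature name as printed in this report, event kind, regex on target, ATT&CK id).
# The ATT&CK ids are my own mapping (assumption); the report's TTP column did not render.
RULES = [
    ("Identifies VirtualBox via ACPI registry values (likely anti-VM)", "regopen",
     r"^\\REGISTRY\\MACHINE\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__$", "T1497.001"),
    ("Checks BIOS information in registry", "regquery",
     r"^\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\(SystemBiosVersion|VideoBiosVersion)$",
     "T1497.001"),
    ("Suspicious use of NtSetInformationThreadHideFromDebugger", "apicall",
     r"^NtSetInformationThread\(ThreadHideFromDebugger\)$", "T1622"),
    ("Checks whether UAC is enabled", "regquery",
     r"\\Policies\\System\\EnableLUA$", "T1012"),
    ("Enumerates system info in registry", "regquery",
     r"\\HARDWARE\\DESCRIPTION\\System\\BIOS\\(SystemManufacturer|SystemProductName)$", "T1082"),
    ("Legitimate hosting services abused for malware hosting/C2", "dns",
     r"^(discord\.com|cdn\.discordapp\.com|raw\.githubusercontent\.com)$", "T1102"),
]
TECHNIQUE = {name: tech for name, _, _, tech in RULES}
EVASION_TECHNIQUES = {"T1497.001", "T1622"}   # what the per-process score counts


def match_events(events):
    """Return {signature name: [(pid, image, target), ...]} for every rule that fires."""
    hits = defaultdict(list)
    for ev in events:
        for name, kind, pattern, _ in RULES:
            if ev.kind == kind and re.search(pattern, ev.target, re.IGNORECASE):
                hits[name].append((ev.pid, ev.image, ev.target))
    return dict(hits)


def evasion_score(events):
    """Distinct evasion signatures per (pid, image). One hit is weak evidence
    (legitimate installers read BIOS strings too); several in one process is
    the pattern worth alerting on."""
    per_process = defaultdict(set)
    for name, rows in match_events(events).items():
        if TECHNIQUE[name] in EVASION_TECHNIQUES:
            for pid, image, _ in rows:
                per_process[(pid, image)].add(name)
    return {key: len(names) for key, names in per_process.items()}


# Constructed from this report's IoCs. The DNS events are attributed to msedge.exe
# here for illustration only (the report records them as flows 30/31/104/105 with
# no process); msftconnecttest.com is an invented negative control.
SAMPLE_EVENTS = [
    Event(1168, "Wave Goodbye.exe", "regopen",  r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__"),
    Event(1168, "Wave Goodbye.exe", "regquery", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"),
    Event(1168, "Wave Goodbye.exe", "regquery", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion"),
    Event(1168, "Wave Goodbye.exe", "regquery",
          r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"),
    Event(1168, "Wave Goodbye.exe", "apicall",  "NtSetInformationThread(ThreadHideFromDebugger)"),
    Event(2360, "msedge.exe", "regquery", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer"),
    Event(2360, "msedge.exe", "regquery", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName"),
    Event(2360, "msedge.exe", "dns", "discord.com"),
    Event(2360, "msedge.exe", "dns", "raw.githubusercontent.com"),
    Event(2360, "msedge.exe", "dns", "msftconnecttest.com"),
]

if __name__ == "__main__":
    for name, rows in match_events(SAMPLE_EVENTS).items():
        print(f"{name} ({len(rows)} IoCs)")
        for pid, image, target in rows:
            print(f"  {image} [{pid}]: {target}")
    print("evasion score:", evasion_score(SAMPLE_EVENTS))
```

Run directly, Wave Goodbye.exe (PID 1168) comes out with three distinct evasion signatures while msedge.exe only trips the benign system-information rule. In a real pipeline key the hosting-abuse rule on the flow table rather than on whichever process happened to resolve the name, since the sandbox records those hits without a process.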
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
- msedge.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
- msedge.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
- msedge.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName
Modifies registry class (1 IoC)
Processes:
- msedge.exe: Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2080292272-204036150-2159171770-1000\{59C5F54A-CF77-4D87-BD94-E1D439865D92}
NTFS ADS (1 IoC)
Processes:
- msedge.exe: File opened for modification C:\Users\Admin\Downloads\Unconfirmed 73953.crdownload:SmartScreen
The :SmartScreen stream is written by Edge itself on files it downloads, next to the Zone.Identifier mark-of-the-web; this IoC records the browser tagging the download, not the sample hiding data in an alternate stream.
Suspicious behavior: EnumeratesProcesses (14 IoCs)
Processes:
- PID 2616 msedge.exe (2 rows)
- PID 2360 msedge.exe (2 rows)
- PID 4912 msedge.exe (2 rows)
- PID 5500 identity_helper.exe (2 rows)
- PID 5708 msedge.exe (2 rows)
- PID 1668 msedge.exe (4 rows)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (15 IoCs)
Processes:
- PID 2360 msedge.exe (all 15 rows)
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
- PID 5224 WaveInstaller.exe: Token: SeDebugPrivilege
Suspicious use of FindShellTrayWindow (35 IoCs)
Processes:
- PID 2360 msedge.exe (all 35 rows)
Suspicious use of SendNotifyMessage (24 IoCs)
Processes:
- PID 2360 msedge.exe (all 24 rows)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes (source PID wrote to memory of target PID; the table repeats a pair once per write, so only the distinct pairs are listed):
- PID 1168 Wave Goodbye.exe -> PID 2360 msedge.exe
- PID 2360 msedge.exe -> PID 2308 msedge.exe
- PID 2360 msedge.exe -> PID 4492 msedge.exe
- PID 2360 msedge.exe -> PID 2616 msedge.exe
- PID 2360 msedge.exe -> PID 3020 msedge.exe
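The WriteProcessMemory table above is flattened: each row reads "PID <src> wrote to memory of <dst> <src> <src image> <dst image>" and is repeated once per write. The parser below is an added example, not part of the report: it rebuilds the distinct edges and labels each one against a parent map. The map is my assumption from the Processes tree (msedge.exe 2360 is the child of Wave Goodbye.exe 1168; 2308 and 4492 are taken to be 2360's own children), and the last sample row, a write from 1168 into an explorer.exe with PID 4321, is invented and not in the report; it is there only to show how a genuine cross-process write would stand out.

```python
"""Parser for the flattened 'Suspicious use of WriteProcessMemory' table.
Added example; not part of the report."""
import re
from collections import Counter

# Each row: PID <src> wrote to memory of <dst> <src again> <src image> <dst image>
ROW = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (.+?\.exe) (.+?\.exe)")


def parse_wpm_rows(text):
    """Return one (src_pid, src_image, dst_pid, dst_image) tuple per row."""
    rows = []
    for src, dst, src_again, src_img, dst_img in ROW.findall(text):
        if src != src_again:   # the third column repeats the source pid
            raise ValueError(f"malformed row: {src} vs {src_again}")
        rows.append((int(src), src_img, int(dst), dst_img))
    return rows


def classify_writes(rows, parent_of):
    """Collapse rows into distinct edges and label each one.
    parent_of maps child pid -> parent pid. A process writing into a process it
    just created is what CreateProcess does (the startup parameters go into the
    new address space); a write into any other process is the injection pattern."""
    out = {}
    for edge, n in Counter(rows).items():
        src, _, dst, _ = edge
        if parent_of.get(dst) == src:
            label = "parent->child (process creation)"
        else:
            label = "cross-process write (investigate)"
        out[edge] = (n, label)
    return out


# Constructed sample: the first rows of this report's table as they appear
# (duplicates kept), plus one invented row, 1168 -> explorer.exe 4321, that is
# NOT in the report and only shows how a real injection would surface.
SAMPLE_TABLE = (
    "PID 1168 wrote to memory of 2360 1168 Wave Goodbye.exe msedge.exe "
    "PID 1168 wrote to memory of 2360 1168 Wave Goodbye.exe msedge.exe "
    "PID 2360 wrote to memory of 2308 2360 msedge.exe msedge.exe "
    "PID 2360 wrote to memory of 2308 2360 msedge.exe msedge.exe "
    "PID 2360 wrote to memory of 4492 2360 msedge.exe msedge.exe "
    "PID 2360 wrote to memory of 4492 2360 msedge.exe msedge.exe "
    "PID 2360 wrote to memory of 4492 2360 msedge.exe msedge.exe "
    "PID 1168 wrote to memory of 4321 1168 Wave Goodbye.exe explorer.exe"
)
# Assumed parent map from the Processes tree: msedge.exe 2360 is the child of
# Wave Goodbye.exe 1168; 2308 and 4492 are taken to be 2360's own children.
PARENT_OF = {2360: 1168, 2308: 2360, 4492: 2360}


def analyse(text=SAMPLE_TABLE, parent_of=PARENT_OF):
    return classify_writes(parse_wpm_rows(text), parent_of)


if __name__ == "__main__":
    for (src, src_img, dst, dst_img), (n, label) in analyse().items():
        print(f"{src_img} [{src}] -> {dst_img} [{dst}]: {n} write(s), {label}")
```

The label is the point: every edge in this report runs from a process into one it created, which is ordinary process-creation behaviour for a launcher opening a browser and for a Chromium-based browser spawning its helper processes, so the 64 IoCs here do not by themselves indicate injection. Only the invented 1168 -> explorer.exe row earns the "investigate" label.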
Processes (indentation = depth in the process tree; bullets = signatures triggered by that process)

[1] "C:\Users\Admin\AppData\Local\Temp\Wave Goodbye.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of WriteProcessMemory
    [2] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/6NNYUEXAR2
        - Enumerates system info in registry
        - NTFS ADS
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory
        [3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe75ad46f8,0x7ffe75ad4708,0x7ffe75ad4718
        [3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,15422493033064297388,12115057764121160618,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
        [3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,15422493033064297388,12115057764121160618,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 /prefetch:3
            - Suspicious behavior: EnumeratesProcesses
        [3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,15422493033064297388,12115057764121160618,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2520 /prefetch:8
        [3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,15422493033064297388,12115057764121160618,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3164 /prefetch:1
        [3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,15422493033064297388,12115057764121160618,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3184 /prefetch:1
        [3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,15422493033064297388,12115057764121160618,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:1
        [3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2092,15422493033064297388,12115057764121160618,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5244 /prefetch:8
        [3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2092,15422493033064297388,12115057764121160618,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5252 /prefetch:8
            - Modifies registry class
            - Suspicious behavior: EnumeratesProcesses
        [3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,15422493033064297388,12115057764121160618,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:1
        [3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,15422493033064297388,12115057764121160618,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3652 /prefetch:1
        [3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,15422493033064297388,12115057764121160618,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4780 /prefetch:1
        [3] "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,15422493033064297388,12115057764121160618,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5800 /prefetch:8
        [3] "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,15422493033064297388,12115057764121160618,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5800 /prefetch:8
            - Suspicious behavior: EnumeratesProcesses
        [3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,15422493033064297388,12115057764121160618,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3596 /prefetch:1
        [3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,15422493033064297388,12115057764121160618,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5924 /prefetch:1
        [3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,15422493033064297388,12115057764121160618,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5972 /prefetch:1
        [3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2092,15422493033064297388,12115057764121160618,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5220 /prefetch:8
        [3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,15422493033064297388,12115057764121160618,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1
        [3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,15422493033064297388,12115057764121160618,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6192 /prefetch:1
        [3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2092,15422493033064297388,12115057764121160618,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5972 /prefetch:8
        [3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2092,15422493033064297388,12115057764121160618,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:8
            - Suspicious behavior: EnumeratesProcesses
        [3] "C:\Users\Admin\Downloads\WaveInstaller.exe"
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
        [3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,15422493033064297388,12115057764121160618,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1384 /prefetch:1
        [3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,15422493033064297388,12115057764121160618,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6036 /prefetch:1
        [3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,15422493033064297388,12115057764121160618,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6176 /prefetch:1
        [3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,15422493033064297388,12115057764121160618,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6476 /prefetch:1
        [3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,15422493033064297388,12115057764121160618,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1800 /prefetch:2
            - Suspicious behavior: EnumeratesProcesses
[1] C:\Windows\System32\CompPkgSrv.exe -Embedding
[1] C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize: 152B
MD5: 56067634f68231081c4bd5bdbfcc202f
SHA1: 5582776da6ffc75bb0973840fc3d15598bc09eb1
SHA256: 8c08b0cbceb301c8f960aa674c6e7f6dbf40b4a1c2684e6fb0456ec5ff0e56b4
SHA512: c4657393e0b9ec682570d7e251644a858d33e056ccd0f3eebffd0fde25244b3a699b8d9244bcdac00d6f74b49833629b270e099c2b557f729a9066922583f784

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize: 152B
MD5: 81e892ca5c5683efdf9135fe0f2adb15
SHA1: 39159b30226d98a465ece1da28dc87088b20ecad
SHA256: 830f394548cff6eed3608476190a7ee7d65fe651adc638c5b27ce58639a91e17
SHA512: c943f4cfe8615ac159cfac13c10b67e6c0c9093851dd3ac6dda3b82e195d3554e3c37962010a2d0ae5074828d376402624f0dda5499c9997e962e4cfd26444c0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\62cfd870-9756-4c83-8dba-97d9fc87c8c8.tmp
Filesize: 5KB
MD5: 1b8ea57dfac3ae20bdd190f4768a0617
SHA1: 39bbaf60e127462e977512a83560cf01189a2d0e
SHA256: 5f751daf2737eb634e4ed919b955e311fdd10290924209eeda8c7e0fe6f21db2
SHA512: 9a136a5770306c99c67719af9e480b6623a978fbe6509275605b48e7ca65b145abd8545ca286615482c7cbef31941aac1b57fd9c7fd1196153ad71a99055e3f8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 264B
MD5: 80eaa60099a876fbbbb0aa0c1593ff2a
SHA1: c9ce44bb50ac080b948baee441e9f0f5749aea82
SHA256: 38b6323dbb69d66aa45f672ade210f334b084a90110d5848a9e74c6396e4896d
SHA512: 8f2d5d8aac71ebc6b622297bb55ae8e95616e5533857e13ceaa26c8f8fe0307b4e697df092637b4fb00f36970a1dfc658f7a211094271f4b5cb0dce9d322df0b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize: 675B
MD5: d3ce3af59b8f2acee22bc25c9f512faa
SHA1: 2844ba6cda9bfbf7b51fe84b3f4f2fcd7acb7781
SHA256: 3d94654c7945576c2334022edabbc150f2eff8d8965e9202f6dfbeba9690de74
SHA512: 502206f4c825ba7a144be544c56186ec9bcc871b99480ccdda67df6f757bb44d4826d666962251c52e3905fc500bf561e02670370f35f0d2f0d46b0b1c484cba

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize: 7KB
MD5: af4787c7b02c5b0e2ddff824acdfd3ee
SHA1: 555c7402eb658da17e3966946f8ad25b0188955c
SHA256: c9cb3a30554dc5c5aeebbc5f664e0f2331fc550b8514cfb92dd61606db7032ee
SHA512: 50c86b7c69ba8dc4f535a1cc59bb8bf575784dc90699160ef6b93e68f0c54303fa1d885bf2b2419baa325390a96aa55e98a47f7ad79fdcd9f97511afadb1e2f8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize: 7KB
MD5: db408152302afb0c3063b7e4ab6651d1
SHA1: f1f94979ae23f5c4e343ae2035e77aff3e503346
SHA256: b17a95fe9a6ffb2fda330deb4a90715f4de58cb8429b24b0cfd2f2ff81f4ca32
SHA512: 2377c16e532b11221d6addc861bd685b748123c8e739102999869877226626498aaf47da47d091e24776b84d1fa80e550ba8270847fec39ee7f55108215693e3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize: 6KB
MD5: a5c55c9e1f0b0a13b5878374d7170a6b
SHA1: b7347201f81ca7fcc08927e9f4a20e1e46415ea9
SHA256: f71d8edb1a69e6eec37a685d1cf754fb8bf7e993ff0c57f28d4ad0a3b34af2f0
SHA512: af04018c56fd99e48cdeb8424aae85d751dc57e52b4bbcf6c011f668636d86fbd7b6a6113528fe542d106dad9ab07047fae10fb4c7642f8e019d8e569d7d5b53

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize: 538B
MD5: f084cd3e123e72649ed1e9e857c801b6
SHA1: cf4cbf18bc1ecb057f3e70ee0ca33fe480a691ab
SHA256: f63686ba7fdf0bd667b8d415c3ddbc6b183a51a948ca870c74271e23b20d137a
SHA512: dd75b86b6a5e62f430219139efc42b0629434f3e04d01fc9d26a0cdaa592c8eabb94f4c4a9bb93bdfe164275a7637309d5a4c3e647b68ad92f8c9a9a8983c4ff

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57e1b5.TMP
Filesize: 370B
MD5: 0c3423b3319398b31f05d4660f84491b
SHA1: 281590369c1b9653a5df29e45250fd485d6ffeb7
SHA256: 992e844f5b5ea619dee64808347e40d2a3e11fc2d8f4c6bfe79bd7eb5edb638f
SHA512: 8e8a53d6d1c7e0fae426cfe65efc33983f94134c36ab78ff0f3202abdf717a02556d1e035996b20b2b76dc49f0fa81aa57ddafdf9c4a8419965eecaf991bc101

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize: 16B
MD5: 6752a1d65b201c13b62ea44016eb221f
SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize: 11KB
MD5: 9a36f8003cb65ff4b9de88e04e3a4b87
SHA1: 3db0ec3f0a35cf7751c1633b0dbac405f1d99df1
SHA256: 330308579e33ca66cae59033ac8bbbf4ef3277120cc499678f1255df9ef862f5
SHA512: 335a67aa8abfa6bae449f3ea59a407f6a76a1694ba991a364c871c2508f1c7505e3202455422c1fbad0b6a7f452010a5e5084f6e82fc09dea2f7159b2c444e9b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize: 11KB
MD5: a69249db0699cb7262b6d8f894a1e3ea
SHA1: 0761786a9656ad966ad76f33feaa43cb70ba7e17
SHA256: a1d566f7a5abd9316eeb967b1bdb0417a43c2885dcf63f98d4b6c684219a9fa6
SHA512: 5a4e45132d3b5d414e00bd31cbeb771965f3b262b8edd0faca5d166c4a32b24dfbb9e15989a07b55b35845b773132ceef215b4831a2e2679ffd16587c4f61b51

C:\Users\Admin\AppData\Local\Wave\WaveBootstrapper.exe
Filesize: 939KB
MD5: 258a9cae6024c91784bbd8aa5379e86f
SHA1: fe1a808ba23053413359a78d5ec096b2cd540dd5
SHA256: 3881840473ec5286189d2fc8e85f0f26a2532890055d1653da9580aa31b2d0e5
SHA512: b621ef432b430d2df0443fa0ebdd59dc7de6b32375c2fc83e8474838843c4abcf4a35f2b5f80e78911fc52336d71812ca9fbc9919314ea3b59bd26036a4ea5a5

C:\Users\Admin\Downloads\Unconfirmed 73953.crdownload
Filesize: 1.5MB
MD5: c822ab5332b11c9185765b157d0b6e17
SHA1: 7fe909d73a24ddd87171896079cceb8b03663ad4
SHA256: 344700d3141170111a9b77db100f6961cc54a2988d964d34f7e1ca57aa42aa2a
SHA512: a8612836fb4714b939d03f7fe08391bbc635ca83ab853fc677159e5db6b00f76b9b586bdae9c19d2406d9a2713d1caf614132cb6c14e1dddc6ac45e47f7e5a5d

\??\pipe\LOCAL\crashpad_2360_XPGANLFPGESCMXBS
Filesize: not recorded (the four digests below are those of zero bytes, i.e. nothing was captured from this pipe)
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/1168-2-0x0000000140000000-0x0000000140F65000-memory.dmp
Filesize: 15.4MB

memory/1168-1-0x00007FFE942F0000-0x00007FFE942F2000-memory.dmp
Filesize: 8KB

memory/1168-4-0x0000000140000000-0x0000000140F65000-memory.dmp
Filesize: 15.4MB

memory/1168-119-0x0000000140000000-0x0000000140F65000-memory.dmp
Filesize: 15.4MB

memory/1168-3-0x0000000140000000-0x0000000140F65000-memory.dmp
Filesize: 15.4MB

memory/1168-0-0x0000000140000000-0x0000000140F65000-memory.dmp
Filesize: 15.4MB

memory/1168-41-0x0000000140000000-0x0000000140F65000-memory.dmp
Filesize: 15.4MB

memory/1168-5-0x0000000140000000-0x0000000140F65000-memory.dmp
Filesize: 15.4MB

memory/1168-6-0x0000000140000000-0x0000000140F65000-memory.dmp
Filesize: 15.4MB

memory/5224-175-0x0000000009CC0000-0x0000000009CF8000-memory.dmp
Filesize: 224KB

memory/5224-176-0x0000000009CA0000-0x0000000009CAE000-memory.dmp
Filesize: 56KB

memory/5224-273-0x0000000001400000-0x0000000001496000-memory.dmp
Filesize: 600KB

memory/5224-274-0x00000000014B0000-0x00000000014D6000-memory.dmp
Filesize: 152KB

memory/5224-275-0x00000000060C0000-0x00000000060C8000-memory.dmp
Filesize: 32KB

memory/5224-277-0x000000000B620000-0x000000000B692000-memory.dmp
Filesize: 456KB

memory/5224-278-0x00000000060E0000-0x00000000060EA000-memory.dmp
Filesize: 40KB

memory/5224-279-0x000000000AE60000-0x000000000AE6A000-memory.dmp
Filesize: 40KB

memory/5224-174-0x00000000008B0000-0x0000000000A42000-memory.dmp
Filesize: 1.6MB
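The YARA section under Signatures lists the same region of PID 1168 eight times, and the memory dump list above gives each dump only by name and size. The script below is an added example, not part of the report or of the sandbox: it parses the dump names into pid, sequence number and address range, collapses them per region, and checks the two things an analyst wants from a Themida hit, namely whether the matched region starts at the default x64 image base and whether it is larger than the file on disk. The dump names are copied from this report (the PID 5224 list is a subset); the themida hit set is taken from the Signatures section; the 6.0MB disk size is the report's rounded figure and is used as an approximation.

```python
"""Group this report's memory dumps by region and annotate the YARA hits.
Added example; not part of the report."""
import re
from collections import defaultdict

DUMP_NAME = re.compile(
    r"(?:behavioral\d+/)?memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")
X64_DEFAULT_IMAGE_BASE = 0x140000000   # MSVC linker default base for 64-bit EXEs


def parse_dump_name(name):
    """Split 'memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp' into its fields."""
    m = DUMP_NAME.fullmatch(name)
    if m is None:
        raise ValueError(f"not a memory dump name: {name}")
    start, end = int(m.group(3), 16), int(m.group(4), 16)
    return {"pid": int(m.group(1)), "seq": int(m.group(2)),
            "start": start, "end": end, "size": end - start}


def human(n):
    """Render a byte count the way this report does (15.4MB, 224KB)."""
    return f"{n / 2**20:.1f}MB" if n >= 2**20 else f"{n // 1024}KB"


def summarise_regions(dump_names, yara_hits, disk_size):
    """One row per (pid, region): how often it was dumped, which YARA rules hit
    it, whether it sits at the default image base, and whether it is bigger
    than the file on disk (a packed binary grows when it unpacks in memory)."""
    regions = defaultdict(lambda: {"dumps": 0, "rules": set()})
    for name in dump_names:
        d = parse_dump_name(name)
        key = (d["pid"], d["start"], d["end"])
        regions[key]["dumps"] += 1
        regions[key]["rules"].update(yara_hits.get(name, ()))
    rows = []
    for (pid, start, end), info in sorted(regions.items()):
        rows.append({"pid": pid, "start": start, "size": end - start,
                     "dumps": info["dumps"], "rules": sorted(info["rules"]),
                     "at_default_image_base": start == X64_DEFAULT_IMAGE_BASE,
                     "larger_than_disk": end - start > disk_size})
    return rows


# Dump names copied from this report's Downloads list (the 5224 entries are a subset).
SAMPLE_DUMPS = [
    "memory/1168-2-0x0000000140000000-0x0000000140F65000-memory.dmp",
    "memory/1168-1-0x00007FFE942F0000-0x00007FFE942F2000-memory.dmp",
    "memory/1168-4-0x0000000140000000-0x0000000140F65000-memory.dmp",
    "memory/1168-119-0x0000000140000000-0x0000000140F65000-memory.dmp",
    "memory/1168-3-0x0000000140000000-0x0000000140F65000-memory.dmp",
    "memory/1168-0-0x0000000140000000-0x0000000140F65000-memory.dmp",
    "memory/1168-41-0x0000000140000000-0x0000000140F65000-memory.dmp",
    "memory/1168-5-0x0000000140000000-0x0000000140F65000-memory.dmp",
    "memory/1168-6-0x0000000140000000-0x0000000140F65000-memory.dmp",
    "memory/5224-175-0x0000000009CC0000-0x0000000009CF8000-memory.dmp",
    "memory/5224-174-0x00000000008B0000-0x0000000000A42000-memory.dmp",
]
# From the Signatures section: the 'themida' rule matched every 1168 dump of the
# 0x140000000 region and nothing else.
SAMPLE_YARA = {n: ["themida"] for n in SAMPLE_DUMPS
               if n.startswith("memory/1168-") and "0x0000000140000000" in n}
DISK_SIZE = 6 * 2**20   # the report lists the sample as 6.0MB (rounded, approximation)

if __name__ == "__main__":
    for r in summarise_regions(SAMPLE_DUMPS, SAMPLE_YARA, DISK_SIZE):
        print(f"pid {r['pid']} @ 0x{r['start']:X}: {human(r['size'])}, "
              f"{r['dumps']} dump(s), rules={r['rules']}, "
              f"image_base={r['at_default_image_base']}, "
              f"larger_than_disk={r['larger_than_disk']}")
```

Running it shows the 0x140000000 region of PID 1168 at 15.4MB against 6.0MB on disk, dumped eight times and matching themida each time, which is consistent with a packed image that has been expanded in place; the 8KB region at 0x7FFE942F0000 and the small WaveInstaller.exe (5224) regions carry no rule hits. The size helper reproduces the report's own figures (224KB for 5224-175, 1.6MB for 5224-174), which is a cheap way to confirm the address ranges were parsed correctly.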