Resubmissions

14/03/2025, 18:59

250314-xngmvaxscy 4

27/07/2024, 21:38

240727-1hhvhatcke 10

Analysis

  • max time kernel
    268s
  • max time network
    203s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    27/07/2024, 21:38

General

  • Target

    https://www.mediafire.com/file/5m68x2gx8mpqc9k/Wave_Patcher.rar/file

Malware Config

Extracted

  • Family
    skuld
  • C2
    https://discord.com/api/webhooks/1266866341571461145/w77pxgx17qK5NC3jPAoiGlU17x5HMUhUrIPtzVPCNb94ddb5gjD2NOd-1mDz4Ca_u0g7

Signatures

  • Skuld stealer

    An info stealer written in Go.

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, a web browser credential store.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Uses a powershell.exe command.

  • Drops file in Drivers directory 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steals credentials from unsecured files.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Obfuscated Files or Information: Command Obfuscation 1 TTPs

    Adversaries may obfuscate content during command execution to impede detection.

  • Browser Information Discovery 1 TTPs

    Enumerates browser information.

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 1 IoCs

    Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

  • Detects videocard installed 1 TTPs 2 IoCs

    Uses WMIC.exe to determine the installed video card.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • GoLang User-Agent 1 IoCs

    Uses the default User-Agent string set by Go's HTTP packages.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 48 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 4 IoCs

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.mediafire.com/file/5m68x2gx8mpqc9k/Wave_Patcher.rar/file
    1⤵
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:5008
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffce1a846f8,0x7ffce1a84708,0x7ffce1a84718
      2⤵
      PID:2484
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,2302897963856200515,3343385406344153578,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2
      2⤵
      PID:4440
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,2302897963856200515,3343385406344153578,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2740
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,2302897963856200515,3343385406344153578,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2864 /prefetch:8
      2⤵
      PID:4888
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,2302897963856200515,3343385406344153578,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
      2⤵
      PID:2460
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,2302897963856200515,3343385406344153578,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
      2⤵
      PID:228
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2144,2302897963856200515,3343385406344153578,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5276 /prefetch:8
      2⤵
      PID:4640
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,2302897963856200515,3343385406344153578,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:1
      2⤵
      PID:4208
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,2302897963856200515,3343385406344153578,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4696 /prefetch:1
      2⤵
      PID:2988
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,2302897963856200515,3343385406344153578,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3676 /prefetch:1
      2⤵
      PID:4748
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,2302897963856200515,3343385406344153578,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5260 /prefetch:1
      2⤵
      PID:4280
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2144,2302897963856200515,3343385406344153578,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6224 /prefetch:8
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:4628
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,2302897963856200515,3343385406344153578,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5064 /prefetch:1
      2⤵
      PID:2464
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,2302897963856200515,3343385406344153578,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3508 /prefetch:1
      2⤵
      PID:1060
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --field-trial-handle=2144,2302897963856200515,3343385406344153578,131072 --lang=en-US --service-sandbox-type=entity_extraction --mojo-platform-channel-handle=3512 /prefetch:8
      2⤵
      PID:2616
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:3340
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:4356
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:4140
  • C:\Windows\servicing\TrustedInstaller.exe
    C:\Windows\servicing\TrustedInstaller.exe
    1⤵
    PID:4208
  • C:\Program Files\7-Zip\7zG.exe
    "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Wave Patcher\" -spe -an -ai#7zMap11890:86:7zEvent22385
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:4672
  • C:\Users\Admin\Downloads\Wave Patcher\Wave Patcher.exe
    "C:\Users\Admin\Downloads\Wave Patcher\Wave Patcher.exe"
    1⤵
    • Drops file in Drivers directory
    • Executes dropped EXE
    • Adds Run key to start application
    • Maps connected drives based on registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:4684
    • C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\Downloads\Wave Patcher\Wave Patcher.exe"
      2⤵
      • Views/modifies file attributes
      PID:2088
    • C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3060
    • C:\Windows\system32\attrib.exe
      attrib +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
      2⤵
      • Views/modifies file attributes
      PID:4828
    • C:\Windows\System32\Wbem\wmic.exe
      wmic path win32_VideoController get name
      2⤵
      • Detects videocard installed
      • Suspicious use of AdjustPrivilegeToken
      PID:3048
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Downloads\Wave Patcher\Wave Patcher.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      PID:3776
    • C:\Windows\System32\Wbem\wmic.exe
      wmic os get Caption
      2⤵
      PID:1692
    • C:\Windows\System32\Wbem\wmic.exe
      wmic cpu get Name
      2⤵
      PID:4968
    • C:\Windows\System32\Wbem\wmic.exe
      wmic path win32_VideoController get name
      2⤵
      • Detects videocard installed
      PID:216
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      PID:3860
    • C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      2⤵
      PID:4240
    • C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      2⤵
      • Event Triggered Execution: Netsh Helper DLL
      • System Network Configuration Discovery: Wi-Fi Discovery
      PID:4860
    • C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      2⤵
      • Drops file in Drivers directory
      • Views/modifies file attributes
      PID:1060
    • C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      2⤵
      • Drops file in Drivers directory
      • Views/modifies file attributes
      PID:2204
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
      2⤵
      PID:3536
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gosw5ca4\gosw5ca4.cmdline"
        3⤵
        PID:4504
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3629.tmp" "c:\Users\Admin\AppData\Local\Temp\gosw5ca4\CSC8EFDAFC34395444BA98E25CAD7262DF9.TMP"
          4⤵
          PID:1988

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize: 2KB
    MD5: d85ba6ff808d9e5444a4b369f5bc2730
    SHA1: 31aa9d96590fff6981b315e0b391b575e4c0804a
    SHA256: 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
    SHA512: 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\57ea2145-5cb2-4cbc-a8d9-a1010fea36f0.tmp
    Filesize: 10KB
    MD5: a0825be748bd02ea9763897d54d44c51
    SHA1: fecab029f931676e449f07bb9e107cfee5764e16
    SHA256: b5ff4e5160b86fc3fff67edba5faaa2ca17b403d01d197097d3a0e2e3cc4b981
    SHA512: 39e991163faaec625e3588e932c8452b36936dc5a8830d83924b6b10b82bc72ce9b07b2c9835ce7a205d6e5a90c24d258b968fd894bd32ce7ac5ee9bf637c7b2

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
    Filesize: 152B
    MD5: 04b60a51907d399f3685e03094b603cb
    SHA1: 228d18888782f4e66ca207c1a073560e0a4cc6e7
    SHA256: 87a9d9f1bd99313295b2ce703580b9d37c3a68b9b33026fdda4c2530f562e6a3
    SHA512: 2a8e3da94eaf0a6c4a2f29da6fec2796ba6a13cad6425bb650349a60eb3204643fc2fd1ab425f0251610cb9cce65e7dba459388b4e00c12ba3434a1798855c91

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
    Filesize: 152B
    MD5: 9622e603d436ca747f3a4407a6ca952e
    SHA1: 297d9aed5337a8a7290ea436b61458c372b1d497
    SHA256: ace0e47e358fba0831b508cd23949a503ae0e6a5c857859e720d1b6479ff2261
    SHA512: f774c5c44f0fcdfb45847626f6808076dccabfbcb8a37d00329ec792e2901dc59636ef15c95d84d0080272571542d43b473ce11c2209ac251bee13bd611b200a

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
    Filesize: 744B
    MD5: f06155b76ee2b7fb45ad86dfbe3b888d
    SHA1: 5cb7165114e714955505967d1f67a2688886a8ce
    SHA256: abe4c32e9314cf4e13f71d2873adb38bcf96ebe9efb4faace8bfaf376c8867ec
    SHA512: 01e010496e41f2bdca61b2db7126cd68b7e80af0ddd1d8ed21dadd7d55eb1b97ebeed7fac5e8b008a99d440dd80cda8d988c18e3ef3f9892e4ff46c8b736b913

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History
    Filesize: 124KB
    MD5: 2034521d0cd05458143e478e9c46d517
    SHA1: 68f2ccd3b77ff53168682db0b779ef206b9af3fb
    SHA256: acf23ab2b217b63c756733dabb98cc695f885c754793d4b59ba01f9ef73cc448
    SHA512: e6b7947d63f6fcc7e8b3f0459818b173ccc9c9ba3a0a21f8ee40d84d765a2a190ab98980436c1bc8ba84f78cebef07296b52fbb4492512f246ffd8bfa5c62061

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log
    Filesize: 748B
    MD5: 6317d6359252cf4a434f3ceb3488aa9b
    SHA1: 109ed3fe45e989474b883f11c4fac256b0c80cad
    SHA256: a2f85801876b3235a47c8bed5acfef36da06e258e4b9c82b06810eccdf37e583
    SHA512: 9078067f7b417b95409feb9ab1088c1ff6e22a5963de5463b7863853999a91aa4642ad140a3d6594b75fa3d1d5b72df71ec3d07c2bed09318b0ef636c8255db4

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
    Filesize: 111B
    MD5: 285252a2f6327d41eab203dc2f402c67
    SHA1: acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
    SHA256: 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
    SHA512: 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
    Filesize: 4KB
    MD5: adb8ac08e031dc67b7af678fa75b9955
    SHA1: 1ca7537fef72cf4f772b5288720edbad4fdb1543
    SHA256: 8ce8d0a915026a9a17f9d24ccf14b86766d82ad3e3826d720a2698790dd000d7
    SHA512: 6e24f72e28fd808e09130764580c46f8bf7325085dde0b1d3d8e3fc5bc24259ee366bcd4e597fe24ca8ec667fbc4c87effac0943f67e65d5b280b1c657fbaad6

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize: 5KB
    MD5: 9466b44f2de1ba06383f5bf1dd54b0fb
    SHA1: 73bdd12300caefb3461c828f75754a80ce4d3214
    SHA256: b6fe961974c8425988ddff0534d4e2f5bba1b2b5f0faf2ba9c0be2cb6c49614a
    SHA512: 635bf7ee72e16c780dc69097352f58894581730aa98bf363d29d85c2a5d71aea5f470803d2ecae1d6df3428e560e0c2b8ee79b72112296bbbfe4a48f95d38054

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize: 8KB
    MD5: 9c8a149d5c6f035f441ad6d648516707
    SHA1: a9878160083aeb39fd6656e38b8c8f34ee16174b
    SHA256: 75bbcc6561fd923aa50a41236d106bc1685bd0bb8214d1bbbb6878729cc76e08
    SHA512: 93e7728c3c1f2b84a75b9e05a4cfbee3097627faa735005cbcc28efc2d48f37e0e27a714913c13a93fce18c3bebd9831780a251be57b6b3520b1f2f2977fa877

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize: 9KB
    MD5: 0a6e7707bed776a0efca965f862bbfee
    SHA1: 21ab702381cca362b5d37580fadf81696f777bb0
    SHA256: cd8acb120b3c2e904f672e81c7de83afa867200b79203b777808c16ad95964e3
    SHA512: 9b12c10cc5b58ac8132eadc1af56c6c656ec968462a7957d1d2c55a6349f0fbabf32082c7e8ea1379753537c00e09ed59094e2602211c86932571606a29d2f94

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
    Filesize: 10KB
    MD5: ae9cf37699d5b5cec1a4eac34926a4d4
    SHA1: 41036b74234a6d66be662a148cd9e82cba29e149
    SHA256: 349be63d0cf9d941f584cca4d2f2a8325d74a799e63471abdd51c8b9f7399a47
    SHA512: eab4ba50fb5ba370392c30a5c7c58589730e3172dc1d9090130cde2a0446243d62c930d96ae43e8f3e9819aba07125d59fa99d6170ca1acfba03fc06cef45bb0

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
    Filesize: 10KB
    MD5: 0a72bc98dcd2ee5a027e2d0f7b550bb3
    SHA1: bf6d422cc580d0d3d8b8f3409c850abe3311120c
    SHA256: 786b2fc58b7289fc72fc467e4019d463fa4378dd25f174f6e27443de61ae9a89
    SHA512: 34af1af26afeef19da9e676b47983501dfd2809bad5f17da7f1565534ca7a02c708fe5ddd34e425ccbd6f967fa23d27f4ce6c64a6c1c2927f23e31ea784a0120

                                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                  Filesize

                                                  944B

                                                  MD5

                                                  a8e8360d573a4ff072dcc6f09d992c88

                                                  SHA1

                                                  3446774433ceaf0b400073914facab11b98b6807

                                                  SHA256

                                                  bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

                                                  SHA512

                                                  4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

                                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                  Filesize

                                                  944B

                                                  MD5

                                                  67e8893616f805af2411e2f4a1411b2a

                                                  SHA1

                                                  39bf1e1a0ddf46ce7c136972120f512d92827dcd

                                                  SHA256

                                                  ca0dfe104c1bf27f7e01999fcdabc16c6400c3da937c832c26bdbca322381d31

                                                  SHA512

                                                  164e911a9935e75c8be1a6ec3d31199a16ba2a1064da6c09d771b2a38dd7fddd142301ef55d67d90f306d3a454a1ce7b72e129ea42e44500b9b8c623a8d98b4d

                                                • C:\Users\Admin\AppData\Local\Temp\RES3629.tmp

                                                  Filesize

                                                  1KB

                                                  MD5

                                                  bd327af902605a30d23bb8cfc4956fa2

                                                  SHA1

                                                  55a14b8139716673aa50eb47aec0908309e6dc82

                                                  SHA256

                                                  3ce7d03366112d537dbf31dcd475b229c7376567aad73146c5228c1c340b1278

                                                  SHA512

                                                  cdbc936dd976871f7b56065b75a8ea7995d0ae27361481cdad2037217ff37c3914ba0642b2622b629ece3dc0145470adf13df7adfa2ee51c28ba435753679dc9

                                                • C:\Users\Admin\AppData\Local\Temp\X5V3Q2TZs7\Display (1).png

                                                  Filesize

                                                  259KB

                                                  MD5

                                                  c50ae4826126a0e7045e82ed25f5612a

                                                  SHA1

                                                  99b0670e3a77f9e25df470ade2a5308de9d956e2

                                                  SHA256

                                                  88617c6349204e52055b591b907c38d8c3777b6f7a09874ad3e0aba8698f3b55

                                                  SHA512

                                                  aa5c211a8e2fd4519b17449e927e843c8bd675898f9eaa0d099553e509b6528be536c60612725961a62e82eb8d108d5508c197754fce26dc6ef286ceb7445a15

                                                • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zchxdoqo.dvq.ps1

                                                  Filesize

                                                  60B

                                                  MD5

                                                  d17fe0a3f47be24a6453e9ef58c94641

                                                  SHA1

                                                  6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                  SHA256

                                                  96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                  SHA512

                                                  5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                • C:\Users\Admin\AppData\Local\Temp\gosw5ca4\gosw5ca4.dll

                                                  Filesize

                                                  4KB

                                                  MD5

                                                  83f7ac622d437ff55afdb341006e6655

                                                  SHA1

                                                  08d8422157844c4628491a629d4901b4243a53f9

                                                  SHA256

                                                  086147d353088d38f58d5368bebe76dd5018f280a5532d0558986a1be2bb550b

                                                  SHA512

                                                  41d573cd9bad5798671294c5289d3b9bc965fc50cf963127605e4cfea9610349c9a5766ca1e639c1030dbfb16ec99200936609f6b7f1a513bcaa0e811f295ee0

                                                • C:\Users\Admin\Downloads\Wave Patcher.rar

                                                  Filesize

                                                  7.5MB

                                                  MD5

                                                  21506d74ea85e069149fb91841b208a9

                                                  SHA1

                                                  aec0fb6fb1da151852af525e86016809592e84df

                                                  SHA256

                                                  3612f91929b87d68b5059d930dd5fee68461c743577c70b2cb501f4016b4aa8c

                                                  SHA512

                                                  2ce98f5c47ee544027a58e6821a0af822a053ea0d5295722f82b82e991c781ca7cc9999837fb7955e873b048a29983acf4a783ca9c250971b1bc0baeb8287641

                                                • C:\Users\Admin\Downloads\Wave Patcher\Wave Patcher.exe

                                                  Filesize

                                                  14.2MB

                                                  MD5

                                                  67a0a960f47058f0b38ea5d9fceb7ecf

                                                  SHA1

                                                  c200a22c4d1639e8a5803d435e45a8ab94331a49

                                                  SHA256

                                                  aea122a1e7b8965189f58fdfd773edc9d245b3ebd87f68750e71cdae665cb679

                                                  SHA512

                                                  d7ecd2d0bea1060bfb60d3b1b98959f8ff8d40224cfa5e224b460a6d0712d870439e0a753fce6600e0652606e817aa51ddd75c592a2cdda810e0cb4808b60f24

                                                • C:\Windows\System32\drivers\etc\hosts

                                                  Filesize

                                                  2KB

                                                  MD5

                                                  6e2386469072b80f18d5722d07afdc0b

                                                  SHA1

                                                  032d13e364833d7276fcab8a5b2759e79182880f

                                                  SHA256

                                                  ade1813ae70d7da0bfe63d61af8a4927ed12a0f237b79ce1ac3401c0646f6075

                                                  SHA512

                                                  e6b96f303935f2bbc76f6723660b757d7f3001e1b13575639fb62d68a734b4ce8c833b991b2d39db3431611dc2cacde879da1aecb556b23c0d78f5ee67967acb

                                                • \??\c:\Users\Admin\AppData\Local\Temp\gosw5ca4\CSC8EFDAFC34395444BA98E25CAD7262DF9.TMP

                                                  Filesize

                                                  652B

                                                  MD5

                                                  9aeeb9e9f37057cdb9a817fada2366f8

                                                  SHA1

                                                  58c67a677679f84d387221fea1564efb42040a63

                                                  SHA256

                                                  d4370b15d9dd5936d2bdd7429e9bec0aac87e434a258aab4273e1b2b4304811b

                                                  SHA512

                                                  3089bf01e75e981eee40863c5c6314d2a10997d0e352aec8734fcc37a096f0d775c93186f731a55f591937afe021b7f95e61066a5fbbc96e634788101b5ded8b

                                                • \??\c:\Users\Admin\AppData\Local\Temp\gosw5ca4\gosw5ca4.0.cs

                                                  Filesize

                                                  1004B

                                                  MD5

                                                  c76055a0388b713a1eabe16130684dc3

                                                  SHA1

                                                  ee11e84cf41d8a43340f7102e17660072906c402

                                                  SHA256

                                                  8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

                                                  SHA512

                                                  22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

                                                • \??\c:\Users\Admin\AppData\Local\Temp\gosw5ca4\gosw5ca4.cmdline

                                                  Filesize

                                                  607B

                                                  MD5

                                                  fa11b566e1278a7d6f1dcd9cfea779ac

                                                  SHA1

                                                  f9e2ca4919bee8905c5a5b9d0e175433992b0283

                                                  SHA256

                                                  e573f9c1a5a79dd74cb3dc1a374085591f5b67baaf311db996829b6e3692263f

                                                  SHA512

                                                  9ced3cf86859fb017bf9dc0d55e184fa9745251746f3d485effc598a36030aaba7526a93f768e983866a7b3e5a4991d82b6a341d32a555ca60fcbe676d8a2d8e

                                                • memory/3536-336-0x00000281E2E60000-0x00000281E2E68000-memory.dmp

                                                  Filesize

                                                  32KB

                                                • memory/3776-284-0x00000154B62C0000-0x00000154B62E2000-memory.dmp

                                                  Filesize

                                                  136KB

                                                • memory/3860-311-0x000002E67B880000-0x000002E67B8C8000-memory.dmp

                                                  Filesize

                                                  288KB