Analysis
max time kernel: 1014s
max time network: 1018s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30/07/2024, 12:53
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://drive.google.com/file/d/1_RVEpnP7H-42DnsVPNVej8iVxQerIpm0/view?usp=sharing
Resource: win10v2004-20240709-en
General
Target: https://drive.google.com/file/d/1_RVEpnP7H-42DnsVPNVej8iVxQerIpm0/view?usp=sharing
Malware Config
Signatures

Downloads MZ/PE file

Checks computer location settings (2 TTPs, 4 IoCs)
Looks up the country code configured in the registry, likely a geofence check.
  Key value queried  \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation  [WaveInstaller (5).exe]
  Key value queried  \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation  [WaveBootstrapper.exe]
  Key value queried  \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation  [WaveWindows.exe]
  Key value queried  \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation  [Bloxstrap.exe]

Executes dropped EXE (5 IoCs)
  PID 6040  WaveInstaller (5).exe
  PID 4996  WaveBootstrapper.exe
  PID 4396  WaveWindows.exe
  PID 6020  node.exe
  PID 5656  Bloxstrap.exe

Loads dropped DLL (2 IoCs)
  PID 4996  WaveBootstrapper.exe
  PID 4396  WaveWindows.exe

Checks for any installed AV software in registry (1 TTP, 4 IoCs)
  Key value queried  \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\KasperskyLab\LastUsername  [WaveWindows.exe]
  Key value queried  \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\KasperskyLab\Session  [WaveWindows.exe]
  Key opened         \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Software\KasperskyLab  [WaveWindows.exe]
  Key created        \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Software\KasperskyLab  [WaveWindows.exe]
Note that the last of these is a write, not a read: WaveWindows.exe created HKU\<SID>\Software\KasperskyLab, so the key is present in the user hive after the run whether or not a Kaspersky product is installed, and is worth collecting as a host artifact.

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 6 IoCs)
  flow 6    drive.google.com
  flow 9    drive.google.com
  flow 177  raw.githubusercontent.com
  flow 178  raw.githubusercontent.com
  flow 179  raw.githubusercontent.com
  flow 180  raw.githubusercontent.com

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of the host.
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  [WaveWindows.exe]
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  [WaveInstaller (5).exe]
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  [WaveBootstrapper.exe]

Enumerates system info in registry (2 TTPs, 3 IoCs)
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS  [msedge.exe]
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  [msedge.exe]
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  [msedge.exe]

Modifies registry class (1 IoC)
  Key created  \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings  [msedge.exe]

Suspicious behavior: EnumeratesProcesses (15 IoCs)
  PID 3840 msedge.exe (2), PID 2244 msedge.exe (2), PID 332 identity_helper.exe (2), PID 5420 msedge.exe (2), PID 1636 msedge.exe (4), PID 4396 WaveWindows.exe (3)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 5688 7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (9 IoCs)
  PID 2244 msedge.exe (9)

Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Token: SeRestorePrivilege                       PID 5688  7zFM.exe
  Token: 35 (LUID 35 is SeCreateSymbolicLinkPrivilege)  PID 5688  7zFM.exe
  Token: SeSecurityPrivilege                      PID 5688  7zFM.exe
  Token: SeDebugPrivilege                         PID 6040  WaveInstaller (5).exe
  Token: SeDebugPrivilege                         PID 4996  WaveBootstrapper.exe
  Token: SeDebugPrivilege                         PID 4396  WaveWindows.exe
The 7-Zip entries are the privileges the archiver enables to restore file security and symbolic links while extracting. SeDebugPrivilege can only be enabled if it is already present in the process token (by default an administrator's elevated token), so whether the three Wave binaries actually obtained it depends on the integrity level they ran at, which the report does not show.

Suspicious use of FindShellTrayWindow (41 IoCs)
  PID 2244 msedge.exe (39), PID 5688 7zFM.exe (2)

Suspicious use of SendNotifyMessage (24 IoCs)
  PID 2244 msedge.exe (24)

Suspicious use of SetWindowsHookEx (2 IoCs)
  PID 6020  node.exe
  PID 5656  Bloxstrap.exe

Suspicious use of WriteProcessMemory (64 IoCs)
  All 64 entries are PID 2244 msedge.exe writing to the memory of PID 4200, 1364, 3840 or 4044 (sandbox process indices 84 to 87). Those four targets are Edge's own crashpad-handler, GPU, network-service and storage-service children in the process tree, so this is the browser's normal child-process bootstrap rather than memory injection by the sample.
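The three registry-based discovery signatures above (location settings, installed AV software, system language) all reduce to matching key paths in registry-access events. The following is an added example, not code from this page or from Triage: a small classifier that normalises the sandbox's \REGISTRY\USER\<SID>\... paths to HKU/HKLM form, tags each hit with the corresponding ATT&CK technique (the IDs are the standard mappings; the page counts TTPs but does not list them), and separates writes from reads so that a created key, like the KasperskyLab key above, is reported as a persistent artifact rather than a lookup. The AV vendor names other than KasperskyLab, the (process, operation, key) event layout and the sample events are assumptions constructed to mirror this report's IoC tables.

```python
import re
from collections import defaultdict

# Discovery rules modelled on the signatures in this report. Each regex matches the
# normalised key path; the technique IDs are the ATT&CK mappings for these behaviours.
# Assumption: vendors other than KasperskyLab are added to generalise the AV check.
RULES = [
    ("Checks computer location settings", "T1614",
     re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)),
    ("System Location Discovery: System Language Discovery", "T1614.001",
     re.compile(r"\\SYSTEM\\ControlSet\d{3}\\Control\\NLS\\Language$", re.I)),
    ("Checks for any installed AV software in registry", "T1518.001",
     re.compile(r"\\Software\\(KasperskyLab|ESET|Avast Software|AVG|McAfee|Sophos|Bitdefender)(\\|$)", re.I)),
    ("Enumerates system info in registry", "T1082",
     re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\BIOS(\\|$)", re.I)),
]

# Operations that change the hive; everything else is a read and leaves nothing behind.
WRITE_OPS = {"Key created", "Key value set", "Key deleted", "Key value deleted"}
_SID = re.compile(r"^\\REGISTRY\\USER\\(S-1-5-21-[\d-]+)(_Classes)?\\", re.I)


def normalise_key(key):
    """Rewrite the kernel-style path the sandbox logs into HKU\\<SID>\\... or HKLM\\... form."""
    m = _SID.match(key)
    if m:
        return "HKU\\" + m.group(1) + (m.group(2) or "") + "\\" + key[m.end():]
    if key.upper().startswith("\\REGISTRY\\MACHINE\\"):
        return "HKLM\\" + key[len("\\REGISTRY\\MACHINE\\"):]
    return key


def classify(events):
    """events: iterable of (process, operation, key).
    Returns {signature: [(process, operation, normalised key, technique), ...]}."""
    hits = defaultdict(list)
    for proc, op, key in events:
        nk = normalise_key(key)
        for name, tid, rx in RULES:
            if rx.search(nk):
                hits[name].append((proc, op, nk, tid))
    return dict(hits)


def artifacts(events):
    """(process, key) pairs the process wrote; these outlive the process, reads do not."""
    return sorted({(p, normalise_key(k)) for p, op, k in events if op in WRITE_OPS})


def summarise(events):
    """Per-process sorted list of technique IDs observed."""
    per_proc = defaultdict(set)
    for rows in classify(events).values():
        for proc, _op, _key, tid in rows:
            per_proc[proc].add(tid)
    return {p: sorted(t) for p, t in per_proc.items()}


# Constructed sample modelled on this report's IoC tables (not the sandbox's raw log).
SID = "S-1-5-21-1176886754-713327781-2233697964-1000"
SAMPLE_EVENTS = [
    ("WaveInstaller (5).exe", "Key value queried", f"\\REGISTRY\\USER\\{SID}\\Control Panel\\International\\Geo\\Nation"),
    ("WaveWindows.exe", "Key value queried", f"\\REGISTRY\\USER\\{SID}\\Control Panel\\International\\Geo\\Nation"),
    ("WaveWindows.exe", "Key opened", f"\\REGISTRY\\USER\\{SID}\\Software\\KasperskyLab"),
    ("WaveWindows.exe", "Key created", f"\\REGISTRY\\USER\\{SID}\\Software\\KasperskyLab"),
    ("WaveWindows.exe", "Key value queried", f"\\REGISTRY\\USER\\{SID}\\SOFTWARE\\KasperskyLab\\LastUsername"),
    ("WaveWindows.exe", "Key opened", "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\NLS\\Language"),
    ("msedge.exe", "Key value queried", "\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\BIOS\\SystemManufacturer"),
    ("msedge.exe", "Key created", f"\\REGISTRY\\USER\\{SID}_Classes\\Local Settings"),
]

if __name__ == "__main__":
    for sig, rows in classify(SAMPLE_EVENTS).items():
        print(sig)
        for proc, op, key, tid in rows:
            print(f"  {tid:<10} {op:<18} {key}  [{proc}]")
    print("registry artifacts:", artifacts(SAMPLE_EVENTS))
    print("per process:", summarise(SAMPLE_EVENTS))
```

Feeding real events in is a matter of producing the same (process, operation, key) triples from whatever source is at hand, for example Sysmon event IDs 12 and 13, where the key path is already in HKU/HKLM form and passes through normalise_key unchanged.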
Processes
(Indentation shows the parent/child nesting of the sandbox's process tree.)

PID 2244  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.google.com/file/d/1_RVEpnP7H-42DnsVPNVej8iVxQerIpm0/view?usp=sharing
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  PID 4200  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa52e346f8,0x7ffa52e34708,0x7ffa52e34718

  PID 1364  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,2122160938035612705,11653324355073951280,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2

  PID 3840  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2164,2122160938035612705,11653324355073951280,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses

  PID 4044  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2164,2122160938035612705,11653324355073951280,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2648 /prefetch:8

  PID 5072  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,2122160938035612705,11653324355073951280,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1

  PID 2468  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,2122160938035612705,11653324355073951280,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1

  PID 1200  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,2122160938035612705,11653324355073951280,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4912 /prefetch:1

  PID 2976  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,2122160938035612705,11653324355073951280,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5116 /prefetch:1

  PID 3716  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,2122160938035612705,11653324355073951280,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5848 /prefetch:8

  PID 332  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,2122160938035612705,11653324355073951280,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5848 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses

  PID 3652  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,2122160938035612705,11653324355073951280,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:1

  PID 3948  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,2122160938035612705,11653324355073951280,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:1

  PID 3176  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2164,2122160938035612705,11653324355073951280,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4056 /prefetch:8

  PID 4352  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,2122160938035612705,11653324355073951280,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3992 /prefetch:1

  PID 2624  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,2122160938035612705,11653324355073951280,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6120 /prefetch:1

  PID 1248  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,2122160938035612705,11653324355073951280,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6368 /prefetch:1

  PID 5420  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2164,2122160938035612705,11653324355073951280,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5472 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses

  PID 1636  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,2122160938035612705,11653324355073951280,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4908 /prefetch:2
    - Suspicious behavior: EnumeratesProcesses

PID 4292  C:\Windows\System32\CompPkgSrv.exe
  cmd: C:\Windows\System32\CompPkgSrv.exe -Embedding

PID 4020  C:\Windows\System32\CompPkgSrv.exe
  cmd: C:\Windows\System32\CompPkgSrv.exe -Embedding

PID 5560  C:\Windows\System32\rundll32.exe
  cmd: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

PID 5688  C:\Program Files\7-Zip\7zFM.exe
  cmd: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Downloads.zip"
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

PID 6040  C:\Users\Admin\Desktop\WaveInstaller (5).exe
  cmd: "C:\Users\Admin\Desktop\WaveInstaller (5).exe"
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken

  PID 4996  C:\Users\Admin\AppData\Local\Wave\WaveBootstrapper.exe
    cmd: "C:\Users\Admin\AppData\Local\Wave\WaveBootstrapper.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken

    PID 4396  C:\Users\Admin\AppData\Local\Wave\WaveWindows.exe
      cmd: "C:\Users\Admin\AppData\Local\Wave\WaveWindows.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Loads dropped DLL
      - Checks for any installed AV software in registry
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

      PID 6020  C:\Users\Admin\AppData\Local\Luau Language Server\node.exe
        cmd: "C:\Users\Admin\AppData\Local\Luau Language Server\node.exe" server --process-id=4396
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx

      PID 5656  C:\Users\Admin\AppData\Local\Bloxstrap\Bloxstrap.exe
        cmd: "C:\Users\Admin\AppData\Local\Bloxstrap\Bloxstrap.exe"
        - Checks computer location settings
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
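The tree above only shows nesting. The questions a triager actually asks of it are which processes ran from user-writable locations and how they chain together, and which of the noisy signature hits (WriteProcessMemory, FindShellTrayWindow, SendNotifyMessage) belong to the browser's own helper processes rather than to the sample. The following is an added example, not part of the report or of Triage's tooling: the process records are constructed from the tree above, with parent PIDs taken from its nesting (the sandbox does not print them), and the set of user-writable directories is an assumption that goes beyond the Desktop and AppData\Local paths actually seen here.

```python
import re

# Directories an unprivileged user can write to. A binary executing from one of these was
# downloaded or dropped rather than installed. Assumption: Roaming and Documents are added
# to generalise beyond the Desktop and AppData\Local paths in this report.
USER_WRITABLE = re.compile(
    r"^[A-Z]:\\Users\\[^\\]+\\(AppData\\(Local|Roaming)|Desktop|Downloads|Documents)\\", re.I)
PROGRAM_DIRS = re.compile(r"^[A-Z]:\\(Program Files( \(x86\))?|Windows)\\", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1]


def lineage(procs, pid):
    """Ancestry of pid as a list of records, root first; stops at a missing parent or a cycle."""
    by_pid = {p["pid"]: p for p in procs}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return chain[::-1]


def dropped_exe_chains(procs):
    """One record per process running from a user-writable path: its full ancestry as
    image basenames, and how many hops it sits below the first dropped ancestor."""
    out = []
    for p in procs:
        if not USER_WRITABLE.match(p["image"]):
            continue
        chain = lineage(procs, p["pid"])
        first = next(i for i, c in enumerate(chain) if USER_WRITABLE.match(c["image"]))
        out.append({"pid": p["pid"],
                    "chain": " > ".join(basename(c["image"]) for c in chain),
                    "hops_below_first_dropped": len(chain) - 1 - first})
    return out


def self_spawn_pids(procs):
    """Children whose image is the same installed binary as their parent (browser and
    service worker processes). Signature hits on these are host-process noise, not the sample."""
    by_pid = {p["pid"]: p for p in procs}
    return sorted(p["pid"] for p in procs
                  if p["ppid"] in by_pid
                  and by_pid[p["ppid"]]["image"].lower() == p["image"].lower()
                  and PROGRAM_DIRS.match(p["image"]))


# Constructed process list modelled on the tree above. Parent PIDs follow the tree's
# nesting (the sandbox does not print them); only a representative subset of Edge's
# children is included.
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
SAMPLE_PROCS = [
    {"pid": 2244, "ppid": 0,    "image": EDGE},
    {"pid": 4200, "ppid": 2244, "image": EDGE},   # crashpad-handler
    {"pid": 1364, "ppid": 2244, "image": EDGE},   # gpu-process
    {"pid": 3840, "ppid": 2244, "image": EDGE},   # network service
    {"pid": 332,  "ppid": 2244, "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"},
    {"pid": 5688, "ppid": 0,    "image": r"C:\Program Files\7-Zip\7zFM.exe"},
    {"pid": 6040, "ppid": 0,    "image": r"C:\Users\Admin\Desktop\WaveInstaller (5).exe"},
    {"pid": 4996, "ppid": 6040, "image": r"C:\Users\Admin\AppData\Local\Wave\WaveBootstrapper.exe"},
    {"pid": 4396, "ppid": 4996, "image": r"C:\Users\Admin\AppData\Local\Wave\WaveWindows.exe"},
    {"pid": 6020, "ppid": 4396, "image": r"C:\Users\Admin\AppData\Local\Luau Language Server\node.exe"},
    {"pid": 5656, "ppid": 4396, "image": r"C:\Users\Admin\AppData\Local\Bloxstrap\Bloxstrap.exe"},
]

if __name__ == "__main__":
    for rec in dropped_exe_chains(SAMPLE_PROCS):
        print(f"PID {rec['pid']:>5}  +{rec['hops_below_first_dropped']}  {rec['chain']}")
    print("host-process noise PIDs:", self_spawn_pids(SAMPLE_PROCS))
```

The five records dropped_exe_chains returns are exactly the five processes the report lists under "Executes dropped EXE", and the three PIDs self_spawn_pids returns are the Edge children that account for the WriteProcessMemory hits.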
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 4.3MB
MD5: 6546ceb273f079342df5e828a60f551b
SHA1: ede41c27df51c39cd731797c340fcb8feda51ea3
SHA256: e440da74de73212d80da3f27661fcb9436d03d9e8dbbb44c9c148aaf38071ca5
SHA512: f0ea83bf836e93ff7b58582329a05ba183a25c92705fab36f576ec0c20cf687ce16a68e483698bda4215d441dec5916ffbdfa1763fb357e14ab5e0f1ffcaf824

Filesize: 249KB
MD5: 772c9fecbd0397f6cfb3d866cf3a5d7d
SHA1: 6de3355d866d0627a756d0d4e29318e67650dacf
SHA256: 2f88ea7e1183d320fb2b7483de2e860da13dc0c0caaf58f41a888528d78c809f
SHA512: 82048bd6e50d38a863379a623b8cfda2d1553d8141923acf13f990c7245c833082523633eaa830362a12bfff300da61b3d8b3cccbe038ce2375fdfbd20dbca31

Filesize: 372B
MD5: d94cf983fba9ab1bb8a6cb3ad4a48f50
SHA1: 04855d8b7a76b7ec74633043ef9986d4500ca63c
SHA256: 1eca0f0c70070aa83bb609e4b749b26dcb4409784326032726394722224a098a
SHA512: 09a9667d4f4622817116c8bc27d3d481d5d160380a2e19b8944bdd1271a83f718415ce5e6d66e82e36819e575ec1b55f19c45213e0013b877b8d61e6feb9d998

Filesize: 6.1MB
MD5: 6b1cad741d0b6374435f7e1faa93b5e7
SHA1: 7b1957e63c10f4422421245e4dc64074455fd62a
SHA256: 6f17add2a8c8c2d9f592adb65d88e08558e25c15cedd82e3f013c8146b5d840f
SHA512: a662fc83536eff797b8d59e2fb4a2fb7cd903be8fc4137de8470b341312534326383bb3af58991628f15f93e3bdd57621622d9d9b634fb5e6e03d4aa06977253

Filesize: 152B
MD5: 75c9f57baeefeecd6c184627de951c1e
SHA1: 52e0468e13cbfc9f15fc62cc27ce14367a996cff
SHA256: 648ba270261690bb792f95d017e134d81a612ef4fc76dc41921c9e5b8f46d98f
SHA512: c4570cc4bb4894de3ecc8eee6cd8bfa5809ea401ceef683557fb170175ff4294cc21cdc6834db4e79e5e82d3bf16105894fff83290d26343423324bc486d4a15

Filesize: 152B
MD5: 10fa19df148444a77ceec60cabd2ce21
SHA1: 685b599c497668166ede4945d8885d204fd8d70f
SHA256: c3b5deb970d0f06a05c8111da90330ffe25da195aafa4e182211669484d1964b
SHA512: 3518ce16fef66c59e0bdb772db51aeaa9042c44ca399be61ca3d9979351f93655393236711cf2b1988d5f90a5b9318a7569a8cef3374fc745a8f9aa8323691ef

Path: C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 408B
MD5: e4baf95479832cf047ccbb17712deee8
SHA1: 0eaeb2d116d631c2a6c81b75909e78991601dca0
SHA256: 47c5287354fc50405f6a4814efe798ac178ffd791b3c0cfd36dfa0e8a68db59a
SHA512: a304f594b9cdccd29a4eaad81db83d5c7fd7d4ecd2731d6ecf063efb7e52e64ab325850311d3c37fadb281204f393299a0f84064edeef4c7cfc32b41615b62cb

Filesize: 3KB
MD5: d746cb37c39fe230796c66b7cc1c63d7
SHA1: a3e4eb0f347dcde92c8052edbcf625c3c7ccd4be
SHA256: c8f7f4d304159ab91d6959ab1e731d9b2fd8b12660394ff6e11ae057f566d76a
SHA512: a1217998516402bb3b23842e0091ff87a74c1d689245fd763edb6650b29a96ca24cd7256eac0a3f770e62e10ade788bee526e731ce053412d58722a562b37d46

Filesize: 3KB
MD5: eecc57953fd9ef3f8cf6f237c3623c05
SHA1: f24986a1d9bacf0198a317f36f01a7110ed16b06
SHA256: e02f5495d04f0874e002ad8389e18f4b830220a38d7314ef83c24edb5f75a7ae
SHA512: 6860b6520fd246d3047bd2ac68e1824cedc1438e02689e447a84e677af3891c01ca0b31e02eeeec65dc4133f90a9bef84b00344e5589feae874db1dec9c25507

Filesize: 3KB
MD5: 14c756d7bbd1f1f5927aa7733b7bd0db
SHA1: f4101ba7d2411c75d0502460b84b16c2c1624069
SHA256: 94dc8b8ace67dc4641e7c9cc93512f9faaa4b2ffddaeff777e6d2141c17e87ef
SHA512: 70e68ce56554715604b6472c32afbd2b5f7c3ba400cc3526d57d20901b81c7a707182979376a2127d1e359f0d605ff5c81adfc02ce578c9392017ab2776e455a

Filesize: 3KB
MD5: e6def058d1edc2c3625481714c5345e6
SHA1: 249a7fda792b9eb7adf882fcf133dcf36e7f88ea
SHA256: c23e39c6d759379ee82e709410bb72d01c28e2018ca8ce2971c0e996df842692
SHA512: 3eeb1002e558f3475fcbb30763271bc4a27b14e3eb8802d783aa7f8376e053f73260600707f11465c1337fca812a806a801723ec7de3fa98ef13d2fd94a1b563

Filesize: 3KB
MD5: 171bac4ec8e651e6bcb5fb5692ee7958
SHA1: 2e14a7912e5f77b72f9e4efdc4788e39090ad27e
SHA256: 6066aa5d27ac893603af641d8dd458499daa266df29ce386322115457b8d4a85
SHA512: 14b1abdfb25fe7b331453b1e1bce7377f4dc18ebd455b31c7add18c2fcda4ec71159f83328b7ee21dfbb312d51a03046d3c894801655f00918994f1257d48231

Filesize: 3KB
MD5: 8fc640690bbef266d308c5fdfdc7758e
SHA1: cfb8cb440df79cd200013a600d60c2aec6bca6bb
SHA256: 33666826956fd69cc1df4c96093babd2dc3d73520aa09a9f3aa2037ea6ff95f8
SHA512: 13bdb08b127b6bc126d87a616cc4c2e487af8362b3c9c21ee1072d343bc4132d70ba5716ee6dbbda951219189f791a8a07685b3b20589fba6194761dd59830db

Filesize: 3KB
MD5: ff02fbbbf54f78675c353f00790dc309
SHA1: 369a6058c14c6fd16a0da7cf453ffc0c77f38ee9
SHA256: 6b5031839d88fdbee01aa9beb52ee66fd18350309ce381ff9ad199fc678a0b68
SHA512: 34eb09813eeb30ebc4f3681f93fbf2f275bdee2e13ffa2f8129bf33c035be44905923c690958f40b8bc53f24369338c98827a53326ca0708491418a44bdba095

Filesize: 3KB
MD5: 14743c68d84a7d8408b660de66c83e49
SHA1: 4e7e557f09d10dc689a24a79628af6e2b3feda06
SHA256: 4ec6a9bf63e9274d1d8599b45af9188ed39ba5623d537504dc546be40e951933
SHA512: 89e1b4768aa71ca5e8201762028c979ae929fadf39e1e3c8ce4129b583b05f1b76a067748a7a22a20f2fd1e1db3a15cc2a9bded619a91caf0e1dc3da591f6769

Filesize: 3KB
MD5: 1f48c2781908b05f724c47e3a6a2a75a
SHA1: e6f395eb7511f92971a787798e2a50cd07ba2a23
SHA256: 771a127771ad2f82e2f4adf82b91155abc624862a587dcbb18cdde1d53957020
SHA512: 132944d6bf8405e4ee508696dd0635ec9a8551d7908d272968fb8c808483b4c92e0138a661b7b9768b31adb3f1668f7d217c560c2ebf574c85280e72a5dcc5dc

Filesize: 3KB
MD5: 48361021cc1a0a87690e52f03dbbc3e0
SHA1: 3f8eda86826aae8ee1d59b6382c8fffb6fc4e40d
SHA256: e7383759b4b00c9bcaa57c957c12305cf45116fbe7f997ac6fad973b7f6df37c
SHA512: 52e20b043e1399d6443cd21e7785bf5d7efcc4973094a94b5e48912e5d773c980ef3e0a41fadd61afdef962b78ba8584912f239bd9f487aa97ad80c008fceb4f

Filesize: 3KB
MD5: 9d44e5096a8d8095839402ac4382d81b
SHA1: 5f23f3e66ce9aa3f93bf31b9f80480b5d57f50a5
SHA256: ad3dae5b45285ab43e89cd5b5739048880252e8e85901091300e759dcd1b622a
SHA512: 2e8653d6d021e28977dd9675fc0df8068e45ad682860a4d8cf7f90f7ac4cc5364a679b55b143420dfe20a4090ecd832bd139b484bf65c2d4256b5a2347c8db58

Filesize: 5KB
MD5: bae9f925ed04189a8b8b1f688f750bc9
SHA1: 3886c57b6562d1d0732d34082da7a8bc6dcbc252
SHA256: e2cb034f3312f637f61fca35ff854b0b1ac18d4cd304915ff894cd640cd46664
SHA512: 548116fdef91b0e809b9cb3a2416bde17e5a830b446ef2018c73f45da48f3f986001ee3036be3e2b79089790f5c2e7d6b155f01c8d026a2afbe0745c65fa4db3

Filesize: 6KB
MD5: 6cd9323c1623e901e390b19eec40c424
SHA1: 03fdf6f350a8630c210c7bd2931fb82bc4431e79
SHA256: c0f91e3aad387eb0f54b791235ebf2fefcfb79ddb5253661f0723e9858bfd893
SHA512: b36c381cf6fc8e0c577bc300df3ec47d1dd8e00da3f3315e12d99d4769f2958f504a7e9135dda70df3e14820b17ae845c8cef043a85673e9a76493b6f3afe6fe

Filesize: 6KB
MD5: 4f8575b307c126379e4b7c244597cb38
SHA1: 54e45a22ed0c1b35fb72c47bfde834de1d842a87
SHA256: 54cc42ba5a17c42dd7e958068589bfeaf342da1222422060fd6a2ff16b1b6010
SHA512: 4f1f5a200024babf765d4ac589a57bc0e66f435564fdc98740a938a36eb839c96edef55cd8944aed583af218f97f5caf120aa6c7f7157a482bbf10256cd1868b

Filesize: 16B
MD5: 6752a1d65b201c13b62ea44016eb221f
SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Filesize: 11KB
MD5: db0e1f2ee0bd7e08534b007cb7094b18
SHA1: b55a3b6adec7b04fda3635acf2969ac8aa1b5082
SHA256: 3326687094f11c0f25650f43e38db8c330a29284d2409d852d4fdad9b4d9bf0a
SHA512: 2358ae04a17ee9c083dd7675e963ccd3706a443bf115573021a7b418f9fc8c212fcbe058d31079e6ace78664ceb5f903d1397583b9e075380126524da2bceb6e

Filesize: 11KB
MD5: 3ca923653cf124cf652d3b0f75f09696
SHA1: 7dc9ffdd07413339b6dc92e723905637a3f2a83c
SHA256: fab4ea1b8d72d2b939c5ac36d700316d10f36bd891c74ae514eb9a24dfb76982
SHA512: 9fe07041c1a14809326844886cb01b3075e78c3ed09f20d7847f43d694371bbe7293f2d6c7edbc2468063109b930ccc6bf4324bf1da5cf642edaf15ec2060979

Filesize: 3.9MB
MD5: 3b4647bcb9feb591c2c05d1a606ed988
SHA1: b42c59f96fb069fd49009dfd94550a7764e6c97c
SHA256: 35773c397036b368c1e75d4e0d62c36d98139ebe74e42c1ff7be71c6b5a19fd7
SHA512: 00cd443b36f53985212ac43b44f56c18bf70e25119bbf9c59d05e2358ff45254b957f1ec63fc70fb57b1726fd8f76ccfad8103c67454b817a4f183f9122e3f50

Filesize: 949KB
MD5: 8fb51b92d496c6765f7ba44e6d4a8990
SHA1: d3e5a8465622cd5adae05babeb7e34b2b5c777d7
SHA256: ab49d6166a285b747e5f279620ab9cea12f33f7656d732aa75900fcb981a5394
SHA512: 20de93a52fff7b092cb9d77bd26944abed5f5cb67146e6d2d70be6a431283b6de52eb37a0e13dc8bc57dcf8be2d5a95b9c11b3b030a3e2f03dd6e4efc23527a6

Filesize: 8.0MB
MD5: b8631bbd78d3935042e47b672c19ccc3
SHA1: cd0ea137f1544a31d2a62aaed157486dce3ecebe
SHA256: 9cfda541d595dc20a55df5422001dfb58debd401df3abff21b1eee8ede28451c
SHA512: 0c51d6247e39f7851538a5916b24972e845abfe429f0abdc7b532f654b4afe73dc6e1936f1b062da63bfc90273d3cbc297bf6c802e615f3711d0f180c070aa26

Filesize: 2.3MB
MD5: 8ad8b6593c91d7960dad476d6d4af34f
SHA1: 0a95f110c8264cde7768a3fd76db5687fda830ea
SHA256: 43e6ae7e38488e95741b1cad60843e7ce49419889285433eb4e697c175a153ab
SHA512: 09b522da0958f8b173e97b31b6c7141cb67de5d30db9ff71bc6e61ca9a97c09bff6b17d6eaa03c840500996aad25b3419391af64de1c59e98ff6a8eac636b686

Filesize: 27.7MB
MD5: a3afaf6a35a8d9f498621f099b954340
SHA1: ad4fec23fabf5f48b0f87bd570d9458775688b5d
SHA256: 369098d40c02418c92dc54f4350820b810004e1834f84aea05f50b992fb0fc99
SHA512: 8b6213d25930e6480289ccef1adb5c6c7dc2ae93c31244dd538eb23adabe527df6a77d5a288ba5070177d0f988a0cf652a4378e2c4d80642a810616b93d6206c
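As extracted from the page, the Downloads listing fuses each algorithm label to its digest ("MD5<hex>", "Filesize408B"), which makes copying it into a blocklist or a hunting query error-prone. The following is an added example, not the page's or Triage's code: a parser for that flattened format that validates digest lengths and hex content, plus a matcher that checks a file's bytes against every algorithm present in a record, so a single-algorithm collision cannot produce a false match. The sample listing reuses two entries from the report and adds a third, constructed from the FIPS 180 "abc" test vector, so the match path can be exercised offline; that third entry is not from the report.

```python
import hashlib
import re

# One label per line, value either fused to the label or on the following line.
_LABEL = re.compile(r"^(Filesize|MD5|SHA1|SHA256|SHA512)\s*(.*)$")
_HEX = re.compile(r"[0-9a-fA-F]+")
_DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def parse_listing(text):
    """Parse the flattened Downloads listing into records
    {size, md5, sha1, sha256, sha512[, path]}. Entries are separated by a line holding
    only '-'; a dropped-file path, when present, precedes its Filesize line.
    Raises ValueError on a digest with the wrong length or non-hex characters."""
    records, cur, pending_path = [], {}, None
    lines = [ln.strip() for ln in text.splitlines()]
    i = 0
    while i < len(lines):
        line = lines[i]
        i += 1
        if not line:
            continue
        if line == "-":                       # entry separator
            if cur:
                records.append(cur)
                cur = {}
            continue
        m = _LABEL.match(line)
        if m is None:                         # not a label: it is the dropped file's path
            pending_path = line
            continue
        label, value = m.group(1), m.group(2)
        if not value and i < len(lines):      # label and value split over two lines
            value = lines[i]
            i += 1
        if label == "Filesize":
            cur = {"size": value}
            if pending_path is not None:
                cur["path"] = pending_path
                pending_path = None
        else:
            if len(value) != _DIGEST_LEN[label] or not _HEX.fullmatch(value):
                raise ValueError(f"{label} digest malformed: {value!r}")
            cur[label.lower()] = value.lower()
    if cur:
        records.append(cur)
    return records


def digests(data):
    """All four digests of data, keyed by lower-case algorithm name."""
    return {alg: getattr(hashlib, alg)(data).hexdigest()
            for alg in ("md5", "sha1", "sha256", "sha512")}


def match(data, records):
    """Return the first record whose every present digest agrees with data, else None."""
    d = digests(data)
    for rec in records:
        algs = [a for a in d if a in rec]
        if algs and all(rec[a] == d[a] for a in algs):
            return rec
    return None


# Constructed sample in the page's extracted layout. The first two entries are copied from
# the report; the third is the FIPS 180 "abc" test vector and is not from the report.
SAMPLE_LISTING = r"""
-
Filesize
4.3MB
MD56546ceb273f079342df5e828a60f551b
SHA1ede41c27df51c39cd731797c340fcb8feda51ea3
SHA256e440da74de73212d80da3f27661fcb9436d03d9e8dbbb44c9c148aaf38071ca5
SHA512f0ea83bf836e93ff7b58582329a05ba183a25c92705fab36f576ec0c20cf687ce16a68e483698bda4215d441dec5916ffbdfa1763fb357e14ab5e0f1ffcaf824
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize408B
MD5e4baf95479832cf047ccbb17712deee8
SHA10eaeb2d116d631c2a6c81b75909e78991601dca0
SHA25647c5287354fc50405f6a4814efe798ac178ffd791b3c0cfd36dfa0e8a68db59a
SHA512a304f594b9cdccd29a4eaad81db83d5c7fd7d4ecd2731d6ecf063efb7e52e64ab325850311d3c37fadb281204f393299a0f84064edeef4c7cfc32b41615b62cb
-
Filesize
3B
MD5900150983cd24fb0d6963f7d28e17f72
SHA1a9993e364706816aba3e25717850c26c9cd0d89d
SHA256ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
SHA512ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f
"""

if __name__ == "__main__":
    recs = parse_listing(SAMPLE_LISTING)
    for r in recs:
        print(r.get("path", "<no path>"), r["size"], r["sha256"])
    print("b'abc' matches:", match(b"abc", recs))
    print("b'abd' matches:", match(b"abd", recs))
```

To check a file on disk, read it as bytes and pass it to match; because the comparison uses every digest a record carries, a record that lists only an MD5 is still matched, but only on that weaker evidence.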