hxxps://drive[.]google[.]com/file/d/1d-AcYI1SvRj8B-iwa3CP7iaGyuSrBE28/view?usp=sharing

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
01-08-2024 22:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/1d-AcYI1SvRj8B-iwa3CP7iaGyuSrBE28/view?usp=sharing

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3712	WaveInstaller (5).exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
2	drive.google.com
5	drive.google.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaveInstaller (5).exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3112	msedge.exe
3112	msedge.exe
3344	msedge.exe
3344	msedge.exe
2476	identity_helper.exe
2476	identity_helper.exe
3536	msedge.exe
3536	msedge.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3540	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

pid	Process
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeTcbPrivilege	4344	svchost.exe
Token: SeRestorePrivilege	4344	svchost.exe
Token: SeRestorePrivilege	3540	7zFM.exe
Token: 35	3540	7zFM.exe
Token: SeSecurityPrivilege	3540	7zFM.exe
Token: SeDebugPrivilege	3712	WaveInstaller (5).exe

Suspicious use of FindShellTrayWindow 57 IoCs

pid	Process
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3540	7zFM.exe
3540	7zFM.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe

Suspicious use of SendNotifyMessage 40 IoCs

pid	Process
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3344 wrote to memory of 2892	3344	msedge.exe	83
PID 3344 wrote to memory of 2892	3344	msedge.exe	83
PID 3344 wrote to memory of 4928	3344	msedge.exe	84
PID 3344 wrote to memory of 4928	3344	msedge.exe	84
PID 3344 wrote to memory of 4928	3344	msedge.exe	84
PID 3344 wrote to memory of 4928	3344	msedge.exe	84
PID 3344 wrote to memory of 4928	3344	msedge.exe	84
PID 3344 wrote to memory of 4928	3344	msedge.exe	84
PID 3344 wrote to memory of 4928	3344	msedge.exe	84
PID 3344 wrote to memory of 4928	3344	msedge.exe	84
PID 3344 wrote to memory of 4928	3344	msedge.exe	84
PID 3344 wrote to memory of 4928	3344	msedge.exe	84
PID 3344 wrote to memory of 4928	3344	msedge.exe	84
PID 3344 wrote to memory of 4928	3344	msedge.exe	84
PID 3344 wrote to memory of 4928	3344	msedge.exe	84
PID 3344 wrote to memory of 4928	3344	msedge.exe	84
PID 3344 wrote to memory of 4928	3344	msedge.exe	84
PID 3344 wrote to memory of 4928	3344	msedge.exe	84
PID 3344 wrote to memory of 4928	3344	msedge.exe	84
PID 3344 wrote to memory of 4928	3344	msedge.exe	84
PID 3344 wrote to memory of 4928	3344	msedge.exe	84
PID 3344 wrote to memory of 4928	3344	msedge.exe	84
PID 3344 wrote to memory of 4928	3344	msedge.exe	84
PID 3344 wrote to memory of 4928	3344	msedge.exe	84
PID 3344 wrote to memory of 4928	3344	msedge.exe	84
PID 3344 wrote to memory of 4928	3344	msedge.exe	84
PID 3344 wrote to memory of 4928	3344	msedge.exe	84
PID 3344 wrote to memory of 4928	3344	msedge.exe	84
PID 3344 wrote to memory of 4928	3344	msedge.exe	84
PID 3344 wrote to memory of 4928	3344	msedge.exe	84
PID 3344 wrote to memory of 4928	3344	msedge.exe	84
PID 3344 wrote to memory of 4928	3344	msedge.exe	84
PID 3344 wrote to memory of 4928	3344	msedge.exe	84
PID 3344 wrote to memory of 4928	3344	msedge.exe	84
PID 3344 wrote to memory of 4928	3344	msedge.exe	84
PID 3344 wrote to memory of 4928	3344	msedge.exe	84
PID 3344 wrote to memory of 4928	3344	msedge.exe	84
PID 3344 wrote to memory of 4928	3344	msedge.exe	84
PID 3344 wrote to memory of 4928	3344	msedge.exe	84
PID 3344 wrote to memory of 4928	3344	msedge.exe	84
PID 3344 wrote to memory of 4928	3344	msedge.exe	84
PID 3344 wrote to memory of 4928	3344	msedge.exe	84
PID 3344 wrote to memory of 3112	3344	msedge.exe	85
PID 3344 wrote to memory of 3112	3344	msedge.exe	85
PID 3344 wrote to memory of 4684	3344	msedge.exe	86
PID 3344 wrote to memory of 4684	3344	msedge.exe	86
PID 3344 wrote to memory of 4684	3344	msedge.exe	86
PID 3344 wrote to memory of 4684	3344	msedge.exe	86
PID 3344 wrote to memory of 4684	3344	msedge.exe	86
PID 3344 wrote to memory of 4684	3344	msedge.exe	86
PID 3344 wrote to memory of 4684	3344	msedge.exe	86
PID 3344 wrote to memory of 4684	3344	msedge.exe	86
PID 3344 wrote to memory of 4684	3344	msedge.exe	86
PID 3344 wrote to memory of 4684	3344	msedge.exe	86
PID 3344 wrote to memory of 4684	3344	msedge.exe	86
PID 3344 wrote to memory of 4684	3344	msedge.exe	86
PID 3344 wrote to memory of 4684	3344	msedge.exe	86
PID 3344 wrote to memory of 4684	3344	msedge.exe	86
PID 3344 wrote to memory of 4684	3344	msedge.exe	86
PID 3344 wrote to memory of 4684	3344	msedge.exe	86
PID 3344 wrote to memory of 4684	3344	msedge.exe	86
PID 3344 wrote to memory of 4684	3344	msedge.exe	86
PID 3344 wrote to memory of 4684	3344	msedge.exe	86
PID 3344 wrote to memory of 4684	3344	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.google.com/file/d/1d-AcYI1SvRj8B-iwa3CP7iaGyuSrBE28/view?usp=sharing
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe5a1546f8,0x7ffe5a154708,0x7ffe5a154718
  2⤵
  PID:2892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,15377886550721936642,2241042957381254861,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
  2⤵
  PID:4928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,15377886550721936642,2241042957381254861,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,15377886550721936642,2241042957381254861,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2804 /prefetch:8
  2⤵
  PID:4684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,15377886550721936642,2241042957381254861,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
  2⤵
  PID:2136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,15377886550721936642,2241042957381254861,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
  2⤵
  PID:312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,15377886550721936642,2241042957381254861,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:1
  2⤵
  PID:3096
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,15377886550721936642,2241042957381254861,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5680 /prefetch:8
  2⤵
  PID:3564
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,15377886550721936642,2241042957381254861,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5680 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,15377886550721936642,2241042957381254861,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:1
  2⤵
  PID:3536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,15377886550721936642,2241042957381254861,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5704 /prefetch:1
  2⤵
  PID:4428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,15377886550721936642,2241042957381254861,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5792 /prefetch:1
  2⤵
  PID:4108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,15377886550721936642,2241042957381254861,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5424 /prefetch:1
  2⤵
  PID:3388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,15377886550721936642,2241042957381254861,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:1
  2⤵
  PID:1900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2148,15377886550721936642,2241042957381254861,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5028 /prefetch:8
  2⤵
  PID:4688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,15377886550721936642,2241042957381254861,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4956 /prefetch:1
  2⤵
  PID:2864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2148,15377886550721936642,2241042957381254861,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6284 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,15377886550721936642,2241042957381254861,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1048 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,15377886550721936642,2241042957381254861,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4932 /prefetch:1
  2⤵
  PID:4112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,15377886550721936642,2241042957381254861,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5308 /prefetch:1
  2⤵
  PID:3136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,15377886550721936642,2241042957381254861,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6060 /prefetch:1
  2⤵
  PID:4208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,15377886550721936642,2241042957381254861,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6096 /prefetch:1
  2⤵
  PID:3776

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4464

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4060

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4344
- C:\Windows\system32\dashost.exe
  dashost.exe {87af42d3-d885-4ae5-9bcf92d95501f614}
  2⤵
  PID:3180

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2680

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Downloads.zip"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3540

C:\Users\Admin\Desktop\WaveInstaller (5).exe
"C:\Users\Admin\Desktop\WaveInstaller (5).exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\089118c0-5cea-4c57-a30d-9aead84e4f78.tmp

Filesize
11KB

MD5
b3c87be34f9e4632278ced3037169d5f

SHA1
fdbc4ba96a10b23006cd65e218e2d73d3c82c292

SHA256
87eaeec149d3ba1d1979b97ba32023cf8c4807841bb1b57efc7f052b8955cd3f

SHA512
7a72cfdadca00a11a067269adb77f508364f3ddf5513268d0309439be0d02c5cdccb9ed8bafd5d0bed08fc07c4cccdc63b7b6ccf20ae52d95db851f09b279be8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
336e632142966bb5b1555731fdae58b9

SHA1
df21896206cb41e55caef4082b8d402435de5389

SHA256
bf03fb88aee2f97c7757c4d05b84f3873ba82c16de2a537679f521bb42d2a3d8

SHA512
f7cc58005811b16b1842307d473d379a0444269936ab2c0bbd58d827ad5383e0400e2a7e863f59215412a2f84924b1f8758b155b1b7eb83d045d1b6883c92173

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
dd3fc896ff3b0d6ebf2ed72827fd3aa3

SHA1
8c8a9bcb355d3fddca81c5a0b7c85a094fbe9b5f

SHA256
7d083e4431e3faf959c6c5f74d0319e5c7b199407b6a36c7adc980376e6da72e

SHA512
5950639d09cd39676d2277efd11e4e21fcb6431cd67f7f2ba900def9d25fc4d56015ae2a0e32fa9f599e71f1ffd0f1b3981c57a30d73095915f975e783633619

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
408B

MD5
698dd7ae389e90be871476ef184b3f43

SHA1
e06a1473d3e682598d7b1d4c3e283974b1da9119

SHA256
7092b7ef5022fd27f4d1d7f08b7a332ba00469ed17caeb47965446c1525fd006

SHA512
3e7ff84b294ab0fe511c2b665f14ebd780278085c74dba32efd7f08e0819060b96727d600272e4ce894496043904f7904af26ea098136baa6b1d503a6135ffd8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
33a30fb652b4dec8b769f6ca7d588af9

SHA1
bd47c62cb64fd80a0d87df69b9824bf6e0f6ae65

SHA256
bc34bcca52ff74243d8563475f477d1e0141eb5fd35dc75938cda4f39ae12fa8

SHA512
859860c614724deec92aa279f816880e2d52e02183f27ad2ac55dc8df5955178e77eac00db991f6318b9d6ce4ef29713eddf0bc3d07051af8898feed8e44f9a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
688fa646f70b49d6d8cc170001ff5805

SHA1
39266af49ac41aeedf6bb5d6196f524d60d78b72

SHA256
b902c1c7e60f5e3a080483894fda581c571841e371a4beb9d0043bca568cc1c4

SHA512
8f41ba88c44a99d47d2cc4d021b76fafe867b7b40e564e1bf22d84694a54e67f6b4020945e7ac28f92e9dfddcf46392411127707de57bf7cb533144221d1a99c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a53259ccab6be556495db626b3b5d664

SHA1
34d4fba0ab4010f8971ecabf1f2b2a8483e5954b

SHA256
73158322b236e37cc3496bfc24e575abfe675213a5fe8348449147a3f931bc8a

SHA512
d2eee57a0cb1c6fd8bcb2b4551244775fa97da2f6408d46e9746afa0fdf77010e2a6b4c3ad9555498bcdc4bc65916c06fba1b216ef782e937908de6fa2a85aa4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
aa7b4634231c58c95e0f4325970fe671

SHA1
b6cf2864e6f4881f603dd0461793b2d980daefc0

SHA256
25b555b031bd383c1cae6aace5fe298655f9240c035ab11aa54bdf997f9d137b

SHA512
fbb0cb587cc77bde2d670f5a539b2c55d09324fbf003445a3567b8296bd9450c5d7321373d103fa8653d9d428618e61d8a5fd9875f4f193ca63d4f19ef71b13a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f560e95ee3996610af45bcac3236c16c

SHA1
aedc7c64d207b099fe733c42118adf75c339a299

SHA256
ab62d48cfeced47193e5a725764a89c7453d4d8ee2efc97095d375d84ce2a9af

SHA512
98516ad0e39eaf931027c05e6d64726db06f482e4715c3d7d1b942acea28a13986c5a4d3c41f3c617f32acce215a89687aa121ce52e6dc64f10ac4bbf9631aa2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
c3f5489294215c341083e7a582a9b5d3

SHA1
d7cd3e656e368384f2e082951fa00e7f7d812ea2

SHA256
e217ce5fd71758a3fd22b410bd8a0e5896ddfe5b8efc254da08d208195e89306

SHA512
720540ce809f3119f6f2d40167b6cdb3ae127241b9a951c5a570c69c4eabe763b683438834121deda924ca3bb238355017ec67d0c9ee40817bca68e93c2cb0da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\b5585abb-c7c2-478a-963a-b7c94c7786ac.tmp

Filesize
7KB

MD5
3a61ed79332ac0260c0a8c4ac73bb878

SHA1
86b8a329f9ec68a0b7c63d7004e9f06dbccf1aa8

SHA256
504497cdeea246ace16f4e3d92c1f3248b6bf5c856689f585b40809441249cc2

SHA512
ec2b4161433784163e236edc0ebbff45b99d03b960eeca383c6e3d3c487063cd27ed9bebf777b13476b538f3e4ece991907ac88a4374d54891a8b96fe646abb5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
59b3d39541b82bf8d385285e6f7e349e

SHA1
91806a6d9b7e1652ed23bbffd51e5c8eafcc632a

SHA256
47196ab42d2d92d9cb4fd5e8e919c6c4f2f6b1285cef455a34def14f514aea9a

SHA512
a8028da7a7a125bf633bcd80496e73c8345e7b5cca9fcc43d61470c5d6ea0724eca348fea0c727b5b8d337ba4ba0641fce766897c3f7568c9e93f328579ffb12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
1edfda97a27f1586f4e310f24704816d

SHA1
965f82ae28001dde583dbec6f295044538df483f

SHA256
bcfee45137c639bbc270dd3436953e555fd22ae3616bc51e5ac3c01f7d586a8f

SHA512
be8210edc3faa2d03d5528484bcd617772f274e8d87cd19302808795037ed5f19488c80112e01a522e70f5a9552e0ecf15510c001ee7241309c9cf109478b977

Download Submit
C:\Users\Admin\Desktop\WaveInstaller (5).exe

Filesize
2.3MB

MD5
8ad8b6593c91d7960dad476d6d4af34f

SHA1
0a95f110c8264cde7768a3fd76db5687fda830ea

SHA256
43e6ae7e38488e95741b1cad60843e7ce49419889285433eb4e697c175a153ab

SHA512
09b522da0958f8b173e97b31b6c7141cb67de5d30db9ff71bc6e61ca9a97c09bff6b17d6eaa03c840500996aad25b3419391af64de1c59e98ff6a8eac636b686

Download Submit
C:\Users\Admin\Downloads\Downloads.zip

Filesize
27.3MB

MD5
7633fb2dedfa16071e64216cef932336

SHA1
af6e54fd5e9383847781139eec80801fa9d0cc81

SHA256
d4c138ee5fd81c633d9ec42fe186634eb348f14660c51211d1770e090df3f13e

SHA512
2da525df7caf825c14b99fa47cdc247ad3735ef641be6553f7de752e96d060fd6ff1a8e08c3ca8568617659d2cadca4be76d77794b80a11c2ad3beddfb90494b

Download Submit
memory/3712-209-0x0000000000D30000-0x0000000000F7A000-memory.dmp

Filesize
2.3MB

Download
memory/3712-210-0x0000000005A30000-0x0000000005AE2000-memory.dmp

Filesize
712KB

Download
memory/3712-211-0x0000000005AE0000-0x0000000005B62000-memory.dmp

Filesize
520KB

Download
memory/3712-212-0x00000000059F0000-0x00000000059F8000-memory.dmp

Filesize
32KB

Download
memory/3712-213-0x0000000005A00000-0x0000000005A08000-memory.dmp

Filesize
32KB

Download
memory/3712-214-0x000000000A510000-0x000000000A548000-memory.dmp

Filesize
224KB

Download
memory/3712-215-0x000000000A4E0000-0x000000000A4EE000-memory.dmp

Filesize
56KB

Download