Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/08/2024, 19:33
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://appleware.dev/download
Resource: win10v2004-20240802-en

General
Target: https://appleware.dev/download
Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE (2 IoCs)
- PID 880: WaveInstaller.exe
- PID 2700: WaveInstaller.exe
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (WaveInstaller.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (WaveInstaller.exe)
Enumerates system info in registry (2 TTPs, 3 IoCs)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
Modifies registry class (1 IoC)
- Key created: \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1194130065-3471212556-1656947724-1000\{748DD8D5-2548-4207-B784-8F91FEC2AFEC} (msedge.exe)
NTFS ADS (1 IoC)
- File opened for modification: C:\Users\Admin\Downloads\Unconfirmed 93947.crdownload:SmartScreen (msedge.exe)
Suspicious behavior: EnumeratesProcesses (14 IoCs)
- PID 2716: msedge.exe (2 entries)
- PID 4272: msedge.exe (2 entries)
- PID 3320: identity_helper.exe (2 entries)
- PID 5072: msedge.exe (2 entries)
- PID 4328: msedge.exe (4 entries)
- PID 2212: msedge.exe (2 entries)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (19 IoCs)
- PID 4272: msedge.exe (19 entries)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
- Token: SeDebugPrivilege, PID 880, WaveInstaller.exe
- Token: SeDebugPrivilege, PID 2700, WaveInstaller.exe
Suspicious use of FindShellTrayWindow (35 IoCs)
- PID 4272: msedge.exe (35 entries)
Suspicious use of SendNotifyMessage (24 IoCs)
- PID 4272: msedge.exe (24 entries)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://appleware.dev/download
PID: 4272 (tree depth 1)
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory

Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffce4a646f8,0x7ffce4a64708,0x7ffce4a64718
PID: 1236 (tree depth 2)

Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,9904673472733837965,892722638481154854,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2076 /prefetch:2
PID: 2972 (tree depth 2)

Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,9904673472733837965,892722638481154854,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 /prefetch:3
PID: 2716 (tree depth 2)
- Suspicious behavior: EnumeratesProcesses

Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2060,9904673472733837965,892722638481154854,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2908 /prefetch:8
PID: 2432 (tree depth 2)

Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,9904673472733837965,892722638481154854,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1
PID: 756 (tree depth 2)

Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,9904673472733837965,892722638481154854,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:1
PID: 1244 (tree depth 2)

Path: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,9904673472733837965,892722638481154854,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5292 /prefetch:8
PID: 3016 (tree depth 2)

Path: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,9904673472733837965,892722638481154854,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5292 /prefetch:8
PID: 3320 (tree depth 2)
- Suspicious behavior: EnumeratesProcesses

Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,9904673472733837965,892722638481154854,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:1
PID: 1396 (tree depth 2)

Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,9904673472733837965,892722638481154854,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1
PID: 3524 (tree depth 2)

Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,9904673472733837965,892722638481154854,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
PID: 5092 (tree depth 2)

Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,9904673472733837965,892722638481154854,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5740 /prefetch:1
PID: 4632 (tree depth 2)

Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,9904673472733837965,892722638481154854,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3648 /prefetch:1
PID: 4516 (tree depth 2)

Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,9904673472733837965,892722638481154854,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2008 /prefetch:1
PID: 2788 (tree depth 2)

Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,9904673472733837965,892722638481154854,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3660 /prefetch:1
PID: 3932 (tree depth 2)

Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,9904673472733837965,892722638481154854,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4048 /prefetch:1
PID: 2240 (tree depth 2)

Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,9904673472733837965,892722638481154854,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6116 /prefetch:1
PID: 4072 (tree depth 2)

Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2060,9904673472733837965,892722638481154854,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6076 /prefetch:8
PID: 5116 (tree depth 2)

Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2060,9904673472733837965,892722638481154854,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5512 /prefetch:8
PID: 5072 (tree depth 2)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses

Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,9904673472733837965,892722638481154854,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1728 /prefetch:1
PID: 4752 (tree depth 2)

Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,9904673472733837965,892722638481154854,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6068 /prefetch:1
PID: 4924 (tree depth 2)

Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,9904673472733837965,892722638481154854,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3604 /prefetch:1
PID: 4892 (tree depth 2)

Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,9904673472733837965,892722638481154854,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
PID: 1752 (tree depth 2)

Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,9904673472733837965,892722638481154854,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:1
PID: 4196 (tree depth 2)

Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,9904673472733837965,892722638481154854,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2296 /prefetch:1
PID: 2496 (tree depth 2)

Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,9904673472733837965,892722638481154854,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6412 /prefetch:1
PID: 4636 (tree depth 2)

Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2060,9904673472733837965,892722638481154854,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6536 /prefetch:8
PID: 4084 (tree depth 2)

Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,9904673472733837965,892722638481154854,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6384 /prefetch:1
PID: 1036 (tree depth 2)

Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2060,9904673472733837965,892722638481154854,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7248 /prefetch:8
PID: 3976 (tree depth 2)

Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,9904673472733837965,892722638481154854,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=7288 /prefetch:2
PID: 4328 (tree depth 2)
- Suspicious behavior: EnumeratesProcesses

Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2060,9904673472733837965,892722638481154854,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6972 /prefetch:8
PID: 2212 (tree depth 2)
- Suspicious behavior: EnumeratesProcesses

Path: C:\Users\Admin\Downloads\WaveInstaller.exe
Command line: "C:\Users\Admin\Downloads\WaveInstaller.exe"
PID: 880 (tree depth 2)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken

Path: C:\Users\Admin\Downloads\WaveInstaller.exe
Command line: "C:\Users\Admin\Downloads\WaveInstaller.exe"
PID: 2700 (tree depth 2)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken

Path: C:\Windows\System32\CompPkgSrv.exe
Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
PID: 3744 (tree depth 1)

Path: C:\Windows\System32\CompPkgSrv.exe
Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
PID: 4408 (tree depth 1)
Network
MITRE ATT&CK Enterprise v15
Downloads