Analysis Overview
SHA256
72be5cdc343a20bdd70c7550c16e9c520102d1ceee2c39fd9f727097c54d2129
Threat Level: Likely malicious
The file Wave.zip was found to be: Likely malicious.
The archive's members were detonated individually: behavioral1, behavioral2 and behavioral4 cover the CefSharp browser-subprocess DLL and executable, behavioral22 the bin\xxhash.dll library, behavioral13 and behavioral14 WaveBootstrapper.exe, and behavioral16 WaveInstaller.exe. The summary below merges the signatures of all detonations, so any single item may come from only one member of the archive.
Malicious Activity Summary
Office macro that triggers on suspicious action
Loads dropped DLL
UPX packed file
System Location Discovery: System Language Discovery
Program crash
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Detects videocard installed
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-14 11:37
Signatures
Office macro that triggers on suspicious action
(1 match; no indicator details recorded)
Unsigned PE
(17 matches; no indicator details recorded)
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-14 11:36
Reported
2024-08-14 11:41
Platform
win7-20240705-en
Max time kernel
118s
Max time network
132s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1740 wrote to memory of 1928 (7 identical events) | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Wave\CefSharp.BrowserSubprocess.Core.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Wave\CefSharp.BrowserSubprocess.Core.dll,#1
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-14 11:36
Reported
2024-08-14 11:40
Platform
win10v2004-20240802-en
Max time kernel
48s
Max time network
60s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2772 wrote to memory of 2272 (3 identical events) | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Wave\CefSharp.BrowserSubprocess.Core.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Wave\CefSharp.BrowserSubprocess.Core.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2272 -ip 2272
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2272 -s 1088
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
Files
memory/2272-0-0x0000000005050000-0x000000000513A000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-08-14 11:36
Reported
2024-08-14 11:40
Platform
win10v2004-20240802-en
Max time kernel
79s
Max time network
93s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Wave\CefSharp.BrowserSubprocess.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Wave\CefSharp.BrowserSubprocess.exe
"C:\Users\Admin\AppData\Local\Temp\Wave\CefSharp.BrowserSubprocess.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
Files
memory/4504-0-0x0000000074B5E000-0x0000000074B5F000-memory.dmp
memory/4504-1-0x0000000000F00000-0x0000000000F08000-memory.dmp
memory/4504-2-0x00000000056F0000-0x00000000057DA000-memory.dmp
memory/4504-3-0x0000000005C50000-0x0000000005C9A000-memory.dmp
Analysis: behavioral22
Detonation Overview
Submitted
2024-08-14 11:36
Reported
2024-08-14 11:41
Platform
win10v2004-20240802-en
Max time kernel
138s
Max time network
158s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Wave\bin\xxhash.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral13
Detonation Overview
Submitted
2024-08-14 11:36
Reported
2024-08-14 11:39
Platform
win7-20240729-en
Max time kernel
9s
Max time network
19s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\Wave\WaveBootstrapper.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Wave\WaveBootstrapper.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Wave\WaveBootstrapper.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2944 wrote to memory of 580 (4 identical events) | N/A | C:\Users\Admin\AppData\Local\Temp\Wave\WaveBootstrapper.exe | C:\Windows\SysWOW64\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Wave\WaveBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\Wave\WaveBootstrapper.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2944 -s 1440
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | clientsettingscdn.roblox.com | udp |
| GB | 18.165.242.74:443 | clientsettingscdn.roblox.com | tcp |
Files
memory/2944-0-0x000000007497E000-0x000000007497F000-memory.dmp
memory/2944-1-0x0000000000C10000-0x0000000000D02000-memory.dmp
memory/2944-2-0x0000000074970000-0x000000007505E000-memory.dmp
memory/2944-4-0x0000000000240000-0x000000000024A000-memory.dmp
memory/2944-3-0x0000000000240000-0x000000000024A000-memory.dmp
memory/2944-5-0x0000000074970000-0x000000007505E000-memory.dmp
memory/2944-6-0x00000000055C0000-0x00000000056C4000-memory.dmp
memory/2944-7-0x0000000000480000-0x000000000048A000-memory.dmp
Analysis: behavioral14
Detonation Overview
Submitted
2024-08-14 11:36
Reported
2024-08-14 11:41
Platform
win10v2004-20240802-en
Max time kernel
149s
Max time network
164s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Wave\WaveBootstrapper.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Wave\WaveBootstrapper.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Wave\WaveBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\Wave\WaveBootstrapper.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | clientsettingscdn.roblox.com | udp |
| GB | 18.165.242.53:443 | clientsettingscdn.roblox.com | tcp |
| US | 8.8.8.8:53 | 53.242.165.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
Files
memory/2308-0-0x0000000074E3E000-0x0000000074E3F000-memory.dmp
memory/2308-1-0x0000000000050000-0x0000000000142000-memory.dmp
memory/2308-2-0x0000000074E30000-0x00000000755E0000-memory.dmp
memory/2308-3-0x0000000074E30000-0x00000000755E0000-memory.dmp
memory/2308-4-0x0000000074E30000-0x00000000755E0000-memory.dmp
memory/2308-5-0x0000000007AA0000-0x0000000007AD8000-memory.dmp
memory/2308-6-0x0000000007A80000-0x0000000007A8E000-memory.dmp
memory/2308-7-0x0000000008910000-0x0000000008A14000-memory.dmp
memory/2308-8-0x0000000007AF0000-0x0000000007AFA000-memory.dmp
memory/2308-9-0x0000000009590000-0x00000000095B6000-memory.dmp
memory/2308-10-0x0000000007B00000-0x0000000007B08000-memory.dmp
memory/2308-11-0x00000000095D0000-0x00000000095E6000-memory.dmp
memory/2308-12-0x0000000009600000-0x000000000960A000-memory.dmp
memory/2308-13-0x0000000009610000-0x000000000961A000-memory.dmp
memory/2308-14-0x0000000009650000-0x0000000009658000-memory.dmp
memory/2308-15-0x00000000096B0000-0x00000000096CE000-memory.dmp
memory/2308-17-0x0000000074E30000-0x00000000755E0000-memory.dmp
Analysis: behavioral16
Detonation Overview
Submitted
2024-08-14 11:36
Reported
2024-08-14 11:41
Platform
win10v2004-20240802-en
Max time kernel
145s
Max time network
163s
Command Line
Signatures
Loads dropped DLL
UPX packed file
(64 matches; no indicator details recorded)
Detects videocard installed
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Wave\WaveInstaller.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Wave\WaveInstaller.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Wave\WaveInstaller.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Wave\WaveInstaller.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Wave\WaveInstaller.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 (LUID; SeIncreaseWorkingSetPrivilege) | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 (LUID; SeTimeZonePrivilege) | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 (LUID; SeCreateSymbolicLinkPrivilege) | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 (LUID; SeDelegateSessionUserImpersonatePrivilege) | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
The 21-privilege set above is recorded three times for WMIC.exe. It is the full set of privileges held by an administrative token in LUID order, with the four newest privileges shown by LUID because the report's name lookup has no entry for them; WMIC enables every privilege present in its token at start-up, so these rows describe the tool's own behaviour rather than an elevation performed by the sample. The SeDebugPrivilege row attributed to WaveInstaller.exe is the one that belongs to the sample.
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Wave\WaveInstaller.exe
"C:\Users\Admin\AppData\Local\Temp\Wave\WaveInstaller.exe"
C:\Users\Admin\AppData\Local\Temp\Wave\WaveInstaller.exe
"C:\Users\Admin\AppData\Local\Temp\Wave\WaveInstaller.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
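The process trees are where the report's process-level signatures come from, and two of them need interpretation before they count as evidence. In behavioral1 and behavioral2 the 64-bit C:\Windows\system32\rundll32.exe was handed a 32-bit DLL (CefSharp.BrowserSubprocess.Core.dll, export ordinal #1) and re-executed the SysWOW64 copy with the same command line; the parent-to-child WriteProcessMemory events are the process-creation plumbing of that relaunch, and the WerFault crash is consistent with calling a CEF helper export through rundll32's entry-point convention, not with injection by the sample. In behavioral16, by contrast, WaveInstaller.exe spawns cmd.exe to run wmic csproduct get uuid and wmic path win32_VideoController get name: the machine UUID and the display-adapter name are the two queries most often used to fingerprint a host and to recognise a VM by its virtual GPU. The Python below is an added example, not part of this report or of the analysed software. It replays constructed process-creation events modelled on these trees (only the rundll32 PIDs 1740 and 1928 come from the report; the other PIDs, the user-writable directory list and the fingerprint query list are assumptions) and shows how a detection would suppress the WoW64 relaunch while flagging WMIC hardware queries whose originating process lives in a user-writable directory.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed events modelled on the behavioral1/2 and behavioral16 trees of the report.
# Only PIDs 1740 -> 1928 are from the report; every other PID is assumed.
EVENTS = [
    ProcEvent(1740, 1000, r"C:\Windows\system32\rundll32.exe",
              r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\Wave\CefSharp.BrowserSubprocess.Core.dll,#1"),
    ProcEvent(1928, 1740, r"C:\Windows\SysWOW64\rundll32.exe",
              r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\Wave\CefSharp.BrowserSubprocess.Core.dll,#1"),
    ProcEvent(1820, 1000, r"C:\Users\Admin\AppData\Local\Temp\Wave\WaveInstaller.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\Wave\WaveInstaller.exe"'),
    ProcEvent(1824, 1820, r"C:\Users\Admin\AppData\Local\Temp\Wave\WaveInstaller.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\Wave\WaveInstaller.exe"'),
    ProcEvent(1900, 1824, r"C:\Windows\system32\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"'),
    ProcEvent(1904, 1900, r"C:\Windows\System32\Wbem\WMIC.exe", r"wmic csproduct get uuid"),
    ProcEvent(1908, 1824, r"C:\Windows\system32\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"'),
    ProcEvent(1912, 1908, r"C:\Windows\System32\Wbem\WMIC.exe", r"wmic path win32_VideoController get name"),
]

SYSTEM_PREFIX = "c:\\windows\\"
# Assumed list of locations a user can write to without elevation.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\downloads\\", "\\users\\public\\")
# Assumed (WMI alias or class, property) pairs used for host/VM fingerprinting.
FINGERPRINT_QUERIES = (
    ("csproduct", "uuid"),
    ("win32_videocontroller", "name"),
    ("baseboard", "serialnumber"),
    ("bios", "serialnumber"),
    ("diskdrive", "model"),
)


def is_wow64_rundll32_relaunch(parent: ProcEvent, child: ProcEvent) -> bool:
    """64-bit rundll32 given a 32-bit DLL re-runs the SysWOW64 copy with the identical
    command line; the parent-writes-to-child events that accompany the spawn are benign."""
    return (parent.image.lower().endswith("\\system32\\rundll32.exe")
            and child.image.lower().endswith("\\syswow64\\rundll32.exe")
            and parent.cmdline.strip().lower() == child.cmdline.strip().lower())


def wmic_fingerprint_query(cmdline: str) -> Optional[str]:
    """Return 'alias.property' when the command line is a WMIC hardware-identity query."""
    words = cmdline.lower().split()
    if not words or "wmic" not in words[0]:
        return None
    for alias, prop in FINGERPRINT_QUERIES:
        if alias in words and prop in words:
            return f"{alias}.{prop}"
    return None


def origin_of(ev: ProcEvent, by_pid: dict) -> ProcEvent:
    """Walk up the ancestry to the nearest process outside C:\\Windows, i.e. the binary
    that introduced the activity (cmd.exe and WMIC.exe are only intermediaries)."""
    cur = ev
    while cur.image.lower().startswith(SYSTEM_PREFIX) and cur.ppid in by_pid:
        cur = by_pid[cur.ppid]
    return cur


def triage(events):
    by_pid = {e.pid: e for e in events}
    relaunches, fingerprints = [], []
    for ev in events:
        parent = by_pid.get(ev.ppid)
        if parent is not None and is_wow64_rundll32_relaunch(parent, ev):
            relaunches.append((parent.pid, ev.pid))
            continue
        query = wmic_fingerprint_query(ev.cmdline)
        if query is None:
            continue
        origin = origin_of(ev, by_pid)
        from_user_dir = any(p in origin.image.lower() for p in USER_WRITABLE)
        fingerprints.append((query, origin.image, from_user_dir))
    return {"wow64_relaunch": relaunches, "hardware_fingerprint": fingerprints}


def verdict(result) -> str:
    """Two or more distinct hardware queries from a user-writable origin is the pattern
    seen in behavioral16; a single query is worth a look but is also what inventory tools do."""
    queries = {q for q, _, user_dir in result["hardware_fingerprint"] if user_dir}
    if len(queries) >= 2:
        return "likely host/VM fingerprinting from a user-writable location"
    if queries:
        return "single hardware query from a user-writable location; review"
    return "no fingerprinting from user-writable locations"


if __name__ == "__main__":
    res = triage(EVENTS)
    for key, value in res.items():
        print(key, value)
    print(verdict(res))
```

Run against the constructed events it reports one suppressed relaunch (1740 to 1928) and two fingerprint queries whose origin is WaveInstaller.exe under AppData\Local\Temp. The same logic maps directly onto Sysmon event ID 1 or EDR process-start telemetry, where the parent PID and command line are available.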
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| FR | 142.250.178.131:443 | gstatic.com | tcp |
| US | 8.8.8.8:53 | luna-wpu3a.in | udp |
| US | 8.8.8.8:53 | 131.178.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
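Most of this table is background: PTR (in-addr.arpa) lookups that Windows issues for addresses it has just talked to, and the Bing and gstatic endpoints the Windows 10 image reaches on its own. The one row with no companion TCP connection is the DNS query for luna-wpu3a.in, which is also the only name in the table not attributable to Microsoft or Google infrastructure and which shares its prefix with the luna.aes file dropped by the same process (see Files below). Because no connection to it was recorded, the report cannot show what the sample would have sent there. The Python below is an added example, not part of this report: it parses the network table in the format used on this page, turns reverse-lookup names back into IP addresses and cross-references them with the destinations actually contacted, separates an assumed background allow-list, and leaves the names that were only resolved. The allow-list is an assumption for this example and needs tuning per sandbox image.

```python
import re
from collections import defaultdict

# behavioral16 network rows from this report, copied verbatim and abridged to one or
# two rows of each kind; parse_table() accepts the complete table in the same format.
TABLE = """
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| FR | 142.250.178.131:443 | gstatic.com | tcp |
| US | 8.8.8.8:53 | luna-wpu3a.in | udp |
| US | 8.8.8.8:53 | 131.178.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
"""

# Assumed allow-list: names the Windows 10 sandbox image reaches by itself
# (Bing start-menu content, Google connectivity check).
BACKGROUND_NOISE = {"g.bing.com", "tse1.mm.bing.net", "gstatic.com"}

PTR_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa$", re.I)


def parse_table(text):
    """Rows of '| Country | Destination | Domain | Proto |' -> list of 4-tuples."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) == 4 and cells[0] != "Country":
            rows.append(tuple(cells))
    return rows


def ptr_target(domain):
    """Reverse-lookup names carry the address in reversed octet order; return the IP."""
    m = PTR_RE.match(domain)
    return ".".join(reversed(m.groups())) if m else None


def triage_network(rows):
    contacted = defaultdict(set)       # domain -> destinations with a real connection
    resolved, ptr_ips = set(), set()   # names only queried; IPs behind PTR lookups
    for _country, dest, domain, proto in rows:
        ip = ptr_target(domain)
        if ip:
            ptr_ips.add(ip)
        elif proto == "udp" and dest.endswith(":53"):
            resolved.add(domain)
        else:
            contacted[domain].add(dest)
    contacted_ips = {d.rsplit(":", 1)[0] for dests in contacted.values() for d in dests}
    return {
        "contacted": {d: sorted(v) for d, v in contacted.items() if d not in BACKGROUND_NOISE},
        "background": sorted((set(contacted) | resolved) & BACKGROUND_NOISE),
        "resolved_only": sorted(resolved - set(contacted) - BACKGROUND_NOISE),
        "ptr_of_contacted": sorted(ptr_ips & contacted_ips),   # explained by our own traffic
        "ptr_other": sorted(ptr_ips - contacted_ips),          # OS telemetry and similar
    }


if __name__ == "__main__":
    for key, value in triage_network(parse_table(TABLE)).items():
        print(f"{key}: {value}")
```

On the rows above, "contacted" is empty once background names are removed, "resolved_only" holds just luna-wpu3a.in, and two of the PTR lookups resolve to the gstatic and Bing addresses the image connected to, which is why they are noise rather than indicators.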
Files
C:\Users\Admin\AppData\Local\Temp\_MEI20642\setuptools\_vendor\backports.tarfile-1.2.0.dist-info\INSTALLER
| MD5 | 365c9bfeb7d89244f2ce01c1de44cb85 |
| SHA1 | d7a03141d5d6b1e88b6b59ef08b6681df212c599 |
| SHA256 | ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508 |
| SHA512 | d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1 |
C:\Users\Admin\AppData\Local\Temp\_MEI20642\setuptools\_vendor\jaraco.text-3.12.1.dist-info\LICENSE
| MD5 | 141643e11c48898150daa83802dbc65f |
| SHA1 | 0445ed0f69910eeaee036f09a39a13c6e1f37e12 |
| SHA256 | 86da0f01aeae46348a3c3d465195dc1ceccde79f79e87769a64b8da04b2a4741 |
| SHA512 | ef62311602b466397baf0b23caca66114f8838f9e78e1b067787ceb709d09e0530e85a47bbcd4c5a0905b74fdb30df0cc640910c6cc2e67886e5b18794a3583f |
C:\Users\Admin\AppData\Local\Temp\_MEI20642\setuptools\_vendor\jaraco.text-3.12.1.dist-info\WHEEL
| MD5 | 43136dde7dd276932f6197bb6d676ef4 |
| SHA1 | 6b13c105452c519ea0b65ac1a975bd5e19c50122 |
| SHA256 | 189eedfe4581172c1b6a02b97a8f48a14c0b5baa3239e4ca990fbd8871553714 |
| SHA512 | e7712ba7d36deb083ebcc3b641ad3e7d19fb071ee64ae3a35ad6a50ee882b20cd2e60ca1319199df12584fe311a6266ec74f96a3fb67e59f90c7b5909668aee1 |
C:\Users\Admin\AppData\Local\Temp\_MEI20642\python312.dll
| MD5 | ca67f0baf3cc3b7dbb545cda57ba3d81 |
| SHA1 | 5b4e36aef877307af8a8f78f3054d068d1a9ce89 |
| SHA256 | f804ed205e82003da6021ee6d2270733ca00992816e7e89ba13617c96dd0fba3 |
| SHA512 | a9f07dd02714c3efba436326425d443969018ace7ebd7cc33c39d43e3d45480a4fcd4c46c09ad132b4f273888f13e9f598de257130429fcb2519c000e4fab6f7 |
C:\Users\Admin\AppData\Local\Temp\_MEI20642\VCRUNTIME140.dll
| MD5 | be8dbe2dc77ebe7f88f910c61aec691a |
| SHA1 | a19f08bb2b1c1de5bb61daf9f2304531321e0e40 |
| SHA256 | 4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83 |
| SHA512 | 0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655 |
memory/1820-825-0x00007FF850170000-0x00007FF850835000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI20642\_ctypes.pyd
| MD5 | 78f5225e986641eaebfe2bef27865603 |
| SHA1 | 118ac80fdf764f5bfbaad2d803420087b854817d |
| SHA256 | ae55ad9ad1f4cbc398cd0c87556f1f263505cde025c7c7f2c43ce4ae818eb183 |
| SHA512 | 70e18ea660120d60d6bfa17883c2aced276aa858c5da4dca1e1d56203891d996da4f349596c911cb16497db81b42af4ad85e473c3e80f8932557d967c9dad0e4 |
C:\Users\Admin\AppData\Local\Temp\_MEI20642\base_library.zip
| MD5 | 763d1a751c5d47212fbf0caea63f46f5 |
| SHA1 | 845eaa1046a47b5cf376b3dbefcf7497af25f180 |
| SHA256 | 378a4b40f4fa4a8229c93e0afee819085251af03402ccefa3b469651e50e60b7 |
| SHA512 | bb356dd610e6035f4002671440ce96624addf9a89fd952a6419647a528a551a6ccd0eca0ee2eeb080d9aad683b5afc9415c721fa62c3bcddcb7f1923f59d9c45 |
C:\Users\Admin\AppData\Local\Temp\_MEI20642\python3.DLL
| MD5 | 8dbe9bbf7118f4862e02cd2aaf43f1ab |
| SHA1 | 935bc8c5cea4502d0facf0c49c5f2b9c138608ed |
| SHA256 | 29f173e0147390a99f541ba0c0231fdd7dfbca84d0e2e561ef352bf1ec72f5db |
| SHA512 | 938f8387dcc356012ac4a952d371664700b110f7111fcc24f5df7d79791ae95bad0dbaf77d2d6c86c820bfd48a6bdbe8858b7e7ae1a77df88e596556c7135ed4 |
C:\Users\Admin\AppData\Local\Temp\_MEI20642\libffi-8.dll
| MD5 | be8ceb4f7cb0782322f0eb52bc217797 |
| SHA1 | 280a7cc8d297697f7f818e4274a7edd3b53f1e4d |
| SHA256 | 7d08df2c496c32281bf9a010b62e8898b9743db8b95a7ebee12d746c2e95d676 |
| SHA512 | 07318c71c3137114e0cfec7d8b4815fd6efa51ce70b377121f26dc469cefe041d5098e1c92af8ed0c53b21e9c845fddee4d6646d5bd8395a3f1370ba56a59571 |
memory/1820-836-0x00007FF865ED0000-0x00007FF865EDF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI20642\_bz2.pyd
| MD5 | 9da23eb807a43a954d40048b53a98e6f |
| SHA1 | e639bd9a27409fc72f36b4ec3383eeecdacb9dc5 |
| SHA256 | 02d0d3c0163f69a7e6713742ab98e73321c5298976089fe9a03b6d91d3293ebb |
| SHA512 | c8d164c8d4722dcd04f13aa11307fddd655e73fd03b15c8056b34252bce925ca679b48032313b8587369500d03574213da20e513c3b4c155099a84de9ac0bba8 |
C:\Users\Admin\AppData\Local\Temp\_MEI20642\_lzma.pyd
| MD5 | 24a598b2caa17caee2e24d2bb97b445d |
| SHA1 | 262f07406e170284fea0c1e41093bfe1c4a25eab |
| SHA256 | af4ae25b17c7cf23d06e1f37fdefe903a840073266d4314e410a4acec2af6270 |
| SHA512 | 7bdf0a599c488436c118523a67ab154a37ffc5aab0ecec95c463bd068d1121b197c0ebb91dc7db3cf2a3db913abaffd0a60aedb373c0e670c63cd8d85f716f3a |
memory/1820-861-0x00007FF85B9E0000-0x00007FF85BA0D000-memory.dmp
memory/1820-860-0x00007FF864B70000-0x00007FF864B8A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI20642\_wmi.pyd
| MD5 | 9ba21832765a278dfc220426e9c6a2e3 |
| SHA1 | b82716b165f3094b70e41a01b4785ca1b1e2c2de |
| SHA256 | aa23361fc26c1b91fcc458156eeca0ee869c6f9eca30182ceb2b83c810cfaab4 |
| SHA512 | a9232b7593c29543091c0f7d1043cc1b39ff0b7c324362fe860d3ee0674ca069c93a85d0a8c2bb6133904318f67e448c1fd99e491f0ddda57d8d9f984ed106a3 |
C:\Users\Admin\AppData\Local\Temp\_MEI20642\_uuid.pyd
| MD5 | 8f5402bb6aac9c4ff9b4ce5ac3f0f147 |
| SHA1 | 87207e916d0b01047b311d78649763d6e001c773 |
| SHA256 | 793e44c75e7d746af2bb5176e46c454225f07cb27b1747f1b83d1748d81ad9ac |
| SHA512 | 65fdef32aeba850aa818a8c8bf794100725a9831b5242350e6c04d0bca075762e1b650f19c437a17b150e9fca6ad344ec4141a041fa12b5a91652361053c7e81 |
C:\Users\Admin\AppData\Local\Temp\_MEI20642\_ssl.pyd
| MD5 | e5353f0aa2c35efd5b4a1a0805a6978c |
| SHA1 | d92f1066fe79dc1a1afe7ca3c0b9e803aced7e9f |
| SHA256 | 908a3938b962132f3f4429badad0e26a8b138de192a060ca1c1067e2b2ce128a |
| SHA512 | 11c632e69c982a77053fefb22e764dfdb30f6d10abe6c88e2512aa7daf26a0ef59dcc109d262cdb58875f2fba46312027b6e180dc7f0fa24ddc02b78a55c0c28 |
C:\Users\Admin\AppData\Local\Temp\_MEI20642\_sqlite3.pyd
| MD5 | 4381c00145ed565ed992f415aa4e33da |
| SHA1 | 378be370c2290e9d6a9dee406f989c211cf0efe2 |
| SHA256 | d81d61074ed8a476af01a46eefb32a908eb8ab34f7cf7d4f53dcfd8274a163be |
| SHA512 | 57b527e0a2f55c45e1aaee147adb67933b6f6acd5f8eebe6efe97fc5f8c23f20a1303972b45076565d0bff880b751fc039a85673ee88a77a17f969e17ec0a3a7 |
C:\Users\Admin\AppData\Local\Temp\_MEI20642\_socket.pyd
| MD5 | 886d68f020a8a2232fbcb8ab431ff9f8 |
| SHA1 | 65db84d574e9e38281475cb6d86acb94c74ce5b9 |
| SHA256 | 199c490b67f4364a78c6ba7df595e13e483e110345d067bf57b3826d3bf06715 |
| SHA512 | bb33bb67ee0204817282373f72a2666aa32e8e47a717e443247bd493853f804949bb59ae3b4a213fcad306d1ced123cd1377e05df3e353400120928597ed34da |
C:\Users\Admin\AppData\Local\Temp\_MEI20642\_queue.pyd
| MD5 | 52e8135f08c61f94b536d1a1c787bf23 |
| SHA1 | 6ea0d2bd42d3293273b27ea5fb64abef3361ba3f |
| SHA256 | fdcd6416bcbaddc8d0e3b029d2c5f621956066cb95c5fa06c948e7eec25152b8 |
| SHA512 | 06e75181a0831d1493ecc28a02f2f52fd30c1b53a4053e94a974b577ace6cdc912f1cb7223059cdacecf5fabfff1f2fff2955b1ba8f54ce5b15b7a6eec77c452 |
C:\Users\Admin\AppData\Local\Temp\_MEI20642\_overlapped.pyd
| MD5 | ab8d1617e9c0c43c1683a567498c1441 |
| SHA1 | 69ee6500c1bb30b437693283075165dec0861433 |
| SHA256 | 7779b8fc61da810db720956b3d49c0d1c8cd4e05cc662f767fc8f0088cf923d4 |
| SHA512 | f1f79c4499b135c56eef659b82fc46e3869519c1adf0704c0e5fab34f593c741549c236c0c62610f4c9ee2ea10e9acbccb39474a518b66f41c84b3466c133b01 |
C:\Users\Admin\AppData\Local\Temp\_MEI20642\_multiprocessing.pyd
| MD5 | 3cba83d3acab104d0237ca3fd0fda954 |
| SHA1 | 6fd08494729a6f3bef6b908365268bdac1e170f1 |
| SHA256 | a50471d9a065b2e4f0fa61fb88c2dcaa04b7f104fae9ea4bc981d0f6fe39e5fc |
| SHA512 | 09105f6e6ad13d8d89ef81f9d8c6273c0c540d29227d653d3e3a86d210030b1737f3779839088bc3ea1e08aaf2de70cf55d5288f34b7441bfbd8999a33b6e2d9 |
C:\Users\Admin\AppData\Local\Temp\_MEI20642\_hashlib.pyd
| MD5 | 121f21e4c072b1307ec96e26dbb54f48 |
| SHA1 | fd7ffeb22377db68bd6abce8ea526afa14faad0f |
| SHA256 | 8dac9aa352bfcb960501682d412a9eeebea5d1cdde3771ba9b70a0ae2e08e883 |
| SHA512 | bec606d0b9c4cabc263a4eda3b8cd403e2486a4e3369fe99117386c4d1969248c54d762b465ab5bdf87fdcc7a08bf90aa873064c65063db8cd4dc437e7e1e6c5 |
C:\Users\Admin\AppData\Local\Temp\_MEI20642\_decimal.pyd
| MD5 | c67548fec576c79aa4c7d829ebbcb8fd |
| SHA1 | 3c1dd3daf407257ded9717dadcf017fdd8a2c07c |
| SHA256 | 31c2c5200f59969c7078a5a913067dfcdf326cb0d43754e38893239774286fab |
| SHA512 | 696d76f6baf739aa2a0d1d057df6d3f8cba1008c0528c8060bb3808a775393bf5e61578154e0d1bd0f3162195b108fbe51daf005d29d368447b5c8fe844a338b |
C:\Users\Admin\AppData\Local\Temp\_MEI20642\_cffi_backend.cp312-win_amd64.pyd
| MD5 | e8204fbeced1bbe02489cfee909d573e |
| SHA1 | 7625ee886d50ffa837db6e2ade9c74e86f0d4fa2 |
| SHA256 | d0aa34b160311a35ca2b888dbb9423e8990962b7c89655a5e9c1ba97324ace6b |
| SHA512 | 3638126cc76adb7c4aa23c2d62219dfe8a04cffb3dafac50adbd1f53fc603084f48b9240f10fcd92681bc7fb1f0a54159149e4c90f7ee8043a64c3a5c50bd05a |
C:\Users\Admin\AppData\Local\Temp\_MEI20642\_asyncio.pyd
| MD5 | d9f56d51d32bcbade2d954a9427337dc |
| SHA1 | d0e5cee77d5038193580335e3271bb5f1fb6bfc4 |
| SHA256 | 1b6c23b6f235ad58e4062b1dc4ce2c36f031f1469bf9e60c11e07603ca4656e3 |
| SHA512 | fc18968a319c11b2d9f20a376b93cc74503139506b1c9f9ee3dd226edc1ba753cad85c20368e162c14d26cf2f75f70ae7e82b2b9881088235f5eaca66e8dad66 |
C:\Users\Admin\AppData\Local\Temp\_MEI20642\VCRUNTIME140_1.dll
| MD5 | f8dfa78045620cf8a732e67d1b1eb53d |
| SHA1 | ff9a604d8c99405bfdbbf4295825d3fcbc792704 |
| SHA256 | a113f192195f245f17389e6ecbed8005990bcb2476ddad33f7c4c6c86327afe5 |
| SHA512 | ba7f8b7ab0deb7a7113124c28092b543e216ca08d1cf158d9f40a326fb69f4a2511a41a59ea8482a10c9ec4ec8ac69b70dfe9ca65e525097d93b819d498da371 |
C:\Users\Admin\AppData\Local\Temp\_MEI20642\unicodedata.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI20642\sqlite3.dll
C:\Users\Admin\AppData\Local\Temp\_MEI20642\select.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI20642\pyexpat.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI20642\luna.aes
C:\Users\Admin\AppData\Local\Temp\_MEI20642\libssl-3.dll
C:\Users\Admin\AppData\Local\Temp\_MEI20642\libcrypto-3.dll
C:\Users\Admin\AppData\Local\Temp\_MEI20642\setuptools\_vendor\jaraco\text\Lorem ipsum.txt
C:\Users\Admin\AppData\Local\Temp\_MEI20642\zstandard\backend_c.cp312-win_amd64.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI20642\charset_normalizer\md.cp312-win_amd64.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI20642\charset_normalizer\md__mypyc.cp312-win_amd64.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI20642\certifi\cacert.pem
C:\Users\Admin\AppData\Local\Temp\_MEI20642\psutil\_psutil_windows.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI20642\Cryptodome\Cipher\_raw_ecb.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI20642\Cryptodome\Cipher\_raw_cbc.pyd
Analysis: behavioral26
Detonation Overview
Submitted
2024-08-14 11:36
Reported
2024-08-14 11:41
Platform
win10v2004-20240802-en
Max time kernel
144s
Max time network
158s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Wave\bin\zstd.dll,#1
Network
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-08-14 11:36
Reported
2024-08-14 11:40
Platform
win7-20240729-en
Max time kernel
67s
Max time network
20s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\Wave\CefSharp.BrowserSubprocess.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Wave\CefSharp.BrowserSubprocess.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2744 wrote to memory of 3016 | N/A | C:\Users\Admin\AppData\Local\Temp\Wave\CefSharp.BrowserSubprocess.exe | C:\Windows\SysWOW64\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Wave\CefSharp.BrowserSubprocess.exe
"C:\Users\Admin\AppData\Local\Temp\Wave\CefSharp.BrowserSubprocess.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2744 -s 532
Network
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-08-14 11:36
Reported
2024-08-14 11:41
Platform
win10v2004-20240802-en
Max time kernel
147s
Max time network
159s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Wave\CefSharp.Wpf.dll,#1
Network
Files
Analysis: behavioral25
Detonation Overview
Submitted
2024-08-14 11:36
Reported
2024-08-14 11:41
Platform
win7-20240704-en
Max time kernel
120s
Max time network
131s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1256 wrote to memory of 1028 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Wave\bin\zstd.dll,#1
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1256 -s 80
Network
Files
Analysis: behavioral28
Detonation Overview
Submitted
2024-08-14 11:36
Reported
2024-08-14 11:42
Platform
win10v2004-20240802-en
Max time kernel
136s
Max time network
138s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2580 wrote to memory of 540 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Wave\d3dcompiler_47.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Wave\d3dcompiler_47.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 540 -ip 540
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 540 -s 612
Network
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-08-14 11:36
Reported
2024-08-14 11:41
Platform
win7-20240708-en
Max time kernel
120s
Max time network
134s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2316 wrote to memory of 2320 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Wave\CefSharp.Core.Runtime.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Wave\CefSharp.Core.Runtime.dll,#1
Network
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-08-14 11:36
Reported
2024-08-14 11:41
Platform
win7-20240705-en
Max time kernel
121s
Max time network
136s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Wave\CefSharp.Core.dll,#1
Network
Files
Analysis: behavioral19
Detonation Overview
Submitted
2024-08-14 11:36
Reported
2024-08-14 11:41
Platform
win7-20240729-en
Max time kernel
9s
Max time network
21s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2484 wrote to memory of 2316 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Wave\bin\wolfssl.dll,#1
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2484 -s 92
Network
Files
Analysis: behavioral29
Detonation Overview
Submitted
2024-08-14 11:36
Reported
2024-08-14 11:41
Platform
win10v2004-20240802-en
Max time kernel
138s
Max time network
165s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3248 wrote to memory of 3228 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Wave\libEGL.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Wave\libEGL.dll,#1
Network
Files
Analysis: behavioral30
Detonation Overview
Submitted
2024-08-14 11:36
Reported
2024-08-14 11:41
Platform
win10v2004-20240802-en
Max time kernel
146s
Max time network
163s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3788 wrote to memory of 3044 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Wave\libGLESv2.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Wave\libGLESv2.dll,#1
Network
Files
Analysis: behavioral31
Detonation Overview
Submitted
2024-08-14 11:36
Reported
2024-08-14 11:41
Platform
win10v2004-20240802-en
Max time kernel
147s
Max time network
156s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1656 wrote to memory of 3332 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Wave\libcef.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Wave\libcef.dll,#1
Network
Files
Analysis: behavioral12
Detonation Overview
Submitted
2024-08-14 11:36
Reported
2024-08-14 11:41
Platform
win10v2004-20240802-en
Max time kernel
137s
Max time network
165s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Wave\CefSharp.dll,#1
Network
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-08-14 11:36
Reported
2024-08-14 11:42
Platform
win7-20240704-en
Max time kernel
119s
Max time network
141s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Wave\CefSharp.Wpf.dll,#1
Network
Files
Analysis: behavioral11
Detonation Overview
Submitted
2024-08-14 11:36
Reported
2024-08-14 11:41
Platform
win7-20240704-en
Max time kernel
121s
Max time network
134s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Wave\CefSharp.dll,#1
Network
Files
Analysis: behavioral32
Detonation Overview
Submitted
2024-08-14 11:36
Reported
2024-08-14 11:41
Platform
win10v2004-20240802-en
Max time kernel
142s
Max time network
152s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4292 wrote to memory of 1732 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Wave\vk_swiftshader.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Wave\vk_swiftshader.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1732 -ip 1732
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1732 -s 600
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 45.19.74.20.in-addr.arpa | udp |
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-08-14 11:36
Reported
2024-08-14 11:41
Platform
win10v2004-20240802-en
Max time kernel
142s
Max time network
152s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5872 wrote to memory of 5924 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 5872 wrote to memory of 5924 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 5872 wrote to memory of 5924 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Wave\CefSharp.Core.Runtime.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Wave\CefSharp.Core.Runtime.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 176 -p 5924 -ip 5924
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5924 -s 1100
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 45.19.74.20.in-addr.arpa | udp |
| NL | 52.111.243.29:443 | | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
memory/5924-0-0x0000000005170000-0x00000000052CB000-memory.dmp
Analysis: behavioral8
Detonation Overview
Submitted
2024-08-14 11:36
Reported
2024-08-14 11:41
Platform
win10v2004-20240802-en
Max time kernel
133s
Max time network
129s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Wave\CefSharp.Core.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral15
Detonation Overview
Submitted
2024-08-14 11:36
Reported
2024-08-14 11:41
Platform
win7-20240708-en
Max time kernel
120s
Max time network
128s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Wave\WaveInstaller.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2112 wrote to memory of 2956 | N/A | C:\Users\Admin\AppData\Local\Temp\Wave\WaveInstaller.exe | C:\Users\Admin\AppData\Local\Temp\Wave\WaveInstaller.exe |
| PID 2112 wrote to memory of 2956 | N/A | C:\Users\Admin\AppData\Local\Temp\Wave\WaveInstaller.exe | C:\Users\Admin\AppData\Local\Temp\Wave\WaveInstaller.exe |
| PID 2112 wrote to memory of 2956 | N/A | C:\Users\Admin\AppData\Local\Temp\Wave\WaveInstaller.exe | C:\Users\Admin\AppData\Local\Temp\Wave\WaveInstaller.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Wave\WaveInstaller.exe
"C:\Users\Admin\AppData\Local\Temp\Wave\WaveInstaller.exe"
C:\Users\Admin\AppData\Local\Temp\Wave\WaveInstaller.exe
"C:\Users\Admin\AppData\Local\Temp\Wave\WaveInstaller.exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\_MEI21122\setuptools\_vendor\backports.tarfile-1.2.0.dist-info\INSTALLER
| MD5 | 365c9bfeb7d89244f2ce01c1de44cb85 |
| SHA1 | d7a03141d5d6b1e88b6b59ef08b6681df212c599 |
| SHA256 | ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508 |
| SHA512 | d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1 |
C:\Users\Admin\AppData\Local\Temp\_MEI21122\setuptools\_vendor\jaraco.text-3.12.1.dist-info\LICENSE
| MD5 | 141643e11c48898150daa83802dbc65f |
| SHA1 | 0445ed0f69910eeaee036f09a39a13c6e1f37e12 |
| SHA256 | 86da0f01aeae46348a3c3d465195dc1ceccde79f79e87769a64b8da04b2a4741 |
| SHA512 | ef62311602b466397baf0b23caca66114f8838f9e78e1b067787ceb709d09e0530e85a47bbcd4c5a0905b74fdb30df0cc640910c6cc2e67886e5b18794a3583f |
C:\Users\Admin\AppData\Local\Temp\_MEI21122\setuptools\_vendor\jaraco.text-3.12.1.dist-info\WHEEL
| MD5 | 43136dde7dd276932f6197bb6d676ef4 |
| SHA1 | 6b13c105452c519ea0b65ac1a975bd5e19c50122 |
| SHA256 | 189eedfe4581172c1b6a02b97a8f48a14c0b5baa3239e4ca990fbd8871553714 |
| SHA512 | e7712ba7d36deb083ebcc3b641ad3e7d19fb071ee64ae3a35ad6a50ee882b20cd2e60ca1319199df12584fe311a6266ec74f96a3fb67e59f90c7b5909668aee1 |
C:\Users\Admin\AppData\Local\Temp\_MEI21122\python312.dll
| MD5 | ca67f0baf3cc3b7dbb545cda57ba3d81 |
| SHA1 | 5b4e36aef877307af8a8f78f3054d068d1a9ce89 |
| SHA256 | f804ed205e82003da6021ee6d2270733ca00992816e7e89ba13617c96dd0fba3 |
| SHA512 | a9f07dd02714c3efba436326425d443969018ace7ebd7cc33c39d43e3d45480a4fcd4c46c09ad132b4f273888f13e9f598de257130429fcb2519c000e4fab6f7 |
memory/2956-823-0x000007FEF53C0000-0x000007FEF5A85000-memory.dmp
Analysis: behavioral17
Detonation Overview
Submitted
2024-08-14 11:36
Reported
2024-08-14 11:41
Platform
win7-20240704-en
Max time kernel
118s
Max time network
131s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1976 wrote to memory of 2316 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
| PID 1976 wrote to memory of 2316 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
| PID 1976 wrote to memory of 2316 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Wave\bin\lz4.dll,#1
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1976 -s 80
Network
Files
Analysis: behavioral18
Detonation Overview
Submitted
2024-08-14 11:36
Reported
2024-08-14 11:41
Platform
win10v2004-20240802-en
Max time kernel
146s
Max time network
162s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Wave\bin\lz4.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 45.19.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral20
Detonation Overview
Submitted
2024-08-14 11:36
Reported
2024-08-14 11:41
Platform
win10v2004-20240802-en
Max time kernel
147s
Max time network
160s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Wave\bin\wolfssl.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
Analysis: behavioral23
Detonation Overview
Submitted
2024-08-14 11:36
Reported
2024-08-14 11:42
Platform
win7-20240729-en
Max time kernel
120s
Max time network
134s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2448 wrote to memory of 1612 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
| PID 2448 wrote to memory of 1612 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
| PID 2448 wrote to memory of 1612 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Wave\bin\zlib1.dll,#1
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2448 -s 80
Network
Files
Analysis: behavioral24
Detonation Overview
Submitted
2024-08-14 11:36
Reported
2024-08-14 11:41
Platform
win10v2004-20240802-en
Max time kernel
143s
Max time network
156s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Wave\bin\zlib1.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral21
Detonation Overview
Submitted
2024-08-14 11:36
Reported
2024-08-14 11:42
Platform
win7-20240704-en
Max time kernel
4s
Max time network
22s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1780 wrote to memory of 2324 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
| PID 1780 wrote to memory of 2324 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
| PID 1780 wrote to memory of 2324 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Wave\bin\xxhash.dll,#1
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1780 -s 84
Network
Files
Analysis: behavioral27
Detonation Overview
Submitted
2024-08-14 11:36
Reported
2024-08-14 11:41
Platform
win10v2004-20240802-en
Max time kernel
145s
Max time network
157s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4404 wrote to memory of 4360 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4404 wrote to memory of 4360 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4404 wrote to memory of 4360 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Wave\chrome_elf.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Wave\chrome_elf.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.88.229.212.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |