d7737947b934ec2b5f21190c7d7e72871d715b9528988bccb7ef6211bec4c843

Analysis

max time kernel
149s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2024 06:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MfFgzT.html
Size

512B
MD5

57292c5b5933fa957d77b4443d5e2947
SHA1

c51ae5797a024b2d4c803dfc815841aadff2929e
SHA256

d7737947b934ec2b5f21190c7d7e72871d715b9528988bccb7ef6211bec4c843
SHA512

411dfd63f1cb8591af5f4abc123a1ea48301222477ca22dd71e8a9d90e01e22b1ba2ad17c473cff27b5424977b58fa4ab60a792e9bd3b2bd42ea7966cdccacf1

Score

7^/10

defense_evasion discovery execution privilege_escalation

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
5856	ClientManager.exe

Checks for any installed AV software in registry 1 TTPs 1 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\KasperskyLab	reg.exe

Hide Artifacts: Hidden Window 1 TTPs 1 IoCs

Windows that would typically be displayed when an application carries out an operation can be hidden.

defense_evasion

Hidden Window

T1564.003

pid	Process
5680	cmd.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Start PowerShell.

execution

PowerShell

T1059.001

pid	Process
5692	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
5856	ClientManager.exe
5856	ClientManager.exe

Access Token Manipulation: Create Process with Token 1 TTPs 1 IoCs

defense_evasion privilege_escalation

Create Process with Token

T1134.002

pid	Process
5856	ClientManager.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings	msedge.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 51 IoCs

pid	Process
1872	msedge.exe
1872	msedge.exe
3976	msedge.exe
3976	msedge.exe
3672	identity_helper.exe
3672	identity_helper.exe
4972	msedge.exe
4972	msedge.exe
5692	powershell.exe
5692	powershell.exe
5692	powershell.exe
5856	ClientManager.exe
5856	ClientManager.exe
5856	ClientManager.exe
5856	ClientManager.exe
5856	ClientManager.exe
5856	ClientManager.exe
5856	ClientManager.exe
5856	ClientManager.exe
5856	ClientManager.exe
5856	ClientManager.exe
5856	ClientManager.exe
5856	ClientManager.exe
5856	ClientManager.exe
5856	ClientManager.exe
5856	ClientManager.exe
5856	ClientManager.exe
5856	ClientManager.exe
5856	ClientManager.exe
5856	ClientManager.exe
5856	ClientManager.exe
5856	ClientManager.exe
5856	ClientManager.exe
5856	ClientManager.exe
5856	ClientManager.exe
5136	msedge.exe
5136	msedge.exe
5136	msedge.exe
5136	msedge.exe
5856	ClientManager.exe
5856	ClientManager.exe
5856	ClientManager.exe
5856	ClientManager.exe
5856	ClientManager.exe
5856	ClientManager.exe
5856	ClientManager.exe
5856	ClientManager.exe
5856	ClientManager.exe
5856	ClientManager.exe
5856	ClientManager.exe
5856	ClientManager.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3600	WaveWindows.exe
Token: SeCreatePagefilePrivilege	3600	WaveWindows.exe
Token: SeShutdownPrivilege	3600	WaveWindows.exe
Token: SeCreatePagefilePrivilege	3600	WaveWindows.exe
Token: SeShutdownPrivilege	3600	WaveWindows.exe
Token: SeCreatePagefilePrivilege	3600	WaveWindows.exe
Token: SeShutdownPrivilege	3600	WaveWindows.exe
Token: SeCreatePagefilePrivilege	3600	WaveWindows.exe
Token: SeShutdownPrivilege	3600	WaveWindows.exe
Token: SeCreatePagefilePrivilege	3600	WaveWindows.exe
Token: SeDebugPrivilege	5692	powershell.exe
Token: SeShutdownPrivilege	3600	WaveWindows.exe
Token: SeCreatePagefilePrivilege	3600	WaveWindows.exe
Token: SeShutdownPrivilege	3600	WaveWindows.exe
Token: SeCreatePagefilePrivilege	3600	WaveWindows.exe
Token: SeShutdownPrivilege	3600	WaveWindows.exe
Token: SeCreatePagefilePrivilege	3600	WaveWindows.exe
Token: SeShutdownPrivilege	3600	WaveWindows.exe
Token: SeCreatePagefilePrivilege	3600	WaveWindows.exe
Token: SeShutdownPrivilege	3600	WaveWindows.exe
Token: SeCreatePagefilePrivilege	3600	WaveWindows.exe
Token: SeShutdownPrivilege	3600	WaveWindows.exe
Token: SeCreatePagefilePrivilege	3600	WaveWindows.exe
Token: SeShutdownPrivilege	3600	WaveWindows.exe
Token: SeCreatePagefilePrivilege	3600	WaveWindows.exe
Token: SeShutdownPrivilege	3600	WaveWindows.exe
Token: SeCreatePagefilePrivilege	3600	WaveWindows.exe
Token: SeShutdownPrivilege	3600	WaveWindows.exe
Token: SeCreatePagefilePrivilege	3600	WaveWindows.exe
Token: SeShutdownPrivilege	3600	WaveWindows.exe
Token: SeCreatePagefilePrivilege	3600	WaveWindows.exe
Token: SeShutdownPrivilege	3600	WaveWindows.exe
Token: SeCreatePagefilePrivilege	3600	WaveWindows.exe
Token: SeShutdownPrivilege	3600	WaveWindows.exe
Token: SeCreatePagefilePrivilege	3600	WaveWindows.exe
Token: SeShutdownPrivilege	3600	WaveWindows.exe
Token: SeCreatePagefilePrivilege	3600	WaveWindows.exe
Token: SeShutdownPrivilege	3600	WaveWindows.exe
Token: SeCreatePagefilePrivilege	3600	WaveWindows.exe
Token: SeShutdownPrivilege	3600	WaveWindows.exe
Token: SeCreatePagefilePrivilege	3600	WaveWindows.exe
Token: SeShutdownPrivilege	3600	WaveWindows.exe
Token: SeCreatePagefilePrivilege	3600	WaveWindows.exe
Token: SeShutdownPrivilege	3600	WaveWindows.exe
Token: SeCreatePagefilePrivilege	3600	WaveWindows.exe
Token: SeShutdownPrivilege	3600	WaveWindows.exe
Token: SeCreatePagefilePrivilege	3600	WaveWindows.exe
Token: SeShutdownPrivilege	3600	WaveWindows.exe
Token: SeCreatePagefilePrivilege	3600	WaveWindows.exe
Token: SeShutdownPrivilege	3600	WaveWindows.exe
Token: SeCreatePagefilePrivilege	3600	WaveWindows.exe
Token: SeShutdownPrivilege	3600	WaveWindows.exe
Token: SeCreatePagefilePrivilege	3600	WaveWindows.exe
Token: SeShutdownPrivilege	3600	WaveWindows.exe
Token: SeCreatePagefilePrivilege	3600	WaveWindows.exe
Token: SeShutdownPrivilege	3600	WaveWindows.exe
Token: SeCreatePagefilePrivilege	3600	WaveWindows.exe
Token: SeShutdownPrivilege	3600	WaveWindows.exe
Token: SeCreatePagefilePrivilege	3600	WaveWindows.exe
Token: SeShutdownPrivilege	3600	WaveWindows.exe
Token: SeCreatePagefilePrivilege	3600	WaveWindows.exe
Token: SeShutdownPrivilege	3600	WaveWindows.exe
Token: SeCreatePagefilePrivilege	3600	WaveWindows.exe
Token: SeShutdownPrivilege	3600	WaveWindows.exe

Suspicious use of FindShellTrayWindow 50 IoCs

pid	Process
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3976 wrote to memory of 2540	3976	msedge.exe	83
PID 3976 wrote to memory of 2540	3976	msedge.exe	83
PID 3976 wrote to memory of 1952	3976	msedge.exe	84
PID 3976 wrote to memory of 1952	3976	msedge.exe	84
PID 3976 wrote to memory of 1952	3976	msedge.exe	84
PID 3976 wrote to memory of 1952	3976	msedge.exe	84
PID 3976 wrote to memory of 1952	3976	msedge.exe	84
PID 3976 wrote to memory of 1952	3976	msedge.exe	84
PID 3976 wrote to memory of 1952	3976	msedge.exe	84
PID 3976 wrote to memory of 1952	3976	msedge.exe	84
PID 3976 wrote to memory of 1952	3976	msedge.exe	84
PID 3976 wrote to memory of 1952	3976	msedge.exe	84
PID 3976 wrote to memory of 1952	3976	msedge.exe	84
PID 3976 wrote to memory of 1952	3976	msedge.exe	84
PID 3976 wrote to memory of 1952	3976	msedge.exe	84
PID 3976 wrote to memory of 1952	3976	msedge.exe	84
PID 3976 wrote to memory of 1952	3976	msedge.exe	84
PID 3976 wrote to memory of 1952	3976	msedge.exe	84
PID 3976 wrote to memory of 1952	3976	msedge.exe	84
PID 3976 wrote to memory of 1952	3976	msedge.exe	84
PID 3976 wrote to memory of 1952	3976	msedge.exe	84
PID 3976 wrote to memory of 1952	3976	msedge.exe	84
PID 3976 wrote to memory of 1952	3976	msedge.exe	84
PID 3976 wrote to memory of 1952	3976	msedge.exe	84
PID 3976 wrote to memory of 1952	3976	msedge.exe	84
PID 3976 wrote to memory of 1952	3976	msedge.exe	84
PID 3976 wrote to memory of 1952	3976	msedge.exe	84
PID 3976 wrote to memory of 1952	3976	msedge.exe	84
PID 3976 wrote to memory of 1952	3976	msedge.exe	84
PID 3976 wrote to memory of 1952	3976	msedge.exe	84
PID 3976 wrote to memory of 1952	3976	msedge.exe	84
PID 3976 wrote to memory of 1952	3976	msedge.exe	84
PID 3976 wrote to memory of 1952	3976	msedge.exe	84
PID 3976 wrote to memory of 1952	3976	msedge.exe	84
PID 3976 wrote to memory of 1952	3976	msedge.exe	84
PID 3976 wrote to memory of 1952	3976	msedge.exe	84
PID 3976 wrote to memory of 1952	3976	msedge.exe	84
PID 3976 wrote to memory of 1952	3976	msedge.exe	84
PID 3976 wrote to memory of 1952	3976	msedge.exe	84
PID 3976 wrote to memory of 1952	3976	msedge.exe	84
PID 3976 wrote to memory of 1952	3976	msedge.exe	84
PID 3976 wrote to memory of 1952	3976	msedge.exe	84
PID 3976 wrote to memory of 1872	3976	msedge.exe	85
PID 3976 wrote to memory of 1872	3976	msedge.exe	85
PID 3976 wrote to memory of 720	3976	msedge.exe	86
PID 3976 wrote to memory of 720	3976	msedge.exe	86
PID 3976 wrote to memory of 720	3976	msedge.exe	86
PID 3976 wrote to memory of 720	3976	msedge.exe	86
PID 3976 wrote to memory of 720	3976	msedge.exe	86
PID 3976 wrote to memory of 720	3976	msedge.exe	86
PID 3976 wrote to memory of 720	3976	msedge.exe	86
PID 3976 wrote to memory of 720	3976	msedge.exe	86
PID 3976 wrote to memory of 720	3976	msedge.exe	86
PID 3976 wrote to memory of 720	3976	msedge.exe	86
PID 3976 wrote to memory of 720	3976	msedge.exe	86
PID 3976 wrote to memory of 720	3976	msedge.exe	86
PID 3976 wrote to memory of 720	3976	msedge.exe	86
PID 3976 wrote to memory of 720	3976	msedge.exe	86
PID 3976 wrote to memory of 720	3976	msedge.exe	86
PID 3976 wrote to memory of 720	3976	msedge.exe	86
PID 3976 wrote to memory of 720	3976	msedge.exe	86
PID 3976 wrote to memory of 720	3976	msedge.exe	86
PID 3976 wrote to memory of 720	3976	msedge.exe	86
PID 3976 wrote to memory of 720	3976	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\MfFgzT.html
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffac07e46f8,0x7ffac07e4708,0x7ffac07e4718
  2⤵
  PID:2540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,2348396390023845719,11439634994090027549,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
  2⤵
  PID:1952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,2348396390023845719,11439634994090027549,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2348 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,2348396390023845719,11439634994090027549,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2336 /prefetch:8
  2⤵
  PID:720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,2348396390023845719,11439634994090027549,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3204 /prefetch:1
  2⤵
  PID:5116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,2348396390023845719,11439634994090027549,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
  2⤵
  PID:1628
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,2348396390023845719,11439634994090027549,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5172 /prefetch:8
  2⤵
  PID:3228
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,2348396390023845719,11439634994090027549,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5172 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,2348396390023845719,11439634994090027549,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5332 /prefetch:1
  2⤵
  PID:4876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,2348396390023845719,11439634994090027549,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:1
  2⤵
  PID:2960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,2348396390023845719,11439634994090027549,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4552 /prefetch:1
  2⤵
  PID:2164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,2348396390023845719,11439634994090027549,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
  2⤵
  PID:2620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,2348396390023845719,11439634994090027549,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5664 /prefetch:1
  2⤵
  PID:2336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,2348396390023845719,11439634994090027549,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5832 /prefetch:1
  2⤵
  PID:4192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,2348396390023845719,11439634994090027549,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:1
  2⤵
  PID:1824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2088,2348396390023845719,11439634994090027549,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6064 /prefetch:8
  2⤵
  PID:2584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2088,2348396390023845719,11439634994090027549,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3940 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,2348396390023845719,11439634994090027549,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3904 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5136

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2044

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1560

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3008

C:\Users\Admin\Downloads\WaveWindows\WaveWindows.exe
"C:\Users\Admin\Downloads\WaveWindows\WaveWindows.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3600
- C:\Users\Admin\Downloads\WaveWindows\WaveWindows.exe
  "C:\Users\Admin\Downloads\WaveWindows\WaveWindows.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\wave-electron" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1804,i,10993818106532209004,8986633864722967705,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1744 /prefetch:2
  2⤵
  PID:1428
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "NET SESSION"
  2⤵
  PID:2412
- - C:\Windows\system32\net.exe
    NET SESSION
    3⤵
    PID:1904
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 SESSION
      4⤵
      PID:2896
- C:\Users\Admin\Downloads\WaveWindows\WaveWindows.exe
  "C:\Users\Admin\Downloads\WaveWindows\WaveWindows.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\wave-electron" --standard-schemes=app --secure-schemes=app --field-trial-handle=2164,i,10993818106532209004,8986633864722967705,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2160 /prefetch:3
  2⤵
  PID:2852
- C:\Users\Admin\Downloads\WaveWindows\WaveWindows.exe
  "C:\Users\Admin\Downloads\WaveWindows\WaveWindows.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\wave-electron" --standard-schemes=app --secure-schemes=app --app-path="C:\Users\Admin\Downloads\WaveWindows\resources\app.asar" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --field-trial-handle=2576,i,10993818106532209004,8986633864722967705,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2572 /prefetch:1
  2⤵
  PID:4300
- C:\Users\Admin\Downloads\WaveWindows\resources\node_modules\language-server\wave-luau.exe
  C:\Users\Admin\Downloads\WaveWindows\resources\node_modules\language-server\wave-luau.exe lsp --definitions=C:\Users\Admin\Downloads\WaveWindows\resources\node_modules\language-server\globalTypes.d.luau --definitions=C:\Users\Admin\Downloads\WaveWindows\resources\node_modules\language-server\wave.d.luau --docs=C:\Users\Admin\Downloads\WaveWindows\resources\node_modules\language-server\en-us.json
  2⤵
  PID:5404
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\Software\KasperskyLab" /v Session"
  2⤵
  PID:5424
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKCU\Software\KasperskyLab" /v Session
    3⤵
    - Checks for any installed AV software in registry
    PID:5524
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -Command Start-Process -FilePath & "C:\Users\Admin\Downloads\WaveWindows\bin\ClientManager.exe" -Verb RunAs -WorkingDirectory "C:\Users\Admin\Downloads\WaveWindows\bin" -NoNewWindow -Wait -WindowStyle Hidden"
  2⤵
  - Hide Artifacts: Hidden Window
  PID:5680
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -ExecutionPolicy Bypass -Command Start-Process -FilePath
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5692
- - C:\Users\Admin\Downloads\WaveWindows\bin\ClientManager.exe
    "C:\Users\Admin\Downloads\WaveWindows\bin\ClientManager.exe" -Verb RunAs -WorkingDirectory "C:\Users\Admin\Downloads\WaveWindows\bin" -NoNewWindow -Wait -WindowStyle Hidden
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Access Token Manipulation: Create Process with Token
    - Suspicious behavior: EnumeratesProcesses
    PID:5856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Defense Evasion

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Hide Artifacts

T1564

Hidden Window

T1564.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9b008261dda31857d68792b46af6dd6d

SHA1
e82dc88e2d1da2df7cb19d79a0346b9bb90d52b3

SHA256
9ac598d4f8170f7e475d84103aead9e3c23d5f2d292741a7f56a17bde8b6f7da

SHA512
78853091403a06beeec4998e2e3a4342111895ffd485f7f7cd367741a4883f7a25864cba00a6c86f27dc0c9ce9d04f08011ecc40c8ae9383d33274739ac39f10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0446fcdd21b016db1f468971fb82a488

SHA1
726b91562bb75f80981f381e3c69d7d832c87c9d

SHA256
62c5dc18b25e758f3508582a7c58bb46b734a774d97fc0e8a20614235caa8222

SHA512
1df7c085042266959f1fe0aedc5f6d40ceba485b54159f51f0c38f17bb250b79ea941b735e1b6faf219f23fe8ab65ac4557f545519d52d5416b89ad0f9047a31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
a24945eb07aa9eb62d6e553d69f74966

SHA1
70569568333300797e168de3f3c51f821cbd8b39

SHA256
783b5b042c9f5b8fa3e3455e532d4290b3284021e5d7a65b31bbbb528fc8c083

SHA512
f72154836e246ed0cc9f2c6cf437587dd7ed249d55fcc19533724f629a7c0450e1357cf4417315fc1aca4a6bcec31a56b224cda81353d5d0b00333a1635202cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
252B

MD5
1c6347034f4d67205079fd704a899cd4

SHA1
a793e4dd88c825cf2e49131a1dcafe8f390349fb

SHA256
a2e5e3be2520a1221b0f7280082e5e83a8905e2b0827a40820975a1f16b771ad

SHA512
eb309f8ff5005db3180658715a432a17bd42a619e1e7368a7c0841458c555fe82a63e1d5a87f748b46f535edf5615c73176f5d939866ac74731834a00fc892ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
8131d91721d89698034f493d4d7951fe

SHA1
16a37ccac022f238ed27a61ebe8d594c96691ea9

SHA256
89de851d30f1315e573345d934441a013196e2417c2f00147eabef7a6f4c799d

SHA512
e5d412c008a967d7a9d7631d141f27caa099d3b15b9c937ab300ec622ef3242d3dc63d8a2f49a5ac19ff56ed75d780cc0e1fba3acdc71e8ff4692173e573479c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4681d30a1d7aeed4e2041757b92ad103

SHA1
d6a613d814534f39dd7970462d92a6cfada501bb

SHA256
fe182207d2839ece877263c177f729b204395ae6cfcd13021082e5bf0addfe84

SHA512
f909439f6561da3a766dbd36015392d6a988e9136f05da3557cf00727c79e564a408d7ab135c57b64ba1cb2a9081e62e3306afd34790e0dd364b2647964b236e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7d1440e8f4a83e6f0b23484b7e58580d

SHA1
0cb79a14b764716ae1a696f00cd420fc446ae1a3

SHA256
d17ac20dad34896d6bb28cc1f741e5c1c4d963c8a962bb767fae2f51d77d3494

SHA512
bff7520e010ffe1a11bd69190d2fc7da75b54072c22cba088cf4989e9f40fa2b187dec44b4dd7822de5d1b796c47cc572ce889ec93c666afad98fb4cd87f2d05

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_000008

Filesize
20KB

MD5
e8e1f8273c10625d8b5e1541f8cab8fd

SHA1
18d7a3b3362fc592407e5b174a8fb60a128ce544

SHA256
45870d39eb491375c12251d35194e916ace795b1a67e02841e1bbcb14f1a0e44

SHA512
ca77d40ec247d16bc50302f8b13c79b37ab1fcf81c1f8ab50f2fc5430d4fabc74f5845c781bd11bb55840184e6765c2f18b28af72e1f7800fe0bb0b1f3f23b24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
dad4cede849e5813c65b958cc6cf6ce0

SHA1
27e895f14357dc014b3824bf84cfb16131422575

SHA256
826e027ac5996651f9ace61ef55041c8ffea47259648ea4cbcc2da6d255f215f

SHA512
b2adcab9a125fdec46e0905271a89f1ad3eb280739cfda368ef7188119db92cb7bc0f260f148c8abb686f3d2e8fcc6d0a2872fda9fdd6032fef783557963d254

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
37b84cd0aa1980c5cf7ab82829c72af9

SHA1
dc568b472e5f437df3a5eb65fff4e57358203851

SHA256
9b88cace9e032faf4a0ed95de89aea3ba6be28428215c81ab892b78f44f55681

SHA512
39759ff0a729180a046cbf10bcff6181ee14e73c43c61b5dcca764b963d0b822993d3e953bdcb8aa87ebbc364e05f2395bf2daab8b69adbb3d3e8ef77ea18fe6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_d5ahkain.tyg.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\wave-electron\Network\Network Persistent State

Filesize
375B

MD5
2df0e2701c987d1640dc505bc4cd17c8

SHA1
bbd4d8a5b1f35b95ac946e01233c3ce726c2a9ef

SHA256
ede7f2a5604365a1ee88d157bc333a9cbd911ee99e9e227cca8127102893e0a5

SHA512
8d342aca37751076b3d94d83f34c37d9a37192a18b213d340868f7362b15799b82220c7373aca20365f662d38b7fa8dd54076f0902757673b2f16bc0c6110a25

Download Submit
C:\Users\Admin\AppData\Roaming\wave-electron\Network\Network Persistent State~RFe59836f.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\Downloads\WaveWindows\bin\ClientManager.exe

Filesize
21.6MB

MD5
0992b1eeef7450b8bc151cfe5a578f61

SHA1
9cb6b223d6fa8f0d29a7fa6e58ff5f757640c780

SHA256
068436912f008a35341b99be12c8af407cfccc4950fec63b59d88c0aa5c431f2

SHA512
4ee7d380c31145601b2031ee1b68ac31ac2eed0d63af7db1615b3dcf92b99e17a3110156ea6ba9ba1e8ba632bfbf8697428cb99183d7977a67a3258e9a2178b7

Download Submit
C:\Users\Admin\Downloads\WaveWindows\bin\config.json

Filesize
388B

MD5
98d76379e7044b833e18491e322a0bfb

SHA1
cc5c927fb5fbcf32b1a019783e23a519fb21d2a9

SHA256
4793e9c5f9e10e49b7525c83a0e85e03afa5067aff322513db4481259617b404

SHA512
2de2e839117a9d9b8cb611fb9708a8cb988b5e9b6843217f9c85ffe90a0772a51bf5fe48b8749e99537b6e59066eadd31f7dd25120b6806b575073ba80fe3ad4

Download Submit
memory/4300-188-0x00007FFACDFC0000-0x00007FFACDFC1000-memory.dmp

Filesize
4KB

Download
memory/4300-274-0x00000268AD3A0000-0x00000268AD44D000-memory.dmp

Filesize
692KB

Download
memory/4300-273-0x00000268ADAA0000-0x00000268AE1DF000-memory.dmp

Filesize
7.2MB

Download
memory/4300-187-0x00007FFACE600000-0x00007FFACE601000-memory.dmp

Filesize
4KB

Download
memory/5692-255-0x000001E6C4BA0000-0x000001E6C4BC2000-memory.dmp

Filesize
136KB

Download
memory/5856-263-0x00007FF7B7110000-0x00007FF7B9421000-memory.dmp

Filesize
35.1MB

Download
memory/5856-262-0x00007FFACF1C0000-0x00007FFACF1C2000-memory.dmp

Filesize
8KB

Download
memory/5856-261-0x00007FFACF1B0000-0x00007FFACF1B2000-memory.dmp

Filesize
8KB

Download