ceb6a0b8e1c27c75155ab28b9283fe488ae5daca15b0cc58ebfc009200c8e824

Analysis

max time kernel
146s
max time network
146s
platform
windows11-21h2_x64
resource
win11-20240611-en
resource tags

arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
submitted
29-06-2024 22:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Wave Goodbye.exe
Size

6.0MB
MD5

b67c09157b260b02037a716d28d7c34f
SHA1

a6da5549351e78fda395b5381dcf9e14240390fd
SHA256

ceb6a0b8e1c27c75155ab28b9283fe488ae5daca15b0cc58ebfc009200c8e824
SHA512

61cc65311af74f83ea950ef54661a5421df67026f7760e257ae3701b3b339f554ac1b42a63f2adafe142ad71a81c545b6749aac0a4f5c78eccd90d072fb7bbad
SSDEEP

98304:dHx3rQ9UT/cnDEuzHEAtpW1pAT0WaDMyaATQKC2witrFr9vQVN9x3gHWdFISYft4:73rpbcnDEuzkAtpWzATIaAEHVYJJmN/P

Score

9^/10

discovery evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

Wave Goodbye.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Wave Goodbye.exe
Downloads MZ/PE file
Drops file in Drivers directory 1 IoCs

Processes:

Wave Goodbye.exe

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts Wave Goodbye.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Wave Goodbye.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	Wave Goodbye.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Wave Goodbye.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Wave Goodbye.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Wave Goodbye.exe

Executes dropped EXE 7 IoCs

Processes:

WaveInstaller.exeWaveBootstrapper.exeWaveWindows.exeCefSharp.BrowserSubprocess.exeCefSharp.BrowserSubprocess.exenode.exeBloxstrap.exe

pid process

4368 WaveInstaller.exe
1004 WaveBootstrapper.exe
3180 WaveWindows.exe
3152 CefSharp.BrowserSubprocess.exe
3260 CefSharp.BrowserSubprocess.exe
656 node.exe
2640 Bloxstrap.exe

pid	process
4368	WaveInstaller.exe
1004	WaveBootstrapper.exe
3180	WaveWindows.exe
3152	CefSharp.BrowserSubprocess.exe
3260	CefSharp.BrowserSubprocess.exe
656	node.exe
2640	Bloxstrap.exe

Loads dropped DLL 25 IoCs

Processes:

WaveBootstrapper.exeWaveWindows.exeCefSharp.BrowserSubprocess.exeCefSharp.BrowserSubprocess.exe

pid	process
1004	WaveBootstrapper.exe
3180	WaveWindows.exe
3180	WaveWindows.exe
3180	WaveWindows.exe
3180	WaveWindows.exe
3180	WaveWindows.exe
3152	CefSharp.BrowserSubprocess.exe
3152	CefSharp.BrowserSubprocess.exe
3152	CefSharp.BrowserSubprocess.exe
3152	CefSharp.BrowserSubprocess.exe
3152	CefSharp.BrowserSubprocess.exe
3152	CefSharp.BrowserSubprocess.exe
3152	CefSharp.BrowserSubprocess.exe
3152	CefSharp.BrowserSubprocess.exe
3152	CefSharp.BrowserSubprocess.exe
3152	CefSharp.BrowserSubprocess.exe
3152	CefSharp.BrowserSubprocess.exe
3260	CefSharp.BrowserSubprocess.exe
3260	CefSharp.BrowserSubprocess.exe
3260	CefSharp.BrowserSubprocess.exe
3260	CefSharp.BrowserSubprocess.exe
3260	CefSharp.BrowserSubprocess.exe
3260	CefSharp.BrowserSubprocess.exe
3260	CefSharp.BrowserSubprocess.exe
3180	WaveWindows.exe

Themida packer 10 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/3112-0-0x0000000140000000-0x0000000140F65000-memory.dmp	themida
behavioral1/memory/3112-2-0x0000000140000000-0x0000000140F65000-memory.dmp	themida
behavioral1/memory/3112-3-0x0000000140000000-0x0000000140F65000-memory.dmp	themida
behavioral1/memory/3112-5-0x0000000140000000-0x0000000140F65000-memory.dmp	themida
behavioral1/memory/3112-4-0x0000000140000000-0x0000000140F65000-memory.dmp	themida
behavioral1/memory/3112-6-0x0000000140000000-0x0000000140F65000-memory.dmp	themida
behavioral1/memory/3112-44-0x0000000140000000-0x0000000140F65000-memory.dmp	themida
behavioral1/memory/3112-141-0x0000000140000000-0x0000000140F65000-memory.dmp	themida
behavioral1/memory/3112-363-0x0000000140000000-0x0000000140F65000-memory.dmp	themida
behavioral1/memory/3112-539-0x0000000140000000-0x0000000140F65000-memory.dmp	themida

Checks for any installed AV software in registry 1 TTPs 4 IoCs

Security Software Discovery

T1518.001

Processes:

WaveWindows.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\KasperskyLab	WaveWindows.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\KasperskyLab\LastUsername	WaveWindows.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\KasperskyLab\Session	WaveWindows.exe
Key opened	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\KasperskyLab	WaveWindows.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

Wave Goodbye.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Wave Goodbye.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs

Web Service
T1102

Processes:

flow ioc

10 discord.com
36 discord.com
55 raw.githubusercontent.com
65 raw.githubusercontent.com
66 raw.githubusercontent.com
67 raw.githubusercontent.com
68 raw.githubusercontent.com
2 raw.githubusercontent.com
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

Wave Goodbye.exe

pid process

3112 Wave Goodbye.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Wave Goodbye.exe

flow	ioc
10	discord.com
36	discord.com
55	raw.githubusercontent.com
65	raw.githubusercontent.com
66	raw.githubusercontent.com
67	raw.githubusercontent.com
68	raw.githubusercontent.com
2	raw.githubusercontent.com

pid	process
3112	Wave Goodbye.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exemsedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133641738268230248"	chrome.exe

Modifies registry class 19 IoCs

Processes:

Bloxstrap.exemsedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\roblox\shell\open	Bloxstrap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\roblox\URL Protocol	Bloxstrap.exe
Key created	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\roblox-player\shell\open\command	Bloxstrap.exe
Key created	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\roblox-player\shell	Bloxstrap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\roblox-player\URL Protocol	Bloxstrap.exe
Key created	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\roblox\DefaultIcon	Bloxstrap.exe
Key created	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\roblox\shell\open\command	Bloxstrap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\roblox\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Bloxstrap\\Bloxstrap.exe\" %1"	Bloxstrap.exe
Key created	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\roblox-player\shell\open	Bloxstrap.exe
Key created	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\roblox	Bloxstrap.exe
Key created	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\roblox\shell	Bloxstrap.exe
Key created	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\roblox-player	Bloxstrap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\roblox-player\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Bloxstrap\\Bloxstrap.exe"	Bloxstrap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\roblox-player\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Bloxstrap\\Bloxstrap.exe\" %1"	Bloxstrap.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1560405787-796225086-678739705-1000\{ABBF721E-1723-40DA-81C7-A560061C136F}	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\roblox\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Bloxstrap\\Bloxstrap.exe"	Bloxstrap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\roblox-player\ = "URL: Roblox Protocol"	Bloxstrap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\roblox\ = "URL: Roblox Protocol"	Bloxstrap.exe
Key created	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\roblox-player\DefaultIcon	Bloxstrap.exe

NTFS ADS 1 IoCs

Processes:

chrome.exe

description ioc process

File opened for modification C:\Users\Admin\Downloads\WaveInstaller.exe:Zone.Identifier chrome.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\WaveInstaller.exe:Zone.Identifier	chrome.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

Processes:

chrome.exemsedge.exemsedge.exemsedge.exemsedge.exeidentity_helper.exeWaveWindows.exeCefSharp.BrowserSubprocess.exeCefSharp.BrowserSubprocess.exeBloxstrap.exe

pid	process
4252	chrome.exe
4252	chrome.exe
1372	msedge.exe
1372	msedge.exe
4860	msedge.exe
4860	msedge.exe
4020	msedge.exe
4020	msedge.exe
4836	msedge.exe
4836	msedge.exe
4036	identity_helper.exe
4036	identity_helper.exe
3180	WaveWindows.exe
3152	CefSharp.BrowserSubprocess.exe
3152	CefSharp.BrowserSubprocess.exe
3260	CefSharp.BrowserSubprocess.exe
3260	CefSharp.BrowserSubprocess.exe
3180	WaveWindows.exe
2640	Bloxstrap.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

Processes:

chrome.exemsedge.exe

pid process

4252 chrome.exe
4252 chrome.exe
4252 chrome.exe
4252 chrome.exe
4252 chrome.exe
4252 chrome.exe
4860 msedge.exe
4860 msedge.exe
4860 msedge.exe
4860 msedge.exe
4860 msedge.exe
4860 msedge.exe
4860 msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exeWaveInstaller.exeWaveBootstrapper.exeWaveWindows.exeCefSharp.BrowserSubprocess.exeCefSharp.BrowserSubprocess.exe

description	pid	process
Token: SeShutdownPrivilege	4252	chrome.exe
Token: SeCreatePagefilePrivilege	4252	chrome.exe
Token: SeShutdownPrivilege	4252	chrome.exe
Token: SeCreatePagefilePrivilege	4252	chrome.exe
Token: SeShutdownPrivilege	4252	chrome.exe
Token: SeCreatePagefilePrivilege	4252	chrome.exe
Token: SeShutdownPrivilege	4252	chrome.exe
Token: SeCreatePagefilePrivilege	4252	chrome.exe
Token: SeShutdownPrivilege	4252	chrome.exe
Token: SeCreatePagefilePrivilege	4252	chrome.exe
Token: SeShutdownPrivilege	4252	chrome.exe
Token: SeCreatePagefilePrivilege	4252	chrome.exe
Token: SeShutdownPrivilege	4252	chrome.exe
Token: SeCreatePagefilePrivilege	4252	chrome.exe
Token: SeShutdownPrivilege	4252	chrome.exe
Token: SeCreatePagefilePrivilege	4252	chrome.exe
Token: SeShutdownPrivilege	4252	chrome.exe
Token: SeCreatePagefilePrivilege	4252	chrome.exe
Token: SeShutdownPrivilege	4252	chrome.exe
Token: SeCreatePagefilePrivilege	4252	chrome.exe
Token: SeShutdownPrivilege	4252	chrome.exe
Token: SeCreatePagefilePrivilege	4252	chrome.exe
Token: SeShutdownPrivilege	4252	chrome.exe
Token: SeCreatePagefilePrivilege	4252	chrome.exe
Token: SeShutdownPrivilege	4252	chrome.exe
Token: SeCreatePagefilePrivilege	4252	chrome.exe
Token: SeShutdownPrivilege	4252	chrome.exe
Token: SeCreatePagefilePrivilege	4252	chrome.exe
Token: SeShutdownPrivilege	4252	chrome.exe
Token: SeCreatePagefilePrivilege	4252	chrome.exe
Token: SeShutdownPrivilege	4252	chrome.exe
Token: SeCreatePagefilePrivilege	4252	chrome.exe
Token: SeShutdownPrivilege	4252	chrome.exe
Token: SeCreatePagefilePrivilege	4252	chrome.exe
Token: SeShutdownPrivilege	4252	chrome.exe
Token: SeCreatePagefilePrivilege	4252	chrome.exe
Token: SeShutdownPrivilege	4252	chrome.exe
Token: SeCreatePagefilePrivilege	4252	chrome.exe
Token: SeShutdownPrivilege	4252	chrome.exe
Token: SeCreatePagefilePrivilege	4252	chrome.exe
Token: SeShutdownPrivilege	4252	chrome.exe
Token: SeCreatePagefilePrivilege	4252	chrome.exe
Token: SeShutdownPrivilege	4252	chrome.exe
Token: SeCreatePagefilePrivilege	4252	chrome.exe
Token: SeShutdownPrivilege	4252	chrome.exe
Token: SeCreatePagefilePrivilege	4252	chrome.exe
Token: SeShutdownPrivilege	4252	chrome.exe
Token: SeCreatePagefilePrivilege	4252	chrome.exe
Token: SeShutdownPrivilege	4252	chrome.exe
Token: SeCreatePagefilePrivilege	4252	chrome.exe
Token: SeShutdownPrivilege	4252	chrome.exe
Token: SeCreatePagefilePrivilege	4252	chrome.exe
Token: SeDebugPrivilege	4368	WaveInstaller.exe
Token: SeDebugPrivilege	1004	WaveBootstrapper.exe
Token: SeDebugPrivilege	3180	WaveWindows.exe
Token: SeDebugPrivilege	3152	CefSharp.BrowserSubprocess.exe
Token: SeDebugPrivilege	3260	CefSharp.BrowserSubprocess.exe
Token: SeShutdownPrivilege	3180	WaveWindows.exe
Token: SeCreatePagefilePrivilege	3180	WaveWindows.exe
Token: SeShutdownPrivilege	3180	WaveWindows.exe
Token: SeCreatePagefilePrivilege	3180	WaveWindows.exe
Token: SeShutdownPrivilege	3180	WaveWindows.exe
Token: SeCreatePagefilePrivilege	3180	WaveWindows.exe
Token: SeShutdownPrivilege	3180	WaveWindows.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exemsedge.exeBloxstrap.exe

pid	process
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
2640	Bloxstrap.exe
2640	Bloxstrap.exe

Suspicious use of SendNotifyMessage 26 IoCs

Processes:

chrome.exemsedge.exeBloxstrap.exe

pid	process
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
2640	Bloxstrap.exe
2640	Bloxstrap.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

node.exeBloxstrap.exe

pid process

656 node.exe
2640 Bloxstrap.exe

pid	process
656	node.exe
2640	Bloxstrap.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 4252 wrote to memory of 4808	4252	chrome.exe	chrome.exe
PID 4252 wrote to memory of 4808	4252	chrome.exe	chrome.exe
PID 4252 wrote to memory of 896	4252	chrome.exe	chrome.exe
PID 4252 wrote to memory of 896	4252	chrome.exe	chrome.exe
PID 4252 wrote to memory of 896	4252	chrome.exe	chrome.exe
PID 4252 wrote to memory of 896	4252	chrome.exe	chrome.exe
PID 4252 wrote to memory of 896	4252	chrome.exe	chrome.exe
PID 4252 wrote to memory of 896	4252	chrome.exe	chrome.exe
PID 4252 wrote to memory of 896	4252	chrome.exe	chrome.exe
PID 4252 wrote to memory of 896	4252	chrome.exe	chrome.exe
PID 4252 wrote to memory of 896	4252	chrome.exe	chrome.exe
PID 4252 wrote to memory of 896	4252	chrome.exe	chrome.exe
PID 4252 wrote to memory of 896	4252	chrome.exe	chrome.exe
PID 4252 wrote to memory of 896	4252	chrome.exe	chrome.exe
PID 4252 wrote to memory of 896	4252	chrome.exe	chrome.exe
PID 4252 wrote to memory of 896	4252	chrome.exe	chrome.exe
PID 4252 wrote to memory of 896	4252	chrome.exe	chrome.exe
PID 4252 wrote to memory of 896	4252	chrome.exe	chrome.exe
PID 4252 wrote to memory of 896	4252	chrome.exe	chrome.exe
PID 4252 wrote to memory of 896	4252	chrome.exe	chrome.exe
PID 4252 wrote to memory of 896	4252	chrome.exe	chrome.exe
PID 4252 wrote to memory of 896	4252	chrome.exe	chrome.exe
PID 4252 wrote to memory of 896	4252	chrome.exe	chrome.exe
PID 4252 wrote to memory of 896	4252	chrome.exe	chrome.exe
PID 4252 wrote to memory of 896	4252	chrome.exe	chrome.exe
PID 4252 wrote to memory of 896	4252	chrome.exe	chrome.exe
PID 4252 wrote to memory of 896	4252	chrome.exe	chrome.exe
PID 4252 wrote to memory of 896	4252	chrome.exe	chrome.exe
PID 4252 wrote to memory of 896	4252	chrome.exe	chrome.exe
PID 4252 wrote to memory of 896	4252	chrome.exe	chrome.exe
PID 4252 wrote to memory of 896	4252	chrome.exe	chrome.exe
PID 4252 wrote to memory of 896	4252	chrome.exe	chrome.exe
PID 4252 wrote to memory of 896	4252	chrome.exe	chrome.exe
PID 4252 wrote to memory of 3656	4252	chrome.exe	chrome.exe
PID 4252 wrote to memory of 3656	4252	chrome.exe	chrome.exe
PID 4252 wrote to memory of 684	4252	chrome.exe	chrome.exe
PID 4252 wrote to memory of 684	4252	chrome.exe	chrome.exe
PID 4252 wrote to memory of 684	4252	chrome.exe	chrome.exe
PID 4252 wrote to memory of 684	4252	chrome.exe	chrome.exe
PID 4252 wrote to memory of 684	4252	chrome.exe	chrome.exe
PID 4252 wrote to memory of 684	4252	chrome.exe	chrome.exe
PID 4252 wrote to memory of 684	4252	chrome.exe	chrome.exe
PID 4252 wrote to memory of 684	4252	chrome.exe	chrome.exe
PID 4252 wrote to memory of 684	4252	chrome.exe	chrome.exe
PID 4252 wrote to memory of 684	4252	chrome.exe	chrome.exe
PID 4252 wrote to memory of 684	4252	chrome.exe	chrome.exe
PID 4252 wrote to memory of 684	4252	chrome.exe	chrome.exe
PID 4252 wrote to memory of 684	4252	chrome.exe	chrome.exe
PID 4252 wrote to memory of 684	4252	chrome.exe	chrome.exe
PID 4252 wrote to memory of 684	4252	chrome.exe	chrome.exe
PID 4252 wrote to memory of 684	4252	chrome.exe	chrome.exe
PID 4252 wrote to memory of 684	4252	chrome.exe	chrome.exe
PID 4252 wrote to memory of 684	4252	chrome.exe	chrome.exe
PID 4252 wrote to memory of 684	4252	chrome.exe	chrome.exe
PID 4252 wrote to memory of 684	4252	chrome.exe	chrome.exe
PID 4252 wrote to memory of 684	4252	chrome.exe	chrome.exe
PID 4252 wrote to memory of 684	4252	chrome.exe	chrome.exe
PID 4252 wrote to memory of 684	4252	chrome.exe	chrome.exe
PID 4252 wrote to memory of 684	4252	chrome.exe	chrome.exe
PID 4252 wrote to memory of 684	4252	chrome.exe	chrome.exe
PID 4252 wrote to memory of 684	4252	chrome.exe	chrome.exe
PID 4252 wrote to memory of 684	4252	chrome.exe	chrome.exe
PID 4252 wrote to memory of 684	4252	chrome.exe	chrome.exe
PID 4252 wrote to memory of 684	4252	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\Wave Goodbye.exe
"C:\Users\Admin\AppData\Local\Temp\Wave Goodbye.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Drops file in Drivers directory
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3112

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/6NNYUEXAR2
2⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4860

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb6ec83cb8,0x7ffb6ec83cc8,0x7ffb6ec83cd8
3⤵
PID:1956

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1968,11361951213521941603,4746617258140490457,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1964 /prefetch:2
3⤵
PID:2996

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1968,11361951213521941603,4746617258140490457,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1372

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1968,11361951213521941603,4746617258140490457,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2800 /prefetch:8
3⤵
PID:3692

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,11361951213521941603,4746617258140490457,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
3⤵
PID:4704

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,11361951213521941603,4746617258140490457,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
3⤵
PID:3024

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,11361951213521941603,4746617258140490457,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4656 /prefetch:1
3⤵
PID:4084

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1968,11361951213521941603,4746617258140490457,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3480 /prefetch:8
3⤵
PID:4604

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1968,11361951213521941603,4746617258140490457,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3548 /prefetch:8
3⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4020

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,11361951213521941603,4746617258140490457,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3932 /prefetch:1
3⤵
PID:3468

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,11361951213521941603,4746617258140490457,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5648 /prefetch:1
3⤵
PID:640

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,11361951213521941603,4746617258140490457,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4612 /prefetch:1
3⤵
PID:956

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,11361951213521941603,4746617258140490457,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4656 /prefetch:1
3⤵
PID:4384

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1968,11361951213521941603,4746617258140490457,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5828 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4836

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1968,11361951213521941603,4746617258140490457,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5860 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4036

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4252

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb6e60ab58,0x7ffb6e60ab68,0x7ffb6e60ab78
2⤵
PID:4808

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1504 --field-trial-handle=1824,i,15484254685329503380,13151417709931803648,131072 /prefetch:2
2⤵
PID:896

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2068 --field-trial-handle=1824,i,15484254685329503380,13151417709931803648,131072 /prefetch:8
2⤵
PID:3656

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1712 --field-trial-handle=1824,i,15484254685329503380,13151417709931803648,131072 /prefetch:8
2⤵
PID:684

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3016 --field-trial-handle=1824,i,15484254685329503380,13151417709931803648,131072 /prefetch:1
2⤵
PID:3352

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3024 --field-trial-handle=1824,i,15484254685329503380,13151417709931803648,131072 /prefetch:1
2⤵
PID:4824

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4216 --field-trial-handle=1824,i,15484254685329503380,13151417709931803648,131072 /prefetch:1
2⤵
PID:2096

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4420 --field-trial-handle=1824,i,15484254685329503380,13151417709931803648,131072 /prefetch:8
2⤵
PID:2992

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4568 --field-trial-handle=1824,i,15484254685329503380,13151417709931803648,131072 /prefetch:8
2⤵
PID:2640

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4468 --field-trial-handle=1824,i,15484254685329503380,13151417709931803648,131072 /prefetch:8
2⤵
PID:1956

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4788 --field-trial-handle=1824,i,15484254685329503380,13151417709931803648,131072 /prefetch:8
2⤵
PID:2236

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4460 --field-trial-handle=1824,i,15484254685329503380,13151417709931803648,131072 /prefetch:8
2⤵
PID:1068

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4144 --field-trial-handle=1824,i,15484254685329503380,13151417709931803648,131072 /prefetch:1
2⤵
PID:3648

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5176 --field-trial-handle=1824,i,15484254685329503380,13151417709931803648,131072 /prefetch:1
2⤵
PID:2024

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=4620 --field-trial-handle=1824,i,15484254685329503380,13151417709931803648,131072 /prefetch:1
2⤵
PID:1512

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3024 --field-trial-handle=1824,i,15484254685329503380,13151417709931803648,131072 /prefetch:8
2⤵
PID:2104

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3148 --field-trial-handle=1824,i,15484254685329503380,13151417709931803648,131072 /prefetch:8
2⤵
PID:2928

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4308 --field-trial-handle=1824,i,15484254685329503380,13151417709931803648,131072 /prefetch:8
2⤵
PID:3188

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5312 --field-trial-handle=1824,i,15484254685329503380,13151417709931803648,131072 /prefetch:8
2⤵
- NTFS ADS
PID:2132

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5200 --field-trial-handle=1824,i,15484254685329503380,13151417709931803648,131072 /prefetch:8
2⤵
PID:2488

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4788 --field-trial-handle=1824,i,15484254685329503380,13151417709931803648,131072 /prefetch:8
2⤵
PID:2492

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5364 --field-trial-handle=1824,i,15484254685329503380,13151417709931803648,131072 /prefetch:8
2⤵
PID:1332

C:\Users\Admin\Downloads\WaveInstaller.exe
"C:\Users\Admin\Downloads\WaveInstaller.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4368

C:\Users\Admin\AppData\Local\Wave\WaveBootstrapper.exe
"C:\Users\Admin\AppData\Local\Wave\WaveBootstrapper.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1004

C:\Users\Admin\AppData\Local\Wave\WaveWindows.exe
"C:\Users\Admin\AppData\Local\Wave\WaveWindows.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks for any installed AV software in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3180

C:\Users\Admin\AppData\Local\CefSharp\CefSharp.BrowserSubprocess.exe
"C:\Users\Admin\AppData\Local\CefSharp\CefSharp.BrowserSubprocess.exe" --type=gpu-process --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\CefSharp\locales" --resources-dir-path="C:\Users\Admin\AppData\Local\CefSharp" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CefSharp" --cefsharpexitsub --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2012,i,10421484246907843314,2391868860808506235,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI --variations-seed-version --enable-logging=handle --log-file=2056 --mojo-platform-channel-handle=2000 /prefetch:2 --host-process-id=3180
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3152

C:\Users\Admin\AppData\Local\CefSharp\CefSharp.BrowserSubprocess.exe
"C:\Users\Admin\AppData\Local\CefSharp\CefSharp.BrowserSubprocess.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\CefSharp\locales" --resources-dir-path="C:\Users\Admin\AppData\Local\CefSharp" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CefSharp" --cefsharpexitsub --field-trial-handle=2604,i,10421484246907843314,2391868860808506235,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI --variations-seed-version --enable-logging=handle --log-file=2608 --mojo-platform-channel-handle=2600 /prefetch:3 --host-process-id=3180
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3260

C:\Users\Admin\AppData\Local\Luau Language Server\node.exe
"C:\Users\Admin\AppData\Local\Luau Language Server\node.exe" server --process-id=3180
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:656

C:\Users\Admin\AppData\Local\Bloxstrap\Bloxstrap.exe
"C:\Users\Admin\AppData\Local\Bloxstrap\Bloxstrap.exe"
5⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2640

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:2952

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1368

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2264

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2540

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Bloxstrap\Bloxstrap.exe
Filesize
249KB

MD5
772c9fecbd0397f6cfb3d866cf3a5d7d

SHA1
6de3355d866d0627a756d0d4e29318e67650dacf

SHA256
2f88ea7e1183d320fb2b7483de2e860da13dc0c0caaf58f41a888528d78c809f

SHA512
82048bd6e50d38a863379a623b8cfda2d1553d8141923acf13f990c7245c833082523633eaa830362a12bfff300da61b3d8b3cccbe038ce2375fdfbd20dbca31

Download Submit
C:\Users\Admin\AppData\Local\Bloxstrap\Modifications\ClientSettings\ClientAppSettings.json
Filesize
120B

MD5
636492f4af87f25c20bd34a731007d86

SHA1
22a5c237a739ab0df4ff87c9e3d79dbe0c89b56a

SHA256
22a1e85723295eeb854345be57f7d6fb56f02b232a95d69405bf9d9e67a0fa0d

SHA512
cd2e3a738f535eb1a119bd4c319555899bcd4ce1049d7f8591a1a68c26844f33c1bd1e171706533b5c36263ade5e275b55d40f5710e0210e010925969182cd0c

Download Submit
C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-1088f3c8e4a44cc7\ExtraContent\textures\ui\LuaApp\graphic\shimmer_lightTheme.png
Filesize
20KB

MD5
4f8f43c5d5c2895640ed4fdca39737d5

SHA1
fb46095bdfcab74d61e1171632c25f783ef495fa

SHA256
fc57f32c26087eef61b37850d60934eda1100ca8773f08e487191a74766053d1

SHA512
7aebc0f79b2b23a76fb41df8bab4411813ffb1abc5e2797810679c0eaa690e7af7561b8473405694bd967470be337417fa42e30f0318acbf171d8f31620a31aa

Download Submit
C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-1088f3c8e4a44cc7\ExtraContent\textures\ui\LuaApp\graphic\[email protected]
Filesize
71KB

MD5
3fec0191b36b9d9448a73ff1a937a1f7

SHA1
bee7d28204245e3088689ac08da18b43eae531ba

SHA256
1a03e6f6a0de045aa588544c392d671c040b82a5598b4246af04f5a74910dc89

SHA512
a8ab2bc2d937963af36d3255c6ea09cae6ab1599996450004bb18e8b8bdfbdde728821ac1662d8a0466680679011d8f366577b143766838fe91edf08a40353ce

Download Submit
C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-1088f3c8e4a44cc7\ExtraContent\textures\ui\LuaDiscussions\buttonFill.png
Filesize
247B

MD5
81ce54dfd6605840a1bd2f9b0b3f807d

SHA1
4a3a4c05b9c14c305a8bb06c768abc4958ba2f1c

SHA256
0a6a5cafb4dee0d8c1d182ddec9f68ca0471d7fc820cf8dc2d68f27a35cd3386

SHA512
57069c8ac03dd0fdfd97e2844c19138800ff6f7d508c26e5bc400b30fe78baa0991cc39f0f86fa10cd5d12b6b11b0b09c1a770e5cb2fdca157c2c8986a09e5ff

Download Submit
C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-1088f3c8e4a44cc7\content\configs\DateTimeLocaleConfigs\zh-hans.json
Filesize
2KB

MD5
fb6605abd624d1923aef5f2122b5ae58

SHA1
6e98c0a31fa39c781df33628b55568e095be7d71

SHA256
7b993133d329c46c0c437d985eead54432944d7b46db6ad6ea755505b8629d00

SHA512
97a14eda2010033265b379aa5553359293baf4988a4cdde8a40b0315e318a7b30feee7f5e14c68131e85610c00585d0c67e636999e3af9b5b2209e1a27a82223

Download Submit
C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-1088f3c8e4a44cc7\content\configs\DateTimeLocaleConfigs\zh-tw.json
Filesize
2KB

MD5
702c9879f2289959ceaa91d3045f28aa

SHA1
775072f139acc8eafb219af355f60b2f57094276

SHA256
a92a6988175f9c1d073e4b54bf6a31f9b5d3652eebdf6a351fb5e12bda76cbd5

SHA512
815a6bef134c0db7a5926f0cf4b3f7702d71b0b2f13eca9539cd2fc5a61eea81b1884e4c4bc0b3398880589bff809ac8d5df833e7e4aeda4a1244e9a875d1e97

Download Submit
C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-1088f3c8e4a44cc7\content\sounds\ouch.ogg
Filesize
6KB

MD5
9404c52d6f311da02d65d4320bfebb59

SHA1
0b5b5c2e7c631894953d5828fec06bdf6adba55f

SHA256
c9775e361392877d1d521d0450a5368ee92d37dc542bc5e514373c9d5003f317

SHA512
22aa1acbcdcf56f571170d9c32fd0d025c50936387203a7827dbb925f352d2bc082a8a79db61c2d1f1795ad979e93367c80205d9141b73d806ae08fa089837c4

Download Submit
C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-1088f3c8e4a44cc7\content\textures\Cursors\KeyboardMouse\IBeamCursor.png
Filesize
292B

MD5
464c4983fa06ad6cf235ec6793de5f83

SHA1
8afeb666c8aee7290ab587a2bfb29fc3551669e8

SHA256
99fd7f104948c6ab002d1ec69ffd6c896c91f9accc499588df0980b4346ecbed

SHA512
f805f5f38535fe487b899486c8de6cf630114964e2c3ebc2af7152a82c6f6faef681b4d936a1867b5dff6566b688b5c01105074443cc2086b3fe71f7e6e404b1

Download Submit
C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-1088f3c8e4a44cc7\content\textures\StudioToolbox\Clear.png
Filesize
538B

MD5
fa8eaf9266c707e151bb20281b3c0988

SHA1
3ca097ad4cd097745d33d386cc2d626ece8cb969

SHA256
8cf08bf7e50fea7b38f59f162ed956346c55a714ed8a9a8b0a1ada7e18480bc2

SHA512
e29274300eab297c6de895bb39170f73f0a4ffa2a8c3732caeeeac16e2c25fb58bb401fdd5823cc62d9c413ec6c43d7c46861d7e14d52f8d9d8ff632e29f167c

Download Submit
C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-1088f3c8e4a44cc7\content\textures\StudioUIEditor\valueBoxRoundedRectangle.png
Filesize
130B

MD5
521fb651c83453bf42d7432896040e5e

SHA1
8fdbf2cc2617b5b58aaa91b94b0bf755d951cad9

SHA256
630303ec4701779eaf86cc9fbf744b625becda53badc7271cbb6ddc56e638d70

SHA512
8fa0a50e52a3c7c53735c7dd7af275ebc9c1843f55bb30ebe0587a85955a8da94ff993822d233f7ed118b1070a7d67718b55ba4a597dc49ed2bf2a3836c696f6

Download Submit
C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-1088f3c8e4a44cc7\content\textures\TerrainTools\checkbox_square.png
Filesize
985B

MD5
2cb16991a26dc803f43963bdc7571e3f

SHA1
12ad66a51b60eeaed199bc521800f7c763a3bc7b

SHA256
c7bae6d856f3bd9f00c122522eb3534d0d198a9473b6a379a5c3458181870646

SHA512
4c9467e5e2d83b778d0fb8b6fd97964f8d8126f07bfd50c5d68c256703f291ceaed56be057e8e2c591b2d2c49f6b7e099a2b7088d0bf5bdd901433459663b1f8

Download Submit
C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-1088f3c8e4a44cc7\content\textures\ui\Controls\XboxController\Thumbstick1.png
Filesize
641B

MD5
2cbe38df9a03133ddf11a940c09b49cd

SHA1
6fb5c191ed8ce9495c66b90aaf53662bfe199846

SHA256
0835a661199a7d8df7249e8ae925987184efcc4fb85d9efac3cc2c1495020517

SHA512
dcef5baccef9fff632456fe7bc3c4f4a403363d9103a8047a55f4bd4c413d0c5f751a2e37385fe9eba7a420dbdb77ca2ff883d47fcdd35af222191cc5bd5c7a9

Download Submit
C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-1088f3c8e4a44cc7\content\textures\ui\Controls\XboxController\[email protected]
Filesize
1KB

MD5
e8c88cf5c5ef7ae5ddee2d0e8376b32f

SHA1
77f2a5b11436d247d1acc3bac8edffc99c496839

SHA256
9607af14604a8e8eb1dec45d3eeca01fed33140c0ccc3e6ef8ca4a1f6219b5dd

SHA512
32f5a1e907705346a56fbddfe0d8841d05415ff7abe28ae9281ba46fedf8270b982be0090b72e2e32de0ce36e21934f80eaf508fd010f7ab132d39f5305fb68f

Download Submit
C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-1088f3c8e4a44cc7\content\textures\ui\Controls\XboxController\[email protected]
Filesize
1KB

MD5
499333dae156bb4c9e9309a4842be4c8

SHA1
d18c4c36bdb297208589dc93715560acaf761c3a

SHA256
d35a74469f1436f114c27c730a5ec0793073bcf098db37f10158d562a3174591

SHA512
91c64173d2cdabc045c70e0538d45e1022cc74ec04989565b85f0f26fe3e788b700a0956a07a8c91d34c06fc1b7fad43bbdbb41b0c6f15b9881c3e46def8103e

Download Submit
C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-1088f3c8e4a44cc7\content\textures\ui\Controls\XboxController\Thumbstick2.png
Filesize
738B

MD5
a402aacac8be906bcc07d50669d32061

SHA1
9d75c1afbe9fc482983978cae4c553aa32625640

SHA256
62a313b6cc9ffe7dd86bc9c4fcd7b8e8d1f14a15cdf41a53fb69af4ae3416102

SHA512
d11567bcaad8bbd9e2b9f497c3215102c7e7546caf425e93791502d3d2b3f78dec13609796fcd6e1e7f5c7d794bac074d00a74001e7fe943d63463b483877546

Download Submit
C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-1088f3c8e4a44cc7\content\textures\ui\Controls\XboxController\[email protected]
Filesize
1KB

MD5
83e9b7823c0a5c4c67a603a734233dec

SHA1
2eaf04ad636bf71afdf73b004d17d366ac6d333e

SHA256
3b5e06eb1a89975def847101f700f0caa60fe0198f53e51974ef1608c6e1e067

SHA512
e8abb39a1ec340ac5c7d63137f607cd09eae0e885e4f73b84d8adad1b8f574155b92fbf2c9d3013f64ebbb6d55ead5419e7546b0f70dcde976d49e7440743b0f

Download Submit
C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-1088f3c8e4a44cc7\content\textures\ui\Controls\XboxController\[email protected]
Filesize
1KB

MD5
55b64987636b9740ab1de7debd1f0b2f

SHA1
96f67222ce7d7748ec968e95a2f6495860f9d9c9

SHA256
f4a6bb3347ee3e603ea0b2f009bfa802103bc434ae3ff1db1f2043fa8cace8fc

SHA512
73a88a278747de3fefbaabb3ff90c1c0750c8d6c17746787f17061f4eff933620407336bf9b755f4222b0943b07d8c4d01de1815d42ea65e78e0daa7072591e9

Download Submit
C:\Users\Admin\AppData\Local\CefSharp\CefSharp.BrowserSubprocess.Core.dll
Filesize
915KB

MD5
100c32f77e68a2ce962e1a28997567ea

SHA1
a80a1f4019b8d44df6b5833fb0c51b929fa79843

SHA256
c0b9e29b240d8328f2f9a29ca0298ca4d967a926f3174a3442c3730c00d5a926

SHA512
f95530ef439fa5c4e3bc02db249b6a76e9d56849816ead83c9cd9bcd49d3443ccb88651d829165c98a67af40b3ef02b922971114f29c5c735e662ca35c0fb6ed

Download Submit
C:\Users\Admin\AppData\Local\CefSharp\CefSharp.BrowserSubprocess.exe
Filesize
7KB

MD5
516ff62b2e1f4642caa954c0968719e8

SHA1
e349d0ce82e2109dd0d18416d9cf46e8411b7f15

SHA256
19da58849cec5933860116e60a1e94b08e30d90e0f955768270b47998d612045

SHA512
7aa4a0c87b29c2a84f585a884d8208fc2352a43f2cdb549c100e3b121837ad5f8dadb1101f57d1d3fcb7ebec9d9f22e07dc14239b7d2e2d25793c999becf288b

Download Submit
C:\Users\Admin\AppData\Local\CefSharp\chrome_100_percent.pak
Filesize
667KB

MD5
ae195e80859781a20414cf5faa52db06

SHA1
b18ecb5ec141415e3a210880e2b3d37470636485

SHA256
9957802c0792e621f76bbdb1c630fbad519922743b5d193294804164babda552

SHA512
c6fef84615fe20d1760ca496c98629feb4e533556724e9631d4282622748e7601225cf19dfb8351f4b540ae3f83785c1bcea6fe8c246cf70388e527654097c1c

Download Submit
C:\Users\Admin\AppData\Local\CefSharp\chrome_200_percent.pak
Filesize
1.0MB

MD5
1abf6bad0c39d59e541f04162e744224

SHA1
db93c38253338a0b85e431bd4194d9e7bddb22c6

SHA256
01cb663a75f18bb2d0d800640a114f153a34bd8a5f2aa0ed7daa9b32967dc29e

SHA512
945d519221d626421094316f13b818766826b3bedddab0165c041540dddadc93136e32784c0562d26a420cb29479d04d2aa317b8d605cd242e5152bf05af197e

Download Submit
C:\Users\Admin\AppData\Local\CefSharp\chrome_elf.dll
Filesize
1020KB

MD5
7191d97ce7886a1a93a013e90868db96

SHA1
52dd736cb589dd1def87130893d6b9449a6a36e3

SHA256
32f925f833aa59e3f05322549fc3c326ac6fc604358f4efbf94c59d5c08b8dc6

SHA512
38ebb62c34d466935eabb157197c7c364d4345f22aa3b2641b636196ca1aeaa2152ac75d613ff90817cb94825189612ddd12fb96df29469511a46a7d9620e724

Download Submit
C:\Users\Admin\AppData\Local\CefSharp\icudtl.dat
Filesize
10.2MB

MD5
74bded81ce10a426df54da39cfa132ff

SHA1
eb26bcc7d24be42bd8cfbded53bd62d605989bbf

SHA256
7bf96c193befbf23514401f8f6568076450ade52dd1595b85e4dfcf3de5f6fb9

SHA512
bd7b7b52d31803b2d4b1fd8cb76481931ed8abb98d779b893d3965231177bdd33386461e1a820b384712013904da094e3cd15ee24a679ddc766132677a8be54a

Download Submit
C:\Users\Admin\AppData\Local\CefSharp\locales\en-US.pak
Filesize
456KB

MD5
4430b1833d56bc8eb1f7dc82bb7f4bc9

SHA1
dc15e6306625f155683326e859d83f846153c547

SHA256
b44ddcfac9df4934007e6c55a3c7f5e7f14c7e5e29f35c81de917fc3b22aabbc

SHA512
faf93bf371b2a88c1b874a5e2c54e4487fd152ad19c2a406a46f55ae75ecd421a779888c2e4c170857b16bfb5d8744bc1815a4732ed50b064b3cbd0c5ffad889

Download Submit
C:\Users\Admin\AppData\Local\CefSharp\resources.pak
Filesize
8.0MB

MD5
4933d92c99afa246fc59eef010d5c858

SHA1
98d443654e93c73dd317f9f847f71fba3d5b3135

SHA256
62f4674daa15245ee081920b8ee191e72f36ca8fe24f6b986a832f45676915b2

SHA512
a3a69523c8e7310716daeebc06c2ba4fce673eccd1958e824ff179b82f4502d0ec095190179bbb387342e4150f952ea7533182fb6ba90377d17dafba8f4da623

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
336B

MD5
9a222d72c669e2df06f0e26f20010fc7

SHA1
3026de67d74aa848a9d4a2caa1672f052ec7f77d

SHA256
14c617a82a5b09fef73d3a5eeca0a7d9500219405eb36792e23abe9fee9465ff

SHA512
c86572d006875d7ad6d5bf068352256b59502eef56bb52e236c856834783506f55d75febbd8e177cc7052a7388201535ca5658cf4da609c6321d1701df7039bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
2994ad6b8bb72024971e902417d5893d

SHA1
d862cfbb3647129d39ed2af788a69a1376eb0474

SHA256
463ded707259412b7e7d4fc16e84c4a6831a8eced6912556414c1a581b124202

SHA512
5fe874dc4b17191ffcb8fa5aa98cd14a3406dc6cef44a29fc6d2ba01f92f5a32ee536fff98cc7a7d560ef48cec624de53739a5d2d5e5df275c30498e0c6aa334

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
692B

MD5
f697d4e5f85c65036a190f5779eaf20d

SHA1
4626183d103260b1f2e3c885e05a4f7848c7bf18

SHA256
d45b2509b2cba8d7ff9bfd67bad234230c4969384c5aaa82aec8629ad7ad846c

SHA512
c16dd16f0980b2627e1a425f355f3f2054259bce798af7f53c84c53cc5b8b37f837507e54bb8905dfd36eb4bcb3b81705a5ee88d55730375fd14c0a452733b46

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
524B

MD5
a075efaaa1f9b23c161137b1ad73526e

SHA1
1e123706b7730275d373008ad4dfab1adca16533

SHA256
fee73fc1cdf00e43360fed8116e969e5bf1e2478917c19fd7fb16e102b594839

SHA512
bdc4c8d4fbaf74c45f332bd64fb1a6266d673a5aae683c400d871a4384efa5d769a45eaa4fe1696f278accf08c16998fadfff24dfa9d4cbf5e3503c59d2902d1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
cd9e6b7bf977e873a69f52f30adcff85

SHA1
8ba7975d59a8c63e91e2587d9232059d85dce12f

SHA256
20a63897d3918c31698e28e726e50e8103658a6b7ee6a931ed671a63ee439e7e

SHA512
4ce7a0c210a9484dacf153d5ff5501b1aa3eb9b9660cfc6b118d6b22b726a1694a4025d23ea163bbdbf3e5ca30d0107bcc1c5b880221ba42431604d011f42cef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
87cf26a630ff7a3fe8916ef27ae4eb4a

SHA1
a66b963af0770077fe8a54330c767ffe1e932dd4

SHA256
02d2e39148ca95eb94966bd9f7ebec8a9f25ada2bfb050f14ea0892138001ba2

SHA512
ea1a74a3848a7a1bd604f37ab42c4977ef73cd768f33821e8ef03c665d430e7edd59d3a2066c602f2b4da53a44008595d9dbab3eb822be714e0628f459565e89

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
0463268bb6920eb2cc0a38eb818dc442

SHA1
b0c862132aa6b7b84e49b00cba2836e9d8300c3c

SHA256
4eb811151277fd6971fed4a11f6b2763d3a89ac63ee5beb35134b95e8746dc59

SHA512
f3fb4bff0ac2a2fd7a60b7f8fbc28e1cfc93866398488e901df75dcfcab57e261ea9e33523241c2ffa4efe2cf7fcff7a64c148ae1872c7e8da62429c0c04084b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
fce7c677edf30a4cc608e95e5077ccdf

SHA1
c1126ee5bb0cc35e050e3d7f9f67349a198454bb

SHA256
0ca287dafa54aad4e28c41134770246c7b8b4883031a3e546a84ccb6e406132a

SHA512
35e6b3deb843c1e744b29a3775128be224e62824a4763676e22c1010a5ad13e96c466ab0c359dea5a73de211985f8fb00e1e8b9aeaafa132da522f32fd40aadd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
281KB

MD5
a73680a6b4718b7c55e8079f5850625e

SHA1
ebff590e6e34b77a896649755c24702820860453

SHA256
61cec1d5973f42f33fd1c776dc3ff4ee09664d313fa7104f74480746ce3aa69d

SHA512
82ae492210d45a461c1c78f59fb60332f3cbf8fbac8aafa555aed2f2554b9ef9003f296126169c15288c84f7ec589a51e192d0a08463f42308036c176235d5b1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
281KB

MD5
39b328bed5b7851b42d53b679b438f02

SHA1
2fd6fb2f711c8e5b977bf14a1c7648b7e75e792b

SHA256
b84d4c30242c6b9bafb067826e95398b3ec86f08687e2af0a0628e802a0b36c2

SHA512
34b6fd50ff267d82eed00051a226544ff3ebed5cad2cd28efef2ebf50894a266e3595973815acc4c0b40710ac8c289c1e5b797775064d2c11be7195e0b7e0ee6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
281KB

MD5
56823c8017815e221ad051b80ddb75f7

SHA1
049dad13e141fcf5c8a97e3a0290e123c5f71ac7

SHA256
d07f6a22d5f12bf79a7738811dbb64fb90bba3aa2ffba306427456fc17e67007

SHA512
eaf1f1aca5d1f2f3f547eca1193b27adb31c53db7d89aaa3d2b309cc53d296191d420353c3cf930a4a3ec6c2e77caec4f41a04a53c53e1386c24139f6b33ae48

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1
Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
196eaa9f7a574c29bd419f9d8c2d9349

SHA1
19982d15d1e2688903b0a3e53a8517ab537b68ed

SHA256
df1e96677bcfffe5044826aa14a11e85ef2ebb014ee9e890e723a14dc5f31412

SHA512
e066d74da36a459c19db30e68b703ec9f92019f2d5f24fd476a5fd3653c0b453871e2c08cdc47f2b4d4c4be19ff99e6ef3956d93b2d7d0a69645577d44125ac7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
f717f56b5d8e2e057c440a5a81043662

SHA1
0ad6c9bbd28dab5c9664bad04db95fd50db36b3f

SHA256
4286cd3f23251d0a607e47eccb5e0f4af8542d38b32879d2db2ab7f4e6031945

SHA512
61e263935d51028ec0aab51b938b880945a950cec9635a0dafddf795658ea0a2dfcf9cfc0cab5459b659bb7204347b047a5c6b924fabea44ce389b1cbb9867d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
456B

MD5
7df5a4d720fe01f2bc08c475722af998

SHA1
61c7fd51affc66c619f6a6e9e72b5a1073aabbab

SHA256
d761d4f948e3db00891e6aa2a0fd7ef02731ff3f32caac4781c84284ea9ba73f

SHA512
6b69fd0ac54cc3bce71f61e6e6d66a19eafc36af233d2a1ed3bdfa5e4e24547eef1c743b69d0533a843b9d4e214043e3290fc8b12837148074fcc66999b5e65c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
612B

MD5
934ffba89513541c6be124cf4b566074

SHA1
6c6c898c510479c568e9d64fa1a1437c6e3e83d8

SHA256
8274b54e100a06980f4b3c5ad44f750efe170867e459132bb375ce314c7cb035

SHA512
1c741982092f67e532f6d351cbdff0b718cafd5c7918acb63b041c59e13e384bb3d957f56c4596face251aef3f849b69cdb5777a57421cf6aeccaec0aa79ea56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
3594cb869871db3c93f5eaab314ff59b

SHA1
e03fbed10f5fc0fbea4774ee91bf50dae7b8825f

SHA256
1334661aef337651615fd60fdc65fb6e904710d7052934d4cf7d92396da0ef76

SHA512
a107be02eac0e4938abd5835e8d44fcbda31a13edd34823fb7011a2e9ceee292238c39a8b15fdcd9295a02a4fc8abcfa3b37f9a5693aa45f5f7090b4d0ba42bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
5ea84915ff8d6d5dbc653c7f3c54063c

SHA1
3d7970c7f28a8ecf766f30266c5d2f54b912df0c

SHA256
64009ac54b1483be25e949c6bab16a288406b251f751f32b646178458b3de10c

SHA512
f5860ea294449a642567e32ab5948683531af34bd002f7e54eacc4e501bba84f7ab5f1e8f3eafb58995d84a8f9fae996f121a5e587e2e5cd9551d4789e9526cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
9bd83f053184ea8e7b030823d61c4834

SHA1
567f46e073bee7152602e6952d0629e7340d9c8b

SHA256
8b6260e182bc531d24eed9a947c7e645692d6d73f96771e8c33ce6ddef336a8b

SHA512
2e8941bd6bc912198980cbaf94638220e7c5f84e9fb8291af814fab184520f1369d45147c6378afe3284d17615653bd25aab56c1848ab5ff6d4dcec8abd4f425

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
45fd0bc3aa7cce98a27276fde0220986

SHA1
2c8ddb6111ba2aacf13112b3a84c65a612581500

SHA256
8427b24011739ac89444d69497816f309f0957f78c302462fe2b17ad4cb4f672

SHA512
1f01dbcb6b9df5f69f9383357890a6a1aabc16b474f8e5c1463fa7e7c4a196bac21bcaccaf42b90a44f478588ac7e0f3df3df0487c5b2c428c55b79163f6cd39

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
afc58ac37156a214ff9adfa51be21527

SHA1
376da8ce4fab3ea573cafac08abdc36b2a3d9340

SHA256
fbe3fd3eee027228ab8a8ac4c9f57b31df13b60d88b8f0a4d6aafb2de1d10f43

SHA512
aa7fbc83be08c6bc8e65a5b0dae89b89ddd54681317324dabe4f913225323433095d4dc9b4dec71a7bb7e1261f9a4508f7175ff4b63a91f74ddaed3c4d401a96

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
4fb9d6af4f0a698b9e2323a3936f011c

SHA1
4a493bfb6249cc5327672d0a6ad975522cc1d3b0

SHA256
51cfb9a172c57230bb62d4ee9f9774ca990419785339494d34b39cd4595edb4e

SHA512
6e7cfd4c8af0d5555dc0797bf2b14f086559c3cfec66253f50a19751ac357c378aea1f3e2f978f35ecbfb71c573f1bae1d42938cab8dfaaf1e4ae29243ad4062

Download Submit
C:\Users\Admin\AppData\Local\Wave\CefSharp.Core.Runtime.dll
Filesize
1.3MB

MD5
09cba584aa0aae9fc600745567393ef6

SHA1
bbd1f93cb0db9cf9e01071b3bed1b4afd6e31279

SHA256
0babd84d4e7dc2713e7265d5ac25a3c28d412e705870cded6f5c7c550a5bf8d5

SHA512
5f914fa33a63a6d4b46f39c7279687f313728fd5f8437ec592369a2da3256ccff6f325f78ace0e6d3a2c37da1f681058556f7603da13c45b03f2808f779d2aa1

Download Submit
C:\Users\Admin\AppData\Local\Wave\D3DCOMPILER_47.dll
Filesize
3.9MB

MD5
3b4647bcb9feb591c2c05d1a606ed988

SHA1
b42c59f96fb069fd49009dfd94550a7764e6c97c

SHA256
35773c397036b368c1e75d4e0d62c36d98139ebe74e42c1ff7be71c6b5a19fd7

SHA512
00cd443b36f53985212ac43b44f56c18bf70e25119bbf9c59d05e2358ff45254b957f1ec63fc70fb57b1726fd8f76ccfad8103c67454b817a4f183f9122e3f50

Download Submit
C:\Users\Admin\AppData\Local\Wave\WaveBootstrapper.exe
Filesize
939KB

MD5
258a9cae6024c91784bbd8aa5379e86f

SHA1
fe1a808ba23053413359a78d5ec096b2cd540dd5

SHA256
3881840473ec5286189d2fc8e85f0f26a2532890055d1653da9580aa31b2d0e5

SHA512
b621ef432b430d2df0443fa0ebdd59dc7de6b32375c2fc83e8474838843c4abcf4a35f2b5f80e78911fc52336d71812ca9fbc9919314ea3b59bd26036a4ea5a5

Download Submit
C:\Users\Admin\AppData\Local\Wave\WaveWindows.exe
Filesize
7.5MB

MD5
7e09dde2226c18dde3c76471c01b3665

SHA1
94bb80704e14314331e007b942a64f423104644f

SHA256
4f9a703b0491de02519a343659f0a351f6ad09942cd82920995d5fa89e6571ae

SHA512
c61c911eb37c758f64ae9372eb4208210b6a964bb8604d3fcd3285805448b1801a91c519ed0294815f8167500654b423d19161a82c82f7935ec637c4038c93dc

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 834378.crdownload
Filesize
1.5MB

MD5
c822ab5332b11c9185765b157d0b6e17

SHA1
7fe909d73a24ddd87171896079cceb8b03663ad4

SHA256
344700d3141170111a9b77db100f6961cc54a2988d964d34f7e1ca57aa42aa2a

SHA512
a8612836fb4714b939d03f7fe08391bbc635ca83ab853fc677159e5db6b00f76b9b586bdae9c19d2406d9a2713d1caf614132cb6c14e1dddc6ac45e47f7e5a5d

Download Submit
C:\Users\Admin\Downloads\WaveInstaller.exe:Zone.Identifier
Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
1KB

MD5
008fba141529811128b8cd5f52300f6e

SHA1
1a350b35d82cb4bd7a924b6840c36a678105f793

SHA256
ab0e454a786ef19a3ae1337f10f47354ffa9521ea5026e9e11174eca22d86e84

SHA512
80189560b6cf180a9c1ecafc90018b48541687f52f5d49b54ca25e040b3264da053e3d4dbb0cd38caaf496e23e516de18f500b333e3cda1fd1b25c6e9632defc

Download Submit
\??\pipe\crashpad_4252_LXZZQIVSHNHJNUHR
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1004-769-0x0000000000D10000-0x0000000000E00000-memory.dmp

Filesize
960KB

Download
memory/1004-775-0x0000000009AE0000-0x0000000009AE8000-memory.dmp

Filesize
32KB

Download
memory/1004-772-0x0000000008DB0000-0x0000000008EB0000-memory.dmp

Filesize
1024KB

Download
memory/1004-773-0x0000000009A60000-0x0000000009A76000-memory.dmp

Filesize
88KB

Download
memory/1004-774-0x0000000009AA0000-0x0000000009AAA000-memory.dmp

Filesize
40KB

Download
memory/1004-776-0x0000000009B40000-0x0000000009B5E000-memory.dmp

Filesize
120KB

Download
memory/3112-5-0x0000000140000000-0x0000000140F65000-memory.dmp

Filesize
15.4MB

Download
memory/3112-44-0x0000000140000000-0x0000000140F65000-memory.dmp

Filesize
15.4MB

Download
memory/3112-4-0x0000000140000000-0x0000000140F65000-memory.dmp

Filesize
15.4MB

Download
memory/3112-2-0x0000000140000000-0x0000000140F65000-memory.dmp

Filesize
15.4MB

Download
memory/3112-1-0x00007FFB7E1A7000-0x00007FFB7E1A9000-memory.dmp

Filesize
8KB

Download
memory/3112-363-0x0000000140000000-0x0000000140F65000-memory.dmp

Filesize
15.4MB

Download
memory/3112-6-0x0000000140000000-0x0000000140F65000-memory.dmp

Filesize
15.4MB

Download
memory/3112-3-0x0000000140000000-0x0000000140F65000-memory.dmp

Filesize
15.4MB

Download
memory/3112-539-0x0000000140000000-0x0000000140F65000-memory.dmp

Filesize
15.4MB

Download
memory/3112-141-0x0000000140000000-0x0000000140F65000-memory.dmp

Filesize
15.4MB

Download
memory/3112-0-0x0000000140000000-0x0000000140F65000-memory.dmp

Filesize
15.4MB

Download
memory/3152-822-0x0000000004DA0000-0x0000000004E8A000-memory.dmp

Filesize
936KB

Download
memory/3152-823-0x0000000004FC0000-0x000000000500A000-memory.dmp

Filesize
296KB

Download
memory/3152-819-0x0000000000540000-0x0000000000548000-memory.dmp

Filesize
32KB

Download
memory/3180-840-0x000000000D490000-0x000000000D4B2000-memory.dmp

Filesize
136KB

Download
memory/3180-803-0x0000000006200000-0x000000000635B000-memory.dmp

Filesize
1.4MB

Download
memory/3180-841-0x000000000EBB0000-0x000000000EF07000-memory.dmp

Filesize
3.3MB

Download
memory/3180-792-0x0000000000690000-0x0000000000E1C000-memory.dmp

Filesize
7.5MB

Download
memory/3180-794-0x0000000003220000-0x0000000003244000-memory.dmp

Filesize
144KB

Download
memory/3180-793-0x0000000005770000-0x00000000057BA000-memory.dmp

Filesize
296KB

Download
memory/3180-835-0x000000000CF30000-0x000000000CFE2000-memory.dmp

Filesize
712KB

Download
memory/3180-795-0x0000000005E90000-0x0000000005F76000-memory.dmp

Filesize
920KB

Download
memory/4368-174-0x00007FFB7E100000-0x00007FFB7E309000-memory.dmp

Filesize
2.0MB

Download
memory/4368-547-0x000000000BCA0000-0x000000000BCC6000-memory.dmp

Filesize
152KB

Download
memory/4368-550-0x000000000C430000-0x000000000C4A2000-memory.dmp

Filesize
456KB

Download
memory/4368-546-0x000000000BC00000-0x000000000BC96000-memory.dmp

Filesize
600KB

Download
memory/4368-552-0x000000000BCE0000-0x000000000BCEA000-memory.dmp

Filesize
40KB

Download
memory/4368-551-0x000000000BCD0000-0x000000000BCDA000-memory.dmp

Filesize
40KB

Download
memory/4368-409-0x00007FFB7E100000-0x00007FFB7E309000-memory.dmp

Filesize
2.0MB

Download
memory/4368-771-0x00007FFB7E100000-0x00007FFB7E309000-memory.dmp

Filesize
2.0MB

Download
memory/4368-172-0x00007FFB7E100000-0x00007FFB7E309000-memory.dmp

Filesize
2.0MB

Download
memory/4368-173-0x0000000000F60000-0x00000000010F2000-memory.dmp

Filesize
1.6MB

Download
memory/4368-175-0x000000000A380000-0x000000000A3B8000-memory.dmp

Filesize
224KB

Download
memory/4368-176-0x000000000A350000-0x000000000A35E000-memory.dmp

Filesize
56KB

Download
memory/4368-548-0x000000000B1A0000-0x000000000B1A8000-memory.dmp

Filesize
32KB

Download