ceb6a0b8e1c27c75155ab28b9283fe488ae5daca15b0cc58ebfc009200c8e824

Analysis

max time kernel
1050s
max time network
455s
platform
windows11-21h2_x64
resource
win11-20240611-en
resource tags

arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
submitted
29-06-2024 22:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Wave Goodbye.exe
Size

6.0MB
MD5

b67c09157b260b02037a716d28d7c34f
SHA1

a6da5549351e78fda395b5381dcf9e14240390fd
SHA256

ceb6a0b8e1c27c75155ab28b9283fe488ae5daca15b0cc58ebfc009200c8e824
SHA512

61cc65311af74f83ea950ef54661a5421df67026f7760e257ae3701b3b339f554ac1b42a63f2adafe142ad71a81c545b6749aac0a4f5c78eccd90d072fb7bbad
SSDEEP

98304:dHx3rQ9UT/cnDEuzHEAtpW1pAT0WaDMyaATQKC2witrFr9vQVN9x3gHWdFISYft4:73rpbcnDEuzkAtpWzATIaAEHVYJJmN/P

Score

9^/10

discovery evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

Wave Goodbye.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Wave Goodbye.exe
Downloads MZ/PE file
Drops file in Drivers directory 1 IoCs

Processes:

Wave Goodbye.exe

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts Wave Goodbye.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Wave Goodbye.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	Wave Goodbye.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Wave Goodbye.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Wave Goodbye.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Wave Goodbye.exe

Executes dropped EXE 8 IoCs

Processes:

WaveInstaller.exeWaveBootstrapper.exeWaveWindows.exeCefSharp.BrowserSubprocess.exeCefSharp.BrowserSubprocess.exenode.exeBloxstrap-v2.6.1.exeRobloxPlayerBeta.exe

pid	process
3148	WaveInstaller.exe
2956	WaveBootstrapper.exe
644	WaveWindows.exe
2852	CefSharp.BrowserSubprocess.exe
3052	CefSharp.BrowserSubprocess.exe
4076	node.exe
3424	Bloxstrap-v2.6.1.exe
4996	RobloxPlayerBeta.exe

Loads dropped DLL 26 IoCs

Processes:

WaveBootstrapper.exeWaveWindows.exeCefSharp.BrowserSubprocess.exeCefSharp.BrowserSubprocess.exeRobloxPlayerBeta.exe

pid	process
2956	WaveBootstrapper.exe
644	WaveWindows.exe
644	WaveWindows.exe
644	WaveWindows.exe
644	WaveWindows.exe
644	WaveWindows.exe
2852	CefSharp.BrowserSubprocess.exe
2852	CefSharp.BrowserSubprocess.exe
2852	CefSharp.BrowserSubprocess.exe
2852	CefSharp.BrowserSubprocess.exe
2852	CefSharp.BrowserSubprocess.exe
2852	CefSharp.BrowserSubprocess.exe
2852	CefSharp.BrowserSubprocess.exe
2852	CefSharp.BrowserSubprocess.exe
2852	CefSharp.BrowserSubprocess.exe
2852	CefSharp.BrowserSubprocess.exe
2852	CefSharp.BrowserSubprocess.exe
3052	CefSharp.BrowserSubprocess.exe
3052	CefSharp.BrowserSubprocess.exe
3052	CefSharp.BrowserSubprocess.exe
3052	CefSharp.BrowserSubprocess.exe
3052	CefSharp.BrowserSubprocess.exe
3052	CefSharp.BrowserSubprocess.exe
3052	CefSharp.BrowserSubprocess.exe
644	WaveWindows.exe
4996	RobloxPlayerBeta.exe

Themida packer 8 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/2440-0-0x0000000140000000-0x0000000140F65000-memory.dmp	themida
behavioral1/memory/2440-2-0x0000000140000000-0x0000000140F65000-memory.dmp	themida
behavioral1/memory/2440-3-0x0000000140000000-0x0000000140F65000-memory.dmp	themida
behavioral1/memory/2440-5-0x0000000140000000-0x0000000140F65000-memory.dmp	themida
behavioral1/memory/2440-4-0x0000000140000000-0x0000000140F65000-memory.dmp	themida
behavioral1/memory/2440-6-0x0000000140000000-0x0000000140F65000-memory.dmp	themida
behavioral1/memory/2440-57-0x0000000140000000-0x0000000140F65000-memory.dmp	themida
behavioral1/memory/2440-132-0x0000000140000000-0x0000000140F65000-memory.dmp	themida

Checks for any installed AV software in registry 1 TTPs 4 IoCs

Security Software Discovery

T1518.001

Processes:

WaveWindows.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\KasperskyLab	WaveWindows.exe
Key created	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\KasperskyLab	WaveWindows.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\KasperskyLab\LastUsername	WaveWindows.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\KasperskyLab\Session	WaveWindows.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

Wave Goodbye.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Wave Goodbye.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Wave Goodbye.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

Processes:

flow	ioc
11	discord.com
72	camo.githubusercontent.com
30	raw.githubusercontent.com
39	raw.githubusercontent.com
40	raw.githubusercontent.com
41	raw.githubusercontent.com
42	raw.githubusercontent.com
80	raw.githubusercontent.com
3	discord.com
3	raw.githubusercontent.com

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

RobloxPlayerBeta.exe

pid process

4996 RobloxPlayerBeta.exe

pid	process
4996	RobloxPlayerBeta.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 22 IoCs

Processes:

Wave Goodbye.exeRobloxPlayerBeta.exe

pid	process
2440	Wave Goodbye.exe
4996	RobloxPlayerBeta.exe
4996	RobloxPlayerBeta.exe
4996	RobloxPlayerBeta.exe
4996	RobloxPlayerBeta.exe
4996	RobloxPlayerBeta.exe
4996	RobloxPlayerBeta.exe
4996	RobloxPlayerBeta.exe
4996	RobloxPlayerBeta.exe
4996	RobloxPlayerBeta.exe
4996	RobloxPlayerBeta.exe
4996	RobloxPlayerBeta.exe
4996	RobloxPlayerBeta.exe
4996	RobloxPlayerBeta.exe
4996	RobloxPlayerBeta.exe
4996	RobloxPlayerBeta.exe
4996	RobloxPlayerBeta.exe
4996	RobloxPlayerBeta.exe
4996	RobloxPlayerBeta.exe
4996	RobloxPlayerBeta.exe
4996	RobloxPlayerBeta.exe
4996	RobloxPlayerBeta.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exechrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133641741158465337"	chrome.exe

Modifies registry class 19 IoCs

Processes:

Bloxstrap-v2.6.1.exemsedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\roblox	Bloxstrap-v2.6.1.exe
Key created	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\roblox\DefaultIcon	Bloxstrap-v2.6.1.exe
Key created	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\roblox\shell	Bloxstrap-v2.6.1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\roblox\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Bloxstrap\\Bloxstrap.exe"	Bloxstrap-v2.6.1.exe
Key created	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\roblox-player	Bloxstrap-v2.6.1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\roblox-player\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Bloxstrap\\Bloxstrap.exe"	Bloxstrap-v2.6.1.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1276817940-128734381-631578427-1000\{9770E917-B586-4454-99BD-8A873B0C0550}	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\roblox\ = "URL: Roblox Protocol"	Bloxstrap-v2.6.1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\roblox-player\URL Protocol	Bloxstrap-v2.6.1.exe
Key created	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\roblox\shell\open\command	Bloxstrap-v2.6.1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\roblox\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Bloxstrap\\Bloxstrap.exe\" %1"	Bloxstrap-v2.6.1.exe
Key created	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\roblox-player\DefaultIcon	Bloxstrap-v2.6.1.exe
Key created	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\roblox-player\shell	Bloxstrap-v2.6.1.exe
Key created	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\roblox\shell\open	Bloxstrap-v2.6.1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\roblox\URL Protocol	Bloxstrap-v2.6.1.exe
Key created	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\roblox-player\shell\open\command	Bloxstrap-v2.6.1.exe
Key created	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\roblox-player\shell\open	Bloxstrap-v2.6.1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\roblox-player\ = "URL: Roblox Protocol"	Bloxstrap-v2.6.1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\roblox-player\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Bloxstrap\\Bloxstrap.exe\" %1"	Bloxstrap-v2.6.1.exe

NTFS ADS 4 IoCs

Processes:

msedge.exemsedge.exechrome.exeBloxstrap-v2.6.1.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 530205.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\WaveInstaller.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Bloxstrap-v2.6.1.exe:Zone.Identifier	chrome.exe
File created	C:\Users\Admin\AppData\Local\Bloxstrap\Bloxstrap.exe\:Zone.Identifier:$DATA	Bloxstrap-v2.6.1.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msedge.exemsedge.exemsedge.exemsedge.exeidentity_helper.exemsedge.exeWaveWindows.exeCefSharp.BrowserSubprocess.exeCefSharp.BrowserSubprocess.exechrome.exeBloxstrap-v2.6.1.exeRobloxPlayerBeta.exe

pid	process
3068	msedge.exe
3068	msedge.exe
1228	msedge.exe
1228	msedge.exe
3140	msedge.exe
3140	msedge.exe
3780	msedge.exe
3780	msedge.exe
544	identity_helper.exe
544	identity_helper.exe
1620	msedge.exe
1620	msedge.exe
644	WaveWindows.exe
2852	CefSharp.BrowserSubprocess.exe
2852	CefSharp.BrowserSubprocess.exe
3052	CefSharp.BrowserSubprocess.exe
3052	CefSharp.BrowserSubprocess.exe
644	WaveWindows.exe
3344	chrome.exe
3344	chrome.exe
3424	Bloxstrap-v2.6.1.exe
3424	Bloxstrap-v2.6.1.exe
4996	RobloxPlayerBeta.exe
4996	RobloxPlayerBeta.exe
3424	Bloxstrap-v2.6.1.exe
3424	Bloxstrap-v2.6.1.exe
3424	Bloxstrap-v2.6.1.exe
3424	Bloxstrap-v2.6.1.exe
3424	Bloxstrap-v2.6.1.exe
3424	Bloxstrap-v2.6.1.exe
3424	Bloxstrap-v2.6.1.exe
3424	Bloxstrap-v2.6.1.exe
3424	Bloxstrap-v2.6.1.exe
3424	Bloxstrap-v2.6.1.exe
3424	Bloxstrap-v2.6.1.exe
3424	Bloxstrap-v2.6.1.exe
3424	Bloxstrap-v2.6.1.exe
3424	Bloxstrap-v2.6.1.exe
3424	Bloxstrap-v2.6.1.exe
3424	Bloxstrap-v2.6.1.exe
3424	Bloxstrap-v2.6.1.exe
3424	Bloxstrap-v2.6.1.exe
3424	Bloxstrap-v2.6.1.exe
3424	Bloxstrap-v2.6.1.exe
3424	Bloxstrap-v2.6.1.exe
3424	Bloxstrap-v2.6.1.exe
3424	Bloxstrap-v2.6.1.exe
3424	Bloxstrap-v2.6.1.exe
3424	Bloxstrap-v2.6.1.exe
3424	Bloxstrap-v2.6.1.exe
3424	Bloxstrap-v2.6.1.exe
3424	Bloxstrap-v2.6.1.exe
3424	Bloxstrap-v2.6.1.exe
3424	Bloxstrap-v2.6.1.exe
3424	Bloxstrap-v2.6.1.exe
3424	Bloxstrap-v2.6.1.exe
3424	Bloxstrap-v2.6.1.exe
3424	Bloxstrap-v2.6.1.exe
3424	Bloxstrap-v2.6.1.exe
3424	Bloxstrap-v2.6.1.exe
3424	Bloxstrap-v2.6.1.exe
3424	Bloxstrap-v2.6.1.exe
3424	Bloxstrap-v2.6.1.exe
3424	Bloxstrap-v2.6.1.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 19 IoCs

Processes:

msedge.exechrome.exe

pid	process
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
3344	chrome.exe
3344	chrome.exe
3344	chrome.exe
3344	chrome.exe
3344	chrome.exe
3344	chrome.exe
3344	chrome.exe
3344	chrome.exe
3344	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WaveInstaller.exeWaveBootstrapper.exeWaveWindows.exeCefSharp.BrowserSubprocess.exeCefSharp.BrowserSubprocess.exechrome.exe

description	pid	process
Token: SeDebugPrivilege	3148	WaveInstaller.exe
Token: SeDebugPrivilege	2956	WaveBootstrapper.exe
Token: SeDebugPrivilege	644	WaveWindows.exe
Token: SeDebugPrivilege	2852	CefSharp.BrowserSubprocess.exe
Token: SeDebugPrivilege	3052	CefSharp.BrowserSubprocess.exe
Token: SeShutdownPrivilege	644	WaveWindows.exe
Token: SeCreatePagefilePrivilege	644	WaveWindows.exe
Token: SeShutdownPrivilege	644	WaveWindows.exe
Token: SeCreatePagefilePrivilege	644	WaveWindows.exe
Token: SeShutdownPrivilege	644	WaveWindows.exe
Token: SeCreatePagefilePrivilege	644	WaveWindows.exe
Token: SeShutdownPrivilege	644	WaveWindows.exe
Token: SeCreatePagefilePrivilege	644	WaveWindows.exe
Token: SeShutdownPrivilege	3344	chrome.exe
Token: SeCreatePagefilePrivilege	3344	chrome.exe
Token: SeShutdownPrivilege	3344	chrome.exe
Token: SeCreatePagefilePrivilege	3344	chrome.exe
Token: SeShutdownPrivilege	3344	chrome.exe
Token: SeCreatePagefilePrivilege	3344	chrome.exe
Token: SeShutdownPrivilege	3344	chrome.exe
Token: SeCreatePagefilePrivilege	3344	chrome.exe
Token: SeShutdownPrivilege	3344	chrome.exe
Token: SeCreatePagefilePrivilege	3344	chrome.exe
Token: SeShutdownPrivilege	3344	chrome.exe
Token: SeCreatePagefilePrivilege	3344	chrome.exe
Token: SeShutdownPrivilege	3344	chrome.exe
Token: SeCreatePagefilePrivilege	3344	chrome.exe
Token: SeShutdownPrivilege	3344	chrome.exe
Token: SeCreatePagefilePrivilege	3344	chrome.exe
Token: SeShutdownPrivilege	3344	chrome.exe
Token: SeCreatePagefilePrivilege	3344	chrome.exe
Token: SeShutdownPrivilege	3344	chrome.exe
Token: SeCreatePagefilePrivilege	3344	chrome.exe
Token: SeShutdownPrivilege	3344	chrome.exe
Token: SeCreatePagefilePrivilege	3344	chrome.exe
Token: SeShutdownPrivilege	3344	chrome.exe
Token: SeCreatePagefilePrivilege	3344	chrome.exe
Token: SeShutdownPrivilege	3344	chrome.exe
Token: SeCreatePagefilePrivilege	3344	chrome.exe
Token: SeShutdownPrivilege	3344	chrome.exe
Token: SeCreatePagefilePrivilege	3344	chrome.exe
Token: SeShutdownPrivilege	3344	chrome.exe
Token: SeCreatePagefilePrivilege	3344	chrome.exe
Token: SeShutdownPrivilege	3344	chrome.exe
Token: SeCreatePagefilePrivilege	3344	chrome.exe
Token: SeShutdownPrivilege	3344	chrome.exe
Token: SeCreatePagefilePrivilege	3344	chrome.exe
Token: SeShutdownPrivilege	3344	chrome.exe
Token: SeCreatePagefilePrivilege	3344	chrome.exe
Token: SeShutdownPrivilege	3344	chrome.exe
Token: SeCreatePagefilePrivilege	3344	chrome.exe
Token: SeShutdownPrivilege	3344	chrome.exe
Token: SeCreatePagefilePrivilege	3344	chrome.exe
Token: SeShutdownPrivilege	3344	chrome.exe
Token: SeCreatePagefilePrivilege	3344	chrome.exe
Token: SeShutdownPrivilege	3344	chrome.exe
Token: SeCreatePagefilePrivilege	3344	chrome.exe
Token: SeShutdownPrivilege	3344	chrome.exe
Token: SeCreatePagefilePrivilege	3344	chrome.exe
Token: SeShutdownPrivilege	3344	chrome.exe
Token: SeCreatePagefilePrivilege	3344	chrome.exe
Token: SeShutdownPrivilege	3344	chrome.exe
Token: SeCreatePagefilePrivilege	3344	chrome.exe
Token: SeShutdownPrivilege	3344	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exechrome.exe

pid	process
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
3344	chrome.exe
3344	chrome.exe
3344	chrome.exe
3344	chrome.exe
3344	chrome.exe
3344	chrome.exe
3344	chrome.exe
3344	chrome.exe
3344	chrome.exe
3344	chrome.exe
3344	chrome.exe
3344	chrome.exe

Suspicious use of SendNotifyMessage 33 IoCs

Processes:

msedge.exechrome.exeBloxstrap-v2.6.1.exe

pid	process
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
3344	chrome.exe
3344	chrome.exe
3344	chrome.exe
3344	chrome.exe
3344	chrome.exe
3344	chrome.exe
3344	chrome.exe
3344	chrome.exe
3344	chrome.exe
3344	chrome.exe
3344	chrome.exe
3344	chrome.exe
3424	Bloxstrap-v2.6.1.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

node.exe

pid process

4076 node.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

RobloxPlayerBeta.exe

pid process

4996 RobloxPlayerBeta.exe

pid	process
4076	node.exe

pid	process
4996	RobloxPlayerBeta.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Wave Goodbye.exemsedge.exe

description	pid	process	target process
PID 2440 wrote to memory of 1228	2440	Wave Goodbye.exe	msedge.exe
PID 2440 wrote to memory of 1228	2440	Wave Goodbye.exe	msedge.exe
PID 1228 wrote to memory of 1196	1228	msedge.exe	msedge.exe
PID 1228 wrote to memory of 1196	1228	msedge.exe	msedge.exe
PID 1228 wrote to memory of 2808	1228	msedge.exe	msedge.exe
PID 1228 wrote to memory of 2808	1228	msedge.exe	msedge.exe
PID 1228 wrote to memory of 2808	1228	msedge.exe	msedge.exe
PID 1228 wrote to memory of 2808	1228	msedge.exe	msedge.exe
PID 1228 wrote to memory of 2808	1228	msedge.exe	msedge.exe
PID 1228 wrote to memory of 2808	1228	msedge.exe	msedge.exe
PID 1228 wrote to memory of 2808	1228	msedge.exe	msedge.exe
PID 1228 wrote to memory of 2808	1228	msedge.exe	msedge.exe
PID 1228 wrote to memory of 2808	1228	msedge.exe	msedge.exe
PID 1228 wrote to memory of 2808	1228	msedge.exe	msedge.exe
PID 1228 wrote to memory of 2808	1228	msedge.exe	msedge.exe
PID 1228 wrote to memory of 2808	1228	msedge.exe	msedge.exe
PID 1228 wrote to memory of 2808	1228	msedge.exe	msedge.exe
PID 1228 wrote to memory of 2808	1228	msedge.exe	msedge.exe
PID 1228 wrote to memory of 2808	1228	msedge.exe	msedge.exe
PID 1228 wrote to memory of 2808	1228	msedge.exe	msedge.exe
PID 1228 wrote to memory of 2808	1228	msedge.exe	msedge.exe
PID 1228 wrote to memory of 2808	1228	msedge.exe	msedge.exe
PID 1228 wrote to memory of 2808	1228	msedge.exe	msedge.exe
PID 1228 wrote to memory of 2808	1228	msedge.exe	msedge.exe
PID 1228 wrote to memory of 2808	1228	msedge.exe	msedge.exe
PID 1228 wrote to memory of 2808	1228	msedge.exe	msedge.exe
PID 1228 wrote to memory of 2808	1228	msedge.exe	msedge.exe
PID 1228 wrote to memory of 2808	1228	msedge.exe	msedge.exe
PID 1228 wrote to memory of 2808	1228	msedge.exe	msedge.exe
PID 1228 wrote to memory of 2808	1228	msedge.exe	msedge.exe
PID 1228 wrote to memory of 2808	1228	msedge.exe	msedge.exe
PID 1228 wrote to memory of 2808	1228	msedge.exe	msedge.exe
PID 1228 wrote to memory of 2808	1228	msedge.exe	msedge.exe
PID 1228 wrote to memory of 2808	1228	msedge.exe	msedge.exe
PID 1228 wrote to memory of 2808	1228	msedge.exe	msedge.exe
PID 1228 wrote to memory of 2808	1228	msedge.exe	msedge.exe
PID 1228 wrote to memory of 2808	1228	msedge.exe	msedge.exe
PID 1228 wrote to memory of 2808	1228	msedge.exe	msedge.exe
PID 1228 wrote to memory of 2808	1228	msedge.exe	msedge.exe
PID 1228 wrote to memory of 2808	1228	msedge.exe	msedge.exe
PID 1228 wrote to memory of 2808	1228	msedge.exe	msedge.exe
PID 1228 wrote to memory of 2808	1228	msedge.exe	msedge.exe
PID 1228 wrote to memory of 2808	1228	msedge.exe	msedge.exe
PID 1228 wrote to memory of 2808	1228	msedge.exe	msedge.exe
PID 1228 wrote to memory of 3068	1228	msedge.exe	msedge.exe
PID 1228 wrote to memory of 3068	1228	msedge.exe	msedge.exe
PID 1228 wrote to memory of 4920	1228	msedge.exe	msedge.exe
PID 1228 wrote to memory of 4920	1228	msedge.exe	msedge.exe
PID 1228 wrote to memory of 4920	1228	msedge.exe	msedge.exe
PID 1228 wrote to memory of 4920	1228	msedge.exe	msedge.exe
PID 1228 wrote to memory of 4920	1228	msedge.exe	msedge.exe
PID 1228 wrote to memory of 4920	1228	msedge.exe	msedge.exe
PID 1228 wrote to memory of 4920	1228	msedge.exe	msedge.exe
PID 1228 wrote to memory of 4920	1228	msedge.exe	msedge.exe
PID 1228 wrote to memory of 4920	1228	msedge.exe	msedge.exe
PID 1228 wrote to memory of 4920	1228	msedge.exe	msedge.exe
PID 1228 wrote to memory of 4920	1228	msedge.exe	msedge.exe
PID 1228 wrote to memory of 4920	1228	msedge.exe	msedge.exe
PID 1228 wrote to memory of 4920	1228	msedge.exe	msedge.exe
PID 1228 wrote to memory of 4920	1228	msedge.exe	msedge.exe
PID 1228 wrote to memory of 4920	1228	msedge.exe	msedge.exe
PID 1228 wrote to memory of 4920	1228	msedge.exe	msedge.exe
PID 1228 wrote to memory of 4920	1228	msedge.exe	msedge.exe
PID 1228 wrote to memory of 4920	1228	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\Wave Goodbye.exe
"C:\Users\Admin\AppData\Local\Temp\Wave Goodbye.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Drops file in Drivers directory
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:2440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/6NNYUEXAR2
2⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1228

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7fff60bb3cb8,0x7fff60bb3cc8,0x7fff60bb3cd8
3⤵
PID:1196

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1888,9966278178835559069,7581201127272160905,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1900 /prefetch:2
3⤵
PID:2808

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1888,9966278178835559069,7581201127272160905,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3068

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1888,9966278178835559069,7581201127272160905,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2572 /prefetch:8
3⤵
PID:4920

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,9966278178835559069,7581201127272160905,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2960 /prefetch:1
3⤵
PID:828

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,9966278178835559069,7581201127272160905,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2968 /prefetch:1
3⤵
PID:2452

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,9966278178835559069,7581201127272160905,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5048 /prefetch:1
3⤵
PID:3648

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,9966278178835559069,7581201127272160905,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3972 /prefetch:1
3⤵
PID:1544

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1888,9966278178835559069,7581201127272160905,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5412 /prefetch:8
3⤵
PID:3736

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1888,9966278178835559069,7581201127272160905,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5432 /prefetch:8
3⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3140

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1888,9966278178835559069,7581201127272160905,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3320 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3780

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,9966278178835559069,7581201127272160905,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5060 /prefetch:1
3⤵
PID:1884

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,9966278178835559069,7581201127272160905,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3532 /prefetch:1
3⤵
PID:3016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,9966278178835559069,7581201127272160905,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:1
3⤵
PID:1824

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,9966278178835559069,7581201127272160905,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
3⤵
PID:4144

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1888,9966278178835559069,7581201127272160905,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4952 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:544

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,9966278178835559069,7581201127272160905,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4656 /prefetch:1
3⤵
PID:1908

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,9966278178835559069,7581201127272160905,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5420 /prefetch:1
3⤵
PID:660

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1888,9966278178835559069,7581201127272160905,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6096 /prefetch:8
3⤵
PID:1084

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1888,9966278178835559069,7581201127272160905,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6016 /prefetch:8
3⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:1620

C:\Users\Admin\Downloads\WaveInstaller.exe
"C:\Users\Admin\Downloads\WaveInstaller.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3148

C:\Users\Admin\AppData\Local\Wave\WaveBootstrapper.exe
"C:\Users\Admin\AppData\Local\Wave\WaveBootstrapper.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2956

C:\Users\Admin\AppData\Local\Wave\WaveWindows.exe
"C:\Users\Admin\AppData\Local\Wave\WaveWindows.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks for any installed AV software in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:644

C:\Users\Admin\AppData\Local\CefSharp\CefSharp.BrowserSubprocess.exe
"C:\Users\Admin\AppData\Local\CefSharp\CefSharp.BrowserSubprocess.exe" --type=gpu-process --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\CefSharp\locales" --resources-dir-path="C:\Users\Admin\AppData\Local\CefSharp" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CefSharp" --cefsharpexitsub --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2024,i,3482325904693203520,12732144684505788850,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI --variations-seed-version --enable-logging=handle --log-file=2068 --mojo-platform-channel-handle=1988 /prefetch:2 --host-process-id=644
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2852

C:\Users\Admin\AppData\Local\Luau Language Server\node.exe
"C:\Users\Admin\AppData\Local\Luau Language Server\node.exe" server --process-id=644
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4076

C:\Users\Admin\AppData\Local\CefSharp\CefSharp.BrowserSubprocess.exe
"C:\Users\Admin\AppData\Local\CefSharp\CefSharp.BrowserSubprocess.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\CefSharp\locales" --resources-dir-path="C:\Users\Admin\AppData\Local\CefSharp" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CefSharp" --cefsharpexitsub --field-trial-handle=2804,i,3482325904693203520,12732144684505788850,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI --variations-seed-version --enable-logging=handle --log-file=2808 --mojo-platform-channel-handle=2800 /prefetch:3 --host-process-id=644
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3052

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:920

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1028

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2780

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3344

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff721cab58,0x7fff721cab68,0x7fff721cab78
2⤵
PID:4808

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1572 --field-trial-handle=1816,i,12600757219118523545,8271619808894254945,131072 /prefetch:2
2⤵
PID:4432

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 --field-trial-handle=1816,i,12600757219118523545,8271619808894254945,131072 /prefetch:8
2⤵
PID:1620

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2200 --field-trial-handle=1816,i,12600757219118523545,8271619808894254945,131072 /prefetch:8
2⤵
PID:1680

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2980 --field-trial-handle=1816,i,12600757219118523545,8271619808894254945,131072 /prefetch:1
2⤵
PID:3476

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3064 --field-trial-handle=1816,i,12600757219118523545,8271619808894254945,131072 /prefetch:1
2⤵
PID:828

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4188 --field-trial-handle=1816,i,12600757219118523545,8271619808894254945,131072 /prefetch:1
2⤵
PID:2344

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4340 --field-trial-handle=1816,i,12600757219118523545,8271619808894254945,131072 /prefetch:8
2⤵
PID:2472

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4508 --field-trial-handle=1816,i,12600757219118523545,8271619808894254945,131072 /prefetch:8
2⤵
PID:1676

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4560 --field-trial-handle=1816,i,12600757219118523545,8271619808894254945,131072 /prefetch:8
2⤵
PID:3160

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4760 --field-trial-handle=1816,i,12600757219118523545,8271619808894254945,131072 /prefetch:8
2⤵
PID:4052

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4108 --field-trial-handle=1816,i,12600757219118523545,8271619808894254945,131072 /prefetch:8
2⤵
PID:420

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4840 --field-trial-handle=1816,i,12600757219118523545,8271619808894254945,131072 /prefetch:1
2⤵
PID:4232

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3180 --field-trial-handle=1816,i,12600757219118523545,8271619808894254945,131072 /prefetch:1
2⤵
PID:1508

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=3192 --field-trial-handle=1816,i,12600757219118523545,8271619808894254945,131072 /prefetch:1
2⤵
PID:2152

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3264 --field-trial-handle=1816,i,12600757219118523545,8271619808894254945,131072 /prefetch:8
2⤵
PID:3528

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4316 --field-trial-handle=1816,i,12600757219118523545,8271619808894254945,131072 /prefetch:8
2⤵
PID:2296

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=4248 --field-trial-handle=1816,i,12600757219118523545,8271619808894254945,131072 /prefetch:1
2⤵
PID:2528

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=1944 --field-trial-handle=1816,i,12600757219118523545,8271619808894254945,131072 /prefetch:1
2⤵
PID:1788

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3764 --field-trial-handle=1816,i,12600757219118523545,8271619808894254945,131072 /prefetch:8
2⤵
PID:3048

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5060 --field-trial-handle=1816,i,12600757219118523545,8271619808894254945,131072 /prefetch:8
2⤵
PID:4620

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5080 --field-trial-handle=1816,i,12600757219118523545,8271619808894254945,131072 /prefetch:8
2⤵
PID:1704

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=5144 --field-trial-handle=1816,i,12600757219118523545,8271619808894254945,131072 /prefetch:1
2⤵
PID:2336

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5156 --field-trial-handle=1816,i,12600757219118523545,8271619808894254945,131072 /prefetch:8
2⤵
- NTFS ADS
PID:3324

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5184 --field-trial-handle=1816,i,12600757219118523545,8271619808894254945,131072 /prefetch:8
2⤵
PID:3940

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4928 --field-trial-handle=1816,i,12600757219118523545,8271619808894254945,131072 /prefetch:8
2⤵
PID:1436

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5380 --field-trial-handle=1816,i,12600757219118523545,8271619808894254945,131072 /prefetch:8
2⤵
PID:4732

C:\Users\Admin\Downloads\Bloxstrap-v2.6.1.exe
"C:\Users\Admin\Downloads\Bloxstrap-v2.6.1.exe"
2⤵
- Executes dropped EXE
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SendNotifyMessage
PID:3424

C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-1088f3c8e4a44cc7\RobloxPlayerBeta.exe
"C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-1088f3c8e4a44cc7\RobloxPlayerBeta.exe" --app -channel production
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
PID:4996

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:3024

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Bloxstrap\Modifications\ClientSettings\ClientAppSettings.json
Filesize
79B

MD5
eab6dcc312473d43c2fa8cc41280d79c

SHA1
b4e9ec7e579d06dfcaa5ac616de2751308a153c3

SHA256
0a27d3c9100ab7ab6f03c45daeb0f0cd586f3aeb59daf7986e853f9614e954fe

SHA512
1ce0fdc237110d644bcc8238f184554f25813ccf7142fd312ce96fbb6659081db677b04485bf66d52100136da6bb9688e48b1287455725c7b4950153aa2a4595

Download Submit
C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-1088f3c8e4a44cc7\content\sounds\ouch.ogg
Filesize
6KB

MD5
9404c52d6f311da02d65d4320bfebb59

SHA1
0b5b5c2e7c631894953d5828fec06bdf6adba55f

SHA256
c9775e361392877d1d521d0450a5368ee92d37dc542bc5e514373c9d5003f317

SHA512
22aa1acbcdcf56f571170d9c32fd0d025c50936387203a7827dbb925f352d2bc082a8a79db61c2d1f1795ad979e93367c80205d9141b73d806ae08fa089837c4

Download Submit
C:\Users\Admin\AppData\Local\CefSharp\CefSharp.BrowserSubprocess.Core.dll
Filesize
915KB

MD5
100c32f77e68a2ce962e1a28997567ea

SHA1
a80a1f4019b8d44df6b5833fb0c51b929fa79843

SHA256
c0b9e29b240d8328f2f9a29ca0298ca4d967a926f3174a3442c3730c00d5a926

SHA512
f95530ef439fa5c4e3bc02db249b6a76e9d56849816ead83c9cd9bcd49d3443ccb88651d829165c98a67af40b3ef02b922971114f29c5c735e662ca35c0fb6ed

Download Submit
C:\Users\Admin\AppData\Local\CefSharp\CefSharp.BrowserSubprocess.exe
Filesize
7KB

MD5
516ff62b2e1f4642caa954c0968719e8

SHA1
e349d0ce82e2109dd0d18416d9cf46e8411b7f15

SHA256
19da58849cec5933860116e60a1e94b08e30d90e0f955768270b47998d612045

SHA512
7aa4a0c87b29c2a84f585a884d8208fc2352a43f2cdb549c100e3b121837ad5f8dadb1101f57d1d3fcb7ebec9d9f22e07dc14239b7d2e2d25793c999becf288b

Download Submit
C:\Users\Admin\AppData\Local\CefSharp\CefSharp.dll
Filesize
272KB

MD5
9ca06a8f9e5f7239ca225ab810274023

SHA1
e1a219f567a7b7d3af9386df51b14c76e769c044

SHA256
5fd00ae3e83e6ca156647ff6df87b49ffc7cad47c23fe3ae07c067c5adf6f74a

SHA512
430c9bceed5439b987d5bd4840cfe32411ca61594f18597aca1948aa39a22c9d70beadf3bb9b1dd0373f81a94a25dcba17fa8e8c73abf06cba28d0971d5614c5

Download Submit
C:\Users\Admin\AppData\Local\CefSharp\ShaderCache\data_1
Filesize
264KB

MD5
d0d388f3865d0523e451d6ba0be34cc4

SHA1
8571c6a52aacc2747c048e3419e5657b74612995

SHA256
902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b

SHA512
376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17

Download Submit
C:\Users\Admin\AppData\Local\CefSharp\chrome_100_percent.pak
Filesize
667KB

MD5
ae195e80859781a20414cf5faa52db06

SHA1
b18ecb5ec141415e3a210880e2b3d37470636485

SHA256
9957802c0792e621f76bbdb1c630fbad519922743b5d193294804164babda552

SHA512
c6fef84615fe20d1760ca496c98629feb4e533556724e9631d4282622748e7601225cf19dfb8351f4b540ae3f83785c1bcea6fe8c246cf70388e527654097c1c

Download Submit
C:\Users\Admin\AppData\Local\CefSharp\chrome_200_percent.pak
Filesize
1.0MB

MD5
1abf6bad0c39d59e541f04162e744224

SHA1
db93c38253338a0b85e431bd4194d9e7bddb22c6

SHA256
01cb663a75f18bb2d0d800640a114f153a34bd8a5f2aa0ed7daa9b32967dc29e

SHA512
945d519221d626421094316f13b818766826b3bedddab0165c041540dddadc93136e32784c0562d26a420cb29479d04d2aa317b8d605cd242e5152bf05af197e

Download Submit
C:\Users\Admin\AppData\Local\CefSharp\chrome_elf.dll
Filesize
1020KB

MD5
7191d97ce7886a1a93a013e90868db96

SHA1
52dd736cb589dd1def87130893d6b9449a6a36e3

SHA256
32f925f833aa59e3f05322549fc3c326ac6fc604358f4efbf94c59d5c08b8dc6

SHA512
38ebb62c34d466935eabb157197c7c364d4345f22aa3b2641b636196ca1aeaa2152ac75d613ff90817cb94825189612ddd12fb96df29469511a46a7d9620e724

Download Submit
C:\Users\Admin\AppData\Local\CefSharp\icudtl.dat
Filesize
10.2MB

MD5
74bded81ce10a426df54da39cfa132ff

SHA1
eb26bcc7d24be42bd8cfbded53bd62d605989bbf

SHA256
7bf96c193befbf23514401f8f6568076450ade52dd1595b85e4dfcf3de5f6fb9

SHA512
bd7b7b52d31803b2d4b1fd8cb76481931ed8abb98d779b893d3965231177bdd33386461e1a820b384712013904da094e3cd15ee24a679ddc766132677a8be54a

Download Submit
C:\Users\Admin\AppData\Local\CefSharp\libEGL.dll
Filesize
359KB

MD5
7dd6b0e4a31d35a0fae5ff425707073c

SHA1
fbd12e9f8e2252c52ce555c2ebbd7f07e62a0140

SHA256
8762d8001fc3ddd90e3129dfea172817e8d09b9936eaae391957de4326c8c906

SHA512
726968df6b83ab5f589276672250d92f532fe2dcea2176e42031a7f1dcecf578b0320cfe2a7d88bb9883ad99387d71c6ebf1e9968272bb5e62850ef09abd2648

Download Submit
C:\Users\Admin\AppData\Local\CefSharp\libglesv2.dll
Filesize
6.6MB

MD5
8803db5b167fb5a5f8a8c595c4e4d7c6

SHA1
7fde861151f3bea66c65b6c2487a30728048811a

SHA256
52a58d25a41f4bd31cdb4a0d306217862e04ebf7c1925cc85330054a5523d719

SHA512
2fa9a0eda221982896e41eb387b5e156198615ac1a1fbac0acffd13008919368b41a240df416c1fce2e48c20a14cd7af7cca9fba476ada5e64a0cadde84a44b7

Download Submit
C:\Users\Admin\AppData\Local\CefSharp\locales\en-US.pak
Filesize
456KB

MD5
4430b1833d56bc8eb1f7dc82bb7f4bc9

SHA1
dc15e6306625f155683326e859d83f846153c547

SHA256
b44ddcfac9df4934007e6c55a3c7f5e7f14c7e5e29f35c81de917fc3b22aabbc

SHA512
faf93bf371b2a88c1b874a5e2c54e4487fd152ad19c2a406a46f55ae75ecd421a779888c2e4c170857b16bfb5d8744bc1815a4732ed50b064b3cbd0c5ffad889

Download Submit
C:\Users\Admin\AppData\Local\CefSharp\resources.pak
Filesize
8.0MB

MD5
4933d92c99afa246fc59eef010d5c858

SHA1
98d443654e93c73dd317f9f847f71fba3d5b3135

SHA256
62f4674daa15245ee081920b8ee191e72f36ca8fe24f6b986a832f45676915b2

SHA512
a3a69523c8e7310716daeebc06c2ba4fce673eccd1958e824ff179b82f4502d0ec095190179bbb387342e4150f952ea7533182fb6ba90377d17dafba8f4da623

Download Submit
C:\Users\Admin\AppData\Local\CefSharp\vk_swiftshader.dll
Filesize
4.4MB

MD5
0ec149455727ace9acc09b3ba2c3a2b2

SHA1
6eeb990876cef6a34115b67f3190255db589f723

SHA256
e2d8ef53897e864b5b66bc73606681c99461798a9f4c1e13ca5cef7bc774d7fd

SHA512
c8eaa598c9439b1f2375fdac1f58896853510bddbd640707b9142c0d3793836120b28d7c2bd0407f0d5656dd19f14b312f37b7ac0165c9cc8b4c1a0f2af62531

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\7b1f07db-8d9f-4e2e-86ee-422578d5140b.tmp
Filesize
281KB

MD5
6167e69b0fa8f26466e7167341e992b5

SHA1
1b0baada01316656845157cf9d9a0a0df2cbf1be

SHA256
925de3ac6cbbf950cddc2af230c03f1ccbd81d839f615ebb98d339d1a39adbf9

SHA512
0d253289bdc74f50722d9114bd12841d887439c56901f10efd7b1b23569e5626f010706caa0abc131773b6b5e342fcef8b2bead6a575a8c0487f2db2520f352a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000008
Filesize
211KB

MD5
151fb811968eaf8efb840908b89dc9d4

SHA1
7ec811009fd9b0e6d92d12d78b002275f2f1bee1

SHA256
043fd8558e4a5a60aaccd2f0377f77a544e3e375242e9d7200dc6e51f94103ed

SHA512
83aface0ab01da52fd077f747c9d5916e3c06b0ea5c551d7d316707ec3e8f3f986ce1c82e6f2136e48c6511a83cb0ac67ff6dc8f0e440ac72fc6854086a87674

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00002f
Filesize
8.4MB

MD5
8450908897067c9527740d735897740b

SHA1
71c993302b3174fe4fd712eaf8886a4842778e42

SHA256
f5a04c5d6ddcb4cc3925656919c37a9ca18f20f3623c722dc45499cf1e4de8a8

SHA512
841d6d732db87ca350dd7f4eda273584810dc976f6a368a141de8ea8d87113e8f8ef92c747ee2fa3dc8f906456e2c2c17b122d3f86dea9042c40acb9170848f8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
168B

MD5
d322bf3e7b395d3e8981227115638f91

SHA1
76c28f8e639bc855d6c208f61e6d437a467be37c

SHA256
1f451b2a173795b3f490f13569eb627c23c2d8a69db3191a0dbe068cc582dd0f

SHA512
2173f3133c44ecc84273a9c3e3e568550d689afc52a9e7a35956be2d0c4e52b940b50bfec3c62ba3b273e965ac29ce9d98271a6f5a10ac470eabc5c2f637e3b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
2KB

MD5
fa5cc39097fa0c1a8ea6bcbbe5703eed

SHA1
022289604a97983c034f6b8ba48a27e3396b2b5b

SHA256
d5b51600093f154c569162d737b407ff63ddf942b2fb7abb4705da30a88f9486

SHA512
a3b762b5ec5c884c77b19f6f9c36bf02c8c8e6d952b96b44c7bd3cb2ea7dbebafc7a74991afb00a6843e2580f2f8a1c80f1849af9f07358bb9f4419f4b070c9f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
de3406029fa48af3b9befa519ff74b0b

SHA1
9efc2f57eb476b93e58bd1e5bf9541fd61d9cd95

SHA256
71c5f815c60aa249f29b52b83346fe698af2b573574d63fc824268149d23ca9b

SHA512
34629526d38c8bd9ca02508d5cff470f21db2b35f731007b6babff2ae1353cc8557677c25f61b93b0f6c6d6db3d16fcb6fa8f15e438080cdf94af98a20692d2e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
3KB

MD5
875deed850ec92d902a326f6342d1edd

SHA1
ff65ef3b036e983e2f6b71d1c6bd48f19bd345d1

SHA256
5eb087c478baa54babfef3b64de06cc669a6104222f3b5b1ce146855f15f4967

SHA512
b65432d0c40ea1bf696e7cf209176dcb1159acc713fe5a8ecbafe211ab9496fc07d12ff357498f02def64534809de228a1d0a4427374db73ed3e9d5ccdd62ee4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
f4f539c8dda56c1834cc75a9256f6732

SHA1
20f3f9a988dddc2883b4d542b5d3eb3f861c72bf

SHA256
e9cd0ae6ef017a124730d8740aac2fcb46e2bacc3262c9b767606c66b870c97b

SHA512
69c63cf5119eb5d1b183a27c7fd2c1599341c62e06e5a306219fa2c8d84786aefc08fd421266c6491bcb10512bda2a404674ee036f801541fa21eb7a106cef6e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
691B

MD5
2dc0eb4ee350d5fd0873877a92c378d0

SHA1
0e60352eda625b86a6c1940e48be6c4c05571340

SHA256
9aaeb472484d5d28413f17aeb964075c15d58663d68ad74d1f9582d78e41ab08

SHA512
ed03e31216eb902cd03d2bf1e6afe33b03435e1c2e34654b2e05486c2448ffb8b6ff804779680eccf17f2a2efb1e17fae3ca00505e8cb4f0d1b38b06746cce40

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
356B

MD5
ca081f2d038c17795ec64f0764737af4

SHA1
80734c745a93d4df7d2a5e90cb66e2a73050c09c

SHA256
64eb63e62d09628f12035bf814cb84554de57ab4fdeb97243a0415c76c66cf26

SHA512
e9636d78d147e2a4aebae2474823e17bd3d8857e4fc6c25dc87788fc9392bb3c3dd0e0529d2ea330a10353a9a321ed18ae7350b909cc4c090b8b935401e99d41

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
1d24ff6b37ab2a5b5d6ac3ee7c9f6f5e

SHA1
c98534e17f8e4f080cb18a83e46a1c2720fde821

SHA256
50f0df35727c8700ca1049612ae75b772614eea8b595ec8f534ae8fcdbcd6991

SHA512
a9de55276b40846f95cab9c7789dfe9fe923393e4b0eec3c08effe38132b4cd99e1c46ec3c6007ada6282876ce0fe9385d8d9f56b571c78beec2a8f436567fd8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
becf5370f040ad91bb780a80c0407b33

SHA1
e9f3780034fba55d6a7d2d439d3101e02fdbe9b9

SHA256
868bf7fa1cc1d68df9629145e4ffbe935f386d0a71e7e441953fca7c715aa81e

SHA512
1e856a6f9bbb22360b4afe3730375f0b2ce22f0b550893b3e76a676b5b18d115d69646944baaaf996d4b80df9cd6875df4fcdf77a7ebfa7aab0e1473dc340fc1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
8KB

MD5
22815b33e2427635a11a03c3a95de2f7

SHA1
e8235cec515655f4a546804c6b036599176eafed

SHA256
b29f9a7b175c7b80e92abca83447033627bcb15ce382e1c5b5f79fc0088c993d

SHA512
9374c0a86ff7a4c10d67ca1b717a85548e6eb978cc0e1118db11c8ba66bc306903a773fe1acb0f1116056d096431e3998541b17d3227c7c73e6660d12d6e50bd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
8cb0207b805005a5aa1adf9c5c42da68

SHA1
a4421c3baa1d483a60885a2d3bbd5ac5c13acf2b

SHA256
8a38b8876174d66647c156409115581d70cca8ca607070acba7ae56ad27459fa

SHA512
5457e5afde57f08fe8a11da6f5e7d87080cf289c51bd0847a5c8269f673b4c032241125ece621bf8763ef9188b73b46647fb54be284c47c817e49302b5afc303

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
9c433034c7d8e06df8b2b323224afd6c

SHA1
fa7a55300adf27df25dc123aeacf4b2899e0ba95

SHA256
3e00e88ad8d592613793402579512976f14cefe5f412904a184bf4e8bd3828aa

SHA512
3c85d144bc60f8a41439e6fc1679eadc26efeb62d5fc0b5457e476db045113e331f26a9445d4e73c5e6f3797ae9bb43a3655dc70973d056f67b6b147077aa37c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
f979c789e5ee349eeb466c3b0eaff902

SHA1
334af99ab8e5765db01cb21c0fdfd3e73b2af4ce

SHA256
c8eb91e1058b9ae16104fc88cfcf567c5da8f2416a3dd94d3e66eb0feb323737

SHA512
c9b0c3261456e3f2a12a05f1e69a1570ef8159da6aad229ae7ae68f4a228d405b160fee9991258c7b5585dfd22b789a57c9abd73341dd84e8b1d90a0c1f26082

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
281KB

MD5
2b0b0bdf5169ecbcb69a3f543bb9e6d2

SHA1
a6e13afe5dde9eb4d9206c5f8c9c86a4f8bbad15

SHA256
ce6a4eb902254502ee92b09285678af69cd69bfe3bf36bafd3b31c25b0c01ae9

SHA512
9f1dab7c3789ee698c9a05ce236fea38fb28e62b565601297b561d9408b1e0ee98fde397de25c1f29932dc17cbb0078268d3527e894ec1b01c277a8ab6313b6f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
281KB

MD5
88020f6c15d101798f86e1732858fae9

SHA1
64e4143e63d0c7413e3d320dac600344d4fe5010

SHA256
58f5c3660718a20d9a4fbfa86816f61a5621eea727b97373d48b9d46d8a6ee31

SHA512
f84bdbbdacbb9def8a4c7aa8827849d72bc59de1ea45befdfec59cb638e6eae73eefba0b85659b2436898b6f72d168b6e2db0d55fe58e89e997d03a9551f1dd0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
88KB

MD5
2ca1c7d22645adec26dcfc29b6d1155f

SHA1
f445a300ec70b6fc0dee8d73e87a8e4ad5ccd606

SHA256
2a27bd2367bd38f9f8823b78df05c3c50c3cc2ecf90f518568dfdee760c93f78

SHA512
032e31f943a787e5c2cc2cccf65f0960a7ce86009ea32cecaec89639c96c116a560fb338e5ab0ebe7d244a78e4d41156cb901d341c422c5c61509559b11ab51f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe5a40c3.TMP
Filesize
83KB

MD5
e9fa532d6f038a988e4b62ef822ff39c

SHA1
6f4b01d5dd092a951f759b3e2a223b12bc34addd

SHA256
c9b497cbb682063a162bc66d23c00ffe25157407b34e36f61d64a854e2d40136

SHA512
c34e3728be157736d98ffa8cc8101440380ec3cbe4172df35c831c5747634ad046ef4e8407c58b2c36d78b119e831e0690f523160f2c6d304c123bb11659c36e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
a74887034b3a720c50e557d5b1c790bf

SHA1
fb245478258648a65aa189b967590eef6fb167be

SHA256
f25b27187fad2b82ac76fae98dfdddc1c04f4e8370d112d45c1dd17a8908c250

SHA512
888c3fceb1a28a41c5449f5237ca27c7cbd057ce407f1542973478a31aa84ce9b77943130ca37551c31fa7cd737b9195b7374f886a969b39148a531530a91af3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
64f055a833e60505264595e7edbf62f6

SHA1
dad32ce325006c1d094b7c07550aca28a8dac890

SHA256
7172dc46924936b8dcee2d0c39535d098c2dbf510402c5bbb269399aed4d4c99

SHA512
86644776207d0904bc3293b4fec2fa724b8b3c9c3086cd0ef2696027ab3d840a8049b6bde3464c209e57ffa83cbc3df6115500fbe36a9acb222830c1aac4dc7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
264B

MD5
2aa26ae7c6c3130260e029ff630d37e2

SHA1
d29e666c8afb9c02a4f53b753fab2183ca31ed9e

SHA256
aaaf8aeb5d053008bea58809d033168632e1a2119f68972561ba1d04f0fed9cb

SHA512
4a1eb077a6e9a8b1803487e79182e9c66bb482803f7e945dccc6087f41cc14c860856bf3ecc920dd3d4e22b62594861d0c9c34a6128d4bd8127c186f93bd3626

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
673B

MD5
65d169496cc21ff8377d0abb8bd2dae4

SHA1
21a1d5ed862f12ffdc3da9e5aa9481174ced2cb2

SHA256
30c63dce3d59ced60a5af2153c31b2980241b8ab05c4c4a4e0b58e659f37f968

SHA512
0ee7a519bfef66c5bea34f0441f4e6e66db6f87e0d6075d3e79f367c5f3459976340d07796a51c6631182357063c5319a35f5008c0651747790106fe513657ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
66cf5a81b25ec580bba1981e216936b6

SHA1
2793e20c36eeee45c73ad341c0460f1a328af5a5

SHA256
6bb2b1e5b24d0e068728be22150dfc785f19edfce6e7d85cbde833929ea6b477

SHA512
2c26e89a6612113f69ff13496c0ef9109019a6a7cf60de3c0bbd8003788298d5aa45dd030883d9a305d2bab8c0d76e736858b58b45f48106d485d289002a1ed4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
22eb318bc4e2c0f6009e2a90e2579819

SHA1
15d872eb846ce1f4e9f2c1552714e95095e7fde5

SHA256
ff05297d227eb7febec1481d608bb997a0416c28455c4858171a0c7bc3cb215d

SHA512
43544283d6d6c9724dae45fb378fd7c369f80ae69e236ac410a2328bc49f205a94f71d5f5fec390462c93cc382e6e9f5c17c40b7b3f15fb087f7f6f57b1f7b3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
ed5784db49b4554de01aaff6b04a817b

SHA1
6c92c27e8c318d0ae59b9199faee449e1a092bce

SHA256
1502195a776a1067bf889a1c1de77574e6f2c71bad854eee599219644833d975

SHA512
07b856a220e1bd36c40460da926461d0869594e027f1b91d5eb664e56861f92d88a1cbd023820249b998fd0a5a502215494ccaf30d71032dc0d8b7a6550c2c72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
6125a92939caacee58cb7d7519a4e9a0

SHA1
0d0c06db53862d4889145428ff6e2a552be0c768

SHA256
050a32f1793fa23126d6048f2714cd819fab7711d8126515527392666131dcc0

SHA512
87e04854e7af966a0bc6bdc1e5f6278601d9c0555cb830381752d6d6e763da15f1aef409d8030c40f7ffad9bc498d016f7101c2425fd49f1f2b35f657231336b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
538B

MD5
1df4418facb465a3ada087e36fa607b7

SHA1
cb19ad184065916cef04c19a907c9deeeff59199

SHA256
b0ceb552a6f8adfdc10bb78858437f48f566954985e3e6e3070c29db12160c7f

SHA512
6b65a910a376bcf0e9d9ecaa6b8c069e1e8f9b529405ef6eab1068493acf7e2a58003f7cf70f7e22ca18976caf02af130ae867bd6942c0a176a2fcee0a4fb8ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57f59b.TMP
Filesize
370B

MD5
d7b38df8b47d833d81af40c5091e106e

SHA1
cadc5dd7394e0f81ebffa3729cf0c016fcf729aa

SHA256
9a9d03f141e4c2dc5fab84e70b236018a01f56f05fe8db147f61f4fe62f887a1

SHA512
011eab8f2bcd353f0de5804152eadf8526bc8e85a648f946c0f8eed9ca20462318132d738559dfbfc9f8fe124c9177b63b029d9b0e32e3b9a3bdafa02d54efa2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
9009cf82280c137abb2a47dd22abb07e

SHA1
2ca4b282969f9d2d038855b74808edd264105e7d

SHA256
37483869c5de403b9f088591515422fead1cf468bb433a6729a6f3218fba1ed4

SHA512
14dfa0fda21bf37e2d3dbeb14c410e766f07161d12cd47516200662cfff60a07d1fd3a93a39380355eca970f6da052e8d4df2c418f9c5de7300dd1d14f6da952

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
9bacece10e368f55f666ff72a2915e3d

SHA1
1d93be8409dbe56178661ad403edc52e3c6463ee

SHA256
ebe84e797702d2aee9d9284635a1d5c53125fb9d17fcc0750809808a1c0fb4f4

SHA512
dc2eb1e4db9990c3c55c7bf672092c4ce4e2f1cd08f3b3725b89e594c26f7c9cd77322c107c9d1814e013b559d15254e2b8f4cc97f2715a51646ff230cb0ce62

Download Submit
C:\Users\Admin\AppData\Local\Wave\CefSharp.Core.Runtime.dll
Filesize
1.3MB

MD5
09cba584aa0aae9fc600745567393ef6

SHA1
bbd1f93cb0db9cf9e01071b3bed1b4afd6e31279

SHA256
0babd84d4e7dc2713e7265d5ac25a3c28d412e705870cded6f5c7c550a5bf8d5

SHA512
5f914fa33a63a6d4b46f39c7279687f313728fd5f8437ec592369a2da3256ccff6f325f78ace0e6d3a2c37da1f681058556f7603da13c45b03f2808f779d2aa1

Download Submit
C:\Users\Admin\AppData\Local\Wave\D3DCOMPILER_47.dll
Filesize
3.9MB

MD5
3b4647bcb9feb591c2c05d1a606ed988

SHA1
b42c59f96fb069fd49009dfd94550a7764e6c97c

SHA256
35773c397036b368c1e75d4e0d62c36d98139ebe74e42c1ff7be71c6b5a19fd7

SHA512
00cd443b36f53985212ac43b44f56c18bf70e25119bbf9c59d05e2358ff45254b957f1ec63fc70fb57b1726fd8f76ccfad8103c67454b817a4f183f9122e3f50

Download Submit
C:\Users\Admin\AppData\Local\Wave\WaveBootstrapper.exe
Filesize
939KB

MD5
258a9cae6024c91784bbd8aa5379e86f

SHA1
fe1a808ba23053413359a78d5ec096b2cd540dd5

SHA256
3881840473ec5286189d2fc8e85f0f26a2532890055d1653da9580aa31b2d0e5

SHA512
b621ef432b430d2df0443fa0ebdd59dc7de6b32375c2fc83e8474838843c4abcf4a35f2b5f80e78911fc52336d71812ca9fbc9919314ea3b59bd26036a4ea5a5

Download Submit
C:\Users\Admin\AppData\Local\Wave\WaveWindows.exe
Filesize
7.5MB

MD5
7e09dde2226c18dde3c76471c01b3665

SHA1
94bb80704e14314331e007b942a64f423104644f

SHA256
4f9a703b0491de02519a343659f0a351f6ad09942cd82920995d5fa89e6571ae

SHA512
c61c911eb37c758f64ae9372eb4208210b6a964bb8604d3fcd3285805448b1801a91c519ed0294815f8167500654b423d19161a82c82f7935ec637c4038c93dc

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 530205.crdownload
Filesize
1.5MB

MD5
c822ab5332b11c9185765b157d0b6e17

SHA1
7fe909d73a24ddd87171896079cceb8b03663ad4

SHA256
344700d3141170111a9b77db100f6961cc54a2988d964d34f7e1ca57aa42aa2a

SHA512
a8612836fb4714b939d03f7fe08391bbc635ca83ab853fc677159e5db6b00f76b9b586bdae9c19d2406d9a2713d1caf614132cb6c14e1dddc6ac45e47f7e5a5d

Download Submit
C:\Users\Admin\Downloads\WaveInstaller.exe:Zone.Identifier
Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
1KB

MD5
008fba141529811128b8cd5f52300f6e

SHA1
1a350b35d82cb4bd7a924b6840c36a678105f793

SHA256
ab0e454a786ef19a3ae1337f10f47354ffa9521ea5026e9e11174eca22d86e84

SHA512
80189560b6cf180a9c1ecafc90018b48541687f52f5d49b54ca25e040b3264da053e3d4dbb0cd38caaf496e23e516de18f500b333e3cda1fd1b25c6e9632defc

Download Submit
\??\pipe\LOCAL\crashpad_1228_ZUDJGSKTAEIMFNGN
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/644-564-0x0000000006B20000-0x0000000006C7B000-memory.dmp

Filesize
1.4MB

Download
memory/644-556-0x00000000067B0000-0x0000000006896000-memory.dmp

Filesize
920KB

Download
memory/644-554-0x0000000006050000-0x000000000609A000-memory.dmp

Filesize
296KB

Download
memory/644-555-0x00000000060A0000-0x00000000060C4000-memory.dmp

Filesize
144KB

Download
memory/644-553-0x0000000000FB0000-0x000000000173C000-memory.dmp

Filesize
7.5MB

Download
memory/644-612-0x000000000D750000-0x000000000D802000-memory.dmp

Filesize
712KB

Download
memory/2440-132-0x0000000140000000-0x0000000140F65000-memory.dmp

Filesize
15.4MB

Download
memory/2440-57-0x0000000140000000-0x0000000140F65000-memory.dmp

Filesize
15.4MB

Download
memory/2440-1-0x00007FFF81127000-0x00007FFF81129000-memory.dmp

Filesize
8KB

Download
memory/2440-6-0x0000000140000000-0x0000000140F65000-memory.dmp

Filesize
15.4MB

Download
memory/2440-4-0x0000000140000000-0x0000000140F65000-memory.dmp

Filesize
15.4MB

Download
memory/2440-5-0x0000000140000000-0x0000000140F65000-memory.dmp

Filesize
15.4MB

Download
memory/2440-3-0x0000000140000000-0x0000000140F65000-memory.dmp

Filesize
15.4MB

Download
memory/2440-2-0x0000000140000000-0x0000000140F65000-memory.dmp

Filesize
15.4MB

Download
memory/2440-0-0x0000000140000000-0x0000000140F65000-memory.dmp

Filesize
15.4MB

Download
memory/2852-583-0x00000000048D0000-0x00000000049BA000-memory.dmp

Filesize
936KB

Download
memory/2852-579-0x0000000000050000-0x0000000000058000-memory.dmp

Filesize
32KB

Download
memory/2852-590-0x0000000004AC0000-0x0000000004B0A000-memory.dmp

Filesize
296KB

Download
memory/2956-531-0x0000000000070000-0x0000000000160000-memory.dmp

Filesize
960KB

Download
memory/2956-537-0x0000000008F00000-0x0000000008F1E000-memory.dmp

Filesize
120KB

Download
memory/2956-536-0x0000000008EA0000-0x0000000008EA8000-memory.dmp

Filesize
32KB

Download
memory/2956-535-0x0000000008E60000-0x0000000008E6A000-memory.dmp

Filesize
40KB

Download
memory/2956-534-0x0000000008E20000-0x0000000008E36000-memory.dmp

Filesize
88KB

Download
memory/2956-533-0x0000000008110000-0x0000000008210000-memory.dmp

Filesize
1024KB

Download
memory/3148-313-0x00000000063F0000-0x00000000063FA000-memory.dmp

Filesize
40KB

Download
memory/3148-314-0x0000000006480000-0x000000000648A000-memory.dmp

Filesize
40KB

Download
memory/3148-312-0x000000000AAB0000-0x000000000AB22000-memory.dmp

Filesize
456KB

Download
memory/3148-310-0x00000000063D0000-0x00000000063D8000-memory.dmp

Filesize
32KB

Download
memory/3148-309-0x00000000063A0000-0x00000000063C6000-memory.dmp

Filesize
152KB

Download
memory/3148-308-0x0000000006210000-0x00000000062A6000-memory.dmp

Filesize
600KB

Download
memory/3148-192-0x000000000A1A0000-0x000000000A1AE000-memory.dmp

Filesize
56KB

Download
memory/3148-191-0x000000000A1D0000-0x000000000A208000-memory.dmp

Filesize
224KB

Download
memory/3148-181-0x0000000000C70000-0x0000000000E02000-memory.dmp

Filesize
1.6MB

Download
memory/4996-4660-0x00007FFF811F0000-0x00007FFF81220000-memory.dmp

Filesize
192KB

Download
memory/4996-4664-0x00007FFF81280000-0x00007FFF81289000-memory.dmp

Filesize
36KB

Download
memory/4996-4663-0x00007FFF811F0000-0x00007FFF81220000-memory.dmp

Filesize
192KB

Download
memory/4996-4661-0x00007FFF811F0000-0x00007FFF81220000-memory.dmp

Filesize
192KB

Download
memory/4996-4674-0x00007FFF803E0000-0x00007FFF803EC000-memory.dmp

Filesize
48KB

Download
memory/4996-4673-0x00007FFF802F0000-0x00007FFF80310000-memory.dmp

Filesize
128KB

Download
memory/4996-4684-0x00007FFF7EC30000-0x00007FFF7EC40000-memory.dmp

Filesize
64KB

Download
memory/4996-4683-0x00007FFF7EC30000-0x00007FFF7EC40000-memory.dmp

Filesize
64KB

Download
memory/4996-4682-0x00007FFF7EC30000-0x00007FFF7EC40000-memory.dmp

Filesize
64KB

Download
memory/4996-4681-0x00007FFF7EC10000-0x00007FFF7EC20000-memory.dmp

Filesize
64KB

Download
memory/4996-4680-0x00007FFF7EC10000-0x00007FFF7EC20000-memory.dmp

Filesize
64KB

Download
memory/4996-4679-0x00007FFF7EC10000-0x00007FFF7EC20000-memory.dmp

Filesize
64KB

Download
memory/4996-4678-0x00007FFF7EA60000-0x00007FFF7EA70000-memory.dmp

Filesize
64KB

Download
memory/4996-4677-0x00007FFF7EA60000-0x00007FFF7EA70000-memory.dmp

Filesize
64KB

Download
memory/4996-4676-0x00007FFF7E8F0000-0x00007FFF7E900000-memory.dmp

Filesize
64KB

Download
memory/4996-4675-0x00007FFF7E8F0000-0x00007FFF7E900000-memory.dmp

Filesize
64KB

Download
memory/4996-4672-0x00007FFF802F0000-0x00007FFF80310000-memory.dmp

Filesize
128KB

Download
memory/4996-4671-0x00007FFF802F0000-0x00007FFF80310000-memory.dmp

Filesize
128KB

Download
memory/4996-4670-0x00007FFF802F0000-0x00007FFF80310000-memory.dmp

Filesize
128KB

Download
memory/4996-4669-0x00007FFF802F0000-0x00007FFF80310000-memory.dmp

Filesize
128KB

Download
memory/4996-4668-0x00007FFF802D0000-0x00007FFF802E0000-memory.dmp

Filesize
64KB

Download
memory/4996-4667-0x00007FFF802D0000-0x00007FFF802E0000-memory.dmp

Filesize
64KB

Download
memory/4996-4666-0x00007FFF80240000-0x00007FFF80250000-memory.dmp

Filesize
64KB

Download
memory/4996-4665-0x00007FFF80240000-0x00007FFF80250000-memory.dmp

Filesize
64KB

Download
memory/4996-4659-0x00007FFF811F0000-0x00007FFF81220000-memory.dmp

Filesize
192KB

Download
memory/4996-4658-0x00007FFF811A0000-0x00007FFF811B0000-memory.dmp

Filesize
64KB

Download
memory/4996-4657-0x00007FFF811A0000-0x00007FFF811B0000-memory.dmp

Filesize
64KB

Download
memory/4996-4656-0x00007FFF81080000-0x00007FFF81090000-memory.dmp

Filesize
64KB

Download
memory/4996-4662-0x00007FFF811F0000-0x00007FFF81220000-memory.dmp

Filesize
192KB

Download
memory/4996-4655-0x00007FFF81080000-0x00007FFF81090000-memory.dmp

Filesize
64KB

Download
memory/4996-4689-0x00007FFF80230000-0x00007FFF8023D000-memory.dmp

Filesize
52KB

Download
memory/4996-4691-0x00007FFF80230000-0x00007FFF8023D000-memory.dmp

Filesize
52KB

Download
memory/4996-4690-0x00007FFF80230000-0x00007FFF8023D000-memory.dmp

Filesize
52KB

Download
memory/4996-4692-0x00007FFF80230000-0x00007FFF8023D000-memory.dmp

Filesize
52KB

Download
memory/4996-4688-0x00007FFF801F0000-0x00007FFF80200000-memory.dmp

Filesize
64KB

Download
memory/4996-4687-0x00007FFF801F0000-0x00007FFF80200000-memory.dmp

Filesize
64KB

Download
memory/4996-4701-0x00007FFF80FB0000-0x00007FFF80FB9000-memory.dmp

Filesize
36KB

Download
memory/4996-4704-0x00007FFF7ED80000-0x00007FFF7ED90000-memory.dmp

Filesize
64KB

Download
memory/4996-4711-0x00007FFF7EEF0000-0x00007FFF7EF16000-memory.dmp

Filesize
152KB

Download
memory/4996-4710-0x00007FFF7EDB0000-0x00007FFF7EDD0000-memory.dmp

Filesize
128KB

Download
memory/4996-4709-0x00007FFF7EDB0000-0x00007FFF7EDD0000-memory.dmp

Filesize
128KB

Download
memory/4996-4708-0x00007FFF7EDB0000-0x00007FFF7EDD0000-memory.dmp

Filesize
128KB

Download
memory/4996-4707-0x00007FFF7EDB0000-0x00007FFF7EDD0000-memory.dmp

Filesize
128KB

Download
memory/4996-4705-0x00007FFF7ED80000-0x00007FFF7ED90000-memory.dmp

Filesize
64KB

Download
memory/4996-4703-0x00007FFF7EC70000-0x00007FFF7EC80000-memory.dmp

Filesize
64KB

Download
memory/4996-4702-0x00007FFF7EC70000-0x00007FFF7EC80000-memory.dmp

Filesize
64KB

Download
memory/4996-4706-0x00007FFF7EDB0000-0x00007FFF7EDD0000-memory.dmp

Filesize
128KB

Download
memory/4996-4700-0x00007FFF80FB0000-0x00007FFF80FB9000-memory.dmp

Filesize
36KB

Download
memory/4996-4699-0x00007FFF80FB0000-0x00007FFF80FB9000-memory.dmp

Filesize
36KB

Download
memory/4996-4698-0x00007FFF80FB0000-0x00007FFF80FB9000-memory.dmp

Filesize
36KB

Download
memory/4996-4697-0x00007FFF80FB0000-0x00007FFF80FB9000-memory.dmp

Filesize
36KB

Download
memory/4996-4696-0x00007FFF80F90000-0x00007FFF80FA0000-memory.dmp

Filesize
64KB

Download
memory/4996-4695-0x00007FFF80F90000-0x00007FFF80FA0000-memory.dmp

Filesize
64KB

Download
memory/4996-4694-0x00007FFF80F90000-0x00007FFF80FA0000-memory.dmp

Filesize
64KB

Download
memory/4996-4693-0x00007FFF80230000-0x00007FFF8023D000-memory.dmp

Filesize
52KB

Download
memory/4996-4686-0x00007FFF80180000-0x00007FFF80190000-memory.dmp

Filesize
64KB

Download
memory/4996-4685-0x00007FFF80180000-0x00007FFF80190000-memory.dmp

Filesize
64KB

Download