Analysis
-
max time kernel
451s -
max time network
452s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system -
submitted
29-06-2024 23:52
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://github.com/IHaxU/Wave-Goodbye/raw/main/Wave%20Goodbye.exe
Resource
win10v2004-20240611-en
General
-
Target
https://github.com/IHaxU/Wave-Goodbye/raw/main/Wave%20Goodbye.exe
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes:
Wave Goodbye.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Wave Goodbye.exe -
Downloads MZ/PE file
-
Drops file in Drivers directory 1 IoCs
Processes:
Wave Goodbye.exedescription ioc process File opened for modification C:\Windows\system32\drivers\etc\hosts Wave Goodbye.exe -
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 2 IoCs
Processes:
MicrosoftEdgeUpdate.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe MicrosoftEdgeUpdate.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe\DisableExceptionChainValidation = "0" MicrosoftEdgeUpdate.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
Wave Goodbye.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Wave Goodbye.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Wave Goodbye.exe -
Checks computer location settings 2 TTPs 5 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
MicrosoftEdgeUpdate.exeWaveInstaller.exeWaveBootstrapper.exeWaveWindows.exeBloxstrap.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation MicrosoftEdgeUpdate.exe Key value queried \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation WaveInstaller.exe Key value queried \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation WaveBootstrapper.exe Key value queried \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation WaveWindows.exe Key value queried \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation Bloxstrap.exe -
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE 25 IoCs
Processes:
Wave Goodbye.exeWaveInstaller.exeWaveBootstrapper.exeWaveWindows.exeCefSharp.BrowserSubprocess.exeCefSharp.BrowserSubprocess.exenode.exeBloxstrap.exeMicrosoftEdgeWebview2Setup.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeCefSharp.BrowserSubprocess.exeCefSharp.BrowserSubprocess.exeMicrosoftEdge_X64_126.0.2592.81.exesetup.exesetup.exeMicrosoftEdgeUpdate.exepid process 5936 Wave Goodbye.exe 3644 WaveInstaller.exe 1436 WaveBootstrapper.exe 4648 WaveWindows.exe 1756 CefSharp.BrowserSubprocess.exe 732 CefSharp.BrowserSubprocess.exe 6116 node.exe 2488 Bloxstrap.exe 7240 MicrosoftEdgeWebview2Setup.exe 6972 MicrosoftEdgeUpdate.exe 6800 MicrosoftEdgeUpdate.exe 6720 MicrosoftEdgeUpdate.exe 6684 MicrosoftEdgeUpdateComRegisterShell64.exe 6680 MicrosoftEdgeUpdateComRegisterShell64.exe 6872 MicrosoftEdgeUpdateComRegisterShell64.exe 6788 MicrosoftEdgeUpdate.exe 6704 MicrosoftEdgeUpdate.exe 6664 MicrosoftEdgeUpdate.exe 6592 MicrosoftEdgeUpdate.exe 2356 CefSharp.BrowserSubprocess.exe 8204 CefSharp.BrowserSubprocess.exe 8900 MicrosoftEdge_X64_126.0.2592.81.exe 8836 setup.exe 5532 setup.exe 2660 MicrosoftEdgeUpdate.exe -
Loads dropped DLL 56 IoCs
Processes:
WaveBootstrapper.exeWaveWindows.exeCefSharp.BrowserSubprocess.exeCefSharp.BrowserSubprocess.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeCefSharp.BrowserSubprocess.exeCefSharp.BrowserSubprocess.exeMicrosoftEdgeUpdate.exepid process 1436 WaveBootstrapper.exe 4648 WaveWindows.exe 4648 WaveWindows.exe 4648 WaveWindows.exe 4648 WaveWindows.exe 4648 WaveWindows.exe 1756 CefSharp.BrowserSubprocess.exe 1756 CefSharp.BrowserSubprocess.exe 1756 CefSharp.BrowserSubprocess.exe 1756 CefSharp.BrowserSubprocess.exe 1756 CefSharp.BrowserSubprocess.exe 1756 CefSharp.BrowserSubprocess.exe 1756 CefSharp.BrowserSubprocess.exe 1756 CefSharp.BrowserSubprocess.exe 1756 CefSharp.BrowserSubprocess.exe 1756 CefSharp.BrowserSubprocess.exe 1756 CefSharp.BrowserSubprocess.exe 732 CefSharp.BrowserSubprocess.exe 732 CefSharp.BrowserSubprocess.exe 732 CefSharp.BrowserSubprocess.exe 732 CefSharp.BrowserSubprocess.exe 732 CefSharp.BrowserSubprocess.exe 732 CefSharp.BrowserSubprocess.exe 732 CefSharp.BrowserSubprocess.exe 4648 WaveWindows.exe 6972 MicrosoftEdgeUpdate.exe 6800 MicrosoftEdgeUpdate.exe 6720 MicrosoftEdgeUpdate.exe 6684 MicrosoftEdgeUpdateComRegisterShell64.exe 6720 MicrosoftEdgeUpdate.exe 6680 MicrosoftEdgeUpdateComRegisterShell64.exe 6720 MicrosoftEdgeUpdate.exe 6872 MicrosoftEdgeUpdateComRegisterShell64.exe 6720 MicrosoftEdgeUpdate.exe 6788 MicrosoftEdgeUpdate.exe 6704 MicrosoftEdgeUpdate.exe 6664 MicrosoftEdgeUpdate.exe 6664 MicrosoftEdgeUpdate.exe 6704 MicrosoftEdgeUpdate.exe 6592 MicrosoftEdgeUpdate.exe 2356 CefSharp.BrowserSubprocess.exe 2356 CefSharp.BrowserSubprocess.exe 2356 CefSharp.BrowserSubprocess.exe 2356 CefSharp.BrowserSubprocess.exe 2356 CefSharp.BrowserSubprocess.exe 2356 CefSharp.BrowserSubprocess.exe 2356 CefSharp.BrowserSubprocess.exe 8204 CefSharp.BrowserSubprocess.exe 8204 CefSharp.BrowserSubprocess.exe 8204 CefSharp.BrowserSubprocess.exe 8204 CefSharp.BrowserSubprocess.exe 8204 CefSharp.BrowserSubprocess.exe 8204 CefSharp.BrowserSubprocess.exe 8204 CefSharp.BrowserSubprocess.exe 8204 CefSharp.BrowserSubprocess.exe 2660 MicrosoftEdgeUpdate.exe -
Processes:
resource yara_rule C:\Users\Admin\Downloads\Unconfirmed 657365.crdownload themida behavioral1/memory/5936-92-0x0000000140000000-0x0000000140F65000-memory.dmp themida behavioral1/memory/5936-96-0x0000000140000000-0x0000000140F65000-memory.dmp themida behavioral1/memory/5936-93-0x0000000140000000-0x0000000140F65000-memory.dmp themida behavioral1/memory/5936-94-0x0000000140000000-0x0000000140F65000-memory.dmp themida behavioral1/memory/5936-95-0x0000000140000000-0x0000000140F65000-memory.dmp themida behavioral1/memory/5936-97-0x0000000140000000-0x0000000140F65000-memory.dmp themida behavioral1/memory/5936-111-0x0000000140000000-0x0000000140F65000-memory.dmp themida behavioral1/memory/5936-187-0x0000000140000000-0x0000000140F65000-memory.dmp themida behavioral1/memory/5936-210-0x0000000140000000-0x0000000140F65000-memory.dmp themida behavioral1/memory/5936-211-0x0000000140000000-0x0000000140F65000-memory.dmp themida behavioral1/memory/5936-298-0x0000000140000000-0x0000000140F65000-memory.dmp themida behavioral1/memory/5936-348-0x0000000140000000-0x0000000140F65000-memory.dmp themida behavioral1/memory/5936-367-0x0000000140000000-0x0000000140F65000-memory.dmp themida behavioral1/memory/5936-390-0x0000000140000000-0x0000000140F65000-memory.dmp themida behavioral1/memory/5936-391-0x0000000140000000-0x0000000140F65000-memory.dmp themida behavioral1/memory/5936-392-0x0000000140000000-0x0000000140F65000-memory.dmp themida behavioral1/memory/5936-397-0x0000000140000000-0x0000000140F65000-memory.dmp themida behavioral1/memory/5936-407-0x0000000140000000-0x0000000140F65000-memory.dmp themida behavioral1/memory/5936-417-0x0000000140000000-0x0000000140F65000-memory.dmp themida behavioral1/memory/5936-418-0x0000000140000000-0x0000000140F65000-memory.dmp themida behavioral1/memory/5936-419-0x0000000140000000-0x0000000140F65000-memory.dmp themida behavioral1/memory/5936-420-0x0000000140000000-0x0000000140F65000-memory.dmp themida behavioral1/memory/5936-424-0x0000000140000000-0x0000000140F65000-memory.dmp themida behavioral1/memory/5936-661-0x0000000140000000-0x0000000140F65000-memory.dmp themida behavioral1/memory/5936-738-0x0000000140000000-0x0000000140F65000-memory.dmp themida behavioral1/memory/5936-743-0x0000000140000000-0x0000000140F65000-memory.dmp themida behavioral1/memory/5936-1285-0x0000000140000000-0x0000000140F65000-memory.dmp themida behavioral1/memory/5936-7771-0x0000000140000000-0x0000000140F65000-memory.dmp themida behavioral1/memory/5936-7774-0x0000000140000000-0x0000000140F65000-memory.dmp themida behavioral1/memory/5936-7781-0x0000000140000000-0x0000000140F65000-memory.dmp themida behavioral1/memory/5936-7785-0x0000000140000000-0x0000000140F65000-memory.dmp themida behavioral1/memory/5936-7797-0x0000000140000000-0x0000000140F65000-memory.dmp themida behavioral1/memory/5936-7836-0x0000000140000000-0x0000000140F65000-memory.dmp themida behavioral1/memory/5936-7851-0x0000000140000000-0x0000000140F65000-memory.dmp themida behavioral1/memory/5936-7854-0x0000000140000000-0x0000000140F65000-memory.dmp themida behavioral1/memory/5936-7857-0x0000000140000000-0x0000000140F65000-memory.dmp themida -
Checks for any installed AV software in registry 1 TTPs 4 IoCs
Processes:
WaveWindows.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Software\KasperskyLab WaveWindows.exe Key created \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Software\KasperskyLab WaveWindows.exe Key value queried \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\KasperskyLab\LastUsername WaveWindows.exe Key value queried \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\KasperskyLab\Session WaveWindows.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Processes:
Wave Goodbye.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Wave Goodbye.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs
Processes:
flow ioc 16 raw.githubusercontent.com 133 raw.githubusercontent.com 146 raw.githubusercontent.com 147 raw.githubusercontent.com 148 raw.githubusercontent.com 149 raw.githubusercontent.com 17 raw.githubusercontent.com 67 discord.com 68 discord.com 134 raw.githubusercontent.com -
Checks system information in the registry 2 TTPs 10 IoCs
System information is often read in order to detect sandboxing environments.
Processes:
MicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exedescription ioc process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName MicrosoftEdgeUpdate.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName MicrosoftEdgeUpdate.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer MicrosoftEdgeUpdate.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName MicrosoftEdgeUpdate.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName MicrosoftEdgeUpdate.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer MicrosoftEdgeUpdate.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer MicrosoftEdgeUpdate.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer MicrosoftEdgeUpdate.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer MicrosoftEdgeUpdate.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName MicrosoftEdgeUpdate.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
Wave Goodbye.exepid process 5936 Wave Goodbye.exe -
Drops file in Program Files directory 64 IoCs
Processes:
setup.exeMicrosoftEdgeWebview2Setup.exeMicrosoftEdgeUpdate.exesetup.exedescription ioc process File created C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.81\Locales\lb.pak setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.81\msedgewebview2.exe setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.81\Trust Protection Lists\Mu\LICENSE setup.exe File created C:\Program Files (x86)\Microsoft\Temp\EUD310.tmp\MicrosoftEdgeUpdateOnDemand.exe MicrosoftEdgeWebview2Setup.exe File created C:\Program Files (x86)\Microsoft\Temp\EUD310.tmp\msedgeupdateres_en.dll MicrosoftEdgeWebview2Setup.exe File created C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe MicrosoftEdgeUpdate.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.81\Locales\nl.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.81\Locales\ml.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.81\Locales\ug.pak setup.exe File created C:\Program Files (x86)\Microsoft\Temp\EUD310.tmp\msedgeupdateres_ms.dll MicrosoftEdgeWebview2Setup.exe File created C:\Program Files (x86)\Microsoft\Temp\EUD310.tmp\msedgeupdateres_sr-Latn-RS.dll MicrosoftEdgeWebview2Setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.81\vccorlib140.dll setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.81\Extensions\external_extensions.json setup.exe File created C:\Program Files (x86)\Microsoft\Temp\EUD310.tmp\msedgeupdateres_mt.dll MicrosoftEdgeWebview2Setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.81\Locales\gu.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.81\Trust Protection Lists\Mu\Advertising setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.81\Trust Protection Lists\manifest.json setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.81\Locales\ca.pak setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.81\identity_proxy\beta.identity_helper.exe.manifest setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.81\Locales\kn.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.81\msedge.dll setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.81\Trust Protection Lists\Mu\Analytics setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.81\Locales\sq.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.81\identity_proxy\win10\identity_helper.Sparse.Internal.msix setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.81\VisualElements\SmallLogoBeta.png setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.81\Locales\es-419.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.81\Locales\sk.pak setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.81\identity_proxy\win10\identity_helper.Sparse.Stable.msix setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.81\mspdf.dll setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.81\Trust Protection Lists\manifest.json setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.81\show_third_party_software_licenses.bat setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.81\MEIPreload\preloaded_data.pb setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.81\Locales\gl.pak setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.81\Trust Protection Lists\Mu\CompatExceptions setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.81\libGLESv2.dll setup.exe File created C:\Program Files (x86)\Microsoft\Temp\EUD310.tmp\msedgeupdateres_quz.dll MicrosoftEdgeWebview2Setup.exe File opened for modification C:\Program Files\MsEdgeCrashpad\throttle_store.dat setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.81\Locales\hi.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.81\Trust Protection Lists\Sigma\Staging setup.exe File created C:\Program Files (x86)\Microsoft\Temp\EUD310.tmp\msedgeupdate.dll MicrosoftEdgeWebview2Setup.exe File created C:\Program Files (x86)\Microsoft\Temp\EUD310.tmp\msedgeupdateres_te.dll MicrosoftEdgeWebview2Setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.81\WidevineCdm\_platform_specific\win_x64\widevinecdm.dll setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.81\Locales\te.pak setup.exe File created C:\Program Files (x86)\Microsoft\Temp\EUD310.tmp\msedgeupdateres_ca-Es-VALENCIA.dll MicrosoftEdgeWebview2Setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.81\identity_proxy\win10\identity_helper.Sparse.Beta.msix setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.81\Locales\ar.pak setup.exe File created C:\Program Files (x86)\Microsoft\Temp\EUD310.tmp\msedgeupdateres_cs.dll MicrosoftEdgeWebview2Setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.81\identity_proxy\win11\identity_helper.Sparse.Beta.msix setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.81\Locales\hu.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.81\delegatedWebFeatures.sccd setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.81\VisualElements\SmallLogoDev.png setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.81\MEIPreload\preloaded_data.pb setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.81\Locales\km.pak setup.exe File created C:\Program Files (x86)\Microsoft\Temp\EUD310.tmp\msedgeupdateres_pt-PT.dll MicrosoftEdgeWebview2Setup.exe File created C:\Program Files (x86)\Microsoft\Temp\EUD310.tmp\msedgeupdateres_nn.dll MicrosoftEdgeWebview2Setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.81\Locales\he.pak setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.81\msedge.dll.sig setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.81\VisualElements\SmallLogoCanary.png setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.81\edge_feedback\camera_mf_trace.wprp setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.81\Locales\kn.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Temp\EUD310.tmp\MicrosoftEdgeUpdateSetup.exe MicrosoftEdgeWebview2Setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.81\dxil.dll setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.81\Locales\zh-TW.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.81\icudtl.dat setup.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
taskmgr.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 taskmgr.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
taskmgr.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 taskmgr.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString taskmgr.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
msedge.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Modifies data under HKEY_USERS 41 IoCs
Processes:
MicrosoftEdgeUpdate.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates MicrosoftEdgeUpdate.exe -
Modifies registry class 64 IoCs
Processes:
MicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeBloxstrap.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{195A2EB3-21EE-43CA-9F23-93C2C9934E2E}\ProxyStubClsid32 MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7584D24A-E056-4EB1-8E7B-632F2B0ADC69}\ProxyStubClsid32 MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{60355531-5BFD-45AB-942C-7912628752C7}\NumMethods\ = "24" MicrosoftEdgeUpdateComRegisterShell64.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{5F6A18BB-6231-424B-8242-19E5BB94F8ED}\VERSIONINDEPENDENTPROGID MicrosoftEdgeUpdate.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26} MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E4518371-7326-4865-87F8-D9D3F3B287A3}\ProxyStubClsid32\ = "{8B15189E-5465-4166-933D-1EABAD9648CB}" MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DDD4B5D4-FD54-497C-8789-0830F29A60EE}\ = "IGoogleUpdate3" MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{60355531-5BFD-45AB-942C-7912628752C7}\ProxyStubClsid32\ = "{8B15189E-5465-4166-933D-1EABAD9648CB}" MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.Update3WebMachine\CLSID\ = "{492E1C30-A1A2-4695-87C8-7A8CAD6F936F}" MicrosoftEdgeUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{60355531-5BFD-45AB-942C-7912628752C7}\ProxyStubClsid32 MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{99F8E195-1042-4F89-A28C-89CDB74A14AE}\ProxyStubClsid32\ = "{8B15189E-5465-4166-933D-1EABAD9648CB}" MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C20433B3-0D4B-49F6-9B6C-6EE0FAE07837}\NumMethods MicrosoftEdgeUpdateComRegisterShell64.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EA92A799-267E-4DF5-A6ED-6A7E0684BB8A} MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2E1DD7EF-C12D-4F8E-8AD8-CF8CC265BAD0}\ProgID\ = "MicrosoftEdgeUpdate.CoreMachineClass.1" MicrosoftEdgeUpdate.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{FF419FF9-90BE-4D9F-B410-A789F90E5A7C}\ELEVATION MicrosoftEdgeUpdate.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{2E1DD7EF-C12D-4F8E-8AD8-CF8CC265BAD0}\PROGID MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F7B3738C-9BCA-4B14-90B7-89D0F3A3E497}\ProxyStubClsid32\ = "{8B15189E-5465-4166-933D-1EABAD9648CB}" MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.Update3COMClassService\CurVer\ = "MicrosoftEdgeUpdate.Update3COMClassService.1.0" MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4F4A7E-977C-4E23-AD8F-626A491715DF}\ProxyStubClsid32\ = "{8B15189E-5465-4166-933D-1EABAD9648CB}" MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1B9063E4-3882-485E-8797-F28A0240782F}\NumMethods MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3A49F783-1C7D-4D35-8F63-5C1C206B9B6E}\NumMethods\ = "17" MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6DFFE7FE-3153-4AF1-95D8-F8FCCA97E56B} MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{492E1C30-A1A2-4695-87C8-7A8CAD6F936F}\ProgID MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{08D832B9-D2FD-481F-98CF-904D00DF63CC}\ = "Microsoft Edge Update Process Launcher Class" MicrosoftEdgeUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7B3B7A69-7D88-4847-A6BC-90E246A41F69}\ProxyStubClsid32 MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4F4A7E-977C-4E23-AD8F-626A491715DF}\ProxyStubClsid32 MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2603C88B-F971-4167-9DE1-871EE4A3DC84}\ProxyStubClsid32\ = "{8B15189E-5465-4166-933D-1EABAD9648CB}" MicrosoftEdgeUpdateComRegisterShell64.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{492E1C30-A1A2-4695-87C8-7A8CAD6F936F}\Elevation\Enabled = "1" MicrosoftEdgeUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5F9C80B5-9E50-43C9-887C-7C6412E110DF}\ProxyStubClsid32 MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4F4A7E-977C-4E23-AD8F-626A491715DF}\ProxyStubClsid32\ = "{8B15189E-5465-4166-933D-1EABAD9648CB}" MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{492E1C30-A1A2-4695-87C8-7A8CAD6F936F}\VersionIndependentProgID\ = "MicrosoftEdgeUpdate.Update3WebMachine" MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{177CAE89-4AD6-42F4-A458-00EC3389E3FE}\ProxyStubClsid32\ = "{8B15189E-5465-4166-933D-1EABAD9648CB}" MicrosoftEdgeUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FEA2518F-758F-4B95-A59F-97FCEEF1F5D0}\NumMethods MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FEA2518F-758F-4B95-A59F-97FCEEF1F5D0}\ProxyStubClsid32\ = "{8B15189E-5465-4166-933D-1EABAD9648CB}" MicrosoftEdgeUpdateComRegisterShell64.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D1E8B1A6-32CE-443C-8E2E-EBA90C481353}\Elevation\Enabled = "1" MicrosoftEdgeUpdate.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{492E1C30-A1A2-4695-87C8-7A8CAD6F936F}\ELEVATION MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1B9063E4-3882-485E-8797-F28A0240782F}\ProxyStubClsid32\ = "{8B15189E-5465-4166-933D-1EABAD9648CB}" MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A6B716CB-028B-404D-B72C-50E153DD68DA} MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FEA2518F-758F-4B95-A59F-97FCEEF1F5D0}\NumMethods\ = "16" MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C20433B3-0D4B-49F6-9B6C-6EE0FAE07837}\ProxyStubClsid32 MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4EE1FC-0A81-4F56-B0E2-248FB78051AF} MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\roblox-player\DefaultIcon Bloxstrap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7E29BE61-5809-443F-9B5D-CF22156694EB}\ = "IAppCommand2" MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1B9063E4-3882-485E-8797-F28A0240782F}\ProxyStubClsid32\ = "{8B15189E-5465-4166-933D-1EABAD9648CB}" MicrosoftEdgeUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8B15189E-5465-4166-933D-1EABAD9648CB}\InProcServer32 MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.171.39\\psmachine_64.dll" MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7584D24A-E056-4EB1-8E7B-632F2B0ADC69}\ = "IPolicyStatusValue" MicrosoftEdgeUpdateComRegisterShell64.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{2E1DD7EF-C12D-4F8E-8AD8-CF8CC265BAD0}\VERSIONINDEPENDENTPROGID MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.PolicyStatusSvc\CLSID\ = "{9F3F5F5D-721A-4B19-9B5D-69F664C1A591}" MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.OnDemandCOMClassMachine\CLSID\ = "{D1E8B1A6-32CE-443C-8E2E-EBA90C481353}" MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.PolicyStatusMachine\CLSID\ = "{B5977F34-9264-4AC3-9B31-1224827FF6E8}" MicrosoftEdgeUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B5977F34-9264-4AC3-9B31-1224827FF6E8}\LocalServer32 MicrosoftEdgeUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2EC826CB-5478-4533-9015-7580B3B5E03A} MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3A49F783-1C7D-4D35-8F63-5C1C206B9B6E}\NumMethods\ = "17" MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7E29BE61-5809-443F-9B5D-CF22156694EB}\ProxyStubClsid32 MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7B3B7A69-7D88-4847-A6BC-90E246A41F69} MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A6556DFF-AB15-4DC3-A890-AB54120BEAEC}\ProxyStubClsid32\ = "{8B15189E-5465-4166-933D-1EABAD9648CB}" MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2603C88B-F971-4167-9DE1-871EE4A3DC84}\ = "ICredentialDialog" MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FEA2518F-758F-4B95-A59F-97FCEEF1F5D0}\ProxyStubClsid32 MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A6556DFF-AB15-4DC3-A890-AB54120BEAEC}\ProxyStubClsid32\ = "{8B15189E-5465-4166-933D-1EABAD9648CB}" MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FEA2518F-758F-4B95-A59F-97FCEEF1F5D0}\ = "IPolicyStatus" MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4EE1FC-0A81-4F56-B0E2-248FB78051AF}\NumMethods MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{177CAE89-4AD6-42F4-A458-00EC3389E3FE} MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EA92A799-267E-4DF5-A6ED-6A7E0684BB8A}\ = "Microsoft Edge Update Update3Web" MicrosoftEdgeUpdate.exe -
Processes:
Wave Goodbye.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\144E3687B1ABF2C93D845118485A9E9E4407C93A Wave Goodbye.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\144E3687B1ABF2C93D845118485A9E9E4407C93A\Blob = 030000000100000014000000144e3687b1abf2c93d845118485a9e9e4407c93a2000000001000000b9050000308205b53082039da00302010202140c1f3dced2c83786458b8b3d31fdbfb6558aa8d3300d06092a864886f70d01010b0500306a310b30090603550406130255533113301106035504080c0a43616c69666f726e696131223020060355040a0c19476f6f676c65205472757374205365727669636573204c4c433122302006035504030c19476f6f676c65205472757374205365727669636573204c4c43301e170d3234303630343132313431385a170d3239303630343132313431385a306a310b30090603550406130255533113301106035504080c0a43616c69666f726e696131223020060355040a0c19476f6f676c65205472757374205365727669636573204c4c433122302006035504030c19476f6f676c65205472757374205365727669636573204c4c4330820222300d06092a864886f70d01010105000382020f003082020a0282020100d6b1e4c30f439b224fdad6d7f0686d1d2c05e728c325f8c1da9513002a40a83424bb47b782467f3077d13bb2f3b254f573d17b7817e595888c548b02e845f8a34c2dd1b385675a87ab87e8428b3c6c0bdd16a24ea10495480af3582e55316f9c0731ef7f3c4fd15015899655f5a2a45cc9fee0a92200c073d48f1e437190720766f19bffa8d59fffadd3525f523e31a6cfdd633708c2a195b61ec910b8c302c99ac42baee759e1be9def6b01b02accef28aa13a9335e5d05e03cfb97c4c5efc7cce1d0854fb0085dd191acd9445bd193a6768131c336da2ebff5fd1508e7b93db45c54ea495f6486ef7539f614b9ba8b51877e23f3ee35c7b3cf9eac34bdbb89c2851671a19ab19111dbe647b206e0a014d7a8dc8acfb4115ad5c1b949d033d328d68e3280d6b7da552e7913f76378f18bbd2ad97ba05d42f80626515b47eac6d9613768113a31462d6ce41eef081aa359e83f0d4f4648352fda4f31d0ff8d5072152fbbaa6f51839d215c482f7e14fc7c6d52430fc1c2922ec081ce64534318e0764ede4f3f619e6cecc68b97ebb2dba85d47250181d4c649f34540ebe60ab64d3eabae9001dc3fcd15d9027f4b3babe6efcc012821ba49da004cdb4d367f77faec3ef44dad14f36ca7847381dba54468bdb3797dbdb30ce9b1f2b3ea39a7c1985f3ae3f3ee4e1d699dc60b70ab3559d360b752ffe5867efa6025fa022f825d0203010001a3533051301d0603551d0e04160414259f70a24e8b332df0f8d98bd36ce93fabc894ab301f0603551d23041830168014259f70a24e8b332df0f8d98bd36ce93fabc894ab300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038202010020e5f289742cba5c4627793a8a2f0d14d59acbf92bb4f97cbdeaf80208fc6027fecb3f1e4bca7dddfabf486f12d0098816361eccb47f037001dc7c5d16124c0025fad0ab4d35dccb3a624dbe5c0e38fe60658abad9f572ecca5df3f774d5a5eb5dbb56406ece7bbce47fa74d40ff0ba3309a9f95e791f980cec44b9da29604835db786bbdf714ab712c6287fc4940ef7f0449f3029e940fe61b290c2cea73b783fbaa21ea4a8b3f6cfdcc63b9dbd6a8731964aab6383ec01eea8fbf142778eddf538b022aaa4ac101e33a196aaa6d11aeeeaa37dd4d8f5d6bfa42c8fb58cc7adb08f38502592084a51f2d1ebd356991c837072879b1240993bf4ad01adcb998860f8c4680d6d76f2c5c68afe5de757deab7877bb287eb60fc46392a8113cd45a094b88101ec0d0c5d34dc4d3b4870567188aeb1f8df2c26fd5d12667575c71ea1bf272e424af711170b617ec3a5ce1a0db9a208b31b3b1048b61267b16d5287ee575d5b293988879775eee5d4392aa8f8eb3b39f91203a40990fd4d84c9965acd373bea5e44fa38491c08ac7c0bf6daa246b2b618b12a1756ff12ef401b7d38cdc6bfb0b5ecb7c89f113bf13c827a854492f65e4ee6c9e70fae22dcce01aec83294ba3ed620ab9ca681d6bb71bb4d397ba744d22912bca79aee83287e49593914e0001d4006acc74cdc83da2160f1deb7ac0fe5046c557771eefb82a4758929d Wave Goodbye.exe -
NTFS ADS 2 IoCs
Processes:
msedge.exedescription ioc process File opened for modification C:\Users\Admin\Downloads\Unconfirmed 657365.crdownload:SmartScreen msedge.exe File opened for modification C:\Users\Admin\Downloads\Unconfirmed 317070.crdownload:SmartScreen msedge.exe -
Suspicious behavior: EnumeratesProcesses 53 IoCs
Processes:
msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exemsedge.exetaskmgr.exemsedge.exeWaveWindows.exeCefSharp.BrowserSubprocess.exeCefSharp.BrowserSubprocess.exeMicrosoftEdgeUpdate.exeCefSharp.BrowserSubprocess.exeCefSharp.BrowserSubprocess.exeBloxstrap.exepid process 3168 msedge.exe 3168 msedge.exe 2064 msedge.exe 2064 msedge.exe 1132 identity_helper.exe 1132 identity_helper.exe 5836 msedge.exe 5836 msedge.exe 3904 msedge.exe 3904 msedge.exe 4056 msedge.exe 4056 msedge.exe 3220 taskmgr.exe 3220 taskmgr.exe 3220 taskmgr.exe 3220 taskmgr.exe 3220 taskmgr.exe 3220 taskmgr.exe 3220 taskmgr.exe 3220 taskmgr.exe 3220 taskmgr.exe 3220 taskmgr.exe 3220 taskmgr.exe 3220 taskmgr.exe 3220 taskmgr.exe 3220 taskmgr.exe 3220 taskmgr.exe 3220 taskmgr.exe 6088 msedge.exe 6088 msedge.exe 6088 msedge.exe 6088 msedge.exe 4648 WaveWindows.exe 4648 WaveWindows.exe 1756 CefSharp.BrowserSubprocess.exe 1756 CefSharp.BrowserSubprocess.exe 732 CefSharp.BrowserSubprocess.exe 732 CefSharp.BrowserSubprocess.exe 4648 WaveWindows.exe 6972 MicrosoftEdgeUpdate.exe 6972 MicrosoftEdgeUpdate.exe 2356 CefSharp.BrowserSubprocess.exe 2356 CefSharp.BrowserSubprocess.exe 8204 CefSharp.BrowserSubprocess.exe 8204 CefSharp.BrowserSubprocess.exe 8204 CefSharp.BrowserSubprocess.exe 8204 CefSharp.BrowserSubprocess.exe 6972 MicrosoftEdgeUpdate.exe 6972 MicrosoftEdgeUpdate.exe 6972 MicrosoftEdgeUpdate.exe 6972 MicrosoftEdgeUpdate.exe 2488 Bloxstrap.exe 2488 Bloxstrap.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs
Processes:
msedge.exepid process 2064 msedge.exe 2064 msedge.exe 2064 msedge.exe 2064 msedge.exe 2064 msedge.exe 2064 msedge.exe 2064 msedge.exe 2064 msedge.exe 2064 msedge.exe 2064 msedge.exe 2064 msedge.exe 2064 msedge.exe 2064 msedge.exe 2064 msedge.exe 2064 msedge.exe 2064 msedge.exe 2064 msedge.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
WaveInstaller.exetaskmgr.exeWaveBootstrapper.exeWaveWindows.exeCefSharp.BrowserSubprocess.exeCefSharp.BrowserSubprocess.exedescription pid process Token: SeDebugPrivilege 3644 WaveInstaller.exe Token: SeDebugPrivilege 3220 taskmgr.exe Token: SeSystemProfilePrivilege 3220 taskmgr.exe Token: SeCreateGlobalPrivilege 3220 taskmgr.exe Token: 33 3220 taskmgr.exe Token: SeIncBasePriorityPrivilege 3220 taskmgr.exe Token: SeDebugPrivilege 1436 WaveBootstrapper.exe Token: SeDebugPrivilege 4648 WaveWindows.exe Token: SeDebugPrivilege 1756 CefSharp.BrowserSubprocess.exe Token: SeDebugPrivilege 732 CefSharp.BrowserSubprocess.exe Token: SeShutdownPrivilege 4648 WaveWindows.exe Token: SeCreatePagefilePrivilege 4648 WaveWindows.exe Token: SeShutdownPrivilege 4648 WaveWindows.exe Token: SeCreatePagefilePrivilege 4648 WaveWindows.exe Token: SeShutdownPrivilege 4648 WaveWindows.exe Token: SeCreatePagefilePrivilege 4648 WaveWindows.exe Token: SeShutdownPrivilege 4648 WaveWindows.exe Token: SeCreatePagefilePrivilege 4648 WaveWindows.exe Token: SeShutdownPrivilege 4648 WaveWindows.exe Token: SeCreatePagefilePrivilege 4648 WaveWindows.exe Token: SeShutdownPrivilege 4648 WaveWindows.exe Token: SeCreatePagefilePrivilege 4648 WaveWindows.exe Token: SeShutdownPrivilege 4648 WaveWindows.exe Token: SeCreatePagefilePrivilege 4648 WaveWindows.exe Token: SeShutdownPrivilege 4648 WaveWindows.exe Token: SeCreatePagefilePrivilege 4648 WaveWindows.exe Token: SeShutdownPrivilege 4648 WaveWindows.exe Token: SeCreatePagefilePrivilege 4648 WaveWindows.exe Token: SeShutdownPrivilege 4648 WaveWindows.exe Token: SeCreatePagefilePrivilege 4648 WaveWindows.exe Token: SeShutdownPrivilege 4648 WaveWindows.exe Token: SeCreatePagefilePrivilege 4648 WaveWindows.exe Token: SeShutdownPrivilege 4648 WaveWindows.exe Token: SeCreatePagefilePrivilege 4648 WaveWindows.exe Token: SeShutdownPrivilege 4648 WaveWindows.exe Token: SeCreatePagefilePrivilege 4648 WaveWindows.exe Token: SeShutdownPrivilege 4648 WaveWindows.exe Token: SeCreatePagefilePrivilege 4648 WaveWindows.exe Token: SeShutdownPrivilege 4648 WaveWindows.exe Token: SeCreatePagefilePrivilege 4648 WaveWindows.exe Token: SeShutdownPrivilege 4648 WaveWindows.exe Token: SeCreatePagefilePrivilege 4648 WaveWindows.exe Token: SeShutdownPrivilege 4648 WaveWindows.exe Token: SeCreatePagefilePrivilege 4648 WaveWindows.exe Token: SeShutdownPrivilege 4648 WaveWindows.exe Token: SeCreatePagefilePrivilege 4648 WaveWindows.exe Token: SeShutdownPrivilege 4648 WaveWindows.exe Token: SeCreatePagefilePrivilege 4648 WaveWindows.exe Token: SeShutdownPrivilege 4648 WaveWindows.exe Token: SeCreatePagefilePrivilege 4648 WaveWindows.exe Token: SeShutdownPrivilege 4648 WaveWindows.exe Token: SeCreatePagefilePrivilege 4648 WaveWindows.exe Token: SeShutdownPrivilege 4648 WaveWindows.exe Token: SeCreatePagefilePrivilege 4648 WaveWindows.exe Token: SeShutdownPrivilege 4648 WaveWindows.exe Token: SeCreatePagefilePrivilege 4648 WaveWindows.exe Token: SeShutdownPrivilege 4648 WaveWindows.exe Token: SeCreatePagefilePrivilege 4648 WaveWindows.exe Token: SeShutdownPrivilege 4648 WaveWindows.exe Token: SeCreatePagefilePrivilege 4648 WaveWindows.exe Token: SeShutdownPrivilege 4648 WaveWindows.exe Token: SeCreatePagefilePrivilege 4648 WaveWindows.exe Token: SeShutdownPrivilege 4648 WaveWindows.exe Token: SeCreatePagefilePrivilege 4648 WaveWindows.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
msedge.exetaskmgr.exepid process 2064 msedge.exe 2064 msedge.exe 2064 msedge.exe 2064 msedge.exe 2064 msedge.exe 2064 msedge.exe 2064 msedge.exe 2064 msedge.exe 2064 msedge.exe 2064 msedge.exe 2064 msedge.exe 2064 msedge.exe 2064 msedge.exe 2064 msedge.exe 2064 msedge.exe 2064 msedge.exe 2064 msedge.exe 2064 msedge.exe 2064 msedge.exe 2064 msedge.exe 2064 msedge.exe 2064 msedge.exe 2064 msedge.exe 2064 msedge.exe 2064 msedge.exe 2064 msedge.exe 2064 msedge.exe 2064 msedge.exe 2064 msedge.exe 2064 msedge.exe 2064 msedge.exe 2064 msedge.exe 2064 msedge.exe 2064 msedge.exe 2064 msedge.exe 2064 msedge.exe 2064 msedge.exe 2064 msedge.exe 2064 msedge.exe 2064 msedge.exe 2064 msedge.exe 2064 msedge.exe 2064 msedge.exe 2064 msedge.exe 2064 msedge.exe 2064 msedge.exe 2064 msedge.exe 2064 msedge.exe 2064 msedge.exe 2064 msedge.exe 2064 msedge.exe 2064 msedge.exe 2064 msedge.exe 2064 msedge.exe 2064 msedge.exe 3220 taskmgr.exe 3220 taskmgr.exe 3220 taskmgr.exe 3220 taskmgr.exe 3220 taskmgr.exe 3220 taskmgr.exe 3220 taskmgr.exe 3220 taskmgr.exe 3220 taskmgr.exe -
Suspicious use of SendNotifyMessage 64 IoCs
Processes:
msedge.exetaskmgr.exepid process 2064 msedge.exe 2064 msedge.exe 2064 msedge.exe 2064 msedge.exe 2064 msedge.exe 2064 msedge.exe 2064 msedge.exe 2064 msedge.exe 2064 msedge.exe 2064 msedge.exe 2064 msedge.exe 2064 msedge.exe 2064 msedge.exe 2064 msedge.exe 2064 msedge.exe 2064 msedge.exe 2064 msedge.exe 2064 msedge.exe 2064 msedge.exe 2064 msedge.exe 2064 msedge.exe 2064 msedge.exe 2064 msedge.exe 2064 msedge.exe 2064 msedge.exe 2064 msedge.exe 2064 msedge.exe 2064 msedge.exe 2064 msedge.exe 2064 msedge.exe 2064 msedge.exe 2064 msedge.exe 3220 taskmgr.exe 3220 taskmgr.exe 3220 taskmgr.exe 3220 taskmgr.exe 3220 taskmgr.exe 3220 taskmgr.exe 3220 taskmgr.exe 3220 taskmgr.exe 3220 taskmgr.exe 3220 taskmgr.exe 3220 taskmgr.exe 3220 taskmgr.exe 3220 taskmgr.exe 3220 taskmgr.exe 3220 taskmgr.exe 3220 taskmgr.exe 3220 taskmgr.exe 3220 taskmgr.exe 3220 taskmgr.exe 3220 taskmgr.exe 3220 taskmgr.exe 3220 taskmgr.exe 3220 taskmgr.exe 3220 taskmgr.exe 3220 taskmgr.exe 3220 taskmgr.exe 3220 taskmgr.exe 3220 taskmgr.exe 3220 taskmgr.exe 3220 taskmgr.exe 3220 taskmgr.exe 3220 taskmgr.exe -
Suspicious use of SetWindowsHookEx 9 IoCs
Processes:
Wave Goodbye.exenode.exeBloxstrap.exeMicrosoftEdgeWebview2Setup.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exepid process 5936 Wave Goodbye.exe 6116 node.exe 2488 Bloxstrap.exe 7240 MicrosoftEdgeWebview2Setup.exe 6972 MicrosoftEdgeUpdate.exe 6800 MicrosoftEdgeUpdate.exe 6720 MicrosoftEdgeUpdate.exe 6788 MicrosoftEdgeUpdate.exe 6704 MicrosoftEdgeUpdate.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
msedge.exedescription pid process target process PID 2064 wrote to memory of 4904 2064 msedge.exe msedge.exe PID 2064 wrote to memory of 4904 2064 msedge.exe msedge.exe PID 2064 wrote to memory of 1072 2064 msedge.exe msedge.exe PID 2064 wrote to memory of 1072 2064 msedge.exe msedge.exe PID 2064 wrote to memory of 1072 2064 msedge.exe msedge.exe PID 2064 wrote to memory of 1072 2064 msedge.exe msedge.exe PID 2064 wrote to memory of 1072 2064 msedge.exe msedge.exe PID 2064 wrote to memory of 1072 2064 msedge.exe msedge.exe PID 2064 wrote to memory of 1072 2064 msedge.exe msedge.exe PID 2064 wrote to memory of 1072 2064 msedge.exe msedge.exe PID 2064 wrote to memory of 1072 2064 msedge.exe msedge.exe PID 2064 wrote to memory of 1072 2064 msedge.exe msedge.exe PID 2064 wrote to memory of 1072 2064 msedge.exe msedge.exe PID 2064 wrote to memory of 1072 2064 msedge.exe msedge.exe PID 2064 wrote to memory of 1072 2064 msedge.exe msedge.exe PID 2064 wrote to memory of 1072 2064 msedge.exe msedge.exe PID 2064 wrote to memory of 1072 2064 msedge.exe msedge.exe PID 2064 wrote to memory of 1072 2064 msedge.exe msedge.exe PID 2064 wrote to memory of 1072 2064 msedge.exe msedge.exe PID 2064 wrote to memory of 1072 2064 msedge.exe msedge.exe PID 2064 wrote to memory of 1072 2064 msedge.exe msedge.exe PID 2064 wrote to memory of 1072 2064 msedge.exe msedge.exe PID 2064 wrote to memory of 1072 2064 msedge.exe msedge.exe PID 2064 wrote to memory of 1072 2064 msedge.exe msedge.exe PID 2064 wrote to memory of 1072 2064 msedge.exe msedge.exe PID 2064 wrote to memory of 1072 2064 msedge.exe msedge.exe PID 2064 wrote to memory of 1072 2064 msedge.exe msedge.exe PID 2064 wrote to memory of 1072 2064 msedge.exe msedge.exe PID 2064 wrote to memory of 1072 2064 msedge.exe msedge.exe PID 2064 wrote to memory of 1072 2064 msedge.exe msedge.exe PID 2064 wrote to memory of 1072 2064 msedge.exe msedge.exe PID 2064 wrote to memory of 1072 2064 msedge.exe msedge.exe PID 2064 wrote to memory of 1072 2064 msedge.exe msedge.exe PID 2064 wrote to memory of 1072 2064 msedge.exe msedge.exe PID 2064 wrote to memory of 1072 2064 msedge.exe msedge.exe PID 2064 wrote to memory of 1072 2064 msedge.exe msedge.exe PID 2064 wrote to memory of 1072 2064 msedge.exe msedge.exe PID 2064 wrote to memory of 1072 2064 msedge.exe msedge.exe PID 2064 wrote to memory of 1072 2064 msedge.exe msedge.exe PID 2064 wrote to memory of 1072 2064 msedge.exe msedge.exe PID 2064 wrote to memory of 1072 2064 msedge.exe msedge.exe PID 2064 wrote to memory of 1072 2064 msedge.exe msedge.exe PID 2064 wrote to memory of 3168 2064 msedge.exe msedge.exe PID 2064 wrote to memory of 3168 2064 msedge.exe msedge.exe PID 2064 wrote to memory of 3528 2064 msedge.exe msedge.exe PID 2064 wrote to memory of 3528 2064 msedge.exe msedge.exe PID 2064 wrote to memory of 3528 2064 msedge.exe msedge.exe PID 2064 wrote to memory of 3528 2064 msedge.exe msedge.exe PID 2064 wrote to memory of 3528 2064 msedge.exe msedge.exe PID 2064 wrote to memory of 3528 2064 msedge.exe msedge.exe PID 2064 wrote to memory of 3528 2064 msedge.exe msedge.exe PID 2064 wrote to memory of 3528 2064 msedge.exe msedge.exe PID 2064 wrote to memory of 3528 2064 msedge.exe msedge.exe PID 2064 wrote to memory of 3528 2064 msedge.exe msedge.exe PID 2064 wrote to memory of 3528 2064 msedge.exe msedge.exe PID 2064 wrote to memory of 3528 2064 msedge.exe msedge.exe PID 2064 wrote to memory of 3528 2064 msedge.exe msedge.exe PID 2064 wrote to memory of 3528 2064 msedge.exe msedge.exe PID 2064 wrote to memory of 3528 2064 msedge.exe msedge.exe PID 2064 wrote to memory of 3528 2064 msedge.exe msedge.exe PID 2064 wrote to memory of 3528 2064 msedge.exe msedge.exe PID 2064 wrote to memory of 3528 2064 msedge.exe msedge.exe PID 2064 wrote to memory of 3528 2064 msedge.exe msedge.exe PID 2064 wrote to memory of 3528 2064 msedge.exe msedge.exe
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/IHaxU/Wave-Goodbye/raw/main/Wave%20Goodbye.exe1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa974146f8,0x7ffa97414708,0x7ffa974147182⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,14613104516459868979,13714184618509368485,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,14613104516459868979,13714184618509368485,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2396 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,14613104516459868979,13714184618509368485,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2756 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,14613104516459868979,13714184618509368485,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,14613104516459868979,13714184618509368485,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,14613104516459868979,13714184618509368485,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4100 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,14613104516459868979,13714184618509368485,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4100 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,14613104516459868979,13714184618509368485,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4112 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,14613104516459868979,13714184618509368485,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2112,14613104516459868979,13714184618509368485,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4740 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,14613104516459868979,13714184618509368485,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,14613104516459868979,13714184618509368485,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,14613104516459868979,13714184618509368485,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5572 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,14613104516459868979,13714184618509368485,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6096 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2112,14613104516459868979,13714184618509368485,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5840 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,14613104516459868979,13714184618509368485,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6420 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2112,14613104516459868979,13714184618509368485,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6408 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Downloads\Wave Goodbye.exe"C:\Users\Admin\Downloads\Wave Goodbye.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Drops file in Drivers directory
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/6NNYUEXAR23⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa974146f8,0x7ffa97414708,0x7ffa974147184⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,14613104516459868979,13714184618509368485,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4144 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,14613104516459868979,13714184618509368485,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1312 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2112,14613104516459868979,13714184618509368485,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6864 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2112,14613104516459868979,13714184618509368485,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6884 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,14613104516459868979,13714184618509368485,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7060 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,14613104516459868979,13714184618509368485,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4592 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,14613104516459868979,13714184618509368485,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6928 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,14613104516459868979,13714184618509368485,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2124 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,14613104516459868979,13714184618509368485,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3088 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,14613104516459868979,13714184618509368485,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6944 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2112,14613104516459868979,13714184618509368485,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5480 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2112,14613104516459868979,13714184618509368485,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5968 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Downloads\WaveInstaller.exe"C:\Users\Admin\Downloads\WaveInstaller.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Wave\WaveBootstrapper.exe"C:\Users\Admin\AppData\Local\Wave\WaveBootstrapper.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Wave\WaveWindows.exe"C:\Users\Admin\AppData\Local\Wave\WaveWindows.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks for any installed AV software in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\CefSharp\CefSharp.BrowserSubprocess.exe"C:\Users\Admin\AppData\Local\CefSharp\CefSharp.BrowserSubprocess.exe" --type=gpu-process --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\CefSharp\locales" --resources-dir-path="C:\Users\Admin\AppData\Local\CefSharp" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CefSharp" --cefsharpexitsub --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2004,i,11425767256193113491,7291109753556968533,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI --variations-seed-version --enable-logging=handle --log-file=2008 --mojo-platform-channel-handle=1996 /prefetch:2 --host-process-id=46485⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Luau Language Server\node.exe"C:\Users\Admin\AppData\Local\Luau Language Server\node.exe" server --process-id=46485⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\CefSharp\CefSharp.BrowserSubprocess.exe"C:\Users\Admin\AppData\Local\CefSharp\CefSharp.BrowserSubprocess.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\CefSharp\locales" --resources-dir-path="C:\Users\Admin\AppData\Local\CefSharp" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CefSharp" --cefsharpexitsub --field-trial-handle=2812,i,11425767256193113491,7291109753556968533,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI --variations-seed-version --enable-logging=handle --log-file=2816 --mojo-platform-channel-handle=2808 /prefetch:3 --host-process-id=46485⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Bloxstrap\Bloxstrap.exe"C:\Users\Admin\AppData\Local\Bloxstrap\Bloxstrap.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-1088f3c8e4a44cc7\WebView2RuntimeInstaller\MicrosoftEdgeWebview2Setup.exe"C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-1088f3c8e4a44cc7\WebView2RuntimeInstaller\MicrosoftEdgeWebview2Setup.exe" /silent /install6⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Microsoft\Temp\EUD310.tmp\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\Temp\EUD310.tmp\MicrosoftEdgeUpdate.exe" /silent /install "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers"7⤵
- Event Triggered Execution: Image File Execution Options Injection
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regsvc8⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver8⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe"9⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe"9⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe"9⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzEuMzkiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzEuMzkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RkEyMUMzMjEtRjcxNC00RTZFLUI4OTktRDkyOURENjQzNUY4fSIgdXNlcmlkPSJ7QUYyOTY4RjQtMDY4OC00MjE4LUEwMDItNDZGRjdFNkIyREFGfSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9IntCODA1QTFEOC1DQUMzLTQxQzktOTg4QS05QTc2ODEyM0FCQTd9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7cjQ1MnQxK2syVGdxL0hYemp2Rk5CUmhvcEJXUjlzYmpYeHFlVURIOXVYMD0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7RjNDNEZFMDAtRUZENS00MDNCLTk1NjktMzk4QTIwRjFCQTRBfSIgdmVyc2lvbj0iMS4zLjE0Ny4zNyIgbmV4dHZlcnNpb249IjEuMy4xNzEuMzkiIGxhbmc9IiIgYnJhbmQ9IiIgY2xpZW50PSIiPjxldmVudCBldmVudHR5cGU9IjIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjY4OTQ4MjU3NTQiIGluc3RhbGxfdGltZV9tcz0iNDkxIi8-PC9hcHA-PC9yZXF1ZXN0Pg8⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /handoff "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers" /installsource otherinstallcmd /sessionid "{FA21C321-F714-4E6E-B899-D929DD6435F8}" /silent8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\CefSharp\CefSharp.BrowserSubprocess.exe"C:\Users\Admin\AppData\Local\CefSharp\CefSharp.BrowserSubprocess.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\CefSharp\locales" --resources-dir-path="C:\Users\Admin\AppData\Local\CefSharp" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CefSharp" --cefsharpexitsub --field-trial-handle=4152,i,11425767256193113491,7291109753556968533,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI --variations-seed-version --enable-logging=handle --log-file=4156 --mojo-platform-channel-handle=4160 /prefetch:8 --host-process-id=46485⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\CefSharp\CefSharp.BrowserSubprocess.exe"C:\Users\Admin\AppData\Local\CefSharp\CefSharp.BrowserSubprocess.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\CefSharp\locales" --resources-dir-path="C:\Users\Admin\AppData\Local\CefSharp" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CefSharp" --cefsharpexitsub --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4168,i,11425767256193113491,7291109753556968533,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI --variations-seed-version --enable-logging=handle --log-file=2296 --mojo-platform-channel-handle=4476 /prefetch:8 --host-process-id=46485⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,14613104516459868979,13714184618509368485,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6268 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
- Modifies data under HKEY_USERS
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzEuMzkiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzEuMzkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RkEyMUMzMjEtRjcxNC00RTZFLUI4OTktRDkyOURENjQzNUY4fSIgdXNlcmlkPSJ7QUYyOTY4RjQtMDY4OC00MjE4LUEwMDItNDZGRjdFNkIyREFGfSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9Ins4RkU5RTUyNi0wM0M1LTQ3MEYtOTA2OS0zQ0YzQTZBQ0Y2QTN9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7cjQ1MnQxK2syVGdxL0hYemp2Rk5CUmhvcEJXUjlzYmpYeHFlVURIOXVYMD0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7OEE2OUQzNDUtRDU2NC00NjNjLUFGRjEtQTY5RDlFNTMwRjk2fSIgdmVyc2lvbj0iMTEwLjAuNTQ4MS4xMDQiIG5leHR2ZXJzaW9uPSIxMTAuMC41NDgxLjEwNCIgbGFuZz0iZW4iIGJyYW5kPSJHR0xTIiBjbGllbnQ9IiI-PGV2ZW50IGV2ZW50dHlwZT0iMzEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjUiIHN5c3RlbV91cHRpbWVfdGlja3M9IjY4OTkwMjU1NDMiLz48L2FwcD48L3JlcXVlc3Q-2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{0E704DD4-1803-4DC8-A5C9-0F990280C2CB}\MicrosoftEdge_X64_126.0.2592.81.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{0E704DD4-1803-4DC8-A5C9-0F990280C2CB}\MicrosoftEdge_X64_126.0.2592.81.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level2⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{0E704DD4-1803-4DC8-A5C9-0F990280C2CB}\EDGEMITMP_355F3.tmp\setup.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{0E704DD4-1803-4DC8-A5C9-0F990280C2CB}\EDGEMITMP_355F3.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{0E704DD4-1803-4DC8-A5C9-0F990280C2CB}\MicrosoftEdge_X64_126.0.2592.81.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level3⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{0E704DD4-1803-4DC8-A5C9-0F990280C2CB}\EDGEMITMP_355F3.tmp\setup.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{0E704DD4-1803-4DC8-A5C9-0F990280C2CB}\EDGEMITMP_355F3.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=126.0.6478.127 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{0E704DD4-1803-4DC8-A5C9-0F990280C2CB}\EDGEMITMP_355F3.tmp\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=126.0.2592.81 --initial-client-data=0x22c,0x230,0x234,0x208,0x238,0x7ff64c1daa40,0x7ff64c1daa4c,0x7ff64c1daa584⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzEuMzkiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzEuMzkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RkEyMUMzMjEtRjcxNC00RTZFLUI4OTktRDkyOURENjQzNUY4fSIgdXNlcmlkPSJ7QUYyOTY4RjQtMDY4OC00MjE4LUEwMDItNDZGRjdFNkIyREFGfSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9IntGMjkyM0I1MS03NjJBLTQ4NkYtODZENy01RkZBN0QwODUxNjZ9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7VlBRb1AxRitmcTE1d1J6aDFrUEw0UE1wV2g4T1JNQjVpenZyT0MvY2hqUT0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7RjMwMTcyMjYtRkUyQS00Mjk1LThCREYtMDBDM0E5QTdFNEM1fSIgdmVyc2lvbj0iIiBuZXh0dmVyc2lvbj0iMTI2LjAuMjU5Mi44MSIgbGFuZz0iIiBicmFuZD0iIiBjbGllbnQ9IiIgZXhwZXJpbWVudHM9ImNvbnNlbnQ9ZmFsc2UiIGluc3RhbGxhZ2U9Ii0xIiBpbnN0YWxsZGF0ZT0iLTEiPjx1cGRhdGVjaGVjay8-PGV2ZW50IGV2ZW50dHlwZT0iOSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNjkxODM1NTc5NCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjUiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjY5MTg0OTU3MzciIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI4MDk5Njk3NzcxIiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIiBkb3dubG9hZGVyPSJiaXRzIiB1cmw9Imh0dHA6Ly9tc2VkZ2UuZi50bHUuZGwuZGVsaXZlcnkubXAubWljcm9zb2Z0LmNvbS9maWxlc3RyZWFtaW5nc2VydmljZS9maWxlcy8xMTEwYmY2My1jNmNlLTQ3MTQtOTY5Yi1iMzAyOGI0NDFjNDc_UDE9MTcyMDMxMDE5NyZhbXA7UDI9NDA0JmFtcDtQMz0yJmFtcDtQND1NVVphZmJQM1dCTERPMjFZWlIlMmJ3VEVQSFdtV1clMmJ5WGtoSVNWcG51OEZaS1dtR1FBNmo0c1NQaWVqOU1oTndkSTVmelUyb2U2MmptN2c5Z0xVS1NSQkElM2QlM2QiIHNlcnZlcl9pcF9oaW50PSIiIGNkbl9jaWQ9Ii0xIiBjZG5fY2NjPSIiIGNkbl9tc2VkZ2VfcmVmPSIiIGNkbl9henVyZV9yZWZfb3JpZ2luX3NoaWVsZD0iIiBjZG5fY2FjaGU9IiIgY2RuX3AzcD0iIiBkb3dubG9hZGVkPSIxNzMwODIxNjgiIHRvdGFsPSIxNzMwODIxNjgiIGRvd25sb2FkX3RpbWVfbXM9IjExMTc3MCIvPjxldmVudCBldmVudHR5cGU9IjEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjgwOTk4MDU4MDEiIHNvdXJjZV91cmxfaW5kZXg9IjAiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSI2IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI4MTE0MDg1OTYxIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMTk2NzU3IiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI4NTU0NTM1NTMyIiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIiB1cGRhdGVfY2hlY2tfdGltZV9tcz0iODc4IiBkb3dubG9hZF90aW1lX21zPSIxMTgxMTQiIGRvd25sb2FkZWQ9IjE3MzA4MjE2OCIgdG90YWw9IjE3MzA4MjE2OCIgcGFja2FnZV9jYWNoZV9yZXN1bHQ9IjAiIGluc3RhbGxfdGltZV9tcz0iNDQwNDIiLz48L2FwcD48L3JlcXVlc3Q-2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Event Triggered Execution
2Image File Execution Options Injection
1Component Object Model Hijacking
1Privilege Escalation
Event Triggered Execution
2Image File Execution Options Injection
1Component Object Model Hijacking
1Defense Evasion
Virtualization/Sandbox Evasion
1Subvert Trust Controls
1Install Root Certificate
1Modify Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.81\Installer\setup.exeFilesize
6.5MB
MD57c44a5cba89f38d967b1f4e11225da0f
SHA144837f2ff9b3ebc7c371ee5f9e0cd5dcaad508dd
SHA256a10c3e0b2ec1286bfe6b3fe9005a9132fad01be9afc4bdd5adb29f174b8fb706
SHA51225b4cae7fc6d200dab70e94461b7f2e7899813975cab498fb367a32aa2e187fb7b1330545b60f6340d53fe5e04a1ecfb5d6b8bf004ac26ecaa7a8f6e387dfe99
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exeFilesize
201KB
MD54dc57ab56e37cd05e81f0d8aaafc5179
SHA1494a90728d7680f979b0ad87f09b5b58f16d1cd5
SHA25687c6f7d9b58f136aeb33c96dbfe3702083ec519aafca39be66778a9c27a68718
SHA512320eeed88d7facf8c1f45786951ef81708c82cb89c63a3c820ee631c52ea913e64c4e21f0039c1b277cfb710c4d81cd2191878320d00fd006dd777c727d9dc2b
-
C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4648_1546349364\LICENSEFilesize
473B
MD5f6719687bed7403612eaed0b191eb4a9
SHA1dd03919750e45507743bd089a659e8efcefa7af1
SHA256afb514e4269594234b32c873ba2cd3cc8892e836861137b531a40a1232820c59
SHA512dd14a7eae05d90f35a055a5098d09cd2233d784f6ac228b5927925241689bff828e573b7a90a5196bfdd7aaeecf00f5c94486ad9e3910cfb07475fcfbb7f0d56
-
C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4648_1546349364\manifest.jsonFilesize
984B
MD50359d5b66d73a97ce5dc9f89ed84c458
SHA1ce17e52eaac909dd63d16d93410de675d3e6ec0d
SHA256beeab2f8d3833839399dde15ce9085c17b304445577d21333e883d6db6d0b755
SHA5128fd94a098a4ab5c0fcd48c2cef2bb03328dd4d25c899bf5ed1ca561347d74a8aab8a214ba2d3180a86df72c52eb26987a44631d0ecd9edc84976c28d6c9dc16a
-
C:\Program Files\MsEdgeCrashpad\settings.datFilesize
280B
MD5f66b8ed3028fb5fa190adda5272f74b9
SHA12984dbaeb4f09e94d1e3cc130a20062bae9ddf85
SHA2564ecd5bddf7b503c0e1dbfff9d73ddb1e984143960da11732247a94e92f9d5c93
SHA512654be74b5f94694a67c4f34f739ef7b80a47d271a014929456e5f2ac94f448c461885b8b98fb4801502fd8592845a33634e188f0e4d0ea924235fbc97302c5f8
-
C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.logFilesize
65KB
MD5d60b63f849cb01467c5155cfde0de80f
SHA1ded9f1fa94d5f760fa177c2d5d685c55c652e213
SHA256a174658114f24026ed16366a6e83868012e4794b69266afcb82d56a447056c65
SHA512380fac3c65f56152dc970899f841947bf8c1a584c5e5a3b1f930f54fcce6f8a65b8f93662430f8f144afe9f27644f990bc1eade0c5e89ed5d591fd9b1c8dce45
-
C:\Users\Admin\AppData\Local\Bloxstrap\Bloxstrap.exeFilesize
249KB
MD5772c9fecbd0397f6cfb3d866cf3a5d7d
SHA16de3355d866d0627a756d0d4e29318e67650dacf
SHA2562f88ea7e1183d320fb2b7483de2e860da13dc0c0caaf58f41a888528d78c809f
SHA51282048bd6e50d38a863379a623b8cfda2d1553d8141923acf13f990c7245c833082523633eaa830362a12bfff300da61b3d8b3cccbe038ce2375fdfbd20dbca31
-
C:\Users\Admin\AppData\Local\Bloxstrap\Modifications\ClientSettings\ClientAppSettings.jsonFilesize
120B
MD5636492f4af87f25c20bd34a731007d86
SHA122a5c237a739ab0df4ff87c9e3d79dbe0c89b56a
SHA25622a1e85723295eeb854345be57f7d6fb56f02b232a95d69405bf9d9e67a0fa0d
SHA512cd2e3a738f535eb1a119bd4c319555899bcd4ce1049d7f8591a1a68c26844f33c1bd1e171706533b5c36263ade5e275b55d40f5710e0210e010925969182cd0c
-
C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-1088f3c8e4a44cc7\ExtraContent\textures\ui\LuaApp\graphic\shimmer_lightTheme.pngFilesize
20KB
MD54f8f43c5d5c2895640ed4fdca39737d5
SHA1fb46095bdfcab74d61e1171632c25f783ef495fa
SHA256fc57f32c26087eef61b37850d60934eda1100ca8773f08e487191a74766053d1
SHA5127aebc0f79b2b23a76fb41df8bab4411813ffb1abc5e2797810679c0eaa690e7af7561b8473405694bd967470be337417fa42e30f0318acbf171d8f31620a31aa
-
C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-1088f3c8e4a44cc7\ExtraContent\textures\ui\LuaApp\graphic\[email protected]Filesize
71KB
MD53fec0191b36b9d9448a73ff1a937a1f7
SHA1bee7d28204245e3088689ac08da18b43eae531ba
SHA2561a03e6f6a0de045aa588544c392d671c040b82a5598b4246af04f5a74910dc89
SHA512a8ab2bc2d937963af36d3255c6ea09cae6ab1599996450004bb18e8b8bdfbdde728821ac1662d8a0466680679011d8f366577b143766838fe91edf08a40353ce
-
C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-1088f3c8e4a44cc7\ExtraContent\textures\ui\LuaDiscussions\buttonFill.pngFilesize
247B
MD581ce54dfd6605840a1bd2f9b0b3f807d
SHA14a3a4c05b9c14c305a8bb06c768abc4958ba2f1c
SHA2560a6a5cafb4dee0d8c1d182ddec9f68ca0471d7fc820cf8dc2d68f27a35cd3386
SHA51257069c8ac03dd0fdfd97e2844c19138800ff6f7d508c26e5bc400b30fe78baa0991cc39f0f86fa10cd5d12b6b11b0b09c1a770e5cb2fdca157c2c8986a09e5ff
-
C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-1088f3c8e4a44cc7\content\configs\DateTimeLocaleConfigs\zh-hans.jsonFilesize
2KB
MD5fb6605abd624d1923aef5f2122b5ae58
SHA16e98c0a31fa39c781df33628b55568e095be7d71
SHA2567b993133d329c46c0c437d985eead54432944d7b46db6ad6ea755505b8629d00
SHA51297a14eda2010033265b379aa5553359293baf4988a4cdde8a40b0315e318a7b30feee7f5e14c68131e85610c00585d0c67e636999e3af9b5b2209e1a27a82223
-
C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-1088f3c8e4a44cc7\content\configs\DateTimeLocaleConfigs\zh-tw.jsonFilesize
2KB
MD5702c9879f2289959ceaa91d3045f28aa
SHA1775072f139acc8eafb219af355f60b2f57094276
SHA256a92a6988175f9c1d073e4b54bf6a31f9b5d3652eebdf6a351fb5e12bda76cbd5
SHA512815a6bef134c0db7a5926f0cf4b3f7702d71b0b2f13eca9539cd2fc5a61eea81b1884e4c4bc0b3398880589bff809ac8d5df833e7e4aeda4a1244e9a875d1e97
-
C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-1088f3c8e4a44cc7\content\sounds\ouch.oggFilesize
6KB
MD59404c52d6f311da02d65d4320bfebb59
SHA10b5b5c2e7c631894953d5828fec06bdf6adba55f
SHA256c9775e361392877d1d521d0450a5368ee92d37dc542bc5e514373c9d5003f317
SHA51222aa1acbcdcf56f571170d9c32fd0d025c50936387203a7827dbb925f352d2bc082a8a79db61c2d1f1795ad979e93367c80205d9141b73d806ae08fa089837c4
-
C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-1088f3c8e4a44cc7\content\textures\Cursors\KeyboardMouse\IBeamCursor.pngFilesize
292B
MD5464c4983fa06ad6cf235ec6793de5f83
SHA18afeb666c8aee7290ab587a2bfb29fc3551669e8
SHA25699fd7f104948c6ab002d1ec69ffd6c896c91f9accc499588df0980b4346ecbed
SHA512f805f5f38535fe487b899486c8de6cf630114964e2c3ebc2af7152a82c6f6faef681b4d936a1867b5dff6566b688b5c01105074443cc2086b3fe71f7e6e404b1
-
C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-1088f3c8e4a44cc7\content\textures\StudioToolbox\Clear.pngFilesize
538B
MD5fa8eaf9266c707e151bb20281b3c0988
SHA13ca097ad4cd097745d33d386cc2d626ece8cb969
SHA2568cf08bf7e50fea7b38f59f162ed956346c55a714ed8a9a8b0a1ada7e18480bc2
SHA512e29274300eab297c6de895bb39170f73f0a4ffa2a8c3732caeeeac16e2c25fb58bb401fdd5823cc62d9c413ec6c43d7c46861d7e14d52f8d9d8ff632e29f167c
-
C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-1088f3c8e4a44cc7\content\textures\StudioUIEditor\valueBoxRoundedRectangle.pngFilesize
130B
MD5521fb651c83453bf42d7432896040e5e
SHA18fdbf2cc2617b5b58aaa91b94b0bf755d951cad9
SHA256630303ec4701779eaf86cc9fbf744b625becda53badc7271cbb6ddc56e638d70
SHA5128fa0a50e52a3c7c53735c7dd7af275ebc9c1843f55bb30ebe0587a85955a8da94ff993822d233f7ed118b1070a7d67718b55ba4a597dc49ed2bf2a3836c696f6
-
C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-1088f3c8e4a44cc7\content\textures\TerrainTools\checkbox_square.pngFilesize
985B
MD52cb16991a26dc803f43963bdc7571e3f
SHA112ad66a51b60eeaed199bc521800f7c763a3bc7b
SHA256c7bae6d856f3bd9f00c122522eb3534d0d198a9473b6a379a5c3458181870646
SHA5124c9467e5e2d83b778d0fb8b6fd97964f8d8126f07bfd50c5d68c256703f291ceaed56be057e8e2c591b2d2c49f6b7e099a2b7088d0bf5bdd901433459663b1f8
-
C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-1088f3c8e4a44cc7\content\textures\ui\Controls\XboxController\Thumbstick1.pngFilesize
641B
MD52cbe38df9a03133ddf11a940c09b49cd
SHA16fb5c191ed8ce9495c66b90aaf53662bfe199846
SHA2560835a661199a7d8df7249e8ae925987184efcc4fb85d9efac3cc2c1495020517
SHA512dcef5baccef9fff632456fe7bc3c4f4a403363d9103a8047a55f4bd4c413d0c5f751a2e37385fe9eba7a420dbdb77ca2ff883d47fcdd35af222191cc5bd5c7a9
-
C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-1088f3c8e4a44cc7\content\textures\ui\Controls\XboxController\[email protected]Filesize
1KB
MD5e8c88cf5c5ef7ae5ddee2d0e8376b32f
SHA177f2a5b11436d247d1acc3bac8edffc99c496839
SHA2569607af14604a8e8eb1dec45d3eeca01fed33140c0ccc3e6ef8ca4a1f6219b5dd
SHA51232f5a1e907705346a56fbddfe0d8841d05415ff7abe28ae9281ba46fedf8270b982be0090b72e2e32de0ce36e21934f80eaf508fd010f7ab132d39f5305fb68f
-
C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-1088f3c8e4a44cc7\content\textures\ui\Controls\XboxController\[email protected]Filesize
1KB
MD5499333dae156bb4c9e9309a4842be4c8
SHA1d18c4c36bdb297208589dc93715560acaf761c3a
SHA256d35a74469f1436f114c27c730a5ec0793073bcf098db37f10158d562a3174591
SHA51291c64173d2cdabc045c70e0538d45e1022cc74ec04989565b85f0f26fe3e788b700a0956a07a8c91d34c06fc1b7fad43bbdbb41b0c6f15b9881c3e46def8103e
-
C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-1088f3c8e4a44cc7\content\textures\ui\Controls\XboxController\Thumbstick2.pngFilesize
738B
MD5a402aacac8be906bcc07d50669d32061
SHA19d75c1afbe9fc482983978cae4c553aa32625640
SHA25662a313b6cc9ffe7dd86bc9c4fcd7b8e8d1f14a15cdf41a53fb69af4ae3416102
SHA512d11567bcaad8bbd9e2b9f497c3215102c7e7546caf425e93791502d3d2b3f78dec13609796fcd6e1e7f5c7d794bac074d00a74001e7fe943d63463b483877546
-
C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-1088f3c8e4a44cc7\content\textures\ui\Controls\XboxController\[email protected]Filesize
1KB
MD583e9b7823c0a5c4c67a603a734233dec
SHA12eaf04ad636bf71afdf73b004d17d366ac6d333e
SHA2563b5e06eb1a89975def847101f700f0caa60fe0198f53e51974ef1608c6e1e067
SHA512e8abb39a1ec340ac5c7d63137f607cd09eae0e885e4f73b84d8adad1b8f574155b92fbf2c9d3013f64ebbb6d55ead5419e7546b0f70dcde976d49e7440743b0f
-
C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-1088f3c8e4a44cc7\content\textures\ui\Controls\XboxController\[email protected]Filesize
1KB
MD555b64987636b9740ab1de7debd1f0b2f
SHA196f67222ce7d7748ec968e95a2f6495860f9d9c9
SHA256f4a6bb3347ee3e603ea0b2f009bfa802103bc434ae3ff1db1f2043fa8cace8fc
SHA51273a88a278747de3fefbaabb3ff90c1c0750c8d6c17746787f17061f4eff933620407336bf9b755f4222b0943b07d8c4d01de1815d42ea65e78e0daa7072591e9
-
C:\Users\Admin\AppData\Local\CefSharp\CefSharp.BrowserSubprocess.Core.dllFilesize
915KB
MD5100c32f77e68a2ce962e1a28997567ea
SHA1a80a1f4019b8d44df6b5833fb0c51b929fa79843
SHA256c0b9e29b240d8328f2f9a29ca0298ca4d967a926f3174a3442c3730c00d5a926
SHA512f95530ef439fa5c4e3bc02db249b6a76e9d56849816ead83c9cd9bcd49d3443ccb88651d829165c98a67af40b3ef02b922971114f29c5c735e662ca35c0fb6ed
-
C:\Users\Admin\AppData\Local\CefSharp\CefSharp.BrowserSubprocess.exeFilesize
7KB
MD5516ff62b2e1f4642caa954c0968719e8
SHA1e349d0ce82e2109dd0d18416d9cf46e8411b7f15
SHA25619da58849cec5933860116e60a1e94b08e30d90e0f955768270b47998d612045
SHA5127aa4a0c87b29c2a84f585a884d8208fc2352a43f2cdb549c100e3b121837ad5f8dadb1101f57d1d3fcb7ebec9d9f22e07dc14239b7d2e2d25793c999becf288b
-
C:\Users\Admin\AppData\Local\CefSharp\CefSharp.dllFilesize
272KB
MD59ca06a8f9e5f7239ca225ab810274023
SHA1e1a219f567a7b7d3af9386df51b14c76e769c044
SHA2565fd00ae3e83e6ca156647ff6df87b49ffc7cad47c23fe3ae07c067c5adf6f74a
SHA512430c9bceed5439b987d5bd4840cfe32411ca61594f18597aca1948aa39a22c9d70beadf3bb9b1dd0373f81a94a25dcba17fa8e8c73abf06cba28d0971d5614c5
-
C:\Users\Admin\AppData\Local\CefSharp\LocalPrefs.jsonFilesize
643B
MD588bad6a021d1f69b4cc9411fcad9ec1d
SHA1696d99d673fbcb2c7eb47e58405e8f8577523f10
SHA2566fba73d7e887ac19f0d4cba0acc45c53842eea62e45b91297ed75b6cce99651e
SHA5124720409c2c04ddb4fce55b0b28e4c7cfb4dbd8cade3c205e26a1b48f38217a53fa66291113815ecac4b6f86e20ce2ac3f1e9128ba32f87a5ed7b3c9f52b797cc
-
C:\Users\Admin\AppData\Local\CefSharp\LocalPrefs.jsonFilesize
755B
MD52817aed5888a05588a05f58f43e79a2e
SHA13437b20a30bc21701531f4c0fb389790d56f77b4
SHA25690666a26e52c985de60b18e9697c6e7727b773c836ec2da98cfb18be4fbb4bda
SHA512a11ef31c0fe7a5d372ae5353b65b87fe2ff1c6b2e978d95c99b479442c3db293e4fcb032de7103f97f16668d11a8065c3820d572a59c0b4e50694c9e9305b9ba
-
C:\Users\Admin\AppData\Local\CefSharp\LocalPrefs.json~RFe5b66d5.TMPFilesize
434B
MD57df94e93b9213e848b382af4a8939522
SHA126d118ee404fff8877361438b8bbaf54af19c25f
SHA256b41c27eb37962b084a552a3d478b31c30a98bfa8aee07208c11f49d06df013c9
SHA5126a7ac621525f1cd818bb41f22216d1b527742e298cb7fbc117f2934af932a050a96ad94de66868c48ea732f806f8542e8608d526b0611b70bf054511efc320d2
-
C:\Users\Admin\AppData\Local\CefSharp\chrome_100_percent.pakFilesize
667KB
MD5ae195e80859781a20414cf5faa52db06
SHA1b18ecb5ec141415e3a210880e2b3d37470636485
SHA2569957802c0792e621f76bbdb1c630fbad519922743b5d193294804164babda552
SHA512c6fef84615fe20d1760ca496c98629feb4e533556724e9631d4282622748e7601225cf19dfb8351f4b540ae3f83785c1bcea6fe8c246cf70388e527654097c1c
-
C:\Users\Admin\AppData\Local\CefSharp\chrome_200_percent.pakFilesize
1.0MB
MD51abf6bad0c39d59e541f04162e744224
SHA1db93c38253338a0b85e431bd4194d9e7bddb22c6
SHA25601cb663a75f18bb2d0d800640a114f153a34bd8a5f2aa0ed7daa9b32967dc29e
SHA512945d519221d626421094316f13b818766826b3bedddab0165c041540dddadc93136e32784c0562d26a420cb29479d04d2aa317b8d605cd242e5152bf05af197e
-
C:\Users\Admin\AppData\Local\CefSharp\chrome_elf.dllFilesize
1020KB
MD57191d97ce7886a1a93a013e90868db96
SHA152dd736cb589dd1def87130893d6b9449a6a36e3
SHA25632f925f833aa59e3f05322549fc3c326ac6fc604358f4efbf94c59d5c08b8dc6
SHA51238ebb62c34d466935eabb157197c7c364d4345f22aa3b2641b636196ca1aeaa2152ac75d613ff90817cb94825189612ddd12fb96df29469511a46a7d9620e724
-
C:\Users\Admin\AppData\Local\CefSharp\icudtl.datFilesize
10.2MB
MD574bded81ce10a426df54da39cfa132ff
SHA1eb26bcc7d24be42bd8cfbded53bd62d605989bbf
SHA2567bf96c193befbf23514401f8f6568076450ade52dd1595b85e4dfcf3de5f6fb9
SHA512bd7b7b52d31803b2d4b1fd8cb76481931ed8abb98d779b893d3965231177bdd33386461e1a820b384712013904da094e3cd15ee24a679ddc766132677a8be54a
-
C:\Users\Admin\AppData\Local\CefSharp\locales\en-US.pakFilesize
456KB
MD54430b1833d56bc8eb1f7dc82bb7f4bc9
SHA1dc15e6306625f155683326e859d83f846153c547
SHA256b44ddcfac9df4934007e6c55a3c7f5e7f14c7e5e29f35c81de917fc3b22aabbc
SHA512faf93bf371b2a88c1b874a5e2c54e4487fd152ad19c2a406a46f55ae75ecd421a779888c2e4c170857b16bfb5d8744bc1815a4732ed50b064b3cbd0c5ffad889
-
C:\Users\Admin\AppData\Local\CefSharp\resources.pakFilesize
8.0MB
MD54933d92c99afa246fc59eef010d5c858
SHA198d443654e93c73dd317f9f847f71fba3d5b3135
SHA25662f4674daa15245ee081920b8ee191e72f36ca8fe24f6b986a832f45676915b2
SHA512a3a69523c8e7310716daeebc06c2ba4fce673eccd1958e824ff179b82f4502d0ec095190179bbb387342e4150f952ea7533182fb6ba90377d17dafba8f4da623
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5db9081c34e133c32d02f593df88f047a
SHA1a0da007c14fd0591091924edc44bee90456700c6
SHA256c9cd202ebb55fe8dd3e5563948bab458e947d7ba33bc0f38c6b37ce5d0bd7c3e
SHA51212f9809958b024571891fae646208a76f3823ae333716a5cec303e15c38281db042b7acf95bc6523b6328ac9c8644794d39a0e03d9db196f156a6ee1fb4f2744
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD53a09f853479af373691d131247040276
SHA11b6f098e04da87e9cf2d3284943ec2144f36ac04
SHA256a358de2c0eba30c70a56022c44a3775aa99ffa819cd7f42f7c45ac358b5e739f
SHA512341cf0f363621ee02525cd398ae0d462319c6a80e05fd25d9aca44234c42a3071b51991d4cf102ac9d89561a1567cbe76dfeaad786a304bec33821ca77080016
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
624B
MD5655a5fc38181470628d7e2f2dbc2e2eb
SHA176033c92541cd58ccceda89ca25ee1fdbf727b7f
SHA256048af0a7a40e5db8aa65596b7c62138aec48df1cdb0f5db1db0a09bae112f15e
SHA51233a4f691ccddafd72d021a584ba12d4edb1a24c61505d086fc7d7ba3150a367fb86a9c005a80800de1fc2780d8edad828ba68e4df33739b06308f61378768a8b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
456B
MD57ca4988910b98d3d9b0c78ff9dcf1301
SHA1001b92c7d5896a4dfe6b9ddd97dad5c0a7cdb9d2
SHA256e9034a5355db90da0ca2b25bf0e907fe449678917714225989787b2c9e6808a7
SHA512ae4df011cae3f4eb86956f4eb05dd5fda2e78c63044eecc752b3edc610e19bbd72e8bf4ea0ab07848263c6b89bae5eb053bdfcb944a1b579e55bd97ba56781d1
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
902B
MD5b5399420ecf1bedbc61dae4fe6561921
SHA15d4c4f884e65700b3698b8bb5dffb42fa2417295
SHA25696f9987099f064077fc6059eaf7083f8e7f812b1618e5c31e87cecbf8b1cf7bb
SHA5128d2569a8b6be47a296d43fcb59e259e752a6350ba22cc5218996c6acec710344dd1df1f945aed8ea1625cfae734386f66dfa5f617faad0f86dacfd0c72fb8ca8
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
474B
MD513181f87122e09ed44e80b3fee1379c3
SHA14cfabf6861fb4e2ee4b2f972eef45bdd8b11f4f2
SHA256ba78bc9982e7c24c0621755b995d10f4ae19de532fafaefff4fabd424a630aa1
SHA5122ec0f52ddce2102420e1dcccd3326c8ad7d22aeba6625d6e4d9a71a7d85db05a922ffec938f7865e5f1f6b02bbaf4d1d5badad2d661d268a4617282da0c68e01
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
902B
MD583de9878b768c97ee40e8c479b920bef
SHA1b45096b2085059de2e8e29e3079ab3a19e6efb85
SHA256f5c765c70fc175d184c5ad360109bc96225aea13b3c00c84b042820fdcfef7e2
SHA512861ba0bfeb04d1171033a91ffc75162e178a4cabac6cb45172a9d636b882d42f8ed289011763787b4a5cbc82c6334e6c7241002c10c38572aaaf99cf6a5dd29c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
7KB
MD522ad80f66cdea53740d22fdcee444932
SHA1805fd28b472dcb23824357e540de3430f0685ab4
SHA2561db5d740dd40b5eb83fddab6a49e5b52bbd04aeeb31a063134bd53d5a746d3c9
SHA512101f717aee62f748cea4fc0f09a1b405000019d3a0e09710adb246d1775fb4bb649e1e41012cf466ae6bc45a7719e16f682957880763202015fe1bbb00eb179b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
MD50a53e366894dd7bc44c784cde7092768
SHA1087add947f7714a23f8d57e14e8658e34e20d763
SHA256c9d73ae6fb51b24756c2ed08250b17e04f2b2fd31d87b106568ed4ce9b435be5
SHA5126b4c73049bf0bd0d227475fc946d1b4c713e89399e4d09a07a63cb16efb423228bc42c6d927e04394925af287f969dc5a1f50a7fcb5fef92dac6fa39f51d3872
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5200d075d665aeac81733e5fd473490ed
SHA1a69499d1db2e51c5ded2f681c28a8675077d6d0a
SHA25683fccc6db48b733db0a276a9d22f560032db806cca8d54ced526cf6d0636cc28
SHA51221344f840abf9164d585c27f0375fcb3b99c53f535713204b824ddf3681d12a72aea6c019cb7d3750a3310fd49410b0331a4d4ebcacec2e63662f0db3e57405a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5e12782326e6662baf81cb1c943a54397
SHA1b115eed0537ba33668a45cc754fe31f8907d4478
SHA256231707196ebd07d3b913fa75d4abf58c9788aafb77163450756cc1b4415411a2
SHA512becade117cb52ae17520f653d00ee9ce1b46890b5ef1f0204714398ad6fa39dc0d5c42fc4e340c4799c32a3089e0deb40bd85defa412998f8dfa5b673c0c386b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD50adfa95b098fa0dd911566486eb79471
SHA1e9b46a8ec4cd0b7bb2c77525fdabbab9d8c33e83
SHA25632ef2eaa2706e547d0bc94246b51e873e407c1a216c01ec64a4767a4137741eb
SHA512bb9999088c991f47d399b80f1aa4679adce858cf7bbb7c3263bf5084e93940be4168857b437fee7be2224a154b393da531e30812361ebc1f8280a8e11b53c2d9
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
705B
MD5c883ad6dfcda979d1cd36b2235a364f1
SHA15e6ad32d12d8efaa7a0c037ba77b021afc8fa6c4
SHA25674b25342bec38cdd773b62b702cc2adf685503de180c7c44b496854d77529685
SHA512384b412455aaab1934c9bc71fa51680914ee790e09ac3d8eecbd48f060ae75512f78de9d43ba0fd49a3126368a8de40c9dcbb554a7ecce054b70db1c563e3fe7
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
873B
MD599bd158547d8c25169694deb9ba944d4
SHA1f49e628e528a04bf91abcf827a2dacbd54d50451
SHA25693857e051353e14ae43d7aceb20277b83a7eff6fc03e5d208a1437b9b0d01b91
SHA512557d027fac83d98d33be454b72b39508d98ca6196d9d0f0edda1d473546be8084ff4959dd9199e3ea00cfcbbf33c8d2af2a5e47caa0380d906df5cd5b8ba199a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57fd3c.TMPFilesize
371B
MD50e3b4a936cc940984ed6aa428fc40b19
SHA1a277941e996b7658d56b187b9b44ab93a1c44333
SHA256d17564175bfe439134848f48610429dfacaf8c9edb145021b03f5841e5fb3b86
SHA512aa9f0586a92b12c5c52db80be3938bab57f0f695be263ebb5d53d66a302801427c5537242351ee532d31c733580e9b28d069caa509ce210a55837b0953953bf9
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD5316db407c2a934ccdf77cb8bed6f1231
SHA14dc267484a00f6864095347202ea870af4e5e699
SHA25633f18b6da90aa88b070b1fa184fdae44ea7dbc1e1f295f8fa12d4e1bd6cd5617
SHA512195781e9b711df4e143b08bae50049c106b35443f0a21107e29cbf122f2b4899643f88a249f1790d9a05576cec34335bd35851b2121f378678fc5ec2ec2b48cc
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD5aae3dd32e57051c6a5a68152c49deca0
SHA17eb33a6a67f5b11b6a847ca70c8586bfcf207d9c
SHA25668535d937d9ad36a0b3c6f20102472a800edf61fbe62a6fcc8cfcc11ab70e32f
SHA512b6183e3663bd8f74cf86abc8367f248b8d6b00517b4ed3a7a1ca817eadd447a31a2bda028bfb4976a05deec9ef1584f5972dee22b3eb1c217895b2229d8f4d82
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD58879e2cecdfefa604f6dbdee2a963cb6
SHA192fc23e0caea622ee18d099ac51133bf5e71538d
SHA25691b9f344ae606516824ecb51c45157b8bc638c8e0457ac23e187b45bd3d3fc55
SHA512602effd5f7247dc259fb17ed33b72c41400709b5e2b1c5949463af5b18221fcc3d6a3b300caae02cb018049b94947c2659aa6524b60bf1fe91530f570d9de128
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD5365c8782799a1a77695d0f2e15cb6082
SHA1500cdc60e6381e25fa645a2f4d2280a7642ae4f1
SHA256a543df27b0e4be832d750950fcb1c859cd18628d3522a6b97893f2a53e9cb0ba
SHA512e6d21dd5fb2c1fef4e3bbdde69614e3178ce591f3c7c9247712b33a4b4799c2215dd78ad341e03447e0192f7c51017e57f9cb739e9aad799fdcbd104c45b83cd
-
C:\Users\Admin\AppData\Local\Wave\CefSharp.Core.Runtime.dllFilesize
1.3MB
MD509cba584aa0aae9fc600745567393ef6
SHA1bbd1f93cb0db9cf9e01071b3bed1b4afd6e31279
SHA2560babd84d4e7dc2713e7265d5ac25a3c28d412e705870cded6f5c7c550a5bf8d5
SHA5125f914fa33a63a6d4b46f39c7279687f313728fd5f8437ec592369a2da3256ccff6f325f78ace0e6d3a2c37da1f681058556f7603da13c45b03f2808f779d2aa1
-
C:\Users\Admin\AppData\Local\Wave\D3DCOMPILER_47.dllFilesize
3.9MB
MD53b4647bcb9feb591c2c05d1a606ed988
SHA1b42c59f96fb069fd49009dfd94550a7764e6c97c
SHA25635773c397036b368c1e75d4e0d62c36d98139ebe74e42c1ff7be71c6b5a19fd7
SHA51200cd443b36f53985212ac43b44f56c18bf70e25119bbf9c59d05e2358ff45254b957f1ec63fc70fb57b1726fd8f76ccfad8103c67454b817a4f183f9122e3f50
-
C:\Users\Admin\AppData\Local\Wave\WaveBootstrapper.exeFilesize
939KB
MD5258a9cae6024c91784bbd8aa5379e86f
SHA1fe1a808ba23053413359a78d5ec096b2cd540dd5
SHA2563881840473ec5286189d2fc8e85f0f26a2532890055d1653da9580aa31b2d0e5
SHA512b621ef432b430d2df0443fa0ebdd59dc7de6b32375c2fc83e8474838843c4abcf4a35f2b5f80e78911fc52336d71812ca9fbc9919314ea3b59bd26036a4ea5a5
-
C:\Users\Admin\AppData\Local\Wave\WaveWindows.exeFilesize
7.5MB
MD57e09dde2226c18dde3c76471c01b3665
SHA194bb80704e14314331e007b942a64f423104644f
SHA2564f9a703b0491de02519a343659f0a351f6ad09942cd82920995d5fa89e6571ae
SHA512c61c911eb37c758f64ae9372eb4208210b6a964bb8604d3fcd3285805448b1801a91c519ed0294815f8167500654b423d19161a82c82f7935ec637c4038c93dc
-
C:\Users\Admin\Downloads\Unconfirmed 317070.crdownloadFilesize
1.5MB
MD5c822ab5332b11c9185765b157d0b6e17
SHA17fe909d73a24ddd87171896079cceb8b03663ad4
SHA256344700d3141170111a9b77db100f6961cc54a2988d964d34f7e1ca57aa42aa2a
SHA512a8612836fb4714b939d03f7fe08391bbc635ca83ab853fc677159e5db6b00f76b9b586bdae9c19d2406d9a2713d1caf614132cb6c14e1dddc6ac45e47f7e5a5d
-
C:\Users\Admin\Downloads\Unconfirmed 657365.crdownloadFilesize
6.0MB
MD5b67c09157b260b02037a716d28d7c34f
SHA1a6da5549351e78fda395b5381dcf9e14240390fd
SHA256ceb6a0b8e1c27c75155ab28b9283fe488ae5daca15b0cc58ebfc009200c8e824
SHA51261cc65311af74f83ea950ef54661a5421df67026f7760e257ae3701b3b339f554ac1b42a63f2adafe142ad71a81c545b6749aac0a4f5c78eccd90d072fb7bbad
-
C:\Windows\system32\drivers\etc\hostsFilesize
1KB
MD5deca688b3a2d7e1224e65a13c66b405d
SHA15d088d911e53b05860d2294f081b7a56614c1b1b
SHA256efe68251dcfee5e61bce15c9028f4e237c45e24f23f66d0c9acf5355ba709341
SHA5128ed11f7e130d1d0d5f554849e9ad181f60d242d21aa6019307df20833e7646705716f591b13c9db0ba8643e8800816dd6b691572c80973f540fba14cc84d47be
-
\??\pipe\LOCAL\crashpad_2064_IIJMXPYGJYVBONCXMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/1436-656-0x000000000A2B0000-0x000000000A2B8000-memory.dmpFilesize
32KB
-
memory/1436-657-0x000000000A310000-0x000000000A32E000-memory.dmpFilesize
120KB
-
memory/1436-651-0x0000000000E10000-0x0000000000F00000-memory.dmpFilesize
960KB
-
memory/1436-653-0x0000000009590000-0x0000000009690000-memory.dmpFilesize
1024KB
-
memory/1436-654-0x000000000A240000-0x000000000A256000-memory.dmpFilesize
88KB
-
memory/1436-655-0x000000000A270000-0x000000000A27A000-memory.dmpFilesize
40KB
-
memory/1756-710-0x0000000005200000-0x000000000524A000-memory.dmpFilesize
296KB
-
memory/1756-700-0x0000000000860000-0x0000000000868000-memory.dmpFilesize
32KB
-
memory/1756-704-0x00000000050C0000-0x00000000051AA000-memory.dmpFilesize
936KB
-
memory/3220-383-0x0000027685A50000-0x0000027685A51000-memory.dmpFilesize
4KB
-
memory/3220-385-0x0000027685A50000-0x0000027685A51000-memory.dmpFilesize
4KB
-
memory/3220-384-0x0000027685A50000-0x0000027685A51000-memory.dmpFilesize
4KB
-
memory/3220-386-0x0000027685A50000-0x0000027685A51000-memory.dmpFilesize
4KB
-
memory/3220-387-0x0000027685A50000-0x0000027685A51000-memory.dmpFilesize
4KB
-
memory/3220-389-0x0000027685A50000-0x0000027685A51000-memory.dmpFilesize
4KB
-
memory/3220-377-0x0000027685A50000-0x0000027685A51000-memory.dmpFilesize
4KB
-
memory/3220-388-0x0000027685A50000-0x0000027685A51000-memory.dmpFilesize
4KB
-
memory/3220-379-0x0000027685A50000-0x0000027685A51000-memory.dmpFilesize
4KB
-
memory/3220-378-0x0000027685A50000-0x0000027685A51000-memory.dmpFilesize
4KB
-
memory/3644-430-0x00000000098D0000-0x00000000098D8000-memory.dmpFilesize
32KB
-
memory/3644-434-0x0000000009900000-0x000000000990A000-memory.dmpFilesize
40KB
-
memory/3644-347-0x0000000009B60000-0x0000000009B6E000-memory.dmpFilesize
56KB
-
memory/3644-346-0x0000000009B90000-0x0000000009BC8000-memory.dmpFilesize
224KB
-
memory/3644-433-0x00000000098F0000-0x00000000098FA000-memory.dmpFilesize
40KB
-
memory/3644-428-0x000000000AC70000-0x000000000AD06000-memory.dmpFilesize
600KB
-
memory/3644-429-0x0000000009890000-0x00000000098B6000-memory.dmpFilesize
152KB
-
memory/3644-432-0x000000000B0D0000-0x000000000B142000-memory.dmpFilesize
456KB
-
memory/3644-336-0x0000000000780000-0x0000000000912000-memory.dmpFilesize
1.6MB
-
memory/4648-675-0x00000000056F0000-0x000000000573A000-memory.dmpFilesize
296KB
-
memory/4648-722-0x000000000CA40000-0x000000000CAF2000-memory.dmpFilesize
712KB
-
memory/4648-727-0x000000000D880000-0x000000000D8A2000-memory.dmpFilesize
136KB
-
memory/4648-728-0x0000000010630000-0x0000000010984000-memory.dmpFilesize
3.3MB
-
memory/4648-674-0x0000000000480000-0x0000000000C0C000-memory.dmpFilesize
7.5MB
-
memory/4648-676-0x00000000052B0000-0x00000000052D4000-memory.dmpFilesize
144KB
-
memory/4648-677-0x0000000005C10000-0x0000000005CF6000-memory.dmpFilesize
920KB
-
memory/4648-685-0x0000000005F70000-0x00000000060CB000-memory.dmpFilesize
1.4MB
-
memory/5936-419-0x0000000140000000-0x0000000140F65000-memory.dmpFilesize
15.4MB
-
memory/5936-7774-0x0000000140000000-0x0000000140F65000-memory.dmpFilesize
15.4MB
-
memory/5936-1285-0x0000000140000000-0x0000000140F65000-memory.dmpFilesize
15.4MB
-
memory/5936-743-0x0000000140000000-0x0000000140F65000-memory.dmpFilesize
15.4MB
-
memory/5936-738-0x0000000140000000-0x0000000140F65000-memory.dmpFilesize
15.4MB
-
memory/5936-391-0x0000000140000000-0x0000000140F65000-memory.dmpFilesize
15.4MB
-
memory/5936-392-0x0000000140000000-0x0000000140F65000-memory.dmpFilesize
15.4MB
-
memory/5936-397-0x0000000140000000-0x0000000140F65000-memory.dmpFilesize
15.4MB
-
memory/5936-407-0x0000000140000000-0x0000000140F65000-memory.dmpFilesize
15.4MB
-
memory/5936-417-0x0000000140000000-0x0000000140F65000-memory.dmpFilesize
15.4MB
-
memory/5936-418-0x0000000140000000-0x0000000140F65000-memory.dmpFilesize
15.4MB
-
memory/5936-367-0x0000000140000000-0x0000000140F65000-memory.dmpFilesize
15.4MB
-
memory/5936-348-0x0000000140000000-0x0000000140F65000-memory.dmpFilesize
15.4MB
-
memory/5936-420-0x0000000140000000-0x0000000140F65000-memory.dmpFilesize
15.4MB
-
memory/5936-424-0x0000000140000000-0x0000000140F65000-memory.dmpFilesize
15.4MB
-
memory/5936-661-0x0000000140000000-0x0000000140F65000-memory.dmpFilesize
15.4MB
-
memory/5936-298-0x0000000140000000-0x0000000140F65000-memory.dmpFilesize
15.4MB
-
memory/5936-211-0x0000000140000000-0x0000000140F65000-memory.dmpFilesize
15.4MB
-
memory/5936-7771-0x0000000140000000-0x0000000140F65000-memory.dmpFilesize
15.4MB
-
memory/5936-92-0x0000000140000000-0x0000000140F65000-memory.dmpFilesize
15.4MB
-
memory/5936-96-0x0000000140000000-0x0000000140F65000-memory.dmpFilesize
15.4MB
-
memory/5936-390-0x0000000140000000-0x0000000140F65000-memory.dmpFilesize
15.4MB
-
memory/5936-7781-0x0000000140000000-0x0000000140F65000-memory.dmpFilesize
15.4MB
-
memory/5936-93-0x0000000140000000-0x0000000140F65000-memory.dmpFilesize
15.4MB
-
memory/5936-7785-0x0000000140000000-0x0000000140F65000-memory.dmpFilesize
15.4MB
-
memory/5936-210-0x0000000140000000-0x0000000140F65000-memory.dmpFilesize
15.4MB
-
memory/5936-187-0x0000000140000000-0x0000000140F65000-memory.dmpFilesize
15.4MB
-
memory/5936-7797-0x0000000140000000-0x0000000140F65000-memory.dmpFilesize
15.4MB
-
memory/5936-111-0x0000000140000000-0x0000000140F65000-memory.dmpFilesize
15.4MB
-
memory/5936-97-0x0000000140000000-0x0000000140F65000-memory.dmpFilesize
15.4MB
-
memory/5936-7836-0x0000000140000000-0x0000000140F65000-memory.dmpFilesize
15.4MB
-
memory/5936-95-0x0000000140000000-0x0000000140F65000-memory.dmpFilesize
15.4MB
-
memory/5936-7851-0x0000000140000000-0x0000000140F65000-memory.dmpFilesize
15.4MB
-
memory/5936-7854-0x0000000140000000-0x0000000140F65000-memory.dmpFilesize
15.4MB
-
memory/5936-7857-0x0000000140000000-0x0000000140F65000-memory.dmpFilesize
15.4MB
-
memory/5936-94-0x0000000140000000-0x0000000140F65000-memory.dmpFilesize
15.4MB
-
memory/6972-7787-0x000000005E450000-0x000000005E660000-memory.dmpFilesize
2.1MB
-
memory/6972-7773-0x000000005E450000-0x000000005E660000-memory.dmpFilesize
2.1MB
-
memory/6972-7772-0x0000000000830000-0x0000000000865000-memory.dmpFilesize
212KB
-
memory/8204-7860-0x0000000009CF0000-0x0000000009CF1000-memory.dmpFilesize
4KB
-
memory/8204-7859-0x0000000009CF0000-0x0000000009CF1000-memory.dmpFilesize
4KB
-
memory/8204-7864-0x0000000009CF0000-0x0000000009CF1000-memory.dmpFilesize
4KB
-
memory/8204-7858-0x0000000009CF0000-0x0000000009CF1000-memory.dmpFilesize
4KB