Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
257s -
max time network
275s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system -
submitted
29/06/2024, 23:20
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://github.com/IHaxU/Wave-Goodbye/raw/main/Wave%20Goodbye.exe
Resource
win10v2004-20240611-en
General
-
Target
https://github.com/IHaxU/Wave-Goodbye/raw/main/Wave%20Goodbye.exe
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Wave Goodbye.exe -
Downloads MZ/PE file
-
Drops file in Drivers directory 1 IoCs
description ioc Process File opened for modification C:\Windows\system32\drivers\etc\hosts Wave Goodbye.exe -
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe MicrosoftEdgeUpdate.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe\DisableExceptionChainValidation = "0" MicrosoftEdgeUpdate.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Wave Goodbye.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Wave Goodbye.exe -
Checks computer location settings 2 TTPs 5 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation WaveInstaller.exe Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation WaveBootstrapper.exe Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation WaveWindows.exe Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation Bloxstrap.exe Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation MicrosoftEdgeUpdate.exe -
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE 19 IoCs
pid Process 4440 Wave Goodbye.exe 5584 WaveInstaller.exe 5420 WaveBootstrapper.exe 5144 WaveWindows.exe 1716 CefSharp.BrowserSubprocess.exe 4324 CefSharp.BrowserSubprocess.exe 5752 node.exe 2312 Bloxstrap.exe 6180 MicrosoftEdgeWebview2Setup.exe 6564 MicrosoftEdgeUpdate.exe 6464 MicrosoftEdgeUpdate.exe 6604 MicrosoftEdgeUpdate.exe 6612 MicrosoftEdgeUpdateComRegisterShell64.exe 6668 MicrosoftEdgeUpdateComRegisterShell64.exe 6776 MicrosoftEdgeUpdateComRegisterShell64.exe 6708 MicrosoftEdgeUpdate.exe 6784 MicrosoftEdgeUpdate.exe 6840 MicrosoftEdgeUpdate.exe 7188 MicrosoftEdgeUpdate.exe -
Loads dropped DLL 40 IoCs
pid Process 5420 WaveBootstrapper.exe 5144 WaveWindows.exe 5144 WaveWindows.exe 5144 WaveWindows.exe 5144 WaveWindows.exe 5144 WaveWindows.exe 1716 CefSharp.BrowserSubprocess.exe 1716 CefSharp.BrowserSubprocess.exe 1716 CefSharp.BrowserSubprocess.exe 1716 CefSharp.BrowserSubprocess.exe 1716 CefSharp.BrowserSubprocess.exe 1716 CefSharp.BrowserSubprocess.exe 1716 CefSharp.BrowserSubprocess.exe 1716 CefSharp.BrowserSubprocess.exe 1716 CefSharp.BrowserSubprocess.exe 1716 CefSharp.BrowserSubprocess.exe 1716 CefSharp.BrowserSubprocess.exe 4324 CefSharp.BrowserSubprocess.exe 4324 CefSharp.BrowserSubprocess.exe 4324 CefSharp.BrowserSubprocess.exe 4324 CefSharp.BrowserSubprocess.exe 4324 CefSharp.BrowserSubprocess.exe 4324 CefSharp.BrowserSubprocess.exe 4324 CefSharp.BrowserSubprocess.exe 5144 WaveWindows.exe 6564 MicrosoftEdgeUpdate.exe 6464 MicrosoftEdgeUpdate.exe 6604 MicrosoftEdgeUpdate.exe 6612 MicrosoftEdgeUpdateComRegisterShell64.exe 6604 MicrosoftEdgeUpdate.exe 6668 MicrosoftEdgeUpdateComRegisterShell64.exe 6604 MicrosoftEdgeUpdate.exe 6776 MicrosoftEdgeUpdateComRegisterShell64.exe 6604 MicrosoftEdgeUpdate.exe 6708 MicrosoftEdgeUpdate.exe 6784 MicrosoftEdgeUpdate.exe 6840 MicrosoftEdgeUpdate.exe 6840 MicrosoftEdgeUpdate.exe 6784 MicrosoftEdgeUpdate.exe 7188 MicrosoftEdgeUpdate.exe -
resource yara_rule behavioral1/files/0x00080000000234aa-40.dat themida behavioral1/memory/4440-93-0x0000000140000000-0x0000000140F65000-memory.dmp themida behavioral1/memory/4440-98-0x0000000140000000-0x0000000140F65000-memory.dmp themida behavioral1/memory/4440-95-0x0000000140000000-0x0000000140F65000-memory.dmp themida behavioral1/memory/4440-94-0x0000000140000000-0x0000000140F65000-memory.dmp themida behavioral1/memory/4440-96-0x0000000140000000-0x0000000140F65000-memory.dmp themida behavioral1/memory/4440-97-0x0000000140000000-0x0000000140F65000-memory.dmp themida behavioral1/memory/4440-157-0x0000000140000000-0x0000000140F65000-memory.dmp themida behavioral1/memory/4440-298-0x0000000140000000-0x0000000140F65000-memory.dmp themida behavioral1/memory/4440-301-0x0000000140000000-0x0000000140F65000-memory.dmp themida behavioral1/memory/4440-300-0x0000000140000000-0x0000000140F65000-memory.dmp themida behavioral1/memory/4440-302-0x0000000140000000-0x0000000140F65000-memory.dmp themida behavioral1/memory/4440-303-0x0000000140000000-0x0000000140F65000-memory.dmp themida behavioral1/memory/4440-304-0x0000000140000000-0x0000000140F65000-memory.dmp themida behavioral1/memory/4440-345-0x0000000140000000-0x0000000140F65000-memory.dmp themida behavioral1/memory/4440-412-0x0000000140000000-0x0000000140F65000-memory.dmp themida behavioral1/memory/4440-564-0x0000000140000000-0x0000000140F65000-memory.dmp themida behavioral1/memory/4440-565-0x0000000140000000-0x0000000140F65000-memory.dmp themida behavioral1/memory/4440-566-0x0000000140000000-0x0000000140F65000-memory.dmp themida behavioral1/memory/4440-567-0x0000000140000000-0x0000000140F65000-memory.dmp themida behavioral1/memory/4440-568-0x0000000140000000-0x0000000140F65000-memory.dmp themida behavioral1/memory/4440-572-0x0000000140000000-0x0000000140F65000-memory.dmp themida behavioral1/memory/4440-783-0x0000000140000000-0x0000000140F65000-memory.dmp themida behavioral1/memory/4440-860-0x0000000140000000-0x0000000140F65000-memory.dmp themida behavioral1/memory/4440-876-0x0000000140000000-0x0000000140F65000-memory.dmp themida behavioral1/memory/4440-881-0x0000000140000000-0x0000000140F65000-memory.dmp themida behavioral1/memory/4440-882-0x0000000140000000-0x0000000140F65000-memory.dmp themida behavioral1/memory/4440-6403-0x0000000140000000-0x0000000140F65000-memory.dmp themida behavioral1/memory/4440-7913-0x0000000140000000-0x0000000140F65000-memory.dmp themida behavioral1/memory/4440-7917-0x0000000140000000-0x0000000140F65000-memory.dmp themida behavioral1/memory/4440-7988-0x0000000140000000-0x0000000140F65000-memory.dmp themida -
Checks for any installed AV software in registry 1 TTPs 7 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\KasperskyLab WaveWindows.exe Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\KasperskyLab\LastUsername WaveWindows.exe Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\KasperskyLab\Session WaveWindows.exe Key queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\KasperskyLab WaveWindows.exe Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\KasperskyLab\LastUsername = "skibidi" WaveWindows.exe Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\KasperskyLab\Session = "cracked, ihaxu on this shit, FUCK YOU RETARD" WaveWindows.exe Key opened \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\KasperskyLab WaveWindows.exe -
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Wave Goodbye.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs
flow ioc 155 raw.githubusercontent.com 20 raw.githubusercontent.com 67 discord.com 139 raw.githubusercontent.com 140 raw.githubusercontent.com 154 raw.githubusercontent.com 19 raw.githubusercontent.com 66 discord.com 152 raw.githubusercontent.com 153 raw.githubusercontent.com -
Checks system information in the registry 2 TTPs 8 IoCs
System information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName MicrosoftEdgeUpdate.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer MicrosoftEdgeUpdate.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName MicrosoftEdgeUpdate.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer MicrosoftEdgeUpdate.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName MicrosoftEdgeUpdate.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer MicrosoftEdgeUpdate.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName MicrosoftEdgeUpdate.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer MicrosoftEdgeUpdate.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 4440 Wave Goodbye.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File created C:\Program Files (x86)\Microsoft\Temp\EU2A39.tmp\psmachine_arm64.dll MicrosoftEdgeWebview2Setup.exe File created C:\Program Files (x86)\Microsoft\Temp\EU2A39.tmp\msedgeupdateres_lt.dll MicrosoftEdgeWebview2Setup.exe File created C:\Program Files (x86)\Microsoft\Temp\EU2A39.tmp\msedgeupdateres_mr.dll MicrosoftEdgeWebview2Setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe MicrosoftEdgeUpdate.exe File created C:\Program Files (x86)\Microsoft\Temp\EU2A39.tmp\msedgeupdateres_hr.dll MicrosoftEdgeWebview2Setup.exe File created C:\Program Files (x86)\Microsoft\Temp\EU2A39.tmp\msedgeupdateres_hu.dll MicrosoftEdgeWebview2Setup.exe File created C:\Program Files (x86)\Microsoft\Temp\EU2A39.tmp\msedgeupdateres_ko.dll MicrosoftEdgeWebview2Setup.exe File created C:\Program Files (x86)\Microsoft\Temp\EU2A39.tmp\msedgeupdateres_ka.dll MicrosoftEdgeWebview2Setup.exe File created C:\Program Files (x86)\Microsoft\Temp\EU2A39.tmp\msedgeupdateres_da.dll MicrosoftEdgeWebview2Setup.exe File created C:\Program Files (x86)\Microsoft\Temp\EU2A39.tmp\msedgeupdateres_sk.dll MicrosoftEdgeWebview2Setup.exe File created C:\Program Files (x86)\Microsoft\Temp\EU2A39.tmp\msedgeupdateres_it.dll MicrosoftEdgeWebview2Setup.exe File created C:\Program Files (x86)\Microsoft\Temp\EU2A39.tmp\msedgeupdateres_ne.dll MicrosoftEdgeWebview2Setup.exe File created C:\Program Files (x86)\Microsoft\Temp\EU2A39.tmp\msedgeupdateres_cs.dll MicrosoftEdgeWebview2Setup.exe File created C:\Program Files (x86)\Microsoft\Temp\EU2A39.tmp\msedgeupdateres_fi.dll MicrosoftEdgeWebview2Setup.exe File created C:\Program Files (x86)\Microsoft\Temp\EU2A39.tmp\msedgeupdateres_sq.dll MicrosoftEdgeWebview2Setup.exe File created C:\Program Files (x86)\Microsoft\Temp\EU2A39.tmp\msedgeupdateres_bs.dll MicrosoftEdgeWebview2Setup.exe File created C:\Program Files (x86)\Microsoft\Temp\EU2A39.tmp\msedgeupdateres_mk.dll MicrosoftEdgeWebview2Setup.exe File created C:\Program Files (x86)\Microsoft\Temp\EU2A39.tmp\msedgeupdateres_tt.dll MicrosoftEdgeWebview2Setup.exe File created C:\Program Files (x86)\Microsoft\Temp\EU2A39.tmp\msedgeupdateres_nn.dll MicrosoftEdgeWebview2Setup.exe File created C:\Program Files (x86)\Microsoft\Temp\EU2A39.tmp\msedgeupdateres_pl.dll MicrosoftEdgeWebview2Setup.exe File created C:\Program Files (x86)\Microsoft\Temp\EU2A39.tmp\msedgeupdateres_zh-CN.dll MicrosoftEdgeWebview2Setup.exe File created C:\Program Files (x86)\Microsoft\Temp\EU2A39.tmp\msedgeupdateres_af.dll MicrosoftEdgeWebview2Setup.exe File created C:\Program Files (x86)\Microsoft\Temp\EU2A39.tmp\msedgeupdateres_fr-CA.dll MicrosoftEdgeWebview2Setup.exe File created C:\Program Files (x86)\Microsoft\Temp\EU2A39.tmp\msedgeupdateres_es-419.dll MicrosoftEdgeWebview2Setup.exe File created C:\Program Files (x86)\Microsoft\Temp\EU2A39.tmp\msedgeupdateres_ru.dll MicrosoftEdgeWebview2Setup.exe File created C:\Program Files (x86)\Microsoft\Temp\EU2A39.tmp\msedgeupdateres_bn-IN.dll MicrosoftEdgeWebview2Setup.exe File created C:\Program Files (x86)\Microsoft\Temp\EU2A39.tmp\msedgeupdate.dll MicrosoftEdgeWebview2Setup.exe File created C:\Program Files (x86)\Microsoft\Temp\EU2A39.tmp\MicrosoftEdgeUpdateOnDemand.exe MicrosoftEdgeWebview2Setup.exe File created C:\Program Files (x86)\Microsoft\Temp\EU2A39.tmp\msedgeupdateres_pt-BR.dll MicrosoftEdgeWebview2Setup.exe File created C:\Program Files (x86)\Microsoft\Temp\EU2A39.tmp\msedgeupdateres_nb.dll MicrosoftEdgeWebview2Setup.exe File created C:\Program Files (x86)\Microsoft\Temp\EU2A39.tmp\msedgeupdateres_ur.dll MicrosoftEdgeWebview2Setup.exe File created C:\Program Files (x86)\Microsoft\Temp\EU2A39.tmp\psmachine.dll MicrosoftEdgeWebview2Setup.exe File created C:\Program Files (x86)\Microsoft\Temp\EU2A39.tmp\msedgeupdateres_bg.dll MicrosoftEdgeWebview2Setup.exe File created C:\Program Files (x86)\Microsoft\Temp\EU2A39.tmp\msedgeupdateres_bn.dll MicrosoftEdgeWebview2Setup.exe File created C:\Program Files (x86)\Microsoft\Temp\EU2A39.tmp\MicrosoftEdgeUpdateCore.exe MicrosoftEdgeWebview2Setup.exe File created C:\Program Files (x86)\Microsoft\Temp\EU2A39.tmp\msedgeupdateres_fa.dll MicrosoftEdgeWebview2Setup.exe File created C:\Program Files (x86)\Microsoft\Temp\EU2A39.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe MicrosoftEdgeWebview2Setup.exe File created C:\Program Files (x86)\Microsoft\Temp\EU2A39.tmp\msedgeupdateres_am.dll MicrosoftEdgeWebview2Setup.exe File created C:\Program Files (x86)\Microsoft\Temp\EU2A39.tmp\msedgeupdateres_sl.dll MicrosoftEdgeWebview2Setup.exe File created C:\Program Files (x86)\Microsoft\Temp\EU2A39.tmp\msedgeupdateres_lb.dll MicrosoftEdgeWebview2Setup.exe File created C:\Program Files (x86)\Microsoft\Temp\EU2A39.tmp\msedgeupdateres_quz.dll MicrosoftEdgeWebview2Setup.exe File created C:\Program Files (x86)\Microsoft\Temp\EU2A39.tmp\msedgeupdateres_ar.dll MicrosoftEdgeWebview2Setup.exe File created C:\Program Files (x86)\Microsoft\Temp\EU2A39.tmp\msedgeupdateres_fil.dll MicrosoftEdgeWebview2Setup.exe File created C:\Program Files (x86)\Microsoft\Temp\EU2A39.tmp\msedgeupdateres_kn.dll MicrosoftEdgeWebview2Setup.exe File created C:\Program Files (x86)\Microsoft\Temp\EU2A39.tmp\msedgeupdateres_ms.dll MicrosoftEdgeWebview2Setup.exe File created C:\Program Files (x86)\Microsoft\Temp\EU2A39.tmp\msedgeupdateres_ga.dll MicrosoftEdgeWebview2Setup.exe File created C:\Program Files (x86)\Microsoft\Temp\EU2A39.tmp\msedgeupdateres_kk.dll MicrosoftEdgeWebview2Setup.exe File created C:\Program Files (x86)\Microsoft\Temp\EU2A39.tmp\msedgeupdateres_mt.dll MicrosoftEdgeWebview2Setup.exe File created C:\Program Files (x86)\Microsoft\Temp\EU2A39.tmp\msedgeupdateres_sr-Cyrl-BA.dll MicrosoftEdgeWebview2Setup.exe File created C:\Program Files (x86)\Microsoft\Temp\EU2A39.tmp\msedgeupdateres_ta.dll MicrosoftEdgeWebview2Setup.exe File created C:\Program Files (x86)\Microsoft\Temp\EU2A39.tmp\msedgeupdateres_zh-TW.dll MicrosoftEdgeWebview2Setup.exe File created C:\Program Files (x86)\Microsoft\Temp\EU2A39.tmp\MicrosoftEdgeUpdate.exe MicrosoftEdgeWebview2Setup.exe File created C:\Program Files (x86)\Microsoft\Temp\EU2A39.tmp\msedgeupdateres_ca.dll MicrosoftEdgeWebview2Setup.exe File created C:\Program Files (x86)\Microsoft\Temp\EU2A39.tmp\msedgeupdateres_en-GB.dll MicrosoftEdgeWebview2Setup.exe File created C:\Program Files (x86)\Microsoft\Temp\EU2A39.tmp\msedgeupdateres_sv.dll MicrosoftEdgeWebview2Setup.exe File created C:\Program Files (x86)\Microsoft\Temp\EU2A39.tmp\msedgeupdateres_km.dll MicrosoftEdgeWebview2Setup.exe File created C:\Program Files (x86)\Microsoft\Temp\EU2A39.tmp\msedgeupdateres_sr-Cyrl-RS.dll MicrosoftEdgeWebview2Setup.exe File created C:\Program Files (x86)\Microsoft\Temp\EU2A39.tmp\MicrosoftEdgeUpdateBroker.exe MicrosoftEdgeWebview2Setup.exe File created C:\Program Files (x86)\Microsoft\Temp\EU2A39.tmp\MicrosoftEdgeComRegisterShellARM64.exe MicrosoftEdgeWebview2Setup.exe File created C:\Program Files (x86)\Microsoft\Temp\EU2A39.tmp\psuser_arm64.dll MicrosoftEdgeWebview2Setup.exe File created C:\Program Files (x86)\Microsoft\Temp\EU2A39.tmp\msedgeupdateres_fr.dll MicrosoftEdgeWebview2Setup.exe File created C:\Program Files (x86)\Microsoft\Temp\EU2A39.tmp\msedgeupdateres_ro.dll MicrosoftEdgeWebview2Setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Temp\EU2A39.tmp\MicrosoftEdgeUpdateSetup.exe MicrosoftEdgeWebview2Setup.exe File created C:\Program Files (x86)\Microsoft\Temp\EU2A39.tmp\msedgeupdateres_th.dll MicrosoftEdgeWebview2Setup.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 taskmgr.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString taskmgr.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 taskmgr.exe -
Enumerates system info in registry 2 TTPs 6 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe -
Modifies data under HKEY_USERS 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry chrome.exe Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133641769494382721" chrome.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8B15189E-5465-4166-933D-1EABAD9648CB}\InProcServer32\ThreadingModel = "Both" MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{450CF5FF-95C4-4679-BECA-22680389ECB9}\ = "IAppVersionWeb" MicrosoftEdgeUpdateComRegisterShell64.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{B5977F34-9264-4AC3-9B31-1224827FF6E8}\PROGID MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4EE1FC-0A81-4F56-B0E2-248FB78051AF}\NumMethods\ = "23" MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3A49F783-1C7D-4D35-8F63-5C1C206B9B6E}\NumMethods\ = "17" MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9AA3288-4EA7-4E67-AE60-D18EADCB923D}\ProxyStubClsid32 MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5F9C80B5-9E50-43C9-887C-7C6412E110DF}\NumMethods MicrosoftEdgeUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32 MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4EE1FC-0A81-4F56-B0E2-248FB78051AF}\ProxyStubClsid32 MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7B3B7A69-7D88-4847-A6BC-90E246A41F69}\NumMethods MicrosoftEdgeUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A5135E58-384F-4244-9A5F-30FA9259413C} MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E55B90F1-DA33-400B-B09E-3AFF7D46BD83}\ProxyStubClsid32 MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5F6A18BB-6231-424B-8242-19E5BB94F8ED}\ = "Microsoft Edge Update CredentialDialog" MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7584D24A-E056-4EB1-8E7B-632F2B0ADC69}\ = "IPolicyStatusValue" MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E55B90F1-DA33-400B-B09E-3AFF7D46BD83}\NumMethods MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{60355531-5BFD-45AB-942C-7912628752C7}\ProxyStubClsid32 MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{08D832B9-D2FD-481F-98CF-904D00DF63CC}\ProgID\ = "MicrosoftEdgeUpdate.ProcessLauncher.1.0" MicrosoftEdgeUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCE48F77-C677-4012-8A1A-54D2E2BC07BD}\NumMethods MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3A49F783-1C7D-4D35-8F63-5C1C206B9B6E} MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6DFFE7FE-3153-4AF1-95D8-F8FCCA97E56B}\NumMethods\ = "8" MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.PolicyStatusMachine.1.0\ = "Microsoft Edge Update Broker Class Factory" MicrosoftEdgeUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4F4A7E-977C-4E23-AD8F-626A491715DF}\NumMethods MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AB4EE1FC-0A81-4F56-B0E2-248FB78051AF}\ = "IPolicyStatus2" MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E55B90F1-DA33-400B-B09E-3AFF7D46BD83}\NumMethods\ = "9" MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EA92A799-267E-4DF5-A6ED-6A7E0684BB8A}\ProgID MicrosoftEdgeUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A5135E58-384F-4244-9A5F-30FA9259413C}\NumMethods MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{837E40DA-EB1B-440C-8623-0F14DF158DC0}\ = "IAppBundleWeb" MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E3D94CEB-EC11-46BE-8872-7DDCE37FABFA} MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AB4F4A7E-977C-4E23-AD8F-626A491715DF}\NumMethods\ = "41" MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2EC826CB-5478-4533-9015-7580B3B5E03A}\NumMethods\ = "11" MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E55B90F1-DA33-400B-B09E-3AFF7D46BD83}\ProxyStubClsid32\ = "{8B15189E-5465-4166-933D-1EABAD9648CB}" MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B5977F34-9264-4AC3-9B31-1224827FF6E8}\ProgID\ = "MicrosoftEdgeUpdate.PolicyStatusMachine.1.0" MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3E102DC6-1EDB-46A1-8488-61F71B35ED5F}\ = "IRegistrationUpdateHook" MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{177CAE89-4AD6-42F4-A458-00EC3389E3FE}\NumMethods MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AB4EE1FC-0A81-4F56-B0E2-248FB78051AF}\NumMethods\ = "23" MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.PolicyStatusMachine.1.0\CLSID\ = "{B5977F34-9264-4AC3-9B31-1224827FF6E8}" MicrosoftEdgeUpdate.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{2E1DD7EF-C12D-4F8E-8AD8-CF8CC265BAD0}\LOCALSERVER32 MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CECDDD22-2E72-4832-9606-A9B0E5E344B2}\ = "Update3COMClass" MicrosoftEdgeUpdate.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{9F3F5F5D-721A-4B19-9B5D-69F664C1A591}\PROGID MicrosoftEdgeUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26} MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8B15189E-5465-4166-933D-1EABAD9648CB}\ = "PSFactoryBuffer" MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A5135E58-384F-4244-9A5F-30FA9259413C}\ProxyStubClsid32\ = "{8B15189E-5465-4166-933D-1EABAD9648CB}" MicrosoftEdgeUpdateComRegisterShell64.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26} MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2603C88B-F971-4167-9DE1-871EE4A3DC84}\NumMethods MicrosoftEdgeUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1B9063E4-3882-485E-8797-F28A0240782F}\NumMethods MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E55B90F1-DA33-400B-B09E-3AFF7D46BD83}\NumMethods\ = "9" MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{195A2EB3-21EE-43CA-9F23-93C2C9934E2E}\ProxyStubClsid32\ = "{8B15189E-5465-4166-933D-1EABAD9648CB}" MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2E1DD7EF-C12D-4F8E-8AD8-CF8CC265BAD0}\Elevation MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8F09CD6C-5964-4573-82E3-EBFF7702865B}\VersionIndependentProgID\ = "MicrosoftEdgeUpdate.CoreClass" MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E3D94CEB-EC11-46BE-8872-7DDCE37FABFA}\InprocHandler32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.171.39\\psmachine_64.dll" MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{837E40DA-EB1B-440C-8623-0F14DF158DC0}\NumMethods MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9A6B447A-35E2-4F6B-A87B-5DEEBBFDAD17} MicrosoftEdgeUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{79E0C401-B7BC-4DE5-8104-71350F3A9B67}\ProxyStubClsid32 MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9AA3288-4EA7-4E67-AE60-D18EADCB923D} MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{60355531-5BFD-45AB-942C-7912628752C7}\NumMethods MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3E102DC6-1EDB-46A1-8488-61F71B35ED5F}\ProxyStubClsid32\ = "{8B15189E-5465-4166-933D-1EABAD9648CB}" MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1B9063E4-3882-485E-8797-F28A0240782F}\NumMethods\ = "4" MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3A49F783-1C7D-4D35-8F63-5C1C206B9B6E}\ProxyStubClsid32\ = "{8B15189E-5465-4166-933D-1EABAD9648CB}" MicrosoftEdgeUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C20433B3-0D4B-49F6-9B6C-6EE0FAE07837}\NumMethods MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{79E0C401-B7BC-4DE5-8104-71350F3A9B67}\NumMethods\ = "5" MicrosoftEdgeUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4F4A7E-977C-4E23-AD8F-626A491715DF}\ProxyStubClsid32 MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9A6B447A-35E2-4F6B-A87B-5DEEBBFDAD17} MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C853632E-36CA-4999-B992-EC0D408CF5AB}\NumMethods MicrosoftEdgeUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7B3B7A69-7D88-4847-A6BC-90E246A41F69} MicrosoftEdgeUpdate.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\144E3687B1ABF2C93D845118485A9E9E4407C93A Wave Goodbye.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\144E3687B1ABF2C93D845118485A9E9E4407C93A\Blob = 030000000100000014000000144e3687b1abf2c93d845118485a9e9e4407c93a2000000001000000b9050000308205b53082039da00302010202140c1f3dced2c83786458b8b3d31fdbfb6558aa8d3300d06092a864886f70d01010b0500306a310b30090603550406130255533113301106035504080c0a43616c69666f726e696131223020060355040a0c19476f6f676c65205472757374205365727669636573204c4c433122302006035504030c19476f6f676c65205472757374205365727669636573204c4c43301e170d3234303630343132313431385a170d3239303630343132313431385a306a310b30090603550406130255533113301106035504080c0a43616c69666f726e696131223020060355040a0c19476f6f676c65205472757374205365727669636573204c4c433122302006035504030c19476f6f676c65205472757374205365727669636573204c4c4330820222300d06092a864886f70d01010105000382020f003082020a0282020100d6b1e4c30f439b224fdad6d7f0686d1d2c05e728c325f8c1da9513002a40a83424bb47b782467f3077d13bb2f3b254f573d17b7817e595888c548b02e845f8a34c2dd1b385675a87ab87e8428b3c6c0bdd16a24ea10495480af3582e55316f9c0731ef7f3c4fd15015899655f5a2a45cc9fee0a92200c073d48f1e437190720766f19bffa8d59fffadd3525f523e31a6cfdd633708c2a195b61ec910b8c302c99ac42baee759e1be9def6b01b02accef28aa13a9335e5d05e03cfb97c4c5efc7cce1d0854fb0085dd191acd9445bd193a6768131c336da2ebff5fd1508e7b93db45c54ea495f6486ef7539f614b9ba8b51877e23f3ee35c7b3cf9eac34bdbb89c2851671a19ab19111dbe647b206e0a014d7a8dc8acfb4115ad5c1b949d033d328d68e3280d6b7da552e7913f76378f18bbd2ad97ba05d42f80626515b47eac6d9613768113a31462d6ce41eef081aa359e83f0d4f4648352fda4f31d0ff8d5072152fbbaa6f51839d215c482f7e14fc7c6d52430fc1c2922ec081ce64534318e0764ede4f3f619e6cecc68b97ebb2dba85d47250181d4c649f34540ebe60ab64d3eabae9001dc3fcd15d9027f4b3babe6efcc012821ba49da004cdb4d367f77faec3ef44dad14f36ca7847381dba54468bdb3797dbdb30ce9b1f2b3ea39a7c1985f3ae3f3ee4e1d699dc60b70ab3559d360b752ffe5867efa6025fa022f825d0203010001a3533051301d0603551d0e04160414259f70a24e8b332df0f8d98bd36ce93fabc894ab301f0603551d23041830168014259f70a24e8b332df0f8d98bd36ce93fabc894ab300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038202010020e5f289742cba5c4627793a8a2f0d14d59acbf92bb4f97cbdeaf80208fc6027fecb3f1e4bca7dddfabf486f12d0098816361eccb47f037001dc7c5d16124c0025fad0ab4d35dccb3a624dbe5c0e38fe60658abad9f572ecca5df3f774d5a5eb5dbb56406ece7bbce47fa74d40ff0ba3309a9f95e791f980cec44b9da29604835db786bbdf714ab712c6287fc4940ef7f0449f3029e940fe61b290c2cea73b783fbaa21ea4a8b3f6cfdcc63b9dbd6a8731964aab6383ec01eea8fbf142778eddf538b022aaa4ac101e33a196aaa6d11aeeeaa37dd4d8f5d6bfa42c8fb58cc7adb08f38502592084a51f2d1ebd356991c837072879b1240993bf4ad01adcb998860f8c4680d6d76f2c5c68afe5de757deab7877bb287eb60fc46392a8113cd45a094b88101ec0d0c5d34dc4d3b4870567188aeb1f8df2c26fd5d12667575c71ea1bf272e424af711170b617ec3a5ce1a0db9a208b31b3b1048b61267b16d5287ee575d5b293988879775eee5d4392aa8f8eb3b39f91203a40990fd4d84c9965acd373bea5e44fa38491c08ac7c0bf6daa246b2b618b12a1756ff12ef401b7d38cdc6bfb0b5ecb7c89f113bf13c827a854492f65e4ee6c9e70fae22dcce01aec83294ba3ed620ab9ca681d6bb71bb4d397ba744d22912bca79aee83287e49593914e0001d4006acc74cdc83da2160f1deb7ac0fe5046c557771eefb82a4758929d Wave Goodbye.exe -
NTFS ADS 1 IoCs
description ioc Process File opened for modification C:\Users\Admin\Downloads\Unconfirmed 386433.crdownload:SmartScreen msedge.exe -
Suspicious behavior: EnumeratesProcesses 31 IoCs
pid Process 1152 msedge.exe 1152 msedge.exe 4080 msedge.exe 4080 msedge.exe 4944 identity_helper.exe 4944 identity_helper.exe 380 msedge.exe 380 msedge.exe 3144 msedge.exe 3144 msedge.exe 5308 chrome.exe 5308 chrome.exe 5144 WaveWindows.exe 1716 CefSharp.BrowserSubprocess.exe 1716 CefSharp.BrowserSubprocess.exe 4324 CefSharp.BrowserSubprocess.exe 4324 CefSharp.BrowserSubprocess.exe 5144 WaveWindows.exe 5144 WaveWindows.exe 6044 taskmgr.exe 6044 taskmgr.exe 6044 taskmgr.exe 6044 taskmgr.exe 6044 taskmgr.exe 6044 taskmgr.exe 6044 taskmgr.exe 6044 taskmgr.exe 6044 taskmgr.exe 6044 taskmgr.exe 6564 MicrosoftEdgeUpdate.exe 6564 MicrosoftEdgeUpdate.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs
pid Process 4080 msedge.exe 4080 msedge.exe 4080 msedge.exe 4080 msedge.exe 4080 msedge.exe 4080 msedge.exe 4080 msedge.exe 4080 msedge.exe 4080 msedge.exe 5308 chrome.exe 5308 chrome.exe 5308 chrome.exe 5308 chrome.exe 5308 chrome.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeShutdownPrivilege 5308 chrome.exe Token: SeCreatePagefilePrivilege 5308 chrome.exe Token: SeShutdownPrivilege 5308 chrome.exe Token: SeCreatePagefilePrivilege 5308 chrome.exe Token: SeShutdownPrivilege 5308 chrome.exe Token: SeCreatePagefilePrivilege 5308 chrome.exe Token: SeShutdownPrivilege 5308 chrome.exe Token: SeCreatePagefilePrivilege 5308 chrome.exe Token: SeShutdownPrivilege 5308 chrome.exe Token: SeCreatePagefilePrivilege 5308 chrome.exe Token: SeShutdownPrivilege 5308 chrome.exe Token: SeCreatePagefilePrivilege 5308 chrome.exe Token: SeShutdownPrivilege 5308 chrome.exe Token: SeCreatePagefilePrivilege 5308 chrome.exe Token: SeShutdownPrivilege 5308 chrome.exe Token: SeCreatePagefilePrivilege 5308 chrome.exe Token: SeShutdownPrivilege 5308 chrome.exe Token: SeCreatePagefilePrivilege 5308 chrome.exe Token: SeShutdownPrivilege 5308 chrome.exe Token: SeCreatePagefilePrivilege 5308 chrome.exe Token: SeShutdownPrivilege 5308 chrome.exe Token: SeCreatePagefilePrivilege 5308 chrome.exe Token: SeShutdownPrivilege 5308 chrome.exe Token: SeCreatePagefilePrivilege 5308 chrome.exe Token: SeShutdownPrivilege 5308 chrome.exe Token: SeCreatePagefilePrivilege 5308 chrome.exe Token: SeShutdownPrivilege 5308 chrome.exe Token: SeCreatePagefilePrivilege 5308 chrome.exe Token: SeShutdownPrivilege 5308 chrome.exe Token: SeCreatePagefilePrivilege 5308 chrome.exe Token: SeShutdownPrivilege 5308 chrome.exe Token: SeCreatePagefilePrivilege 5308 chrome.exe Token: SeShutdownPrivilege 5308 chrome.exe Token: SeCreatePagefilePrivilege 5308 chrome.exe Token: SeShutdownPrivilege 5308 chrome.exe Token: SeCreatePagefilePrivilege 5308 chrome.exe Token: SeShutdownPrivilege 5308 chrome.exe Token: SeCreatePagefilePrivilege 5308 chrome.exe Token: SeShutdownPrivilege 5308 chrome.exe Token: SeCreatePagefilePrivilege 5308 chrome.exe Token: SeShutdownPrivilege 5308 chrome.exe Token: SeCreatePagefilePrivilege 5308 chrome.exe Token: SeShutdownPrivilege 5308 chrome.exe Token: SeCreatePagefilePrivilege 5308 chrome.exe Token: SeShutdownPrivilege 5308 chrome.exe Token: SeCreatePagefilePrivilege 5308 chrome.exe Token: SeDebugPrivilege 5584 WaveInstaller.exe Token: SeDebugPrivilege 5420 WaveBootstrapper.exe Token: SeDebugPrivilege 5144 WaveWindows.exe Token: SeDebugPrivilege 1716 CefSharp.BrowserSubprocess.exe Token: SeDebugPrivilege 4324 CefSharp.BrowserSubprocess.exe Token: SeShutdownPrivilege 5144 WaveWindows.exe Token: SeCreatePagefilePrivilege 5144 WaveWindows.exe Token: SeShutdownPrivilege 5144 WaveWindows.exe Token: SeCreatePagefilePrivilege 5144 WaveWindows.exe Token: SeShutdownPrivilege 5144 WaveWindows.exe Token: SeCreatePagefilePrivilege 5144 WaveWindows.exe Token: SeShutdownPrivilege 5144 WaveWindows.exe Token: SeCreatePagefilePrivilege 5144 WaveWindows.exe Token: SeShutdownPrivilege 5144 WaveWindows.exe Token: SeCreatePagefilePrivilege 5144 WaveWindows.exe Token: SeShutdownPrivilege 5144 WaveWindows.exe Token: SeCreatePagefilePrivilege 5144 WaveWindows.exe Token: SeShutdownPrivilege 5144 WaveWindows.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 4080 msedge.exe 4080 msedge.exe 4080 msedge.exe 4080 msedge.exe 4080 msedge.exe 4080 msedge.exe 4080 msedge.exe 4080 msedge.exe 4080 msedge.exe 4080 msedge.exe 4080 msedge.exe 4080 msedge.exe 4080 msedge.exe 4080 msedge.exe 4080 msedge.exe 4080 msedge.exe 4080 msedge.exe 4080 msedge.exe 4080 msedge.exe 4080 msedge.exe 4080 msedge.exe 4080 msedge.exe 4080 msedge.exe 4080 msedge.exe 4080 msedge.exe 4080 msedge.exe 4080 msedge.exe 4080 msedge.exe 4080 msedge.exe 4080 msedge.exe 4080 msedge.exe 4080 msedge.exe 4080 msedge.exe 4080 msedge.exe 4080 msedge.exe 4080 msedge.exe 4080 msedge.exe 4080 msedge.exe 4080 msedge.exe 4080 msedge.exe 4080 msedge.exe 4080 msedge.exe 4080 msedge.exe 4080 msedge.exe 4080 msedge.exe 4440 Wave Goodbye.exe 5308 chrome.exe 5308 chrome.exe 5308 chrome.exe 5308 chrome.exe 5308 chrome.exe 5308 chrome.exe 5308 chrome.exe 5308 chrome.exe 5308 chrome.exe 5308 chrome.exe 5308 chrome.exe 5308 chrome.exe 5308 chrome.exe 5308 chrome.exe 5308 chrome.exe 5308 chrome.exe 5308 chrome.exe 5308 chrome.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 4080 msedge.exe 4080 msedge.exe 4080 msedge.exe 4080 msedge.exe 4080 msedge.exe 4080 msedge.exe 4080 msedge.exe 4080 msedge.exe 4080 msedge.exe 4080 msedge.exe 4080 msedge.exe 4080 msedge.exe 4080 msedge.exe 4080 msedge.exe 4080 msedge.exe 4080 msedge.exe 4080 msedge.exe 4080 msedge.exe 4080 msedge.exe 4080 msedge.exe 4080 msedge.exe 4080 msedge.exe 4080 msedge.exe 4080 msedge.exe 4080 msedge.exe 4080 msedge.exe 4080 msedge.exe 4080 msedge.exe 4080 msedge.exe 4080 msedge.exe 4080 msedge.exe 4080 msedge.exe 5308 chrome.exe 5308 chrome.exe 5308 chrome.exe 5308 chrome.exe 5308 chrome.exe 5308 chrome.exe 5308 chrome.exe 5308 chrome.exe 5308 chrome.exe 5308 chrome.exe 5308 chrome.exe 5308 chrome.exe 5308 chrome.exe 5308 chrome.exe 5308 chrome.exe 5308 chrome.exe 5308 chrome.exe 5308 chrome.exe 5308 chrome.exe 5308 chrome.exe 5308 chrome.exe 5308 chrome.exe 5308 chrome.exe 5308 chrome.exe 2312 Bloxstrap.exe 6044 taskmgr.exe 6044 taskmgr.exe 6044 taskmgr.exe 6044 taskmgr.exe 6044 taskmgr.exe 6044 taskmgr.exe 6044 taskmgr.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 4440 Wave Goodbye.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4080 wrote to memory of 1140 4080 msedge.exe 89 PID 4080 wrote to memory of 1140 4080 msedge.exe 89 PID 4080 wrote to memory of 2000 4080 msedge.exe 90 PID 4080 wrote to memory of 2000 4080 msedge.exe 90 PID 4080 wrote to memory of 2000 4080 msedge.exe 90 PID 4080 wrote to memory of 2000 4080 msedge.exe 90 PID 4080 wrote to memory of 2000 4080 msedge.exe 90 PID 4080 wrote to memory of 2000 4080 msedge.exe 90 PID 4080 wrote to memory of 2000 4080 msedge.exe 90 PID 4080 wrote to memory of 2000 4080 msedge.exe 90 PID 4080 wrote to memory of 2000 4080 msedge.exe 90 PID 4080 wrote to memory of 2000 4080 msedge.exe 90 PID 4080 wrote to memory of 2000 4080 msedge.exe 90 PID 4080 wrote to memory of 2000 4080 msedge.exe 90 PID 4080 wrote to memory of 2000 4080 msedge.exe 90 PID 4080 wrote to memory of 2000 4080 msedge.exe 90 PID 4080 wrote to memory of 2000 4080 msedge.exe 90 PID 4080 wrote to memory of 2000 4080 msedge.exe 90 PID 4080 wrote to memory of 2000 4080 msedge.exe 90 PID 4080 wrote to memory of 2000 4080 msedge.exe 90 PID 4080 wrote to memory of 2000 4080 msedge.exe 90 PID 4080 wrote to memory of 2000 4080 msedge.exe 90 PID 4080 wrote to memory of 2000 4080 msedge.exe 90 PID 4080 wrote to memory of 2000 4080 msedge.exe 90 PID 4080 wrote to memory of 2000 4080 msedge.exe 90 PID 4080 wrote to memory of 2000 4080 msedge.exe 90 PID 4080 wrote to memory of 2000 4080 msedge.exe 90 PID 4080 wrote to memory of 2000 4080 msedge.exe 90 PID 4080 wrote to memory of 2000 4080 msedge.exe 90 PID 4080 wrote to memory of 2000 4080 msedge.exe 90 PID 4080 wrote to memory of 2000 4080 msedge.exe 90 PID 4080 wrote to memory of 2000 4080 msedge.exe 90 PID 4080 wrote to memory of 2000 4080 msedge.exe 90 PID 4080 wrote to memory of 2000 4080 msedge.exe 90 PID 4080 wrote to memory of 2000 4080 msedge.exe 90 PID 4080 wrote to memory of 2000 4080 msedge.exe 90 PID 4080 wrote to memory of 2000 4080 msedge.exe 90 PID 4080 wrote to memory of 2000 4080 msedge.exe 90 PID 4080 wrote to memory of 2000 4080 msedge.exe 90 PID 4080 wrote to memory of 2000 4080 msedge.exe 90 PID 4080 wrote to memory of 2000 4080 msedge.exe 90 PID 4080 wrote to memory of 2000 4080 msedge.exe 90 PID 4080 wrote to memory of 1152 4080 msedge.exe 91 PID 4080 wrote to memory of 1152 4080 msedge.exe 91 PID 4080 wrote to memory of 776 4080 msedge.exe 92 PID 4080 wrote to memory of 776 4080 msedge.exe 92 PID 4080 wrote to memory of 776 4080 msedge.exe 92 PID 4080 wrote to memory of 776 4080 msedge.exe 92 PID 4080 wrote to memory of 776 4080 msedge.exe 92 PID 4080 wrote to memory of 776 4080 msedge.exe 92 PID 4080 wrote to memory of 776 4080 msedge.exe 92 PID 4080 wrote to memory of 776 4080 msedge.exe 92 PID 4080 wrote to memory of 776 4080 msedge.exe 92 PID 4080 wrote to memory of 776 4080 msedge.exe 92 PID 4080 wrote to memory of 776 4080 msedge.exe 92 PID 4080 wrote to memory of 776 4080 msedge.exe 92 PID 4080 wrote to memory of 776 4080 msedge.exe 92 PID 4080 wrote to memory of 776 4080 msedge.exe 92 PID 4080 wrote to memory of 776 4080 msedge.exe 92 PID 4080 wrote to memory of 776 4080 msedge.exe 92 PID 4080 wrote to memory of 776 4080 msedge.exe 92 PID 4080 wrote to memory of 776 4080 msedge.exe 92 PID 4080 wrote to memory of 776 4080 msedge.exe 92 PID 4080 wrote to memory of 776 4080 msedge.exe 92
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/IHaxU/Wave-Goodbye/raw/main/Wave%20Goodbye.exe1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4080 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff82b7446f8,0x7ff82b744708,0x7ff82b7447182⤵PID:1140
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,13243871944423666922,11342458054005772070,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:22⤵PID:2000
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,13243871944423666922,11342458054005772070,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:1152
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,13243871944423666922,11342458054005772070,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2916 /prefetch:82⤵PID:776
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13243871944423666922,11342458054005772070,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:12⤵PID:3992
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13243871944423666922,11342458054005772070,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:12⤵PID:4204
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,13243871944423666922,11342458054005772070,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5428 /prefetch:82⤵PID:2948
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,13243871944423666922,11342458054005772070,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5428 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4944
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2140,13243871944423666922,11342458054005772070,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4188 /prefetch:82⤵PID:3324
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13243871944423666922,11342458054005772070,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:12⤵PID:4600
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2140,13243871944423666922,11342458054005772070,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6048 /prefetch:82⤵PID:4000
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2140,13243871944423666922,11342458054005772070,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5792 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:380
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13243871944423666922,11342458054005772070,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5712 /prefetch:12⤵PID:4116
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13243871944423666922,11342458054005772070,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3704 /prefetch:12⤵PID:4000
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13243871944423666922,11342458054005772070,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:12⤵PID:2388
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13243871944423666922,11342458054005772070,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:12⤵PID:2612
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13243871944423666922,11342458054005772070,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2768 /prefetch:12⤵PID:380
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13243871944423666922,11342458054005772070,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1312 /prefetch:12⤵PID:4188
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2140,13243871944423666922,11342458054005772070,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3456 /prefetch:82⤵PID:1348
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2140,13243871944423666922,11342458054005772070,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5808 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:3144
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1012
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:832
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:1212
-
C:\Users\Admin\Downloads\Wave Goodbye.exe"C:\Users\Admin\Downloads\Wave Goodbye.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Drops file in Drivers directory
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4440 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/6NNYUEXAR22⤵PID:4852
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x12c,0x130,0x134,0x108,0x138,0x7ff82b7446f8,0x7ff82b744708,0x7ff82b7447183⤵PID:1012
-
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5308 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff82aadab58,0x7ff82aadab68,0x7ff82aadab782⤵PID:5324
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1708 --field-trial-handle=1820,i,12379753350750988667,3928587079245974857,131072 /prefetch:22⤵PID:5372
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2044 --field-trial-handle=1820,i,12379753350750988667,3928587079245974857,131072 /prefetch:82⤵PID:5156
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2204 --field-trial-handle=1820,i,12379753350750988667,3928587079245974857,131072 /prefetch:82⤵PID:2904
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3100 --field-trial-handle=1820,i,12379753350750988667,3928587079245974857,131072 /prefetch:12⤵PID:1680
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3108 --field-trial-handle=1820,i,12379753350750988667,3928587079245974857,131072 /prefetch:12⤵PID:5428
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4384 --field-trial-handle=1820,i,12379753350750988667,3928587079245974857,131072 /prefetch:12⤵PID:5688
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4516 --field-trial-handle=1820,i,12379753350750988667,3928587079245974857,131072 /prefetch:82⤵PID:1156
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4372 --field-trial-handle=1820,i,12379753350750988667,3928587079245974857,131072 /prefetch:82⤵PID:2868
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4400 --field-trial-handle=1820,i,12379753350750988667,3928587079245974857,131072 /prefetch:82⤵PID:5776
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4904 --field-trial-handle=1820,i,12379753350750988667,3928587079245974857,131072 /prefetch:82⤵PID:5900
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4540 --field-trial-handle=1820,i,12379753350750988667,3928587079245974857,131072 /prefetch:82⤵PID:3788
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4800 --field-trial-handle=1820,i,12379753350750988667,3928587079245974857,131072 /prefetch:12⤵PID:1124
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5108 --field-trial-handle=1820,i,12379753350750988667,3928587079245974857,131072 /prefetch:12⤵PID:5140
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5072 --field-trial-handle=1820,i,12379753350750988667,3928587079245974857,131072 /prefetch:82⤵PID:5744
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5136 --field-trial-handle=1820,i,12379753350750988667,3928587079245974857,131072 /prefetch:82⤵PID:4108
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5144 --field-trial-handle=1820,i,12379753350750988667,3928587079245974857,131072 /prefetch:82⤵PID:5760
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5164 --field-trial-handle=1820,i,12379753350750988667,3928587079245974857,131072 /prefetch:82⤵PID:1412
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4328 --field-trial-handle=1820,i,12379753350750988667,3928587079245974857,131072 /prefetch:82⤵PID:2964
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5196 --field-trial-handle=1820,i,12379753350750988667,3928587079245974857,131072 /prefetch:82⤵PID:1468
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3284 --field-trial-handle=1820,i,12379753350750988667,3928587079245974857,131072 /prefetch:82⤵PID:3612
-
-
C:\Users\Admin\Downloads\WaveInstaller.exe"C:\Users\Admin\Downloads\WaveInstaller.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5584 -
C:\Users\Admin\AppData\Local\Wave\WaveBootstrapper.exe"C:\Users\Admin\AppData\Local\Wave\WaveBootstrapper.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:5420 -
C:\Users\Admin\AppData\Local\Wave\WaveWindows.exe"C:\Users\Admin\AppData\Local\Wave\WaveWindows.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks for any installed AV software in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5144 -
C:\Users\Admin\AppData\Local\CefSharp\CefSharp.BrowserSubprocess.exe"C:\Users\Admin\AppData\Local\CefSharp\CefSharp.BrowserSubprocess.exe" --type=gpu-process --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\CefSharp\locales" --resources-dir-path="C:\Users\Admin\AppData\Local\CefSharp" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CefSharp" --cefsharpexitsub --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2060,i,2874947295252554250,10127910460847000049,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI --variations-seed-version --enable-logging=handle --log-file=2072 --mojo-platform-channel-handle=2040 /prefetch:2 --host-process-id=51445⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1716
-
-
C:\Users\Admin\AppData\Local\CefSharp\CefSharp.BrowserSubprocess.exe"C:\Users\Admin\AppData\Local\CefSharp\CefSharp.BrowserSubprocess.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\CefSharp\locales" --resources-dir-path="C:\Users\Admin\AppData\Local\CefSharp" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CefSharp" --cefsharpexitsub --field-trial-handle=2712,i,2874947295252554250,10127910460847000049,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI --variations-seed-version --enable-logging=handle --log-file=2716 --mojo-platform-channel-handle=2660 /prefetch:3 --host-process-id=51445⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4324
-
-
C:\Users\Admin\AppData\Local\Luau Language Server\node.exe"C:\Users\Admin\AppData\Local\Luau Language Server\node.exe" server --process-id=51445⤵
- Executes dropped EXE
PID:5752 -
C:\Users\Admin\AppData\Local\Luau Language Server\shared\bin\wave-luau.exe"C:\Users\Admin\AppData\Local\Luau Language Server\shared\bin\wave-luau.exe" lsp "--definitions=C:\Users\Admin\AppData\Local\Luau Language Server\shared\bin\globalTypes.d.luau" "--definitions=C:\Users\Admin\AppData\Local\Luau Language Server\shared\bin\wave.d.luau" "--docs=C:\Users\Admin\AppData\Local\Luau Language Server\shared\bin\en-us.json"6⤵PID:5224
-
-
-
C:\Users\Admin\AppData\Local\Bloxstrap\Bloxstrap.exe"C:\Users\Admin\AppData\Local\Bloxstrap\Bloxstrap.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SendNotifyMessage
PID:2312 -
C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-1088f3c8e4a44cc7\WebView2RuntimeInstaller\MicrosoftEdgeWebview2Setup.exe"C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-1088f3c8e4a44cc7\WebView2RuntimeInstaller\MicrosoftEdgeWebview2Setup.exe" /silent /install6⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:6180 -
C:\Program Files (x86)\Microsoft\Temp\EU2A39.tmp\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\Temp\EU2A39.tmp\MicrosoftEdgeUpdate.exe" /silent /install "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers"7⤵
- Event Triggered Execution: Image File Execution Options Injection
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:6564 -
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regsvc8⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:6464
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver8⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:6604 -
C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe"9⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:6612
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe"9⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:6668
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe"9⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:6776
-
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzEuMzkiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzEuMzkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MUM3MkFCMDktRjU2OC00RTBGLTg3NEMtRDZCRTFDM0E5QTIxfSIgdXNlcmlkPSJ7M0REMDREOTMtOUJCNi00RkY3LTlEQzYtNkYyM0Q0OUNDMUQyfSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9Ins2OUU3MDkzMS0wNzM4LTRBMzYtQUVFNy1CNDM5RjE0QzA3MTl9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7RDZqeFBlVW1LZmg4eXR5NkYwN1l4TTFlWkRIL1RWNkZRVDJmZkRpWnl3dz0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7RjNDNEZFMDAtRUZENS00MDNCLTk1NjktMzk4QTIwRjFCQTRBfSIgdmVyc2lvbj0iMS4zLjE4Ny40MSIgbmV4dHZlcnNpb249IjEuMy4xNzEuMzkiIGxhbmc9IiIgYnJhbmQ9IiIgY2xpZW50PSIiPjxldmVudCBldmVudHR5cGU9IjIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjcxMjEzMTg5NDgiIGluc3RhbGxfdGltZV9tcz0iNzEyIi8-PC9hcHA-PC9yZXF1ZXN0Pg8⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
PID:6708
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /handoff "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers" /installsource otherinstallcmd /sessionid "{1C72AB09-F568-4E0F-874C-D6BE1C3A9A21}" /silent8⤵
- Executes dropped EXE
- Loads dropped DLL
PID:6784
-
-
-
-
-
C:\Users\Admin\AppData\Local\CefSharp\CefSharp.BrowserSubprocess.exe"C:\Users\Admin\AppData\Local\CefSharp\CefSharp.BrowserSubprocess.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\CefSharp\locales" --resources-dir-path="C:\Users\Admin\AppData\Local\CefSharp" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CefSharp" --cefsharpexitsub --field-trial-handle=6264,i,2874947295252554250,10127910460847000049,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI --variations-seed-version --enable-logging=handle --log-file=6268 --mojo-platform-channel-handle=6332 /prefetch:8 --host-process-id=51445⤵PID:7900
-
-
C:\Users\Admin\AppData\Local\CefSharp\CefSharp.BrowserSubprocess.exe"C:\Users\Admin\AppData\Local\CefSharp\CefSharp.BrowserSubprocess.exe" --type=renderer --locales-dir-path="C:\Users\Admin\AppData\Local\CefSharp\locales" --resources-dir-path="C:\Users\Admin\AppData\Local\CefSharp" --user-data-dir="C:\Users\Admin\AppData\Local\CefSharp" --cefsharpexitsub --no-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=6400,i,2874947295252554250,10127910460847000049,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI --variations-seed-version --enable-logging=handle --log-file=6396 --mojo-platform-channel-handle=6388 --host-process-id=5144 /prefetch:15⤵PID:7892
-
-
C:\Users\Admin\AppData\Local\CefSharp\CefSharp.BrowserSubprocess.exe"C:\Users\Admin\AppData\Local\CefSharp\CefSharp.BrowserSubprocess.exe" --type=renderer --locales-dir-path="C:\Users\Admin\AppData\Local\CefSharp\locales" --resources-dir-path="C:\Users\Admin\AppData\Local\CefSharp" --user-data-dir="C:\Users\Admin\AppData\Local\CefSharp" --cefsharpexitsub --no-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=6436,i,2874947295252554250,10127910460847000049,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI --variations-seed-version --enable-logging=handle --log-file=6448 --mojo-platform-channel-handle=6428 --host-process-id=5144 /prefetch:15⤵PID:7932
-
-
-
-
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"1⤵PID:5676
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SendNotifyMessage
PID:6044
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
PID:6840 -
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzEuMzkiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzEuMzkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MUM3MkFCMDktRjU2OC00RTBGLTg3NEMtRDZCRTFDM0E5QTIxfSIgdXNlcmlkPSJ7M0REMDREOTMtOUJCNi00RkY3LTlEQzYtNkYyM0Q0OUNDMUQyfSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9InswN0QwRUUyMS0wRENDLTQ4M0ItQTkwOC0wRUIwNjZDRjg2MjR9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7cjQ1MnQxK2syVGdxL0hYemp2Rk5CUmhvcEJXUjlzYmpYeHFlVURIOXVYMD0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7OEE2OUQzNDUtRDU2NC00NjNjLUFGRjEtQTY5RDlFNTMwRjk2fSIgdmVyc2lvbj0iMTEwLjAuNTQ4MS4xMDQiIG5leHR2ZXJzaW9uPSIxMTAuMC41NDgxLjEwNCIgbGFuZz0iZW4iIGJyYW5kPSJHR0xTIiBjbGllbnQ9IiI-PGV2ZW50IGV2ZW50dHlwZT0iMzEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjUiIHN5c3RlbV91cHRpbWVfdGlja3M9IjcxMjcxMzg3ODMiLz48L2FwcD48L3JlcXVlc3Q-2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
PID:7188
-
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x2ec 0x4f01⤵PID:7852
Network
MITRE ATT&CK Enterprise v15
Persistence
Event Triggered Execution
2Component Object Model Hijacking
1Image File Execution Options Injection
1Privilege Escalation
Event Triggered Execution
2Component Object Model Hijacking
1Image File Execution Options Injection
1Defense Evasion
Modify Registry
1Subvert Trust Controls
1Install Root Certificate
1Virtualization/Sandbox Evasion
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
201KB
MD54dc57ab56e37cd05e81f0d8aaafc5179
SHA1494a90728d7680f979b0ad87f09b5b58f16d1cd5
SHA25687c6f7d9b58f136aeb33c96dbfe3702083ec519aafca39be66778a9c27a68718
SHA512320eeed88d7facf8c1f45786951ef81708c82cb89c63a3c820ee631c52ea913e64c4e21f0039c1b277cfb710c4d81cd2191878320d00fd006dd777c727d9dc2b
-
Filesize
196KB
MD5d110423e0c47430d584b1bbfe7a3b831
SHA116bb5b324ecd712f5f83d44e0632554218cc0738
SHA25626826b628c412982ce820ab430bc1d6e7d0f5d5b6b4f856e11988ce631d01b10
SHA512c22c306be98ae4f1f2f11ae2955ba5c0ea36e10f10c23442df9b1905089df7cf8d72cbbdee57db222c96522b57f9672ae00df420d797b04ac7fcbd3208aa02a2
-
Filesize
249KB
MD5772c9fecbd0397f6cfb3d866cf3a5d7d
SHA16de3355d866d0627a756d0d4e29318e67650dacf
SHA2562f88ea7e1183d320fb2b7483de2e860da13dc0c0caaf58f41a888528d78c809f
SHA51282048bd6e50d38a863379a623b8cfda2d1553d8141923acf13f990c7245c833082523633eaa830362a12bfff300da61b3d8b3cccbe038ce2375fdfbd20dbca31
-
C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-1088f3c8e4a44cc7\ExtraContent\textures\ui\LuaApp\graphic\shimmer_lightTheme.png
Filesize20KB
MD54f8f43c5d5c2895640ed4fdca39737d5
SHA1fb46095bdfcab74d61e1171632c25f783ef495fa
SHA256fc57f32c26087eef61b37850d60934eda1100ca8773f08e487191a74766053d1
SHA5127aebc0f79b2b23a76fb41df8bab4411813ffb1abc5e2797810679c0eaa690e7af7561b8473405694bd967470be337417fa42e30f0318acbf171d8f31620a31aa
-
C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-1088f3c8e4a44cc7\ExtraContent\textures\ui\LuaApp\graphic\[email protected]
Filesize71KB
MD53fec0191b36b9d9448a73ff1a937a1f7
SHA1bee7d28204245e3088689ac08da18b43eae531ba
SHA2561a03e6f6a0de045aa588544c392d671c040b82a5598b4246af04f5a74910dc89
SHA512a8ab2bc2d937963af36d3255c6ea09cae6ab1599996450004bb18e8b8bdfbdde728821ac1662d8a0466680679011d8f366577b143766838fe91edf08a40353ce
-
C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-1088f3c8e4a44cc7\ExtraContent\textures\ui\LuaDiscussions\buttonFill.png
Filesize247B
MD581ce54dfd6605840a1bd2f9b0b3f807d
SHA14a3a4c05b9c14c305a8bb06c768abc4958ba2f1c
SHA2560a6a5cafb4dee0d8c1d182ddec9f68ca0471d7fc820cf8dc2d68f27a35cd3386
SHA51257069c8ac03dd0fdfd97e2844c19138800ff6f7d508c26e5bc400b30fe78baa0991cc39f0f86fa10cd5d12b6b11b0b09c1a770e5cb2fdca157c2c8986a09e5ff
-
C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-1088f3c8e4a44cc7\content\configs\DateTimeLocaleConfigs\zh-hans.json
Filesize2KB
MD5fb6605abd624d1923aef5f2122b5ae58
SHA16e98c0a31fa39c781df33628b55568e095be7d71
SHA2567b993133d329c46c0c437d985eead54432944d7b46db6ad6ea755505b8629d00
SHA51297a14eda2010033265b379aa5553359293baf4988a4cdde8a40b0315e318a7b30feee7f5e14c68131e85610c00585d0c67e636999e3af9b5b2209e1a27a82223
-
C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-1088f3c8e4a44cc7\content\configs\DateTimeLocaleConfigs\zh-tw.json
Filesize2KB
MD5702c9879f2289959ceaa91d3045f28aa
SHA1775072f139acc8eafb219af355f60b2f57094276
SHA256a92a6988175f9c1d073e4b54bf6a31f9b5d3652eebdf6a351fb5e12bda76cbd5
SHA512815a6bef134c0db7a5926f0cf4b3f7702d71b0b2f13eca9539cd2fc5a61eea81b1884e4c4bc0b3398880589bff809ac8d5df833e7e4aeda4a1244e9a875d1e97
-
C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-1088f3c8e4a44cc7\content\textures\Cursors\KeyboardMouse\IBeamCursor.png
Filesize292B
MD5464c4983fa06ad6cf235ec6793de5f83
SHA18afeb666c8aee7290ab587a2bfb29fc3551669e8
SHA25699fd7f104948c6ab002d1ec69ffd6c896c91f9accc499588df0980b4346ecbed
SHA512f805f5f38535fe487b899486c8de6cf630114964e2c3ebc2af7152a82c6f6faef681b4d936a1867b5dff6566b688b5c01105074443cc2086b3fe71f7e6e404b1
-
C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-1088f3c8e4a44cc7\content\textures\StudioToolbox\Clear.png
Filesize538B
MD5fa8eaf9266c707e151bb20281b3c0988
SHA13ca097ad4cd097745d33d386cc2d626ece8cb969
SHA2568cf08bf7e50fea7b38f59f162ed956346c55a714ed8a9a8b0a1ada7e18480bc2
SHA512e29274300eab297c6de895bb39170f73f0a4ffa2a8c3732caeeeac16e2c25fb58bb401fdd5823cc62d9c413ec6c43d7c46861d7e14d52f8d9d8ff632e29f167c
-
C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-1088f3c8e4a44cc7\content\textures\StudioUIEditor\valueBoxRoundedRectangle.png
Filesize130B
MD5521fb651c83453bf42d7432896040e5e
SHA18fdbf2cc2617b5b58aaa91b94b0bf755d951cad9
SHA256630303ec4701779eaf86cc9fbf744b625becda53badc7271cbb6ddc56e638d70
SHA5128fa0a50e52a3c7c53735c7dd7af275ebc9c1843f55bb30ebe0587a85955a8da94ff993822d233f7ed118b1070a7d67718b55ba4a597dc49ed2bf2a3836c696f6
-
C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-1088f3c8e4a44cc7\content\textures\TerrainTools\checkbox_square.png
Filesize985B
MD52cb16991a26dc803f43963bdc7571e3f
SHA112ad66a51b60eeaed199bc521800f7c763a3bc7b
SHA256c7bae6d856f3bd9f00c122522eb3534d0d198a9473b6a379a5c3458181870646
SHA5124c9467e5e2d83b778d0fb8b6fd97964f8d8126f07bfd50c5d68c256703f291ceaed56be057e8e2c591b2d2c49f6b7e099a2b7088d0bf5bdd901433459663b1f8
-
C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-1088f3c8e4a44cc7\content\textures\ui\Controls\XboxController\Thumbstick1.png
Filesize641B
MD52cbe38df9a03133ddf11a940c09b49cd
SHA16fb5c191ed8ce9495c66b90aaf53662bfe199846
SHA2560835a661199a7d8df7249e8ae925987184efcc4fb85d9efac3cc2c1495020517
SHA512dcef5baccef9fff632456fe7bc3c4f4a403363d9103a8047a55f4bd4c413d0c5f751a2e37385fe9eba7a420dbdb77ca2ff883d47fcdd35af222191cc5bd5c7a9
-
C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-1088f3c8e4a44cc7\content\textures\ui\Controls\XboxController\[email protected]
Filesize1KB
MD5e8c88cf5c5ef7ae5ddee2d0e8376b32f
SHA177f2a5b11436d247d1acc3bac8edffc99c496839
SHA2569607af14604a8e8eb1dec45d3eeca01fed33140c0ccc3e6ef8ca4a1f6219b5dd
SHA51232f5a1e907705346a56fbddfe0d8841d05415ff7abe28ae9281ba46fedf8270b982be0090b72e2e32de0ce36e21934f80eaf508fd010f7ab132d39f5305fb68f
-
C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-1088f3c8e4a44cc7\content\textures\ui\Controls\XboxController\[email protected]
Filesize1KB
MD5499333dae156bb4c9e9309a4842be4c8
SHA1d18c4c36bdb297208589dc93715560acaf761c3a
SHA256d35a74469f1436f114c27c730a5ec0793073bcf098db37f10158d562a3174591
SHA51291c64173d2cdabc045c70e0538d45e1022cc74ec04989565b85f0f26fe3e788b700a0956a07a8c91d34c06fc1b7fad43bbdbb41b0c6f15b9881c3e46def8103e
-
C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-1088f3c8e4a44cc7\content\textures\ui\Controls\XboxController\Thumbstick2.png
Filesize738B
MD5a402aacac8be906bcc07d50669d32061
SHA19d75c1afbe9fc482983978cae4c553aa32625640
SHA25662a313b6cc9ffe7dd86bc9c4fcd7b8e8d1f14a15cdf41a53fb69af4ae3416102
SHA512d11567bcaad8bbd9e2b9f497c3215102c7e7546caf425e93791502d3d2b3f78dec13609796fcd6e1e7f5c7d794bac074d00a74001e7fe943d63463b483877546
-
C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-1088f3c8e4a44cc7\content\textures\ui\Controls\XboxController\[email protected]
Filesize1KB
MD583e9b7823c0a5c4c67a603a734233dec
SHA12eaf04ad636bf71afdf73b004d17d366ac6d333e
SHA2563b5e06eb1a89975def847101f700f0caa60fe0198f53e51974ef1608c6e1e067
SHA512e8abb39a1ec340ac5c7d63137f607cd09eae0e885e4f73b84d8adad1b8f574155b92fbf2c9d3013f64ebbb6d55ead5419e7546b0f70dcde976d49e7440743b0f
-
C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-1088f3c8e4a44cc7\content\textures\ui\Controls\XboxController\[email protected]
Filesize1KB
MD555b64987636b9740ab1de7debd1f0b2f
SHA196f67222ce7d7748ec968e95a2f6495860f9d9c9
SHA256f4a6bb3347ee3e603ea0b2f009bfa802103bc434ae3ff1db1f2043fa8cace8fc
SHA51273a88a278747de3fefbaabb3ff90c1c0750c8d6c17746787f17061f4eff933620407336bf9b755f4222b0943b07d8c4d01de1815d42ea65e78e0daa7072591e9
-
Filesize
738B
MD528b7e19429bfecc39a2328c699d60615
SHA1b685feca0ae538aa581d30474cf786221285a986
SHA2561e91738838c90acf95c64d3d530e1f3c64866f2e00936cb1e6eb4b6e463c5a28
SHA512798ae06936f3153d1a8744a7707a45ab2cd19b06446dd0c94147801542bd926c06f59771914514cef380da982731b1858d2c1c7d907c4a7e396324eeb39c5ae2
-
Filesize
434B
MD591888b8850545fbbebdf1c424a7ed999
SHA11f048f3eb04a2e1bce39401dc99b6ff275c07498
SHA256f9998707d334ccc6d220af869d7ebca4037eec8af8c4ec5de17cb7c9e750d1ed
SHA512df1c49c272115cf4e213debc09214e2bfcbe84b401f69a96c151ea5bd79fe44d70973c93e22a0a8869064a2152de98b9cce2e70a6bcfc231b707894e3d4b31ec
-
Filesize
667KB
MD5ae195e80859781a20414cf5faa52db06
SHA1b18ecb5ec141415e3a210880e2b3d37470636485
SHA2569957802c0792e621f76bbdb1c630fbad519922743b5d193294804164babda552
SHA512c6fef84615fe20d1760ca496c98629feb4e533556724e9631d4282622748e7601225cf19dfb8351f4b540ae3f83785c1bcea6fe8c246cf70388e527654097c1c
-
Filesize
1020KB
MD57191d97ce7886a1a93a013e90868db96
SHA152dd736cb589dd1def87130893d6b9449a6a36e3
SHA25632f925f833aa59e3f05322549fc3c326ac6fc604358f4efbf94c59d5c08b8dc6
SHA51238ebb62c34d466935eabb157197c7c364d4345f22aa3b2641b636196ca1aeaa2152ac75d613ff90817cb94825189612ddd12fb96df29469511a46a7d9620e724
-
Filesize
10.2MB
MD574bded81ce10a426df54da39cfa132ff
SHA1eb26bcc7d24be42bd8cfbded53bd62d605989bbf
SHA2567bf96c193befbf23514401f8f6568076450ade52dd1595b85e4dfcf3de5f6fb9
SHA512bd7b7b52d31803b2d4b1fd8cb76481931ed8abb98d779b893d3965231177bdd33386461e1a820b384712013904da094e3cd15ee24a679ddc766132677a8be54a
-
Filesize
456KB
MD54430b1833d56bc8eb1f7dc82bb7f4bc9
SHA1dc15e6306625f155683326e859d83f846153c547
SHA256b44ddcfac9df4934007e6c55a3c7f5e7f14c7e5e29f35c81de917fc3b22aabbc
SHA512faf93bf371b2a88c1b874a5e2c54e4487fd152ad19c2a406a46f55ae75ecd421a779888c2e4c170857b16bfb5d8744bc1815a4732ed50b064b3cbd0c5ffad889
-
Filesize
8.0MB
MD54933d92c99afa246fc59eef010d5c858
SHA198d443654e93c73dd317f9f847f71fba3d5b3135
SHA25662f4674daa15245ee081920b8ee191e72f36ca8fe24f6b986a832f45676915b2
SHA512a3a69523c8e7310716daeebc06c2ba4fce673eccd1958e824ff179b82f4502d0ec095190179bbb387342e4150f952ea7533182fb6ba90377d17dafba8f4da623
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\98f034e8-97fa-41e7-b1b7-7e697fe5a76e.tmp
Filesize7KB
MD59e342246ae7a2c933c97cee8644b7bce
SHA1071aa5064a36086124225c019707e433ac72aebb
SHA2566d23eff45b898c1abac40c575a7baf47f4f7f6b2a6458bdb32da75eb111a2f69
SHA512ba2ab124902592b1319ef00a82b5a1351930f8228ad5abb4aba98f015b69969b4246a69e6cca81291ccb3a7b17d9f889239d75d3a7f0a8e1dc458c5899730572
-
Filesize
216B
MD506a3feca270d3e06ddbe152756fe2c75
SHA15fdfef97e607b511af6e19187df978327dba6b16
SHA25617de5450e9536c544f1047c33f745256cba1d6155ebe8186ab04d2d45a4a4e5e
SHA512735705cae2466ba14c08d6b99d3ffb4e50cc0d51d3a625893a9476acfb000483ec2f6fef2d121162db08edd5d5e3ed23a0966abced269937b7b51be86265ab7f
-
Filesize
264KB
MD5f50f89a0a91564d0b8a211f8921aa7de
SHA1112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
Filesize
2KB
MD58ed727a60edc33d0ea189aceb637f361
SHA10adf2731518f2093b10f90558781418c60ea8e52
SHA2563655b99e9e0f4db830c97124cc92722c8dd1ae5da72de66044e550a6582562c9
SHA5126e14e0dd879dae33028b37d98f872750a5b84615b157f23918405bec6cd3603b9d4c150e941c3ad510a7f46fc3cc8135ef999be28deab275292a637b3e1be500
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
356B
MD5248b9d871c69084dbb75b96c76cf1f45
SHA14408e1b4d79ca207bdc3966ad7cb95b8b252ef32
SHA2564b8c1916505705d8cc916b99d2f446a9c6c30a5cc8847ba4d8461335385f5d31
SHA512464a4e8ff3ffc64ed35f99d62f43f3fcdeb33cf39650ac298f312d5dccab0cb341892787e74963b3ca7c71505f3319fb5cbb5241de0424893136753a65bc0b30
-
Filesize
524B
MD5023e88000bf11a313308603437a12cd9
SHA1bc17789ac72d64153df25819d8ae2a921b6e05c4
SHA2564847e57af4064821c1c5850bbd313a47c2d4057d5a059f6a347f76f6ab9e4fbf
SHA512d91f9b5e2ba55ece2174f66cd4646d4f9873ffc46dab3ba52612e39d9b9d9d6ef2053ff47e3caa571255539ebf92fe63d990c009e3c8493af0f29f745bc862e6
-
Filesize
7KB
MD50ec2e749366c6431125b1c2f6cab9676
SHA101ef35a795eae6863f7b54ff152af1dab95f4760
SHA256ebe20c65416b83cf69ac7d4684010f58fd3209a0c43f61a9dbdb5675a4a0c0a6
SHA5126208c35dcd996f61c766ad1b83fd8da42b50ea24936c5fb14320a462100dc8b59a64b7867233f24a01d8e4b0c756bfc2e38c1f9a3a79e7fff2197f024ca1d3e7
-
Filesize
7KB
MD5affa0d4e8fb13b3ab8c366a5574be5f8
SHA1c5852f137ea73995d23efff69e9d87559beccfc7
SHA256124c1081527c6546c02ae897faf983ad1eddfd384ff31599cd5d5204c7dff400
SHA5121ba6b28439ebb568a5b229272b3c96a5cce092d241524486b05545ba4ca0641d32fd14c08ec13cb639eaa088d4f0ad16d9911996c040797e6af50a3b9635f13f
-
Filesize
16KB
MD57cd2a4db46d599828677fbea896dba15
SHA16108d39dfea30f27e48de3dc94e88ec899a4086b
SHA25631e70d95a565e97ff81f41c36ff6f5bc14b59d0facc85db050857d7f48cb55fd
SHA5121bf77f704000b46602af48a8db8520580d9c5ec159100e8bb5d1190728a666089fa5b217e490d314af989d0e7638fab772c550aaf489be732f23a2ae100643eb
-
Filesize
281KB
MD5f76f87ff458e549878453c362e456f35
SHA1b0fcb3473680503c059084b4cb916220ae5d1c06
SHA256e02841837db348c42d0e4817ea91beb0f9a0f9de08c0471b388a0cb16452102a
SHA5124d327a06c380c275c1b89afd1c06cf5d4b2e4f1b6b0ec9edc6e85a2f4f0eafc609e2ac8f988ce8d6468faa593eba8cae86b0ef8a352b124b7e1f65c695df5501
-
Filesize
281KB
MD5bb4dc4a0b1d25b89720b93c0dc245c47
SHA116cd1b0917cdef6ba1e23f0a0f7802229be2f409
SHA256ad437ef5152388899d4b9eb7b628207a39e452d497bd7e7b1efdb31d84b6c851
SHA5128d6f508114c02176eb1f79c3a9b4f7dc7122e83a0487215e2270a95823fc7ef6f03f77bf775b6d6f214a29ee9097012f785c7fcee225c4ddfedcbfaf8ac7449b
-
Filesize
152B
MD5c5abc082d9d9307e797b7e89a2f755f4
SHA154c442690a8727f1d3453b6452198d3ec4ec13df
SHA256a055d69c6aba59e97e632d118b7960a5fdfbe35cfdfaa0de14f194fc6f874716
SHA512ad765cddbf89472988de5356db5e0ee254ca3475491c6034fba1897c373702ab7cfa4bd21662ab862eebb48a757c3eb86b1f8ed58629751f71863822a59cd26c
-
Filesize
152B
MD5b4a74bc775caf3de7fc9cde3c30ce482
SHA1c6ed3161390e5493f71182a6cb98d51c9063775d
SHA256dfad4e020a946f85523604816a0a9781091ee4669c870db2cabab027f8b6f280
SHA51255578e254444a645f455ea38480c9e02599ebf9522c32aca50ff37aad33976db30e663d35ebe31ff0ecafb4007362261716f756b3a0d67ac3937ca62ff10e25f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize456B
MD521df655bde987f043cf430408dc48651
SHA16c23126e39c1af88dcc4564d91507705f7647072
SHA25643a39df9ce0f94d8e1ddefa2c4c4d8d100fd8c784946488e36612c346e8b29fd
SHA51237a1c979d6a7b4f1543d79e7ba987460c6cd85211069a0884f5eccef5a376b9e87e95a99b52a39608f3157894a8aeabaf427b57fcfd139bb88b240a1ceea9dec
-
Filesize
474B
MD513181f87122e09ed44e80b3fee1379c3
SHA14cfabf6861fb4e2ee4b2f972eef45bdd8b11f4f2
SHA256ba78bc9982e7c24c0621755b995d10f4ae19de532fafaefff4fabd424a630aa1
SHA5122ec0f52ddce2102420e1dcccd3326c8ad7d22aeba6625d6e4d9a71a7d85db05a922ffec938f7865e5f1f6b02bbaf4d1d5badad2d661d268a4617282da0c68e01
-
Filesize
6KB
MD5d706089ab19815e27d1089ad8bc1d9e7
SHA13c656f141094239176b14e3eef073652376239b0
SHA25602502991c5451db5564e192c7df76f7f4409ad2a3fd35b9f3dcd263a4edb7813
SHA51253fb2b4df23c8252d285d45dd1c16b800f464b96f587c00a1530be4010e7ee50557b4d9528c8fb9f40c7a01188996801484c3d2a1e3cb7777b7df30035d78a28
-
Filesize
6KB
MD5ed2a3850621582c66ffba69243a7a453
SHA13b65e868caa9abdc64cb2a097656c17ac5d4681f
SHA256405c77438759ceb229331da15662a90e608769a2778eae63cc4a25901ead4485
SHA512af73ea9586702f8dc950e0c91b3f4993fd6173e2805218230e4388f47f263439bee8e9b5f263fef9a01eeb43f56c6d9ec807f87118e4641944145d8a263b7984
-
Filesize
6KB
MD594291d49c9c08aabaa942f5f42f0030c
SHA1e026f627876022d1fdeb27d4cb2c4148aa6730ea
SHA256d603c4209a5f36d945a6d15797054d12b34ea1608ab01271f57ab38e5bf2d4ff
SHA512bb27583b4f7fe75b72defd7a5276d545bc070a341a1a73b887e208a764da3e9ab483391a4ce2495314d5b790dfdfc14fdf0eeb252b62983b58b1e9c7f31e0e91
-
Filesize
6KB
MD56cb22391fbc2c055bf1da5e9dde998e9
SHA1dfa3085536776d8a8f7225e5b206f5f7bb681285
SHA25610b44236872e60294a0132f706adf1eaf93100bd8392a2ff478ad8b66e0cd0ec
SHA512078679e2e09950623739ae4adf19f61b68ebe7b2021abaee661d51204d12ee63bab2fc9a9ea4666e52f87955a636083a1429d1bd5e9c26e1d1a8356750c31961
-
Filesize
705B
MD557f4e4b8c6f68e630a36425e2a7db713
SHA1f634a1aadd38b2e96d40eebab1fff3859049c776
SHA2565d6ee20c9a8dfdf4e1c12b5e01fb35473e8b6fd6a0f148e2ec53b8b4815a9217
SHA51260d325edc14265e5822a2ec968ad309705a79c5d029427066fb482f838710c48de083adc48c833d7ae943c740a7954c06ad51fa1de93ef328d2665d8597f93a9
-
Filesize
371B
MD5223d9ee51bb3e666d1c87c6c85b2b819
SHA15c41db3b33707bdcb5432450fddfabde5a087bfe
SHA256cc2f549e407d43705727a1205e9613111619d24e3b2f78458ecdffa98827bb75
SHA512860b638ee234efef0c99b50339cbe4627b1e12cbdaca649de057dae41ddac7e9a555788a9eb50a2a4f55530715ec00c78ebc8e6b34ffe27552e8a60ecc16c81e
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD58d95185ab646068b5a65933da3dc9c2b
SHA1040751ea9980fccdc41b6308fa4b06ba4b173e38
SHA256f0598c15aa85494075d8808137b264257bd528ec9d2662eab17765ff4ad534ac
SHA512595b5fbc0a995e36d2e23b13265eaf4b04e839f2f94a8bae1b523886a31d986d37fade8da4e50d054408749f5858e17b0465889a6df9e611d1b773c8dd0b66d3
-
Filesize
11KB
MD5e0f1e4d4a33488420f9208d666103e01
SHA14f041ea286eb02040478019a9e53209a3086087d
SHA25611864e94e18e224120cb612ffe19ce7e30bfc4c4ef3be3f937ffff4618506ac9
SHA5123f2328d79948fc443beafaabd0fcb0bdb4bb8ff3f1ce171816ec413e4bfb71fbb9df2515b56f6b7a0f8f0e8de10a5d8832886e50db4774eea6a8ed331b45c374
-
Filesize
11KB
MD5cee1662ec6acca11de1f50e6a8235bf3
SHA1e482fa36c05970125d8484ecd21c495c52de0c6d
SHA256f04baf9924e07a1c10be270d7e01674f81d0a80baed2c5da043856ec80a11226
SHA5120515f8b4609c48e223b216b56f18926212042b8cce68a693afd47e00621eaf58348d059815d4b1b4a1f8f63850ee68349b60834d6cdcc50566e1de9efda84b4c
-
Filesize
896KB
MD5eb656be5526a7481f7bc0cdffa838047
SHA1119d745f44b50fd21f6a022f1bfdfa66aa717850
SHA256aa7ab490bd5e59ad3c9c6779114575b4bb00f612fb8b510b128e4298a8adae5e
SHA512f5cd326c8c2175171f122f85e3f541ff3f454b64cdd20c4e475d3aa28057aa73ddd5861595312728d872ab64c34dd14d181cb00d1bd6e8d50beb35c01f37278c
-
Filesize
9KB
MD57050d5ae8acfbe560fa11073fef8185d
SHA15bc38e77ff06785fe0aec5a345c4ccd15752560e
SHA256cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
SHA512a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b
-
Filesize
1.3MB
MD509cba584aa0aae9fc600745567393ef6
SHA1bbd1f93cb0db9cf9e01071b3bed1b4afd6e31279
SHA2560babd84d4e7dc2713e7265d5ac25a3c28d412e705870cded6f5c7c550a5bf8d5
SHA5125f914fa33a63a6d4b46f39c7279687f313728fd5f8437ec592369a2da3256ccff6f325f78ace0e6d3a2c37da1f681058556f7603da13c45b03f2808f779d2aa1
-
Filesize
3.9MB
MD53b4647bcb9feb591c2c05d1a606ed988
SHA1b42c59f96fb069fd49009dfd94550a7764e6c97c
SHA25635773c397036b368c1e75d4e0d62c36d98139ebe74e42c1ff7be71c6b5a19fd7
SHA51200cd443b36f53985212ac43b44f56c18bf70e25119bbf9c59d05e2358ff45254b957f1ec63fc70fb57b1726fd8f76ccfad8103c67454b817a4f183f9122e3f50
-
Filesize
939KB
MD5258a9cae6024c91784bbd8aa5379e86f
SHA1fe1a808ba23053413359a78d5ec096b2cd540dd5
SHA2563881840473ec5286189d2fc8e85f0f26a2532890055d1653da9580aa31b2d0e5
SHA512b621ef432b430d2df0443fa0ebdd59dc7de6b32375c2fc83e8474838843c4abcf4a35f2b5f80e78911fc52336d71812ca9fbc9919314ea3b59bd26036a4ea5a5
-
Filesize
7.5MB
MD57e09dde2226c18dde3c76471c01b3665
SHA194bb80704e14314331e007b942a64f423104644f
SHA2564f9a703b0491de02519a343659f0a351f6ad09942cd82920995d5fa89e6571ae
SHA512c61c911eb37c758f64ae9372eb4208210b6a964bb8604d3fcd3285805448b1801a91c519ed0294815f8167500654b423d19161a82c82f7935ec637c4038c93dc
-
Filesize
6.0MB
MD5b67c09157b260b02037a716d28d7c34f
SHA1a6da5549351e78fda395b5381dcf9e14240390fd
SHA256ceb6a0b8e1c27c75155ab28b9283fe488ae5daca15b0cc58ebfc009200c8e824
SHA51261cc65311af74f83ea950ef54661a5421df67026f7760e257ae3701b3b339f554ac1b42a63f2adafe142ad71a81c545b6749aac0a4f5c78eccd90d072fb7bbad
-
Filesize
1.5MB
MD5c822ab5332b11c9185765b157d0b6e17
SHA17fe909d73a24ddd87171896079cceb8b03663ad4
SHA256344700d3141170111a9b77db100f6961cc54a2988d964d34f7e1ca57aa42aa2a
SHA512a8612836fb4714b939d03f7fe08391bbc635ca83ab853fc677159e5db6b00f76b9b586bdae9c19d2406d9a2713d1caf614132cb6c14e1dddc6ac45e47f7e5a5d
-
Filesize
1KB
MD5deca688b3a2d7e1224e65a13c66b405d
SHA15d088d911e53b05860d2294f081b7a56614c1b1b
SHA256efe68251dcfee5e61bce15c9028f4e237c45e24f23f66d0c9acf5355ba709341
SHA5128ed11f7e130d1d0d5f554849e9ad181f60d242d21aa6019307df20833e7646705716f591b13c9db0ba8643e8800816dd6b691572c80973f540fba14cc84d47be