ceb6a0b8e1c27c75155ab28b9283fe488ae5daca15b0cc58ebfc009200c8e824

Analysis

max time kernel
288s
max time network
287s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
29/06/2024, 23:51

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

WavePremiumCracked.exe
Size

6.0MB
MD5

b67c09157b260b02037a716d28d7c34f
SHA1

a6da5549351e78fda395b5381dcf9e14240390fd
SHA256

ceb6a0b8e1c27c75155ab28b9283fe488ae5daca15b0cc58ebfc009200c8e824
SHA512

61cc65311af74f83ea950ef54661a5421df67026f7760e257ae3701b3b339f554ac1b42a63f2adafe142ad71a81c545b6749aac0a4f5c78eccd90d072fb7bbad
SSDEEP

98304:dHx3rQ9UT/cnDEuzHEAtpW1pAT0WaDMyaATQKC2witrFr9vQVN9x3gHWdFISYft4:73rpbcnDEuzkAtpWzATIaAEHVYJJmN/P

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	WavePremiumCracked.exe

Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	WavePremiumCracked.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	WavePremiumCracked.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	WavePremiumCracked.exe

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	node.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	CefSharp.BrowserSubprocess.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	CefSharp.BrowserSubprocess.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	WaveBootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	WaveWindows.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Bloxstrap.exe

Executes dropped EXE 12 IoCs

pid	Process
368	WaveBootstrapper.exe
3096	WaveWindows.exe
2276	CefSharp.BrowserSubprocess.exe
4596	CefSharp.BrowserSubprocess.exe
5048	node.exe
4832	Bloxstrap.exe
4836	CefSharp.BrowserSubprocess.exe
2464	CefSharp.BrowserSubprocess.exe
1800	CefSharp.BrowserSubprocess.exe
5356	wave-luau.exe
5892	CefSharp.BrowserSubprocess.exe
4944	CefSharp.BrowserSubprocess.exe

Loads dropped DLL 61 IoCs

pid	Process
368	WaveBootstrapper.exe
3096	WaveWindows.exe
3096	WaveWindows.exe
3096	WaveWindows.exe
3096	WaveWindows.exe
3096	WaveWindows.exe
2276	CefSharp.BrowserSubprocess.exe
2276	CefSharp.BrowserSubprocess.exe
2276	CefSharp.BrowserSubprocess.exe
2276	CefSharp.BrowserSubprocess.exe
2276	CefSharp.BrowserSubprocess.exe
2276	CefSharp.BrowserSubprocess.exe
2276	CefSharp.BrowserSubprocess.exe
2276	CefSharp.BrowserSubprocess.exe
2276	CefSharp.BrowserSubprocess.exe
2276	CefSharp.BrowserSubprocess.exe
2276	CefSharp.BrowserSubprocess.exe
4596	CefSharp.BrowserSubprocess.exe
4596	CefSharp.BrowserSubprocess.exe
4596	CefSharp.BrowserSubprocess.exe
4596	CefSharp.BrowserSubprocess.exe
4596	CefSharp.BrowserSubprocess.exe
4596	CefSharp.BrowserSubprocess.exe
4596	CefSharp.BrowserSubprocess.exe
3096	WaveWindows.exe
4836	CefSharp.BrowserSubprocess.exe
4836	CefSharp.BrowserSubprocess.exe
4836	CefSharp.BrowserSubprocess.exe
4836	CefSharp.BrowserSubprocess.exe
4836	CefSharp.BrowserSubprocess.exe
2464	CefSharp.BrowserSubprocess.exe
2464	CefSharp.BrowserSubprocess.exe
2464	CefSharp.BrowserSubprocess.exe
2464	CefSharp.BrowserSubprocess.exe
2464	CefSharp.BrowserSubprocess.exe
2464	CefSharp.BrowserSubprocess.exe
2464	CefSharp.BrowserSubprocess.exe
4836	CefSharp.BrowserSubprocess.exe
4836	CefSharp.BrowserSubprocess.exe
1800	CefSharp.BrowserSubprocess.exe
1800	CefSharp.BrowserSubprocess.exe
1800	CefSharp.BrowserSubprocess.exe
1800	CefSharp.BrowserSubprocess.exe
1800	CefSharp.BrowserSubprocess.exe
1800	CefSharp.BrowserSubprocess.exe
1800	CefSharp.BrowserSubprocess.exe
5892	CefSharp.BrowserSubprocess.exe
5892	CefSharp.BrowserSubprocess.exe
5892	CefSharp.BrowserSubprocess.exe
5892	CefSharp.BrowserSubprocess.exe
5892	CefSharp.BrowserSubprocess.exe
5892	CefSharp.BrowserSubprocess.exe
5892	CefSharp.BrowserSubprocess.exe
4944	CefSharp.BrowserSubprocess.exe
4944	CefSharp.BrowserSubprocess.exe
4944	CefSharp.BrowserSubprocess.exe
4944	CefSharp.BrowserSubprocess.exe
4944	CefSharp.BrowserSubprocess.exe
4944	CefSharp.BrowserSubprocess.exe
4944	CefSharp.BrowserSubprocess.exe
4944	CefSharp.BrowserSubprocess.exe

Themida packer 29 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/3148-0-0x0000000140000000-0x0000000140F65000-memory.dmp	themida
behavioral1/memory/3148-5-0x0000000140000000-0x0000000140F65000-memory.dmp	themida
behavioral1/memory/3148-2-0x0000000140000000-0x0000000140F65000-memory.dmp	themida
behavioral1/memory/3148-4-0x0000000140000000-0x0000000140F65000-memory.dmp	themida
behavioral1/memory/3148-6-0x0000000140000000-0x0000000140F65000-memory.dmp	themida
behavioral1/memory/3148-3-0x0000000140000000-0x0000000140F65000-memory.dmp	themida
behavioral1/memory/3148-7-0x0000000140000000-0x0000000140F65000-memory.dmp	themida
behavioral1/memory/3148-9-0x0000000140000000-0x0000000140F65000-memory.dmp	themida
behavioral1/memory/3148-10-0x0000000140000000-0x0000000140F65000-memory.dmp	themida
behavioral1/memory/3148-11-0x0000000140000000-0x0000000140F65000-memory.dmp	themida
behavioral1/memory/3148-12-0x0000000140000000-0x0000000140F65000-memory.dmp	themida
behavioral1/memory/3148-13-0x0000000140000000-0x0000000140F65000-memory.dmp	themida
behavioral1/memory/3148-18-0x0000000140000000-0x0000000140F65000-memory.dmp	themida
behavioral1/memory/3148-19-0x0000000140000000-0x0000000140F65000-memory.dmp	themida
behavioral1/memory/3148-21-0x0000000140000000-0x0000000140F65000-memory.dmp	themida
behavioral1/memory/3148-22-0x0000000140000000-0x0000000140F65000-memory.dmp	themida
behavioral1/memory/3148-26-0x0000000140000000-0x0000000140F65000-memory.dmp	themida
behavioral1/memory/3148-243-0x0000000140000000-0x0000000140F65000-memory.dmp	themida
behavioral1/memory/3148-244-0x0000000140000000-0x0000000140F65000-memory.dmp	themida
behavioral1/memory/3148-245-0x0000000140000000-0x0000000140F65000-memory.dmp	themida
behavioral1/memory/3148-354-0x0000000140000000-0x0000000140F65000-memory.dmp	themida
behavioral1/memory/3148-373-0x0000000140000000-0x0000000140F65000-memory.dmp	themida
behavioral1/memory/3148-374-0x0000000140000000-0x0000000140F65000-memory.dmp	themida
behavioral1/memory/3148-377-0x0000000140000000-0x0000000140F65000-memory.dmp	themida
behavioral1/memory/3148-378-0x0000000140000000-0x0000000140F65000-memory.dmp	themida
behavioral1/memory/3148-443-0x0000000140000000-0x0000000140F65000-memory.dmp	themida
behavioral1/memory/3148-450-0x0000000140000000-0x0000000140F65000-memory.dmp	themida
behavioral1/memory/3148-465-0x0000000140000000-0x0000000140F65000-memory.dmp	themida
behavioral1/memory/3148-470-0x0000000140000000-0x0000000140F65000-memory.dmp	themida

Checks for any installed AV software in registry 1 TTPs 25 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\KasperskyLab\FontSize	WaveWindows.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\KasperskyLab\TopMost = "0"	WaveWindows.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\KasperskyLab\RefreshRate = "60"	WaveWindows.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\KasperskyLab\SendCurrentDocument = "1"	WaveWindows.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\KasperskyLab\RedirectCompilerError	WaveWindows.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\KasperskyLab\Minimap	WaveWindows.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\KasperskyLab\InlayHints = "1"	WaveWindows.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\KasperskyLab\SendCurrentDocument	WaveWindows.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\KasperskyLab\ContinueOnStartUp = "0"	WaveWindows.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\KasperskyLab\RedirectCompilerError = "1"	WaveWindows.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\KasperskyLab\InlayHints	WaveWindows.exe
Key queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\KasperskyLab	WaveWindows.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\KasperskyLab\UsePerformanceMode	WaveWindows.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\KasperskyLab\RefreshRate	WaveWindows.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\KasperskyLab\FontSize = "14"	WaveWindows.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\KasperskyLab	WaveWindows.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\KasperskyLab\LastUsername	WaveWindows.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\KasperskyLab\Session = "cracked, ihaxu on this shit, FUCK YOU RETARD"	WaveWindows.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\KasperskyLab\UsePerformanceMode = "0"	WaveWindows.exe
Key opened	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\KasperskyLab	WaveWindows.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\KasperskyLab\Session	WaveWindows.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\KasperskyLab\LastUsername = "r0cktd"	WaveWindows.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\KasperskyLab\ContinueOnStartUp	WaveWindows.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\KasperskyLab\TopMost	WaveWindows.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\KasperskyLab\Minimap = "0"	WaveWindows.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WavePremiumCracked.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	WaveWindows.exe
File opened (read-only)	\??\M:	WaveWindows.exe
File opened (read-only)	\??\U:	WaveWindows.exe
File opened (read-only)	\??\W:	WaveWindows.exe
File opened (read-only)	\??\Y:	WaveWindows.exe
File opened (read-only)	\??\B:	WaveWindows.exe
File opened (read-only)	\??\E:	WaveWindows.exe
File opened (read-only)	\??\I:	WaveWindows.exe
File opened (read-only)	\??\N:	WaveWindows.exe
File opened (read-only)	\??\R:	WaveWindows.exe
File opened (read-only)	\??\T:	WaveWindows.exe
File opened (read-only)	\??\Z:	WaveWindows.exe
File opened (read-only)	\??\J:	WaveWindows.exe
File opened (read-only)	\??\K:	WaveWindows.exe
File opened (read-only)	\??\L:	WaveWindows.exe
File opened (read-only)	\??\P:	WaveWindows.exe
File opened (read-only)	\??\Q:	WaveWindows.exe
File opened (read-only)	\??\X:	WaveWindows.exe
File opened (read-only)	\??\A:	WaveWindows.exe
File opened (read-only)	\??\G:	WaveWindows.exe
File opened (read-only)	\??\O:	WaveWindows.exe
File opened (read-only)	\??\S:	WaveWindows.exe
File opened (read-only)	\??\V:	WaveWindows.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs

Web Service

T1102

flow	ioc
32	discord.com
153	raw.githubusercontent.com
174	raw.githubusercontent.com
173	raw.githubusercontent.com
33	discord.com
34	discord.com
154	raw.githubusercontent.com
171	raw.githubusercontent.com
172	raw.githubusercontent.com

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
3148	WavePremiumCracked.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3096_352831567\_platform_specific\win_x86\widevinecdm.dll	WaveWindows.exe
File created	C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3096_352831567\LICENSE	WaveWindows.exe
File created	C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3096_352831567\manifest.json	WaveWindows.exe
File created	C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3096_352831567\_metadata\verified_contents.json	WaveWindows.exe
File created	C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3096_352831567\manifest.fingerprint	WaveWindows.exe
File created	C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3096_352831567\_platform_specific\win_x86\widevinecdm.dll.sig	WaveWindows.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1181767204-2009306918-3718769404-1000\{C5FDC96C-7F57-4679-8460-C18A66D0AB2C}	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1181767204-2009306918-3718769404-1000\{5EA57028-67BE-4F10-90A8-76952C3146A7}	WaveWindows.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\144E3687B1ABF2C93D845118485A9E9E4407C93A	WavePremiumCracked.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\144E3687B1ABF2C93D845118485A9E9E4407C93A\Blob = 030000000100000014000000144e3687b1abf2c93d845118485a9e9e4407c93a2000000001000000b9050000308205b53082039da00302010202140c1f3dced2c83786458b8b3d31fdbfb6558aa8d3300d06092a864886f70d01010b0500306a310b30090603550406130255533113301106035504080c0a43616c69666f726e696131223020060355040a0c19476f6f676c65205472757374205365727669636573204c4c433122302006035504030c19476f6f676c65205472757374205365727669636573204c4c43301e170d3234303630343132313431385a170d3239303630343132313431385a306a310b30090603550406130255533113301106035504080c0a43616c69666f726e696131223020060355040a0c19476f6f676c65205472757374205365727669636573204c4c433122302006035504030c19476f6f676c65205472757374205365727669636573204c4c4330820222300d06092a864886f70d01010105000382020f003082020a0282020100d6b1e4c30f439b224fdad6d7f0686d1d2c05e728c325f8c1da9513002a40a83424bb47b782467f3077d13bb2f3b254f573d17b7817e595888c548b02e845f8a34c2dd1b385675a87ab87e8428b3c6c0bdd16a24ea10495480af3582e55316f9c0731ef7f3c4fd15015899655f5a2a45cc9fee0a92200c073d48f1e437190720766f19bffa8d59fffadd3525f523e31a6cfdd633708c2a195b61ec910b8c302c99ac42baee759e1be9def6b01b02accef28aa13a9335e5d05e03cfb97c4c5efc7cce1d0854fb0085dd191acd9445bd193a6768131c336da2ebff5fd1508e7b93db45c54ea495f6486ef7539f614b9ba8b51877e23f3ee35c7b3cf9eac34bdbb89c2851671a19ab19111dbe647b206e0a014d7a8dc8acfb4115ad5c1b949d033d328d68e3280d6b7da552e7913f76378f18bbd2ad97ba05d42f80626515b47eac6d9613768113a31462d6ce41eef081aa359e83f0d4f4648352fda4f31d0ff8d5072152fbbaa6f51839d215c482f7e14fc7c6d52430fc1c2922ec081ce64534318e0764ede4f3f619e6cecc68b97ebb2dba85d47250181d4c649f34540ebe60ab64d3eabae9001dc3fcd15d9027f4b3babe6efcc012821ba49da004cdb4d367f77faec3ef44dad14f36ca7847381dba54468bdb3797dbdb30ce9b1f2b3ea39a7c1985f3ae3f3ee4e1d699dc60b70ab3559d360b752ffe5867efa6025fa022f825d0203010001a3533051301d0603551d0e04160414259f70a24e8b332df0f8d98bd36ce93fabc894ab301f0603551d23041830168014259f70a24e8b332df0f8d98bd36ce93fabc894ab300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038202010020e5f289742cba5c4627793a8a2f0d14d59acbf92bb4f97cbdeaf80208fc6027fecb3f1e4bca7dddfabf486f12d0098816361eccb47f037001dc7c5d16124c0025fad0ab4d35dccb3a624dbe5c0e38fe60658abad9f572ecca5df3f774d5a5eb5dbb56406ece7bbce47fa74d40ff0ba3309a9f95e791f980cec44b9da29604835db786bbdf714ab712c6287fc4940ef7f0449f3029e940fe61b290c2cea73b783fbaa21ea4a8b3f6cfdcc63b9dbd6a8731964aab6383ec01eea8fbf142778eddf538b022aaa4ac101e33a196aaa6d11aeeeaa37dd4d8f5d6bfa42c8fb58cc7adb08f38502592084a51f2d1ebd356991c837072879b1240993bf4ad01adcb998860f8c4680d6d76f2c5c68afe5de757deab7877bb287eb60fc46392a8113cd45a094b88101ec0d0c5d34dc4d3b4870567188aeb1f8df2c26fd5d12667575c71ea1bf272e424af711170b617ec3a5ce1a0db9a208b31b3b1048b61267b16d5287ee575d5b293988879775eee5d4392aa8f8eb3b39f91203a40990fd4d84c9965acd373bea5e44fa38491c08ac7c0bf6daa246b2b618b12a1756ff12ef401b7d38cdc6bfb0b5ecb7c89f113bf13c827a854492f65e4ee6c9e70fae22dcce01aec83294ba3ed620ab9ca681d6bb71bb4d397ba744d22912bca79aee83287e49593914e0001d4006acc74cdc83da2160f1deb7ac0fe5046c557771eefb82a4758929d	WavePremiumCracked.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
3096	WaveWindows.exe
3096	WaveWindows.exe
2276	CefSharp.BrowserSubprocess.exe
2276	CefSharp.BrowserSubprocess.exe
4596	CefSharp.BrowserSubprocess.exe
4596	CefSharp.BrowserSubprocess.exe
3096	WaveWindows.exe
2464	CefSharp.BrowserSubprocess.exe
2464	CefSharp.BrowserSubprocess.exe
4836	CefSharp.BrowserSubprocess.exe
4836	CefSharp.BrowserSubprocess.exe
1800	CefSharp.BrowserSubprocess.exe
1800	CefSharp.BrowserSubprocess.exe
3096	WaveWindows.exe
3096	WaveWindows.exe
5892	CefSharp.BrowserSubprocess.exe
5892	CefSharp.BrowserSubprocess.exe
4944	CefSharp.BrowserSubprocess.exe
4944	CefSharp.BrowserSubprocess.exe
4944	CefSharp.BrowserSubprocess.exe
4944	CefSharp.BrowserSubprocess.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4516	WaveInstaller.exe
Token: SeDebugPrivilege	368	WaveBootstrapper.exe
Token: SeDebugPrivilege	3096	WaveWindows.exe
Token: SeDebugPrivilege	2276	CefSharp.BrowserSubprocess.exe
Token: SeDebugPrivilege	4596	CefSharp.BrowserSubprocess.exe
Token: SeShutdownPrivilege	3096	WaveWindows.exe
Token: SeCreatePagefilePrivilege	3096	WaveWindows.exe
Token: SeShutdownPrivilege	3096	WaveWindows.exe
Token: SeCreatePagefilePrivilege	3096	WaveWindows.exe
Token: SeShutdownPrivilege	3096	WaveWindows.exe
Token: SeCreatePagefilePrivilege	3096	WaveWindows.exe
Token: SeShutdownPrivilege	3096	WaveWindows.exe
Token: SeCreatePagefilePrivilege	3096	WaveWindows.exe
Token: SeShutdownPrivilege	3096	WaveWindows.exe
Token: SeCreatePagefilePrivilege	3096	WaveWindows.exe
Token: SeShutdownPrivilege	3096	WaveWindows.exe
Token: SeCreatePagefilePrivilege	3096	WaveWindows.exe
Token: SeShutdownPrivilege	3096	WaveWindows.exe
Token: SeCreatePagefilePrivilege	3096	WaveWindows.exe
Token: SeShutdownPrivilege	3096	WaveWindows.exe
Token: SeCreatePagefilePrivilege	3096	WaveWindows.exe
Token: SeShutdownPrivilege	3096	WaveWindows.exe
Token: SeCreatePagefilePrivilege	3096	WaveWindows.exe
Token: SeShutdownPrivilege	3096	WaveWindows.exe
Token: SeCreatePagefilePrivilege	3096	WaveWindows.exe
Token: SeShutdownPrivilege	3096	WaveWindows.exe
Token: SeCreatePagefilePrivilege	3096	WaveWindows.exe
Token: SeShutdownPrivilege	3096	WaveWindows.exe
Token: SeCreatePagefilePrivilege	3096	WaveWindows.exe
Token: SeShutdownPrivilege	3096	WaveWindows.exe
Token: SeCreatePagefilePrivilege	3096	WaveWindows.exe
Token: SeShutdownPrivilege	3096	WaveWindows.exe
Token: SeCreatePagefilePrivilege	3096	WaveWindows.exe
Token: SeShutdownPrivilege	3096	WaveWindows.exe
Token: SeCreatePagefilePrivilege	3096	WaveWindows.exe
Token: SeShutdownPrivilege	3096	WaveWindows.exe
Token: SeCreatePagefilePrivilege	3096	WaveWindows.exe
Token: SeShutdownPrivilege	3096	WaveWindows.exe
Token: SeCreatePagefilePrivilege	3096	WaveWindows.exe
Token: SeShutdownPrivilege	3096	WaveWindows.exe
Token: SeCreatePagefilePrivilege	3096	WaveWindows.exe
Token: SeShutdownPrivilege	3096	WaveWindows.exe
Token: SeCreatePagefilePrivilege	3096	WaveWindows.exe
Token: SeShutdownPrivilege	3096	WaveWindows.exe
Token: SeCreatePagefilePrivilege	3096	WaveWindows.exe
Token: SeShutdownPrivilege	3096	WaveWindows.exe
Token: SeCreatePagefilePrivilege	3096	WaveWindows.exe
Token: SeShutdownPrivilege	3096	WaveWindows.exe
Token: SeCreatePagefilePrivilege	3096	WaveWindows.exe
Token: SeShutdownPrivilege	3096	WaveWindows.exe
Token: SeCreatePagefilePrivilege	3096	WaveWindows.exe
Token: SeShutdownPrivilege	3096	WaveWindows.exe
Token: SeCreatePagefilePrivilege	3096	WaveWindows.exe
Token: SeShutdownPrivilege	3096	WaveWindows.exe
Token: SeCreatePagefilePrivilege	3096	WaveWindows.exe
Token: SeShutdownPrivilege	3096	WaveWindows.exe
Token: SeCreatePagefilePrivilege	3096	WaveWindows.exe
Token: SeShutdownPrivilege	3096	WaveWindows.exe
Token: SeCreatePagefilePrivilege	3096	WaveWindows.exe
Token: SeShutdownPrivilege	3096	WaveWindows.exe
Token: SeCreatePagefilePrivilege	3096	WaveWindows.exe
Token: SeShutdownPrivilege	3096	WaveWindows.exe
Token: SeCreatePagefilePrivilege	3096	WaveWindows.exe
Token: SeShutdownPrivilege	3096	WaveWindows.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3148	WavePremiumCracked.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
5048	node.exe
4832	Bloxstrap.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 3148 wrote to memory of 5004	3148	WavePremiumCracked.exe	94
PID 3148 wrote to memory of 5004	3148	WavePremiumCracked.exe	94
PID 4516 wrote to memory of 368	4516	WaveInstaller.exe	122
PID 4516 wrote to memory of 368	4516	WaveInstaller.exe	122
PID 4516 wrote to memory of 368	4516	WaveInstaller.exe	122
PID 368 wrote to memory of 3096	368	WaveBootstrapper.exe	123
PID 368 wrote to memory of 3096	368	WaveBootstrapper.exe	123
PID 368 wrote to memory of 3096	368	WaveBootstrapper.exe	123
PID 3096 wrote to memory of 2276	3096	WaveWindows.exe	124
PID 3096 wrote to memory of 2276	3096	WaveWindows.exe	124
PID 3096 wrote to memory of 2276	3096	WaveWindows.exe	124
PID 3096 wrote to memory of 4596	3096	WaveWindows.exe	126
PID 3096 wrote to memory of 4596	3096	WaveWindows.exe	126
PID 3096 wrote to memory of 4596	3096	WaveWindows.exe	126
PID 3096 wrote to memory of 5048	3096	WaveWindows.exe	125
PID 3096 wrote to memory of 5048	3096	WaveWindows.exe	125
PID 3096 wrote to memory of 4832	3096	WaveWindows.exe	128
PID 3096 wrote to memory of 4832	3096	WaveWindows.exe	128
PID 3096 wrote to memory of 4836	3096	WaveWindows.exe	129
PID 3096 wrote to memory of 4836	3096	WaveWindows.exe	129
PID 3096 wrote to memory of 4836	3096	WaveWindows.exe	129
PID 3096 wrote to memory of 1800	3096	WaveWindows.exe	130
PID 3096 wrote to memory of 1800	3096	WaveWindows.exe	130
PID 3096 wrote to memory of 1800	3096	WaveWindows.exe	130
PID 3096 wrote to memory of 2464	3096	WaveWindows.exe	131
PID 3096 wrote to memory of 2464	3096	WaveWindows.exe	131
PID 3096 wrote to memory of 2464	3096	WaveWindows.exe	131
PID 5048 wrote to memory of 5356	5048	node.exe	132
PID 5048 wrote to memory of 5356	5048	node.exe	132
PID 3096 wrote to memory of 5892	3096	WaveWindows.exe	134
PID 3096 wrote to memory of 5892	3096	WaveWindows.exe	134
PID 3096 wrote to memory of 5892	3096	WaveWindows.exe	134
PID 3096 wrote to memory of 4944	3096	WaveWindows.exe	135
PID 3096 wrote to memory of 4944	3096	WaveWindows.exe	135
PID 3096 wrote to memory of 4944	3096	WaveWindows.exe	135

C:\Users\Admin\AppData\Local\Temp\WavePremiumCracked.exe
"C:\Users\Admin\AppData\Local\Temp\WavePremiumCracked.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Drops file in Drivers directory
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/6NNYUEXAR2
  2⤵
  PID:5004

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4360,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=3820 /prefetch:8
1⤵
PID:5112

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --field-trial-handle=4428,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=4984 /prefetch:1
1⤵
PID:4844

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=4716,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=5304 /prefetch:1
1⤵
PID:3684

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --field-trial-handle=4916,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=5448 /prefetch:1
1⤵
PID:2632

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --no-appcompat-clear --field-trial-handle=5576,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=5588 /prefetch:8
1⤵
PID:3064

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --field-trial-handle=5904,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=5924 /prefetch:1
1⤵
PID:2376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=5836,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=6104 /prefetch:8
1⤵
PID:1948

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5308,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=4972 /prefetch:8
1⤵
- Modifies registry class
PID:2176

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --field-trial-handle=6192,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=6216 /prefetch:1
1⤵
PID:5104

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5312,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=6564 /prefetch:8
1⤵
PID:2872

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x468 0x470
1⤵
PID:220

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --field-trial-handle=5464,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=6056 /prefetch:1
1⤵
PID:4752

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --field-trial-handle=5524,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=6944 /prefetch:8
1⤵
PID:3224

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --field-trial-handle=6928,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=6696 /prefetch:1
1⤵
PID:1068

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --no-appcompat-clear --field-trial-handle=7044,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=7276 /prefetch:8
1⤵
PID:4032

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --field-trial-handle=6932,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=7280 /prefetch:1
1⤵
PID:1168

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=6772,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=6912 /prefetch:8
1⤵
PID:3832

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=7628,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=7596 /prefetch:8
1⤵
PID:116

C:\Users\Admin\Downloads\WaveInstaller.exe
"C:\Users\Admin\Downloads\WaveInstaller.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4516
- C:\Users\Admin\AppData\Local\Wave\WaveBootstrapper.exe
  "C:\Users\Admin\AppData\Local\Wave\WaveBootstrapper.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:368
- - C:\Users\Admin\AppData\Local\Wave\WaveWindows.exe
    "C:\Users\Admin\AppData\Local\Wave\WaveWindows.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks for any installed AV software in registry
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3096
  - - C:\Users\Admin\AppData\Local\CefSharp\CefSharp.BrowserSubprocess.exe
      "C:\Users\Admin\AppData\Local\CefSharp\CefSharp.BrowserSubprocess.exe" --type=gpu-process --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\CefSharp\locales" --resources-dir-path="C:\Users\Admin\AppData\Local\CefSharp" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CefSharp" --cefsharpexitsub --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2036,i,14382997339746329036,16330660057469169752,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI --variations-seed-version --enable-logging=handle --log-file=2064 --mojo-platform-channel-handle=2028 /prefetch:2 --host-process-id=3096
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2276
  - - C:\Users\Admin\AppData\Local\Luau Language Server\node.exe
      "C:\Users\Admin\AppData\Local\Luau Language Server\node.exe" server --process-id=3096
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:5048
    - - C:\Users\Admin\AppData\Local\Luau Language Server\shared\bin\wave-luau.exe
        
        "C:\Users\Admin\AppData\Local\Luau Language Server\shared\bin\wave-luau.exe" lsp "--definitions=C:\Users\Admin\AppData\Local\Luau Language Server\shared\bin\globalTypes.d.luau" "--definitions=C:\Users\Admin\AppData\Local\Luau Language Server\shared\bin\wave.d.luau" "--docs=C:\Users\Admin\AppData\Local\Luau Language Server\shared\bin\en-us.json"
        5⤵
        Executes dropped EXE
        
        PID:5356
  - - C:\Users\Admin\AppData\Local\CefSharp\CefSharp.BrowserSubprocess.exe
      "C:\Users\Admin\AppData\Local\CefSharp\CefSharp.BrowserSubprocess.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\CefSharp\locales" --resources-dir-path="C:\Users\Admin\AppData\Local\CefSharp" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CefSharp" --cefsharpexitsub --field-trial-handle=2812,i,14382997339746329036,16330660057469169752,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI --variations-seed-version --enable-logging=handle --log-file=2816 --mojo-platform-channel-handle=2808 /prefetch:3 --host-process-id=3096
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4596
  - - C:\Users\Admin\AppData\Local\Bloxstrap\Bloxstrap.exe
      "C:\Users\Admin\AppData\Local\Bloxstrap\Bloxstrap.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:4832
  - - C:\Users\Admin\AppData\Local\CefSharp\CefSharp.BrowserSubprocess.exe
      "C:\Users\Admin\AppData\Local\CefSharp\CefSharp.BrowserSubprocess.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\CefSharp\locales" --resources-dir-path="C:\Users\Admin\AppData\Local\CefSharp" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CefSharp" --cefsharpexitsub --field-trial-handle=7396,i,14382997339746329036,16330660057469169752,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI --variations-seed-version --enable-logging=handle --log-file=7400 --mojo-platform-channel-handle=7392 /prefetch:8 --host-process-id=3096
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      PID:4836
  - - C:\Users\Admin\AppData\Local\CefSharp\CefSharp.BrowserSubprocess.exe
      "C:\Users\Admin\AppData\Local\CefSharp\CefSharp.BrowserSubprocess.exe" --type=renderer --locales-dir-path="C:\Users\Admin\AppData\Local\CefSharp\locales" --resources-dir-path="C:\Users\Admin\AppData\Local\CefSharp" --user-data-dir="C:\Users\Admin\AppData\Local\CefSharp" --cefsharpexitsub --no-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=7516,i,14382997339746329036,16330660057469169752,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI --variations-seed-version --enable-logging=handle --log-file=7520 --mojo-platform-channel-handle=7512 --host-process-id=3096 /prefetch:1
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      PID:1800
  - - C:\Users\Admin\AppData\Local\CefSharp\CefSharp.BrowserSubprocess.exe
      "C:\Users\Admin\AppData\Local\CefSharp\CefSharp.BrowserSubprocess.exe" --type=renderer --locales-dir-path="C:\Users\Admin\AppData\Local\CefSharp\locales" --resources-dir-path="C:\Users\Admin\AppData\Local\CefSharp" --user-data-dir="C:\Users\Admin\AppData\Local\CefSharp" --cefsharpexitsub --no-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=7712,i,14382997339746329036,16330660057469169752,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI --variations-seed-version --enable-logging=handle --log-file=7724 --mojo-platform-channel-handle=7704 --host-process-id=3096 /prefetch:1
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      PID:2464
  - - C:\Users\Admin\AppData\Local\CefSharp\CefSharp.BrowserSubprocess.exe
      "C:\Users\Admin\AppData\Local\CefSharp\CefSharp.BrowserSubprocess.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\CefSharp\locales" --resources-dir-path="C:\Users\Admin\AppData\Local\CefSharp" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CefSharp" --cefsharpexitsub --field-trial-handle=5240,i,14382997339746329036,16330660057469169752,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI --variations-seed-version --enable-logging=handle --log-file=5244 --mojo-platform-channel-handle=6240 /prefetch:8 --host-process-id=3096
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      PID:5892
  - - C:\Users\Admin\AppData\Local\CefSharp\CefSharp.BrowserSubprocess.exe
      "C:\Users\Admin\AppData\Local\CefSharp\CefSharp.BrowserSubprocess.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\CefSharp\locales" --resources-dir-path="C:\Users\Admin\AppData\Local\CefSharp" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CefSharp" --cefsharpexitsub --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=7888,i,14382997339746329036,16330660057469169752,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI --variations-seed-version --enable-logging=handle --log-file=7952 --mojo-platform-channel-handle=8128 /prefetch:8 --host-process-id=3096
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      PID:4944

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=5800,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=6832 /prefetch:8
1⤵
PID:4420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3096_352831567\manifest.json

Filesize
984B

MD5
0359d5b66d73a97ce5dc9f89ed84c458

SHA1
ce17e52eaac909dd63d16d93410de675d3e6ec0d

SHA256
beeab2f8d3833839399dde15ce9085c17b304445577d21333e883d6db6d0b755

SHA512
8fd94a098a4ab5c0fcd48c2cef2bb03328dd4d25c899bf5ed1ca561347d74a8aab8a214ba2d3180a86df72c52eb26987a44631d0ecd9edc84976c28d6c9dc16a

Download Submit
C:\Users\Admin\AppData\Local\Bloxstrap\Bloxstrap.dll

Filesize
4.3MB

MD5
6546ceb273f079342df5e828a60f551b

SHA1
ede41c27df51c39cd731797c340fcb8feda51ea3

SHA256
e440da74de73212d80da3f27661fcb9436d03d9e8dbbb44c9c148aaf38071ca5

SHA512
f0ea83bf836e93ff7b58582329a05ba183a25c92705fab36f576ec0c20cf687ce16a68e483698bda4215d441dec5916ffbdfa1763fb357e14ab5e0f1ffcaf824

Download Submit
C:\Users\Admin\AppData\Local\Bloxstrap\Bloxstrap.exe

Filesize
249KB

MD5
772c9fecbd0397f6cfb3d866cf3a5d7d

SHA1
6de3355d866d0627a756d0d4e29318e67650dacf

SHA256
2f88ea7e1183d320fb2b7483de2e860da13dc0c0caaf58f41a888528d78c809f

SHA512
82048bd6e50d38a863379a623b8cfda2d1553d8141923acf13f990c7245c833082523633eaa830362a12bfff300da61b3d8b3cccbe038ce2375fdfbd20dbca31

Download Submit
C:\Users\Admin\AppData\Local\Bloxstrap\Bloxstrap.runtimeconfig.json

Filesize
372B

MD5
d94cf983fba9ab1bb8a6cb3ad4a48f50

SHA1
04855d8b7a76b7ec74633043ef9986d4500ca63c

SHA256
1eca0f0c70070aa83bb609e4b749b26dcb4409784326032726394722224a098a

SHA512
09a9667d4f4622817116c8bc27d3d481d5d160380a2e19b8944bdd1271a83f718415ce5e6d66e82e36819e575ec1b55f19c45213e0013b877b8d61e6feb9d998

Download Submit
C:\Users\Admin\AppData\Local\CefSharp\CefSharp.BrowserSubprocess.Core.dll

Filesize
915KB

MD5
100c32f77e68a2ce962e1a28997567ea

SHA1
a80a1f4019b8d44df6b5833fb0c51b929fa79843

SHA256
c0b9e29b240d8328f2f9a29ca0298ca4d967a926f3174a3442c3730c00d5a926

SHA512
f95530ef439fa5c4e3bc02db249b6a76e9d56849816ead83c9cd9bcd49d3443ccb88651d829165c98a67af40b3ef02b922971114f29c5c735e662ca35c0fb6ed

Download Submit
C:\Users\Admin\AppData\Local\CefSharp\CefSharp.BrowserSubprocess.exe

Filesize
7KB

MD5
516ff62b2e1f4642caa954c0968719e8

SHA1
e349d0ce82e2109dd0d18416d9cf46e8411b7f15

SHA256
19da58849cec5933860116e60a1e94b08e30d90e0f955768270b47998d612045

SHA512
7aa4a0c87b29c2a84f585a884d8208fc2352a43f2cdb549c100e3b121837ad5f8dadb1101f57d1d3fcb7ebec9d9f22e07dc14239b7d2e2d25793c999becf288b

Download Submit
C:\Users\Admin\AppData\Local\CefSharp\CefSharp.dll

Filesize
272KB

MD5
9ca06a8f9e5f7239ca225ab810274023

SHA1
e1a219f567a7b7d3af9386df51b14c76e769c044

SHA256
5fd00ae3e83e6ca156647ff6df87b49ffc7cad47c23fe3ae07c067c5adf6f74a

SHA512
430c9bceed5439b987d5bd4840cfe32411ca61594f18597aca1948aa39a22c9d70beadf3bb9b1dd0373f81a94a25dcba17fa8e8c73abf06cba28d0971d5614c5

Download Submit
C:\Users\Admin\AppData\Local\CefSharp\LocalPrefs.json

Filesize
529B

MD5
eb11e926c95506768fcc2fa9132282dc

SHA1
e58eede9db746774dcdf46a19f4d2abff5b4a753

SHA256
7a7228480175dfec506cf8195630d31eadef0d373a16a09cf8cd77b83100bfac

SHA512
13140c31e3573175669f5843da1dc46bce44c55685317eee8836d7bdbb4b41c9d09f54d083440d9bcf5a07c3f85bb468356b4f22d9a50a3ca3588c8fe19c8487

Download Submit
C:\Users\Admin\AppData\Local\CefSharp\LocalPrefs.json

Filesize
738B

MD5
2eff19d32b87652df8fa01e628a9d3d6

SHA1
86b222b69444f0aaf257c2e9f568816d9a5762b5

SHA256
9363fbe7bc70204ccffe4fbb44c21b438bd55c027a95920e3d47c029e92948ca

SHA512
eaea114425fd24c44dabddca33e159b8a25dacd8b8a2898bcb71194b777ee33bb7d99dfe35fbd715278a9abd7f6173962cc3cf27d7d85a5810fb734f425fc7b5

Download Submit
C:\Users\Admin\AppData\Local\CefSharp\LocalPrefs.json

Filesize
850B

MD5
a3722714e823d90498511046c7562902

SHA1
6845476b9813dccd04188d2c4cf2c72497054208

SHA256
1f7f53dcf6782a10a45b2653423568391aae0396457debd1045ea8964c4a1cdd

SHA512
5382c77f6a10bc655ffb3daa1844269c21cd8c4ac224f1cf3ea14b051e475c07b54c239f20c13118bf63da2b4c85f08fea37e452f8f8040014c2ec3c66d8cb2f

Download Submit
C:\Users\Admin\AppData\Local\CefSharp\LocalPrefs.json~RFe5b0329.TMP

Filesize
434B

MD5
b988a5a4cf396eb959d68aa221b01fdb

SHA1
5b8da1ac3704e4f92cc0b2b5091b55a95577e0ef

SHA256
a1820683ddcd832e3e35283407dfc56afc6cf05d1fae358e2c5e2b1924c3e82a

SHA512
2e3c7b08d7c25a25a1c74041dc645d4029daecd5ce6da54e167c6fedac1e5902d573801c40dfe5ea300f4708be13dc2334466ed8e72183c25d4331052a5d16a4

Download Submit
C:\Users\Admin\AppData\Local\CefSharp\chrome_100_percent.pak

Filesize
667KB

MD5
ae195e80859781a20414cf5faa52db06

SHA1
b18ecb5ec141415e3a210880e2b3d37470636485

SHA256
9957802c0792e621f76bbdb1c630fbad519922743b5d193294804164babda552

SHA512
c6fef84615fe20d1760ca496c98629feb4e533556724e9631d4282622748e7601225cf19dfb8351f4b540ae3f83785c1bcea6fe8c246cf70388e527654097c1c

Download Submit
C:\Users\Admin\AppData\Local\CefSharp\chrome_200_percent.pak

Filesize
1.0MB

MD5
1abf6bad0c39d59e541f04162e744224

SHA1
db93c38253338a0b85e431bd4194d9e7bddb22c6

SHA256
01cb663a75f18bb2d0d800640a114f153a34bd8a5f2aa0ed7daa9b32967dc29e

SHA512
945d519221d626421094316f13b818766826b3bedddab0165c041540dddadc93136e32784c0562d26a420cb29479d04d2aa317b8d605cd242e5152bf05af197e

Download Submit
C:\Users\Admin\AppData\Local\CefSharp\chrome_elf.dll

Filesize
1020KB

MD5
7191d97ce7886a1a93a013e90868db96

SHA1
52dd736cb589dd1def87130893d6b9449a6a36e3

SHA256
32f925f833aa59e3f05322549fc3c326ac6fc604358f4efbf94c59d5c08b8dc6

SHA512
38ebb62c34d466935eabb157197c7c364d4345f22aa3b2641b636196ca1aeaa2152ac75d613ff90817cb94825189612ddd12fb96df29469511a46a7d9620e724

Download Submit
C:\Users\Admin\AppData\Local\CefSharp\icudtl.dat

Filesize
10.2MB

MD5
74bded81ce10a426df54da39cfa132ff

SHA1
eb26bcc7d24be42bd8cfbded53bd62d605989bbf

SHA256
7bf96c193befbf23514401f8f6568076450ade52dd1595b85e4dfcf3de5f6fb9

SHA512
bd7b7b52d31803b2d4b1fd8cb76481931ed8abb98d779b893d3965231177bdd33386461e1a820b384712013904da094e3cd15ee24a679ddc766132677a8be54a

Download Submit
C:\Users\Admin\AppData\Local\CefSharp\libEGL.dll

Filesize
359KB

MD5
7dd6b0e4a31d35a0fae5ff425707073c

SHA1
fbd12e9f8e2252c52ce555c2ebbd7f07e62a0140

SHA256
8762d8001fc3ddd90e3129dfea172817e8d09b9936eaae391957de4326c8c906

SHA512
726968df6b83ab5f589276672250d92f532fe2dcea2176e42031a7f1dcecf578b0320cfe2a7d88bb9883ad99387d71c6ebf1e9968272bb5e62850ef09abd2648

Download Submit
C:\Users\Admin\AppData\Local\CefSharp\libGLESv2.dll

Filesize
6.6MB

MD5
8803db5b167fb5a5f8a8c595c4e4d7c6

SHA1
7fde861151f3bea66c65b6c2487a30728048811a

SHA256
52a58d25a41f4bd31cdb4a0d306217862e04ebf7c1925cc85330054a5523d719

SHA512
2fa9a0eda221982896e41eb387b5e156198615ac1a1fbac0acffd13008919368b41a240df416c1fce2e48c20a14cd7af7cca9fba476ada5e64a0cadde84a44b7

Download Submit
C:\Users\Admin\AppData\Local\CefSharp\locales\en-US.pak

Filesize
456KB

MD5
4430b1833d56bc8eb1f7dc82bb7f4bc9

SHA1
dc15e6306625f155683326e859d83f846153c547

SHA256
b44ddcfac9df4934007e6c55a3c7f5e7f14c7e5e29f35c81de917fc3b22aabbc

SHA512
faf93bf371b2a88c1b874a5e2c54e4487fd152ad19c2a406a46f55ae75ecd421a779888c2e4c170857b16bfb5d8744bc1815a4732ed50b064b3cbd0c5ffad889

Download Submit
C:\Users\Admin\AppData\Local\CefSharp\resources.pak

Filesize
8.0MB

MD5
4933d92c99afa246fc59eef010d5c858

SHA1
98d443654e93c73dd317f9f847f71fba3d5b3135

SHA256
62f4674daa15245ee081920b8ee191e72f36ca8fe24f6b986a832f45676915b2

SHA512
a3a69523c8e7310716daeebc06c2ba4fce673eccd1958e824ff179b82f4502d0ec095190179bbb387342e4150f952ea7533182fb6ba90377d17dafba8f4da623

Download Submit
C:\Users\Admin\AppData\Local\CefSharp\v8_context_snapshot.bin

Filesize
643KB

MD5
28477a60b4fbd51dfef5237245817690

SHA1
b0afd5ea9f9d550124f23c65bc7851ddeffc662f

SHA256
169ea86f544e5cdf2a460675f876a9abb7f56bbe122782e94bb03d624931fc12

SHA512
3520658583bb498d5032a7f7ae77195fd2e5f8ed03c6531e56dee8320d8701102a723766e59f7766ab223f837e65a6d85cf862bb2bef6d2755ce45e672a47b22

Download Submit
C:\Users\Admin\AppData\Local\CefSharp\vk_swiftshader.dll

Filesize
4.4MB

MD5
0ec149455727ace9acc09b3ba2c3a2b2

SHA1
6eeb990876cef6a34115b67f3190255db589f723

SHA256
e2d8ef53897e864b5b66bc73606681c99461798a9f4c1e13ca5cef7bc774d7fd

SHA512
c8eaa598c9439b1f2375fdac1f58896853510bddbd640707b9142c0d3793836120b28d7c2bd0407f0d5656dd19f14b312f37b7ac0165c9cc8b4c1a0f2af62531

Download Submit
C:\Users\Admin\AppData\Local\Luau Language Server\server\index.js

Filesize
6.1MB

MD5
6b1cad741d0b6374435f7e1faa93b5e7

SHA1
7b1957e63c10f4422421245e4dc64074455fd62a

SHA256
6f17add2a8c8c2d9f592adb65d88e08558e25c15cedd82e3f013c8146b5d840f

SHA512
a662fc83536eff797b8d59e2fb4a2fb7cd903be8fc4137de8470b341312534326383bb3af58991628f15f93e3bdd57621622d9d9b634fb5e6e03d4aa06977253

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
896KB

MD5
b95651a07fd8fe7a9000d9ec2c1cbb69

SHA1
6749e21bf384c5ab9a0c7baa027d53302ea60eda

SHA256
37a4512a5da7bc5a447bea7ddd0fc788e168e30497d898f7a8ef42681ee807dd

SHA512
7189688da89f6a066d6f1a747d269df2ce11dcef4b01b47caba7623a2cb8d6f9d58abc192eade321172982e86ef8b77f8fe0f93cab125be852b1331f00175ce3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Wave\CefSharp.Core.Runtime.dll

Filesize
1.3MB

MD5
09cba584aa0aae9fc600745567393ef6

SHA1
bbd1f93cb0db9cf9e01071b3bed1b4afd6e31279

SHA256
0babd84d4e7dc2713e7265d5ac25a3c28d412e705870cded6f5c7c550a5bf8d5

SHA512
5f914fa33a63a6d4b46f39c7279687f313728fd5f8437ec592369a2da3256ccff6f325f78ace0e6d3a2c37da1f681058556f7603da13c45b03f2808f779d2aa1

Download Submit
C:\Users\Admin\AppData\Local\Wave\D3DCOMPILER_47.dll

Filesize
3.9MB

MD5
3b4647bcb9feb591c2c05d1a606ed988

SHA1
b42c59f96fb069fd49009dfd94550a7764e6c97c

SHA256
35773c397036b368c1e75d4e0d62c36d98139ebe74e42c1ff7be71c6b5a19fd7

SHA512
00cd443b36f53985212ac43b44f56c18bf70e25119bbf9c59d05e2358ff45254b957f1ec63fc70fb57b1726fd8f76ccfad8103c67454b817a4f183f9122e3f50

Download Submit
C:\Users\Admin\AppData\Local\Wave\WaveBootstrapper.exe

Filesize
939KB

MD5
258a9cae6024c91784bbd8aa5379e86f

SHA1
fe1a808ba23053413359a78d5ec096b2cd540dd5

SHA256
3881840473ec5286189d2fc8e85f0f26a2532890055d1653da9580aa31b2d0e5

SHA512
b621ef432b430d2df0443fa0ebdd59dc7de6b32375c2fc83e8474838843c4abcf4a35f2b5f80e78911fc52336d71812ca9fbc9919314ea3b59bd26036a4ea5a5

Download Submit
C:\Users\Admin\AppData\Local\Wave\WaveWindows.exe

Filesize
7.5MB

MD5
7e09dde2226c18dde3c76471c01b3665

SHA1
94bb80704e14314331e007b942a64f423104644f

SHA256
4f9a703b0491de02519a343659f0a351f6ad09942cd82920995d5fa89e6571ae

SHA512
c61c911eb37c758f64ae9372eb4208210b6a964bb8604d3fcd3285805448b1801a91c519ed0294815f8167500654b423d19161a82c82f7935ec637c4038c93dc

Download Submit
C:\Users\Admin\AppData\Local\Wave\bin\Background.mp4

Filesize
4.6MB

MD5
9782180eb68f73030fe24ef6a1735932

SHA1
589827fe098ba048c9f871a28db8eae3e3537ff4

SHA256
3a1cbb800f8f25c2ab703ba8bfdb01e938e4143c3bc0fea8ca734fb5ba779ba7

SHA512
dc768638bae2d6d47d8910252ae64a656d8a6fd88efdf24165ddce51b7afdb4acb3fddd41dfe788737a2cab4fab66174db2f0d2f48bc8669af76d1656bca8be1

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
1KB

MD5
deca688b3a2d7e1224e65a13c66b405d

SHA1
5d088d911e53b05860d2294f081b7a56614c1b1b

SHA256
efe68251dcfee5e61bce15c9028f4e237c45e24f23f66d0c9acf5355ba709341

SHA512
8ed11f7e130d1d0d5f554849e9ad181f60d242d21aa6019307df20833e7646705716f591b13c9db0ba8643e8800816dd6b691572c80973f540fba14cc84d47be

Download Submit
memory/368-263-0x0000000009FD0000-0x0000000009FEE000-memory.dmp

Filesize
120KB

Download
memory/368-256-0x0000000000A20000-0x0000000000B10000-memory.dmp

Filesize
960KB

Download
memory/368-259-0x00000000091D0000-0x00000000092D0000-memory.dmp

Filesize
1024KB

Download
memory/368-260-0x0000000009EF0000-0x0000000009F06000-memory.dmp

Filesize
88KB

Download
memory/368-261-0x0000000009F30000-0x0000000009F3A000-memory.dmp

Filesize
40KB

Download
memory/368-262-0x0000000009F70000-0x0000000009F78000-memory.dmp

Filesize
32KB

Download
memory/2276-307-0x0000000000450000-0x0000000000458000-memory.dmp

Filesize
32KB

Download
memory/2276-311-0x0000000004C60000-0x0000000004D4A000-memory.dmp

Filesize
936KB

Download
memory/2276-318-0x0000000004DF0000-0x0000000004E3A000-memory.dmp

Filesize
296KB

Download
memory/3096-401-0x0000000015370000-0x0000000015380000-memory.dmp

Filesize
64KB

Download
memory/3096-413-0x0000000015370000-0x0000000015380000-memory.dmp

Filesize
64KB

Download
memory/3096-511-0x000000000A4C0000-0x000000000A532000-memory.dmp

Filesize
456KB

Download
memory/3096-279-0x0000000000780000-0x0000000000F0C000-memory.dmp

Filesize
7.5MB

Download
memory/3096-281-0x00000000057C0000-0x00000000057E4000-memory.dmp

Filesize
144KB

Download
memory/3096-280-0x0000000005770000-0x00000000057BA000-memory.dmp

Filesize
296KB

Download
memory/3096-282-0x0000000005ED0000-0x0000000005FB6000-memory.dmp

Filesize
920KB

Download
memory/3096-467-0x000000000A4C0000-0x000000000A532000-memory.dmp

Filesize
456KB

Download
memory/3096-447-0x00000000118C0000-0x00000000121E2000-memory.dmp

Filesize
9.1MB

Download
memory/3096-290-0x0000000006250000-0x00000000063AB000-memory.dmp

Filesize
1.4MB

Download
memory/3096-444-0x0000000005C20000-0x0000000005C3D000-memory.dmp

Filesize
116KB

Download
memory/3096-446-0x000000000DBC0000-0x000000000DBDC000-memory.dmp

Filesize
112KB

Download
memory/3096-445-0x000000000A4C0000-0x000000000A532000-memory.dmp

Filesize
456KB

Download
memory/3096-432-0x000000000E3A0000-0x000000000E3AA000-memory.dmp

Filesize
40KB

Download
memory/3096-402-0x0000000015E40000-0x0000000015FC6000-memory.dmp

Filesize
1.5MB

Download
memory/3096-412-0x0000000015370000-0x0000000015380000-memory.dmp

Filesize
64KB

Download
memory/3096-403-0x0000000015370000-0x0000000015380000-memory.dmp

Filesize
64KB

Download
memory/3096-404-0x0000000011380000-0x0000000011390000-memory.dmp

Filesize
64KB

Download
memory/3096-408-0x0000000015370000-0x0000000015380000-memory.dmp

Filesize
64KB

Download
memory/3096-409-0x0000000015370000-0x0000000015380000-memory.dmp

Filesize
64KB

Download
memory/3096-410-0x0000000011380000-0x0000000011390000-memory.dmp

Filesize
64KB

Download
memory/3096-411-0x0000000011380000-0x0000000011390000-memory.dmp

Filesize
64KB

Download
memory/3096-407-0x00000000127D0000-0x00000000127E0000-memory.dmp

Filesize
64KB

Download
memory/3096-405-0x0000000011380000-0x0000000011390000-memory.dmp

Filesize
64KB

Download
memory/3096-347-0x000000000D760000-0x000000000D812000-memory.dmp

Filesize
712KB

Download
memory/3096-406-0x0000000011380000-0x0000000011390000-memory.dmp

Filesize
64KB

Download
memory/3096-400-0x00000000127D0000-0x00000000127E0000-memory.dmp

Filesize
64KB

Download
memory/3096-398-0x0000000011380000-0x0000000011390000-memory.dmp

Filesize
64KB

Download
memory/3096-397-0x0000000011380000-0x0000000011390000-memory.dmp

Filesize
64KB

Download
memory/3096-356-0x000000000ECD0000-0x000000000ECF2000-memory.dmp

Filesize
136KB

Download
memory/3096-357-0x000000000F8A0000-0x000000000FBF4000-memory.dmp

Filesize
3.3MB

Download
memory/3096-399-0x0000000011380000-0x0000000011390000-memory.dmp

Filesize
64KB

Download
memory/3096-396-0x0000000011380000-0x0000000011390000-memory.dmp

Filesize
64KB

Download
memory/3096-384-0x000000000DDF0000-0x000000000DDF8000-memory.dmp

Filesize
32KB

Download
memory/3096-382-0x0000000005BC0000-0x0000000005BFE000-memory.dmp

Filesize
248KB

Download
memory/3096-383-0x000000000DB10000-0x000000000DB76000-memory.dmp

Filesize
408KB

Download
memory/3096-381-0x0000000011390000-0x00000000118BC000-memory.dmp

Filesize
5.2MB

Download
memory/3096-380-0x000000000DCD0000-0x000000000DD70000-memory.dmp

Filesize
640KB

Download
memory/3096-379-0x000000000A550000-0x000000000A588000-memory.dmp

Filesize
224KB

Download
memory/3148-245-0x0000000140000000-0x0000000140F65000-memory.dmp

Filesize
15.4MB

Download
memory/3148-22-0x0000000140000000-0x0000000140F65000-memory.dmp

Filesize
15.4MB

Download
memory/3148-374-0x0000000140000000-0x0000000140F65000-memory.dmp

Filesize
15.4MB

Download
memory/3148-373-0x0000000140000000-0x0000000140F65000-memory.dmp

Filesize
15.4MB

Download
memory/3148-10-0x0000000140000000-0x0000000140F65000-memory.dmp

Filesize
15.4MB

Download
memory/3148-9-0x0000000140000000-0x0000000140F65000-memory.dmp

Filesize
15.4MB

Download
memory/3148-7-0x0000000140000000-0x0000000140F65000-memory.dmp

Filesize
15.4MB

Download
memory/3148-11-0x0000000140000000-0x0000000140F65000-memory.dmp

Filesize
15.4MB

Download
memory/3148-12-0x0000000140000000-0x0000000140F65000-memory.dmp

Filesize
15.4MB

Download
memory/3148-354-0x0000000140000000-0x0000000140F65000-memory.dmp

Filesize
15.4MB

Download
memory/3148-378-0x0000000140000000-0x0000000140F65000-memory.dmp

Filesize
15.4MB

Download
memory/3148-1-0x00007FFCDAB30000-0x00007FFCDAB32000-memory.dmp

Filesize
8KB

Download
memory/3148-0-0x0000000140000000-0x0000000140F65000-memory.dmp

Filesize
15.4MB

Download
memory/3148-13-0x0000000140000000-0x0000000140F65000-memory.dmp

Filesize
15.4MB

Download
memory/3148-377-0x0000000140000000-0x0000000140F65000-memory.dmp

Filesize
15.4MB

Download
memory/3148-443-0x0000000140000000-0x0000000140F65000-memory.dmp

Filesize
15.4MB

Download
memory/3148-465-0x0000000140000000-0x0000000140F65000-memory.dmp

Filesize
15.4MB

Download
memory/3148-19-0x0000000140000000-0x0000000140F65000-memory.dmp

Filesize
15.4MB

Download
memory/3148-470-0x0000000140000000-0x0000000140F65000-memory.dmp

Filesize
15.4MB

Download
memory/3148-21-0x0000000140000000-0x0000000140F65000-memory.dmp

Filesize
15.4MB

Download
memory/3148-5-0x0000000140000000-0x0000000140F65000-memory.dmp

Filesize
15.4MB

Download
memory/3148-26-0x0000000140000000-0x0000000140F65000-memory.dmp

Filesize
15.4MB

Download
memory/3148-18-0x0000000140000000-0x0000000140F65000-memory.dmp

Filesize
15.4MB

Download
memory/3148-3-0x0000000140000000-0x0000000140F65000-memory.dmp

Filesize
15.4MB

Download
memory/3148-244-0x0000000140000000-0x0000000140F65000-memory.dmp

Filesize
15.4MB

Download
memory/3148-2-0x0000000140000000-0x0000000140F65000-memory.dmp

Filesize
15.4MB

Download
memory/3148-450-0x0000000140000000-0x0000000140F65000-memory.dmp

Filesize
15.4MB

Download
memory/3148-6-0x0000000140000000-0x0000000140F65000-memory.dmp

Filesize
15.4MB

Download
memory/3148-4-0x0000000140000000-0x0000000140F65000-memory.dmp

Filesize
15.4MB

Download
memory/3148-243-0x0000000140000000-0x0000000140F65000-memory.dmp

Filesize
15.4MB

Download
memory/4516-14-0x00007FFCDAA90000-0x00007FFCDAC85000-memory.dmp

Filesize
2.0MB

Download
memory/4516-36-0x000000000C120000-0x000000000C12A000-memory.dmp

Filesize
40KB

Download
memory/4516-35-0x000000000C110000-0x000000000C11A000-memory.dmp

Filesize
40KB

Download
memory/4516-34-0x000000000C090000-0x000000000C102000-memory.dmp

Filesize
456KB

Download
memory/4516-32-0x000000000B380000-0x000000000B388000-memory.dmp

Filesize
32KB

Download
memory/4516-31-0x000000000B340000-0x000000000B366000-memory.dmp

Filesize
152KB

Download
memory/4516-30-0x000000000B2A0000-0x000000000B336000-memory.dmp

Filesize
600KB

Download
memory/4516-258-0x00007FFCDAA90000-0x00007FFCDAC85000-memory.dmp

Filesize
2.0MB

Download
memory/4516-20-0x00007FFCDAA90000-0x00007FFCDAC85000-memory.dmp

Filesize
2.0MB

Download
memory/4516-17-0x0000000009560000-0x000000000956E000-memory.dmp

Filesize
56KB

Download
memory/4516-16-0x0000000009590000-0x00000000095C8000-memory.dmp

Filesize
224KB

Download
memory/4516-15-0x0000000000280000-0x0000000000412000-memory.dmp

Filesize
1.6MB

Download