465fd258f124f640718c0727f39fbedd83f8f0585a9db0307c7c5a38bf092e85

Analysis

max time kernel
1799s
max time network
1178s
platform
windows11-21h2_x64
resource
win11-20240419-en
resource tags

arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
submitted
03/07/2024, 16:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

solara.png
Size

5KB
MD5

b3d5c6d88c08fcafeefde059fd9d9b54
SHA1

0b5be3ef1f45d6a6b3dc79a55faa350ba9c1cd0d
SHA256

465fd258f124f640718c0727f39fbedd83f8f0585a9db0307c7c5a38bf092e85
SHA512

c034b254ad0256fbbe49ed7ee3f0bbb53011508f04165c2b2058223d6720af5ab061e4dcf254356b19cf5fb6ea03fdcf5a5406bd7e7961c05391879be37f55d7
SSDEEP

96:TCwK+RyfazbW82BYq5WXS0llxuQBZyTa5VYamTHxomSwZ72KHKXdx1HQnJ8O10oL:TSfazmLk7llxuQBHVz4HS42qEVoJ8Oqm

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 17 IoCs

pid	Process
1556	WaveInstaller.exe
1656	WaveBootstrapper.exe
4404	WaveWindows.exe
5048	CefSharp.BrowserSubprocess.exe
72	CefSharp.BrowserSubprocess.exe
4952	node.exe
1268	Bloxstrap.exe
2572	CefSharp.BrowserSubprocess.exe
2376	CefSharp.BrowserSubprocess.exe
4924	CefSharp.BrowserSubprocess.exe
4976	wave-luau.exe
940	CefSharp.BrowserSubprocess.exe
1112	CefSharp.BrowserSubprocess.exe
1656	CefSharp.BrowserSubprocess.exe
5484	wave-luau.exe
2292	wave-luau.exe
5384	CefSharp.BrowserSubprocess.exe

Loads dropped DLL 64 IoCs

pid	Process
1656	WaveBootstrapper.exe
4404	WaveWindows.exe
4404	WaveWindows.exe
4404	WaveWindows.exe
4404	WaveWindows.exe
4404	WaveWindows.exe
5048	CefSharp.BrowserSubprocess.exe
5048	CefSharp.BrowserSubprocess.exe
5048	CefSharp.BrowserSubprocess.exe
5048	CefSharp.BrowserSubprocess.exe
5048	CefSharp.BrowserSubprocess.exe
5048	CefSharp.BrowserSubprocess.exe
5048	CefSharp.BrowserSubprocess.exe
5048	CefSharp.BrowserSubprocess.exe
5048	CefSharp.BrowserSubprocess.exe
5048	CefSharp.BrowserSubprocess.exe
5048	CefSharp.BrowserSubprocess.exe
72	CefSharp.BrowserSubprocess.exe
72	CefSharp.BrowserSubprocess.exe
72	CefSharp.BrowserSubprocess.exe
72	CefSharp.BrowserSubprocess.exe
72	CefSharp.BrowserSubprocess.exe
72	CefSharp.BrowserSubprocess.exe
72	CefSharp.BrowserSubprocess.exe
4404	WaveWindows.exe
2572	CefSharp.BrowserSubprocess.exe
2572	CefSharp.BrowserSubprocess.exe
2376	CefSharp.BrowserSubprocess.exe
2376	CefSharp.BrowserSubprocess.exe
2572	CefSharp.BrowserSubprocess.exe
2572	CefSharp.BrowserSubprocess.exe
2572	CefSharp.BrowserSubprocess.exe
2572	CefSharp.BrowserSubprocess.exe
2572	CefSharp.BrowserSubprocess.exe
2376	CefSharp.BrowserSubprocess.exe
2376	CefSharp.BrowserSubprocess.exe
2376	CefSharp.BrowserSubprocess.exe
2376	CefSharp.BrowserSubprocess.exe
2376	CefSharp.BrowserSubprocess.exe
4924	CefSharp.BrowserSubprocess.exe
4924	CefSharp.BrowserSubprocess.exe
4924	CefSharp.BrowserSubprocess.exe
4924	CefSharp.BrowserSubprocess.exe
4924	CefSharp.BrowserSubprocess.exe
4924	CefSharp.BrowserSubprocess.exe
4924	CefSharp.BrowserSubprocess.exe
940	CefSharp.BrowserSubprocess.exe
940	CefSharp.BrowserSubprocess.exe
940	CefSharp.BrowserSubprocess.exe
940	CefSharp.BrowserSubprocess.exe
940	CefSharp.BrowserSubprocess.exe
940	CefSharp.BrowserSubprocess.exe
940	CefSharp.BrowserSubprocess.exe
1112	CefSharp.BrowserSubprocess.exe
1112	CefSharp.BrowserSubprocess.exe
1112	CefSharp.BrowserSubprocess.exe
1112	CefSharp.BrowserSubprocess.exe
1112	CefSharp.BrowserSubprocess.exe
1112	CefSharp.BrowserSubprocess.exe
1112	CefSharp.BrowserSubprocess.exe
1112	CefSharp.BrowserSubprocess.exe
1656	CefSharp.BrowserSubprocess.exe
1656	CefSharp.BrowserSubprocess.exe
1656	CefSharp.BrowserSubprocess.exe

Checks for any installed AV software in registry 1 TTPs 25 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\KasperskyLab\FontSize	WaveWindows.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\KasperskyLab\InlayHints = "1"	WaveWindows.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\KasperskyLab\SendCurrentDocument	WaveWindows.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\KasperskyLab\Session = "Bearer ebf27a16-6a20-41e4-a819-c3388c55150d"	WaveWindows.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\KasperskyLab\ContinueOnStartUp	WaveWindows.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\KasperskyLab\FontSize = "14"	WaveWindows.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\KasperskyLab\LastUsername	WaveWindows.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\KasperskyLab\RefreshRate	WaveWindows.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\KasperskyLab\InlayHints	WaveWindows.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\KasperskyLab\LastUsername = "Michaa"	WaveWindows.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\KasperskyLab\Session	WaveWindows.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\KasperskyLab\RedirectCompilerError	WaveWindows.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\KasperskyLab\UsePerformanceMode = "0"	WaveWindows.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\KasperskyLab\Minimap	WaveWindows.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\KasperskyLab\ContinueOnStartUp = "0"	WaveWindows.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\KasperskyLab\TopMost	WaveWindows.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\KasperskyLab\TopMost = "0"	WaveWindows.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\KasperskyLab\RedirectCompilerError = "1"	WaveWindows.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\KasperskyLab\Minimap = "0"	WaveWindows.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\KasperskyLab\SendCurrentDocument = "1"	WaveWindows.exe
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\KasperskyLab	WaveWindows.exe
Key queried	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\KasperskyLab	WaveWindows.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\KasperskyLab\UsePerformanceMode	WaveWindows.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\KasperskyLab\RefreshRate = "60"	WaveWindows.exe
Key opened	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\KasperskyLab	WaveWindows.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\S:	WaveWindows.exe
File opened (read-only)	\??\X:	WaveWindows.exe
File opened (read-only)	\??\I:	WaveWindows.exe
File opened (read-only)	\??\K:	WaveWindows.exe
File opened (read-only)	\??\L:	WaveWindows.exe
File opened (read-only)	\??\R:	WaveWindows.exe
File opened (read-only)	\??\Z:	WaveWindows.exe
File opened (read-only)	\??\G:	WaveWindows.exe
File opened (read-only)	\??\H:	WaveWindows.exe
File opened (read-only)	\??\M:	WaveWindows.exe
File opened (read-only)	\??\V:	WaveWindows.exe
File opened (read-only)	\??\Q:	WaveWindows.exe
File opened (read-only)	\??\T:	WaveWindows.exe
File opened (read-only)	\??\U:	WaveWindows.exe
File opened (read-only)	\??\A:	WaveWindows.exe
File opened (read-only)	\??\B:	WaveWindows.exe
File opened (read-only)	\??\J:	WaveWindows.exe
File opened (read-only)	\??\O:	WaveWindows.exe
File opened (read-only)	\??\Y:	WaveWindows.exe
File opened (read-only)	\??\E:	WaveWindows.exe
File opened (read-only)	\??\N:	WaveWindows.exe
File opened (read-only)	\??\P:	WaveWindows.exe
File opened (read-only)	\??\W:	WaveWindows.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
62	raw.githubusercontent.com
63	raw.githubusercontent.com
64	raw.githubusercontent.com
24	raw.githubusercontent.com
53	raw.githubusercontent.com
61	raw.githubusercontent.com

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4404_19526690\_metadata\verified_contents.json	WaveWindows.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4404_19526690\manifest.fingerprint	WaveWindows.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\SystemTemp	WaveWindows.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4404_19526690\_platform_specific\win_x86\widevinecdm.dll.sig	WaveWindows.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4404_19526690\_platform_specific\win_x86\widevinecdm.dll	WaveWindows.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4404_19526690\LICENSE	WaveWindows.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4404_19526690\manifest.json	WaveWindows.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133644980162479952"	chrome.exe

Modifies registry class 19 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\roblox\ = "URL: Roblox Protocol"	Bloxstrap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\roblox\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Bloxstrap\\Bloxstrap.exe\" %1"	Bloxstrap.exe
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\roblox-player\shell\open\command	Bloxstrap.exe
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\roblox-player\shell	Bloxstrap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\roblox-player\URL Protocol	Bloxstrap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\roblox-player\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Bloxstrap\\Bloxstrap.exe\" %1"	Bloxstrap.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1474490143-3221292397-4168103503-1000\{9AE31202-90DB-46D9-9A57-44C22B3398EA}	WaveWindows.exe
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\roblox	Bloxstrap.exe
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\roblox-player\DefaultIcon	Bloxstrap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\roblox-player\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Bloxstrap\\Bloxstrap.exe"	Bloxstrap.exe
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\roblox\DefaultIcon	Bloxstrap.exe
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\roblox\shell\open\command	Bloxstrap.exe
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\roblox\shell	Bloxstrap.exe
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\roblox\shell\open	Bloxstrap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\roblox\URL Protocol	Bloxstrap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\roblox\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Bloxstrap\\Bloxstrap.exe"	Bloxstrap.exe
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\roblox-player	Bloxstrap.exe
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\roblox-player\shell\open	Bloxstrap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\roblox-player\ = "URL: Roblox Protocol"	Bloxstrap.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\WaveInstaller.exe:Zone.Identifier	chrome.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
3076	chrome.exe
3076	chrome.exe
4404	WaveWindows.exe
5048	CefSharp.BrowserSubprocess.exe
5048	CefSharp.BrowserSubprocess.exe
72	CefSharp.BrowserSubprocess.exe
72	CefSharp.BrowserSubprocess.exe
4404	WaveWindows.exe
2572	CefSharp.BrowserSubprocess.exe
2572	CefSharp.BrowserSubprocess.exe
2376	CefSharp.BrowserSubprocess.exe
2376	CefSharp.BrowserSubprocess.exe
4924	CefSharp.BrowserSubprocess.exe
4924	CefSharp.BrowserSubprocess.exe
4404	WaveWindows.exe
4404	WaveWindows.exe
940	CefSharp.BrowserSubprocess.exe
940	CefSharp.BrowserSubprocess.exe
1112	CefSharp.BrowserSubprocess.exe
1112	CefSharp.BrowserSubprocess.exe
1112	CefSharp.BrowserSubprocess.exe
1112	CefSharp.BrowserSubprocess.exe
1268	Bloxstrap.exe
1268	Bloxstrap.exe
1656	CefSharp.BrowserSubprocess.exe
1656	CefSharp.BrowserSubprocess.exe
5384	CefSharp.BrowserSubprocess.exe
5384	CefSharp.BrowserSubprocess.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3076	chrome.exe
Token: SeCreatePagefilePrivilege	3076	chrome.exe
Token: SeShutdownPrivilege	3076	chrome.exe
Token: SeCreatePagefilePrivilege	3076	chrome.exe
Token: SeShutdownPrivilege	3076	chrome.exe
Token: SeCreatePagefilePrivilege	3076	chrome.exe
Token: SeShutdownPrivilege	3076	chrome.exe
Token: SeCreatePagefilePrivilege	3076	chrome.exe
Token: SeShutdownPrivilege	3076	chrome.exe
Token: SeCreatePagefilePrivilege	3076	chrome.exe
Token: SeShutdownPrivilege	3076	chrome.exe
Token: SeCreatePagefilePrivilege	3076	chrome.exe
Token: SeShutdownPrivilege	3076	chrome.exe
Token: SeCreatePagefilePrivilege	3076	chrome.exe
Token: SeShutdownPrivilege	3076	chrome.exe
Token: SeCreatePagefilePrivilege	3076	chrome.exe
Token: SeShutdownPrivilege	3076	chrome.exe
Token: SeCreatePagefilePrivilege	3076	chrome.exe
Token: SeShutdownPrivilege	3076	chrome.exe
Token: SeCreatePagefilePrivilege	3076	chrome.exe
Token: SeShutdownPrivilege	3076	chrome.exe
Token: SeCreatePagefilePrivilege	3076	chrome.exe
Token: SeShutdownPrivilege	3076	chrome.exe
Token: SeCreatePagefilePrivilege	3076	chrome.exe
Token: SeShutdownPrivilege	3076	chrome.exe
Token: SeCreatePagefilePrivilege	3076	chrome.exe
Token: SeShutdownPrivilege	3076	chrome.exe
Token: SeCreatePagefilePrivilege	3076	chrome.exe
Token: SeShutdownPrivilege	3076	chrome.exe
Token: SeCreatePagefilePrivilege	3076	chrome.exe
Token: SeShutdownPrivilege	3076	chrome.exe
Token: SeCreatePagefilePrivilege	3076	chrome.exe
Token: SeShutdownPrivilege	3076	chrome.exe
Token: SeCreatePagefilePrivilege	3076	chrome.exe
Token: SeShutdownPrivilege	3076	chrome.exe
Token: SeCreatePagefilePrivilege	3076	chrome.exe
Token: SeShutdownPrivilege	3076	chrome.exe
Token: SeCreatePagefilePrivilege	3076	chrome.exe
Token: SeShutdownPrivilege	3076	chrome.exe
Token: SeCreatePagefilePrivilege	3076	chrome.exe
Token: SeShutdownPrivilege	3076	chrome.exe
Token: SeCreatePagefilePrivilege	3076	chrome.exe
Token: SeShutdownPrivilege	3076	chrome.exe
Token: SeCreatePagefilePrivilege	3076	chrome.exe
Token: SeShutdownPrivilege	3076	chrome.exe
Token: SeCreatePagefilePrivilege	3076	chrome.exe
Token: SeShutdownPrivilege	3076	chrome.exe
Token: SeCreatePagefilePrivilege	3076	chrome.exe
Token: SeShutdownPrivilege	3076	chrome.exe
Token: SeCreatePagefilePrivilege	3076	chrome.exe
Token: SeShutdownPrivilege	3076	chrome.exe
Token: SeCreatePagefilePrivilege	3076	chrome.exe
Token: SeShutdownPrivilege	3076	chrome.exe
Token: SeCreatePagefilePrivilege	3076	chrome.exe
Token: SeShutdownPrivilege	3076	chrome.exe
Token: SeCreatePagefilePrivilege	3076	chrome.exe
Token: SeShutdownPrivilege	3076	chrome.exe
Token: SeCreatePagefilePrivilege	3076	chrome.exe
Token: SeShutdownPrivilege	3076	chrome.exe
Token: SeCreatePagefilePrivilege	3076	chrome.exe
Token: SeShutdownPrivilege	3076	chrome.exe
Token: SeCreatePagefilePrivilege	3076	chrome.exe
Token: SeDebugPrivilege	1556	WaveInstaller.exe
Token: SeDebugPrivilege	1656	WaveBootstrapper.exe

Suspicious use of FindShellTrayWindow 38 IoCs

pid	Process
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
1268	Bloxstrap.exe
1268	Bloxstrap.exe

Suspicious use of SendNotifyMessage 14 IoCs

pid	Process
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
1268	Bloxstrap.exe
1268	Bloxstrap.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4952	node.exe
1268	Bloxstrap.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3076 wrote to memory of 3880	3076	chrome.exe	81
PID 3076 wrote to memory of 3880	3076	chrome.exe	81
PID 3076 wrote to memory of 3984	3076	chrome.exe	82
PID 3076 wrote to memory of 3984	3076	chrome.exe	82
PID 3076 wrote to memory of 3984	3076	chrome.exe	82
PID 3076 wrote to memory of 3984	3076	chrome.exe	82
PID 3076 wrote to memory of 3984	3076	chrome.exe	82
PID 3076 wrote to memory of 3984	3076	chrome.exe	82
PID 3076 wrote to memory of 3984	3076	chrome.exe	82
PID 3076 wrote to memory of 3984	3076	chrome.exe	82
PID 3076 wrote to memory of 3984	3076	chrome.exe	82
PID 3076 wrote to memory of 3984	3076	chrome.exe	82
PID 3076 wrote to memory of 3984	3076	chrome.exe	82
PID 3076 wrote to memory of 3984	3076	chrome.exe	82
PID 3076 wrote to memory of 3984	3076	chrome.exe	82
PID 3076 wrote to memory of 3984	3076	chrome.exe	82
PID 3076 wrote to memory of 3984	3076	chrome.exe	82
PID 3076 wrote to memory of 3984	3076	chrome.exe	82
PID 3076 wrote to memory of 3984	3076	chrome.exe	82
PID 3076 wrote to memory of 3984	3076	chrome.exe	82
PID 3076 wrote to memory of 3984	3076	chrome.exe	82
PID 3076 wrote to memory of 3984	3076	chrome.exe	82
PID 3076 wrote to memory of 3984	3076	chrome.exe	82
PID 3076 wrote to memory of 3984	3076	chrome.exe	82
PID 3076 wrote to memory of 3984	3076	chrome.exe	82
PID 3076 wrote to memory of 3984	3076	chrome.exe	82
PID 3076 wrote to memory of 3984	3076	chrome.exe	82
PID 3076 wrote to memory of 3984	3076	chrome.exe	82
PID 3076 wrote to memory of 3984	3076	chrome.exe	82
PID 3076 wrote to memory of 3984	3076	chrome.exe	82
PID 3076 wrote to memory of 3984	3076	chrome.exe	82
PID 3076 wrote to memory of 3984	3076	chrome.exe	82
PID 3076 wrote to memory of 2144	3076	chrome.exe	83
PID 3076 wrote to memory of 2144	3076	chrome.exe	83
PID 3076 wrote to memory of 1536	3076	chrome.exe	84
PID 3076 wrote to memory of 1536	3076	chrome.exe	84
PID 3076 wrote to memory of 1536	3076	chrome.exe	84
PID 3076 wrote to memory of 1536	3076	chrome.exe	84
PID 3076 wrote to memory of 1536	3076	chrome.exe	84
PID 3076 wrote to memory of 1536	3076	chrome.exe	84
PID 3076 wrote to memory of 1536	3076	chrome.exe	84
PID 3076 wrote to memory of 1536	3076	chrome.exe	84
PID 3076 wrote to memory of 1536	3076	chrome.exe	84
PID 3076 wrote to memory of 1536	3076	chrome.exe	84
PID 3076 wrote to memory of 1536	3076	chrome.exe	84
PID 3076 wrote to memory of 1536	3076	chrome.exe	84
PID 3076 wrote to memory of 1536	3076	chrome.exe	84
PID 3076 wrote to memory of 1536	3076	chrome.exe	84
PID 3076 wrote to memory of 1536	3076	chrome.exe	84
PID 3076 wrote to memory of 1536	3076	chrome.exe	84
PID 3076 wrote to memory of 1536	3076	chrome.exe	84
PID 3076 wrote to memory of 1536	3076	chrome.exe	84
PID 3076 wrote to memory of 1536	3076	chrome.exe	84
PID 3076 wrote to memory of 1536	3076	chrome.exe	84
PID 3076 wrote to memory of 1536	3076	chrome.exe	84
PID 3076 wrote to memory of 1536	3076	chrome.exe	84
PID 3076 wrote to memory of 1536	3076	chrome.exe	84
PID 3076 wrote to memory of 1536	3076	chrome.exe	84
PID 3076 wrote to memory of 1536	3076	chrome.exe	84
PID 3076 wrote to memory of 1536	3076	chrome.exe	84
PID 3076 wrote to memory of 1536	3076	chrome.exe	84
PID 3076 wrote to memory of 1536	3076	chrome.exe	84
PID 3076 wrote to memory of 1536	3076	chrome.exe	84
PID 3076 wrote to memory of 1536	3076	chrome.exe	84

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\solara.png
1⤵
PID:912

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb47a2cc40,0x7ffb47a2cc4c,0x7ffb47a2cc58
  2⤵
  PID:3880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1768,i,5947775997352749665,17748874331784412207,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=1752 /prefetch:2
  2⤵
  PID:3984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2080,i,5947775997352749665,17748874331784412207,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2100 /prefetch:3
  2⤵
  PID:2144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2168,i,5947775997352749665,17748874331784412207,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2188 /prefetch:8
  2⤵
  PID:1536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3080,i,5947775997352749665,17748874331784412207,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3248 /prefetch:1
  2⤵
  PID:2832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3132,i,5947775997352749665,17748874331784412207,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:4492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4440,i,5947775997352749665,17748874331784412207,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4064 /prefetch:1
  2⤵
  PID:2136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4592,i,5947775997352749665,17748874331784412207,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4600 /prefetch:8
  2⤵
  PID:1096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4716,i,5947775997352749665,17748874331784412207,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4724 /prefetch:8
  2⤵
  PID:1652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4672,i,5947775997352749665,17748874331784412207,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4676 /prefetch:8
  2⤵
  PID:1404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4584,i,5947775997352749665,17748874331784412207,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4692 /prefetch:8
  2⤵
  PID:2416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4848,i,5947775997352749665,17748874331784412207,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4864 /prefetch:1
  2⤵
  PID:3596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=5252,i,5947775997352749665,17748874331784412207,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5268 /prefetch:1
  2⤵
  PID:1656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=4704,i,5947775997352749665,17748874331784412207,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5140 /prefetch:1
  2⤵
  PID:1788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5264,i,5947775997352749665,17748874331784412207,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5420 /prefetch:8
  2⤵
  PID:3968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5236,i,5947775997352749665,17748874331784412207,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5604 /prefetch:8
  2⤵
  PID:4948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5260,i,5947775997352749665,17748874331784412207,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4416 /prefetch:8
  2⤵
  - NTFS ADS
  PID:1056
- C:\Users\Admin\Downloads\WaveInstaller.exe
  "C:\Users\Admin\Downloads\WaveInstaller.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1556
- - C:\Users\Admin\AppData\Local\Wave\WaveBootstrapper.exe
    "C:\Users\Admin\AppData\Local\Wave\WaveBootstrapper.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:1656
  - - C:\Users\Admin\AppData\Local\Wave\WaveWindows.exe
      "C:\Users\Admin\AppData\Local\Wave\WaveWindows.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Checks for any installed AV software in registry
      Enumerates connected drives
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      PID:4404
    - - C:\Users\Admin\AppData\Local\CefSharp\CefSharp.BrowserSubprocess.exe
        
        "C:\Users\Admin\AppData\Local\CefSharp\CefSharp.BrowserSubprocess.exe" --type=gpu-process --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\CefSharp\locales" --resources-dir-path="C:\Users\Admin\AppData\Local\CefSharp" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CefSharp" --cefsharpexitsub --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2016,i,10536941472454238112,2657920493894548311,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI --variations-seed-version --enable-logging=handle --log-file=2100 --mojo-platform-channel-handle=2004 /prefetch:2 --host-process-id=4404
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:5048
    - - C:\Users\Admin\AppData\Local\CefSharp\CefSharp.BrowserSubprocess.exe
        
        "C:\Users\Admin\AppData\Local\CefSharp\CefSharp.BrowserSubprocess.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\CefSharp\locales" --resources-dir-path="C:\Users\Admin\AppData\Local\CefSharp" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CefSharp" --cefsharpexitsub --field-trial-handle=2524,i,10536941472454238112,2657920493894548311,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI --variations-seed-version --enable-logging=handle --log-file=2528 --mojo-platform-channel-handle=2520 /prefetch:3 --host-process-id=4404
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:72
    - - C:\Users\Admin\AppData\Local\Luau Language Server\node.exe
        
        "C:\Users\Admin\AppData\Local\Luau Language Server\node.exe" server --process-id=4404
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4952
      - C:\Users\Admin\AppData\Local\Luau Language Server\shared\bin\wave-luau.exe
        
        "C:\Users\Admin\AppData\Local\Luau Language Server\shared\bin\wave-luau.exe" lsp "--definitions=C:\Users\Admin\AppData\Local\Luau Language Server\shared\bin\globalTypes.d.luau" "--definitions=C:\Users\Admin\AppData\Local\Luau Language Server\shared\bin\wave.d.luau" "--docs=C:\Users\Admin\AppData\Local\Luau Language Server\shared\bin\en-us.json"
        6⤵
        Executes dropped EXE
        
        PID:4976
      - C:\Users\Admin\AppData\Local\Luau Language Server\shared\bin\wave-luau.exe
        
        "C:\Users\Admin\AppData\Local\Luau Language Server\shared\bin\wave-luau.exe" lsp "--definitions=C:\Users\Admin\AppData\Local\Luau Language Server\shared\bin\globalTypes.d.luau" "--definitions=C:\Users\Admin\AppData\Local\Luau Language Server\shared\bin\wave.d.luau" "--docs=C:\Users\Admin\AppData\Local\Luau Language Server\shared\bin\en-us.json"
        6⤵
        Executes dropped EXE
        
        PID:5484
      - C:\Users\Admin\AppData\Local\Luau Language Server\shared\bin\wave-luau.exe
        
        "C:\Users\Admin\AppData\Local\Luau Language Server\shared\bin\wave-luau.exe" lsp "--definitions=C:\Users\Admin\AppData\Local\Luau Language Server\shared\bin\globalTypes.d.luau" "--definitions=C:\Users\Admin\AppData\Local\Luau Language Server\shared\bin\wave.d.luau" "--docs=C:\Users\Admin\AppData\Local\Luau Language Server\shared\bin\en-us.json"
        6⤵
        Executes dropped EXE
        
        PID:2292
    - - C:\Users\Admin\AppData\Local\Bloxstrap\Bloxstrap.exe
        
        "C:\Users\Admin\AppData\Local\Bloxstrap\Bloxstrap.exe"
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:1268
    - - C:\Users\Admin\AppData\Local\CefSharp\CefSharp.BrowserSubprocess.exe
        
        "C:\Users\Admin\AppData\Local\CefSharp\CefSharp.BrowserSubprocess.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\CefSharp\locales" --resources-dir-path="C:\Users\Admin\AppData\Local\CefSharp" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CefSharp" --cefsharpexitsub --field-trial-handle=7224,i,10536941472454238112,2657920493894548311,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI --variations-seed-version --enable-logging=handle --log-file=7228 --mojo-platform-channel-handle=7220 /prefetch:8 --host-process-id=4404
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:2572
    - - C:\Users\Admin\AppData\Local\CefSharp\CefSharp.BrowserSubprocess.exe
        
        "C:\Users\Admin\AppData\Local\CefSharp\CefSharp.BrowserSubprocess.exe" --type=renderer --locales-dir-path="C:\Users\Admin\AppData\Local\CefSharp\locales" --resources-dir-path="C:\Users\Admin\AppData\Local\CefSharp" --user-data-dir="C:\Users\Admin\AppData\Local\CefSharp" --cefsharpexitsub --no-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=7332,i,10536941472454238112,2657920493894548311,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI --variations-seed-version --enable-logging=handle --log-file=7336 --mojo-platform-channel-handle=7324 --host-process-id=4404 /prefetch:1
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:4924
    - - C:\Users\Admin\AppData\Local\CefSharp\CefSharp.BrowserSubprocess.exe
        
        "C:\Users\Admin\AppData\Local\CefSharp\CefSharp.BrowserSubprocess.exe" --type=renderer --locales-dir-path="C:\Users\Admin\AppData\Local\CefSharp\locales" --resources-dir-path="C:\Users\Admin\AppData\Local\CefSharp" --user-data-dir="C:\Users\Admin\AppData\Local\CefSharp" --cefsharpexitsub --no-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=7352,i,10536941472454238112,2657920493894548311,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI --variations-seed-version --enable-logging=handle --log-file=7364 --mojo-platform-channel-handle=7344 --host-process-id=4404 /prefetch:1
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:2376
    - - C:\Users\Admin\AppData\Local\CefSharp\CefSharp.BrowserSubprocess.exe
        
        "C:\Users\Admin\AppData\Local\CefSharp\CefSharp.BrowserSubprocess.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\CefSharp\locales" --resources-dir-path="C:\Users\Admin\AppData\Local\CefSharp" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CefSharp" --cefsharpexitsub --field-trial-handle=5796,i,10536941472454238112,2657920493894548311,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI --variations-seed-version --enable-logging=handle --log-file=5800 --mojo-platform-channel-handle=5820 /prefetch:8 --host-process-id=4404
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:940
    - - C:\Users\Admin\AppData\Local\CefSharp\CefSharp.BrowserSubprocess.exe
        
        "C:\Users\Admin\AppData\Local\CefSharp\CefSharp.BrowserSubprocess.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\CefSharp\locales" --resources-dir-path="C:\Users\Admin\AppData\Local\CefSharp" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CefSharp" --cefsharpexitsub --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5580,i,10536941472454238112,2657920493894548311,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI --variations-seed-version --enable-logging=handle --log-file=7816 --mojo-platform-channel-handle=7660 /prefetch:8 --host-process-id=4404
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:1112
    - - C:\Users\Admin\AppData\Local\CefSharp\CefSharp.BrowserSubprocess.exe
        
        "C:\Users\Admin\AppData\Local\CefSharp\CefSharp.BrowserSubprocess.exe" --type=renderer --locales-dir-path="C:\Users\Admin\AppData\Local\CefSharp\locales" --resources-dir-path="C:\Users\Admin\AppData\Local\CefSharp" --user-data-dir="C:\Users\Admin\AppData\Local\CefSharp" --cefsharpexitsub --no-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=7748,i,10536941472454238112,2657920493894548311,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI --variations-seed-version --enable-logging=handle --log-file=7524 --mojo-platform-channel-handle=720 --host-process-id=4404 /prefetch:1
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:1656
    - - C:\Users\Admin\AppData\Local\CefSharp\CefSharp.BrowserSubprocess.exe
        
        "C:\Users\Admin\AppData\Local\CefSharp\CefSharp.BrowserSubprocess.exe" --type=renderer --locales-dir-path="C:\Users\Admin\AppData\Local\CefSharp\locales" --resources-dir-path="C:\Users\Admin\AppData\Local\CefSharp" --user-data-dir="C:\Users\Admin\AppData\Local\CefSharp" --cefsharpexitsub --no-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=3160,i,10536941472454238112,2657920493894548311,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI --variations-seed-version --enable-logging=handle --log-file=7676 --mojo-platform-channel-handle=4188 --host-process-id=4404 /prefetch:1
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:5384

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:992

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:984

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004D4 0x00000000000004C8
1⤵
PID:3540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Bloxstrap\Bloxstrap.exe

Filesize
249KB

MD5
772c9fecbd0397f6cfb3d866cf3a5d7d

SHA1
6de3355d866d0627a756d0d4e29318e67650dacf

SHA256
2f88ea7e1183d320fb2b7483de2e860da13dc0c0caaf58f41a888528d78c809f

SHA512
82048bd6e50d38a863379a623b8cfda2d1553d8141923acf13f990c7245c833082523633eaa830362a12bfff300da61b3d8b3cccbe038ce2375fdfbd20dbca31

Download Submit
C:\Users\Admin\AppData\Local\Bloxstrap\Modifications\ClientSettings\ClientAppSettings.json

Filesize
120B

MD5
636492f4af87f25c20bd34a731007d86

SHA1
22a5c237a739ab0df4ff87c9e3d79dbe0c89b56a

SHA256
22a1e85723295eeb854345be57f7d6fb56f02b232a95d69405bf9d9e67a0fa0d

SHA512
cd2e3a738f535eb1a119bd4c319555899bcd4ce1049d7f8591a1a68c26844f33c1bd1e171706533b5c36263ade5e275b55d40f5710e0210e010925969182cd0c

Download Submit
C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-1088f3c8e4a44cc7\ExtraContent\textures\ui\LuaApp\graphic\shimmer_lightTheme.png

Filesize
20KB

MD5
4f8f43c5d5c2895640ed4fdca39737d5

SHA1
fb46095bdfcab74d61e1171632c25f783ef495fa

SHA256
fc57f32c26087eef61b37850d60934eda1100ca8773f08e487191a74766053d1

SHA512
7aebc0f79b2b23a76fb41df8bab4411813ffb1abc5e2797810679c0eaa690e7af7561b8473405694bd967470be337417fa42e30f0318acbf171d8f31620a31aa

Download Submit
C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-1088f3c8e4a44cc7\ExtraContent\textures\ui\LuaApp\graphic\[email protected]

Filesize
71KB

MD5
3fec0191b36b9d9448a73ff1a937a1f7

SHA1
bee7d28204245e3088689ac08da18b43eae531ba

SHA256
1a03e6f6a0de045aa588544c392d671c040b82a5598b4246af04f5a74910dc89

SHA512
a8ab2bc2d937963af36d3255c6ea09cae6ab1599996450004bb18e8b8bdfbdde728821ac1662d8a0466680679011d8f366577b143766838fe91edf08a40353ce

Download Submit
C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-1088f3c8e4a44cc7\ExtraContent\textures\ui\LuaDiscussions\buttonFill.png

Filesize
247B

MD5
81ce54dfd6605840a1bd2f9b0b3f807d

SHA1
4a3a4c05b9c14c305a8bb06c768abc4958ba2f1c

SHA256
0a6a5cafb4dee0d8c1d182ddec9f68ca0471d7fc820cf8dc2d68f27a35cd3386

SHA512
57069c8ac03dd0fdfd97e2844c19138800ff6f7d508c26e5bc400b30fe78baa0991cc39f0f86fa10cd5d12b6b11b0b09c1a770e5cb2fdca157c2c8986a09e5ff

Download Submit
C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-1088f3c8e4a44cc7\content\configs\DateTimeLocaleConfigs\zh-hans.json

Filesize
2KB

MD5
fb6605abd624d1923aef5f2122b5ae58

SHA1
6e98c0a31fa39c781df33628b55568e095be7d71

SHA256
7b993133d329c46c0c437d985eead54432944d7b46db6ad6ea755505b8629d00

SHA512
97a14eda2010033265b379aa5553359293baf4988a4cdde8a40b0315e318a7b30feee7f5e14c68131e85610c00585d0c67e636999e3af9b5b2209e1a27a82223

Download Submit
C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-1088f3c8e4a44cc7\content\configs\DateTimeLocaleConfigs\zh-tw.json

Filesize
2KB

MD5
702c9879f2289959ceaa91d3045f28aa

SHA1
775072f139acc8eafb219af355f60b2f57094276

SHA256
a92a6988175f9c1d073e4b54bf6a31f9b5d3652eebdf6a351fb5e12bda76cbd5

SHA512
815a6bef134c0db7a5926f0cf4b3f7702d71b0b2f13eca9539cd2fc5a61eea81b1884e4c4bc0b3398880589bff809ac8d5df833e7e4aeda4a1244e9a875d1e97

Download Submit
C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-1088f3c8e4a44cc7\content\sounds\ouch.ogg

Filesize
6KB

MD5
9404c52d6f311da02d65d4320bfebb59

SHA1
0b5b5c2e7c631894953d5828fec06bdf6adba55f

SHA256
c9775e361392877d1d521d0450a5368ee92d37dc542bc5e514373c9d5003f317

SHA512
22aa1acbcdcf56f571170d9c32fd0d025c50936387203a7827dbb925f352d2bc082a8a79db61c2d1f1795ad979e93367c80205d9141b73d806ae08fa089837c4

Download Submit
C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-1088f3c8e4a44cc7\content\textures\Cursors\KeyboardMouse\IBeamCursor.png

Filesize
292B

MD5
464c4983fa06ad6cf235ec6793de5f83

SHA1
8afeb666c8aee7290ab587a2bfb29fc3551669e8

SHA256
99fd7f104948c6ab002d1ec69ffd6c896c91f9accc499588df0980b4346ecbed

SHA512
f805f5f38535fe487b899486c8de6cf630114964e2c3ebc2af7152a82c6f6faef681b4d936a1867b5dff6566b688b5c01105074443cc2086b3fe71f7e6e404b1

Download Submit
C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-1088f3c8e4a44cc7\content\textures\StudioToolbox\Clear.png

Filesize
538B

MD5
fa8eaf9266c707e151bb20281b3c0988

SHA1
3ca097ad4cd097745d33d386cc2d626ece8cb969

SHA256
8cf08bf7e50fea7b38f59f162ed956346c55a714ed8a9a8b0a1ada7e18480bc2

SHA512
e29274300eab297c6de895bb39170f73f0a4ffa2a8c3732caeeeac16e2c25fb58bb401fdd5823cc62d9c413ec6c43d7c46861d7e14d52f8d9d8ff632e29f167c

Download Submit
C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-1088f3c8e4a44cc7\content\textures\StudioUIEditor\valueBoxRoundedRectangle.png

Filesize
130B

MD5
521fb651c83453bf42d7432896040e5e

SHA1
8fdbf2cc2617b5b58aaa91b94b0bf755d951cad9

SHA256
630303ec4701779eaf86cc9fbf744b625becda53badc7271cbb6ddc56e638d70

SHA512
8fa0a50e52a3c7c53735c7dd7af275ebc9c1843f55bb30ebe0587a85955a8da94ff993822d233f7ed118b1070a7d67718b55ba4a597dc49ed2bf2a3836c696f6

Download Submit
C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-1088f3c8e4a44cc7\content\textures\TerrainTools\checkbox_square.png

Filesize
985B

MD5
2cb16991a26dc803f43963bdc7571e3f

SHA1
12ad66a51b60eeaed199bc521800f7c763a3bc7b

SHA256
c7bae6d856f3bd9f00c122522eb3534d0d198a9473b6a379a5c3458181870646

SHA512
4c9467e5e2d83b778d0fb8b6fd97964f8d8126f07bfd50c5d68c256703f291ceaed56be057e8e2c591b2d2c49f6b7e099a2b7088d0bf5bdd901433459663b1f8

Download Submit
C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-1088f3c8e4a44cc7\content\textures\ui\Controls\XboxController\Thumbstick1.png

Filesize
641B

MD5
2cbe38df9a03133ddf11a940c09b49cd

SHA1
6fb5c191ed8ce9495c66b90aaf53662bfe199846

SHA256
0835a661199a7d8df7249e8ae925987184efcc4fb85d9efac3cc2c1495020517

SHA512
dcef5baccef9fff632456fe7bc3c4f4a403363d9103a8047a55f4bd4c413d0c5f751a2e37385fe9eba7a420dbdb77ca2ff883d47fcdd35af222191cc5bd5c7a9

Download Submit
C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-1088f3c8e4a44cc7\content\textures\ui\Controls\XboxController\[email protected]

Filesize
1KB

MD5
e8c88cf5c5ef7ae5ddee2d0e8376b32f

SHA1
77f2a5b11436d247d1acc3bac8edffc99c496839

SHA256
9607af14604a8e8eb1dec45d3eeca01fed33140c0ccc3e6ef8ca4a1f6219b5dd

SHA512
32f5a1e907705346a56fbddfe0d8841d05415ff7abe28ae9281ba46fedf8270b982be0090b72e2e32de0ce36e21934f80eaf508fd010f7ab132d39f5305fb68f

Download Submit
C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-1088f3c8e4a44cc7\content\textures\ui\Controls\XboxController\[email protected]

Filesize
1KB

MD5
499333dae156bb4c9e9309a4842be4c8

SHA1
d18c4c36bdb297208589dc93715560acaf761c3a

SHA256
d35a74469f1436f114c27c730a5ec0793073bcf098db37f10158d562a3174591

SHA512
91c64173d2cdabc045c70e0538d45e1022cc74ec04989565b85f0f26fe3e788b700a0956a07a8c91d34c06fc1b7fad43bbdbb41b0c6f15b9881c3e46def8103e

Download Submit
C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-1088f3c8e4a44cc7\content\textures\ui\Controls\XboxController\Thumbstick2.png

Filesize
738B

MD5
a402aacac8be906bcc07d50669d32061

SHA1
9d75c1afbe9fc482983978cae4c553aa32625640

SHA256
62a313b6cc9ffe7dd86bc9c4fcd7b8e8d1f14a15cdf41a53fb69af4ae3416102

SHA512
d11567bcaad8bbd9e2b9f497c3215102c7e7546caf425e93791502d3d2b3f78dec13609796fcd6e1e7f5c7d794bac074d00a74001e7fe943d63463b483877546

Download Submit
C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-1088f3c8e4a44cc7\content\textures\ui\Controls\XboxController\[email protected]

Filesize
1KB

MD5
83e9b7823c0a5c4c67a603a734233dec

SHA1
2eaf04ad636bf71afdf73b004d17d366ac6d333e

SHA256
3b5e06eb1a89975def847101f700f0caa60fe0198f53e51974ef1608c6e1e067

SHA512
e8abb39a1ec340ac5c7d63137f607cd09eae0e885e4f73b84d8adad1b8f574155b92fbf2c9d3013f64ebbb6d55ead5419e7546b0f70dcde976d49e7440743b0f

Download Submit
C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-1088f3c8e4a44cc7\content\textures\ui\Controls\XboxController\[email protected]

Filesize
1KB

MD5
55b64987636b9740ab1de7debd1f0b2f

SHA1
96f67222ce7d7748ec968e95a2f6495860f9d9c9

SHA256
f4a6bb3347ee3e603ea0b2f009bfa802103bc434ae3ff1db1f2043fa8cace8fc

SHA512
73a88a278747de3fefbaabb3ff90c1c0750c8d6c17746787f17061f4eff933620407336bf9b755f4222b0943b07d8c4d01de1815d42ea65e78e0daa7072591e9

Download Submit
C:\Users\Admin\AppData\Local\CefSharp\CefSharp.BrowserSubprocess.Core.dll

Filesize
915KB

MD5
100c32f77e68a2ce962e1a28997567ea

SHA1
a80a1f4019b8d44df6b5833fb0c51b929fa79843

SHA256
c0b9e29b240d8328f2f9a29ca0298ca4d967a926f3174a3442c3730c00d5a926

SHA512
f95530ef439fa5c4e3bc02db249b6a76e9d56849816ead83c9cd9bcd49d3443ccb88651d829165c98a67af40b3ef02b922971114f29c5c735e662ca35c0fb6ed

Download Submit
C:\Users\Admin\AppData\Local\CefSharp\CefSharp.BrowserSubprocess.exe

Filesize
7KB

MD5
516ff62b2e1f4642caa954c0968719e8

SHA1
e349d0ce82e2109dd0d18416d9cf46e8411b7f15

SHA256
19da58849cec5933860116e60a1e94b08e30d90e0f955768270b47998d612045

SHA512
7aa4a0c87b29c2a84f585a884d8208fc2352a43f2cdb549c100e3b121837ad5f8dadb1101f57d1d3fcb7ebec9d9f22e07dc14239b7d2e2d25793c999becf288b

Download Submit
C:\Users\Admin\AppData\Local\CefSharp\CefSharp.dll

Filesize
272KB

MD5
9ca06a8f9e5f7239ca225ab810274023

SHA1
e1a219f567a7b7d3af9386df51b14c76e769c044

SHA256
5fd00ae3e83e6ca156647ff6df87b49ffc7cad47c23fe3ae07c067c5adf6f74a

SHA512
430c9bceed5439b987d5bd4840cfe32411ca61594f18597aca1948aa39a22c9d70beadf3bb9b1dd0373f81a94a25dcba17fa8e8c73abf06cba28d0971d5614c5

Download Submit
C:\Users\Admin\AppData\Local\CefSharp\LocalPrefs.json

Filesize
738B

MD5
4f2a4c33c3caa85ea28b049398a9cb8b

SHA1
a68a0df0c4a78e1a595733884883963b15146573

SHA256
3e6cae491107d26cc3f1cca5b787f1fe1656f809effcaa7bac210fa764694f1b

SHA512
b0db7f5262c2dbfb098051736903ddec7b5f77bf47e61d17f07e891e6ebab56986928d06e0b566d77270becd5088d54e7181cf4a50536020d1c1f3a7631624c6

Download Submit
C:\Users\Admin\AppData\Local\CefSharp\LocalPrefs.json

Filesize
434B

MD5
7b3bec0c36c7c2b8a91780848e0e28da

SHA1
ed4473d01db3c3f4d94cbd6b74e3c66cc124d17b

SHA256
b0dc48abdfbf4199a417fcd318e7284c4782024d903f5f8992687cd44d152fdc

SHA512
ada6099e56c51b71c4a916282561621fc737cbb136c4103650eabbdde4a2e32a656745d8bb7c415c89effdae6dd733eb736211e02bbde7a827a8cfde37ec1788

Download Submit
C:\Users\Admin\AppData\Local\CefSharp\LocalPrefs.json

Filesize
529B

MD5
e97a36ff2a62f0519e47ff3974c8c687

SHA1
71d9f78994fbfce85f5b10305818ea155c55b7a7

SHA256
2267a1c3857cecdeda1c0363f35c2df94b49f0a0d30cc52f405610c186948244

SHA512
0ae00cac794220022f59adb588614bdfe023b7d4d208b93781375d23f50f629db3e510c0a1a96b32856d13f5b322f551a5bb75146112389846d3c95689cae3c0

Download Submit
C:\Users\Admin\AppData\Local\CefSharp\LocalPrefs.json

Filesize
850B

MD5
6ae36bbea451aba982f622be624b6329

SHA1
fbee30a0a6acc19a2b3663214f0a4ada95c0603c

SHA256
aa7f1e4b7b8282ac1983044423c473528685083101d835262776b694b7ac7332

SHA512
3726a633c354858adcf5c0338cd5415b3cdd340f2615a208f43ffcba340f87dd5d77ed33c4f37382c0bc52adedef0888984509c92a91099763e7cca26c63bd2d

Download Submit
C:\Users\Admin\AppData\Local\CefSharp\chrome_100_percent.pak

Filesize
667KB

MD5
ae195e80859781a20414cf5faa52db06

SHA1
b18ecb5ec141415e3a210880e2b3d37470636485

SHA256
9957802c0792e621f76bbdb1c630fbad519922743b5d193294804164babda552

SHA512
c6fef84615fe20d1760ca496c98629feb4e533556724e9631d4282622748e7601225cf19dfb8351f4b540ae3f83785c1bcea6fe8c246cf70388e527654097c1c

Download Submit
C:\Users\Admin\AppData\Local\CefSharp\chrome_200_percent.pak

Filesize
1.0MB

MD5
1abf6bad0c39d59e541f04162e744224

SHA1
db93c38253338a0b85e431bd4194d9e7bddb22c6

SHA256
01cb663a75f18bb2d0d800640a114f153a34bd8a5f2aa0ed7daa9b32967dc29e

SHA512
945d519221d626421094316f13b818766826b3bedddab0165c041540dddadc93136e32784c0562d26a420cb29479d04d2aa317b8d605cd242e5152bf05af197e

Download Submit
C:\Users\Admin\AppData\Local\CefSharp\chrome_elf.dll

Filesize
1020KB

MD5
7191d97ce7886a1a93a013e90868db96

SHA1
52dd736cb589dd1def87130893d6b9449a6a36e3

SHA256
32f925f833aa59e3f05322549fc3c326ac6fc604358f4efbf94c59d5c08b8dc6

SHA512
38ebb62c34d466935eabb157197c7c364d4345f22aa3b2641b636196ca1aeaa2152ac75d613ff90817cb94825189612ddd12fb96df29469511a46a7d9620e724

Download Submit
C:\Users\Admin\AppData\Local\CefSharp\icudtl.dat

Filesize
10.2MB

MD5
74bded81ce10a426df54da39cfa132ff

SHA1
eb26bcc7d24be42bd8cfbded53bd62d605989bbf

SHA256
7bf96c193befbf23514401f8f6568076450ade52dd1595b85e4dfcf3de5f6fb9

SHA512
bd7b7b52d31803b2d4b1fd8cb76481931ed8abb98d779b893d3965231177bdd33386461e1a820b384712013904da094e3cd15ee24a679ddc766132677a8be54a

Download Submit
C:\Users\Admin\AppData\Local\CefSharp\libEGL.dll

Filesize
359KB

MD5
7dd6b0e4a31d35a0fae5ff425707073c

SHA1
fbd12e9f8e2252c52ce555c2ebbd7f07e62a0140

SHA256
8762d8001fc3ddd90e3129dfea172817e8d09b9936eaae391957de4326c8c906

SHA512
726968df6b83ab5f589276672250d92f532fe2dcea2176e42031a7f1dcecf578b0320cfe2a7d88bb9883ad99387d71c6ebf1e9968272bb5e62850ef09abd2648

Download Submit
C:\Users\Admin\AppData\Local\CefSharp\libGLESv2.dll

Filesize
6.6MB

MD5
8803db5b167fb5a5f8a8c595c4e4d7c6

SHA1
7fde861151f3bea66c65b6c2487a30728048811a

SHA256
52a58d25a41f4bd31cdb4a0d306217862e04ebf7c1925cc85330054a5523d719

SHA512
2fa9a0eda221982896e41eb387b5e156198615ac1a1fbac0acffd13008919368b41a240df416c1fce2e48c20a14cd7af7cca9fba476ada5e64a0cadde84a44b7

Download Submit
C:\Users\Admin\AppData\Local\CefSharp\locales\en-US.pak

Filesize
456KB

MD5
4430b1833d56bc8eb1f7dc82bb7f4bc9

SHA1
dc15e6306625f155683326e859d83f846153c547

SHA256
b44ddcfac9df4934007e6c55a3c7f5e7f14c7e5e29f35c81de917fc3b22aabbc

SHA512
faf93bf371b2a88c1b874a5e2c54e4487fd152ad19c2a406a46f55ae75ecd421a779888c2e4c170857b16bfb5d8744bc1815a4732ed50b064b3cbd0c5ffad889

Download Submit
C:\Users\Admin\AppData\Local\CefSharp\resources.pak

Filesize
8.0MB

MD5
4933d92c99afa246fc59eef010d5c858

SHA1
98d443654e93c73dd317f9f847f71fba3d5b3135

SHA256
62f4674daa15245ee081920b8ee191e72f36ca8fe24f6b986a832f45676915b2

SHA512
a3a69523c8e7310716daeebc06c2ba4fce673eccd1958e824ff179b82f4502d0ec095190179bbb387342e4150f952ea7533182fb6ba90377d17dafba8f4da623

Download Submit
C:\Users\Admin\AppData\Local\CefSharp\vk_swiftshader.dll

Filesize
4.4MB

MD5
0ec149455727ace9acc09b3ba2c3a2b2

SHA1
6eeb990876cef6a34115b67f3190255db589f723

SHA256
e2d8ef53897e864b5b66bc73606681c99461798a9f4c1e13ca5cef7bc774d7fd

SHA512
c8eaa598c9439b1f2375fdac1f58896853510bddbd640707b9142c0d3793836120b28d7c2bd0407f0d5656dd19f14b312f37b7ac0165c9cc8b4c1a0f2af62531

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
71b037b0569f4a9790be0f267ca94b70

SHA1
63e6019c2a53779070ef2908e3b77cd1baf33e2f

SHA256
9327d61f7d091047fb1ba4c8718db59585dc489229d09ee90713a420fb194890

SHA512
f162d4b7b1523573a472d391020a5b2747022246e9a868caf8714ec088377d4f8e8cde3bf2cc675deb7084c91f77e687cadce6fb268c4eff1b58220c2c49f98a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
384B

MD5
2258ba864a587246813d1618ec0f0d35

SHA1
acaf5a18fa1e7213db98f433e813b1c9360b32f2

SHA256
424c88a50d66f5c03e82e0148125a386112d32ec0282f4dd10c5a23482a43d96

SHA512
9668aa73b2ecb60add92831b3fa69263a13937713246c34286ce96a14a8a5a948d766c91a3e50ad02f4472d8b0a85ab9e2be10ad5773c2dd84a077796a008203

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
81b0f57f35a3ed92381f2cbaeceef348

SHA1
6ba08376db628de39cb11808df6dde4c4dc257d6

SHA256
f6b3c0827dba65949b94a52b9a9e573f17f49ec070cd7c7819274e45035d4a82

SHA512
538fa434998d88779c4886e7dd13c5bcdf59fd425eb85c83a76f72b761436fe417d3f1e753ddea14418fcb9691d5e631d550e7d39d933f36599f494ebf049e07

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
85047696e511de3370307d9267b60cc1

SHA1
f7679e13c6fdd18de9cbefc8320a7365899c7f92

SHA256
202f2faba28b0ba86d693367d2bebb94ecc6cdcd7670bb6453c76b0f142692a5

SHA512
1a3e0c34db390d936ca049601c343dca887ad4fd85527337e587b9fe59fb6af6dbd075735e94bf1276e66e8d81f305c20d5fe7dc9d33aaf250950e18d26f2223

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b6db181ae3e0ee894d5c3285975913e6

SHA1
4b291c89c1f7ddc6c04e347f81bc55a689fb370b

SHA256
55209bd37a3b52f9ed2f98708ff4ee718bbbf3f628685e6fc4c46338d6024b5b

SHA512
bca8d0e634f7bf9a359da0b2dfe842604949c0655c411dda204c579c551c2e1475f4ee0a4ec3f90a2b87f2cfc84b055520621c764eedc2e87b4826d228092d5e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b7a6c698b086bd7524eeb5672525cd91

SHA1
768a857301a6a99b0ec81703a1c29edd3fad1f74

SHA256
76e0d3810fa7e18ece61f298b42f898e026f7157e5abc215731a514cd77c03bc

SHA512
222ae014405e40da797d3dbdc188ada9be52618ca0fd1cff9c6a8ab3140e8d900e8105d2f8ccbd1f59b3d1451ec5cd4ad85731810a688eec016e2ef32a499c32

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
721d598f4415af29827c368cc554a32e

SHA1
4f6e39771014241b3ffe67dc35ec69598bba58af

SHA256
b90fcb90d6174bb685320464b86c838a8c25dfdcb9a3a2f4d3a7dd1a13371849

SHA512
1e27dab58b77af3950b0c1783e081f25da52446fa81fa3dbca427d4dc094076839f9b9cb9d0111f70cb318d8820de9b5f9936cc1c15a7542653cbbe49588301f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
e3f0e9d7be600a7135238cfa2bc03a94

SHA1
d8c7e519e820c4f655e30d6d457aaccfd7912edd

SHA256
d46535ff1e845bbfbc4313be2b33f998fe702686326e5d017e74c21fb0bd0818

SHA512
509f0b1f52dfc1c663099e27b27f278ab2279b9ce60317cb0e453b076865e9af01282e65e26e033829ca1eb3bfdbb95871e655c83b107c11c59e46e98c688476

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
167KB

MD5
ce38f7fd8d4a76ab324c8fa1715c4a8b

SHA1
14c28fbf28aca5054c9872292324855cd32a9dab

SHA256
74dfb380b5e10065b3ba3c6abb4b3115fff11759943fb125f49e24e905bee49a

SHA512
0463c75495c0f893ccde9ff8e24e7fe63c6a91d679c8036f54d8357b6e0083aee3c0991b7bb67a3a15b2a45865411a3e5b95bf78f76896cc40b3a2029fde9bed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
167KB

MD5
8b4d5e98ae9bccbff33770cef681d095

SHA1
65e2361df83cb9a3c9d22bf1c143f867f74f5d97

SHA256
aeadca30256ee6e55573a0cfd9fefee29a420bfdac9d7ab0351b030299839ee1

SHA512
76dff2a1077714eab0dec1ed3aaa42fffcd450c1c428ce26d52c90f093abef9e7f713446c3854cd63717bf6099473cf9956407ab6618e5d214cb4d7e382245b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f3996ba3a4e129b8496573f5b94f2022

SHA1
3f81013a4b197a8a05148db88db0ea15bf379e9d

SHA256
790a420cf37d4d093a2e3d6aba963a053d7169498481a8da564e3c34a04944db

SHA512
5b28af0014bc2e6d22bd477b389cf4458d85830cf0fb4190982781da5a337fa11e4f914f8551813936c6de01deac0a9c51a40663f3353696345a807c2730bb6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
896KB

MD5
152e2d70df732fae69af04ac066c4f82

SHA1
9a505687275ee411e73ced5eb748137f0665f43e

SHA256
32ddd71535f8627966a6f3853f8c8fafed84a65fcd11e994da9479948c7c8855

SHA512
7920ae97e3b6736976db1949777e5c567ca0dc950199fec956be08d6b4aabc11b1cd3db0f966c51df28825813d1568d492bf929714202f0cee52ca3c91f1d8c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Wave\CefSharp.Core.Runtime.dll

Filesize
1.3MB

MD5
09cba584aa0aae9fc600745567393ef6

SHA1
bbd1f93cb0db9cf9e01071b3bed1b4afd6e31279

SHA256
0babd84d4e7dc2713e7265d5ac25a3c28d412e705870cded6f5c7c550a5bf8d5

SHA512
5f914fa33a63a6d4b46f39c7279687f313728fd5f8437ec592369a2da3256ccff6f325f78ace0e6d3a2c37da1f681058556f7603da13c45b03f2808f779d2aa1

Download Submit
C:\Users\Admin\AppData\Local\Wave\D3DCOMPILER_47.dll

Filesize
3.9MB

MD5
3b4647bcb9feb591c2c05d1a606ed988

SHA1
b42c59f96fb069fd49009dfd94550a7764e6c97c

SHA256
35773c397036b368c1e75d4e0d62c36d98139ebe74e42c1ff7be71c6b5a19fd7

SHA512
00cd443b36f53985212ac43b44f56c18bf70e25119bbf9c59d05e2358ff45254b957f1ec63fc70fb57b1726fd8f76ccfad8103c67454b817a4f183f9122e3f50

Download Submit
C:\Users\Admin\AppData\Local\Wave\WaveBootstrapper.exe

Filesize
939KB

MD5
258a9cae6024c91784bbd8aa5379e86f

SHA1
fe1a808ba23053413359a78d5ec096b2cd540dd5

SHA256
3881840473ec5286189d2fc8e85f0f26a2532890055d1653da9580aa31b2d0e5

SHA512
b621ef432b430d2df0443fa0ebdd59dc7de6b32375c2fc83e8474838843c4abcf4a35f2b5f80e78911fc52336d71812ca9fbc9919314ea3b59bd26036a4ea5a5

Download Submit
C:\Users\Admin\AppData\Local\Wave\WaveWindows.exe

Filesize
7.5MB

MD5
d480fa673e647e8724368ebdc25e0466

SHA1
e9d79aa2ecbdae35092e05f2d7dec4bcb8cf1a78

SHA256
97e79046d57739603a980f5a5fb0642c05a082781095b9a7eb8475083ecd5703

SHA512
5f34adcb185556428e4351fb6ab0e009a8e0585e1f5fbefc480bfd5fcaa7321ede5d9d58ad28bd4d987c273cb35e057e04ba39add1a47615de4b2bba28bc7551

Download Submit
C:\Users\Admin\Downloads\WaveInstaller.exe

Filesize
1.5MB

MD5
c822ab5332b11c9185765b157d0b6e17

SHA1
7fe909d73a24ddd87171896079cceb8b03663ad4

SHA256
344700d3141170111a9b77db100f6961cc54a2988d964d34f7e1ca57aa42aa2a

SHA512
a8612836fb4714b939d03f7fe08391bbc635ca83ab853fc677159e5db6b00f76b9b586bdae9c19d2406d9a2713d1caf614132cb6c14e1dddc6ac45e47f7e5a5d

Download Submit
C:\Users\Admin\Downloads\WaveInstaller.exe:Zone.Identifier

Filesize
76B

MD5
6426df412889a0bbfde061995a7415bb

SHA1
339b736382aa0fabeeb5cb16a564c58d27a387b6

SHA256
a4180fd8b67b4ba5e3eeb0d19b4fd1daa361bbf34882cf72b12bc5727497c260

SHA512
bc720ef63b4eda35fe52cc1bf50bd12b9383e11ea16a2c2347b17cebad34a889bfae983b0b4565d587191396636af62245a5878e8574f444bb3fb9ea76403a4f

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4404_19526690\manifest.json

Filesize
984B

MD5
0359d5b66d73a97ce5dc9f89ed84c458

SHA1
ce17e52eaac909dd63d16d93410de675d3e6ec0d

SHA256
beeab2f8d3833839399dde15ce9085c17b304445577d21333e883d6db6d0b755

SHA512
8fd94a098a4ab5c0fcd48c2cef2bb03328dd4d25c899bf5ed1ca561347d74a8aab8a214ba2d3180a86df72c52eb26987a44631d0ecd9edc84976c28d6c9dc16a

Download Submit
memory/1112-707-0x0000000009670000-0x0000000009671000-memory.dmp

Filesize
4KB

Download
memory/1112-710-0x0000000009670000-0x0000000009671000-memory.dmp

Filesize
4KB

Download
memory/1112-701-0x0000000009670000-0x0000000009671000-memory.dmp

Filesize
4KB

Download
memory/1112-711-0x0000000009670000-0x0000000009671000-memory.dmp

Filesize
4KB

Download
memory/1112-708-0x0000000009670000-0x0000000009671000-memory.dmp

Filesize
4KB

Download
memory/1112-709-0x0000000009670000-0x0000000009671000-memory.dmp

Filesize
4KB

Download
memory/1112-706-0x0000000009670000-0x0000000009671000-memory.dmp

Filesize
4KB

Download
memory/1112-705-0x0000000009670000-0x0000000009671000-memory.dmp

Filesize
4KB

Download
memory/1112-700-0x0000000009670000-0x0000000009671000-memory.dmp

Filesize
4KB

Download
memory/1112-699-0x0000000009670000-0x0000000009671000-memory.dmp

Filesize
4KB

Download
memory/1556-256-0x000000000B480000-0x000000000B516000-memory.dmp

Filesize
600KB

Download
memory/1556-246-0x0000000009BA0000-0x0000000009BD8000-memory.dmp

Filesize
224KB

Download
memory/1556-481-0x0000000074310000-0x0000000074AC1000-memory.dmp

Filesize
7.7MB

Download
memory/1556-141-0x0000000074310000-0x0000000074AC1000-memory.dmp

Filesize
7.7MB

Download
memory/1556-261-0x000000000A630000-0x000000000A63A000-memory.dmp

Filesize
40KB

Download
memory/1556-260-0x000000000AF50000-0x000000000AFC2000-memory.dmp

Filesize
456KB

Download
memory/1556-257-0x000000000A550000-0x000000000A576000-memory.dmp

Filesize
152KB

Download
memory/1556-262-0x000000000ABD0000-0x000000000ABDA000-memory.dmp

Filesize
40KB

Download
memory/1556-249-0x0000000074310000-0x0000000074AC1000-memory.dmp

Filesize
7.7MB

Download
memory/1556-248-0x000000007431E000-0x000000007431F000-memory.dmp

Filesize
4KB

Download
memory/1556-140-0x0000000000640000-0x00000000007D2000-memory.dmp

Filesize
1.6MB

Download
memory/1556-247-0x0000000009B70000-0x0000000009B7E000-memory.dmp

Filesize
56KB

Download
memory/1556-258-0x000000000A520000-0x000000000A528000-memory.dmp

Filesize
32KB

Download
memory/1556-139-0x000000007431E000-0x000000007431F000-memory.dmp

Filesize
4KB

Download
memory/1656-482-0x0000000008A10000-0x0000000008B10000-memory.dmp

Filesize
1024KB

Download
memory/1656-486-0x0000000009800000-0x000000000981E000-memory.dmp

Filesize
120KB

Download
memory/1656-479-0x0000000000970000-0x0000000000A60000-memory.dmp

Filesize
960KB

Download
memory/1656-483-0x0000000009720000-0x0000000009736000-memory.dmp

Filesize
88KB

Download
memory/1656-484-0x0000000009760000-0x000000000976A000-memory.dmp

Filesize
40KB

Download
memory/1656-485-0x00000000097A0000-0x00000000097A8000-memory.dmp

Filesize
32KB

Download
memory/4404-602-0x000000000CEC0000-0x000000000CED0000-memory.dmp

Filesize
64KB

Download
memory/4404-587-0x000000000FFD0000-0x00000000104FC000-memory.dmp

Filesize
5.2MB

Download
memory/4404-611-0x000000000CEC0000-0x000000000CED0000-memory.dmp

Filesize
64KB

Download
memory/4404-610-0x000000000CEC0000-0x000000000CED0000-memory.dmp

Filesize
64KB

Download
memory/4404-609-0x000000000CEC0000-0x000000000CED0000-memory.dmp

Filesize
64KB

Download
memory/4404-619-0x000000000CEC0000-0x000000000CED0000-memory.dmp

Filesize
64KB

Download
memory/4404-615-0x0000000011130000-0x0000000011140000-memory.dmp

Filesize
64KB

Download
memory/4404-614-0x000000000CEC0000-0x000000000CED0000-memory.dmp

Filesize
64KB

Download
memory/4404-608-0x0000000013CA0000-0x0000000013CB0000-memory.dmp

Filesize
64KB

Download
memory/4404-607-0x0000000013CA0000-0x0000000013CB0000-memory.dmp

Filesize
64KB

Download
memory/4404-606-0x0000000014740000-0x00000000148C8000-memory.dmp

Filesize
1.5MB

Download
memory/4404-605-0x0000000011130000-0x0000000011140000-memory.dmp

Filesize
64KB

Download
memory/4404-603-0x000000000CEC0000-0x000000000CED0000-memory.dmp

Filesize
64KB

Download
memory/4404-601-0x000000000CEC0000-0x000000000CED0000-memory.dmp

Filesize
64KB

Download
memory/4404-604-0x000000000CEC0000-0x000000000CED0000-memory.dmp

Filesize
64KB

Download
memory/4404-618-0x000000000CEC0000-0x000000000CED0000-memory.dmp

Filesize
64KB

Download
memory/4404-590-0x000000000E040000-0x000000000E048000-memory.dmp

Filesize
32KB

Download
memory/4404-589-0x000000000FE30000-0x000000000FE96000-memory.dmp

Filesize
408KB

Download
memory/4404-588-0x000000000D070000-0x000000000D0AE000-memory.dmp

Filesize
248KB

Download
memory/4404-621-0x0000000013CA0000-0x0000000013CB0000-memory.dmp

Filesize
64KB

Download
memory/4404-586-0x000000000DAF0000-0x000000000DB90000-memory.dmp

Filesize
640KB

Download
memory/4404-585-0x000000000CF90000-0x000000000CFC8000-memory.dmp

Filesize
224KB

Download
memory/4404-571-0x000000000E5A0000-0x000000000E8F7000-memory.dmp

Filesize
3.3MB

Download
memory/4404-570-0x000000000DEC0000-0x000000000DEE2000-memory.dmp

Filesize
136KB

Download
memory/4404-565-0x000000000CAD0000-0x000000000CB82000-memory.dmp

Filesize
712KB

Download
memory/4404-617-0x0000000013CA0000-0x0000000013CB0000-memory.dmp

Filesize
64KB

Download
memory/4404-620-0x0000000013CA0000-0x0000000013CB0000-memory.dmp

Filesize
64KB

Download
memory/4404-616-0x0000000013CA0000-0x0000000013CB0000-memory.dmp

Filesize
64KB

Download
memory/4404-513-0x0000000005C60000-0x0000000005DBB000-memory.dmp

Filesize
1.4MB

Download
memory/4404-505-0x0000000005340000-0x0000000005426000-memory.dmp

Filesize
920KB

Download
memory/4404-504-0x0000000002B20000-0x0000000002B44000-memory.dmp

Filesize
144KB

Download
memory/4404-503-0x00000000050A0000-0x00000000050EA000-memory.dmp

Filesize
296KB

Download
memory/4404-502-0x00000000000E0000-0x000000000086C000-memory.dmp

Filesize
7.5MB

Download
memory/4404-612-0x000000000CEC0000-0x000000000CED0000-memory.dmp

Filesize
64KB

Download
memory/4404-613-0x000000000CEC0000-0x000000000CED0000-memory.dmp

Filesize
64KB

Download
memory/5048-539-0x0000000004EC0000-0x0000000004F0A000-memory.dmp

Filesize
296KB

Download
memory/5048-528-0x0000000000470000-0x0000000000478000-memory.dmp

Filesize
32KB

Download
memory/5048-532-0x0000000004D20000-0x0000000004E0A000-memory.dmp

Filesize
936KB

Download