344700d3141170111a9b77db100f6961cc54a2988d964d34f7e1ca57aa42aa2a

Analysis

max time kernel
149s
max time network
151s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
06-07-2024 06:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WaveInstaller.exe
Size

1.5MB
MD5

c822ab5332b11c9185765b157d0b6e17
SHA1

7fe909d73a24ddd87171896079cceb8b03663ad4
SHA256

344700d3141170111a9b77db100f6961cc54a2988d964d34f7e1ca57aa42aa2a
SHA512

a8612836fb4714b939d03f7fe08391bbc635ca83ab853fc677159e5db6b00f76b9b586bdae9c19d2406d9a2713d1caf614132cb6c14e1dddc6ac45e47f7e5a5d
SSDEEP

24576:9viinbT3ipyqwPx4x3RyFoBkkAd04wJAAh/jV1gJcPNZI6fntX3HOt2pbs81ind2:EinbT3ipTD0anywJAaD/3U2pb7indT

Score

8^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Bloxstrap.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\International\Geo\Nation	Bloxstrap.exe

Executes dropped EXE 11 IoCs

Processes:

WaveBootstrapper.exeWaveBootstrapper.exeWaveWindows.exeWaveWindows.exeCefSharp.BrowserSubprocess.exeCefSharp.BrowserSubprocess.exenode.exeBloxstrap.exewindowsdesktop-runtime-6.0.31-win-x64.exewindowsdesktop-runtime-6.0.31-win-x64.exeCefSharp.BrowserSubprocess.exe

pid	process
4084	WaveBootstrapper.exe
3400	WaveBootstrapper.exe
3232	WaveWindows.exe
1544	WaveWindows.exe
4872	CefSharp.BrowserSubprocess.exe
4472	CefSharp.BrowserSubprocess.exe
1488	node.exe
1444	Bloxstrap.exe
4716	windowsdesktop-runtime-6.0.31-win-x64.exe
2172	windowsdesktop-runtime-6.0.31-win-x64.exe
3424	CefSharp.BrowserSubprocess.exe

Loads dropped DLL 34 IoCs

Processes:

WaveBootstrapper.exeWaveBootstrapper.exeWaveWindows.exeCefSharp.BrowserSubprocess.exeCefSharp.BrowserSubprocess.exewindowsdesktop-runtime-6.0.31-win-x64.exeCefSharp.BrowserSubprocess.exe

pid	process
4084	WaveBootstrapper.exe
3400	WaveBootstrapper.exe
3232	WaveWindows.exe
3232	WaveWindows.exe
3232	WaveWindows.exe
3232	WaveWindows.exe
3232	WaveWindows.exe
4872	CefSharp.BrowserSubprocess.exe
4872	CefSharp.BrowserSubprocess.exe
4872	CefSharp.BrowserSubprocess.exe
4872	CefSharp.BrowserSubprocess.exe
4872	CefSharp.BrowserSubprocess.exe
4872	CefSharp.BrowserSubprocess.exe
4872	CefSharp.BrowserSubprocess.exe
4872	CefSharp.BrowserSubprocess.exe
4872	CefSharp.BrowserSubprocess.exe
4872	CefSharp.BrowserSubprocess.exe
4872	CefSharp.BrowserSubprocess.exe
4472	CefSharp.BrowserSubprocess.exe
4472	CefSharp.BrowserSubprocess.exe
4472	CefSharp.BrowserSubprocess.exe
4472	CefSharp.BrowserSubprocess.exe
4472	CefSharp.BrowserSubprocess.exe
4472	CefSharp.BrowserSubprocess.exe
4472	CefSharp.BrowserSubprocess.exe
3232	WaveWindows.exe
2172	windowsdesktop-runtime-6.0.31-win-x64.exe
3424	CefSharp.BrowserSubprocess.exe
3424	CefSharp.BrowserSubprocess.exe
3424	CefSharp.BrowserSubprocess.exe
3424	CefSharp.BrowserSubprocess.exe
3424	CefSharp.BrowserSubprocess.exe
3424	CefSharp.BrowserSubprocess.exe
3424	CefSharp.BrowserSubprocess.exe

Checks for any installed AV software in registry 1 TTPs 6 IoCs

Security Software Discovery

T1518.001

Processes:

WaveWindows.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\KasperskyLab\LastUsername	WaveWindows.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\KasperskyLab\Session	WaveWindows.exe
Key queried	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\KasperskyLab	WaveWindows.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\KasperskyLab\LastUsername = "ZackZeek2"	WaveWindows.exe
Key opened	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\KasperskyLab	WaveWindows.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\KasperskyLab	WaveWindows.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

Processes:

flow	ioc
12	raw.githubusercontent.com
13	raw.githubusercontent.com
30	raw.githubusercontent.com
31	raw.githubusercontent.com
32	raw.githubusercontent.com
33	raw.githubusercontent.com

Drops file in Program Files directory 6 IoCs

Processes:

WaveWindows.exe

description	ioc	process
File created	C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3232_749162649\manifest.fingerprint	WaveWindows.exe
File created	C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3232_749162649\_platform_specific\win_x86\widevinecdm.dll.sig	WaveWindows.exe
File created	C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3232_749162649\_platform_specific\win_x86\widevinecdm.dll	WaveWindows.exe
File created	C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3232_749162649\LICENSE	WaveWindows.exe
File created	C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3232_749162649\manifest.json	WaveWindows.exe
File created	C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3232_749162649\_metadata\verified_contents.json	WaveWindows.exe

Drops file in Windows directory 4 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	ioc	process
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdge.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3212 1544 WerFault.exe WaveWindows.exe

pid	pid_target	process	target process
3212	1544	WerFault.exe	WaveWindows.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

browser_broker.exeMicrosoftEdgeCP.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies registry class 64 IoCs

Processes:

MicrosoftEdgeCP.exeMicrosoftEdge.exeMicrosoftEdgeCP.exebrowser_broker.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\dotnet.microsoft.com	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$vBulletin 4	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\dotnet.microsoft.com\ = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\microsoft.com\Total = "134"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DeviceId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\trust\CRLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\PersistedStorageItemTable	browser_broker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListDOSTime = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\EnablementState = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\CTLs	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BingPageData\RulesFileNextUpdateDate = "426411143"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\ACGPolicyState = "6"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Explorer\Main\OperationalData = "1"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\Total\ = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "10"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA\CTLs	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$http://www.typepad.com/	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\TreeView = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "268435456"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\FileNames	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 72f4d4c171cfda01	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPublisher\CTLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\FileNames\en-US = "en-US.1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$vBulletin 3	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\CIStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\microsoft.com\NumberOfSubdom = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\microsoft.com\ = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\Certificates	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Extensible Cache	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DomStorageState	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\LowMic	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 7d7fdabb71cfda01	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\CTLs	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active	MicrosoftEdge.exe

NTFS ADS 1 IoCs

Processes:

browser_broker.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\windowsdesktop-runtime-6.0.31-win-x64.exe.ths7m45.partial:Zone.Identifier	browser_broker.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

WaveWindows.exeWaveWindows.exeCefSharp.BrowserSubprocess.exeCefSharp.BrowserSubprocess.exeCefSharp.BrowserSubprocess.exe

pid	process
3232	WaveWindows.exe
1544	WaveWindows.exe
4872	CefSharp.BrowserSubprocess.exe
4872	CefSharp.BrowserSubprocess.exe
4472	CefSharp.BrowserSubprocess.exe
4472	CefSharp.BrowserSubprocess.exe
3232	WaveWindows.exe
3424	CefSharp.BrowserSubprocess.exe
3424	CefSharp.BrowserSubprocess.exe

Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

MicrosoftEdgeCP.exe

pid process

3408 MicrosoftEdgeCP.exe
3408 MicrosoftEdgeCP.exe
3408 MicrosoftEdgeCP.exe
3408 MicrosoftEdgeCP.exe

pid	process
3408	MicrosoftEdgeCP.exe
3408	MicrosoftEdgeCP.exe
3408	MicrosoftEdgeCP.exe
3408	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WaveInstaller.exeWaveBootstrapper.exeWaveBootstrapper.exeWaveWindows.exeWaveWindows.exeCefSharp.BrowserSubprocess.exeCefSharp.BrowserSubprocess.exeMicrosoftEdgeCP.exeMicrosoftEdge.exeMicrosoftEdgeCP.exe

description	pid	process
Token: SeDebugPrivilege	4400	WaveInstaller.exe
Token: SeDebugPrivilege	4084	WaveBootstrapper.exe
Token: SeDebugPrivilege	3400	WaveBootstrapper.exe
Token: SeDebugPrivilege	3232	WaveWindows.exe
Token: SeDebugPrivilege	1544	WaveWindows.exe
Token: SeDebugPrivilege	4872	CefSharp.BrowserSubprocess.exe
Token: SeShutdownPrivilege	3232	WaveWindows.exe
Token: SeCreatePagefilePrivilege	3232	WaveWindows.exe
Token: SeDebugPrivilege	4472	CefSharp.BrowserSubprocess.exe
Token: SeShutdownPrivilege	3232	WaveWindows.exe
Token: SeCreatePagefilePrivilege	3232	WaveWindows.exe
Token: SeShutdownPrivilege	3232	WaveWindows.exe
Token: SeCreatePagefilePrivilege	3232	WaveWindows.exe
Token: SeShutdownPrivilege	3232	WaveWindows.exe
Token: SeCreatePagefilePrivilege	3232	WaveWindows.exe
Token: SeShutdownPrivilege	3232	WaveWindows.exe
Token: SeCreatePagefilePrivilege	3232	WaveWindows.exe
Token: SeShutdownPrivilege	3232	WaveWindows.exe
Token: SeCreatePagefilePrivilege	3232	WaveWindows.exe
Token: SeShutdownPrivilege	3232	WaveWindows.exe
Token: SeCreatePagefilePrivilege	3232	WaveWindows.exe
Token: SeShutdownPrivilege	3232	WaveWindows.exe
Token: SeCreatePagefilePrivilege	3232	WaveWindows.exe
Token: SeShutdownPrivilege	3232	WaveWindows.exe
Token: SeCreatePagefilePrivilege	3232	WaveWindows.exe
Token: SeShutdownPrivilege	3232	WaveWindows.exe
Token: SeCreatePagefilePrivilege	3232	WaveWindows.exe
Token: SeDebugPrivilege	2468	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	2468	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	2468	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	2468	MicrosoftEdgeCP.exe
Token: SeShutdownPrivilege	3232	WaveWindows.exe
Token: SeCreatePagefilePrivilege	3232	WaveWindows.exe
Token: SeShutdownPrivilege	3232	WaveWindows.exe
Token: SeCreatePagefilePrivilege	3232	WaveWindows.exe
Token: SeShutdownPrivilege	3232	WaveWindows.exe
Token: SeCreatePagefilePrivilege	3232	WaveWindows.exe
Token: SeShutdownPrivilege	3232	WaveWindows.exe
Token: SeCreatePagefilePrivilege	3232	WaveWindows.exe
Token: SeShutdownPrivilege	3232	WaveWindows.exe
Token: SeCreatePagefilePrivilege	3232	WaveWindows.exe
Token: SeShutdownPrivilege	3232	WaveWindows.exe
Token: SeCreatePagefilePrivilege	3232	WaveWindows.exe
Token: SeShutdownPrivilege	3232	WaveWindows.exe
Token: SeCreatePagefilePrivilege	3232	WaveWindows.exe
Token: SeShutdownPrivilege	3232	WaveWindows.exe
Token: SeCreatePagefilePrivilege	3232	WaveWindows.exe
Token: SeDebugPrivilege	4728	MicrosoftEdge.exe
Token: SeDebugPrivilege	4728	MicrosoftEdge.exe
Token: SeShutdownPrivilege	3232	WaveWindows.exe
Token: SeCreatePagefilePrivilege	3232	WaveWindows.exe
Token: SeDebugPrivilege	4576	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4576	MicrosoftEdgeCP.exe
Token: SeShutdownPrivilege	3232	WaveWindows.exe
Token: SeCreatePagefilePrivilege	3232	WaveWindows.exe
Token: SeShutdownPrivilege	3232	WaveWindows.exe
Token: SeCreatePagefilePrivilege	3232	WaveWindows.exe
Token: SeShutdownPrivilege	3232	WaveWindows.exe
Token: SeCreatePagefilePrivilege	3232	WaveWindows.exe
Token: SeShutdownPrivilege	3232	WaveWindows.exe
Token: SeCreatePagefilePrivilege	3232	WaveWindows.exe
Token: SeShutdownPrivilege	3232	WaveWindows.exe
Token: SeCreatePagefilePrivilege	3232	WaveWindows.exe
Token: SeShutdownPrivilege	3232	WaveWindows.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

WaveWindows.exe

pid process

3232 WaveWindows.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

pid process

4728 MicrosoftEdge.exe
3408 MicrosoftEdgeCP.exe
2468 MicrosoftEdgeCP.exe
3408 MicrosoftEdgeCP.exe

pid	process
4728	MicrosoftEdge.exe
3408	MicrosoftEdgeCP.exe
2468	MicrosoftEdgeCP.exe
3408	MicrosoftEdgeCP.exe

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

WaveInstaller.exeWaveBootstrapper.exeWaveBootstrapper.exeWaveWindows.exeMicrosoftEdgeCP.exebrowser_broker.exewindowsdesktop-runtime-6.0.31-win-x64.exe

description	pid	process	target process
PID 4400 wrote to memory of 4084	4400	WaveInstaller.exe	WaveBootstrapper.exe
PID 4400 wrote to memory of 4084	4400	WaveInstaller.exe	WaveBootstrapper.exe
PID 4400 wrote to memory of 4084	4400	WaveInstaller.exe	WaveBootstrapper.exe
PID 4084 wrote to memory of 3232	4084	WaveBootstrapper.exe	WaveWindows.exe
PID 4084 wrote to memory of 3232	4084	WaveBootstrapper.exe	WaveWindows.exe
PID 4084 wrote to memory of 3232	4084	WaveBootstrapper.exe	WaveWindows.exe
PID 3400 wrote to memory of 1544	3400	WaveBootstrapper.exe	WaveWindows.exe
PID 3400 wrote to memory of 1544	3400	WaveBootstrapper.exe	WaveWindows.exe
PID 3400 wrote to memory of 1544	3400	WaveBootstrapper.exe	WaveWindows.exe
PID 3232 wrote to memory of 4872	3232	WaveWindows.exe	CefSharp.BrowserSubprocess.exe
PID 3232 wrote to memory of 4872	3232	WaveWindows.exe	CefSharp.BrowserSubprocess.exe
PID 3232 wrote to memory of 4872	3232	WaveWindows.exe	CefSharp.BrowserSubprocess.exe
PID 3232 wrote to memory of 4472	3232	WaveWindows.exe	CefSharp.BrowserSubprocess.exe
PID 3232 wrote to memory of 4472	3232	WaveWindows.exe	CefSharp.BrowserSubprocess.exe
PID 3232 wrote to memory of 4472	3232	WaveWindows.exe	CefSharp.BrowserSubprocess.exe
PID 3232 wrote to memory of 1488	3232	WaveWindows.exe	node.exe
PID 3232 wrote to memory of 1488	3232	WaveWindows.exe	node.exe
PID 3232 wrote to memory of 1444	3232	WaveWindows.exe	Bloxstrap.exe
PID 3232 wrote to memory of 1444	3232	WaveWindows.exe	Bloxstrap.exe
PID 3408 wrote to memory of 3120	3408	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3408 wrote to memory of 3120	3408	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3408 wrote to memory of 3120	3408	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3408 wrote to memory of 3120	3408	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3408 wrote to memory of 3120	3408	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3408 wrote to memory of 3120	3408	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3408 wrote to memory of 3120	3408	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3408 wrote to memory of 3120	3408	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3408 wrote to memory of 3120	3408	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3408 wrote to memory of 3120	3408	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 2380 wrote to memory of 4716	2380	browser_broker.exe	windowsdesktop-runtime-6.0.31-win-x64.exe
PID 2380 wrote to memory of 4716	2380	browser_broker.exe	windowsdesktop-runtime-6.0.31-win-x64.exe
PID 2380 wrote to memory of 4716	2380	browser_broker.exe	windowsdesktop-runtime-6.0.31-win-x64.exe
PID 4716 wrote to memory of 2172	4716	windowsdesktop-runtime-6.0.31-win-x64.exe	windowsdesktop-runtime-6.0.31-win-x64.exe
PID 4716 wrote to memory of 2172	4716	windowsdesktop-runtime-6.0.31-win-x64.exe	windowsdesktop-runtime-6.0.31-win-x64.exe
PID 4716 wrote to memory of 2172	4716	windowsdesktop-runtime-6.0.31-win-x64.exe	windowsdesktop-runtime-6.0.31-win-x64.exe
PID 3232 wrote to memory of 3424	3232	WaveWindows.exe	CefSharp.BrowserSubprocess.exe
PID 3232 wrote to memory of 3424	3232	WaveWindows.exe	CefSharp.BrowserSubprocess.exe
PID 3232 wrote to memory of 3424	3232	WaveWindows.exe	CefSharp.BrowserSubprocess.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe
"C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4400

C:\Users\Admin\AppData\Local\Wave\WaveBootstrapper.exe
"C:\Users\Admin\AppData\Local\Wave\WaveBootstrapper.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4084

C:\Users\Admin\AppData\Local\Wave\WaveWindows.exe
"C:\Users\Admin\AppData\Local\Wave\WaveWindows.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks for any installed AV software in registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3232

C:\Users\Admin\AppData\Local\CefSharp\CefSharp.BrowserSubprocess.exe
"C:\Users\Admin\AppData\Local\CefSharp\CefSharp.BrowserSubprocess.exe" --type=gpu-process --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\CefSharp\locales" --resources-dir-path="C:\Users\Admin\AppData\Local\CefSharp" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CefSharp" --cefsharpexitsub --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2032,i,6870843791779545127,4761870422323338963,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI --variations-seed-version --enable-logging=handle --log-file=2096 --mojo-platform-channel-handle=2024 /prefetch:2 --host-process-id=3232
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4872

C:\Users\Admin\AppData\Local\Luau Language Server\node.exe
"C:\Users\Admin\AppData\Local\Luau Language Server\node.exe" server --process-id=3232
4⤵
- Executes dropped EXE
PID:1488

C:\Users\Admin\AppData\Local\CefSharp\CefSharp.BrowserSubprocess.exe
"C:\Users\Admin\AppData\Local\CefSharp\CefSharp.BrowserSubprocess.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\CefSharp\locales" --resources-dir-path="C:\Users\Admin\AppData\Local\CefSharp" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CefSharp" --cefsharpexitsub --field-trial-handle=2636,i,6870843791779545127,4761870422323338963,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI --variations-seed-version --enable-logging=handle --log-file=2640 --mojo-platform-channel-handle=2632 /prefetch:3 --host-process-id=3232
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4472

C:\Users\Admin\AppData\Local\Bloxstrap\Bloxstrap.exe
"C:\Users\Admin\AppData\Local\Bloxstrap\Bloxstrap.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
PID:1444

C:\Users\Admin\AppData\Local\CefSharp\CefSharp.BrowserSubprocess.exe
"C:\Users\Admin\AppData\Local\CefSharp\CefSharp.BrowserSubprocess.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\CefSharp\locales" --resources-dir-path="C:\Users\Admin\AppData\Local\CefSharp" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CefSharp" --cefsharpexitsub --field-trial-handle=3872,i,6870843791779545127,4761870422323338963,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI --variations-seed-version --enable-logging=handle --log-file=4332 --mojo-platform-channel-handle=4336 /prefetch:8 --host-process-id=3232
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3424

C:\Users\Admin\AppData\Local\Wave\WaveBootstrapper.exe
"C:\Users\Admin\AppData\Local\Wave\WaveBootstrapper.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3400

C:\Users\Admin\AppData\Local\Wave\WaveWindows.exe
"C:\Users\Admin\AppData\Local\Wave\WaveWindows.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1544 -s 1040
3⤵
- Program crash
PID:3212

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4728

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:2380

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\windowsdesktop-runtime-6.0.31-win-x64.exe
"C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\windowsdesktop-runtime-6.0.31-win-x64.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4716

C:\Windows\Temp\{19370D63-0C15-4C76-B8A3-97216F3993AE}\.cr\windowsdesktop-runtime-6.0.31-win-x64.exe
"C:\Windows\Temp\{19370D63-0C15-4C76-B8A3-97216F3993AE}\.cr\windowsdesktop-runtime-6.0.31-win-x64.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\windowsdesktop-runtime-6.0.31-win-x64.exe" -burn.filehandle.attached=548 -burn.filehandle.self=544
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2172

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3408

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2468

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:3120

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3232_749162649\LICENSE

Filesize
473B

MD5
f6719687bed7403612eaed0b191eb4a9

SHA1
dd03919750e45507743bd089a659e8efcefa7af1

SHA256
afb514e4269594234b32c873ba2cd3cc8892e836861137b531a40a1232820c59

SHA512
dd14a7eae05d90f35a055a5098d09cd2233d784f6ac228b5927925241689bff828e573b7a90a5196bfdd7aaeecf00f5c94486ad9e3910cfb07475fcfbb7f0d56

Download Submit
C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3232_749162649\manifest.json

Filesize
984B

MD5
0359d5b66d73a97ce5dc9f89ed84c458

SHA1
ce17e52eaac909dd63d16d93410de675d3e6ec0d

SHA256
beeab2f8d3833839399dde15ce9085c17b304445577d21333e883d6db6d0b755

SHA512
8fd94a098a4ab5c0fcd48c2cef2bb03328dd4d25c899bf5ed1ca561347d74a8aab8a214ba2d3180a86df72c52eb26987a44631d0ecd9edc84976c28d6c9dc16a

Download Submit
C:\Users\Admin\AppData\Local\Bloxstrap\Bloxstrap.exe

Filesize
249KB

MD5
772c9fecbd0397f6cfb3d866cf3a5d7d

SHA1
6de3355d866d0627a756d0d4e29318e67650dacf

SHA256
2f88ea7e1183d320fb2b7483de2e860da13dc0c0caaf58f41a888528d78c809f

SHA512
82048bd6e50d38a863379a623b8cfda2d1553d8141923acf13f990c7245c833082523633eaa830362a12bfff300da61b3d8b3cccbe038ce2375fdfbd20dbca31

Download Submit
C:\Users\Admin\AppData\Local\CefSharp\CefSharp.BrowserSubprocess.exe

Filesize
7KB

MD5
516ff62b2e1f4642caa954c0968719e8

SHA1
e349d0ce82e2109dd0d18416d9cf46e8411b7f15

SHA256
19da58849cec5933860116e60a1e94b08e30d90e0f955768270b47998d612045

SHA512
7aa4a0c87b29c2a84f585a884d8208fc2352a43f2cdb549c100e3b121837ad5f8dadb1101f57d1d3fcb7ebec9d9f22e07dc14239b7d2e2d25793c999becf288b

Download Submit
C:\Users\Admin\AppData\Local\CefSharp\LocalPrefs.json

Filesize
643B

MD5
1e756632b73611ced3e48fb5d73c3e99

SHA1
e17b371e2dad970c700512f8da8395b455badad2

SHA256
df0f8488d40f10fae3cb05d60860a613a1f6c911129026a8759d85090ee898b0

SHA512
dda761f25dbad7086fa097690dba6a518c65062b9df05bb47cac1234a52f0bed79aa0bcdfcf4abfdc8738f8c21a3d7f7caa939602d4308d2d23d9245bbf7a939

Download Submit
C:\Users\Admin\AppData\Local\CefSharp\LocalPrefs.json

Filesize
755B

MD5
9ba7c0d9176b164b14ced83740fd2f54

SHA1
4f71f96dc5717948e2e8f90ce38d069c1de27796

SHA256
7b3c4cf434222b4434a10040093c5dbee584351d9afa4b7682ee1dc0b3741743

SHA512
eeafecb17d3d7cd71782279522399744e2c7076cd77dbc1b63311b517e61644f1b0219740b0556ffb68164631585342f3153263c0584f344ee02b21de94fe83d

Download Submit
C:\Users\Admin\AppData\Local\CefSharp\LocalPrefs.json~RFe59482b.TMP

Filesize
434B

MD5
fcc3728b3bbcee1942c219c4b7c4fc2c

SHA1
6e8fa899651d2225ba8aa37afb03128f573dd930

SHA256
839757d77fb91a1fc19f9b14f885afb8868a44e8eebbe374ea801ba913f0d00b

SHA512
a7e4475a2e11c5c64859619e406436f96f7e0714d1ae31c2dd832a1729a2b28b51f51accd0fa0bf427f8bce2244bab4fa92b3ecb36dd722d494e6e4de55ae623

Download Submit
C:\Users\Admin\AppData\Local\CefSharp\chrome_100_percent.pak

Filesize
667KB

MD5
ae195e80859781a20414cf5faa52db06

SHA1
b18ecb5ec141415e3a210880e2b3d37470636485

SHA256
9957802c0792e621f76bbdb1c630fbad519922743b5d193294804164babda552

SHA512
c6fef84615fe20d1760ca496c98629feb4e533556724e9631d4282622748e7601225cf19dfb8351f4b540ae3f83785c1bcea6fe8c246cf70388e527654097c1c

Download Submit
C:\Users\Admin\AppData\Local\CefSharp\chrome_200_percent.pak

Filesize
1.0MB

MD5
1abf6bad0c39d59e541f04162e744224

SHA1
db93c38253338a0b85e431bd4194d9e7bddb22c6

SHA256
01cb663a75f18bb2d0d800640a114f153a34bd8a5f2aa0ed7daa9b32967dc29e

SHA512
945d519221d626421094316f13b818766826b3bedddab0165c041540dddadc93136e32784c0562d26a420cb29479d04d2aa317b8d605cd242e5152bf05af197e

Download Submit
C:\Users\Admin\AppData\Local\CefSharp\icudtl.dat

Filesize
10.2MB

MD5
74bded81ce10a426df54da39cfa132ff

SHA1
eb26bcc7d24be42bd8cfbded53bd62d605989bbf

SHA256
7bf96c193befbf23514401f8f6568076450ade52dd1595b85e4dfcf3de5f6fb9

SHA512
bd7b7b52d31803b2d4b1fd8cb76481931ed8abb98d779b893d3965231177bdd33386461e1a820b384712013904da094e3cd15ee24a679ddc766132677a8be54a

Download Submit
C:\Users\Admin\AppData\Local\CefSharp\locales\en-US.pak

Filesize
456KB

MD5
4430b1833d56bc8eb1f7dc82bb7f4bc9

SHA1
dc15e6306625f155683326e859d83f846153c547

SHA256
b44ddcfac9df4934007e6c55a3c7f5e7f14c7e5e29f35c81de917fc3b22aabbc

SHA512
faf93bf371b2a88c1b874a5e2c54e4487fd152ad19c2a406a46f55ae75ecd421a779888c2e4c170857b16bfb5d8744bc1815a4732ed50b064b3cbd0c5ffad889

Download Submit
C:\Users\Admin\AppData\Local\CefSharp\resources.pak

Filesize
8.0MB

MD5
4933d92c99afa246fc59eef010d5c858

SHA1
98d443654e93c73dd317f9f847f71fba3d5b3135

SHA256
62f4674daa15245ee081920b8ee191e72f36ca8fe24f6b986a832f45676915b2

SHA512
a3a69523c8e7310716daeebc06c2ba4fce673eccd1958e824ff179b82f4502d0ec095190179bbb387342e4150f952ea7533182fb6ba90377d17dafba8f4da623

Download Submit
C:\Users\Admin\AppData\Local\CefSharp\v8_context_snapshot.bin

Filesize
643KB

MD5
28477a60b4fbd51dfef5237245817690

SHA1
b0afd5ea9f9d550124f23c65bc7851ddeffc662f

SHA256
169ea86f544e5cdf2a460675f876a9abb7f56bbe122782e94bb03d624931fc12

SHA512
3520658583bb498d5032a7f7ae77195fd2e5f8ed03c6531e56dee8320d8701102a723766e59f7766ab223f837e65a6d85cf862bb2bef6d2755ce45e672a47b22

Download Submit
C:\Users\Admin\AppData\Local\Luau Language Server\server\index.js

Filesize
6.1MB

MD5
6b1cad741d0b6374435f7e1faa93b5e7

SHA1
7b1957e63c10f4422421245e4dc64074455fd62a

SHA256
6f17add2a8c8c2d9f592adb65d88e08558e25c15cedd82e3f013c8146b5d840f

SHA512
a662fc83536eff797b8d59e2fb4a2fb7cd903be8fc4137de8470b341312534326383bb3af58991628f15f93e3bdd57621622d9d9b634fb5e6e03d4aa06977253

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\WaveBootstrapper.exe.log

Filesize
2KB

MD5
06d130c0479607768c8e7af4f4687094

SHA1
8648ff9b948322f2ac5975a1584289a6db5c49ad

SHA256
f35ffedaffa9044802667fa4149782bb6b28485fe9e4f876293dc6b0fd8931aa

SHA512
b6099ecd7a3b9b150648a00611c2d8a09cdfc23ddb04ea5c815ae177e25120e96d5e3eab0a4cf3d70d02d7866375d1d1ccefb9477baade57265773cec6467acc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\V28C7N3J\edgecompatviewlist[1].xml

Filesize
74KB

MD5
d4fc49dc14f63895d997fa4940f24378

SHA1
3efb1437a7c5e46034147cbbc8db017c69d02c31

SHA256
853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1

SHA512
cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\User\Default\DOMStore\L1R0XQK1\dotnet.microsoft[1].xml

Filesize
13B

MD5
c1ddea3ef6bbef3e7060a1a9ad89e4c5

SHA1
35e3224fcbd3e1af306f2b6a2c6bbea9b0867966

SHA256
b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db

SHA512
6be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\User\Default\DOMStore\L1R0XQK1\dotnet.microsoft[1].xml

Filesize
84B

MD5
4416f3f171e8c99970e5ea1ddbce2d56

SHA1
c898687e958e61f063fd6410dd399675c976ccad

SHA256
907aeb2609114c1f68fd1e03df032902089bfaa7f24989db15dc934dda2348dc

SHA512
29f08a0f30a15a07c95d9f16a3005bab04b3dc34d42e3d3c8d0157ff4b5730b8e7870487e138be9072649fabd959d9506dde5089d5c8c7280a7ed1e7b1a89496

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\1F4F3XWG\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\O0P2OK5N\windowsdesktop-runtime-6.0.31-win-x64[1].exe

Filesize
32KB

MD5
8486c01fc4fdc4345241cb4de27196e9

SHA1
111c24066aba64f272b8e554e737708753fb5aef

SHA256
093833f61cddec748bb15d215ba557a1e857234fc91cb375b9c64e7e895abcd8

SHA512
0ae57914794a39b8329109ef7c949df2136b4366183b44a570f0c7f679de35645538744892316edd0b8918b3334abb5ee075c033bb346b6b2783d991dc2b3c48

Download Submit
C:\Users\Admin\AppData\Local\Wave\D3DCOMPILER_47.dll

Filesize
3.9MB

MD5
3b4647bcb9feb591c2c05d1a606ed988

SHA1
b42c59f96fb069fd49009dfd94550a7764e6c97c

SHA256
35773c397036b368c1e75d4e0d62c36d98139ebe74e42c1ff7be71c6b5a19fd7

SHA512
00cd443b36f53985212ac43b44f56c18bf70e25119bbf9c59d05e2358ff45254b957f1ec63fc70fb57b1726fd8f76ccfad8103c67454b817a4f183f9122e3f50

Download Submit
C:\Users\Admin\AppData\Local\Wave\WaveBootstrapper.exe

Filesize
949KB

MD5
8fb51b92d496c6765f7ba44e6d4a8990

SHA1
d3e5a8465622cd5adae05babeb7e34b2b5c777d7

SHA256
ab49d6166a285b747e5f279620ab9cea12f33f7656d732aa75900fcb981a5394

SHA512
20de93a52fff7b092cb9d77bd26944abed5f5cb67146e6d2d70be6a431283b6de52eb37a0e13dc8bc57dcf8be2d5a95b9c11b3b030a3e2f03dd6e4efc23527a6

Download Submit
C:\Users\Admin\AppData\Local\Wave\WaveWindows.exe

Filesize
7.5MB

MD5
521e21ad5cd0137689bbde63f2729873

SHA1
a2333d3c6ad72680b568b56d7061b0aee5aa3e3d

SHA256
a632148f833a0c6ba79160f401aa614ae3d6aafe096abbffdabe046d3d712355

SHA512
2f77c2820ad24489d76547ba1a709e83395639ff9e1864d141b26e19834c245691bfd92a92047673da15517799ea0e3f17396c6a79d571bb0eee3636bfd8ed60

Download Submit
C:\Users\Admin\Desktop\SetMove.wmf

Filesize
383KB

MD5
68c409450ff2f4b13df9eaf8e2b53af5

SHA1
d0a9939f7fa4eca76a7324a6e47ed698836a5c39

SHA256
9b1ade062d09f427e2148b9b7b4ae74bcb7c857bd48be74df967744074043108

SHA512
c0de12607e10289c3fd7b06282ed15df91996298da3282982ce63629f5f1375e033d22828e5f34ce6a30be903cbf4fba6e6b892f4069b259c4e908a176fb187b

Download Submit
C:\Windows\Temp\{19370D63-0C15-4C76-B8A3-97216F3993AE}\.cr\windowsdesktop-runtime-6.0.31-win-x64.exe

Filesize
636KB

MD5
7dfa2d16780a7dc5976dc9503ef132b7

SHA1
d744c2bbd0f0f489a559d7376e4294589cedf8ad

SHA256
2551b141649dbd49ac35abf4ad54240abb88f97f488788aae33ec9cc06d5f065

SHA512
3f2fb1afb3899a234e05d819eda4395318a8cd3e043ca2a8dd895763e5076ab4798d3a202db8fa99c228baf72728b4618b74869f5f241fc5305a603339052112

Download Submit
C:\Windows\Temp\{39FE49A3-F79C-4524-B18A-2D3329CE6423}\.ba\bg.png

Filesize
4KB

MD5
9eb0320dfbf2bd541e6a55c01ddc9f20

SHA1
eb282a66d29594346531b1ff886d455e1dcd6d99

SHA256
9095bf7b6baa0107b40a4a6d727215be077133a190f4ca9bd89a176842141e79

SHA512
9ada3a1757a493fbb004bd767fab8f77430af69d71479f340b8b8ede904cc94cd733700db593a4a2d2e1184c0081fd0648318d867128e1cb461021314990931d

Download Submit
\Users\Admin\AppData\Local\CefSharp\CefSharp.BrowserSubprocess.Core.dll

Filesize
915KB

MD5
100c32f77e68a2ce962e1a28997567ea

SHA1
a80a1f4019b8d44df6b5833fb0c51b929fa79843

SHA256
c0b9e29b240d8328f2f9a29ca0298ca4d967a926f3174a3442c3730c00d5a926

SHA512
f95530ef439fa5c4e3bc02db249b6a76e9d56849816ead83c9cd9bcd49d3443ccb88651d829165c98a67af40b3ef02b922971114f29c5c735e662ca35c0fb6ed

Download Submit
\Users\Admin\AppData\Local\CefSharp\CefSharp.dll

Filesize
272KB

MD5
9ca06a8f9e5f7239ca225ab810274023

SHA1
e1a219f567a7b7d3af9386df51b14c76e769c044

SHA256
5fd00ae3e83e6ca156647ff6df87b49ffc7cad47c23fe3ae07c067c5adf6f74a

SHA512
430c9bceed5439b987d5bd4840cfe32411ca61594f18597aca1948aa39a22c9d70beadf3bb9b1dd0373f81a94a25dcba17fa8e8c73abf06cba28d0971d5614c5

Download Submit
\Users\Admin\AppData\Local\CefSharp\chrome_elf.dll

Filesize
1020KB

MD5
7191d97ce7886a1a93a013e90868db96

SHA1
52dd736cb589dd1def87130893d6b9449a6a36e3

SHA256
32f925f833aa59e3f05322549fc3c326ac6fc604358f4efbf94c59d5c08b8dc6

SHA512
38ebb62c34d466935eabb157197c7c364d4345f22aa3b2641b636196ca1aeaa2152ac75d613ff90817cb94825189612ddd12fb96df29469511a46a7d9620e724

Download Submit
\Users\Admin\AppData\Local\CefSharp\libEGL.dll

Filesize
359KB

MD5
7dd6b0e4a31d35a0fae5ff425707073c

SHA1
fbd12e9f8e2252c52ce555c2ebbd7f07e62a0140

SHA256
8762d8001fc3ddd90e3129dfea172817e8d09b9936eaae391957de4326c8c906

SHA512
726968df6b83ab5f589276672250d92f532fe2dcea2176e42031a7f1dcecf578b0320cfe2a7d88bb9883ad99387d71c6ebf1e9968272bb5e62850ef09abd2648

Download Submit
\Users\Admin\AppData\Local\CefSharp\libGLESv2.dll

Filesize
6.6MB

MD5
8803db5b167fb5a5f8a8c595c4e4d7c6

SHA1
7fde861151f3bea66c65b6c2487a30728048811a

SHA256
52a58d25a41f4bd31cdb4a0d306217862e04ebf7c1925cc85330054a5523d719

SHA512
2fa9a0eda221982896e41eb387b5e156198615ac1a1fbac0acffd13008919368b41a240df416c1fce2e48c20a14cd7af7cca9fba476ada5e64a0cadde84a44b7

Download Submit
\Users\Admin\AppData\Local\CefSharp\vk_swiftshader.dll

Filesize
4.4MB

MD5
0ec149455727ace9acc09b3ba2c3a2b2

SHA1
6eeb990876cef6a34115b67f3190255db589f723

SHA256
e2d8ef53897e864b5b66bc73606681c99461798a9f4c1e13ca5cef7bc774d7fd

SHA512
c8eaa598c9439b1f2375fdac1f58896853510bddbd640707b9142c0d3793836120b28d7c2bd0407f0d5656dd19f14b312f37b7ac0165c9cc8b4c1a0f2af62531

Download Submit
\Users\Admin\AppData\Local\Wave\CefSharp.Core.Runtime.dll

Filesize
1.3MB

MD5
09cba584aa0aae9fc600745567393ef6

SHA1
bbd1f93cb0db9cf9e01071b3bed1b4afd6e31279

SHA256
0babd84d4e7dc2713e7265d5ac25a3c28d412e705870cded6f5c7c550a5bf8d5

SHA512
5f914fa33a63a6d4b46f39c7279687f313728fd5f8437ec592369a2da3256ccff6f325f78ace0e6d3a2c37da1f681058556f7603da13c45b03f2808f779d2aa1

Download Submit
memory/1544-272-0x0000000005C60000-0x0000000005CD6000-memory.dmp

Filesize
472KB

Download
memory/2468-384-0x0000023570100000-0x0000023570200000-memory.dmp

Filesize
1024KB

Download
memory/3120-685-0x000001B8392C0000-0x000001B8392E0000-memory.dmp

Filesize
128KB

Download
memory/3120-403-0x000001B821EC0000-0x000001B821EC2000-memory.dmp

Filesize
8KB

Download
memory/3120-400-0x000001B821E90000-0x000001B821E92000-memory.dmp

Filesize
8KB

Download
memory/3120-405-0x000001B821EE0000-0x000001B821EE2000-memory.dmp

Filesize
8KB

Download
memory/3120-677-0x000001B838D00000-0x000001B838D02000-memory.dmp

Filesize
8KB

Download
memory/3120-505-0x000001B8381E0000-0x000001B8381E2000-memory.dmp

Filesize
8KB

Download
memory/3120-614-0x000001B8335A0000-0x000001B8335C0000-memory.dmp

Filesize
128KB

Download
memory/3120-507-0x000001B8384D0000-0x000001B8384D2000-memory.dmp

Filesize
8KB

Download
memory/3120-509-0x000001B8384F0000-0x000001B8384F2000-memory.dmp

Filesize
8KB

Download
memory/3120-513-0x000001B838620000-0x000001B838622000-memory.dmp

Filesize
8KB

Download
memory/3120-503-0x000001B8381C0000-0x000001B8381C2000-memory.dmp

Filesize
8KB

Download
memory/3120-511-0x000001B838600000-0x000001B838602000-memory.dmp

Filesize
8KB

Download
memory/3120-546-0x000001B822740000-0x000001B822840000-memory.dmp

Filesize
1024KB

Download
memory/3120-615-0x000001B8335E0000-0x000001B833600000-memory.dmp

Filesize
128KB

Download
memory/3120-583-0x000001B8337E0000-0x000001B8338E0000-memory.dmp

Filesize
1024KB

Download
memory/3232-263-0x00000000063F0000-0x000000000654B000-memory.dmp

Filesize
1.4MB

Download
memory/3232-252-0x00000000009A0000-0x000000000112C000-memory.dmp

Filesize
7.5MB

Download
memory/3232-254-0x00000000059F0000-0x0000000005A14000-memory.dmp

Filesize
144KB

Download
memory/3232-788-0x0000000001500000-0x0000000001538000-memory.dmp

Filesize
224KB

Download
memory/3232-322-0x000000000D930000-0x000000000D9E2000-memory.dmp

Filesize
712KB

Download
memory/3232-789-0x0000000005F10000-0x0000000005FB0000-memory.dmp

Filesize
640KB

Download
memory/3232-330-0x000000000A310000-0x000000000A332000-memory.dmp

Filesize
136KB

Download
memory/3232-331-0x000000000FC10000-0x000000000FF60000-memory.dmp

Filesize
3.3MB

Download
memory/3232-790-0x0000000011960000-0x0000000011E8C000-memory.dmp

Filesize
5.2MB

Download
memory/3232-253-0x0000000005B60000-0x0000000005BAA000-memory.dmp

Filesize
296KB

Download
memory/3232-255-0x0000000006090000-0x0000000006176000-memory.dmp

Filesize
920KB

Download
memory/4084-240-0x000000000A360000-0x000000000A376000-memory.dmp

Filesize
88KB

Download
memory/4084-242-0x000000000A3E0000-0x000000000A3E8000-memory.dmp

Filesize
32KB

Download
memory/4084-235-0x0000000073AA0000-0x000000007418E000-memory.dmp

Filesize
6.9MB

Download
memory/4084-234-0x0000000000EA0000-0x0000000000F92000-memory.dmp

Filesize
968KB

Download
memory/4084-236-0x0000000073AA0000-0x000000007418E000-memory.dmp

Filesize
6.9MB

Download
memory/4084-239-0x0000000009630000-0x0000000009734000-memory.dmp

Filesize
1.0MB

Download
memory/4084-241-0x000000000A3A0000-0x000000000A3AA000-memory.dmp

Filesize
40KB

Download
memory/4084-251-0x0000000073AA0000-0x000000007418E000-memory.dmp

Filesize
6.9MB

Download
memory/4084-243-0x000000000A430000-0x000000000A44E000-memory.dmp

Filesize
120KB

Download
memory/4400-23-0x00000000056D0000-0x00000000056DA000-memory.dmp

Filesize
40KB

Download
memory/4400-22-0x00000000056C0000-0x00000000056CA000-memory.dmp

Filesize
40KB

Download
memory/4400-0-0x0000000073AAE000-0x0000000073AAF000-memory.dmp

Filesize
4KB

Download
memory/4400-1-0x0000000000170000-0x0000000000302000-memory.dmp

Filesize
1.6MB

Download
memory/4400-238-0x0000000073AA0000-0x000000007418E000-memory.dmp

Filesize
6.9MB

Download
memory/4400-2-0x0000000073AA0000-0x000000007418E000-memory.dmp

Filesize
6.9MB

Download
memory/4400-4-0x0000000073AA0000-0x000000007418E000-memory.dmp

Filesize
6.9MB

Download
memory/4400-3-0x0000000009310000-0x0000000009348000-memory.dmp

Filesize
224KB

Download
memory/4400-5-0x0000000073AA0000-0x000000007418E000-memory.dmp

Filesize
6.9MB

Download
memory/4400-6-0x0000000073AAE000-0x0000000073AAF000-memory.dmp

Filesize
4KB

Download
memory/4400-21-0x000000000A3A0000-0x000000000A412000-memory.dmp

Filesize
456KB

Download
memory/4400-19-0x0000000005600000-0x0000000005608000-memory.dmp

Filesize
32KB

Download
memory/4400-18-0x00000000055B0000-0x00000000055D6000-memory.dmp

Filesize
152KB

Download
memory/4400-17-0x0000000008BF0000-0x0000000008C86000-memory.dmp

Filesize
600KB

Download
memory/4400-10-0x0000000073AA0000-0x000000007418E000-memory.dmp

Filesize
6.9MB

Download
memory/4400-9-0x0000000073AA0000-0x000000007418E000-memory.dmp

Filesize
6.9MB

Download
memory/4400-7-0x0000000073AA0000-0x000000007418E000-memory.dmp

Filesize
6.9MB

Download
memory/4728-339-0x000001A90FE20000-0x000001A90FE30000-memory.dmp

Filesize
64KB

Download
memory/4728-374-0x000001A90D220000-0x000001A90D222000-memory.dmp

Filesize
8KB

Download
memory/4728-808-0x000001A9165F0000-0x000001A9165F1000-memory.dmp

Filesize
4KB

Download
memory/4728-807-0x000001A9165E0000-0x000001A9165E1000-memory.dmp

Filesize
4KB

Download
memory/4728-355-0x000001A90FF20000-0x000001A90FF30000-memory.dmp

Filesize
64KB

Download
memory/4872-285-0x0000000004970000-0x0000000004A5A000-memory.dmp

Filesize
936KB

Download
memory/4872-281-0x00000000002D0000-0x00000000002D8000-memory.dmp

Filesize
32KB

Download
memory/4872-292-0x0000000004C00000-0x0000000004C4A000-memory.dmp

Filesize
296KB

Download