hxxps://drive[.]google[.]com/file/d/1_RVEpnP7H-42DnsVPNVej8iVxQerIpm0/view?usp=sharing

Analysis

max time kernel
1049s
max time network
1046s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
30-07-2024 13:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/1_RVEpnP7H-42DnsVPNVej8iVxQerIpm0/view?usp=sharing

Score

9^/10

discovery evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	wave_bypass.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	wave_bypass.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	wave_bypass.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	wave_bypass.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	wave_bypass.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	wave_bypass.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	wave_bypass.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	wave_bypass.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	wave_bypass.exe

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	WaveBootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	WaveWindows.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	node.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	CefSharp.BrowserSubprocess.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	CefSharp.BrowserSubprocess.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	Bloxstrap.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	WaveInstaller (5).exe

Executes dropped EXE 16 IoCs

pid	Process
5820	WaveInstaller (5).exe
4296	WaveBootstrapper.exe
3324	WaveWindows.exe
5284	node.exe
4524	CefSharp.BrowserSubprocess.exe
6140	CefSharp.BrowserSubprocess.exe
4472	CefSharp.BrowserSubprocess.exe
1536	CefSharp.BrowserSubprocess.exe
5372	CefSharp.BrowserSubprocess.exe
3924	wave-luau.exe
1976	wave_bypass.exe
4756	Bloxstrap.exe
2520	wave_bypass.exe
5576	CefSharp.BrowserSubprocess.exe
1464	CefSharp.BrowserSubprocess.exe
2036	wave_bypass.exe

Loads dropped DLL 64 IoCs

pid	Process
4296	WaveBootstrapper.exe
3324	WaveWindows.exe
3324	WaveWindows.exe
3324	WaveWindows.exe
3324	WaveWindows.exe
3324	WaveWindows.exe
3324	WaveWindows.exe
3324	WaveWindows.exe
3324	WaveWindows.exe
3324	WaveWindows.exe
3324	WaveWindows.exe
3324	WaveWindows.exe
3324	WaveWindows.exe
4524	CefSharp.BrowserSubprocess.exe
4524	CefSharp.BrowserSubprocess.exe
4524	CefSharp.BrowserSubprocess.exe
4524	CefSharp.BrowserSubprocess.exe
4524	CefSharp.BrowserSubprocess.exe
4524	CefSharp.BrowserSubprocess.exe
4524	CefSharp.BrowserSubprocess.exe
6140	CefSharp.BrowserSubprocess.exe
6140	CefSharp.BrowserSubprocess.exe
6140	CefSharp.BrowserSubprocess.exe
6140	CefSharp.BrowserSubprocess.exe
6140	CefSharp.BrowserSubprocess.exe
4472	CefSharp.BrowserSubprocess.exe
4472	CefSharp.BrowserSubprocess.exe
4472	CefSharp.BrowserSubprocess.exe
4472	CefSharp.BrowserSubprocess.exe
6140	CefSharp.BrowserSubprocess.exe
6140	CefSharp.BrowserSubprocess.exe
4472	CefSharp.BrowserSubprocess.exe
4472	CefSharp.BrowserSubprocess.exe
4472	CefSharp.BrowserSubprocess.exe
1536	CefSharp.BrowserSubprocess.exe
1536	CefSharp.BrowserSubprocess.exe
4524	CefSharp.BrowserSubprocess.exe
4524	CefSharp.BrowserSubprocess.exe
4524	CefSharp.BrowserSubprocess.exe
1536	CefSharp.BrowserSubprocess.exe
1536	CefSharp.BrowserSubprocess.exe
1536	CefSharp.BrowserSubprocess.exe
4524	CefSharp.BrowserSubprocess.exe
1536	CefSharp.BrowserSubprocess.exe
1536	CefSharp.BrowserSubprocess.exe
5372	CefSharp.BrowserSubprocess.exe
5372	CefSharp.BrowserSubprocess.exe
5372	CefSharp.BrowserSubprocess.exe
5372	CefSharp.BrowserSubprocess.exe
5372	CefSharp.BrowserSubprocess.exe
5372	CefSharp.BrowserSubprocess.exe
5372	CefSharp.BrowserSubprocess.exe
1976	wave_bypass.exe
1976	wave_bypass.exe
1976	wave_bypass.exe
1976	wave_bypass.exe
1976	wave_bypass.exe
1976	wave_bypass.exe
2520	wave_bypass.exe
2520	wave_bypass.exe
5576	CefSharp.BrowserSubprocess.exe
5576	CefSharp.BrowserSubprocess.exe
5576	CefSharp.BrowserSubprocess.exe
5576	CefSharp.BrowserSubprocess.exe

Themida packer 10 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/1976-616-0x0000000140000000-0x0000000144C21000-memory.dmp	themida
behavioral1/memory/1976-626-0x0000000140000000-0x0000000144C21000-memory.dmp	themida
behavioral1/memory/1976-625-0x0000000140000000-0x0000000144C21000-memory.dmp	themida
behavioral1/memory/1976-627-0x0000000140000000-0x0000000144C21000-memory.dmp	themida
behavioral1/memory/1976-628-0x0000000140000000-0x0000000144C21000-memory.dmp	themida
behavioral1/memory/1976-643-0x0000000140000000-0x0000000144C21000-memory.dmp	themida
behavioral1/memory/1976-654-0x0000000140000000-0x0000000144C21000-memory.dmp	themida
behavioral1/memory/1976-657-0x0000000140000000-0x0000000144C21000-memory.dmp	themida
behavioral1/memory/1976-782-0x0000000140000000-0x0000000144C21000-memory.dmp	themida
behavioral1/memory/1976-919-0x0000000140000000-0x0000000144C21000-memory.dmp	themida

Checks for any installed AV software in registry 1 TTPs 29 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\KasperskyLab\LastUsername	WaveWindows.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\KasperskyLab\RefreshRate = "60"	WaveWindows.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\KasperskyLab\FontSize	WaveWindows.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\KasperskyLab\SendCurrentDocument = "1"	WaveWindows.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\KasperskyLab\Session	WaveWindows.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\KasperskyLab\ContinueOnStartUp	WaveWindows.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\KasperskyLab\TopMost = "0"	WaveWindows.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\KasperskyLab\RedirectCompilerError	WaveWindows.exe
Key created	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Software\KasperskyLab	WaveWindows.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\KasperskyLab\Session = "Bearer b5c68457-df7d-4dee-9788-b53e89c25fe5"	WaveWindows.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\KasperskyLab\TopMost	WaveWindows.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\KasperskyLab\UsePerformanceMode = "0"	WaveWindows.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\KasperskyLab\FontSize = "14"	WaveWindows.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\KasperskyLab\Minimap = "0"	WaveWindows.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\KasperskyLab\InlayHints	WaveWindows.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\KasperskyLab\SendCurrentDocument	WaveWindows.exe
Key opened	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Software\KasperskyLab	WaveWindows.exe
Key queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\KasperskyLab	WaveWindows.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\KasperskyLab\RedirectCompilerError = "1"	WaveWindows.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\KasperskyLab\UsePerformanceMode	WaveWindows.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\KasperskyLab\Minimap	WaveWindows.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\KasperskyLab\FirstHash	WaveWindows.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\KasperskyLab\RefreshRate	WaveWindows.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\KasperskyLab\SecondHash	WaveWindows.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\KasperskyLab\FirstHash = "\"cad1a09ebb8ec6983968373e739268b4-2\""	WaveWindows.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\KasperskyLab\SecondHash = "\"a625cdef16860630acdae42d81b038aa\""	WaveWindows.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\KasperskyLab\LastUsername = "5wzx22"	WaveWindows.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\KasperskyLab\ContinueOnStartUp = "0"	WaveWindows.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\KasperskyLab\InlayHints = "1"	WaveWindows.exe

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wave_bypass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wave_bypass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wave_bypass.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\M:	WaveWindows.exe
File opened (read-only)	\??\S:	WaveWindows.exe
File opened (read-only)	\??\V:	WaveWindows.exe
File opened (read-only)	\??\Z:	WaveWindows.exe
File opened (read-only)	\??\B:	WaveWindows.exe
File opened (read-only)	\??\E:	WaveWindows.exe
File opened (read-only)	\??\G:	WaveWindows.exe
File opened (read-only)	\??\H:	WaveWindows.exe
File opened (read-only)	\??\J:	WaveWindows.exe
File opened (read-only)	\??\L:	WaveWindows.exe
File opened (read-only)	\??\O:	WaveWindows.exe
File opened (read-only)	\??\U:	WaveWindows.exe
File opened (read-only)	\??\A:	WaveWindows.exe
File opened (read-only)	\??\X:	WaveWindows.exe
File opened (read-only)	\??\W:	WaveWindows.exe
File opened (read-only)	\??\K:	WaveWindows.exe
File opened (read-only)	\??\N:	WaveWindows.exe
File opened (read-only)	\??\R:	WaveWindows.exe
File opened (read-only)	\??\T:	WaveWindows.exe
File opened (read-only)	\??\I:	WaveWindows.exe
File opened (read-only)	\??\Q:	WaveWindows.exe
File opened (read-only)	\??\Y:	WaveWindows.exe
File opened (read-only)	\??\P:	WaveWindows.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs

Web Service

T1102

flow	ioc
180	raw.githubusercontent.com
181	raw.githubusercontent.com
5	drive.google.com
10	drive.google.com
160	raw.githubusercontent.com
161	raw.githubusercontent.com
178	raw.githubusercontent.com
179	raw.githubusercontent.com

Network Service Discovery 1 TTPs 7 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
5576	CefSharp.BrowserSubprocess.exe
1464	CefSharp.BrowserSubprocess.exe
4524	CefSharp.BrowserSubprocess.exe
1536	CefSharp.BrowserSubprocess.exe
5372	CefSharp.BrowserSubprocess.exe
4472	CefSharp.BrowserSubprocess.exe
6140	CefSharp.BrowserSubprocess.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
1976	wave_bypass.exe
2520	wave_bypass.exe
2036	wave_bypass.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3324_1665775005\manifest.fingerprint	WaveWindows.exe
File created	C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3324_1665775005\_platform_specific\win_x86\widevinecdm.dll.sig	WaveWindows.exe
File created	C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3324_1665775005\_platform_specific\win_x86\widevinecdm.dll	WaveWindows.exe
File created	C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3324_1665775005\LICENSE	WaveWindows.exe
File created	C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3324_1665775005\manifest.json	WaveWindows.exe
File created	C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3324_1665775005\_metadata\verified_contents.json	WaveWindows.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CefSharp.BrowserSubprocess.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CefSharp.BrowserSubprocess.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CefSharp.BrowserSubprocess.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CefSharp.BrowserSubprocess.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CefSharp.BrowserSubprocess.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaveInstaller (5).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaveBootstrapper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaveWindows.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CefSharp.BrowserSubprocess.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CefSharp.BrowserSubprocess.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1750093773-264148664-1320403265-1000\{AC2714DC-65B2-4632-BE2E-243C623265B2}	WaveWindows.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
1256	msedge.exe
1256	msedge.exe
3028	msedge.exe
3028	msedge.exe
3912	identity_helper.exe
3912	identity_helper.exe
5584	msedge.exe
5584	msedge.exe
3324	WaveWindows.exe
3324	WaveWindows.exe
4524	CefSharp.BrowserSubprocess.exe
4524	CefSharp.BrowserSubprocess.exe
4472	CefSharp.BrowserSubprocess.exe
4472	CefSharp.BrowserSubprocess.exe
6140	CefSharp.BrowserSubprocess.exe
6140	CefSharp.BrowserSubprocess.exe
1536	CefSharp.BrowserSubprocess.exe
1536	CefSharp.BrowserSubprocess.exe
5372	CefSharp.BrowserSubprocess.exe
5372	CefSharp.BrowserSubprocess.exe
3064	msedge.exe
3064	msedge.exe
3244	msedge.exe
3244	msedge.exe
3324	WaveWindows.exe
3324	WaveWindows.exe
5576	CefSharp.BrowserSubprocess.exe
5576	CefSharp.BrowserSubprocess.exe
1464	CefSharp.BrowserSubprocess.exe
1464	CefSharp.BrowserSubprocess.exe
1464	CefSharp.BrowserSubprocess.exe
1464	CefSharp.BrowserSubprocess.exe
2064	msedge.exe
2064	msedge.exe
5616	msedge.exe
5616	msedge.exe
5616	msedge.exe
4280	identity_helper.exe
4280	identity_helper.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5872	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs

pid	Process
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3244	msedge.exe
3244	msedge.exe
5616	msedge.exe
5616	msedge.exe
5616	msedge.exe
5616	msedge.exe
5616	msedge.exe
5616	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	5872	7zFM.exe
Token: 35	5872	7zFM.exe
Token: SeSecurityPrivilege	5872	7zFM.exe
Token: SeDebugPrivilege	5820	WaveInstaller (5).exe
Token: SeDebugPrivilege	4296	WaveBootstrapper.exe
Token: SeDebugPrivilege	3324	WaveWindows.exe
Token: SeShutdownPrivilege	3324	WaveWindows.exe
Token: SeCreatePagefilePrivilege	3324	WaveWindows.exe
Token: SeShutdownPrivilege	3324	WaveWindows.exe
Token: SeCreatePagefilePrivilege	3324	WaveWindows.exe
Token: 33	2508	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2508	AUDIODG.EXE
Token: 33	3324	WaveWindows.exe
Token: SeIncBasePriorityPrivilege	3324	WaveWindows.exe
Token: SeShutdownPrivilege	3324	WaveWindows.exe
Token: SeCreatePagefilePrivilege	3324	WaveWindows.exe
Token: SeShutdownPrivilege	3324	WaveWindows.exe
Token: SeCreatePagefilePrivilege	3324	WaveWindows.exe
Token: SeShutdownPrivilege	3324	WaveWindows.exe
Token: SeCreatePagefilePrivilege	3324	WaveWindows.exe
Token: SeDebugPrivilege	4524	CefSharp.BrowserSubprocess.exe
Token: SeDebugPrivilege	4472	CefSharp.BrowserSubprocess.exe
Token: SeDebugPrivilege	6140	CefSharp.BrowserSubprocess.exe
Token: SeShutdownPrivilege	3324	WaveWindows.exe
Token: SeCreatePagefilePrivilege	3324	WaveWindows.exe
Token: SeDebugPrivilege	1536	CefSharp.BrowserSubprocess.exe
Token: SeShutdownPrivilege	3324	WaveWindows.exe
Token: SeCreatePagefilePrivilege	3324	WaveWindows.exe
Token: SeDebugPrivilege	5372	CefSharp.BrowserSubprocess.exe
Token: SeShutdownPrivilege	3324	WaveWindows.exe
Token: SeCreatePagefilePrivilege	3324	WaveWindows.exe
Token: SeShutdownPrivilege	3324	WaveWindows.exe
Token: SeCreatePagefilePrivilege	3324	WaveWindows.exe
Token: SeShutdownPrivilege	3324	WaveWindows.exe
Token: SeCreatePagefilePrivilege	3324	WaveWindows.exe
Token: SeShutdownPrivilege	3324	WaveWindows.exe
Token: SeCreatePagefilePrivilege	3324	WaveWindows.exe
Token: SeShutdownPrivilege	3324	WaveWindows.exe
Token: SeCreatePagefilePrivilege	3324	WaveWindows.exe
Token: SeShutdownPrivilege	3324	WaveWindows.exe
Token: SeCreatePagefilePrivilege	3324	WaveWindows.exe
Token: SeShutdownPrivilege	3324	WaveWindows.exe
Token: SeCreatePagefilePrivilege	3324	WaveWindows.exe
Token: SeShutdownPrivilege	3324	WaveWindows.exe
Token: SeCreatePagefilePrivilege	3324	WaveWindows.exe
Token: SeShutdownPrivilege	3324	WaveWindows.exe
Token: SeCreatePagefilePrivilege	3324	WaveWindows.exe
Token: SeShutdownPrivilege	3324	WaveWindows.exe
Token: SeCreatePagefilePrivilege	3324	WaveWindows.exe
Token: SeShutdownPrivilege	3324	WaveWindows.exe
Token: SeCreatePagefilePrivilege	3324	WaveWindows.exe
Token: SeShutdownPrivilege	3324	WaveWindows.exe
Token: SeCreatePagefilePrivilege	3324	WaveWindows.exe
Token: SeShutdownPrivilege	3324	WaveWindows.exe
Token: SeCreatePagefilePrivilege	3324	WaveWindows.exe
Token: SeShutdownPrivilege	3324	WaveWindows.exe
Token: SeCreatePagefilePrivilege	3324	WaveWindows.exe
Token: SeShutdownPrivilege	3324	WaveWindows.exe
Token: SeCreatePagefilePrivilege	3324	WaveWindows.exe
Token: SeShutdownPrivilege	3324	WaveWindows.exe
Token: SeCreatePagefilePrivilege	3324	WaveWindows.exe
Token: SeShutdownPrivilege	3324	WaveWindows.exe
Token: SeCreatePagefilePrivilege	3324	WaveWindows.exe
Token: SeShutdownPrivilege	3324	WaveWindows.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
5872	7zFM.exe
3028	msedge.exe
5872	7zFM.exe
3244	msedge.exe
3244	msedge.exe
3244	msedge.exe
3244	msedge.exe
3244	msedge.exe
3244	msedge.exe
3244	msedge.exe
3244	msedge.exe
3244	msedge.exe
3244	msedge.exe
3244	msedge.exe
3244	msedge.exe
3244	msedge.exe
3244	msedge.exe
3244	msedge.exe
3244	msedge.exe
3244	msedge.exe
3244	msedge.exe
3244	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3244	msedge.exe
3244	msedge.exe
3244	msedge.exe
3244	msedge.exe
3244	msedge.exe
3244	msedge.exe
3244	msedge.exe
3244	msedge.exe
3244	msedge.exe
3244	msedge.exe
3244	msedge.exe
3244	msedge.exe
3244	msedge.exe
3244	msedge.exe
3244	msedge.exe
3244	msedge.exe
3244	msedge.exe
3244	msedge.exe
3244	msedge.exe
3244	msedge.exe
3244	msedge.exe
3244	msedge.exe
3244	msedge.exe
3244	msedge.exe
5616	msedge.exe
5616	msedge.exe
5616	msedge.exe
5616	msedge.exe
5616	msedge.exe
5616	msedge.exe
5616	msedge.exe
5616	msedge.exe
5616	msedge.exe
5616	msedge.exe
5616	msedge.exe
5616	msedge.exe
5616	msedge.exe
5616	msedge.exe
5616	msedge.exe
5616	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
5284	node.exe
4756	Bloxstrap.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 1676	3028	msedge.exe	84
PID 3028 wrote to memory of 1676	3028	msedge.exe	84
PID 3028 wrote to memory of 2400	3028	msedge.exe	85
PID 3028 wrote to memory of 2400	3028	msedge.exe	85
PID 3028 wrote to memory of 2400	3028	msedge.exe	85
PID 3028 wrote to memory of 2400	3028	msedge.exe	85
PID 3028 wrote to memory of 2400	3028	msedge.exe	85
PID 3028 wrote to memory of 2400	3028	msedge.exe	85
PID 3028 wrote to memory of 2400	3028	msedge.exe	85
PID 3028 wrote to memory of 2400	3028	msedge.exe	85
PID 3028 wrote to memory of 2400	3028	msedge.exe	85
PID 3028 wrote to memory of 2400	3028	msedge.exe	85
PID 3028 wrote to memory of 2400	3028	msedge.exe	85
PID 3028 wrote to memory of 2400	3028	msedge.exe	85
PID 3028 wrote to memory of 2400	3028	msedge.exe	85
PID 3028 wrote to memory of 2400	3028	msedge.exe	85
PID 3028 wrote to memory of 2400	3028	msedge.exe	85
PID 3028 wrote to memory of 2400	3028	msedge.exe	85
PID 3028 wrote to memory of 2400	3028	msedge.exe	85
PID 3028 wrote to memory of 2400	3028	msedge.exe	85
PID 3028 wrote to memory of 2400	3028	msedge.exe	85
PID 3028 wrote to memory of 2400	3028	msedge.exe	85
PID 3028 wrote to memory of 2400	3028	msedge.exe	85
PID 3028 wrote to memory of 2400	3028	msedge.exe	85
PID 3028 wrote to memory of 2400	3028	msedge.exe	85
PID 3028 wrote to memory of 2400	3028	msedge.exe	85
PID 3028 wrote to memory of 2400	3028	msedge.exe	85
PID 3028 wrote to memory of 2400	3028	msedge.exe	85
PID 3028 wrote to memory of 2400	3028	msedge.exe	85
PID 3028 wrote to memory of 2400	3028	msedge.exe	85
PID 3028 wrote to memory of 2400	3028	msedge.exe	85
PID 3028 wrote to memory of 2400	3028	msedge.exe	85
PID 3028 wrote to memory of 2400	3028	msedge.exe	85
PID 3028 wrote to memory of 2400	3028	msedge.exe	85
PID 3028 wrote to memory of 2400	3028	msedge.exe	85
PID 3028 wrote to memory of 2400	3028	msedge.exe	85
PID 3028 wrote to memory of 2400	3028	msedge.exe	85
PID 3028 wrote to memory of 2400	3028	msedge.exe	85
PID 3028 wrote to memory of 2400	3028	msedge.exe	85
PID 3028 wrote to memory of 2400	3028	msedge.exe	85
PID 3028 wrote to memory of 2400	3028	msedge.exe	85
PID 3028 wrote to memory of 2400	3028	msedge.exe	85
PID 3028 wrote to memory of 1256	3028	msedge.exe	86
PID 3028 wrote to memory of 1256	3028	msedge.exe	86
PID 3028 wrote to memory of 5036	3028	msedge.exe	87
PID 3028 wrote to memory of 5036	3028	msedge.exe	87
PID 3028 wrote to memory of 5036	3028	msedge.exe	87
PID 3028 wrote to memory of 5036	3028	msedge.exe	87
PID 3028 wrote to memory of 5036	3028	msedge.exe	87
PID 3028 wrote to memory of 5036	3028	msedge.exe	87
PID 3028 wrote to memory of 5036	3028	msedge.exe	87
PID 3028 wrote to memory of 5036	3028	msedge.exe	87
PID 3028 wrote to memory of 5036	3028	msedge.exe	87
PID 3028 wrote to memory of 5036	3028	msedge.exe	87
PID 3028 wrote to memory of 5036	3028	msedge.exe	87
PID 3028 wrote to memory of 5036	3028	msedge.exe	87
PID 3028 wrote to memory of 5036	3028	msedge.exe	87
PID 3028 wrote to memory of 5036	3028	msedge.exe	87
PID 3028 wrote to memory of 5036	3028	msedge.exe	87
PID 3028 wrote to memory of 5036	3028	msedge.exe	87
PID 3028 wrote to memory of 5036	3028	msedge.exe	87
PID 3028 wrote to memory of 5036	3028	msedge.exe	87
PID 3028 wrote to memory of 5036	3028	msedge.exe	87
PID 3028 wrote to memory of 5036	3028	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.google.com/file/d/1_RVEpnP7H-42DnsVPNVej8iVxQerIpm0/view?usp=sharing
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff952d746f8,0x7ff952d74708,0x7ff952d74718
  2⤵
  PID:1676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,13687061310649358217,1827173028738915002,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2076 /prefetch:2
  2⤵
  PID:2400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,13687061310649358217,1827173028738915002,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2364 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2068,13687061310649358217,1827173028738915002,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2944 /prefetch:8
  2⤵
  PID:5036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,13687061310649358217,1827173028738915002,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
  2⤵
  PID:4428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,13687061310649358217,1827173028738915002,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
  2⤵
  PID:548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,13687061310649358217,1827173028738915002,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4980 /prefetch:1
  2⤵
  PID:3420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,13687061310649358217,1827173028738915002,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5412 /prefetch:1
  2⤵
  PID:4276
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,13687061310649358217,1827173028738915002,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5816 /prefetch:8
  2⤵
  PID:464
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,13687061310649358217,1827173028738915002,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5816 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2068,13687061310649358217,1827173028738915002,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5224 /prefetch:8
  2⤵
  PID:4432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,13687061310649358217,1827173028738915002,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5944 /prefetch:1
  2⤵
  PID:1844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,13687061310649358217,1827173028738915002,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6092 /prefetch:1
  2⤵
  PID:4920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,13687061310649358217,1827173028738915002,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6124 /prefetch:1
  2⤵
  PID:4028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,13687061310649358217,1827173028738915002,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5036 /prefetch:1
  2⤵
  PID:5356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,13687061310649358217,1827173028738915002,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5868 /prefetch:1
  2⤵
  PID:5364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2068,13687061310649358217,1827173028738915002,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6304 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5584

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3532

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1096

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5708

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Downloads.zip"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5872

C:\Users\Admin\Desktop\WaveInstaller (5).exe
"C:\Users\Admin\Desktop\WaveInstaller (5).exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:5820
- C:\Users\Admin\AppData\Local\Wave\WaveBootstrapper.exe
  "C:\Users\Admin\AppData\Local\Wave\WaveBootstrapper.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4296
- - C:\Users\Admin\AppData\Local\Wave\WaveWindows.exe
    "C:\Users\Admin\AppData\Local\Wave\WaveWindows.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks for any installed AV software in registry
    - Enumerates connected drives
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3324
  - - C:\Users\Admin\AppData\Local\Luau Language Server\node.exe
      "C:\Users\Admin\AppData\Local\Luau Language Server\node.exe" server --process-id=3324
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:5284
    - - C:\Users\Admin\AppData\Local\Luau Language Server\shared\bin\wave-luau.exe
        
        "C:\Users\Admin\AppData\Local\Luau Language Server\shared\bin\wave-luau.exe" lsp "--definitions=C:\Users\Admin\AppData\Local\Luau Language Server\shared\bin\globalTypes.d.luau" "--definitions=C:\Users\Admin\AppData\Local\Luau Language Server\shared\bin\wave.d.luau" "--docs=C:\Users\Admin\AppData\Local\Luau Language Server\shared\bin\en-us.json"
        5⤵
        Executes dropped EXE
        
        PID:3924
  - - C:\Users\Admin\AppData\Local\Wave\CefSharp.BrowserSubprocess.exe
      "C:\Users\Admin\AppData\Local\Wave\CefSharp.BrowserSubprocess.exe" --type=gpu-process --no-sandbox --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --cefsharpexitsub --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=6772,i,18285321743013686748,8351858369510867799,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI --variations-seed-version --enable-logging=handle --log-file=6776 --mojo-platform-channel-handle=6764 /prefetch:2 --host-process-id=3324
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Network Service Discovery
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4524
  - - C:\Users\Admin\AppData\Local\Wave\CefSharp.BrowserSubprocess.exe
      "C:\Users\Admin\AppData\Local\Wave\CefSharp.BrowserSubprocess.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --cefsharpexitsub --field-trial-handle=7164,i,18285321743013686748,8351858369510867799,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI --variations-seed-version --enable-logging=handle --log-file=7008 --mojo-platform-channel-handle=7160 /prefetch:8 --host-process-id=3324
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Network Service Discovery
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:6140
  - - C:\Users\Admin\AppData\Local\Wave\CefSharp.BrowserSubprocess.exe
      "C:\Users\Admin\AppData\Local\Wave\CefSharp.BrowserSubprocess.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --cefsharpexitsub --field-trial-handle=7004,i,18285321743013686748,8351858369510867799,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI --variations-seed-version --enable-logging=handle --log-file=7172 --mojo-platform-channel-handle=7012 /prefetch:3 --host-process-id=3324
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Network Service Discovery
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4472
  - - C:\Users\Admin\AppData\Local\Wave\CefSharp.BrowserSubprocess.exe
      "C:\Users\Admin\AppData\Local\Wave\CefSharp.BrowserSubprocess.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --cefsharpexitsub --no-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=7388,i,18285321743013686748,8351858369510867799,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI --variations-seed-version --enable-logging=handle --log-file=7392 --mojo-platform-channel-handle=7384 --host-process-id=3324 /prefetch:1
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      Network Service Discovery
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5372
  - - C:\Users\Admin\AppData\Local\Wave\CefSharp.BrowserSubprocess.exe
      "C:\Users\Admin\AppData\Local\Wave\CefSharp.BrowserSubprocess.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --cefsharpexitsub --no-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=7404,i,18285321743013686748,8351858369510867799,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI --variations-seed-version --enable-logging=handle --log-file=7416 --mojo-platform-channel-handle=7396 --host-process-id=3324 /prefetch:1
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      Network Service Discovery
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1536
  - - C:\Users\Admin\AppData\Local\Bloxstrap\Bloxstrap.exe
      "C:\Users\Admin\AppData\Local\Bloxstrap\Bloxstrap.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:4756
  - - C:\Users\Admin\AppData\Local\Wave\CefSharp.BrowserSubprocess.exe
      "C:\Users\Admin\AppData\Local\Wave\CefSharp.BrowserSubprocess.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-sandbox --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --cefsharpexitsub --field-trial-handle=5956,i,18285321743013686748,8351858369510867799,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI --variations-seed-version --enable-logging=handle --log-file=5960 --mojo-platform-channel-handle=5808 /prefetch:8 --host-process-id=3324
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Network Service Discovery
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:5576
  - - C:\Users\Admin\AppData\Local\Wave\CefSharp.BrowserSubprocess.exe
      "C:\Users\Admin\AppData\Local\Wave\CefSharp.BrowserSubprocess.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-sandbox --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --cefsharpexitsub --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4696,i,18285321743013686748,8351858369510867799,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI --variations-seed-version --enable-logging=handle --log-file=4700 --mojo-platform-channel-handle=5960 /prefetch:8 --host-process-id=3324
      4⤵
      Executes dropped EXE
      Network Service Discovery
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1464

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4f8 0x460
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2508

C:\Users\Admin\Desktop\wave_bypass.exe
"C:\Users\Admin\Desktop\wave_bypass.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1976
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  PID:840
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start https://one.one.one.one/
  2⤵
  PID:5576
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://one.one.one.one/
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:3244
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ff952d746f8,0x7ff952d74708,0x7ff952d74718
      4⤵
      PID:4452
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1976,12244220408969056469,1348917348777971318,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1988 /prefetch:2
      4⤵
      PID:5336
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1976,12244220408969056469,1348917348777971318,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2392 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3064
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1976,12244220408969056469,1348917348777971318,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2716 /prefetch:8
      4⤵
      PID:2976
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,12244220408969056469,1348917348777971318,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
      4⤵
      PID:4228
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,12244220408969056469,1348917348777971318,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
      4⤵
      PID:724

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4268

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5656

C:\Users\Admin\Desktop\wave_bypass.exe
"C:\Users\Admin\Desktop\wave_bypass.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2520
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  PID:3248
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start https://one.one.one.one/
  2⤵
  PID:3776
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://one.one.one.one/
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of SendNotifyMessage
    PID:5616
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff952d746f8,0x7ff952d74708,0x7ff952d74718
      4⤵
      PID:5352
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,2706155391774391993,6003111383159509760,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2
      4⤵
      PID:4232
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,2706155391774391993,6003111383159509760,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2064
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,2706155391774391993,6003111383159509760,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2868 /prefetch:8
      4⤵
      PID:2460
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,2706155391774391993,6003111383159509760,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
      4⤵
      PID:5504
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,2706155391774391993,6003111383159509760,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3472 /prefetch:1
      4⤵
      PID:5888
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,2706155391774391993,6003111383159509760,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5008 /prefetch:8
      4⤵
      PID:996
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,2706155391774391993,6003111383159509760,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5008 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4280
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,2706155391774391993,6003111383159509760,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5036 /prefetch:1
      4⤵
      PID:6020
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,2706155391774391993,6003111383159509760,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5064 /prefetch:1
      4⤵
      PID:5092
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,2706155391774391993,6003111383159509760,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:1
      4⤵
      PID:1840
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,2706155391774391993,6003111383159509760,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5360 /prefetch:1
      4⤵
      PID:4148

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5440

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1284

C:\Users\Admin\Desktop\wave_bypass.exe
"C:\Users\Admin\Desktop\wave_bypass.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3324_1665775005\manifest.json

Filesize
984B

MD5
0359d5b66d73a97ce5dc9f89ed84c458

SHA1
ce17e52eaac909dd63d16d93410de675d3e6ec0d

SHA256
beeab2f8d3833839399dde15ce9085c17b304445577d21333e883d6db6d0b755

SHA512
8fd94a098a4ab5c0fcd48c2cef2bb03328dd4d25c899bf5ed1ca561347d74a8aab8a214ba2d3180a86df72c52eb26987a44631d0ecd9edc84976c28d6c9dc16a

Download Submit
C:\Users\Admin\AppData\Local\Bloxstrap\Bloxstrap.exe

Filesize
249KB

MD5
772c9fecbd0397f6cfb3d866cf3a5d7d

SHA1
6de3355d866d0627a756d0d4e29318e67650dacf

SHA256
2f88ea7e1183d320fb2b7483de2e860da13dc0c0caaf58f41a888528d78c809f

SHA512
82048bd6e50d38a863379a623b8cfda2d1553d8141923acf13f990c7245c833082523633eaa830362a12bfff300da61b3d8b3cccbe038ce2375fdfbd20dbca31

Download Submit
C:\Users\Admin\AppData\Local\CEF\User Data\LocalPrefs.json

Filesize
738B

MD5
92cc3d6c8213a25dfd69e7f075ee8d26

SHA1
a9f02f7e1146ad51e5a968540d93ac0e3fecc087

SHA256
18480668fe65f28695cd00b3cb90c08d4f017e1fc6d8572447e5db3a5fd0de3e

SHA512
a873b5711838d77192ca328cb6951b21f2661f56d31f98d08ef740235dfe8d58606ab7f1a8617e344d57bc949394813b98a48d3e61779edab5311eb7164e80a2

Download Submit
C:\Users\Admin\AppData\Local\CEF\User Data\LocalPrefs.json

Filesize
850B

MD5
3d545f1401d56dd6456770d79b5fdd03

SHA1
c7a6d744d79619ab7122489b23a8986cac4a686e

SHA256
6517d4c658ac5d740079932a587285817425650f06fc6b12f7db98973c2acc4c

SHA512
ef20aa040e7301f8d272789401d1f5e310b68a332bb017860c5a938c306d0f87c8cf16551045b3f5421173ecdca13f4127066911db51eeddbc2f65fe9cccc4c8

Download Submit
C:\Users\Admin\AppData\Local\CEF\User Data\LocalPrefs.json~RFe64d736.TMP

Filesize
529B

MD5
06693842db09c3a226e97ac2d2c7203f

SHA1
e67735da6f6d5a0f4d9799876356daa0dde8e72e

SHA256
684a22e4f9069ea2796661e1ece98f83ce368f04b6721e8da833ab09d62f881c

SHA512
e24046d63c13208f041f9137230f0ae2358df6675a527d3d94cde5a1c190b06000e35a719000d7e96c3f1143c7b3c2cc4b6e57d54d50141700ea560bb886564c

Download Submit
C:\Users\Admin\AppData\Local\CEF\User Data\ShaderCache\data_1

Filesize
264KB

MD5
d0d388f3865d0523e451d6ba0be34cc4

SHA1
8571c6a52aacc2747c048e3419e5657b74612995

SHA256
902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b

SHA512
376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17

Download Submit
C:\Users\Admin\AppData\Local\Luau Language Server\server\index.js

Filesize
6.1MB

MD5
6b1cad741d0b6374435f7e1faa93b5e7

SHA1
7b1957e63c10f4422421245e4dc64074455fd62a

SHA256
6f17add2a8c8c2d9f592adb65d88e08558e25c15cedd82e3f013c8146b5d840f

SHA512
a662fc83536eff797b8d59e2fb4a2fb7cd903be8fc4137de8470b341312534326383bb3af58991628f15f93e3bdd57621622d9d9b634fb5e6e03d4aa06977253

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\2d30752d-a2d4-4943-bbec-c32999e4506b.tmp

Filesize
11KB

MD5
b34c7be30856d0411b8d108321fc52d2

SHA1
3f6e98534022d11aa2a818c4f59dfa5cce0f009a

SHA256
02b8f14f21d9aaebdd67d2d13777613a12833c7fb18212a9fb56deb4b1a25738

SHA512
7842b8c362307687511cd7334692e39e72d8c4747786dce8d26a4ec56485e6a447f8d7b47a65387268e9c5b377cc7e4d11e7737290a675ba03e693ac84494bb7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
eca4bc685c9f730d54904108d6fc1c4e

SHA1
56df0c9a317d4ee343de925c4c58c2f81c39afec

SHA256
aeea26bd958a7ed901f5af8a7b43d54abc65af169970b81d15cf5467dbfde87f

SHA512
148f65594e7d377a1fcebe71e788a16a1e78b675970dfc9bfecd0d2fdececa4d60b7c053e925c6e2b70606df7485a382d26d40369f78c7827b29bf1e16817733

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
584971c8ba88c824fd51a05dddb45a98

SHA1
b7c9489b4427652a9cdd754d1c1b6ac4034be421

SHA256
e2d8de6c2323bbb3863ec50843d9b58a22e911fd626d31430658b9ea942cd307

SHA512
5dbf1a4631a04d1149d8fab2b8e0e43ccd97b7212de43b961b9128a8bf03329164fdeb480154a8ffea5835f28417a7d2b115b8bf8d578d00b13c3682aa5ca726

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b28ef7d9f6d74f055cc49876767c886c

SHA1
d6b3267f36c340979f8fc3e012fdd02c468740bf

SHA256
fa6804456884789f4bdf9c3f5a4a8f29e0ededde149c4384072f3d8cc85bcc37

SHA512
491f893c8f765e5d629bce8dd5067cef4e2ebc558d43bfb05e358bca43e1a66ee1285519bc266fd0ff5b5e09769a56077b62ac55fa8797c1edf6205843356e75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8c84e1fad5d08f1c970195b53e0fb74f

SHA1
6a54a2a9bd382248f4e365d2f00552515f92474b

SHA256
8d54b3e25c7b04b48a479970c56964555bc2a45c6a87f846ef39e535c9a6cba1

SHA512
a70f22c5f42be5f3a8e9e8fa7d558b321f30708d7311d818f1333f2009b4335a6878d86e872359c13b96ace430b4cfabb58fcd68f5b1ccc5a54315964a9012a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e9261d5703d0652fb0ee3f2445b6b0f8

SHA1
aad68569f0e5e663559849397e67182f4aad656d

SHA256
c56e1ea6dd73446fc12d7639be4d9791c231310e6ed5bbb853c9c90654a9c6e2

SHA512
638b9da59f86a83e188ad62d9597a07b11292734e35e653b7eb58ac563e894601b743204f28b3c738fc2b3d04d5e20a109b6b177eb897458153fe6953ced954b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
408B

MD5
4f25e3e8621bca5469b47c1de8c1c073

SHA1
83c24d3bfa11dcc27b3536050200bab034ecf9aa

SHA256
a7009b298d44987192c4e5d6311e571c7a4dc5de9f6a98016a7aacd8dec6ac9c

SHA512
37f44f3cbe6f0e490be3e08ead5100df23fb4f5e083f94b81fd62f5de1485128977005f736fd2aa7cc1b0fa52f4f9819bb8cee94f8f8ad464f2f988c1b4789aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
432B

MD5
d0af899269c930e3801761f1037f2e6b

SHA1
8c7536ee1facadb35f12f72b4cf5b4814c2cbe33

SHA256
28bd37ef6c3849fa7af2db84bb7e2c289a5efdc8162d44b653a14cecb561ca32

SHA512
438afb2b726d2f5f0eae03420190fe1ed07cbf4d668ce86919417a5b943b4136747c4ed0cfb283c5afe4c4a049e4df678073e75dc8c9bb1741425f2e1b5aec5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
432B

MD5
03facbaa5cf067238c015bfc819ff01e

SHA1
0f44e62d1bb2717163ca7adebcf695cb1386bdec

SHA256
66d7e0702708d66fe4561bb090d85e8aa6a6163b36aa50688d774fd1203d4fda

SHA512
89a5ef0a5264642de91513cedbe7e1590bec23b47e0f0a2de25ba1110348062d3554c89c618dbf4bc5111bcb32153cc03e633aa875eac7c7487e7cc95cea5a4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
44732e65f17ea505b9b280d0c6c778c5

SHA1
91a082785ea368c6046e743e136deaf5b2daff25

SHA256
06bf469dfb5ef454b7ccc8290b5b31cde75a93f4920fb9733f604e778119c9ca

SHA512
63041dc7c452e93c79dbcbc92ae01fa86132dbd81770d55e840a2769d48be21fd9963fabbc5c4135353f29a9a4cf67ddafebf40e1b16373371a05588ca5b7609

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
d585325242bc6137db45e4fff55943bd

SHA1
929ed94fef39f17e551cb8f96616d4fad581cec1

SHA256
ce624385dfea77265cec1074c2b7a5b85cb047444c0d2a2e9c8f3b98e9b11a96

SHA512
2ae2096c2822f3a1907a96edc8e7aca698c5fa2c173a82092854b86cf438b2f11cf40423691a300fa72f9de9b19be472889fffcc0afb8489597b4faab49a44b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
f1e7944e06cb8127e5b1d30851608f2c

SHA1
3f4d86ac9ffe0c6515ebb7150f8862090e69679a

SHA256
67f24c8caaf86d17e48df6b7f8c343803ad117b1a46154967ad98c20a2b75651

SHA512
03177e3d14c49310b341f3424835a5035614fef2583f812e161f64a7dc295ddca5d4747b0bee5df4c6dd5a54f016641e200b905fc1add69073730b9fbea67736

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ed136e91cbf6c14a4ff9058ea73380fe

SHA1
4105938f659338fca81ddc864893a8f97b457f6e

SHA256
e4a3d7c735beac253f5504f011d53aaeb8bb99a245b641d5410dbf2579792400

SHA512
106f33671f5abdb025e772abe249e43ba8c4e5fbda7537aca5e216cfeeba265e65d8fecd20bbe788067ac4fae4de459cf0be5415fa2b0d84d5912587238f1970

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f7d8da2a3d3638e99303992cec8db23e

SHA1
25868428e71c7e0160da2a4ef0c575199b0aacb6

SHA256
7193ce9718be8e252e02297b495d7d44a359ae2ce09aa65362f81b7d6a71ed6b

SHA512
5cc4d5c1b18631bf603da08d9992148810e2ea7286cabf58083df0e8595f5061f8ad9eccb2c3cdac462c730e03960b4ee1f23b70c511c58e4ad927583118f268

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
91d24860ffd735b6eca18a74b0f493d0

SHA1
c2832439974defc5500bccce950b01999e17b870

SHA256
e78bf83e5234b26479d76cd0ee66eab518dd3ecced960f211fdcef855974a20a

SHA512
511dde979477e55852d208b4bbff3bdf2c639174696a7ce1b8de9df51729f7e8c905c30c0ea52f6acfac2ebdee45a3ddc9efdb9442b0f8a7ce73e490c8ad940c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
71334548934a53ecc945a26e2f3321ff

SHA1
59a88262e0917d452890553a48ef4374b429fa75

SHA256
c1b204fdf995a39640200fb3702a926035441bf4b8d8108efc3f15ef4abd52bd

SHA512
b682dd6e02e9b97fbb70ea34b19bf3cb7bd03a743c3f0f3a49395d0a99d94bed51b176d49879f82349470c819378a572f7a45e70e79d4ac95188a46ce454af67

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
c67ba053f76dd7fbaf51876c6133f76c

SHA1
826be520f6f9ea1c6bc6276b891ead08ec5e4d71

SHA256
4e05558ef66ae3d404e849809d9a7974e8dee651968ce81957697073d22283c3

SHA512
5fdc74cc8b8d7946267eae02132999fff7d929079ed101121a62a49801b8c2dcdd88fbe49213e875d938568193c0425c75d94e8fd0c4dfdfc259b5169d243dd1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c63bb535a162b1bbe77484dc1aeeb8a5

SHA1
85cd311daeaa0b569dd2dfbd2995bdb3fc26759e

SHA256
e827e25d720d5426345425603da283cc84dba3dae564f76f298058e19e9b264e

SHA512
803183dc30ef3984f6b39dd50986567e2c3d0e335f68144d1043af5e1e84b56fa9bc8d9eabf91b03f21226bbb99c5e4fd6503798c84703b6e6fbfaccbbfede38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
76e9eea0153036d6f5f758b408da7e3e

SHA1
762d899c9b9e99b9691c06b1da7b9a496288c689

SHA256
92e4535b22153cfcb857e245a9b884747500552f4d42a25f85ca129a51ea54f6

SHA512
a16226b2ab529017b3c9b0747d8716640613084cce45428a2c005cc8d8764c4c1d802db780826fa37a9215e9a19d3283af8b41aafe91ec732d8dd8045504ff73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
3b928d1b8f485d06a987f9597d787f34

SHA1
4c135cbba074af2ad2247971b1164476d3811a6e

SHA256
2b366759e05fc9fea2ad934e307e40b58b437c4cac0a433e6f1dc3198980916c

SHA512
2c4e239eb7b0ffb73dc4cdd6bb4c02c3cb92ccc93267d65ad3ad50feb5474095036c154ea5139b4d6862d5f443934172d3c601ab4f8ab40ec1d007562ad65513

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
77939dcea66a020c35dfcb03de9483c1

SHA1
72aa9abacc503e0f72080edc237c7a97f18bb3e2

SHA256
d34fa654b534215a3bcf3b27e9b9c8dc70e3a7116a76e337d422c6df327c860d

SHA512
4c6f68068f5935d0a4926eedff22e68f9641c67966ac7a7a8699f5f4a1aac437f41fcb6bae7316001d8bb1051a85fc68690cc4f9b2b45ceb9e45febba7de08b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\a8c0e7d9-2a5c-4911-9c35-90af14f39e48.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
589c49f8a8e18ec6998a7a30b4958ebc

SHA1
cd4e0e2a5cb1fd5099ff88daf4f48bdba566332e

SHA256
26d067dbb5e448b16f93a1bb22a2541beb7134b1b3e39903346d10b96022b6b8

SHA512
e73566a037838d1f7db7e9b728eba07db08e079de471baca7c8f863c7af7beb36221e9ff77e0a898ce86d4ef4c36f83fb3af9c35e342061b7a5442ca3b9024d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
af2b76364417e981186b1fdbc233aeb4

SHA1
b9865ccdf1428659cdcc1fea83cae26b2a62dc19

SHA256
5a43902ea052d55f5fde55dcce3bc0350f5e25f6d35bb6b108bab393c17ef142

SHA512
9034b6fbb6d3149bf4b8b33f4a4858df901afdd97b110f64c10dc61f3c7556ed0961f06cc28e988c85bdaf8cd6d7bab1134b29b1b64d972bad5c9a1cc2c0746b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e374717e5a17fa6af293655db6cc94dd

SHA1
795d2ff902d42a60e2ae96f3db4ed405f5e7f8de

SHA256
5d19114ee40dccadaaaf4549822f37804498832b688c035d7835a3171fca4b32

SHA512
4bb3d7a26f802dd71c432113c95bfcd80fa3304afef9f264a80c33b0664034274c1bc4d121a67990f1a8292a440f3d50c713c3ed7987c5cde2693b660e1fa677

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
cb03d4087d00e247ad06c485e73f7538

SHA1
983a015200c17c320f3571d14128d74ac5974c88

SHA256
a495c8bc10079d4fe7af307e8abe7bf879cbe559109ae46ddc0f3b201aad4077

SHA512
7050397284fd57a68f83da349127f95b6491c4d7c0468fc47fcdb6ca1cd9088c2c0ccd85f96f7b71a1ddc9aa70adda15f1d758c3b197e4e00338ab264aa05a1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
382ed97dd815cf311cc8672eba04a429

SHA1
c7667d0123f1852eb7e7fef0d71456edb257ed23

SHA256
f1dba4d9533392e1abf10bdb5523033ba77a07c64516d9551919e2fc24aa1a77

SHA512
515db8b19155f45362931a31f700ddc879b803b621554996d167603259200a5eca3fce470422f3ff03a05daadb98a4b2e1e9f7b13d96c72e0b236150a0d3acc8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
64KB

MD5
3a16ce313f0aedba14943c83ef4a853a

SHA1
e3d635fcf3471a638153e8756da3d3e06cf102f1

SHA256
0d6943432a32c38e203c1a2eace24145e470b06d9d73bdf3a82a32955124d00d

SHA512
a89b9b75ca9a0556eff3ddfc202ac17e3d78c2a5334b61a1f97d9aa802234b2bbcb43b20fe2440d45c6a742e69a4032cdae5e92e491d1a5b79fe21cdf475ae6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\23f7284c.dll

Filesize
10KB

MD5
d0b0669374e69be483c04e0bc7c18caf

SHA1
33dd016fe5ba76ae45c1444a6defa1f5afbd0556

SHA256
c9e3daa7fe44f7599826c93286956b10c452ae5344264b2c751efbd5698f32f5

SHA512
13695a52101da7858acbf2bc26e8d711105e0bcc83f9f8787622a134427ace971f93cae4801b2c7e875b5272795b987cdc9bde06e4b59822dda9e8febab6c529

Download Submit
C:\Users\Admin\AppData\Local\Wave\CefSharp.BrowserSubprocess.Core.dll

Filesize
915KB

MD5
100c32f77e68a2ce962e1a28997567ea

SHA1
a80a1f4019b8d44df6b5833fb0c51b929fa79843

SHA256
c0b9e29b240d8328f2f9a29ca0298ca4d967a926f3174a3442c3730c00d5a926

SHA512
f95530ef439fa5c4e3bc02db249b6a76e9d56849816ead83c9cd9bcd49d3443ccb88651d829165c98a67af40b3ef02b922971114f29c5c735e662ca35c0fb6ed

Download Submit
C:\Users\Admin\AppData\Local\Wave\CefSharp.BrowserSubprocess.exe

Filesize
7KB

MD5
516ff62b2e1f4642caa954c0968719e8

SHA1
e349d0ce82e2109dd0d18416d9cf46e8411b7f15

SHA256
19da58849cec5933860116e60a1e94b08e30d90e0f955768270b47998d612045

SHA512
7aa4a0c87b29c2a84f585a884d8208fc2352a43f2cdb549c100e3b121837ad5f8dadb1101f57d1d3fcb7ebec9d9f22e07dc14239b7d2e2d25793c999becf288b

Download Submit
C:\Users\Admin\AppData\Local\Wave\CefSharp.Core.Runtime.dll

Filesize
1.3MB

MD5
09cba584aa0aae9fc600745567393ef6

SHA1
bbd1f93cb0db9cf9e01071b3bed1b4afd6e31279

SHA256
0babd84d4e7dc2713e7265d5ac25a3c28d412e705870cded6f5c7c550a5bf8d5

SHA512
5f914fa33a63a6d4b46f39c7279687f313728fd5f8437ec592369a2da3256ccff6f325f78ace0e6d3a2c37da1f681058556f7603da13c45b03f2808f779d2aa1

Download Submit
C:\Users\Admin\AppData\Local\Wave\CefSharp.Core.dll

Filesize
898KB

MD5
1bb24b22d9bd996c038d26b600ed18a8

SHA1
c2629a8a26c9c0969501923f84874838087cca2b

SHA256
944b987a0b677d354e24ee15bba65f73b0f051338f576234a975a49493399873

SHA512
38578e0d1a39ccc9851ff80d3a0f5342a34303229e2898c3ca32dad11017d4277720f54b472c2f1a0b73f47d5ba6352aa7be8ae2ed72b3b25a01dd8292591421

Download Submit
C:\Users\Admin\AppData\Local\Wave\CefSharp.Wpf.dll

Filesize
114KB

MD5
ceaf0bad83fac8ce71853cd820e4ed9d

SHA1
4eed686fbba7d4603b596fb8e494b8f452a05886

SHA256
eaced1f76adb8ee756033baee29a47b1f4d4b657ebd105a7e25c8dc4fbc48cba

SHA512
4ed3f83e797eade8f0d1c6b80ce49d18f00daaf5d69421a4920e3cea2e7d78c3622193ca65b6ab1dab14c57e7f893a7b1edb27b83f343ea4df731d80aa21ff82

Download Submit
C:\Users\Admin\AppData\Local\Wave\CefSharp.dll

Filesize
272KB

MD5
9ca06a8f9e5f7239ca225ab810274023

SHA1
e1a219f567a7b7d3af9386df51b14c76e769c044

SHA256
5fd00ae3e83e6ca156647ff6df87b49ffc7cad47c23fe3ae07c067c5adf6f74a

SHA512
430c9bceed5439b987d5bd4840cfe32411ca61594f18597aca1948aa39a22c9d70beadf3bb9b1dd0373f81a94a25dcba17fa8e8c73abf06cba28d0971d5614c5

Download Submit
C:\Users\Admin\AppData\Local\Wave\D3DCOMPILER_47.dll

Filesize
3.9MB

MD5
3b4647bcb9feb591c2c05d1a606ed988

SHA1
b42c59f96fb069fd49009dfd94550a7764e6c97c

SHA256
35773c397036b368c1e75d4e0d62c36d98139ebe74e42c1ff7be71c6b5a19fd7

SHA512
00cd443b36f53985212ac43b44f56c18bf70e25119bbf9c59d05e2358ff45254b957f1ec63fc70fb57b1726fd8f76ccfad8103c67454b817a4f183f9122e3f50

Download Submit
C:\Users\Admin\AppData\Local\Wave\WaveBootstrapper.exe

Filesize
949KB

MD5
8fb51b92d496c6765f7ba44e6d4a8990

SHA1
d3e5a8465622cd5adae05babeb7e34b2b5c777d7

SHA256
ab49d6166a285b747e5f279620ab9cea12f33f7656d732aa75900fcb981a5394

SHA512
20de93a52fff7b092cb9d77bd26944abed5f5cb67146e6d2d70be6a431283b6de52eb37a0e13dc8bc57dcf8be2d5a95b9c11b3b030a3e2f03dd6e4efc23527a6

Download Submit
C:\Users\Admin\AppData\Local\Wave\WaveWindows.exe

Filesize
8.0MB

MD5
b8631bbd78d3935042e47b672c19ccc3

SHA1
cd0ea137f1544a31d2a62aaed157486dce3ecebe

SHA256
9cfda541d595dc20a55df5422001dfb58debd401df3abff21b1eee8ede28451c

SHA512
0c51d6247e39f7851538a5916b24972e845abfe429f0abdc7b532f654b4afe73dc6e1936f1b062da63bfc90273d3cbc297bf6c802e615f3711d0f180c070aa26

Download Submit
C:\Users\Admin\AppData\Local\Wave\bin\Background.mp4

Filesize
4.6MB

MD5
9782180eb68f73030fe24ef6a1735932

SHA1
589827fe098ba048c9f871a28db8eae3e3537ff4

SHA256
3a1cbb800f8f25c2ab703ba8bfdb01e938e4143c3bc0fea8ca734fb5ba779ba7

SHA512
dc768638bae2d6d47d8910252ae64a656d8a6fd88efdf24165ddce51b7afdb4acb3fddd41dfe788737a2cab4fab66174db2f0d2f48bc8669af76d1656bca8be1

Download Submit
C:\Users\Admin\AppData\Local\Wave\chrome_100_percent.pak

Filesize
667KB

MD5
ae195e80859781a20414cf5faa52db06

SHA1
b18ecb5ec141415e3a210880e2b3d37470636485

SHA256
9957802c0792e621f76bbdb1c630fbad519922743b5d193294804164babda552

SHA512
c6fef84615fe20d1760ca496c98629feb4e533556724e9631d4282622748e7601225cf19dfb8351f4b540ae3f83785c1bcea6fe8c246cf70388e527654097c1c

Download Submit
C:\Users\Admin\AppData\Local\Wave\chrome_200_percent.pak

Filesize
1.0MB

MD5
1abf6bad0c39d59e541f04162e744224

SHA1
db93c38253338a0b85e431bd4194d9e7bddb22c6

SHA256
01cb663a75f18bb2d0d800640a114f153a34bd8a5f2aa0ed7daa9b32967dc29e

SHA512
945d519221d626421094316f13b818766826b3bedddab0165c041540dddadc93136e32784c0562d26a420cb29479d04d2aa317b8d605cd242e5152bf05af197e

Download Submit
C:\Users\Admin\AppData\Local\Wave\chrome_elf.dll

Filesize
1020KB

MD5
7191d97ce7886a1a93a013e90868db96

SHA1
52dd736cb589dd1def87130893d6b9449a6a36e3

SHA256
32f925f833aa59e3f05322549fc3c326ac6fc604358f4efbf94c59d5c08b8dc6

SHA512
38ebb62c34d466935eabb157197c7c364d4345f22aa3b2641b636196ca1aeaa2152ac75d613ff90817cb94825189612ddd12fb96df29469511a46a7d9620e724

Download Submit
C:\Users\Admin\AppData\Local\Wave\icudtl.dat

Filesize
10.2MB

MD5
74bded81ce10a426df54da39cfa132ff

SHA1
eb26bcc7d24be42bd8cfbded53bd62d605989bbf

SHA256
7bf96c193befbf23514401f8f6568076450ade52dd1595b85e4dfcf3de5f6fb9

SHA512
bd7b7b52d31803b2d4b1fd8cb76481931ed8abb98d779b893d3965231177bdd33386461e1a820b384712013904da094e3cd15ee24a679ddc766132677a8be54a

Download Submit
C:\Users\Admin\AppData\Local\Wave\locales\en-US.pak

Filesize
456KB

MD5
4430b1833d56bc8eb1f7dc82bb7f4bc9

SHA1
dc15e6306625f155683326e859d83f846153c547

SHA256
b44ddcfac9df4934007e6c55a3c7f5e7f14c7e5e29f35c81de917fc3b22aabbc

SHA512
faf93bf371b2a88c1b874a5e2c54e4487fd152ad19c2a406a46f55ae75ecd421a779888c2e4c170857b16bfb5d8744bc1815a4732ed50b064b3cbd0c5ffad889

Download Submit
C:\Users\Admin\AppData\Local\Wave\resources.pak

Filesize
8.0MB

MD5
4933d92c99afa246fc59eef010d5c858

SHA1
98d443654e93c73dd317f9f847f71fba3d5b3135

SHA256
62f4674daa15245ee081920b8ee191e72f36ca8fe24f6b986a832f45676915b2

SHA512
a3a69523c8e7310716daeebc06c2ba4fce673eccd1958e824ff179b82f4502d0ec095190179bbb387342e4150f952ea7533182fb6ba90377d17dafba8f4da623

Download Submit
C:\Users\Admin\Desktop\WaveInstaller (5).exe

Filesize
2.3MB

MD5
8ad8b6593c91d7960dad476d6d4af34f

SHA1
0a95f110c8264cde7768a3fd76db5687fda830ea

SHA256
43e6ae7e38488e95741b1cad60843e7ce49419889285433eb4e697c175a153ab

SHA512
09b522da0958f8b173e97b31b6c7141cb67de5d30db9ff71bc6e61ca9a97c09bff6b17d6eaa03c840500996aad25b3419391af64de1c59e98ff6a8eac636b686

Download Submit
C:\Users\Admin\Downloads\Downloads.zip

Filesize
27.7MB

MD5
a3afaf6a35a8d9f498621f099b954340

SHA1
ad4fec23fabf5f48b0f87bd570d9458775688b5d

SHA256
369098d40c02418c92dc54f4350820b810004e1834f84aea05f50b992fb0fc99

SHA512
8b6213d25930e6480289ccef1adb5c6c7dc2ae93c31244dd538eb23adabe527df6a77d5a288ba5070177d0f988a0cf652a4378e2c4d80642a810616b93d6206c

Download Submit
memory/1976-616-0x0000000140000000-0x0000000144C21000-memory.dmp

Filesize
76.1MB

Download
memory/1976-627-0x0000000140000000-0x0000000144C21000-memory.dmp

Filesize
76.1MB

Download
memory/1976-667-0x0000000000E50000-0x0000000000E58000-memory.dmp

Filesize
32KB

Download
memory/1976-625-0x0000000140000000-0x0000000144C21000-memory.dmp

Filesize
76.1MB

Download
memory/1976-626-0x0000000140000000-0x0000000144C21000-memory.dmp

Filesize
76.1MB

Download
memory/1976-629-0x0000000180000000-0x00000001806A7000-memory.dmp

Filesize
6.7MB

Download
memory/1976-632-0x0000000180000000-0x00000001806A7000-memory.dmp

Filesize
6.7MB

Download
memory/1976-657-0x0000000140000000-0x0000000144C21000-memory.dmp

Filesize
76.1MB

Download
memory/1976-668-0x0000000000E50000-0x0000000000E58000-memory.dmp

Filesize
32KB

Download
memory/1976-654-0x0000000140000000-0x0000000144C21000-memory.dmp

Filesize
76.1MB

Download
memory/1976-919-0x0000000140000000-0x0000000144C21000-memory.dmp

Filesize
76.1MB

Download
memory/1976-628-0x0000000140000000-0x0000000144C21000-memory.dmp

Filesize
76.1MB

Download
memory/1976-658-0x0000000000E70000-0x0000000000E81000-memory.dmp

Filesize
68KB

Download
memory/1976-643-0x0000000140000000-0x0000000144C21000-memory.dmp

Filesize
76.1MB

Download
memory/1976-674-0x0000000003B40000-0x0000000003B56000-memory.dmp

Filesize
88KB

Download
memory/1976-681-0x0000000000E90000-0x0000000000E99000-memory.dmp

Filesize
36KB

Download
memory/1976-682-0x0000000000E90000-0x0000000000E99000-memory.dmp

Filesize
36KB

Download
memory/1976-675-0x0000000003B40000-0x0000000003B56000-memory.dmp

Filesize
88KB

Download
memory/1976-688-0x0000000003B90000-0x0000000003BBD000-memory.dmp

Filesize
180KB

Download
memory/1976-691-0x0000000003B90000-0x0000000003BBD000-memory.dmp

Filesize
180KB

Download
memory/1976-782-0x0000000140000000-0x0000000144C21000-memory.dmp

Filesize
76.1MB

Download
memory/1976-661-0x0000000000E70000-0x0000000000E81000-memory.dmp

Filesize
68KB

Download
memory/3324-538-0x000000000B630000-0x000000000B640000-memory.dmp

Filesize
64KB

Download
memory/3324-564-0x000000000F310000-0x000000000F3F6000-memory.dmp

Filesize
920KB

Download
memory/3324-560-0x0000000008C80000-0x0000000008CCA000-memory.dmp

Filesize
296KB

Download
memory/3324-556-0x0000000008C00000-0x0000000008C24000-memory.dmp

Filesize
144KB

Download
memory/3324-568-0x000000000C9F0000-0x000000000CB4B000-memory.dmp

Filesize
1.4MB

Download
memory/3324-551-0x000000001D2B0000-0x000000001D436000-memory.dmp

Filesize
1.5MB

Download
memory/3324-537-0x000000000B630000-0x000000000B640000-memory.dmp

Filesize
64KB

Download
memory/3324-533-0x000000000B630000-0x000000000B640000-memory.dmp

Filesize
64KB

Download
memory/3324-534-0x000000000B630000-0x000000000B640000-memory.dmp

Filesize
64KB

Download
memory/3324-535-0x000000000CBD0000-0x000000000CBE0000-memory.dmp

Filesize
64KB

Download
memory/3324-536-0x000000000CBD0000-0x000000000CBE0000-memory.dmp

Filesize
64KB

Download
memory/3324-532-0x000000000B620000-0x000000000B630000-memory.dmp

Filesize
64KB

Download
memory/3324-530-0x000000000CBD0000-0x000000000CBE0000-memory.dmp

Filesize
64KB

Download
memory/3324-529-0x000000000CBD0000-0x000000000CBE0000-memory.dmp

Filesize
64KB

Download
memory/3324-531-0x000000000CBD0000-0x000000000CBE0000-memory.dmp

Filesize
64KB

Download
memory/3324-528-0x000000000B630000-0x000000000B640000-memory.dmp

Filesize
64KB

Download
memory/3324-527-0x000000000B630000-0x000000000B640000-memory.dmp

Filesize
64KB

Download
memory/3324-526-0x000000000B620000-0x000000000B630000-memory.dmp

Filesize
64KB

Download
memory/3324-525-0x000000000CBD0000-0x000000000CBE0000-memory.dmp

Filesize
64KB

Download
memory/3324-524-0x000000000CBD0000-0x000000000CBE0000-memory.dmp

Filesize
64KB

Download
memory/3324-523-0x000000000CBD0000-0x000000000CBE0000-memory.dmp

Filesize
64KB

Download
memory/3324-522-0x000000000CBD0000-0x000000000CBE0000-memory.dmp

Filesize
64KB

Download
memory/3324-510-0x000000000B6F0000-0x000000000B6F8000-memory.dmp

Filesize
32KB

Download
memory/3324-509-0x000000000BB70000-0x000000000BBD6000-memory.dmp

Filesize
408KB

Download
memory/3324-508-0x000000000AE50000-0x000000000AE8E000-memory.dmp

Filesize
248KB

Download
memory/3324-507-0x000000000C4C0000-0x000000000C9EC000-memory.dmp

Filesize
5.2MB

Download
memory/3324-506-0x000000000BC30000-0x000000000BF84000-memory.dmp

Filesize
3.3MB

Download
memory/3324-505-0x000000000AF80000-0x000000000AFA2000-memory.dmp

Filesize
136KB

Download
memory/3324-504-0x00000000092F0000-0x0000000009328000-memory.dmp

Filesize
224KB

Download
memory/3324-499-0x0000000009E80000-0x0000000009F32000-memory.dmp

Filesize
712KB

Download
memory/3324-494-0x0000000005540000-0x00000000055E0000-memory.dmp

Filesize
640KB

Download
memory/3324-493-0x0000000000300000-0x0000000000B02000-memory.dmp

Filesize
8.0MB

Download
memory/4296-487-0x0000000009E40000-0x0000000009E5E000-memory.dmp

Filesize
120KB

Download
memory/4296-486-0x0000000009DA0000-0x0000000009DAA000-memory.dmp

Filesize
40KB

Download
memory/4296-485-0x0000000009D60000-0x0000000009D76000-memory.dmp

Filesize
88KB

Download
memory/4296-484-0x0000000009090000-0x0000000009194000-memory.dmp

Filesize
1.0MB

Download
memory/4296-482-0x0000000000910000-0x0000000000A02000-memory.dmp

Filesize
968KB

Download
memory/4524-589-0x0000000000EF0000-0x0000000000EF8000-memory.dmp

Filesize
32KB

Download
memory/4524-593-0x0000000005710000-0x00000000057FA000-memory.dmp

Filesize
936KB

Download
memory/5820-268-0x0000000000F90000-0x0000000000F9A000-memory.dmp

Filesize
40KB

Download
memory/5820-267-0x0000000000F80000-0x0000000000F8A000-memory.dmp

Filesize
40KB

Download
memory/5820-266-0x0000000000FC0000-0x0000000001032000-memory.dmp

Filesize
456KB

Download
memory/5820-263-0x0000000001040000-0x0000000001066000-memory.dmp

Filesize
152KB

Download
memory/5820-264-0x0000000000D60000-0x0000000000D68000-memory.dmp

Filesize
32KB

Download
memory/5820-262-0x000000000ACD0000-0x000000000AD66000-memory.dmp

Filesize
600KB

Download
memory/5820-255-0x0000000009BD0000-0x0000000009BDE000-memory.dmp

Filesize
56KB

Download
memory/5820-254-0x0000000009C00000-0x0000000009C38000-memory.dmp

Filesize
224KB

Download
memory/5820-253-0x0000000005230000-0x0000000005238000-memory.dmp

Filesize
32KB

Download
memory/5820-252-0x0000000005220000-0x0000000005228000-memory.dmp

Filesize
32KB

Download
memory/5820-251-0x0000000005190000-0x0000000005212000-memory.dmp

Filesize
520KB

Download
memory/5820-250-0x00000000050E0000-0x0000000005192000-memory.dmp

Filesize
712KB

Download
memory/5820-249-0x0000000000420000-0x000000000066A000-memory.dmp

Filesize
2.3MB

Download