hxxps://drive[.]google[.]com/file/d/1_RVEpnP7H-42DnsVPNVej8iVxQerIpm0/view?usp=sharing

Analysis

max time kernel
1013s
max time network
771s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
30-07-2024 13:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/1_RVEpnP7H-42DnsVPNVej8iVxQerIpm0/view?usp=sharing

Score

9^/10

discovery evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	wave_bypass.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	wave_bypass.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	wave_bypass.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	wave_bypass.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	wave_bypass.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	wave_bypass.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	wave_bypass.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	wave_bypass.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	wave_bypass.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	wave_bypass.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	wave_bypass.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	wave_bypass.exe

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	CefSharp.BrowserSubprocess.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	node.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	CefSharp.BrowserSubprocess.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	WaveInstaller (5).exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	WaveBootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	WaveWindows.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	Bloxstrap.exe

Executes dropped EXE 17 IoCs

pid	Process
5600	WaveInstaller (5).exe
2964	WaveBootstrapper.exe
4872	WaveWindows.exe
2124	node.exe
3528	Bloxstrap.exe
4820	CefSharp.BrowserSubprocess.exe
3888	CefSharp.BrowserSubprocess.exe
1288	CefSharp.BrowserSubprocess.exe
1780	CefSharp.BrowserSubprocess.exe
5100	CefSharp.BrowserSubprocess.exe
4908	wave-luau.exe
5924	wave_bypass.exe
440	wave_bypass.exe
4092	CefSharp.BrowserSubprocess.exe
2408	CefSharp.BrowserSubprocess.exe
1568	wave_bypass.exe
1364	wave_bypass.exe

Loads dropped DLL 64 IoCs

pid	Process
2964	WaveBootstrapper.exe
4872	WaveWindows.exe
4872	WaveWindows.exe
4872	WaveWindows.exe
4872	WaveWindows.exe
4872	WaveWindows.exe
4872	WaveWindows.exe
4872	WaveWindows.exe
4872	WaveWindows.exe
4872	WaveWindows.exe
4872	WaveWindows.exe
4872	WaveWindows.exe
4872	WaveWindows.exe
4820	CefSharp.BrowserSubprocess.exe
4820	CefSharp.BrowserSubprocess.exe
4820	CefSharp.BrowserSubprocess.exe
4820	CefSharp.BrowserSubprocess.exe
4820	CefSharp.BrowserSubprocess.exe
4820	CefSharp.BrowserSubprocess.exe
4820	CefSharp.BrowserSubprocess.exe
4820	CefSharp.BrowserSubprocess.exe
4820	CefSharp.BrowserSubprocess.exe
4820	CefSharp.BrowserSubprocess.exe
4820	CefSharp.BrowserSubprocess.exe
3888	CefSharp.BrowserSubprocess.exe
3888	CefSharp.BrowserSubprocess.exe
3888	CefSharp.BrowserSubprocess.exe
3888	CefSharp.BrowserSubprocess.exe
3888	CefSharp.BrowserSubprocess.exe
3888	CefSharp.BrowserSubprocess.exe
3888	CefSharp.BrowserSubprocess.exe
1288	CefSharp.BrowserSubprocess.exe
1288	CefSharp.BrowserSubprocess.exe
1288	CefSharp.BrowserSubprocess.exe
1288	CefSharp.BrowserSubprocess.exe
1288	CefSharp.BrowserSubprocess.exe
1288	CefSharp.BrowserSubprocess.exe
1288	CefSharp.BrowserSubprocess.exe
1780	CefSharp.BrowserSubprocess.exe
1780	CefSharp.BrowserSubprocess.exe
1780	CefSharp.BrowserSubprocess.exe
1780	CefSharp.BrowserSubprocess.exe
1780	CefSharp.BrowserSubprocess.exe
1780	CefSharp.BrowserSubprocess.exe
1780	CefSharp.BrowserSubprocess.exe
5100	CefSharp.BrowserSubprocess.exe
5100	CefSharp.BrowserSubprocess.exe
5100	CefSharp.BrowserSubprocess.exe
5100	CefSharp.BrowserSubprocess.exe
5100	CefSharp.BrowserSubprocess.exe
5100	CefSharp.BrowserSubprocess.exe
5100	CefSharp.BrowserSubprocess.exe
5924	wave_bypass.exe
5924	wave_bypass.exe
5924	wave_bypass.exe
5924	wave_bypass.exe
5924	wave_bypass.exe
5924	wave_bypass.exe
440	wave_bypass.exe
440	wave_bypass.exe
440	wave_bypass.exe
440	wave_bypass.exe
440	wave_bypass.exe
440	wave_bypass.exe

Themida packer 6 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/5924-634-0x0000000140000000-0x0000000144C21000-memory.dmp	themida
behavioral1/memory/5924-643-0x0000000140000000-0x0000000144C21000-memory.dmp	themida
behavioral1/memory/5924-644-0x0000000140000000-0x0000000144C21000-memory.dmp	themida
behavioral1/memory/5924-645-0x0000000140000000-0x0000000144C21000-memory.dmp	themida
behavioral1/memory/5924-646-0x0000000140000000-0x0000000144C21000-memory.dmp	themida
behavioral1/memory/5924-833-0x0000000140000000-0x0000000144C21000-memory.dmp	themida

Checks for any installed AV software in registry 1 TTPs 29 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\KasperskyLab\FirstHash = "\"cad1a09ebb8ec6983968373e739268b4-2\""	WaveWindows.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\KasperskyLab\FontSize	WaveWindows.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\KasperskyLab\FirstHash	WaveWindows.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\KasperskyLab\LastUsername = "5wzx22"	WaveWindows.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\KasperskyLab\UsePerformanceMode	WaveWindows.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\KasperskyLab\InlayHints	WaveWindows.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\KasperskyLab\SendCurrentDocument = "1"	WaveWindows.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\KasperskyLab\SecondHash	WaveWindows.exe
Key opened	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\KasperskyLab	WaveWindows.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\KasperskyLab\TopMost	WaveWindows.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\KasperskyLab\Minimap = "0"	WaveWindows.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\KasperskyLab\InlayHints = "1"	WaveWindows.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\KasperskyLab\Session	WaveWindows.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\KasperskyLab\FontSize = "14"	WaveWindows.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\KasperskyLab\RedirectCompilerError = "1"	WaveWindows.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\KasperskyLab\RefreshRate	WaveWindows.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\KasperskyLab\RefreshRate = "60"	WaveWindows.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\KasperskyLab\Minimap	WaveWindows.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\KasperskyLab\Session = "Bearer d70f8a01-0a23-4cf0-b256-f6477acd51a6"	WaveWindows.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\KasperskyLab\ContinueOnStartUp	WaveWindows.exe
Key queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\KasperskyLab	WaveWindows.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\KasperskyLab\ContinueOnStartUp = "0"	WaveWindows.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\KasperskyLab\TopMost = "0"	WaveWindows.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\KasperskyLab\RedirectCompilerError	WaveWindows.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\KasperskyLab\UsePerformanceMode = "0"	WaveWindows.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\KasperskyLab\SendCurrentDocument	WaveWindows.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\KasperskyLab\SecondHash = "\"a625cdef16860630acdae42d81b038aa\""	WaveWindows.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\KasperskyLab	WaveWindows.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\KasperskyLab\LastUsername	WaveWindows.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wave_bypass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wave_bypass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wave_bypass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wave_bypass.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	WaveWindows.exe
File opened (read-only)	\??\W:	WaveWindows.exe
File opened (read-only)	\??\Y:	WaveWindows.exe
File opened (read-only)	\??\V:	WaveWindows.exe
File opened (read-only)	\??\G:	WaveWindows.exe
File opened (read-only)	\??\H:	WaveWindows.exe
File opened (read-only)	\??\K:	WaveWindows.exe
File opened (read-only)	\??\L:	WaveWindows.exe
File opened (read-only)	\??\O:	WaveWindows.exe
File opened (read-only)	\??\U:	WaveWindows.exe
File opened (read-only)	\??\X:	WaveWindows.exe
File opened (read-only)	\??\J:	WaveWindows.exe
File opened (read-only)	\??\M:	WaveWindows.exe
File opened (read-only)	\??\N:	WaveWindows.exe
File opened (read-only)	\??\P:	WaveWindows.exe
File opened (read-only)	\??\R:	WaveWindows.exe
File opened (read-only)	\??\T:	WaveWindows.exe
File opened (read-only)	\??\A:	WaveWindows.exe
File opened (read-only)	\??\B:	WaveWindows.exe
File opened (read-only)	\??\E:	WaveWindows.exe
File opened (read-only)	\??\Q:	WaveWindows.exe
File opened (read-only)	\??\S:	WaveWindows.exe
File opened (read-only)	\??\Z:	WaveWindows.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs

Web Service

T1102

flow	ioc
175	raw.githubusercontent.com
176	raw.githubusercontent.com
10	drive.google.com
13	drive.google.com
156	raw.githubusercontent.com
157	raw.githubusercontent.com
173	raw.githubusercontent.com
174	raw.githubusercontent.com

Network Service Discovery 1 TTPs 7 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
2408	CefSharp.BrowserSubprocess.exe
4820	CefSharp.BrowserSubprocess.exe
3888	CefSharp.BrowserSubprocess.exe
1780	CefSharp.BrowserSubprocess.exe
5100	CefSharp.BrowserSubprocess.exe
1288	CefSharp.BrowserSubprocess.exe
4092	CefSharp.BrowserSubprocess.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
5924	wave_bypass.exe
440	wave_bypass.exe
1568	wave_bypass.exe
1364	wave_bypass.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4872_1100578888\_platform_specific\win_x86\widevinecdm.dll	WaveWindows.exe
File created	C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4872_1100578888\LICENSE	WaveWindows.exe
File created	C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4872_1100578888\manifest.json	WaveWindows.exe
File created	C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4872_1100578888\_metadata\verified_contents.json	WaveWindows.exe
File created	C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4872_1100578888\manifest.fingerprint	WaveWindows.exe
File created	C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4872_1100578888\_platform_specific\win_x86\widevinecdm.dll.sig	WaveWindows.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaveInstaller (5).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CefSharp.BrowserSubprocess.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CefSharp.BrowserSubprocess.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CefSharp.BrowserSubprocess.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CefSharp.BrowserSubprocess.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CefSharp.BrowserSubprocess.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaveBootstrapper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaveWindows.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CefSharp.BrowserSubprocess.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CefSharp.BrowserSubprocess.exe

Enumerates system info in registry 2 TTPs 12 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2636447293-1148739154-93880854-1000\{BF205FA7-603F-4C57-A8D0-186CF287D8FC}	WaveWindows.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 465166.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 147147.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
2096	msedge.exe
2096	msedge.exe
3516	msedge.exe
3516	msedge.exe
3988	identity_helper.exe
3988	identity_helper.exe
5412	msedge.exe
5412	msedge.exe
4872	WaveWindows.exe
4872	WaveWindows.exe
4820	CefSharp.BrowserSubprocess.exe
4820	CefSharp.BrowserSubprocess.exe
3888	CefSharp.BrowserSubprocess.exe
3888	CefSharp.BrowserSubprocess.exe
1288	CefSharp.BrowserSubprocess.exe
1288	CefSharp.BrowserSubprocess.exe
1780	CefSharp.BrowserSubprocess.exe
1780	CefSharp.BrowserSubprocess.exe
5100	CefSharp.BrowserSubprocess.exe
5100	CefSharp.BrowserSubprocess.exe
4456	msedge.exe
4456	msedge.exe
4432	msedge.exe
4432	msedge.exe
5392	identity_helper.exe
5392	identity_helper.exe
4872	WaveWindows.exe
4872	WaveWindows.exe
4092	CefSharp.BrowserSubprocess.exe
4092	CefSharp.BrowserSubprocess.exe
4092	CefSharp.BrowserSubprocess.exe
4092	CefSharp.BrowserSubprocess.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
2408	CefSharp.BrowserSubprocess.exe
2408	CefSharp.BrowserSubprocess.exe
4904	msedge.exe
4904	msedge.exe
3008	msedge.exe
3008	msedge.exe
512	msedge.exe
512	msedge.exe
4956	msedge.exe
4956	msedge.exe
1568	identity_helper.exe
1568	identity_helper.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5700	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 23 IoCs

pid	Process
3516	msedge.exe
3516	msedge.exe
3516	msedge.exe
3516	msedge.exe
3516	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
3008	msedge.exe
3008	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	5700	7zFM.exe
Token: 35	5700	7zFM.exe
Token: SeSecurityPrivilege	5700	7zFM.exe
Token: SeDebugPrivilege	5600	WaveInstaller (5).exe
Token: SeDebugPrivilege	2964	WaveBootstrapper.exe
Token: SeDebugPrivilege	4872	WaveWindows.exe
Token: SeShutdownPrivilege	4872	WaveWindows.exe
Token: SeCreatePagefilePrivilege	4872	WaveWindows.exe
Token: SeShutdownPrivilege	4872	WaveWindows.exe
Token: SeCreatePagefilePrivilege	4872	WaveWindows.exe
Token: 33	2784	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2784	AUDIODG.EXE
Token: 33	4872	WaveWindows.exe
Token: SeIncBasePriorityPrivilege	4872	WaveWindows.exe
Token: SeShutdownPrivilege	4872	WaveWindows.exe
Token: SeCreatePagefilePrivilege	4872	WaveWindows.exe
Token: SeShutdownPrivilege	4872	WaveWindows.exe
Token: SeCreatePagefilePrivilege	4872	WaveWindows.exe
Token: SeDebugPrivilege	4820	CefSharp.BrowserSubprocess.exe
Token: SeShutdownPrivilege	4872	WaveWindows.exe
Token: SeCreatePagefilePrivilege	4872	WaveWindows.exe
Token: SeShutdownPrivilege	4872	WaveWindows.exe
Token: SeCreatePagefilePrivilege	4872	WaveWindows.exe
Token: SeDebugPrivilege	3888	CefSharp.BrowserSubprocess.exe
Token: SeDebugPrivilege	1288	CefSharp.BrowserSubprocess.exe
Token: SeDebugPrivilege	1780	CefSharp.BrowserSubprocess.exe
Token: SeShutdownPrivilege	4872	WaveWindows.exe
Token: SeCreatePagefilePrivilege	4872	WaveWindows.exe
Token: SeShutdownPrivilege	4872	WaveWindows.exe
Token: SeCreatePagefilePrivilege	4872	WaveWindows.exe
Token: SeShutdownPrivilege	4872	WaveWindows.exe
Token: SeCreatePagefilePrivilege	4872	WaveWindows.exe
Token: SeShutdownPrivilege	4872	WaveWindows.exe
Token: SeCreatePagefilePrivilege	4872	WaveWindows.exe
Token: SeDebugPrivilege	5100	CefSharp.BrowserSubprocess.exe
Token: SeShutdownPrivilege	4872	WaveWindows.exe
Token: SeCreatePagefilePrivilege	4872	WaveWindows.exe
Token: SeShutdownPrivilege	4872	WaveWindows.exe
Token: SeCreatePagefilePrivilege	4872	WaveWindows.exe
Token: SeShutdownPrivilege	4872	WaveWindows.exe
Token: SeCreatePagefilePrivilege	4872	WaveWindows.exe
Token: SeShutdownPrivilege	4872	WaveWindows.exe
Token: SeCreatePagefilePrivilege	4872	WaveWindows.exe
Token: SeShutdownPrivilege	4872	WaveWindows.exe
Token: SeCreatePagefilePrivilege	4872	WaveWindows.exe
Token: SeShutdownPrivilege	4872	WaveWindows.exe
Token: SeCreatePagefilePrivilege	4872	WaveWindows.exe
Token: SeShutdownPrivilege	4872	WaveWindows.exe
Token: SeCreatePagefilePrivilege	4872	WaveWindows.exe
Token: SeShutdownPrivilege	4872	WaveWindows.exe
Token: SeCreatePagefilePrivilege	4872	WaveWindows.exe
Token: SeShutdownPrivilege	4872	WaveWindows.exe
Token: SeCreatePagefilePrivilege	4872	WaveWindows.exe
Token: SeShutdownPrivilege	4872	WaveWindows.exe
Token: SeCreatePagefilePrivilege	4872	WaveWindows.exe
Token: SeShutdownPrivilege	4872	WaveWindows.exe
Token: SeCreatePagefilePrivilege	4872	WaveWindows.exe
Token: SeShutdownPrivilege	4872	WaveWindows.exe
Token: SeCreatePagefilePrivilege	4872	WaveWindows.exe
Token: SeShutdownPrivilege	4872	WaveWindows.exe
Token: SeCreatePagefilePrivilege	4872	WaveWindows.exe
Token: SeShutdownPrivilege	4872	WaveWindows.exe
Token: SeCreatePagefilePrivilege	4872	WaveWindows.exe
Token: SeShutdownPrivilege	4872	WaveWindows.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3516	msedge.exe
3516	msedge.exe
3516	msedge.exe
3516	msedge.exe
3516	msedge.exe
3516	msedge.exe
3516	msedge.exe
3516	msedge.exe
3516	msedge.exe
3516	msedge.exe
3516	msedge.exe
3516	msedge.exe
3516	msedge.exe
3516	msedge.exe
3516	msedge.exe
3516	msedge.exe
3516	msedge.exe
3516	msedge.exe
3516	msedge.exe
3516	msedge.exe
3516	msedge.exe
3516	msedge.exe
3516	msedge.exe
3516	msedge.exe
3516	msedge.exe
3516	msedge.exe
3516	msedge.exe
3516	msedge.exe
3516	msedge.exe
3516	msedge.exe
3516	msedge.exe
3516	msedge.exe
3516	msedge.exe
3516	msedge.exe
3516	msedge.exe
3516	msedge.exe
3516	msedge.exe
3516	msedge.exe
3516	msedge.exe
3516	msedge.exe
3516	msedge.exe
3516	msedge.exe
5700	7zFM.exe
3516	msedge.exe
5700	7zFM.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe

Suspicious use of SendNotifyMessage 56 IoCs

pid	Process
3516	msedge.exe
3516	msedge.exe
3516	msedge.exe
3516	msedge.exe
3516	msedge.exe
3516	msedge.exe
3516	msedge.exe
3516	msedge.exe
3516	msedge.exe
3516	msedge.exe
3516	msedge.exe
3516	msedge.exe
3516	msedge.exe
3516	msedge.exe
3516	msedge.exe
3516	msedge.exe
3516	msedge.exe
3516	msedge.exe
3516	msedge.exe
3516	msedge.exe
3516	msedge.exe
3516	msedge.exe
3516	msedge.exe
3516	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2124	node.exe
3528	Bloxstrap.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3516 wrote to memory of 3912	3516	msedge.exe	85
PID 3516 wrote to memory of 3912	3516	msedge.exe	85
PID 3516 wrote to memory of 3360	3516	msedge.exe	86
PID 3516 wrote to memory of 3360	3516	msedge.exe	86
PID 3516 wrote to memory of 3360	3516	msedge.exe	86
PID 3516 wrote to memory of 3360	3516	msedge.exe	86
PID 3516 wrote to memory of 3360	3516	msedge.exe	86
PID 3516 wrote to memory of 3360	3516	msedge.exe	86
PID 3516 wrote to memory of 3360	3516	msedge.exe	86
PID 3516 wrote to memory of 3360	3516	msedge.exe	86
PID 3516 wrote to memory of 3360	3516	msedge.exe	86
PID 3516 wrote to memory of 3360	3516	msedge.exe	86
PID 3516 wrote to memory of 3360	3516	msedge.exe	86
PID 3516 wrote to memory of 3360	3516	msedge.exe	86
PID 3516 wrote to memory of 3360	3516	msedge.exe	86
PID 3516 wrote to memory of 3360	3516	msedge.exe	86
PID 3516 wrote to memory of 3360	3516	msedge.exe	86
PID 3516 wrote to memory of 3360	3516	msedge.exe	86
PID 3516 wrote to memory of 3360	3516	msedge.exe	86
PID 3516 wrote to memory of 3360	3516	msedge.exe	86
PID 3516 wrote to memory of 3360	3516	msedge.exe	86
PID 3516 wrote to memory of 3360	3516	msedge.exe	86
PID 3516 wrote to memory of 3360	3516	msedge.exe	86
PID 3516 wrote to memory of 3360	3516	msedge.exe	86
PID 3516 wrote to memory of 3360	3516	msedge.exe	86
PID 3516 wrote to memory of 3360	3516	msedge.exe	86
PID 3516 wrote to memory of 3360	3516	msedge.exe	86
PID 3516 wrote to memory of 3360	3516	msedge.exe	86
PID 3516 wrote to memory of 3360	3516	msedge.exe	86
PID 3516 wrote to memory of 3360	3516	msedge.exe	86
PID 3516 wrote to memory of 3360	3516	msedge.exe	86
PID 3516 wrote to memory of 3360	3516	msedge.exe	86
PID 3516 wrote to memory of 3360	3516	msedge.exe	86
PID 3516 wrote to memory of 3360	3516	msedge.exe	86
PID 3516 wrote to memory of 3360	3516	msedge.exe	86
PID 3516 wrote to memory of 3360	3516	msedge.exe	86
PID 3516 wrote to memory of 3360	3516	msedge.exe	86
PID 3516 wrote to memory of 3360	3516	msedge.exe	86
PID 3516 wrote to memory of 3360	3516	msedge.exe	86
PID 3516 wrote to memory of 3360	3516	msedge.exe	86
PID 3516 wrote to memory of 3360	3516	msedge.exe	86
PID 3516 wrote to memory of 3360	3516	msedge.exe	86
PID 3516 wrote to memory of 2096	3516	msedge.exe	87
PID 3516 wrote to memory of 2096	3516	msedge.exe	87
PID 3516 wrote to memory of 1960	3516	msedge.exe	88
PID 3516 wrote to memory of 1960	3516	msedge.exe	88
PID 3516 wrote to memory of 1960	3516	msedge.exe	88
PID 3516 wrote to memory of 1960	3516	msedge.exe	88
PID 3516 wrote to memory of 1960	3516	msedge.exe	88
PID 3516 wrote to memory of 1960	3516	msedge.exe	88
PID 3516 wrote to memory of 1960	3516	msedge.exe	88
PID 3516 wrote to memory of 1960	3516	msedge.exe	88
PID 3516 wrote to memory of 1960	3516	msedge.exe	88
PID 3516 wrote to memory of 1960	3516	msedge.exe	88
PID 3516 wrote to memory of 1960	3516	msedge.exe	88
PID 3516 wrote to memory of 1960	3516	msedge.exe	88
PID 3516 wrote to memory of 1960	3516	msedge.exe	88
PID 3516 wrote to memory of 1960	3516	msedge.exe	88
PID 3516 wrote to memory of 1960	3516	msedge.exe	88
PID 3516 wrote to memory of 1960	3516	msedge.exe	88
PID 3516 wrote to memory of 1960	3516	msedge.exe	88
PID 3516 wrote to memory of 1960	3516	msedge.exe	88
PID 3516 wrote to memory of 1960	3516	msedge.exe	88
PID 3516 wrote to memory of 1960	3516	msedge.exe	88

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.google.com/file/d/1_RVEpnP7H-42DnsVPNVej8iVxQerIpm0/view?usp=sharing
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8d09246f8,0x7ff8d0924708,0x7ff8d0924718
  2⤵
  PID:3912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,12089981959109844703,10369750528594525870,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
  2⤵
  PID:3360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,12089981959109844703,10369750528594525870,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,12089981959109844703,10369750528594525870,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2844 /prefetch:8
  2⤵
  PID:1960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,12089981959109844703,10369750528594525870,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
  2⤵
  PID:1448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,12089981959109844703,10369750528594525870,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
  2⤵
  PID:2696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,12089981959109844703,10369750528594525870,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5012 /prefetch:1
  2⤵
  PID:4080
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,12089981959109844703,10369750528594525870,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5700 /prefetch:8
  2⤵
  PID:2720
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,12089981959109844703,10369750528594525870,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5700 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,12089981959109844703,10369750528594525870,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5404 /prefetch:1
  2⤵
  PID:3192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2104,12089981959109844703,10369750528594525870,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5740 /prefetch:8
  2⤵
  PID:2432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,12089981959109844703,10369750528594525870,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5760 /prefetch:1
  2⤵
  PID:3536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2104,12089981959109844703,10369750528594525870,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3832 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5412

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:892

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3116

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5540

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Downloads.zip"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5700

C:\Users\Admin\Desktop\WaveInstaller (5).exe
"C:\Users\Admin\Desktop\WaveInstaller (5).exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:5600
- C:\Users\Admin\AppData\Local\Wave\WaveBootstrapper.exe
  "C:\Users\Admin\AppData\Local\Wave\WaveBootstrapper.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2964
- - C:\Users\Admin\AppData\Local\Wave\WaveWindows.exe
    "C:\Users\Admin\AppData\Local\Wave\WaveWindows.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks for any installed AV software in registry
    - Enumerates connected drives
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4872
  - - C:\Users\Admin\AppData\Local\Luau Language Server\node.exe
      "C:\Users\Admin\AppData\Local\Luau Language Server\node.exe" server --process-id=4872
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2124
    - - C:\Users\Admin\AppData\Local\Luau Language Server\shared\bin\wave-luau.exe
        
        "C:\Users\Admin\AppData\Local\Luau Language Server\shared\bin\wave-luau.exe" lsp "--definitions=C:\Users\Admin\AppData\Local\Luau Language Server\shared\bin\globalTypes.d.luau" "--definitions=C:\Users\Admin\AppData\Local\Luau Language Server\shared\bin\wave.d.luau" "--docs=C:\Users\Admin\AppData\Local\Luau Language Server\shared\bin\en-us.json"
        5⤵
        Executes dropped EXE
        
        PID:4908
  - - C:\Users\Admin\AppData\Local\Bloxstrap\Bloxstrap.exe
      "C:\Users\Admin\AppData\Local\Bloxstrap\Bloxstrap.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:3528
  - - C:\Users\Admin\AppData\Local\Wave\CefSharp.BrowserSubprocess.exe
      "C:\Users\Admin\AppData\Local\Wave\CefSharp.BrowserSubprocess.exe" --type=gpu-process --no-sandbox --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --cefsharpexitsub --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=6464,i,10428455819853599863,16661281151983944631,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI --variations-seed-version --enable-logging=handle --log-file=6480 --mojo-platform-channel-handle=6456 /prefetch:2 --host-process-id=4872
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Network Service Discovery
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4820
  - - C:\Users\Admin\AppData\Local\Wave\CefSharp.BrowserSubprocess.exe
      "C:\Users\Admin\AppData\Local\Wave\CefSharp.BrowserSubprocess.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --cefsharpexitsub --field-trial-handle=6848,i,10428455819853599863,16661281151983944631,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI --variations-seed-version --enable-logging=handle --log-file=6852 --mojo-platform-channel-handle=132 /prefetch:3 --host-process-id=4872
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Network Service Discovery
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3888
  - - C:\Users\Admin\AppData\Local\Wave\CefSharp.BrowserSubprocess.exe
      "C:\Users\Admin\AppData\Local\Wave\CefSharp.BrowserSubprocess.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --cefsharpexitsub --field-trial-handle=7596,i,10428455819853599863,16661281151983944631,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI --variations-seed-version --enable-logging=handle --log-file=7600 --mojo-platform-channel-handle=7592 /prefetch:8 --host-process-id=4872
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Network Service Discovery
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1288
  - - C:\Users\Admin\AppData\Local\Wave\CefSharp.BrowserSubprocess.exe
      "C:\Users\Admin\AppData\Local\Wave\CefSharp.BrowserSubprocess.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --cefsharpexitsub --no-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=7612,i,10428455819853599863,16661281151983944631,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI --variations-seed-version --enable-logging=handle --log-file=7624 --mojo-platform-channel-handle=7604 --host-process-id=4872 /prefetch:1
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      Network Service Discovery
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5100
  - - C:\Users\Admin\AppData\Local\Wave\CefSharp.BrowserSubprocess.exe
      "C:\Users\Admin\AppData\Local\Wave\CefSharp.BrowserSubprocess.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --cefsharpexitsub --no-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=7632,i,10428455819853599863,16661281151983944631,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI --variations-seed-version --enable-logging=handle --log-file=7296 --mojo-platform-channel-handle=7620 --host-process-id=4872 /prefetch:1
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      Network Service Discovery
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1780
  - - C:\Users\Admin\AppData\Local\Wave\CefSharp.BrowserSubprocess.exe
      "C:\Users\Admin\AppData\Local\Wave\CefSharp.BrowserSubprocess.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-sandbox --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --cefsharpexitsub --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3548,i,10428455819853599863,16661281151983944631,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI --variations-seed-version --enable-logging=handle --log-file=3540 --mojo-platform-channel-handle=3572 /prefetch:8 --host-process-id=4872
      4⤵
      Executes dropped EXE
      Network Service Discovery
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4092
  - - C:\Users\Admin\AppData\Local\Wave\CefSharp.BrowserSubprocess.exe
      "C:\Users\Admin\AppData\Local\Wave\CefSharp.BrowserSubprocess.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-sandbox --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --cefsharpexitsub --field-trial-handle=7584,i,10428455819853599863,16661281151983944631,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI --variations-seed-version --enable-logging=handle --log-file=2536 --mojo-platform-channel-handle=2704 /prefetch:8 --host-process-id=4872
      4⤵
      Executes dropped EXE
      Network Service Discovery
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2408

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4fc 0x4a8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2784

C:\Users\Admin\Desktop\wave_bypass.exe
"C:\Users\Admin\Desktop\wave_bypass.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5924
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  PID:1504
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start https://one.one.one.one/
  2⤵
  PID:676
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://one.one.one.one/
    3⤵
    - Enumerates system info in registry
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:4432
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ff8d09246f8,0x7ff8d0924708,0x7ff8d0924718
      4⤵
      PID:5056
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2184,785615313285414482,60579796917177824,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2192 /prefetch:2
      4⤵
      PID:2936
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2184,785615313285414482,60579796917177824,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4456
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2184,785615313285414482,60579796917177824,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2732 /prefetch:8
      4⤵
      PID:416
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,785615313285414482,60579796917177824,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
      4⤵
      PID:436
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,785615313285414482,60579796917177824,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
      4⤵
      PID:892
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,785615313285414482,60579796917177824,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5020 /prefetch:1
      4⤵
      PID:5528
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,785615313285414482,60579796917177824,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
      4⤵
      PID:556
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2184,785615313285414482,60579796917177824,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5588 /prefetch:8
      4⤵
      PID:2100
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2184,785615313285414482,60579796917177824,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5588 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5392
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,785615313285414482,60579796917177824,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:1
      4⤵
      PID:5864
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,785615313285414482,60579796917177824,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5692 /prefetch:1
      4⤵
      PID:6016
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,785615313285414482,60579796917177824,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4780 /prefetch:1
      4⤵
      PID:4808
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2184,785615313285414482,60579796917177824,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5280 /prefetch:8
      4⤵
      PID:4284
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,785615313285414482,60579796917177824,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5904 /prefetch:1
      4⤵
      PID:4980
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,785615313285414482,60579796917177824,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5380 /prefetch:1
      4⤵
      PID:4328
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2184,785615313285414482,60579796917177824,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2060 /prefetch:2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3376
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,785615313285414482,60579796917177824,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4024 /prefetch:1
      4⤵
      PID:400

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5128

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1568

C:\Users\Admin\Desktop\wave_bypass.exe
"C:\Users\Admin\Desktop\wave_bypass.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:440
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  PID:6136
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start https://one.one.one.one/
  2⤵
  PID:556
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://one.one.one.one/
    3⤵
    PID:6000
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0x40,0x104,0x7ff8d09246f8,0x7ff8d0924708,0x7ff8d0924718
      4⤵
      PID:5820

C:\Users\Admin\Desktop\wave_bypass.exe
"C:\Users\Admin\Desktop\wave_bypass.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1568
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  PID:4120
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start https://one.one.one.one/
  2⤵
  PID:4176
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://one.one.one.one/
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    PID:3008
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff8d09246f8,0x7ff8d0924708,0x7ff8d0924718
      4⤵
      PID:736
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,6966662049365318751,5395611973470530113,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
      4⤵
      PID:6108
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,6966662049365318751,5395611973470530113,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4904
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,6966662049365318751,5395611973470530113,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2948 /prefetch:8
      4⤵
      PID:212
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,6966662049365318751,5395611973470530113,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
      4⤵
      PID:2108
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,6966662049365318751,5395611973470530113,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
      4⤵
      PID:5256

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1592

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5460

C:\Users\Admin\Desktop\wave_bypass.exe
"C:\Users\Admin\Desktop\wave_bypass.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1364
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  PID:5308
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start https://one.one.one.one/
  2⤵
  PID:5256
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://one.one.one.one/
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    PID:4956
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff8d09246f8,0x7ff8d0924708,0x7ff8d0924718
      4⤵
      PID:4252
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,3472821790546037303,16416340295980305488,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
      4⤵
      PID:1404
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,3472821790546037303,16416340295980305488,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2516 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:512
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2056,3472821790546037303,16416340295980305488,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2832 /prefetch:8
      4⤵
      PID:3324
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,3472821790546037303,16416340295980305488,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:1
      4⤵
      PID:584
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,3472821790546037303,16416340295980305488,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3472 /prefetch:1
      4⤵
      PID:1400
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,3472821790546037303,16416340295980305488,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5112 /prefetch:8
      4⤵
      PID:3288
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,3472821790546037303,16416340295980305488,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5112 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1568
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,3472821790546037303,16416340295980305488,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:1
      4⤵
      PID:5928
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,3472821790546037303,16416340295980305488,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5248 /prefetch:1
      4⤵
      PID:5212
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,3472821790546037303,16416340295980305488,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:1
      4⤵
      PID:5176
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,3472821790546037303,16416340295980305488,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3568 /prefetch:1
      4⤵
      PID:6048

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:724

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping4872_1100578888\manifest.json

Filesize
984B

MD5
0359d5b66d73a97ce5dc9f89ed84c458

SHA1
ce17e52eaac909dd63d16d93410de675d3e6ec0d

SHA256
beeab2f8d3833839399dde15ce9085c17b304445577d21333e883d6db6d0b755

SHA512
8fd94a098a4ab5c0fcd48c2cef2bb03328dd4d25c899bf5ed1ca561347d74a8aab8a214ba2d3180a86df72c52eb26987a44631d0ecd9edc84976c28d6c9dc16a

Download Submit
C:\Users\Admin\AppData\Local\Bloxstrap\Bloxstrap.dll

Filesize
4.3MB

MD5
6546ceb273f079342df5e828a60f551b

SHA1
ede41c27df51c39cd731797c340fcb8feda51ea3

SHA256
e440da74de73212d80da3f27661fcb9436d03d9e8dbbb44c9c148aaf38071ca5

SHA512
f0ea83bf836e93ff7b58582329a05ba183a25c92705fab36f576ec0c20cf687ce16a68e483698bda4215d441dec5916ffbdfa1763fb357e14ab5e0f1ffcaf824

Download Submit
C:\Users\Admin\AppData\Local\Bloxstrap\Bloxstrap.exe

Filesize
249KB

MD5
772c9fecbd0397f6cfb3d866cf3a5d7d

SHA1
6de3355d866d0627a756d0d4e29318e67650dacf

SHA256
2f88ea7e1183d320fb2b7483de2e860da13dc0c0caaf58f41a888528d78c809f

SHA512
82048bd6e50d38a863379a623b8cfda2d1553d8141923acf13f990c7245c833082523633eaa830362a12bfff300da61b3d8b3cccbe038ce2375fdfbd20dbca31

Download Submit
C:\Users\Admin\AppData\Local\Bloxstrap\Bloxstrap.runtimeconfig.json

Filesize
372B

MD5
d94cf983fba9ab1bb8a6cb3ad4a48f50

SHA1
04855d8b7a76b7ec74633043ef9986d4500ca63c

SHA256
1eca0f0c70070aa83bb609e4b749b26dcb4409784326032726394722224a098a

SHA512
09a9667d4f4622817116c8bc27d3d481d5d160380a2e19b8944bdd1271a83f718415ce5e6d66e82e36819e575ec1b55f19c45213e0013b877b8d61e6feb9d998

Download Submit
C:\Users\Admin\AppData\Local\CEF\User Data\LocalPrefs.json

Filesize
738B

MD5
9cc95c80f67596c2a379b02fe9ba5a9d

SHA1
f974945fddcab669428064b13d18333ddcd3f71a

SHA256
481e20fb01fa0be2025d88eb484e853f024b01143d5fc59d42ad31354a584af1

SHA512
98c0d2fad5d5dedcbb865b1fac938a6d06f1b4adad112b15abdd7643555c3c58261b3a6d53682c070e7f90385517b69b026df698939de2bf44b975876a687ba2

Download Submit
C:\Users\Admin\AppData\Local\CEF\User Data\LocalPrefs.json

Filesize
850B

MD5
ce1a8493152ae0086e3887aa1c28d7a7

SHA1
bfcb4e73788fafe0522108844e29fa79ce544b42

SHA256
b8ad4799fd14393b6ec54e2287819e8de892263e1a158f4f530fe4df5846b058

SHA512
f469085d98a82dcbe00d2b4dc4021146493bc5597039ddab2acc59f4a40dd40ba620947c95b9f76f9599e026ae948654a9cc1726453b320d92832caddddabaf3

Download Submit
C:\Users\Admin\AppData\Local\CEF\User Data\LocalPrefs.json~RFe5d3098.TMP

Filesize
529B

MD5
431c63dbcbc134c395ef02b574b7ba5d

SHA1
ac1b05f108b2f954bdbba9b567631a2d4f1de14b

SHA256
6646e250c89d096fb0898b96f2992973b3b55306f1131101e6b262ed0c39408c

SHA512
167c187f5d58d795cccad5ee0a5963e2947ae6a9e1cecd47112f8fa55fc27330713ff00ec5bd0c95becfb53ff5e41425ccaecc74629ab88dbf0bb7a6bcf6f1d8

Download Submit
C:\Users\Admin\AppData\Local\CEF\User Data\ShaderCache\data_1

Filesize
264KB

MD5
d0d388f3865d0523e451d6ba0be34cc4

SHA1
8571c6a52aacc2747c048e3419e5657b74612995

SHA256
902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b

SHA512
376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17

Download Submit
C:\Users\Admin\AppData\Local\Luau Language Server\server\index.js

Filesize
6.1MB

MD5
6b1cad741d0b6374435f7e1faa93b5e7

SHA1
7b1957e63c10f4422421245e4dc64074455fd62a

SHA256
6f17add2a8c8c2d9f592adb65d88e08558e25c15cedd82e3f013c8146b5d840f

SHA512
a662fc83536eff797b8d59e2fb4a2fb7cd903be8fc4137de8470b341312534326383bb3af58991628f15f93e3bdd57621622d9d9b634fb5e6e03d4aa06977253

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
32a8febe330ef063faddf03b3173fcf4

SHA1
d260f0a2bc5e61d05517542aa26e4c9cef8d6290

SHA256
135133313aadf846381edabfc3c51987f9d213f694e08f60c74d3fe1c5f844ec

SHA512
901f688803a021644a0ecd31b0afd03107b39f1a73370df9f9b9c02c6131162373b1b021b98cad05e0857e4df3401bfcdba840bb588db8347d9f39de1d1c4934

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c00b0d6e0f836dfa596c6df9d3b2f8f2

SHA1
69ad27d9b4502630728f98917f67307e9dd12a30

SHA256
578481cd359c669455e24983b13723c25584f58925b47283cb580019ef3142b1

SHA512
0e098ab5f5772fec17880e228a0dccbbaa06dc1af14e0fd827f361599c61899fe07d612a7f7b049ff6661d27fdc495566dd20fc28ceed022b87c212bf00be5da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
83bf219a51dd06c1c7b1fcb26aaba79f

SHA1
bff00aea897d1883971b3a5de02968bc50ed0629

SHA256
ca83e4dd4f5e5b145b8d9587c6d496be012338eb26173463f860fe9727fa47ca

SHA512
671ec43b86af2a8c0502f34d5a0dfe80ce28e48b42f8041dc2e247de87762e5ff49eb5196ab83ca238fbe3a7c79d229dc901d3d05974b3d06ab0a99f43b8c324

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
54f1b76300ce15e44e5cc1a3947f5ca9

SHA1
c978bfaa6ec6dae05464c6426eaa6cb3c3e2f3b7

SHA256
43dec5d87b7ee892a3d99cb61f772ba403882ac0772423f36034e84244c1ca24

SHA512
ac26e5676c675be329eb62b5d5a36a0e6014ab8a6366684b0fc2a59ae5f061f596f462b82eb4e9f135d2235a0cbd4af96680d234eecc873a8397fd81507d277a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3c9b72b9d96bc368e3057e3e959dd1b8

SHA1
0af03d309c36fa0cf19d35cdccc425ecaa014115

SHA256
f62af33783aee1e2479a5a1f92e0bac4b2ff985d22fc1f07976d416d3d751680

SHA512
e7311c1b5d713f667b1e59279be878455b4347f0dd46e21d6165df3db9431e0eca7c65eea031979493281318f39c1600816b706dbd26513bf1583505b8f1f93c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fb314b1c618f3878657891ef9c30c5a3

SHA1
caaf335cdd93521a1225988f76d786231721e31e

SHA256
cf58303edf35c6798cfd7504b7a1db944f9819bd1d4dcfde94f85d6e94f34295

SHA512
0ddf7d3c5482931eb2fb066dc92e01c96e68bd1663ac70922799363c216b7bdaacb12ef8d591b3f2b79718a33e9cf5c7c0c21b9dcdfb6675352654c6c659ec35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_0

Filesize
44KB

MD5
b75fc87b569c4b83f5651fde21021294

SHA1
66e26f3ace0671c7bdacf30f44dac979c4d3a649

SHA256
0a3212432190a6231c187327b474a16c82f24c0e463261b812198ceb34ee6042

SHA512
7ac2403c5a7a694de0594a2bf0fa944e59504c9fdaa9ac0f0aabb052b3ca4347a62aacbd68991aadf4dccee74b3f0e4a979f12c6e8241f93f42927f18260db37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_1

Filesize
264KB

MD5
b9283ccb5a115dda43bd074137a4f0c4

SHA1
04c92698f9ea45e567b6b18a7716b5087e3d85c4

SHA256
ea27d8139203b2a15252207bcb9a12cb5ecec49a9ff944f86993cd6334247a93

SHA512
f712beb7fc599711c1a96312e7868cbf2fc429f903303ce0dff95d33e8e49b0467f2aefee904b70f0377a85460f833f6a8457605819df8cf5e33226c975b60e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
432B

MD5
25d5b6ad3ae766cd2007dd86cdd01bf9

SHA1
d51941afb9a390fda36a78ae4474043be0ea2446

SHA256
58e1fd93a419a795a0835c29ec451b3deefe0c7fa7d910073da5d2e4ebd38f2c

SHA512
d153b4c1162d65dd1d14c72cfa1ec00f65c3647ad17a1da58827805b10d5b774cfabe4971504c7cb4dddd0e6c4352bac7df47c0679b144fd92273b2603518007

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
408B

MD5
599dd90b42c90a49d22c7bc277f7e568

SHA1
67ec34877be5e98b2c9e596cb66a8439cc697d34

SHA256
cd5bcf16e0d11d0707f486a97c01c92996b0c03029fe183493aa93101b7a1bf2

SHA512
82572cea2f5f35a2a5b43fffaed149ec40432f1a9d4dbd535f0c2f6e743683ddb8f089e4f5da804f72cecbfef5995ad6259a98c9ac6710949b3ba98fabc191bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
432B

MD5
0049fb740b26daecd01736e35f84d5bd

SHA1
a72538f6d84981b6fde88a47ee94d4aae9ddee17

SHA256
3c48248cf48af1901a604b8b3d9a9fb7d719e2f3991f60d309565cd57c6c7c81

SHA512
58885afeb8dd4fdb5c05495ad22ed768741d944f78476584923a555eda7decc3252ecf3d3b605241837f83d6dcbe2ed51289a69dfd110d0b8aea4ad6714a55ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
432B

MD5
6ebadf982adf17f59563d564a95556e3

SHA1
a86ad6f3fd071cdfb3f48b54a0515b7f702ee797

SHA256
b1bac4a8df26d2b28aff64192c732cfb397818dd40b21507542b8ebca32543be

SHA512
53d352e3c45819a3197641ea13168a4666796316041138b2a23090fafb494425e6c25361b33cc420e03499c4e53bc40713105a3655b398bf5f5285d90d136086

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
432B

MD5
72fe48a0af4cd85f7b1448877dd7177b

SHA1
28df8e207eeafb776629ce9f59c51f97140d6de3

SHA256
e181262e78dc1e04ac9df13ebb807c7e834cc839ae9c08722fa580105014552a

SHA512
86dd36186fe63da06837a1c2c902083f72d32dd12abaa5ef8879a3ca70fb91739ea08eb270e4d7392bc5b5e27851c86a81ac187f52f00aeceac66c1dc85f2179

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
4e4d8d188cf9ef6354dfed754d252aeb

SHA1
a9f56427f62367838e50e319303c0a58106b571c

SHA256
e3c59aa0cade53cdaf860b2d231234ab69b1431516f3d130dcfdec7363abacf0

SHA512
30cc8f446391463573f801c78ce35a687ae276ca85886e7185c745715f8875fdef1867d7b013a79b6af62562084738a5a436224e069f0c39b279269595c02408

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
091db5346ba6dc3fc7cec2e2ab90e1a6

SHA1
6919367d084f8e3c2fea367732424449f1545f01

SHA256
59b9e580ca62aaaf376e728f2fe6caa5c984290a39baa8469e22b448406a4dcd

SHA512
e0339ac0915f2bf25851bbacd4a56ef45683e6138cbf79ef167de4aa0bd1a13d54250c795961a49e370d369ab26e7eab5f7cf07fd479a1ded0dead3db13f1f76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
49e728f0b334fec0f21881a6e8e2bf02

SHA1
ba466fccca9d7deaa383f1bd4cc15020ace550d9

SHA256
8847d6f8f0c981b26b6db9e1dcc01792b65c1438bf40af99d7affb34d7f5027e

SHA512
629e80797e1b5f1ba2be73e14fe636feb32f64a91776b890d81028beb1770583f478ff38bd868785ef9c51185a31cc4a5c967af23c266446f2e0fb19d28dfc51

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
3670387b47011ebc7d4fe10766756e78

SHA1
88966a6e9b77d94a2000a751f13cec7915a1ae49

SHA256
ee2dc381a05013e7762944147a6274917185626d93758b8fc34b1934b061203d

SHA512
4c961ece938ab4bf337d6cfdaec47fe0f834df63cbad50058213a2a90e2879d90d5f4b6a915caf8ad40569450f5feb7355d618e07657846df66cb23ba1a06105

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
9696ee26a1a0e082664e2dbd2e647369

SHA1
003b2b5a81f7984c0a3764700ca859e203e981c6

SHA256
8ede83de48eec7c8f117cc95fbc1df8c05e46a4ec1144fd8fd73bc615b6d949c

SHA512
28c1a318efb396c72ff1db8c547f8e4c0339421fb667d896e46915dc608cdff72d59290cea2a15d65b6dd06fae6a0fdd9a40475019511661261d70fe7d19bd0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
dadfead0f6876138611a4fed3f99a9d8

SHA1
0e4bcc9bcf0cf58462ef34e4582147f3c00f7a5d

SHA256
3bb4cccfe2d5a7559047dd971b992eb49ab826b87ba1b3ab3596b8d1870bfbe5

SHA512
114898f8d042413f346bf803274bb55a96a32a4df65890e571877e33863ce64310829d8e12074967a114424daba9301182737ae5f0d6e0dce6ace8599198dc79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
5dd887a1177cf31f2a1b112de30c0895

SHA1
fa54bf40d548e0fb7d0bdd301a3d26060c982dcb

SHA256
751fdfd0d8295f7050940169c2c29317113ef821f11e80afe03a51cad65ee1f3

SHA512
5b27cd8127cf8a573b3a5b6a8c8e83d367f6f95047631706402e7f33fdcd6f46ad683e9ee83492a97052a522e57447effee94608188554ff4f9997e1dbe521e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
e41730de489ac581af2399d4bcf37ba5

SHA1
9d21196716891d786a6fcdb662dab3a3bbef7ab4

SHA256
a2625ee6835fadfa3a8a42335ac665a85e6c7c8e7c639d02820e8295f7c24ec4

SHA512
97f1090f2b1f1c68d54f7611ad96c6c05225876810acefc1c31b63371157f0b71afd30481c50fe35e098c4da5f2acc4009f3af955a6283ef508b5b34060aa7ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
81534f1330a30ee88874b1b70af8381f

SHA1
9d380dc31c86dcd9efb153165017b2c631492ae7

SHA256
2533571931354430f2374a7eabfefa81fe904bf8075b35ba950a89b8ff52cc43

SHA512
0cec99491855fda842bec9acf0f2c60487c33f81744b65d31dc04e1f1020a6b50b6c2943eed6bcb2050b65079bcc8256a7f5e260b9e713703bb41d5076aec4b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
d5cd33497e3841efecc5df17f83da6fc

SHA1
a2360daf6f343d4aec633736dd10530a2555b039

SHA256
1be7860930f1ddf89f940c2db7bb4df955ef789124c08c0e358a362aa037deff

SHA512
99c234d1ae721b6ac2e2fc72d6473fad81c3c82a64991b9662e6ddcc3523968f87430485f0be88fadfc6b06b39c9f9b5a8a9ed4555eae407c26846e1e70efef9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
6d2b322a21d42867d94f4810190395aa

SHA1
1d9a6047499ef89e6fbbaccdf172e13c7a9fe941

SHA256
0e0c7bc3f90305442afcdc6eca4aa7811c388bc7b6e72cc69d8857638679c85d

SHA512
49bb7ca22d13c1c698708f929a62c17c8eb00881e6442078b3c9fde2defbf00b2df50c810b5774dee126f8f4136f932a54b6810586664617aaa782baaddf6a04

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
b7893ec97cb6ea2590af6f8597a68e69

SHA1
cda823f2ff638c427aa93b0786a2e7302015a071

SHA256
282039dc1b336b90c19317fd22826b601bc625dd1e8f1fe7544b3300a12cf644

SHA512
a7b614e752a2ee29e5e14fb66bb7177ce4d7423346d5743033b591044cd8e9cc78d3cf707649abb4af4f2a5ed5db4fd4111b710718cadcb852974910831f391c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3b324c1daa8e1c0d4b14a1eae408b2c4

SHA1
436db9a8bbc66cb92cfd6466ccb28df19f2b9fa1

SHA256
d4917aa0cedd7cc1856ebc41bbf38c428e3f5de9e53f39319920510d69a105f8

SHA512
703e16f48b070a524d43f932c66705154da14b581795fb955ea8a942ceeb4305c75f42ab7705332229ea3dd6984f20a99a34e76f47ef93f4567010c21d45fb3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
6c9529332a56f407032efccedc08ff48

SHA1
a50b175992db43fcaae3f848c86fbb5b55fdb51e

SHA256
16f3389c413da82ef3cb88558b5d6597dfdfd326b36eed41f32a2d28ca8f861b

SHA512
52ad5faa478c37ac5dc1f8613d0e19f7fdaa2b1d3c41e798e243abf518d86406d4b15a09855519786e4e7e3c488d0e3997c30e65ca99e7ebad002839530e6a06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
871b6f46d10726c27da6e01873d7799d

SHA1
72ba3f53a0dbafe3544115c0ed583263c1c221e5

SHA256
b535e671db420de3cfe30d54c6ce96155b47bea67e48f1ab530c176825434c23

SHA512
adfb59f9bece7dffc6ea10e1a9083ef7022dcf40682b19dc83440d555f04b118a55710494760e64640782637283e11684094f3e9ab6434f10e2509f54dff5cf9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
e2c8db1fe58af030ca27c215b75a4aa6

SHA1
fd379205e4fd748deeebffef25ca2dbc3bd5afd8

SHA256
c033e0995e6ce89a7df25aea5d72aa5ce2b6d884a89a3a6641fd28c99de946bc

SHA512
f2f770d8858580a626a0d14ef60d09a01f8e62a0d843d6b51352dd6b61078904ca0d2c6b1e9bc685300973aeca1c56c44e6107dfec90f372f6bba735fa6ea52d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
376f812e4d9b0e6e1cc32dd2b046168c

SHA1
28351131d4c582af473a823d32ba74e3da468df3

SHA256
f8e99bb2b596650cef97a023d6b216eba28f1deaf8ea8e126dd66b14c7156e1e

SHA512
181c04a002e20db4bb7e99032dd95027f7d54d77be8fceb6168854e7a5b531f38a40bddc642784a2a781ac650e589dae9443bff4fcd41d36acd0f42236bee786

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ffe8499d39f438960b794d08f7e9ae37

SHA1
2657802c6d2ac588443819f0a9ff791427a2adc0

SHA256
cf6955cd52c0afaaf5ed49e44fb54f450b2e3965a73d199ef6a3cdb98c9a1722

SHA512
e8bc16b14424a414064dc0b8071174afea4473936419c0f1eecd63d47f19d70277db5de7ea2f8ff7d31070e797097e6ca539cfdc91885bab6a5a6d961b27f8f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
82d0bd0b2cc1e2ccccaa0b030cf57cb6

SHA1
219c9620ce502366daebc11b202f91f7fc50a6be

SHA256
2177f21127141e481f3124d4bce3066bb919edc06b53f5b04462b6d55d85e7de

SHA512
ff1156f1b7f4b831d7bf268e8a896b06a0df4b71995c74771f4b3e539c7a7a1912614749145db34aae25d61994636fd83f48898c51545dcf8e8b7f4dc40a84a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\bfbefd26-3f51-4071-ab1a-84fa7eb15c17.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
589c49f8a8e18ec6998a7a30b4958ebc

SHA1
cd4e0e2a5cb1fd5099ff88daf4f48bdba566332e

SHA256
26d067dbb5e448b16f93a1bb22a2541beb7134b1b3e39903346d10b96022b6b8

SHA512
e73566a037838d1f7db7e9b728eba07db08e079de471baca7c8f863c7af7beb36221e9ff77e0a898ce86d4ef4c36f83fb3af9c35e342061b7a5442ca3b9024d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_0

Filesize
44KB

MD5
c7db3afa5ba3cc896cf0f8fa91c3cfe2

SHA1
5fcfdc06001a9e622e4964c25be89a3a1cd3082f

SHA256
30e4c3ea8297bfb387ea1586ae35668cb18bbf67d579be9aeac1470bb358b954

SHA512
de1546a869003ed3540c9afea2aa09508bede60335b3adc72c4b9522d20ba6931e596a8f79fabbb04abe4ee2963112cff207869808a482716893c3ba8b81f09c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1

Filesize
264KB

MD5
df572f2f19feabb14fcaf0605fdc58b3

SHA1
53d833afdcbb98ef49e0e881f9d5b3cf48ccdb92

SHA256
d9e4a9c11117a62840ec3b838a20039e1bd7ff206c41f0cd2bdb01f6134f1334

SHA512
6cfae648fa5159951fb13a1eea26643f20dc8a2a26e5c3ccd7d5420724a942e8b1290d31b5d5bf63770f582dfc15266188ffe1f6c6129adf03a4ce7de1601662

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
2f4245a191d7ce6c7be71cf9e1b3b7d5

SHA1
3c18d94ed3bfff685f761c3e4f77504d3984b00a

SHA256
0b44550cd9b13a9e96f03978190723de3a44b641fc7ad934dc536130ec2add57

SHA512
653e34df1e77b8dc713e28a0c6fa4fead15d7fb9b4098c6ac4c63f100ac96774868a3288b6de6e3ee7bc7c67c8f9335c0bf89eb3d79053d9133e301d9a356958

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ab49329e5699bf3e15024564b5eb6d93

SHA1
a1d76301268909307e8a58a26feb4f9d7ff8f306

SHA256
307db06919f663727d2ad931b6d36d31a283f8c50a96bb9e5a4afbec0b87eaa1

SHA512
f801d288bbd4d7e7306545b6fcb0dcfa09fcad1e130e8372491c52f3441a818583f67a63f694df440c3801bac41c7253ddeb29a951cbf8c31fbd082e43387beb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
6755bd13f2a1de66e4a350e94aac032e

SHA1
7e373cb756e29836c3b1309eb43232b093cf3f01

SHA256
b2c830bfa1212652c98553937fb22eff81996d38857e331f08238e548d337180

SHA512
8d7794e0ae75889798183292ee5882f3a4af6b2d1a09b3531e825b8e1dd30b14ffeaaf67fdde8673af9898e7f6ab8696e309c2d34a64fb865cf0730e96db775d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
077ae7ede42ef65a796ef52532f1249b

SHA1
80c1f96b002bfd39e64553404ea823b910a87d36

SHA256
a4f0d531fca52358945ed85937e1b23f89d185114bb87f1f4cd6aa5de7b11502

SHA512
6d4ccbd53dc68d9e807b69b5479b3c7811d4f8baf02d105d2cff4fc77343d6a89c3c2d8c0aa4eb832b7ba9ab8d184460ab118f70d813f12ecfe068c2a86e1a57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
e11b84bd00ec578da9fe8908d52038b6

SHA1
7956a6b969d43832a186078198c743fbd7042df8

SHA256
af0e5ab2787becfa8adb9563494b29efc67b35750c502c4e713ffbe41495ebf6

SHA512
157ab253b2b697e803af8f0e4f59d9c3afeaf6d5b37178ca75926550edf1cb61ae48ca3c51cdea4b65c869ed9c20ef5dfc39830bc79131d692e96a019c64ced4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
8ec0d967a1a271415ee22ff4a7cc5ca9

SHA1
8475af3e279d2b3796b883f68f4d0b7b4bc98f83

SHA256
b7b8c65bacfb7274ba4875b01cd63dd330fe469f68b9f61801bf435aba4aa966

SHA512
111d5cd74087c010ee6c9079e29cd012bae0997fb988a5dc189e6775e32b38842d0fc640579f908afe31623f1957837d6380dfdf641c5ead571a443647240e7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
f7e88d96a1f041a745e18328ddbaba0a

SHA1
26eab6b927b888bf87b6f2ce069179c3ceeb8808

SHA256
146c1e356309e122b3ef0145f6d0d7ade5bc596fedb7fdb05326f98c0c0db891

SHA512
7b036e3c2a1523583568e711cceec30e34977470f9d1b4489cbfa2f6a3708c672b12974d4ad77cfe88f2c54ba475e60a71666aaafbc400b233b51172d58350de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
896KB

MD5
3f05c4104136fccfd74eddc0f1a8fc11

SHA1
0f84faca66da1bdbece28ff10eaef52d0dd460d7

SHA256
5c4e03bb71b2b9e4e4842c35a9f9e8242af81d5b051c1c4992a335bc4e12106c

SHA512
06bdd967b12f8edd38391a6eb463c7b19a89dcc651411b67270e2e2cd4492c8c49541cb9b6596d520e912802d97a73900415c0878f9af5dced2fd8260d27469d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\23f7284c.dll

Filesize
10KB

MD5
d0b0669374e69be483c04e0bc7c18caf

SHA1
33dd016fe5ba76ae45c1444a6defa1f5afbd0556

SHA256
c9e3daa7fe44f7599826c93286956b10c452ae5344264b2c751efbd5698f32f5

SHA512
13695a52101da7858acbf2bc26e8d711105e0bcc83f9f8787622a134427ace971f93cae4801b2c7e875b5272795b987cdc9bde06e4b59822dda9e8febab6c529

Download Submit
C:\Users\Admin\AppData\Local\Wave\CefSharp.BrowserSubprocess.Core.dll

Filesize
915KB

MD5
100c32f77e68a2ce962e1a28997567ea

SHA1
a80a1f4019b8d44df6b5833fb0c51b929fa79843

SHA256
c0b9e29b240d8328f2f9a29ca0298ca4d967a926f3174a3442c3730c00d5a926

SHA512
f95530ef439fa5c4e3bc02db249b6a76e9d56849816ead83c9cd9bcd49d3443ccb88651d829165c98a67af40b3ef02b922971114f29c5c735e662ca35c0fb6ed

Download Submit
C:\Users\Admin\AppData\Local\Wave\CefSharp.BrowserSubprocess.exe

Filesize
7KB

MD5
516ff62b2e1f4642caa954c0968719e8

SHA1
e349d0ce82e2109dd0d18416d9cf46e8411b7f15

SHA256
19da58849cec5933860116e60a1e94b08e30d90e0f955768270b47998d612045

SHA512
7aa4a0c87b29c2a84f585a884d8208fc2352a43f2cdb549c100e3b121837ad5f8dadb1101f57d1d3fcb7ebec9d9f22e07dc14239b7d2e2d25793c999becf288b

Download Submit
C:\Users\Admin\AppData\Local\Wave\CefSharp.Core.Runtime.dll

Filesize
1.3MB

MD5
09cba584aa0aae9fc600745567393ef6

SHA1
bbd1f93cb0db9cf9e01071b3bed1b4afd6e31279

SHA256
0babd84d4e7dc2713e7265d5ac25a3c28d412e705870cded6f5c7c550a5bf8d5

SHA512
5f914fa33a63a6d4b46f39c7279687f313728fd5f8437ec592369a2da3256ccff6f325f78ace0e6d3a2c37da1f681058556f7603da13c45b03f2808f779d2aa1

Download Submit
C:\Users\Admin\AppData\Local\Wave\CefSharp.Core.dll

Filesize
898KB

MD5
1bb24b22d9bd996c038d26b600ed18a8

SHA1
c2629a8a26c9c0969501923f84874838087cca2b

SHA256
944b987a0b677d354e24ee15bba65f73b0f051338f576234a975a49493399873

SHA512
38578e0d1a39ccc9851ff80d3a0f5342a34303229e2898c3ca32dad11017d4277720f54b472c2f1a0b73f47d5ba6352aa7be8ae2ed72b3b25a01dd8292591421

Download Submit
C:\Users\Admin\AppData\Local\Wave\CefSharp.Wpf.dll

Filesize
114KB

MD5
ceaf0bad83fac8ce71853cd820e4ed9d

SHA1
4eed686fbba7d4603b596fb8e494b8f452a05886

SHA256
eaced1f76adb8ee756033baee29a47b1f4d4b657ebd105a7e25c8dc4fbc48cba

SHA512
4ed3f83e797eade8f0d1c6b80ce49d18f00daaf5d69421a4920e3cea2e7d78c3622193ca65b6ab1dab14c57e7f893a7b1edb27b83f343ea4df731d80aa21ff82

Download Submit
C:\Users\Admin\AppData\Local\Wave\CefSharp.dll

Filesize
272KB

MD5
9ca06a8f9e5f7239ca225ab810274023

SHA1
e1a219f567a7b7d3af9386df51b14c76e769c044

SHA256
5fd00ae3e83e6ca156647ff6df87b49ffc7cad47c23fe3ae07c067c5adf6f74a

SHA512
430c9bceed5439b987d5bd4840cfe32411ca61594f18597aca1948aa39a22c9d70beadf3bb9b1dd0373f81a94a25dcba17fa8e8c73abf06cba28d0971d5614c5

Download Submit
C:\Users\Admin\AppData\Local\Wave\D3DCOMPILER_47.dll

Filesize
3.9MB

MD5
3b4647bcb9feb591c2c05d1a606ed988

SHA1
b42c59f96fb069fd49009dfd94550a7764e6c97c

SHA256
35773c397036b368c1e75d4e0d62c36d98139ebe74e42c1ff7be71c6b5a19fd7

SHA512
00cd443b36f53985212ac43b44f56c18bf70e25119bbf9c59d05e2358ff45254b957f1ec63fc70fb57b1726fd8f76ccfad8103c67454b817a4f183f9122e3f50

Download Submit
C:\Users\Admin\AppData\Local\Wave\WaveBootstrapper.exe

Filesize
949KB

MD5
8fb51b92d496c6765f7ba44e6d4a8990

SHA1
d3e5a8465622cd5adae05babeb7e34b2b5c777d7

SHA256
ab49d6166a285b747e5f279620ab9cea12f33f7656d732aa75900fcb981a5394

SHA512
20de93a52fff7b092cb9d77bd26944abed5f5cb67146e6d2d70be6a431283b6de52eb37a0e13dc8bc57dcf8be2d5a95b9c11b3b030a3e2f03dd6e4efc23527a6

Download Submit
C:\Users\Admin\AppData\Local\Wave\WaveWindows.exe

Filesize
8.0MB

MD5
b8631bbd78d3935042e47b672c19ccc3

SHA1
cd0ea137f1544a31d2a62aaed157486dce3ecebe

SHA256
9cfda541d595dc20a55df5422001dfb58debd401df3abff21b1eee8ede28451c

SHA512
0c51d6247e39f7851538a5916b24972e845abfe429f0abdc7b532f654b4afe73dc6e1936f1b062da63bfc90273d3cbc297bf6c802e615f3711d0f180c070aa26

Download Submit
C:\Users\Admin\AppData\Local\Wave\bin\Background.mp4

Filesize
4.6MB

MD5
9782180eb68f73030fe24ef6a1735932

SHA1
589827fe098ba048c9f871a28db8eae3e3537ff4

SHA256
3a1cbb800f8f25c2ab703ba8bfdb01e938e4143c3bc0fea8ca734fb5ba779ba7

SHA512
dc768638bae2d6d47d8910252ae64a656d8a6fd88efdf24165ddce51b7afdb4acb3fddd41dfe788737a2cab4fab66174db2f0d2f48bc8669af76d1656bca8be1

Download Submit
C:\Users\Admin\AppData\Local\Wave\chrome_100_percent.pak

Filesize
667KB

MD5
ae195e80859781a20414cf5faa52db06

SHA1
b18ecb5ec141415e3a210880e2b3d37470636485

SHA256
9957802c0792e621f76bbdb1c630fbad519922743b5d193294804164babda552

SHA512
c6fef84615fe20d1760ca496c98629feb4e533556724e9631d4282622748e7601225cf19dfb8351f4b540ae3f83785c1bcea6fe8c246cf70388e527654097c1c

Download Submit
C:\Users\Admin\AppData\Local\Wave\chrome_200_percent.pak

Filesize
1.0MB

MD5
1abf6bad0c39d59e541f04162e744224

SHA1
db93c38253338a0b85e431bd4194d9e7bddb22c6

SHA256
01cb663a75f18bb2d0d800640a114f153a34bd8a5f2aa0ed7daa9b32967dc29e

SHA512
945d519221d626421094316f13b818766826b3bedddab0165c041540dddadc93136e32784c0562d26a420cb29479d04d2aa317b8d605cd242e5152bf05af197e

Download Submit
C:\Users\Admin\AppData\Local\Wave\chrome_elf.dll

Filesize
1020KB

MD5
7191d97ce7886a1a93a013e90868db96

SHA1
52dd736cb589dd1def87130893d6b9449a6a36e3

SHA256
32f925f833aa59e3f05322549fc3c326ac6fc604358f4efbf94c59d5c08b8dc6

SHA512
38ebb62c34d466935eabb157197c7c364d4345f22aa3b2641b636196ca1aeaa2152ac75d613ff90817cb94825189612ddd12fb96df29469511a46a7d9620e724

Download Submit
C:\Users\Admin\AppData\Local\Wave\icudtl.dat

Filesize
10.2MB

MD5
74bded81ce10a426df54da39cfa132ff

SHA1
eb26bcc7d24be42bd8cfbded53bd62d605989bbf

SHA256
7bf96c193befbf23514401f8f6568076450ade52dd1595b85e4dfcf3de5f6fb9

SHA512
bd7b7b52d31803b2d4b1fd8cb76481931ed8abb98d779b893d3965231177bdd33386461e1a820b384712013904da094e3cd15ee24a679ddc766132677a8be54a

Download Submit
C:\Users\Admin\AppData\Local\Wave\libglesv2.dll

Filesize
6.6MB

MD5
8803db5b167fb5a5f8a8c595c4e4d7c6

SHA1
7fde861151f3bea66c65b6c2487a30728048811a

SHA256
52a58d25a41f4bd31cdb4a0d306217862e04ebf7c1925cc85330054a5523d719

SHA512
2fa9a0eda221982896e41eb387b5e156198615ac1a1fbac0acffd13008919368b41a240df416c1fce2e48c20a14cd7af7cca9fba476ada5e64a0cadde84a44b7

Download Submit
C:\Users\Admin\AppData\Local\Wave\locales\en-US.pak

Filesize
456KB

MD5
4430b1833d56bc8eb1f7dc82bb7f4bc9

SHA1
dc15e6306625f155683326e859d83f846153c547

SHA256
b44ddcfac9df4934007e6c55a3c7f5e7f14c7e5e29f35c81de917fc3b22aabbc

SHA512
faf93bf371b2a88c1b874a5e2c54e4487fd152ad19c2a406a46f55ae75ecd421a779888c2e4c170857b16bfb5d8744bc1815a4732ed50b064b3cbd0c5ffad889

Download Submit
C:\Users\Admin\AppData\Local\Wave\resources.pak

Filesize
8.0MB

MD5
4933d92c99afa246fc59eef010d5c858

SHA1
98d443654e93c73dd317f9f847f71fba3d5b3135

SHA256
62f4674daa15245ee081920b8ee191e72f36ca8fe24f6b986a832f45676915b2

SHA512
a3a69523c8e7310716daeebc06c2ba4fce673eccd1958e824ff179b82f4502d0ec095190179bbb387342e4150f952ea7533182fb6ba90377d17dafba8f4da623

Download Submit
C:\Users\Admin\Desktop\WaveInstaller (5).exe

Filesize
2.3MB

MD5
8ad8b6593c91d7960dad476d6d4af34f

SHA1
0a95f110c8264cde7768a3fd76db5687fda830ea

SHA256
43e6ae7e38488e95741b1cad60843e7ce49419889285433eb4e697c175a153ab

SHA512
09b522da0958f8b173e97b31b6c7141cb67de5d30db9ff71bc6e61ca9a97c09bff6b17d6eaa03c840500996aad25b3419391af64de1c59e98ff6a8eac636b686

Download Submit
C:\Users\Admin\Downloads\Downloads.zip

Filesize
27.7MB

MD5
a3afaf6a35a8d9f498621f099b954340

SHA1
ad4fec23fabf5f48b0f87bd570d9458775688b5d

SHA256
369098d40c02418c92dc54f4350820b810004e1834f84aea05f50b992fb0fc99

SHA512
8b6213d25930e6480289ccef1adb5c6c7dc2ae93c31244dd538eb23adabe527df6a77d5a288ba5070177d0f988a0cf652a4378e2c4d80642a810616b93d6206c

Download Submit
memory/2964-489-0x0000000009610000-0x0000000009626000-memory.dmp

Filesize
88KB

Download
memory/2964-490-0x0000000009650000-0x000000000965A000-memory.dmp

Filesize
40KB

Download
memory/2964-488-0x0000000008910000-0x0000000008A14000-memory.dmp

Filesize
1.0MB

Download
memory/2964-486-0x0000000000160000-0x0000000000252000-memory.dmp

Filesize
968KB

Download
memory/2964-491-0x00000000096F0000-0x000000000970E000-memory.dmp

Filesize
120KB

Download
memory/4820-608-0x00000000006F0000-0x00000000006F8000-memory.dmp

Filesize
32KB

Download
memory/4820-612-0x0000000004E00000-0x0000000004EEA000-memory.dmp

Filesize
936KB

Download
memory/4872-497-0x0000000000F70000-0x0000000001772000-memory.dmp

Filesize
8.0MB

Download
memory/4872-510-0x000000000C400000-0x000000000C754000-memory.dmp

Filesize
3.3MB

Download
memory/4872-587-0x0000000019870000-0x00000000199CB000-memory.dmp

Filesize
1.4MB

Download
memory/4872-583-0x0000000019780000-0x0000000019866000-memory.dmp

Filesize
920KB

Download
memory/4872-579-0x000000000E920000-0x000000000E96A000-memory.dmp

Filesize
296KB

Download
memory/4872-558-0x00000000113C0000-0x00000000113D0000-memory.dmp

Filesize
64KB

Download
memory/4872-559-0x00000000113C0000-0x00000000113D0000-memory.dmp

Filesize
64KB

Download
memory/4872-540-0x000000000B600000-0x000000000B610000-memory.dmp

Filesize
64KB

Download
memory/4872-575-0x000000000E8A0000-0x000000000E8C4000-memory.dmp

Filesize
144KB

Download
memory/4872-549-0x00000000113C0000-0x00000000113D0000-memory.dmp

Filesize
64KB

Download
memory/4872-498-0x0000000006210000-0x00000000062B0000-memory.dmp

Filesize
640KB

Download
memory/4872-503-0x000000000A9A0000-0x000000000AA52000-memory.dmp

Filesize
712KB

Download
memory/4872-509-0x000000000BE40000-0x000000000BE62000-memory.dmp

Filesize
136KB

Download
memory/4872-618-0x0000000020EE0000-0x0000000021066000-memory.dmp

Filesize
1.5MB

Download
memory/4872-524-0x000000000B7C0000-0x000000000B7F8000-memory.dmp

Filesize
224KB

Download
memory/4872-525-0x000000000E370000-0x000000000E89C000-memory.dmp

Filesize
5.2MB

Download
memory/4872-526-0x000000000B6E0000-0x000000000B71E000-memory.dmp

Filesize
248KB

Download
memory/4872-527-0x000000000BDC0000-0x000000000BE26000-memory.dmp

Filesize
408KB

Download
memory/4872-528-0x000000000C1B0000-0x000000000C1B8000-memory.dmp

Filesize
32KB

Download
memory/4872-544-0x000000000B600000-0x000000000B610000-memory.dmp

Filesize
64KB

Download
memory/4872-547-0x000000000B600000-0x000000000B610000-memory.dmp

Filesize
64KB

Download
memory/4872-546-0x000000000B600000-0x000000000B610000-memory.dmp

Filesize
64KB

Download
memory/4872-545-0x000000000B600000-0x000000000B610000-memory.dmp

Filesize
64KB

Download
memory/4872-543-0x000000000B600000-0x000000000B610000-memory.dmp

Filesize
64KB

Download
memory/4872-548-0x00000000113B0000-0x00000000113C0000-memory.dmp

Filesize
64KB

Download
memory/4872-542-0x000000000B600000-0x000000000B610000-memory.dmp

Filesize
64KB

Download
memory/4872-550-0x00000000113C0000-0x00000000113D0000-memory.dmp

Filesize
64KB

Download
memory/4872-551-0x000000000B600000-0x000000000B610000-memory.dmp

Filesize
64KB

Download
memory/4872-552-0x000000000B600000-0x000000000B610000-memory.dmp

Filesize
64KB

Download
memory/4872-553-0x00000000113B0000-0x00000000113C0000-memory.dmp

Filesize
64KB

Download
memory/4872-554-0x00000000113C0000-0x00000000113D0000-memory.dmp

Filesize
64KB

Download
memory/4872-541-0x000000000B600000-0x000000000B610000-memory.dmp

Filesize
64KB

Download
memory/4872-555-0x00000000113C0000-0x00000000113D0000-memory.dmp

Filesize
64KB

Download
memory/4872-557-0x000000000B600000-0x000000000B610000-memory.dmp

Filesize
64KB

Download
memory/4872-877-0x0000000001FA0000-0x0000000001FAA000-memory.dmp

Filesize
40KB

Download
memory/4872-556-0x000000000B600000-0x000000000B610000-memory.dmp

Filesize
64KB

Download
memory/5600-272-0x0000000006050000-0x000000000605A000-memory.dmp

Filesize
40KB

Download
memory/5600-253-0x0000000000EC0000-0x000000000110A000-memory.dmp

Filesize
2.3MB

Download
memory/5600-254-0x0000000005BC0000-0x0000000005C72000-memory.dmp

Filesize
712KB

Download
memory/5600-255-0x0000000005C70000-0x0000000005CF2000-memory.dmp

Filesize
520KB

Download
memory/5600-256-0x0000000005A20000-0x0000000005A28000-memory.dmp

Filesize
32KB

Download
memory/5600-257-0x0000000005A30000-0x0000000005A38000-memory.dmp

Filesize
32KB

Download
memory/5600-258-0x000000000A800000-0x000000000A838000-memory.dmp

Filesize
224KB

Download
memory/5600-259-0x000000000A7C0000-0x000000000A7CE000-memory.dmp

Filesize
56KB

Download
memory/5600-266-0x0000000001980000-0x0000000001A16000-memory.dmp

Filesize
600KB

Download
memory/5600-267-0x0000000006020000-0x0000000006046000-memory.dmp

Filesize
152KB

Download
memory/5600-268-0x00000000018D0000-0x00000000018D8000-memory.dmp

Filesize
32KB

Download
memory/5600-270-0x0000000006A80000-0x0000000006AF2000-memory.dmp

Filesize
456KB

Download
memory/5600-271-0x0000000001B30000-0x0000000001B3A000-memory.dmp

Filesize
40KB

Download
memory/5924-677-0x0000000003A40000-0x0000000003A56000-memory.dmp

Filesize
88KB

Download
memory/5924-671-0x00000000039D0000-0x00000000039D8000-memory.dmp

Filesize
32KB

Download
memory/5924-647-0x0000000180000000-0x00000001806A7000-memory.dmp

Filesize
6.7MB

Download
memory/5924-634-0x0000000140000000-0x0000000144C21000-memory.dmp

Filesize
76.1MB

Download
memory/5924-644-0x0000000140000000-0x0000000144C21000-memory.dmp

Filesize
76.1MB

Download
memory/5924-645-0x0000000140000000-0x0000000144C21000-memory.dmp

Filesize
76.1MB

Download
memory/5924-646-0x0000000140000000-0x0000000144C21000-memory.dmp

Filesize
76.1MB

Download
memory/5924-661-0x0000000003A00000-0x0000000003A11000-memory.dmp

Filesize
68KB

Download
memory/5924-664-0x0000000003A00000-0x0000000003A11000-memory.dmp

Filesize
68KB

Download
memory/5924-643-0x0000000140000000-0x0000000144C21000-memory.dmp

Filesize
76.1MB

Download
memory/5924-833-0x0000000140000000-0x0000000144C21000-memory.dmp

Filesize
76.1MB

Download
memory/5924-670-0x00000000039D0000-0x00000000039D8000-memory.dmp

Filesize
32KB

Download
memory/5924-678-0x0000000003A40000-0x0000000003A56000-memory.dmp

Filesize
88KB

Download
memory/5924-684-0x00000000039E0000-0x00000000039E9000-memory.dmp

Filesize
36KB

Download
memory/5924-685-0x00000000039E0000-0x00000000039E9000-memory.dmp

Filesize
36KB

Download
memory/5924-691-0x0000000004D30000-0x0000000004D5D000-memory.dmp

Filesize
180KB

Download
memory/5924-695-0x0000000004D30000-0x0000000004D5D000-memory.dmp

Filesize
180KB

Download