344700d3141170111a9b77db100f6961cc54a2988d964d34f7e1ca57aa42aa2a

Analysis

max time kernel
616s
max time network
617s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04-09-2024 15:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WaveInstaller (1).exe
Size

1.5MB
MD5

c822ab5332b11c9185765b157d0b6e17
SHA1

7fe909d73a24ddd87171896079cceb8b03663ad4
SHA256

344700d3141170111a9b77db100f6961cc54a2988d964d34f7e1ca57aa42aa2a
SHA512

a8612836fb4714b939d03f7fe08391bbc635ca83ab853fc677159e5db6b00f76b9b586bdae9c19d2406d9a2713d1caf614132cb6c14e1dddc6ac45e47f7e5a5d
SSDEEP

24576:9viinbT3ipyqwPx4x3RyFoBkkAd04wJAAh/jV1gJcPNZI6fntX3HOt2pbs81ind2:EinbT3ipTD0anywJAaD/3U2pb7indT

Score

8^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WaveInstaller (1).exeWaveBootstrapper.exeWaveWindows.exeBloxstrap.exeWaveBootstrapper.exeWaveWindows.exeWaveBootstrapper.exeWaveWindows.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	WaveInstaller (1).exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	WaveBootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	WaveWindows.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	Bloxstrap.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	WaveBootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	WaveWindows.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	WaveBootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	WaveWindows.exe

Executes dropped EXE 10 IoCs

Processes:

WaveBootstrapper.exeWaveWindows.exenode.exeBloxstrap.exeWaveBootstrapper.exeWaveWindows.exenode.exeWaveBootstrapper.exeWaveWindows.exenode.exe

pid	process
3616	WaveBootstrapper.exe
3256	WaveWindows.exe
4480	node.exe
3408	Bloxstrap.exe
2232	WaveBootstrapper.exe
320	WaveWindows.exe
5548	node.exe
6024	WaveBootstrapper.exe
4528	WaveWindows.exe
4592	node.exe

Checks for any installed AV software in registry 1 TTPs 18 IoCs

Security Software Discovery

T1518.001

Processes:

WaveWindows.exeWaveWindows.exeWaveWindows.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\KasperskyLab\Session = "Bearer c0108e76-5626-4d8b-bc4e-09cf710628f9"	WaveWindows.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\KasperskyLab\LastUsername	WaveWindows.exe
Key queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\KasperskyLab	WaveWindows.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\KasperskyLab\LastUsername = "kutay"	WaveWindows.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\KasperskyLab\LastUsername = "kutaynpipisi"	WaveWindows.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\KasperskyLab\Session	WaveWindows.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\KasperskyLab\LastUsername = "kutaynpipisi"	WaveWindows.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\KasperskyLab\Session = "Bearer c451d192-baed-4132-958b-153716e3d26a"	WaveWindows.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\KasperskyLab\LastUsername	WaveWindows.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\KasperskyLab\Session	WaveWindows.exe
Key opened	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\KasperskyLab	WaveWindows.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\KasperskyLab\Session	WaveWindows.exe
Key opened	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\KasperskyLab	WaveWindows.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\KasperskyLab	WaveWindows.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\KasperskyLab\LastUsername = "kutay uak"	WaveWindows.exe
Key opened	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\KasperskyLab	WaveWindows.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\KasperskyLab\LastUsername	WaveWindows.exe
Key queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\KasperskyLab	WaveWindows.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

WaveWindows.exeWaveWindows.exe

description	ioc	process
File opened (read-only)	\??\Z:	WaveWindows.exe
File opened (read-only)	\??\B:	WaveWindows.exe
File opened (read-only)	\??\J:	WaveWindows.exe
File opened (read-only)	\??\P:	WaveWindows.exe
File opened (read-only)	\??\I:	WaveWindows.exe
File opened (read-only)	\??\X:	WaveWindows.exe
File opened (read-only)	\??\Z:	WaveWindows.exe
File opened (read-only)	\??\R:	WaveWindows.exe
File opened (read-only)	\??\S:	WaveWindows.exe
File opened (read-only)	\??\V:	WaveWindows.exe
File opened (read-only)	\??\H:	WaveWindows.exe
File opened (read-only)	\??\K:	WaveWindows.exe
File opened (read-only)	\??\L:	WaveWindows.exe
File opened (read-only)	\??\M:	WaveWindows.exe
File opened (read-only)	\??\U:	WaveWindows.exe
File opened (read-only)	\??\A:	WaveWindows.exe
File opened (read-only)	\??\S:	WaveWindows.exe
File opened (read-only)	\??\T:	WaveWindows.exe
File opened (read-only)	\??\P:	WaveWindows.exe
File opened (read-only)	\??\Y:	WaveWindows.exe
File opened (read-only)	\??\E:	WaveWindows.exe
File opened (read-only)	\??\G:	WaveWindows.exe
File opened (read-only)	\??\G:	WaveWindows.exe
File opened (read-only)	\??\R:	WaveWindows.exe
File opened (read-only)	\??\X:	WaveWindows.exe
File opened (read-only)	\??\Y:	WaveWindows.exe
File opened (read-only)	\??\B:	WaveWindows.exe
File opened (read-only)	\??\N:	WaveWindows.exe
File opened (read-only)	\??\V:	WaveWindows.exe
File opened (read-only)	\??\A:	WaveWindows.exe
File opened (read-only)	\??\H:	WaveWindows.exe
File opened (read-only)	\??\Q:	WaveWindows.exe
File opened (read-only)	\??\E:	WaveWindows.exe
File opened (read-only)	\??\I:	WaveWindows.exe
File opened (read-only)	\??\L:	WaveWindows.exe
File opened (read-only)	\??\J:	WaveWindows.exe
File opened (read-only)	\??\O:	WaveWindows.exe
File opened (read-only)	\??\K:	WaveWindows.exe
File opened (read-only)	\??\N:	WaveWindows.exe
File opened (read-only)	\??\T:	WaveWindows.exe
File opened (read-only)	\??\M:	WaveWindows.exe
File opened (read-only)	\??\O:	WaveWindows.exe
File opened (read-only)	\??\Q:	WaveWindows.exe
File opened (read-only)	\??\U:	WaveWindows.exe
File opened (read-only)	\??\W:	WaveWindows.exe
File opened (read-only)	\??\W:	WaveWindows.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

Processes:

flow	ioc
47	raw.githubusercontent.com
64	raw.githubusercontent.com
65	raw.githubusercontent.com
66	raw.githubusercontent.com
67	raw.githubusercontent.com
46	raw.githubusercontent.com

Drops file in System32 directory 1 IoCs

Processes:

mmc.exe

description ioc process

File opened for modification C:\Windows\system32\devmgmt.msc mmc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\devmgmt.msc	mmc.exe

Drops file in Program Files directory 2 IoCs

Processes:

setup.exesetup.exe

description	ioc	process
File opened for modification	C:\Program Files\Crashpad\metadata	setup.exe
File opened for modification	C:\Program Files\Crashpad\settings.dat	setup.exe

Drops file in Windows directory 57 IoCs

Processes:

mmc.exe

description	ioc	process
File created	C:\Windows\INF\c_linedisplay.PNF	mmc.exe
File created	C:\Windows\INF\c_smrdisk.PNF	mmc.exe
File created	C:\Windows\INF\c_holographic.PNF	mmc.exe
File created	C:\Windows\INF\c_fscompression.PNF	mmc.exe
File created	C:\Windows\INF\c_fscopyprotection.PNF	mmc.exe
File created	C:\Windows\INF\c_fsphysicalquotamgmt.PNF	mmc.exe
File created	C:\Windows\INF\c_fscfsmetadataserver.PNF	mmc.exe
File created	C:\Windows\INF\c_computeaccelerator.PNF	mmc.exe
File created	C:\Windows\INF\remoteposdrv.PNF	mmc.exe
File created	C:\Windows\INF\c_display.PNF	mmc.exe
File created	C:\Windows\INF\c_monitor.PNF	mmc.exe
File created	C:\Windows\INF\miradisp.PNF	mmc.exe
File created	C:\Windows\INF\c_fsopenfilebackup.PNF	mmc.exe
File created	C:\Windows\INF\c_netdriver.PNF	mmc.exe
File created	C:\Windows\INF\rawsilo.PNF	mmc.exe
File created	C:\Windows\INF\c_fsencryption.PNF	mmc.exe
File created	C:\Windows\INF\wsdprint.PNF	mmc.exe
File created	C:\Windows\INF\c_fssystemrecovery.PNF	mmc.exe
File created	C:\Windows\INF\c_fscontentscreener.PNF	mmc.exe
File created	C:\Windows\INF\c_fsreplication.PNF	mmc.exe
File created	C:\Windows\INF\c_receiptprinter.PNF	mmc.exe
File created	C:\Windows\INF\c_ucm.PNF	mmc.exe
File created	C:\Windows\INF\c_magneticstripereader.PNF	mmc.exe
File created	C:\Windows\INF\c_volume.PNF	mmc.exe
File created	C:\Windows\INF\c_firmware.PNF	mmc.exe
File created	C:\Windows\INF\dc1-controller.PNF	mmc.exe
File created	C:\Windows\INF\c_sslaccel.PNF	mmc.exe
File created	C:\Windows\INF\c_mcx.PNF	mmc.exe
File created	C:\Windows\INF\oposdrv.PNF	mmc.exe
File created	C:\Windows\INF\c_fscontinuousbackup.PNF	mmc.exe
File created	C:\Windows\INF\c_fsantivirus.PNF	mmc.exe
File created	C:\Windows\INF\rdcameradriver.PNF	mmc.exe
File created	C:\Windows\INF\c_scmvolume.PNF	mmc.exe
File created	C:\Windows\INF\c_cashdrawer.PNF	mmc.exe
File created	C:\Windows\INF\c_fsquotamgmt.PNF	mmc.exe
File created	C:\Windows\INF\c_fsactivitymonitor.PNF	mmc.exe
File created	C:\Windows\INF\c_media.PNF	mmc.exe
File created	C:\Windows\INF\c_diskdrive.PNF	mmc.exe
File created	C:\Windows\INF\c_processor.PNF	mmc.exe
File created	C:\Windows\INF\c_swcomponent.PNF	mmc.exe
File created	C:\Windows\INF\ts_generic.PNF	mmc.exe
File created	C:\Windows\INF\c_barcodescanner.PNF	mmc.exe
File created	C:\Windows\INF\c_fshsm.PNF	mmc.exe
File created	C:\Windows\INF\c_apo.PNF	mmc.exe
File created	C:\Windows\INF\c_fsundelete.PNF	mmc.exe
File created	C:\Windows\INF\c_scmdisk.PNF	mmc.exe
File created	C:\Windows\INF\c_smrvolume.PNF	mmc.exe
File created	C:\Windows\INF\digitalmediadevice.PNF	mmc.exe
File created	C:\Windows\INF\c_proximity.PNF	mmc.exe
File created	C:\Windows\INF\c_fssecurityenhancer.PNF	mmc.exe
File created	C:\Windows\INF\c_fsinfrastructure.PNF	mmc.exe
File created	C:\Windows\INF\c_camera.PNF	mmc.exe
File created	C:\Windows\INF\xusb22.PNF	mmc.exe
File created	C:\Windows\INF\c_fssystem.PNF	mmc.exe
File created	C:\Windows\INF\PerceptionSimulationSixDof.PNF	mmc.exe
File created	C:\Windows\INF\c_extension.PNF	mmc.exe
File created	C:\Windows\INF\c_fsvirtualization.PNF	mmc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4020 3256 WerFault.exe WaveWindows.exe
3776 320 WerFault.exe WaveWindows.exe

pid	pid_target	process	target process
4020	3256	WerFault.exe	WaveWindows.exe
3776	320	WerFault.exe	WaveWindows.exe

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

WaveWindows.exeWaveWindows.exeDllHost.exeWaveWindows.exeDllHost.exeWaveInstaller (1).exeWaveBootstrapper.exeWaveBootstrapper.exeWaveBootstrapper.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaveWindows.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaveWindows.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaveWindows.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaveInstaller (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaveBootstrapper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaveBootstrapper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaveBootstrapper.exe

Checks SCSI registry key(s) 3 TTPs 23 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exemmc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	mmc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exemsedge.exechrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133699372276549127"	chrome.exe

Modifies registry class 45 IoCs

Processes:

explorer.exeWaveWindows.exemsedge.exemsedge.exeWaveWindows.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "18874369"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{65F125E5-7BE1-4810-BA9D-D271C8432CE3}"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "18874385"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4182098368-2521458979-3782681353-1000\{7E62DA7A-42D6-422A-A980-FD537FF5A02A}	WaveWindows.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\HotKey = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "6"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "48"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4182098368-2521458979-3782681353-1000\{E3D35B08-8447-4ACC-8FE1-2E117B507286}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 1e007180000000000000000000002f492640692fb846b9bf5654fc07e4230000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4182098368-2521458979-3782681353-1000\{246EA778-4D77-445D-A2DB-B9CC74D5DF0F}	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "2"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\FirewallControlPanel.dll,-12122#immutable1 = "Windows Defender Firewall"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\ShowCmd = "1"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\NodeSlot = "1"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000010000001800000030f125b7ef471a10a5f102608c9eebac0a000000a0000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\WFlags = "0"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4182098368-2521458979-3782681353-1000\{D3C46796-69DA-4A40-944C-93A0D172126F}	WaveWindows.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f706806ee260aa0d7449371beb064c986830000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 0c0001008421de39050000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

explorer.exe

pid process

4512 explorer.exe

pid	process
4512	explorer.exe

Suspicious behavior: EnumeratesProcesses 44 IoCs

Processes:

taskmgr.exeWaveWindows.exemsedge.exemsedge.exemsedge.exeidentity_helper.exemsedge.exeWaveWindows.exeWaveWindows.exechrome.exemsedge.exemsedge.exemsedge.exeidentity_helper.exemsedge.exe

pid	process
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3256	WaveWindows.exe
3256	WaveWindows.exe
3196	msedge.exe
3196	msedge.exe
4312	msedge.exe
4312	msedge.exe
1140	msedge.exe
1140	msedge.exe
3084	identity_helper.exe
3084	identity_helper.exe
5156	msedge.exe
5156	msedge.exe
5156	msedge.exe
5156	msedge.exe
320	WaveWindows.exe
4528	WaveWindows.exe
5272	chrome.exe
5272	chrome.exe
4164	msedge.exe
4164	msedge.exe
2152	msedge.exe
2152	msedge.exe
2584	msedge.exe
2584	msedge.exe
5756	identity_helper.exe
5756	identity_helper.exe
968	msedge.exe
968	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

mmc.exe

pid process

3752 mmc.exe

pid	process
3752	mmc.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 48 IoCs

Processes:

msedge.exechrome.exemsedge.exe

pid	process
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
5272	chrome.exe
5272	chrome.exe
5272	chrome.exe
5272	chrome.exe
2584	msedge.exe
2584	msedge.exe
2584	msedge.exe
2584	msedge.exe
2584	msedge.exe
2584	msedge.exe
2584	msedge.exe
2584	msedge.exe
2584	msedge.exe
2584	msedge.exe
2584	msedge.exe
2584	msedge.exe
2584	msedge.exe
2584	msedge.exe
2584	msedge.exe
2584	msedge.exe
2584	msedge.exe
2584	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WaveInstaller (1).exetaskmgr.exeWaveBootstrapper.exeWaveWindows.exeAUDIODG.EXEWaveBootstrapper.exeWaveWindows.exeWaveBootstrapper.exeWaveWindows.exechrome.exe

description	pid	process
Token: SeDebugPrivilege	2232	WaveInstaller (1).exe
Token: SeDebugPrivilege	3676	taskmgr.exe
Token: SeSystemProfilePrivilege	3676	taskmgr.exe
Token: SeCreateGlobalPrivilege	3676	taskmgr.exe
Token: 33	3676	taskmgr.exe
Token: SeIncBasePriorityPrivilege	3676	taskmgr.exe
Token: SeDebugPrivilege	3616	WaveBootstrapper.exe
Token: SeDebugPrivilege	3256	WaveWindows.exe
Token: SeShutdownPrivilege	3256	WaveWindows.exe
Token: SeCreatePagefilePrivilege	3256	WaveWindows.exe
Token: SeShutdownPrivilege	3256	WaveWindows.exe
Token: SeCreatePagefilePrivilege	3256	WaveWindows.exe
Token: 33	5476	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5476	AUDIODG.EXE
Token: 33	3256	WaveWindows.exe
Token: SeIncBasePriorityPrivilege	3256	WaveWindows.exe
Token: SeShutdownPrivilege	3256	WaveWindows.exe
Token: SeCreatePagefilePrivilege	3256	WaveWindows.exe
Token: SeDebugPrivilege	2232	WaveBootstrapper.exe
Token: SeDebugPrivilege	320	WaveWindows.exe
Token: SeShutdownPrivilege	320	WaveWindows.exe
Token: SeCreatePagefilePrivilege	320	WaveWindows.exe
Token: SeShutdownPrivilege	320	WaveWindows.exe
Token: SeCreatePagefilePrivilege	320	WaveWindows.exe
Token: 33	320	WaveWindows.exe
Token: SeIncBasePriorityPrivilege	320	WaveWindows.exe
Token: SeShutdownPrivilege	320	WaveWindows.exe
Token: SeCreatePagefilePrivilege	320	WaveWindows.exe
Token: SeShutdownPrivilege	320	WaveWindows.exe
Token: SeCreatePagefilePrivilege	320	WaveWindows.exe
Token: SeShutdownPrivilege	320	WaveWindows.exe
Token: SeCreatePagefilePrivilege	320	WaveWindows.exe
Token: SeShutdownPrivilege	320	WaveWindows.exe
Token: SeCreatePagefilePrivilege	320	WaveWindows.exe
Token: SeDebugPrivilege	6024	WaveBootstrapper.exe
Token: SeDebugPrivilege	4528	WaveWindows.exe
Token: SeShutdownPrivilege	5272	chrome.exe
Token: SeCreatePagefilePrivilege	5272	chrome.exe
Token: SeShutdownPrivilege	5272	chrome.exe
Token: SeCreatePagefilePrivilege	5272	chrome.exe
Token: SeShutdownPrivilege	5272	chrome.exe
Token: SeCreatePagefilePrivilege	5272	chrome.exe
Token: SeShutdownPrivilege	5272	chrome.exe
Token: SeCreatePagefilePrivilege	5272	chrome.exe
Token: SeShutdownPrivilege	5272	chrome.exe
Token: SeCreatePagefilePrivilege	5272	chrome.exe
Token: SeShutdownPrivilege	5272	chrome.exe
Token: SeCreatePagefilePrivilege	5272	chrome.exe
Token: SeShutdownPrivilege	5272	chrome.exe
Token: SeCreatePagefilePrivilege	5272	chrome.exe
Token: SeShutdownPrivilege	5272	chrome.exe
Token: SeCreatePagefilePrivilege	5272	chrome.exe
Token: SeShutdownPrivilege	5272	chrome.exe
Token: SeCreatePagefilePrivilege	5272	chrome.exe
Token: SeShutdownPrivilege	5272	chrome.exe
Token: SeCreatePagefilePrivilege	5272	chrome.exe
Token: SeShutdownPrivilege	5272	chrome.exe
Token: SeCreatePagefilePrivilege	5272	chrome.exe
Token: SeShutdownPrivilege	5272	chrome.exe
Token: SeCreatePagefilePrivilege	5272	chrome.exe
Token: SeShutdownPrivilege	5272	chrome.exe
Token: SeCreatePagefilePrivilege	5272	chrome.exe
Token: SeShutdownPrivilege	5272	chrome.exe
Token: SeCreatePagefilePrivilege	5272	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

taskmgr.exemsedge.exe

pid	process
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

taskmgr.exemsedge.exe

pid	process
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
3676	taskmgr.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

node.exenode.exemmc.exe

pid process

5548 node.exe
4592 node.exe
3752 mmc.exe
3752 mmc.exe

pid	process
5548	node.exe
4592	node.exe
3752	mmc.exe
3752	mmc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

WaveInstaller (1).exeWaveBootstrapper.exeWaveWindows.exemsedge.exe

description	pid	process	target process
PID 2232 wrote to memory of 3616	2232	WaveInstaller (1).exe	WaveBootstrapper.exe
PID 2232 wrote to memory of 3616	2232	WaveInstaller (1).exe	WaveBootstrapper.exe
PID 2232 wrote to memory of 3616	2232	WaveInstaller (1).exe	WaveBootstrapper.exe
PID 3616 wrote to memory of 3256	3616	WaveBootstrapper.exe	WaveWindows.exe
PID 3616 wrote to memory of 3256	3616	WaveBootstrapper.exe	WaveWindows.exe
PID 3616 wrote to memory of 3256	3616	WaveBootstrapper.exe	WaveWindows.exe
PID 3256 wrote to memory of 4480	3256	WaveWindows.exe	node.exe
PID 3256 wrote to memory of 4480	3256	WaveWindows.exe	node.exe
PID 3256 wrote to memory of 3408	3256	WaveWindows.exe	Bloxstrap.exe
PID 3256 wrote to memory of 3408	3256	WaveWindows.exe	Bloxstrap.exe
PID 4312 wrote to memory of 4864	4312	msedge.exe	msedge.exe
PID 4312 wrote to memory of 4864	4312	msedge.exe	msedge.exe
PID 4312 wrote to memory of 1432	4312	msedge.exe	msedge.exe
PID 4312 wrote to memory of 1432	4312	msedge.exe	msedge.exe
PID 4312 wrote to memory of 1432	4312	msedge.exe	msedge.exe
PID 4312 wrote to memory of 1432	4312	msedge.exe	msedge.exe
PID 4312 wrote to memory of 1432	4312	msedge.exe	msedge.exe
PID 4312 wrote to memory of 1432	4312	msedge.exe	msedge.exe
PID 4312 wrote to memory of 1432	4312	msedge.exe	msedge.exe
PID 4312 wrote to memory of 1432	4312	msedge.exe	msedge.exe
PID 4312 wrote to memory of 1432	4312	msedge.exe	msedge.exe
PID 4312 wrote to memory of 1432	4312	msedge.exe	msedge.exe
PID 4312 wrote to memory of 1432	4312	msedge.exe	msedge.exe
PID 4312 wrote to memory of 1432	4312	msedge.exe	msedge.exe
PID 4312 wrote to memory of 1432	4312	msedge.exe	msedge.exe
PID 4312 wrote to memory of 1432	4312	msedge.exe	msedge.exe
PID 4312 wrote to memory of 1432	4312	msedge.exe	msedge.exe
PID 4312 wrote to memory of 1432	4312	msedge.exe	msedge.exe
PID 4312 wrote to memory of 1432	4312	msedge.exe	msedge.exe
PID 4312 wrote to memory of 1432	4312	msedge.exe	msedge.exe
PID 4312 wrote to memory of 1432	4312	msedge.exe	msedge.exe
PID 4312 wrote to memory of 1432	4312	msedge.exe	msedge.exe
PID 4312 wrote to memory of 1432	4312	msedge.exe	msedge.exe
PID 4312 wrote to memory of 1432	4312	msedge.exe	msedge.exe
PID 4312 wrote to memory of 1432	4312	msedge.exe	msedge.exe
PID 4312 wrote to memory of 1432	4312	msedge.exe	msedge.exe
PID 4312 wrote to memory of 1432	4312	msedge.exe	msedge.exe
PID 4312 wrote to memory of 1432	4312	msedge.exe	msedge.exe
PID 4312 wrote to memory of 1432	4312	msedge.exe	msedge.exe
PID 4312 wrote to memory of 1432	4312	msedge.exe	msedge.exe
PID 4312 wrote to memory of 1432	4312	msedge.exe	msedge.exe
PID 4312 wrote to memory of 1432	4312	msedge.exe	msedge.exe
PID 4312 wrote to memory of 1432	4312	msedge.exe	msedge.exe
PID 4312 wrote to memory of 1432	4312	msedge.exe	msedge.exe
PID 4312 wrote to memory of 1432	4312	msedge.exe	msedge.exe
PID 4312 wrote to memory of 1432	4312	msedge.exe	msedge.exe
PID 4312 wrote to memory of 1432	4312	msedge.exe	msedge.exe
PID 4312 wrote to memory of 1432	4312	msedge.exe	msedge.exe
PID 4312 wrote to memory of 1432	4312	msedge.exe	msedge.exe
PID 4312 wrote to memory of 1432	4312	msedge.exe	msedge.exe
PID 4312 wrote to memory of 1432	4312	msedge.exe	msedge.exe
PID 4312 wrote to memory of 1432	4312	msedge.exe	msedge.exe
PID 4312 wrote to memory of 3196	4312	msedge.exe	msedge.exe
PID 4312 wrote to memory of 3196	4312	msedge.exe	msedge.exe
PID 4312 wrote to memory of 1540	4312	msedge.exe	msedge.exe
PID 4312 wrote to memory of 1540	4312	msedge.exe	msedge.exe
PID 4312 wrote to memory of 1540	4312	msedge.exe	msedge.exe
PID 4312 wrote to memory of 1540	4312	msedge.exe	msedge.exe
PID 4312 wrote to memory of 1540	4312	msedge.exe	msedge.exe
PID 4312 wrote to memory of 1540	4312	msedge.exe	msedge.exe
PID 4312 wrote to memory of 1540	4312	msedge.exe	msedge.exe
PID 4312 wrote to memory of 1540	4312	msedge.exe	msedge.exe
PID 4312 wrote to memory of 1540	4312	msedge.exe	msedge.exe
PID 4312 wrote to memory of 1540	4312	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\WaveInstaller (1).exe
"C:\Users\Admin\AppData\Local\Temp\WaveInstaller (1).exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2232

C:\Users\Admin\AppData\Local\Wave\WaveBootstrapper.exe
"C:\Users\Admin\AppData\Local\Wave\WaveBootstrapper.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3616

C:\Users\Admin\AppData\Local\Wave\WaveWindows.exe
"C:\Users\Admin\AppData\Local\Wave\WaveWindows.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Checks for any installed AV software in registry
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3256

C:\Users\Admin\AppData\Local\Luau Language Server\node.exe
"C:\Users\Admin\AppData\Local\Luau Language Server\node.exe" server --process-id=3256
4⤵
- Executes dropped EXE
PID:4480

C:\Users\Admin\AppData\Local\Bloxstrap\Bloxstrap.exe
"C:\Users\Admin\AppData\Local\Bloxstrap\Bloxstrap.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
PID:3408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3256 -s 5800
4⤵
- Program crash
PID:4020

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3676

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4312

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffd20b446f8,0x7ffd20b44708,0x7ffd20b44718
2⤵
PID:4864

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2216,11123197694347713033,14806370170649422752,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2
2⤵
PID:1432

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2216,11123197694347713033,14806370170649422752,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2316 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3196

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2216,11123197694347713033,14806370170649422752,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2712 /prefetch:8
2⤵
PID:1540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,11123197694347713033,14806370170649422752,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
2⤵
PID:4032

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,11123197694347713033,14806370170649422752,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
2⤵
PID:3676

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,11123197694347713033,14806370170649422752,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4052 /prefetch:1
2⤵
PID:1688

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,11123197694347713033,14806370170649422752,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4964 /prefetch:1
2⤵
PID:3032

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,11123197694347713033,14806370170649422752,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3492 /prefetch:1
2⤵
PID:3240

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,11123197694347713033,14806370170649422752,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3552 /prefetch:1
2⤵
PID:3396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2216,11123197694347713033,14806370170649422752,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3676 /prefetch:8
2⤵
PID:2060

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2216,11123197694347713033,14806370170649422752,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3612 /prefetch:8
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1140

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,11123197694347713033,14806370170649422752,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4128 /prefetch:1
2⤵
PID:1088

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2216,11123197694347713033,14806370170649422752,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5584 /prefetch:8
2⤵
PID:2024

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2216,11123197694347713033,14806370170649422752,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5584 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3084

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,11123197694347713033,14806370170649422752,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:1
2⤵
PID:2536

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,11123197694347713033,14806370170649422752,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5516 /prefetch:1
2⤵
PID:1672

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,11123197694347713033,14806370170649422752,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5752 /prefetch:1
2⤵
PID:624

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,11123197694347713033,14806370170649422752,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5836 /prefetch:1
2⤵
PID:2992

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,11123197694347713033,14806370170649422752,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5648 /prefetch:1
2⤵
PID:2364

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,11123197694347713033,14806370170649422752,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:1
2⤵
PID:1140

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,11123197694347713033,14806370170649422752,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5132 /prefetch:1
2⤵
PID:2140

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,11123197694347713033,14806370170649422752,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5708 /prefetch:1
2⤵
PID:2840

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,11123197694347713033,14806370170649422752,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6256 /prefetch:1
2⤵
PID:4388

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,11123197694347713033,14806370170649422752,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6728 /prefetch:1
2⤵
PID:568

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,11123197694347713033,14806370170649422752,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7060 /prefetch:1
2⤵
PID:5252

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,11123197694347713033,14806370170649422752,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6552 /prefetch:1
2⤵
PID:5536

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,11123197694347713033,14806370170649422752,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6384 /prefetch:1
2⤵
PID:5784

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,11123197694347713033,14806370170649422752,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5868 /prefetch:1
2⤵
PID:5792

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,11123197694347713033,14806370170649422752,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5740 /prefetch:1
2⤵
PID:5644

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,11123197694347713033,14806370170649422752,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2000 /prefetch:1
2⤵
PID:5640

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,11123197694347713033,14806370170649422752,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6864 /prefetch:1
2⤵
PID:6084

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2216,11123197694347713033,14806370170649422752,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6516 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5156

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,11123197694347713033,14806370170649422752,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6220 /prefetch:1
2⤵
PID:3548

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,11123197694347713033,14806370170649422752,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6076 /prefetch:1
2⤵
PID:5980

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1800

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2056

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x528 0x304
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3256 -ip 3256
1⤵
PID:5040

C:\Users\Admin\AppData\Local\Wave\WaveBootstrapper.exe
"C:\Users\Admin\AppData\Local\Wave\WaveBootstrapper.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2232

C:\Users\Admin\AppData\Local\Wave\WaveWindows.exe
"C:\Users\Admin\AppData\Local\Wave\WaveWindows.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Checks for any installed AV software in registry
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:320

C:\Users\Admin\AppData\Local\Luau Language Server\node.exe
"C:\Users\Admin\AppData\Local\Luau Language Server\node.exe" server --process-id=320
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 320 -s 5672
3⤵
- Program crash
PID:3776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 320 -ip 320
1⤵
PID:5684

C:\Users\Admin\AppData\Local\Wave\WaveBootstrapper.exe
"C:\Users\Admin\AppData\Local\Wave\WaveBootstrapper.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:6024

C:\Users\Admin\AppData\Local\Wave\WaveWindows.exe
"C:\Users\Admin\AppData\Local\Wave\WaveWindows.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Checks for any installed AV software in registry
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4528

C:\Users\Admin\AppData\Local\Luau Language Server\node.exe
"C:\Users\Admin\AppData\Local\Luau Language Server\node.exe" server --process-id=4528
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4592

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
PID:5272

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffd20edcc40,0x7ffd20edcc4c,0x7ffd20edcc58
2⤵
PID:3284

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1856,i,2167657736824417025,8393524750930732892,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1848 /prefetch:2
2⤵
PID:3748

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1600,i,2167657736824417025,8393524750930732892,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2008 /prefetch:3
2⤵
PID:5984

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2280,i,2167657736824417025,8393524750930732892,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2072 /prefetch:8
2⤵
PID:2176

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3140,i,2167657736824417025,8393524750930732892,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3160 /prefetch:1
2⤵
PID:6008

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3312,i,2167657736824417025,8393524750930732892,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3408 /prefetch:1
2⤵
PID:1876

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3144,i,2167657736824417025,8393524750930732892,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4516 /prefetch:1
2⤵
PID:3944

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4836,i,2167657736824417025,8393524750930732892,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4848 /prefetch:8
2⤵
PID:2936

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5024,i,2167657736824417025,8393524750930732892,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5056 /prefetch:8
2⤵
PID:4276

C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --reenable-autoupdates --system-level
2⤵
- Drops file in Program Files directory
PID:4928

C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x284,0x288,0x28c,0x260,0x290,0x7ff72b404698,0x7ff72b4046a4,0x7ff72b4046b0
3⤵
- Drops file in Program Files directory
PID:4876

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4824,i,2167657736824417025,8393524750930732892,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4532 /prefetch:1
2⤵
PID:776

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:5956

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2584

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:5724

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
- System Location Discovery: System Language Discovery
PID:2736

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
PID:4512

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaultca99e6bah9527h4e1dhb4c6h6549efe572d0
1⤵
PID:1928

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffd20b446f8,0x7ffd20b44708,0x7ffd20b44718
2⤵
PID:5880

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,5402202566550574348,5002888893094174155,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2
2⤵
PID:5860

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,5402202566550574348,5002888893094174155,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4164

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,5402202566550574348,5002888893094174155,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2716 /prefetch:8
2⤵
PID:1276

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
- System Location Discovery: System Language Discovery
PID:868

C:\Windows\system32\mmc.exe
"C:\Windows\system32\mmc.exe" C:\Windows\system32\devmgmt.msc
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3752

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:2584

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd20b446f8,0x7ffd20b44708,0x7ffd20b44718
2⤵
PID:748

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2208,9018918165678531756,12849699356966212403,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2212 /prefetch:2
2⤵
PID:5492

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2208,9018918165678531756,12849699356966212403,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2152

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2208,9018918165678531756,12849699356966212403,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2820 /prefetch:8
2⤵
PID:6100

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,9018918165678531756,12849699356966212403,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
2⤵
PID:1160

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,9018918165678531756,12849699356966212403,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
2⤵
PID:1820

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,9018918165678531756,12849699356966212403,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5052 /prefetch:1
2⤵
PID:2612

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,9018918165678531756,12849699356966212403,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3144 /prefetch:1
2⤵
PID:4372

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2208,9018918165678531756,12849699356966212403,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3576 /prefetch:8
2⤵
PID:5704

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2208,9018918165678531756,12849699356966212403,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3576 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5756

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,9018918165678531756,12849699356966212403,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3480 /prefetch:1
2⤵
PID:400

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,9018918165678531756,12849699356966212403,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3488 /prefetch:1
2⤵
PID:4020

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,9018918165678531756,12849699356966212403,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4340 /prefetch:1
2⤵
PID:1788

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,9018918165678531756,12849699356966212403,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5372 /prefetch:1
2⤵
PID:3748

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2208,9018918165678531756,12849699356966212403,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4068 /prefetch:8
2⤵
PID:2240

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2208,9018918165678531756,12849699356966212403,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4076 /prefetch:8
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:968

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,9018918165678531756,12849699356966212403,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5712 /prefetch:1
2⤵
PID:1304

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,9018918165678531756,12849699356966212403,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5664 /prefetch:1
2⤵
PID:728

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,9018918165678531756,12849699356966212403,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5080 /prefetch:1
2⤵
PID:5532

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,9018918165678531756,12849699356966212403,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5540 /prefetch:1
2⤵
PID:6080

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,9018918165678531756,12849699356966212403,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5752 /prefetch:1
2⤵
PID:3448

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,9018918165678531756,12849699356966212403,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6280 /prefetch:1
2⤵
PID:1916

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,9018918165678531756,12849699356966212403,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6944 /prefetch:1
2⤵
PID:4728

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,9018918165678531756,12849699356966212403,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6980 /prefetch:1
2⤵
PID:5288

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,9018918165678531756,12849699356966212403,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6132 /prefetch:1
2⤵
PID:2412

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,9018918165678531756,12849699356966212403,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6332 /prefetch:1
2⤵
PID:6136

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:220

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1312

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2612

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Software Discovery

T1518

Security Software Discovery

T1518.001

Peripheral Device Discovery

T1120

Browser Information Discovery

T1217

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Bloxstrap\Bloxstrap.dll
Filesize
4.3MB

MD5
6546ceb273f079342df5e828a60f551b

SHA1
ede41c27df51c39cd731797c340fcb8feda51ea3

SHA256
e440da74de73212d80da3f27661fcb9436d03d9e8dbbb44c9c148aaf38071ca5

SHA512
f0ea83bf836e93ff7b58582329a05ba183a25c92705fab36f576ec0c20cf687ce16a68e483698bda4215d441dec5916ffbdfa1763fb357e14ab5e0f1ffcaf824

Download Submit
C:\Users\Admin\AppData\Local\Bloxstrap\Bloxstrap.exe
Filesize
249KB

MD5
772c9fecbd0397f6cfb3d866cf3a5d7d

SHA1
6de3355d866d0627a756d0d4e29318e67650dacf

SHA256
2f88ea7e1183d320fb2b7483de2e860da13dc0c0caaf58f41a888528d78c809f

SHA512
82048bd6e50d38a863379a623b8cfda2d1553d8141923acf13f990c7245c833082523633eaa830362a12bfff300da61b3d8b3cccbe038ce2375fdfbd20dbca31

Download Submit
C:\Users\Admin\AppData\Local\Bloxstrap\Bloxstrap.runtimeconfig.json
Filesize
372B

MD5
d94cf983fba9ab1bb8a6cb3ad4a48f50

SHA1
04855d8b7a76b7ec74633043ef9986d4500ca63c

SHA256
1eca0f0c70070aa83bb609e4b749b26dcb4409784326032726394722224a098a

SHA512
09a9667d4f4622817116c8bc27d3d481d5d160380a2e19b8944bdd1271a83f718415ce5e6d66e82e36819e575ec1b55f19c45213e0013b877b8d61e6feb9d998

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState
Filesize
649B

MD5
4f67fdf000dc4e7a4bb1b64ef9d4d568

SHA1
2c3366727a71b8f30788379075e9bb161669db46

SHA256
96601496eaccb2d30aecb38171118708965fe679b8c1b277f68727e7c2c52889

SHA512
341febf532b309fcc2caf967581e4df112520e2b15513ba6c727b505e0223d7ee859e9c765e3d3cbc4f5df70bf1abe701b6e830bc1121bed586e078c7fe61793

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000002
Filesize
24KB

MD5
c594a826934b9505d591d0f7a7df80b7

SHA1
c04b8637e686f71f3fc46a29a86346ba9b04ae18

SHA256
e664eef3d68ac6336a28be033165d4780e8a5ab28f0d90df1b148ef86babb610

SHA512
04a1dfdb8ee2f5fefa101d5e3ff36e87659fd774e96aa8c5941d3353ccc268a125822cf01533c74839e5f1c54725da9cc437d3d69b88e5bf3f99caccd4d75961

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
216B

MD5
b3ac92d678cba530b7276d77917d47eb

SHA1
32dae4d66158c925dcf30fac8af0449149d789ee

SHA256
61681320d85f5aa1bac200244727d36a02bbfe83979ff5320fcb7d1d4c73b408

SHA512
3367a0e718c3df46aa0e6a2fbea39f8cf78715310e84844a406f32f1e18c2e8f4abe92a960d526ef3cf9f890fa432da2ff2be0690184d49c60399696be6103e6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
216B

MD5
94702bd0eb7548941c08038aac194478

SHA1
20154824d4579fabf87f744b3bae9c7817c66afd

SHA256
8af204be1e0b1692565675f90e0d06d6a2ed1a5a00386692ee72121bc0095e88

SHA512
aec53c4f74c140fd75ce8b0e5be24ec1e21bcf7829aabae37c8e977da25d9bac458d8dc19885246492290ac342a9feac938b3e6f0a046249b53e781151ca53bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
216B

MD5
fb427049f3ac386514b9c3528e9fd866

SHA1
05d87218a7a1425422bb76ba216e5c04c77314b0

SHA256
c99353469f2e2af1bb50e115afc6108a738ca090cf3cde5b18ee3beef0cf4502

SHA512
b5d007a44696ddfe2796fa873b2183bae51c963ce0033fd73130e27b9480e8d86ee1121566dc5d75b57e70e7ffff48735e142df6e6ff424a6b3ba7ab9d7d8a80

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1
Filesize
264KB

MD5
0659d4cf4aa9e83b9b3b8988fbc81f87

SHA1
d66702c5dbabbc0fa1812f4a09986a14d617d184

SHA256
d60a096071d49cfdf0cfef9a9b29f46a128b4c2eac83a6d81de263e111176eac

SHA512
5a0559ed60382eda83a241bbed93501149b35ef2232d3e58504f1a19aa0541fe0e4a805bea12b5c8c2969a836b8061ca16c1c31dcbf4df3a857eb5445b5e5a21

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
a3f01ad4eb98deb0a9327dabb8a7f2f6

SHA1
7223967aaa117cbd9906decf38c339d885142462

SHA256
0afd49ac0162e3d2ed1e823364caffc3c6bd40f4243f1d0284f4b566c5421ee1

SHA512
96fb80665c1f65608c546514dff6968c39cfaa9f8858eef6f4c323343322ef4189a84f4a86dba52e2b841e9c229a5bbe0ce488d7d1872287066394fec1f3b461

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
d4780c74a3f9769ec32692d0e58bae28

SHA1
f5619345fa7c034eb6dd6458d7bc364e9486e8c2

SHA256
8b0385510e20778fd1c57b9d34b4630f1488845f0d44b21c15aed78cde3edd4b

SHA512
7dc0490472c55d21648cbb4185caf848023fceeae99ef5be471f29ab05b6c34905e24e17103ed1ea01d5bb7a4196e06ec80648262636384e62d1758a7c2a5ac8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
356B

MD5
d2b61cdb94edaa9e9ed00f180a7ef3ce

SHA1
4db19b37c21f69d5016aa53138a4423e31ee23b9

SHA256
6535251be00b17ddcf829ba4ec544c291248868c8462e00941e3f42759e56956

SHA512
9a98c15f7cfee758094880057fd29e3803c226af31eb82b3499089223ac41b941b243e0b17d3a19e91308bef277b432437e28bf6cbced4da9e122a3c28cd4e9d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
9KB

MD5
f927de161b41634c06c6b455bddaf322

SHA1
2dda0796c95ae8576c41e0d2eb2e94e46f22aafa

SHA256
51139e63682447926c427e29e0646bd11c32d2a013c8be5441c8fcbda102543e

SHA512
e9f396346d75381bca20943188f53e7b4a9edd7a8574be9b9514a78104c166283f1e2f79064d933fd2b277377818134ace9f5fb89daaf558b6af12ebd78bba96

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
9KB

MD5
fa6e2e1be37b79dbcb54a9822572fbe7

SHA1
0b8f2794fae092a71b0e72ec0f38f58a7f595383

SHA256
f38293b9218188771b7366f2e9fd4a86ee35ced15fe76e13292891eb1dc37054

SHA512
f4eeaa6d7ae5045b906a4605b2386d6a7997cb9e2c9ca722f8e0fee6000e7631e2eb1520c87277588ac5ed469b1219d15a0f4288d5ba7890e8d13d03823f65ec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
9KB

MD5
86f928819ed952bd0fc2e22997d8054c

SHA1
1572366ea48ca7876a3b58a7480a5242b877fff5

SHA256
ced2687f38c812ba90c772ee7877d4659daaed0977be3b16ec6417e4acf5004c

SHA512
69a4078a6b773192f916154a844bfe3407f19823aa505949f91e5668eab8842cc3857758eda203a7bd1db4925c84655cd895c8c6c102e0f0968ce8da36d88779

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
9KB

MD5
dc62f6590aa81b66741b2a3939d5eb32

SHA1
cacfc6cf07e179b059e152383f4e54960616fd69

SHA256
a3891fe1bdfc9e14dd9221b05945b2e0702e8f4a1a51dd5e45032412a511db06

SHA512
3a22ab9b9d9fb8c376a760257b9feb91bad7805ae2469038e898fffcece08e42d622aef2c8969ecfbbd6d786804533abd34b3c8e3f35ebec83e4e3afaf6c8cfd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
9KB

MD5
30bae1a35cd3fa425cfc76efec6be17d

SHA1
d05e2e05b3a4ae2b8b9254815e385db1dcd365b5

SHA256
97b2fbd4a2433b305439352f4ed46843e4be8f5451a53771dc0fe077d9a6380c

SHA512
64d1fce676e547952b060103827a7530b1f0a942461c55a4805aaae57929336efc5c122c54979270c0f1f736a88213560f9b23164ce49087dee7f448ce2587b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
9KB

MD5
5fd4a9e9f66aeee355365e2e8dff94b1

SHA1
4741295d8832268138831c84ba77df56b9d7f079

SHA256
fa643eb509874f262a2f7a8eb71b58563c3a00e1f5afe03f13ec8ebc1cd4cdc7

SHA512
c8d6b17324424127624588390d1d200d44d00455eaf53d3d74829ecfe9fb9bbf5ba88f10e50d0a13b496211b5b13a2845c418b4e081566e25b7494f61f6020c8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
10KB

MD5
6bdcd75a80439fd208a98e0ba8834017

SHA1
fde9e8f417964b3ec5a8b7f203abed2d7a9cfebd

SHA256
0d0f7ebdf6b2fd718f0b75f837060142b674abfaae1abbe776eb0991977825c4

SHA512
e52ecaeedd0e4634e6c868c29a74ff664785839ae4035ba2d1a88e8f4c223e21c96d9860d196224b88693d39619b6fdaaf6db7c3ce6fe6c3c2c6967254d63e72

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
9KB

MD5
18ed909966f84343a797c8028eefaeb8

SHA1
246194288c99309da823d3191bf3cd6a93268379

SHA256
d2fa43a4e46309b50a608264a13247c96e588db42377d2b0247d2bbd0e78e645

SHA512
8b908b2c851cf315b3d68f242cad963f3aeea78c20afcac45b091a1abbd8f5e6d2db674514541d3c2602e2fc727fa7cbc024e9cb442744143105c278afbcfdac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
15KB

MD5
9b40bfd84256ceada9a70076bfee8b61

SHA1
c47cf132707785a47b6eedc9e1e14ee16ee9c37a

SHA256
50562228fb149ec87c2fdd70bbd155e9a80647d950700ea37a66c3a3d7305218

SHA512
50e0c68d525fcdaa1f82ebf1223cc908549b0317ae5ba41e7c0aed693e27e77040630f93b4c5ffef8f6f10adfdc0b434ce0d4efabe741519c8a1d0139c6c654a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
205KB

MD5
6773fec9f9d9e0d0f4cc67a0a0bfa497

SHA1
0fb7d28d00e7450dc90eafc19923e0c20ffc637c

SHA256
741f770bed8d42c7c9334d8f25c9522c1c64436702ee4240e764a0714dbaa02a

SHA512
871cca199a675a167e14f62515c2c1d35afb153337f3f74ec7bd757e65f2d2998f6641045c9e415ad5d9c426ac09160ab2199a7c64701d14b5f59e570cab9967

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
205KB

MD5
815406df8154a42b2ed63c1451a9c359

SHA1
9b9c9def58370f53cdd930994dcab948f8c0fd43

SHA256
cce95197e4a98d0d5b5b657d41670fbc3501f331304f96ffed4c654c6bf4cb2b

SHA512
1360ab66ba10b9aaf262e56d282dbcf9116c0bf2358f70efbac1351e54089c35214851d76ad7bffdaee1a6dfa6bac0426704cc5a03a6ba36c9f9d2c9e723962d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
205KB

MD5
225381404a8299e61229e764c9f66747

SHA1
ba26e97e7e5c8b511fd44ea07671eaa5364e6820

SHA256
a054b3a8b9fb1aabf7bec0db258fde95dc696e91768f0856fb0d3c76bc2905eb

SHA512
a8dd1817bfc14b92082d3855a421a41219b118a3c017597d4e49cb56864932762af6273f5ccf4e6edd9c3c6620909ff7680196787afb6c4cbdaa0646510627a2

Download Submit
C:\Users\Admin\AppData\Local\Luau Language Server\server\index.js
Filesize
6.1MB

MD5
6b1cad741d0b6374435f7e1faa93b5e7

SHA1
7b1957e63c10f4422421245e4dc64074455fd62a

SHA256
6f17add2a8c8c2d9f592adb65d88e08558e25c15cedd82e3f013c8146b5d840f

SHA512
a662fc83536eff797b8d59e2fb4a2fb7cd903be8fc4137de8470b341312534326383bb3af58991628f15f93e3bdd57621622d9d9b634fb5e6e03d4aa06977253

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\WaveBootstrapper.exe.log
Filesize
2KB

MD5
ebb67c89c3d4eb103fff16a4e76ea76e

SHA1
f9c7d4633305b971bd774e22c9b8885870c41b45

SHA256
4dea672914bb09196c2e33d23e412dfaf1411c9f699591950ce164e360ddd0e6

SHA512
822aa9517f78c240c118dd0381e0fe95c584317c5b3b06d093578c718e6436da41c3c47795bd513d1cfa90a7192e8c4e91b1b8a4dba0faf5d3b22e3f4b122bdd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
111c361619c017b5d09a13a56938bd54

SHA1
e02b363a8ceb95751623f25025a9299a2c931e07

SHA256
d7be4042a1e3511b0dbf0ab5c493245e4ac314440a4ae0732813db01a21ef8bc

SHA512
fc16a4ad0b56899b82d05114d7b0ca8ee610cdba6ff0b6a67dea44faf17b3105109335359b78c0a59c9011a13152744a7f5d4f6a5b66ea519df750ef03f622b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
9753bdd0e3b37678d87044dfd3ffeabe

SHA1
cb6a2a97b07f26590ecada046b4a037431552d52

SHA256
b5a8c9755ed152a71de2066489da777762bf054f6368d82fad02121d0587f3f9

SHA512
46c61c9d99a9be26d7b496ba5ae9cf544752d75677813c70dc9f419ffcf1769911405538042e782d37f3f9b0372de53e98e31edb68638d2618ddbf0f621570f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
177ceba495d72ea5420b08343f5fa7fc

SHA1
31e56ace4e1f130f897f072dfecdb113c6b68fe9

SHA256
67758043e08114016c317f6dc0151f4d16ed15622da5d8d83af007e5ab892827

SHA512
ebee321c029178ef455e42e27bb63ecccf5aa80af8c8b32f20925d7d33a5ed0ecd5315fd2eaf3399255bc4236f39eeaaecb057be040692b1c341a4e733f71359

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
983cbc1f706a155d63496ebc4d66515e

SHA1
223d0071718b80cad9239e58c5e8e64df6e2a2fe

SHA256
cc34b8f8e3f4bfe4c9a227d88f56ea2dd276ca3ac81df622ff5e9a8ec46b951c

SHA512
d9cf2ca46d9379902730c81e615a3eb694873ffd535c6bb3ded2dc97cdbbfb71051ab11a07754ed6f610f04285605b702b5a48a6cfda3ee3287230c41c9c45cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\7058e3da-dd7a-4e70-93d9-c8ba3c5697ac.tmp
Filesize
2KB

MD5
a0a9ca0b7a365a304f492b7b19b00262

SHA1
324a18c72d56f2043e5298632d2cb7109a2e4373

SHA256
c860c94602645b14678d9d997f1325b875de596e36175f1077b5d757138b4eb6

SHA512
a253439725b6d226c11c2053d22dd18db9c512a376db03635ce718c134e84d700b87f925f42fac5e8182c1a0a759e79316033eff2b54c82392e54b976fed0608

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002
Filesize
41KB

MD5
f3d0a156d6ecb39d1805d60a28c8501d

SHA1
d26dd641e0b9d7c52b19bc9e89b53b291fb1915c

SHA256
e8be4436fcedf9737ea35d21ec0dcc36c30a1f41e02b3d40aa0bfa2be223a4a3

SHA512
076acfd19e4a43538f347ab460aa0b340a2b60d33f8be5f9b0ef939ef4e9f365277c4ff886d62b7edb20a299aacf50976321f9f90baba8ccd97bc5ac24a580bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003
Filesize
67KB

MD5
ed124bdf39bbd5902bd2529a0a4114ea

SHA1
b7dd9d364099ccd4e09fd45f4180d38df6590524

SHA256
48232550940208c572ebe487aa64ddee26e304ba3e310407e1fc31a5c9deed44

SHA512
c4d180292afa484ef9556d15db1d3850416a85ad581f6f4d5eb66654991fa90f414029b4ce13ed142271a585b46b3e53701735ee3e0f45a78b67baa9122ba532

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004
Filesize
64KB

MD5
d6b36c7d4b06f140f860ddc91a4c659c

SHA1
ccf16571637b8d3e4c9423688c5bd06167bfb9e9

SHA256
34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92

SHA512
2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005
Filesize
63KB

MD5
710d7637cc7e21b62fd3efe6aba1fd27

SHA1
8645d6b137064c7b38e10c736724e17787db6cf3

SHA256
c0997474b99524325dfedb5c020436e7ea9f9c9a1a759ed6daf7bdd4890bdc2b

SHA512
19aa77bed3c441228789cf8f931ca6194cc8d4bc7bb85d892faf5eaeda67d22c8c3b066f8ceda8169177da95a1fe111bd3436ceeaf4c784bd2bf96617f4d0c44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006
Filesize
19KB

MD5
76a3f1e9a452564e0f8dce6c0ee111e8

SHA1
11c3d925cbc1a52d53584fd8606f8f713aa59114

SHA256
381396157ed5e8021dd8e660142b35eb71a63aecd33062a1103ce9c709c7632c

SHA512
a1156a907649d6f2c3f7256405d9d5c62a626b8d4cd717fa2f29d2fbe91092a2b3fdd0716f8f31e59708fe12274bc2dea6c9ae6a413ea290e70ddf921fe7f274

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007
Filesize
84KB

MD5
74e33b4b54f4d1f3da06ab47c5936a13

SHA1
6e5976d593b6ee3dca3c4dbbb90071b76e1cd85c

SHA256
535fc48679c38decd459ad656bdd6914e539754265244d0cc7b1da6bddf3e287

SHA512
79218e8ee50484af968480ff9b211815c97c3f3035414e685aa5d15d9b4152682d87b66202339f212bf3b463a074bf7a4431107b50303f28e2eb4b17843991c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008
Filesize
1.2MB

MD5
540af416cc54fd550dcdd8d00b632572

SHA1
644a9d1dfcf928c1e4ed007cd50c2f480a8b7528

SHA256
e4e53d750c57e4d92ab9de185bb37f5d2cc5c4fcc6a2be97386af78082115cbb

SHA512
7692e046e49fcde9c29c7d6ea06ed4f16216ec9fb7ea621d3cc4493364743c03925e74244785588d1a4bfc2bedd32b41e7e66e244990d4076e781d7f4bbb270f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000013
Filesize
51KB

MD5
ee37244c496400caa7613f9fea0f28b7

SHA1
443088aa8e11f362603053a6938b4e157ee08d67

SHA256
9dfa9bc4ca849ef67bc8d091cd263adec66313fe80eb1a194f8b90e9dec782ff

SHA512
cd9de70b87536e431a536dac11f385202a196c0f752088121bffe13c7b2040e3da1e459cc7e0f72d7393aea81373f6dd45652e0c341a51daf885b8731bef9dff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000024
Filesize
20KB

MD5
18df7928a52af11d173dcef857512442

SHA1
d157427eb9f62a54a8ab0e96086f11950fb1059b

SHA256
3a8211045d40f79825327521a2fbc95d17d21962df0f4c9f9b9ae77bd2b7d51f

SHA512
d19d2fba70f9215d593a1287af67a025ac2992f7e279253d43359fb93ce8aa9e5585327daeb0dabe5a8c777d8808dec990e73e48253abedc7f823029ac6f3aac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002d
Filesize
63KB

MD5
a2b03561cabc0d346e9a6be3f5b11b5e

SHA1
ba0aea2acc1c20700c4c09c5b2b8d0bfbd33ce6b

SHA256
09588f4db755d8d88d9e521f5189d97c2ac781ee7ad782bb0c644eb9f69feef1

SHA512
3602c58bf569bbf22d2a559f0a62c4ac8d6c9868dd956cf0d75d694d104eaf2f82d22c9427636a46ec82cc24e758ad1eaad75fab771ce843308c1b2fe57c6ddb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00003a
Filesize
211KB

MD5
e7226392c938e4e604d2175eb9f43ca1

SHA1
2098293f39aa0bcdd62e718f9212d9062fa283ab

SHA256
d46ec08b6c29c4ca56cecbf73149cc66ebd902197590fe28cd65dad52a08c4e1

SHA512
63a4b99101c790d40a813db9e0d5fde21a64ccaf60a6009ead027920dbbdb52cc262af829e5c4140f3702a559c7ac46efa89622d76d45b4b49a9ce01625ef145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000064
Filesize
30KB

MD5
4d97cdc610097cb2b94c4869a1620256

SHA1
a6cda837a8d8713eec24eac6d573ed8bd604bc1e

SHA256
c15d098dd1bead228eac61bbf399c4aad9cea830403e6a1a954c8113b9672e8b

SHA512
0e97e1088be2c24909c5a0f09cda14314596d184a14a30fad3ac4eba879a0159ac6dcbcc95e563df5c1ae3aa52fbf9f51ba404a4bae189469fe7e364118cb956

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00006d
Filesize
20KB

MD5
64cbe9bd3451732dc33c4d6a63cba992

SHA1
751b63971d4c34f0198900a65c30f05d78cc93af

SHA256
8ed384eeda895127e87014a54f73ed782d653980eef52a0d5a030cd4007500c7

SHA512
b0cbb5f3a5301b55c3e63608d9dc41eee27e3a9ccd7e70721723bc09a6bd0ecf9ea1696884aeef71df4af86d6c3a63c8f36ac8c9a67ea3a4b1e9864f902f4cb7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000070
Filesize
57KB

MD5
706921470c4fbfc08d38b212a8522a23

SHA1
7c1713bd323ed0f6b5053e930713de6b192beb4d

SHA256
712d3159611ea65baef38bf0ad305613a0329ea416650f8209e457f4dce36c7c

SHA512
b8ae188838cefbe20935af6634d9fb43e7b65c320142b5c57aff434bc14e685a75e306c7f749937bb08004372df83a5bcd6054ca0991dd00a49a0dfba415efa2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000071
Filesize
20KB

MD5
d834f8c84ae2caf1d826424ad16580b2

SHA1
abf084cde4603bd2a8a38635c1e4a4dbd189f3ff

SHA256
2afd8b4aada9e0d65d38e52e1ddc128abb12933d2f19449ecc31be9ccf9eed62

SHA512
65e8578b2445a8cd20808e6e228b5ede28c28f979fb042486bc3b7b52ecdbe277b0473907305fdebbc62b9ebb8b4e5540639041b0ce9129b80272b54a8b5a688

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000085
Filesize
47KB

MD5
015c126a3520c9a8f6a27979d0266e96

SHA1
2acf956561d44434a6d84204670cf849d3215d5f

SHA256
3c4d6a1421c7ddb7e404521fe8c4cd5be5af446d7689cd880be26612eaad3cfa

SHA512
02a20f2788bb1c3b2c7d3142c664cdec306b6ba5366e57e33c008edb3eb78638b98dc03cdf932a9dc440ded7827956f99117e7a3a4d55acadd29b006032d9c5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
3KB

MD5
dc8db1122e32ac56ffc05f6b346689e2

SHA1
d627588d397e261191438ca965dd8bd011d90aca

SHA256
811c163a2e20f0962940bbf6ff3770a361857d32014e45616516ea2d723e74f5

SHA512
6fb59e9b6749880128c584774e2a4a8cc4cef8f72c6a2733e850a91c6c1715caf54cd368d21033ca1b3d6a0674fee72b5041c1cec826eab331cc4358d0963a06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
2KB

MD5
df8d0011719f92e9468af8ae8d95378a

SHA1
afc9fb25cc03585fc847eb5fafe950059d3f0d52

SHA256
90030c72449efcfcf1ced18c55418b461d7f5867ac5851fac47a92e586e85c66

SHA512
7d73b2a3410930d0ee3b4bf3101ac1adf0533b1b5a9c93df1cdc22ad93c2cba2bf0cd423d2ac4eed101253f1660093760fece214a670109811edeebb688d0c93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
3KB

MD5
09854d4f402e648aea3b2e3c69b9fd6e

SHA1
980a4b62c785d334abe8b5cdcd06038dada4b347

SHA256
5a87bee7a107c32fb4b3bf3d661ebc620a2f58457e62d3d444321b1d86cd3612

SHA512
01f7e513610c7692758297dbd137b2eb965cd9062192b5f759ab04968d4401f3c641d9c8b68951ac4b776d54d9bdec8e1f7661f4a6dddd4fe98f83cd41148e05

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
3KB

MD5
e4239f8ffee87cd3c0d3ca4e71a8fb98

SHA1
b601973e2d97e50738b26cb008c5ab7bbe344b0e

SHA256
45b55c6caa8f837e642fd3d71fc2f14f31f5552e359b597080b7b81cd11eced4

SHA512
6282063cf765249f7f5259074e430482b29a709265bd49b6a183119e2ab6abc79cdd7a7065d019d94ac9bc4502d5ac5cf141677a9940a963a8a29379ad1e5fdd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
3KB

MD5
d092ade144315497f027114106289d1d

SHA1
9cc4df445e1a6fdc42f33333a4ffe197f3ea2b67

SHA256
2bcd6b05027a2776a30a15c0153ba9b9bd4d76216d184686713b2d83978ca623

SHA512
f84fe897f2b92a21a26517d4cf4e10eab71e57df55e4d03b66c50e31bb3c9f311e8bdafa15c78774f8d90daa9264fa8a86e95f3a46ed5696db9c8621b06066fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
3KB

MD5
4ac4d287f0420d74c222563e9a44cb38

SHA1
217877c053c78cff465ced15dd8fca634d2f38d6

SHA256
6d8dd09a15af3f61601a44c43b9ae43dfebac5c0d93b9d2e91a2aae28089fdca

SHA512
32e5ebb1196f91d39e64a84da4ab309cb08fa163cfc6a0eb9efdd2602040ccff94151747ef9bed875feb473fd950d39593f35fb0958474c57fd5442ef322cca7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
4KB

MD5
c8fdc84e38974d6a1ecef83ce8d15de7

SHA1
dbf2dda531b5d7010777f5c0f90734842516d2c6

SHA256
4e88d15fcecef5d7e05ccc3e99e4845b631259f2df44eb2793140da2da502e6d

SHA512
aa1bdd85b46c8a16ec638e57a92b0614870e724d591056ec6fe7acbe855b048da4e0f8168ea376295bbf90afad9be4e76c286fb8793eb19852e6358cc539f2ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
8KB

MD5
9912b265722c9df61a2cc8e94988c2ad

SHA1
b1115736d1f1f15b1ebb4eed4684c556079c3b7d

SHA256
a3a5b00a2e85cbe9fcc6adbbf01908b81fc8b6001c7d63d2b133a01ffb914339

SHA512
bb2abfad962c6e507c2d869083e3441f8b9ca2a4f6151816ea18601952c2ee7692d2d8b4d88d2c23fb9d05e1d6b550b0d2424ca5d445f9017afb02885e647e61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
8KB

MD5
41c6696e8e84623a12515f741f7e1d08

SHA1
f9569ae530a530e890f85a43212fada8043103dd

SHA256
d462ae3ad3380c260963e73ec5b97224b47dcdf92b6529a81d6bd8a1b844f8f0

SHA512
7521bfad626e33dadf7669b3c857b0d5119238cc417bd6fef58cd856b55a4a906ff943fd0ebe5a81ba546ac645e755d7bda47747abbea182f2f9d43cd169a5c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
9KB

MD5
4631616f4d940f1212c9b73d9ba2cf39

SHA1
f0f37afdc32b8e973bf9b106e25b637442bf3b64

SHA256
721f2553774bd55d026ccd3ed608b2dbbc6a0283eadab3699cee97824e6dca68

SHA512
f7e18a42e4193cac6d256cb2dcd31fe56bb63f016994306b58d080efd4a270954069a138c59236c51dc12a31d50dad6d25ae0f39feeb6cf25c97386c09989d2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
c11654055eba29f29b085ade86475084

SHA1
31c448ba01f8d040236b04fc8064abcdb0715966

SHA256
601dd4db3988d3e7c9a41086ad5b4ca0bef42e8e3a768c0b46a14a07d8e535f3

SHA512
dd1dc06e4c4bec804ccb3f6e00979c1f34eeda415fa6d31d5c2ff51dc34adea4d6c5a12767af843e8997db863ee4b8a2002afe610e6ac04c72df40f4b81065f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
9KB

MD5
87bb62dd794920cd255fcb1f47310f58

SHA1
e5afbe9c7ead3f8ebe8dbe5b1b34d8db126153e3

SHA256
db7ae4e03df40447dbdcea26b511a36e938b00c6909de337369099b8c2bbea2d

SHA512
acad7f7953f9071ccec45c47642fe36d13b5466b6f1afcf1ea3199ca0cf0f7b3ca4fbfda4e913b1e04c04cf41968e9e8188b4bab09656f71f253e59a3ff5826b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
9KB

MD5
672e00fc12b096c4349f120c4581d768

SHA1
7b71f883908813de99a00a9640e102621e1f9c27

SHA256
486c964096056dd445de7234aa464ed1962b855e1d88cb0f687e585d9820a3b2

SHA512
bc5191cf08b05cd322388b578cd8b8af6b1bf4959d38911591f392a7c96698b8c133aa563d145dc3400b36e1d875d5a0d79d1054d29b372430b752716edf091a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
92d6bf81e0d27bffb30d581a4d11fe00

SHA1
29f3515e3eb1d1abb515f644b3e63163431bace9

SHA256
9e74148fbed1c6e14903041a412c3d87a6d86c3069f9f70d1761ef8c9b03742c

SHA512
4a464b5d1d47b3ce8907d027c343c196d65de8b0d1709a8c0ae5b679dca758649bf24a918c6cfa00bdcc1128a2966cea4a8fe8e142d9f5a123577d17474f70c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
15KB

MD5
a5c6b04950f31e68652895eaad8743a4

SHA1
0fe366c502c4c0647242a30abd6220a55afc6735

SHA256
a6cd02fb5f49f52209153b3ceed297b45c84b942707633bb2c857dd09f34dde8

SHA512
e6d9c143b6189b7a2327bbfe39f973aa8798c5b92a6bbfbff92f0b4e56fe20088163f89da7cee1932b679055224b2543e709a96ff6303f2b78f73d0cc3b968bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
14KB

MD5
86c14984ea80aa81bb1247985a1bf561

SHA1
14a7bbfebe19f6f1c4b63ea2936aa2d652706b44

SHA256
145296f61e76f01e399c17c7b06fd623236b3fb9fff5d333aa403dd0f0a1b485

SHA512
82d1db55682b70f4fb2c5da6fb8bd9cb0a69f5413732eb2ce56c5ace831fd41ff8a88d30fae97a95e78629c44e932f2bef8bf021e5efe852b282456e0d86203e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
9KB

MD5
eb8c99d53ce9547dac94a8aefa4b7173

SHA1
14d51e8bedfef984e8f01831787ebfb1d105e1a5

SHA256
68b58bd5c3cc5bf9812230faccdfd128b29653dc95195759a2f7f1c92f493588

SHA512
e4cdda485e3b3da95441c62e69a0fb89b457f43b5d620a3569383717f4a8a60048d7948e591775a58bb1075a83e4c418955cc9736228ec38cca48e6ae14c6b79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
13KB

MD5
712ae55ce6c95c02adffbe100fea620a

SHA1
e02350b105acfbb338a300b4f92cf98bb9ce906b

SHA256
d70cce193b6a4328e14cdc719a6d4135584993c3d4c007b028137269c9a5b597

SHA512
05ca2f4dc6e91eac6579afe8d1965486714785de03b3d10048dc294253d33bab48d02c3d3cd6f6902690d73563c2eafa09a7ea8d586db6c5e231faab6cd15dd5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
2KB

MD5
ed8aeb8cf5bcfb17322b7c8f4355d338

SHA1
5013cb0842439d16d8d5c966b960f19fb4858f5c

SHA256
064b9b3b0ae1e225abd005f3cf8ff480a7c386985fbcbf517c3e30a50a71f560

SHA512
3305bc8020df038f0a2da684da5574f9a1f775e385c99963112158c92f4b91acd32f9df45c7d37f8c086f0cbb1fa76a4212a0413987bb08e16c6cd4b11a25fc5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
2KB

MD5
ea0bd47c39ef4629d7491958b8cfdddd

SHA1
6e2b7eaaf7023325b58d1dce48db2e90498b83d1

SHA256
49010348a4e37c9156838dabc92896e2ab522d1280ededa095eb25ba5d54bc64

SHA512
9879f26935a520996cb42909744526d4dc0086952d83a9ff692ef0564bb469b9e08048bd5ffb04c71fbb2fb892ddc340fad75ef54d28bf1b12e33d4dd0ef59ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
2KB

MD5
995d5331baba3fe6582292abc30f4597

SHA1
a1f33e816c5d8abc6bcf059341c9b53a1428c2c0

SHA256
1c0abb1bd9ca4bf81676ebd30c64373005bcfde38de4ae2dde36be1d06bad25b

SHA512
8f900e47f8ddf0f460d3efb1824bcaaf44e87a3e0b8c2720eca2e61c644e5f8b2fbcbe25d876a7a06a51d14b5a3e3774d0e70658f169c916540c206c8b53ea1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
2KB

MD5
0a1574a5898be8767b919cd6198c0b76

SHA1
6b70020f30e4ce6da359abd42549538d16140d2d

SHA256
d787f97bd84caae5ae404d22fb347f27755c8108ad80ba41af7b1439b0b92852

SHA512
f48a4f2b278ce65e240383ff67d61ff19bd197acb6149145d52acbf7b34b2eef6a53fdf07da40d2f872d11e182f33038c41bbe11bccb479ea71f27d8b006eaa4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
5KB

MD5
b832cda7388063cced593c43240b37a6

SHA1
78dc4e28308a19a446c565952f15507b5852b789

SHA256
c0b90665f3d20b1cd51d9bd6b0473044818fbe46abba13739988a5c4423ab43f

SHA512
cb573f55bccc9c3a593a1188c3c783d0c2f24d3ac2888d7a61e6cf0e285a1dffaf27304919d85082e3cc05d50426851e020d72979f27c1991732d6dc922ad369

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
2KB

MD5
9e900dac6d5b5477632463f30dba601a

SHA1
fa9cac946b5e874e8b031971ac1c6ab75003a02e

SHA256
963b1621f5cac32c22584ef63ab419a9cd00116960527b868b2a844730edc65b

SHA512
dbdd2d0c5196000a21f5d7a7460123ce2c5150c7e45eb902240fe92220caaee68d8981d857e312c2b8a29ec6615e049014b6b00c3895c44ac2275cfdd6f4e27d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
5KB

MD5
5a88b1b62537f2ec018f1be8bb412e32

SHA1
dcea1f0a21271b2e85ae21e5ddf90120718467e0

SHA256
48317ee42e717ca2985daa6d87811a06c5b66b3f5da62bb28d6e762b43446b8b

SHA512
844a6f45cee0425aea10b7bd4b9b02236b70f21ec04dbf0df6a9af477ed41bb5e7983e5bfc9611c2b8bb96ea2730473b66f27c05d2888e1a2cca7f47a51520ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
5KB

MD5
139422158994937078566478e2a95d47

SHA1
b71e07dbc37dfdae583877add89ba3a96b88c0f3

SHA256
d5e4cf6ea53014922eee0b5bd9054ccb0912cdc07f2d5ff61bc04f3d01af98cd

SHA512
ffe3de7d7003cc418368e810358d2b2ba503b122335afa75cc1d49390562dfcef8c14c923aab6ee1638e635bb0ccd7fad68d2fcfb3bc0d01ac311d79d92e70d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
2KB

MD5
8b19cff5052ece164142b7de89895a80

SHA1
82c516d998724453db197c827790a735b3deaac9

SHA256
a52b441d4ce540d7de19efa9da2b747b0c660704752469d5a6e97540626d02bb

SHA512
faf2896574a80fc19f80ae7aebfcb8dad697bed44df3c309517569036aa687844ed27a1dcc2dbfd20477fe2660154891361dd4c3dc0f1456e1cb9d078156be2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
2KB

MD5
fa9571f68dd87ed0f40b4c419d16577e

SHA1
406eb2d172fbbe8994c0dd11e3c2432ecc3599f6

SHA256
6d981f635087eb65c966c5b7a1993cdd25df6d3a6f2529c222b8f9ebb2985013

SHA512
98687b04d4cf3509dce776330a4a90406a38465c274915c31cc9c109856619054d8883aa6756e3a94c2f5f11ecfa5fd4332dd4752c8755e56a0f3d1b1c40ed99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe592dec.TMP
Filesize
538B

MD5
9f243e26be838b1e8070438ea0ed59f9

SHA1
760c15f1122b605b848cb6f1e7f4645c8cc4ded8

SHA256
4584982ac9520e0feea7155b8dbdc5f1fbde580f87bbcfbb01867eb759973388

SHA512
07b1827f5e2d0f49e9092f498303ab31616f2b244edfb421bf16adeb81d7b532d47b41903ff5b6e203912161763d8b9b29f65687113257ff41692abe1b0f0b22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\f6a6b5c1-d4fb-4628-8dad-3bd4aadb9bac.tmp
Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
318c269dbf3096b357ca4d9f29ac2631

SHA1
593c82c248c091bacc6e7cf643b16f6734a02f68

SHA256
53a46c559a17956973cecc257b072140553dd520e2d3c1bfeccdb28e44092d1a

SHA512
09712a3076c507a0b4e30b93e2201ce6612a1382acad2a757f0028ca8c8bc55080e91048973c1f72dbfb45789eb60ba4d385e82717cb8139fda0cdf8e54dd26d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
6fb853182b8d3b9618fceb27d224c0e0

SHA1
0656f55250b699ef97278cc56dfa4248cb05a4d8

SHA256
ea9b39be05332675ddeb6a9e24fa0ff2952f63371950b3bc0d90eca3acb47fca

SHA512
e37708f4af0b5bd592f63bc6085c8af1be7986faf86741a22863e1cf4193491a91e23f76d7a05344675963cdfdfb3ebfe32ac88f6315430563f59e1765f7f95d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB

MD5
1d84e9ceb585f35a608b40551488e9b0

SHA1
7e8c80bae887b028d850b15bb19ba2cd32d8f003

SHA256
8805f8e6809067778b69b3b9781ef2b0de054dc233070acb4c91ac2f3f96866a

SHA512
7d3bc41558f483a6d36d858cd2a0014d1bac9574b425688ec1e63a0dc93284ff5c82897992f1eddc178173dd19a0a4b5b000c5d5ef4cd686667e8213d7080b9a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB

MD5
8f73d845f8585d372406d1f765388dd1

SHA1
a7b0c1d6c6358238527e817690782437a02d8a3a

SHA256
7136858f3e1d75f1776d1e60ea5ba8c9bdd8fc842e98dffef321475090b5c4ef

SHA512
ec6381b1201eca69f34f493c53eb2cadc1087bd2ecf23d85860f556591c07e3823ebee50a4a22502ba4ba53afaf73804cbc0b7e7e5c15fc7756167b66ad81fec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
249f44257db5555ef49afedaaa3ac6b7

SHA1
817a250644f3456702efcbef61780316fd018757

SHA256
54d90372ac16b6546e22f52f3151c1fb5d6e4407926a5546e107c3b15f49d6a1

SHA512
8cd88e64faead412909d6133b71f92738ea41baf89c7a239facbc6eb4ed8876061567287dfb06bb21f7618db07c62efc3b7542e01ca95709946aa0986ae9ea98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
Filesize
704KB

MD5
b80fedb19e2433f414a8ef87ce30f65e

SHA1
4cc3ab3a496649b8515f0278b44963944092f16d

SHA256
80dd259651c5474722e2295dac433e409b3716f7abbdec358bd3cf4f1dcf436e

SHA512
43981f3668da9b9e406915f816db0847566b360c1c49be1d456f561e27c26daa6830e4de6f58484910a30d47568c64cc5a04ecab73d4479ec3cc334bdc08d00c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
Filesize
896KB

MD5
50c09f2694e2b571c60486cfdfd372e9

SHA1
0953b665ee3eba86cec45fdb81124148bcfbbaa1

SHA256
31f766c92ddc5473412316d09d7bea0297392e33f2acdeec7f53d1a4b7f690b2

SHA512
ddd3a0e8032547cb835e831b9f4d7259d5211d72b2ecb724b4fb7c91db35995e2488d8e60500a76a6fc47e789145cfa60452891835e9289c1e0fa35a0956be27

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML
Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Sentry\565BEE8550E2E5F1B7BAFF132ECD72B7217F6160\.installation
Filesize
36B

MD5
8758e328ff2b50878904631ffcc90ddc

SHA1
6e1f9100cc116b1eb01e6aafedf5e702f64d1e50

SHA256
823a2cbb43a52119caffcf59bcbc3fbdbebf43da3bf79926a97784804463a757

SHA512
f18c300b17f799df55ad5d4dd3e81824b3828b2e89863de8d559940d4997ca3110eeb3595fead23e9a53110b830614dd21f06c2871f99f4edfc33e3e6dec6959

Download Submit
C:\Users\Admin\AppData\Local\Wave\WaveBootstrapper.exe
Filesize
949KB

MD5
495df8a4dee554179394b33daece4d1e

SHA1
0a67a0e43b4b4e3e25a736d08de4cec22033b696

SHA256
201263498c60fa595f394650c53a08d0b82850349123b97d41565e145ddf2f42

SHA512
ce3bef1038741f7a0f90cc131a4a1883fd84b006654024d591f5451e73166b4cae546e307c358b5b90aa0e6517bf7b6098f1f59a3ecc01598d4feb26e6b6af33

Download Submit
C:\Users\Admin\AppData\Local\Wave\WaveWindows.exe
Filesize
4KB

MD5
cef81732a759fd667ca8b5859d057975

SHA1
dd9f114c04bbab69b3c228e9ad91accbb80073bd

SHA256
b9bf0bd32b13eeb923162c3e428a00284dd898c6c62dc4aba0d1db39a35115e1

SHA512
a9e9477a8efd043a5e88c634bb6e2fc4094ab17a8d4a0cac227c836a39688926391ce6f6f350b52d995368159e73c67153471f3331c1014ebc9ba69104276d22

Download Submit
C:\Users\Admin\AppData\Local\Wave\WaveWindows.exe
Filesize
8.0MB

MD5
b8631bbd78d3935042e47b672c19ccc3

SHA1
cd0ea137f1544a31d2a62aaed157486dce3ecebe

SHA256
9cfda541d595dc20a55df5422001dfb58debd401df3abff21b1eee8ede28451c

SHA512
0c51d6247e39f7851538a5916b24972e845abfe429f0abdc7b532f654b4afe73dc6e1936f1b062da63bfc90273d3cbc297bf6c802e615f3711d0f180c070aa26

Download Submit
C:\Users\Admin\AppData\Local\Wave\bin\Background.mp4
Filesize
4.6MB

MD5
9782180eb68f73030fe24ef6a1735932

SHA1
589827fe098ba048c9f871a28db8eae3e3537ff4

SHA256
3a1cbb800f8f25c2ab703ba8bfdb01e938e4143c3bc0fea8ca734fb5ba779ba7

SHA512
dc768638bae2d6d47d8910252ae64a656d8a6fd88efdf24165ddce51b7afdb4acb3fddd41dfe788737a2cab4fab66174db2f0d2f48bc8669af76d1656bca8be1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
Filesize
10KB

MD5
abed8f56675c8b62cb028b311ec1f5e0

SHA1
68d6f058f993b832fb11ab84ea79326179e3645f

SHA256
fea7dab000990bfa34c3ad61223e4e0d7b1e5d1a61f621f0b2b7a1a8c9ed522c

SHA512
06ffeee62d1233a97625e62504924ee8f518d7bd3dc0566a6eaca32d9d6d18591bf935b11322ebb518b626f4ad1a6e7d0831c0a5765ccb768f12bb4aa6362b99

Download Submit
C:\Users\Admin\Desktop\Wave.lnk
Filesize
1KB

MD5
6c2a291fc7ab9335fb4465615df752a9

SHA1
df4d3c0325aa73e47150c0f853d62215c0b23ab8

SHA256
00c99f986935a8e16faaa03fa838523bae5c71cc256253493d02d366504067c3

SHA512
67f2374d983869887a2660df9ce788ae0af82e713c00f82bc203cc114a22044cc9eed13b64441624e109a0cf868d815b588061467ba7a862324669f16a03e34c

Download Submit
\??\pipe\LOCAL\crashpad_4312_DEKFSBBHMDQEEFJF
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/320-1402-0x000000000BA00000-0x000000000BA10000-memory.dmp

Filesize
64KB

Download
memory/320-1398-0x000000000B1A0000-0x000000000B4F4000-memory.dmp

Filesize
3.3MB

Download
memory/320-1420-0x0000000016770000-0x00000000168F6000-memory.dmp

Filesize
1.5MB

Download
memory/320-1418-0x000000000C630000-0x000000000C640000-memory.dmp

Filesize
64KB

Download
memory/320-1417-0x000000000C630000-0x000000000C640000-memory.dmp

Filesize
64KB

Download
memory/320-1400-0x000000000BA00000-0x000000000BA10000-memory.dmp

Filesize
64KB

Download
memory/320-1401-0x000000000BA00000-0x000000000BA10000-memory.dmp

Filesize
64KB

Download
memory/320-1403-0x000000000BA00000-0x000000000BA10000-memory.dmp

Filesize
64KB

Download
memory/320-1408-0x000000000C630000-0x000000000C640000-memory.dmp

Filesize
64KB

Download
memory/320-1409-0x000000000C630000-0x000000000C640000-memory.dmp

Filesize
64KB

Download
memory/320-1410-0x000000000BA00000-0x000000000BA10000-memory.dmp

Filesize
64KB

Download
memory/320-1411-0x000000000BA00000-0x000000000BA10000-memory.dmp

Filesize
64KB

Download
memory/320-1412-0x000000000C2C0000-0x000000000C2D0000-memory.dmp

Filesize
64KB

Download
memory/320-1413-0x000000000C630000-0x000000000C640000-memory.dmp

Filesize
64KB

Download
memory/320-1414-0x000000000C630000-0x000000000C640000-memory.dmp

Filesize
64KB

Download
memory/320-1415-0x000000000BA00000-0x000000000BA10000-memory.dmp

Filesize
64KB

Download
memory/320-1416-0x000000000BA00000-0x000000000BA10000-memory.dmp

Filesize
64KB

Download
memory/320-1407-0x000000000C2C0000-0x000000000C2D0000-memory.dmp

Filesize
64KB

Download
memory/320-1404-0x000000000BA00000-0x000000000BA10000-memory.dmp

Filesize
64KB

Download
memory/320-1405-0x000000000BA00000-0x000000000BA10000-memory.dmp

Filesize
64KB

Download
memory/320-1406-0x000000000BA00000-0x000000000BA10000-memory.dmp

Filesize
64KB

Download
memory/320-1399-0x000000000BA00000-0x000000000BA10000-memory.dmp

Filesize
64KB

Download
memory/2232-35-0x000000000B6A0000-0x000000000B6AA000-memory.dmp

Filesize
40KB

Download
memory/2232-0-0x000000007454E000-0x000000007454F000-memory.dmp

Filesize
4KB

Download
memory/2232-1-0x0000000000E20000-0x0000000000FB2000-memory.dmp

Filesize
1.6MB

Download
memory/2232-2-0x0000000074540000-0x0000000074CF0000-memory.dmp

Filesize
7.7MB

Download
memory/2232-3-0x0000000074540000-0x0000000074CF0000-memory.dmp

Filesize
7.7MB

Download
memory/2232-4-0x0000000074540000-0x0000000074CF0000-memory.dmp

Filesize
7.7MB

Download
memory/2232-5-0x0000000009E60000-0x0000000009E98000-memory.dmp

Filesize
224KB

Download
memory/2232-6-0x0000000009E40000-0x0000000009E4E000-memory.dmp

Filesize
56KB

Download
memory/2232-7-0x000000007454E000-0x000000007454F000-memory.dmp

Filesize
4KB

Download
memory/2232-8-0x0000000074540000-0x0000000074CF0000-memory.dmp

Filesize
7.7MB

Download
memory/2232-9-0x0000000074540000-0x0000000074CF0000-memory.dmp

Filesize
7.7MB

Download
memory/2232-10-0x0000000074540000-0x0000000074CF0000-memory.dmp

Filesize
7.7MB

Download
memory/2232-30-0x000000000C320000-0x000000000C3B6000-memory.dmp

Filesize
600KB

Download
memory/2232-31-0x000000000B640000-0x000000000B666000-memory.dmp

Filesize
152KB

Download
memory/2232-32-0x000000000B680000-0x000000000B688000-memory.dmp

Filesize
32KB

Download
memory/2232-34-0x000000000C9E0000-0x000000000CA52000-memory.dmp

Filesize
456KB

Download
memory/2232-36-0x000000000B6B0000-0x000000000B6BA000-memory.dmp

Filesize
40KB

Download
memory/2232-253-0x0000000074540000-0x0000000074CF0000-memory.dmp

Filesize
7.7MB

Download
memory/3256-274-0x0000000005960000-0x0000000005A00000-memory.dmp

Filesize
640KB

Download
memory/3256-1216-0x0000000005CA0000-0x0000000005CB0000-memory.dmp

Filesize
64KB

Download
memory/3256-1226-0x000000000D900000-0x000000000D910000-memory.dmp

Filesize
64KB

Download
memory/3256-1224-0x0000000005CA0000-0x0000000005CB0000-memory.dmp

Filesize
64KB

Download
memory/3256-1225-0x0000000005CA0000-0x0000000005CB0000-memory.dmp

Filesize
64KB

Download
memory/3256-1229-0x0000000005CA0000-0x0000000005CB0000-memory.dmp

Filesize
64KB

Download
memory/3256-1222-0x0000000002F50000-0x0000000002F60000-memory.dmp

Filesize
64KB

Download
memory/3256-1221-0x0000000013940000-0x0000000013A9B000-memory.dmp

Filesize
1.4MB

Download
memory/3256-1220-0x000000000D900000-0x000000000D910000-memory.dmp

Filesize
64KB

Download
memory/3256-1219-0x000000000D810000-0x000000000D8F6000-memory.dmp

Filesize
920KB

Download
memory/3256-1196-0x000000000B090000-0x000000000B0F6000-memory.dmp

Filesize
408KB

Download
memory/3256-1218-0x000000000D920000-0x000000000D96A000-memory.dmp

Filesize
296KB

Download
memory/3256-1195-0x0000000001560000-0x000000000159E000-memory.dmp

Filesize
248KB

Download
memory/3256-900-0x000000000DA40000-0x000000000DF6C000-memory.dmp

Filesize
5.2MB

Download
memory/3256-899-0x0000000001640000-0x0000000001678000-memory.dmp

Filesize
224KB

Download
memory/3256-286-0x000000000BBC0000-0x000000000BF14000-memory.dmp

Filesize
3.3MB

Download
memory/3256-285-0x000000000B850000-0x000000000B872000-memory.dmp

Filesize
136KB

Download
memory/3256-280-0x000000000A160000-0x000000000A212000-memory.dmp

Filesize
712KB

Download
memory/3256-275-0x0000000005A40000-0x0000000005A48000-memory.dmp

Filesize
32KB

Download
memory/3256-1234-0x0000000018850000-0x0000000018882000-memory.dmp

Filesize
200KB

Download
memory/3256-273-0x00000000058A0000-0x0000000005952000-memory.dmp

Filesize
712KB

Download
memory/3256-272-0x0000000000730000-0x0000000000F32000-memory.dmp

Filesize
8.0MB

Download
memory/3256-1211-0x0000000005CA0000-0x0000000005CB0000-memory.dmp

Filesize
64KB

Download
memory/3256-1212-0x0000000005CA0000-0x0000000005CB0000-memory.dmp

Filesize
64KB

Download
memory/3256-1210-0x0000000005CA0000-0x0000000005CB0000-memory.dmp

Filesize
64KB

Download
memory/3256-1209-0x0000000005CA0000-0x0000000005CB0000-memory.dmp

Filesize
64KB

Download
memory/3256-1230-0x0000000005CA0000-0x0000000005CB0000-memory.dmp

Filesize
64KB

Download
memory/3256-1228-0x0000000002F50000-0x0000000002F60000-memory.dmp

Filesize
64KB

Download
memory/3256-1197-0x0000000005D10000-0x0000000005D18000-memory.dmp

Filesize
32KB

Download
memory/3256-1227-0x0000000002F50000-0x0000000002F60000-memory.dmp

Filesize
64KB

Download
memory/3256-1217-0x0000000008EC0000-0x0000000008EE4000-memory.dmp

Filesize
144KB

Download
memory/3256-1223-0x0000000002F50000-0x0000000002F60000-memory.dmp

Filesize
64KB

Download
memory/3256-1231-0x0000000002F50000-0x0000000002F60000-memory.dmp

Filesize
64KB

Download
memory/3256-1233-0x00000000116E0000-0x0000000011756000-memory.dmp

Filesize
472KB

Download
memory/3256-1232-0x0000000002F50000-0x0000000002F60000-memory.dmp

Filesize
64KB

Download
memory/3256-1215-0x0000000005CA0000-0x0000000005CB0000-memory.dmp

Filesize
64KB

Download
memory/3256-1214-0x0000000005CA0000-0x0000000005CB0000-memory.dmp

Filesize
64KB

Download
memory/3256-1248-0x000000001CE40000-0x000000001CEB6000-memory.dmp

Filesize
472KB

Download
memory/3256-1213-0x0000000005CA0000-0x0000000005CB0000-memory.dmp

Filesize
64KB

Download
memory/3616-254-0x00000000096B0000-0x00000000097B4000-memory.dmp

Filesize
1.0MB

Download
memory/3616-251-0x0000000000F20000-0x0000000001012000-memory.dmp

Filesize
968KB

Download
memory/3616-258-0x000000000A4A0000-0x000000000A4BE000-memory.dmp

Filesize
120KB

Download
memory/3616-257-0x000000000A440000-0x000000000A448000-memory.dmp

Filesize
32KB

Download
memory/3616-256-0x000000000A400000-0x000000000A40A000-memory.dmp

Filesize
40KB

Download
memory/3616-255-0x000000000A3C0000-0x000000000A3D6000-memory.dmp

Filesize
88KB

Download
memory/3676-21-0x0000029689710000-0x0000029689711000-memory.dmp

Filesize
4KB

Download
memory/3676-23-0x0000029689710000-0x0000029689711000-memory.dmp

Filesize
4KB

Download
memory/3676-20-0x0000029689710000-0x0000029689711000-memory.dmp

Filesize
4KB

Download
memory/3676-19-0x0000029689710000-0x0000029689711000-memory.dmp

Filesize
4KB

Download
memory/3676-17-0x0000029689710000-0x0000029689711000-memory.dmp

Filesize
4KB

Download
memory/3676-22-0x0000029689710000-0x0000029689711000-memory.dmp

Filesize
4KB

Download
memory/3676-11-0x0000029689710000-0x0000029689711000-memory.dmp

Filesize
4KB

Download
memory/3676-12-0x0000029689710000-0x0000029689711000-memory.dmp

Filesize
4KB

Download
memory/3676-13-0x0000029689710000-0x0000029689711000-memory.dmp

Filesize
4KB

Download
memory/3676-18-0x0000029689710000-0x0000029689711000-memory.dmp

Filesize
4KB

Download