lumma | hxxps://github[.]com/ena88parkerpsh/Wave-Executor/releases/download/Release/Wave-Executorh[.]zip

Analysis

max time kernel
155s
max time network
202s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2024, 18:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/ena88parkerpsh/Wave-Executor/releases/download/Release/Wave-Executorh.zip

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://cloudewahsj.shop/api

https://rabidcowse.shop/api

https://noisycuttej.shop/api

https://tirepublicerj.shop/api

https://framekgirus.shop/api

https://wholersorie.shop/api

https://abruptyopsn.shop/api

https://nearycrepso.shop/api

https://fancywaxxers.shop/api

Extracted

Family

lumma

https://fancywaxxers.shop/api

https://abruptyopsn.shop/api

https://wholersorie.shop/api

https://framekgirus.shop/api

https://tirepublicerj.shop/api

https://noisycuttej.shop/api

https://rabidcowse.shop/api

https://cloudewahsj.shop/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Suspicious use of SetThreadContext 14 IoCs

description	pid	Process	procid_target
PID 1600 set thread context of 1760	1600	Wave-Executor.exe	118
PID 3724 set thread context of 4816	3724	Wave-Executor.exe	121
PID 4556 set thread context of 4332	4556	Wave-Executor.exe	125
PID 316 set thread context of 2236	316	Wave-Executor.exe	128
PID 2176 set thread context of 4916	2176	Wave-Executor.exe	131
PID 4432 set thread context of 392	4432	Wave-Executor.exe	136
PID 3844 set thread context of 2680	3844	Wave-Executor.exe	140
PID 904 set thread context of 4924	904	Wave-Executor.exe	144
PID 1760 set thread context of 3560	1760	Wave-Executor.exe	147
PID 4264 set thread context of 396	4264	Wave-Executor.exe	151
PID 2032 set thread context of 2948	2032	Wave-Executor.exe	170
PID 1240 set thread context of 2116	1240	Wave-Executor.exe	173
PID 2176 set thread context of 1780	2176	Wave-Executor.exe	176
PID 3532 set thread context of 4248	3532	Wave-Executor.exe	179

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wave-Executor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wave-Executor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wave-Executor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wave-Executor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wave-Executor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wave-Executor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wave-Executor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wave-Executor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wave-Executor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wave-Executor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wave-Executor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wave-Executor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wave-Executor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wave-Executor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wave-Executor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wave-Executor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wave-Executor.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 14 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\쓄蠰̀踀\ = "qm_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\.qm	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\qm_auto_file	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\쓄蠰̀踀	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\qm_auto_file\shell	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\qm_auto_file\shell\open	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\.qm\ = "qm_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\qm_auto_file\shell\edit	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\qm_auto_file\shell\edit\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\qm_auto_file\shell\open\command	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\qm_auto_file\shell\edit\command	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\qm_auto_file\shell\open\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
816	msedge.exe
816	msedge.exe
2212	msedge.exe
2212	msedge.exe
1480	identity_helper.exe
1480	identity_helper.exe
2332	msedge.exe
2332	msedge.exe
3368	msedge.exe
3368	msedge.exe
3984	msedge.exe
3984	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4052	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
3984	msedge.exe
3984	msedge.exe

Suspicious use of FindShellTrayWindow 62 IoCs

pid	Process
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe

Suspicious use of SetWindowsHookEx 17 IoCs

pid	Process
4052	OpenWith.exe
4052	OpenWith.exe
4052	OpenWith.exe
4052	OpenWith.exe
4052	OpenWith.exe
4052	OpenWith.exe
4052	OpenWith.exe
4052	OpenWith.exe
4052	OpenWith.exe
4052	OpenWith.exe
4052	OpenWith.exe
4052	OpenWith.exe
4052	OpenWith.exe
4052	OpenWith.exe
4052	OpenWith.exe
4052	OpenWith.exe
4052	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 528	2212	msedge.exe	83
PID 2212 wrote to memory of 528	2212	msedge.exe	83
PID 2212 wrote to memory of 1388	2212	msedge.exe	84
PID 2212 wrote to memory of 1388	2212	msedge.exe	84
PID 2212 wrote to memory of 1388	2212	msedge.exe	84
PID 2212 wrote to memory of 1388	2212	msedge.exe	84
PID 2212 wrote to memory of 1388	2212	msedge.exe	84
PID 2212 wrote to memory of 1388	2212	msedge.exe	84
PID 2212 wrote to memory of 1388	2212	msedge.exe	84
PID 2212 wrote to memory of 1388	2212	msedge.exe	84
PID 2212 wrote to memory of 1388	2212	msedge.exe	84
PID 2212 wrote to memory of 1388	2212	msedge.exe	84
PID 2212 wrote to memory of 1388	2212	msedge.exe	84
PID 2212 wrote to memory of 1388	2212	msedge.exe	84
PID 2212 wrote to memory of 1388	2212	msedge.exe	84
PID 2212 wrote to memory of 1388	2212	msedge.exe	84
PID 2212 wrote to memory of 1388	2212	msedge.exe	84
PID 2212 wrote to memory of 1388	2212	msedge.exe	84
PID 2212 wrote to memory of 1388	2212	msedge.exe	84
PID 2212 wrote to memory of 1388	2212	msedge.exe	84
PID 2212 wrote to memory of 1388	2212	msedge.exe	84
PID 2212 wrote to memory of 1388	2212	msedge.exe	84
PID 2212 wrote to memory of 1388	2212	msedge.exe	84
PID 2212 wrote to memory of 1388	2212	msedge.exe	84
PID 2212 wrote to memory of 1388	2212	msedge.exe	84
PID 2212 wrote to memory of 1388	2212	msedge.exe	84
PID 2212 wrote to memory of 1388	2212	msedge.exe	84
PID 2212 wrote to memory of 1388	2212	msedge.exe	84
PID 2212 wrote to memory of 1388	2212	msedge.exe	84
PID 2212 wrote to memory of 1388	2212	msedge.exe	84
PID 2212 wrote to memory of 1388	2212	msedge.exe	84
PID 2212 wrote to memory of 1388	2212	msedge.exe	84
PID 2212 wrote to memory of 1388	2212	msedge.exe	84
PID 2212 wrote to memory of 1388	2212	msedge.exe	84
PID 2212 wrote to memory of 1388	2212	msedge.exe	84
PID 2212 wrote to memory of 1388	2212	msedge.exe	84
PID 2212 wrote to memory of 1388	2212	msedge.exe	84
PID 2212 wrote to memory of 1388	2212	msedge.exe	84
PID 2212 wrote to memory of 1388	2212	msedge.exe	84
PID 2212 wrote to memory of 1388	2212	msedge.exe	84
PID 2212 wrote to memory of 1388	2212	msedge.exe	84
PID 2212 wrote to memory of 1388	2212	msedge.exe	84
PID 2212 wrote to memory of 816	2212	msedge.exe	85
PID 2212 wrote to memory of 816	2212	msedge.exe	85
PID 2212 wrote to memory of 3244	2212	msedge.exe	86
PID 2212 wrote to memory of 3244	2212	msedge.exe	86
PID 2212 wrote to memory of 3244	2212	msedge.exe	86
PID 2212 wrote to memory of 3244	2212	msedge.exe	86
PID 2212 wrote to memory of 3244	2212	msedge.exe	86
PID 2212 wrote to memory of 3244	2212	msedge.exe	86
PID 2212 wrote to memory of 3244	2212	msedge.exe	86
PID 2212 wrote to memory of 3244	2212	msedge.exe	86
PID 2212 wrote to memory of 3244	2212	msedge.exe	86
PID 2212 wrote to memory of 3244	2212	msedge.exe	86
PID 2212 wrote to memory of 3244	2212	msedge.exe	86
PID 2212 wrote to memory of 3244	2212	msedge.exe	86
PID 2212 wrote to memory of 3244	2212	msedge.exe	86
PID 2212 wrote to memory of 3244	2212	msedge.exe	86
PID 2212 wrote to memory of 3244	2212	msedge.exe	86
PID 2212 wrote to memory of 3244	2212	msedge.exe	86
PID 2212 wrote to memory of 3244	2212	msedge.exe	86
PID 2212 wrote to memory of 3244	2212	msedge.exe	86
PID 2212 wrote to memory of 3244	2212	msedge.exe	86
PID 2212 wrote to memory of 3244	2212	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/ena88parkerpsh/Wave-Executor/releases/download/Release/Wave-Executorh.zip
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff877c546f8,0x7ff877c54708,0x7ff877c54718
  2⤵
  PID:528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,10310017381755631884,6964040745460878778,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
  2⤵
  PID:1388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,10310017381755631884,6964040745460878778,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,10310017381755631884,6964040745460878778,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2644 /prefetch:8
  2⤵
  PID:3244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,10310017381755631884,6964040745460878778,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
  2⤵
  PID:3956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,10310017381755631884,6964040745460878778,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1
  2⤵
  PID:232
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,10310017381755631884,6964040745460878778,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5236 /prefetch:8
  2⤵
  PID:2016
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,10310017381755631884,6964040745460878778,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5236 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2096,10310017381755631884,6964040745460878778,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5352 /prefetch:8
  2⤵
  PID:4880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,10310017381755631884,6964040745460878778,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:1
  2⤵
  PID:4556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2096,10310017381755631884,6964040745460878778,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5732 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,10310017381755631884,6964040745460878778,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6140 /prefetch:1
  2⤵
  PID:2376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,10310017381755631884,6964040745460878778,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5736 /prefetch:1
  2⤵
  PID:4672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,10310017381755631884,6964040745460878778,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5588 /prefetch:1
  2⤵
  PID:2248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,10310017381755631884,6964040745460878778,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6468 /prefetch:1
  2⤵
  PID:3032

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3952

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2164

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1428

C:\Users\Admin\AppData\Local\Temp\Temp1_Wave-Executorh.zip\Wave-Executor\Wave-Executor.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_Wave-Executorh.zip\Wave-Executor\Wave-Executor.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1600
- C:\Users\Admin\AppData\Local\Temp\Temp1_Wave-Executorh.zip\Wave-Executor\Wave-Executor.exe
  "C:\Users\Admin\AppData\Local\Temp\Temp1_Wave-Executorh.zip\Wave-Executor\Wave-Executor.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1760

C:\Users\Admin\AppData\Local\Temp\Temp1_Wave-Executorh.zip\Wave-Executor\Wave-Executor.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_Wave-Executorh.zip\Wave-Executor\Wave-Executor.exe"
1⤵
- Suspicious use of SetThreadContext
PID:3724
- C:\Users\Admin\AppData\Local\Temp\Temp1_Wave-Executorh.zip\Wave-Executor\Wave-Executor.exe
  "C:\Users\Admin\AppData\Local\Temp\Temp1_Wave-Executorh.zip\Wave-Executor\Wave-Executor.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4816

C:\Users\Admin\Downloads\Wave-Executorh\Wave-Executor\Wave-Executor.exe
"C:\Users\Admin\Downloads\Wave-Executorh\Wave-Executor\Wave-Executor.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4556
- C:\Users\Admin\Downloads\Wave-Executorh\Wave-Executor\Wave-Executor.exe
  "C:\Users\Admin\Downloads\Wave-Executorh\Wave-Executor\Wave-Executor.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4332

C:\Users\Admin\Downloads\Wave-Executorh\Wave-Executor\Wave-Executor.exe
"C:\Users\Admin\Downloads\Wave-Executorh\Wave-Executor\Wave-Executor.exe"
1⤵
- Suspicious use of SetThreadContext
PID:316
- C:\Users\Admin\Downloads\Wave-Executorh\Wave-Executor\Wave-Executor.exe
  "C:\Users\Admin\Downloads\Wave-Executorh\Wave-Executor\Wave-Executor.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2236

C:\Users\Admin\Downloads\Wave-Executorh\Wave-Executor\Wave-Executor.exe
"C:\Users\Admin\Downloads\Wave-Executorh\Wave-Executor\Wave-Executor.exe"
1⤵
- Suspicious use of SetThreadContext
PID:2176
- C:\Users\Admin\Downloads\Wave-Executorh\Wave-Executor\Wave-Executor.exe
  "C:\Users\Admin\Downloads\Wave-Executorh\Wave-Executor\Wave-Executor.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4916

C:\Users\Admin\Downloads\Wave-Executorh\Wave-Executor\Wave-Executor.exe
"C:\Users\Admin\Downloads\Wave-Executorh\Wave-Executor\Wave-Executor.exe"
1⤵
- Suspicious use of SetThreadContext
PID:4432
- C:\Users\Admin\Downloads\Wave-Executorh\Wave-Executor\Wave-Executor.exe
  "C:\Users\Admin\Downloads\Wave-Executorh\Wave-Executor\Wave-Executor.exe"
  2⤵
  PID:3360
- C:\Users\Admin\Downloads\Wave-Executorh\Wave-Executor\Wave-Executor.exe
  "C:\Users\Admin\Downloads\Wave-Executorh\Wave-Executor\Wave-Executor.exe"
  2⤵
  PID:1472
- C:\Users\Admin\Downloads\Wave-Executorh\Wave-Executor\Wave-Executor.exe
  "C:\Users\Admin\Downloads\Wave-Executorh\Wave-Executor\Wave-Executor.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:392

C:\Users\Admin\Desktop\Wave-Executor.exe
"C:\Users\Admin\Desktop\Wave-Executor.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3844
- C:\Users\Admin\Desktop\Wave-Executor.exe
  "C:\Users\Admin\Desktop\Wave-Executor.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2680

C:\Users\Admin\Desktop\Wave-Executor.exe
"C:\Users\Admin\Desktop\Wave-Executor.exe"
1⤵
- Suspicious use of SetThreadContext
PID:904
- C:\Users\Admin\Desktop\Wave-Executor.exe
  "C:\Users\Admin\Desktop\Wave-Executor.exe"
  2⤵
  PID:4588
- C:\Users\Admin\Desktop\Wave-Executor.exe
  "C:\Users\Admin\Desktop\Wave-Executor.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4924

C:\Users\Admin\Desktop\Wave-Executor.exe
"C:\Users\Admin\Desktop\Wave-Executor.exe"
1⤵
- Suspicious use of SetThreadContext
PID:1760
- C:\Users\Admin\Desktop\Wave-Executor.exe
  "C:\Users\Admin\Desktop\Wave-Executor.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3560

C:\Users\Admin\Desktop\Wave-Executor.exe
"C:\Users\Admin\Desktop\Wave-Executor.exe"
1⤵
- Suspicious use of SetThreadContext
PID:4264
- C:\Users\Admin\Desktop\Wave-Executor.exe
  "C:\Users\Admin\Desktop\Wave-Executor.exe"
  2⤵
  PID:1520
- C:\Users\Admin\Desktop\Wave-Executor.exe
  "C:\Users\Admin\Desktop\Wave-Executor.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff877c546f8,0x7ff877c54708,0x7ff877c54718
  2⤵
  PID:3916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,507219470440614664,10695952411228701540,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2
  2⤵
  PID:4752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,507219470440614664,10695952411228701540,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2456 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2160,507219470440614664,10695952411228701540,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3148 /prefetch:8
  2⤵
  PID:744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,507219470440614664,10695952411228701540,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
  2⤵
  PID:3224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,507219470440614664,10695952411228701540,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1
  2⤵
  PID:2656

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4776

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4232

C:\Users\Admin\Desktop\Wave-Executor.exe
"C:\Users\Admin\Desktop\Wave-Executor.exe"
1⤵
- Suspicious use of SetThreadContext
PID:2032
- C:\Users\Admin\Desktop\Wave-Executor.exe
  "C:\Users\Admin\Desktop\Wave-Executor.exe"
  2⤵
  PID:1084
- C:\Users\Admin\Desktop\Wave-Executor.exe
  "C:\Users\Admin\Desktop\Wave-Executor.exe"
  2⤵
  PID:2464
- C:\Users\Admin\Desktop\Wave-Executor.exe
  "C:\Users\Admin\Desktop\Wave-Executor.exe"
  2⤵
  PID:5040
- C:\Users\Admin\Desktop\Wave-Executor.exe
  "C:\Users\Admin\Desktop\Wave-Executor.exe"
  2⤵
  PID:2248
- C:\Users\Admin\Desktop\Wave-Executor.exe
  "C:\Users\Admin\Desktop\Wave-Executor.exe"
  2⤵
  PID:2144
- C:\Users\Admin\Desktop\Wave-Executor.exe
  "C:\Users\Admin\Desktop\Wave-Executor.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2948

C:\Users\Admin\Desktop\Wave-Executor.exe
"C:\Users\Admin\Desktop\Wave-Executor.exe"
1⤵
- Suspicious use of SetThreadContext
PID:1240
- C:\Users\Admin\Desktop\Wave-Executor.exe
  "C:\Users\Admin\Desktop\Wave-Executor.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2116

C:\Users\Admin\Desktop\Wave-Executor.exe
"C:\Users\Admin\Desktop\Wave-Executor.exe"
1⤵
- Suspicious use of SetThreadContext
PID:2176
- C:\Users\Admin\Desktop\Wave-Executor.exe
  "C:\Users\Admin\Desktop\Wave-Executor.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1780

C:\Users\Admin\Desktop\Wave-Executor.exe
"C:\Users\Admin\Desktop\Wave-Executor.exe"
1⤵
- Suspicious use of SetThreadContext
PID:3532
- C:\Users\Admin\Desktop\Wave-Executor.exe
  "C:\Users\Admin\Desktop\Wave-Executor.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4248

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4052
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Wave-Executorh\Wave-Executor\qt_de.qm
  2⤵
  PID:5008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\463a3a07-b406-4ac2-a2b8-f886ebab688b.tmp

Filesize
10KB

MD5
ded7e4e75bbd803438cf4f9a46044c84

SHA1
56a12e012e94355486443474e6fb3a251f348876

SHA256
d538bd5e99b6e85b2b2f40222327432cf27ffe6afc46cc5fc08b35328f7f2254

SHA512
6ea79496e796cbc0fc8401bc9a1f120e68b79b2129b8b3de891769a95735efe5119e9c5ac2ce6f035b39cf35cc8f568dbe040d2e01d5092ff261d7096d43620f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b8880802fc2bb880a7a869faa01315b0

SHA1
51d1a3fa2c272f094515675d82150bfce08ee8d3

SHA256
467b8cd4aacac66557712f9843023dcedefcc26efc746f3e44157bc8dac73812

SHA512
e1c6dba2579357ba70de58968b167d2c529534d24bff70568144270c48ac18a48ee2af2d58d78ae741e5a36958fa78a57955bd2456f1df00b781fc1002e123d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9e26da1b29a3c8cc97fe4711eb07a2b3

SHA1
b5152b6130757f920c2e20a55510b2e878f6a17e

SHA256
4fb90f4906bb05bcb697a13269ba075f02a7b3b9b1c9630fc10c34d336a0fc7b

SHA512
431ea106b2059d9d31649a82e7fd76d9e3097f88df466c50fc1a8c289b999c34d54297e0a8c0704924f4cc93a8bd925c29d782fa24be6791d2f472ffca286148

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c5bf5c93e78963c50b471adb48706c41

SHA1
a8b119e854b9e8d7dad2c42d98a596fda1b0409c

SHA256
86e1a5d7b96d12f539f55819fc194b8b516e7475e170f909402ee4ce43caead0

SHA512
d9d82a747a060970c1b400131af675b9b46c075d34e927235028b51dae49e198b633fe90cea581750e1caae22e072e2701e9be811997436377c1fcf9cf45e757

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ba6ef346187b40694d493da98d5da979

SHA1
643c15bec043f8673943885199bb06cd1652ee37

SHA256
d86eec91f295dfda8ed1c5fa99de426f2fe359282c7ebf67e3a40be739475d73

SHA512
2e6cc97330be8868d4b9c53be7e12c558f6eb1ac2c4080a611ba6c43561d0c5bb4791b8a11a8c2371599f0ba73ed1d9a7a2ea6dee2ae6a080f1912e0cb1f656c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_0

Filesize
44KB

MD5
7966c2c5ae225bb33626ced659f6a1f2

SHA1
123dc05c4d3be94827029dabf0d4ab1731d64ec1

SHA256
b30626c099e5db70b437f3f28e98916b3fea87efdc91e84162ccfe780d4f4537

SHA512
018a9d064e20d489ecd2a427271f951c4bdde64614ca9ffc7a1ae82edc4b8e2a9dfea76e69807950881249537b27185ea684942087efed25f864464bcb98e214

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_1

Filesize
264KB

MD5
de3d9db4ce9ed2668f5519bc243033ac

SHA1
1901b1aa7f45e20c20f9d2ec6fcbe55a112b79aa

SHA256
f99fcdb92772333a769d295fb8e05a705f9ff1c960592eb20ca8ca67aba0a3cd

SHA512
8f86971799eb3145b3dcf10a55bb8366094b2d0271700693c2579c54af32f912fbd6e60cafa14582f1fe2993a41e2071df96de56694db2c612242d33c17a4430

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_3

Filesize
4.0MB

MD5
ed07d30a1a1ff904c820c9753e338d77

SHA1
6a9a7a46383463b92fe86769ae485439f5182312

SHA256
322f7fbf719fb123c7931fb3f7c6c2222aa8176ef2233084ae0f52fed113452b

SHA512
2b8c9c1cf757491859cb517f83d9a6b60515ba369f957543b4da2e361f97ab9a76849649654fa66059145e1cfc9c0003eae73952720044d6fdc56594556ecf3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG

Filesize
319B

MD5
d1939dec7f30fa38d23ea29835bb5cf9

SHA1
b3815b94dd3fcf646480836e23905bb1cb1da1c5

SHA256
7bc379ac2cad4a9cd1dc061654cb0c3ff5eb8522223af0f61872b1c081c5bd65

SHA512
cb0d8c7f03d0ca0c79996e5cdffa2a96d369215808d541cd2856b2e299d2658f78b962b76609a829395fcdb658440d4b84533cd73de8e1857a8d8287ebd3ec96

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
974e7729676d93b018e2ce241a337065

SHA1
5e1bd1e2b0574abcff1fd506f04fd1d1f467508b

SHA256
d4d35cfc675dccecfe9a4556ce9a5933019e115a80800ee17becbc53bbd3af0c

SHA512
d901069a2f77b47282bebf5550a30be161a4c5eec1e4467c488b4818d66ab3ef2a510a4b295345d60546e4f0eb4208461cc847d05822ac2224538fdc15e1c3a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
124KB

MD5
ce6067b6591af661ce8c2ceb4b093769

SHA1
baeb02099ff547877448962decd00af98ec23862

SHA256
549da6d09f08db8bc9e78b681e8729060004989254d93acf3c07477f6f52d8e9

SHA512
f17d5c36f9efb09044c58a074f2595ca09da367884f005cdad55cb65bdaa3c65a9fd93c5f6c50ca53239fdfddf73453d864e05577643188570aa625ea00d5c15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache

Filesize
6B

MD5
a9851aa4c3c8af2d1bd8834201b2ba51

SHA1
fa95986f7ebfac4aab3b261d3ed0a21b142e91fc

SHA256
e708be5e34097c8b4b6ecb50ead7705843d0dc4b0779b95ef57073d80f36c191

SHA512
41a1b4d650ff55b164f3db02c8440f044c4ec31d8ddbbbf56195d4e27473c6b1379dfad3581e16429650e2364791f5c19aae723efc11986bb986ef262538b818

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
331B

MD5
048712cf17bbe6c8d2b6aa10768e7588

SHA1
d1b9aa7b8e94a5d799b36bb821d5c2fe4ddc92cd

SHA256
426fd964eb040a7865203e2088a862b8f911bcbabae131e32570e1de9a874ee2

SHA512
dc4d55ab89e3d65947316a45714a97fae77add832670d513a77ebf4dbb128f35688707aa6cc28ec5e03205d8edfc2d33ca6a2e996c535583f2e6b96d3e102822

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
265B

MD5
f5cd008cf465804d0e6f39a8d81f9a2d

SHA1
6b2907356472ed4a719e5675cc08969f30adc855

SHA256
fcea95cc39dc6c2a925f5aed739dbedaa405ee4ce127f535fcf1c751b2b8fb5d

SHA512
dc97034546a4c94bdaa6f644b5cfd1e477209de9a03a5b02a360c254a406c1d647d6f90860f385e27387b35631c41f0886cb543ede9116436941b9af6cd3285d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
265B

MD5
0af7920878b30234eb1642e14b1c9a84

SHA1
d55b8de170cf293fc523d2ccc4f68fd2d26dca92

SHA256
9e14dd09f4467b0e79416dbf16de1e3dcd352d4a2447f5a7f3f1aa105aa9eaa5

SHA512
006b38fd84a13854593f3af6f5369f87a2cc6793bfe1fe2d84db6971377adfa8cc536cbaa8bcd863a45001d29f89f2bdd05198fd37f30d7ed4158384572bf1e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9c881c0c072a33dcbcd8f57b799e6d97

SHA1
9007dec2d0535e3b64c0ca36d73e3e9b49465f87

SHA256
8ec7767fbdb253cee12babe148b27e06df56b5f48ee740b0373ea50818d4c8e0

SHA512
a8d2ed75fc9fe6803b7117cc3be35bcd89000f162861d274ce94f5d0f9af8dd8d523c9b53c0c2bbea1cc473734142e649842ea8bcc347afaad68ba4abc5e206e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
835339c2133263a1ce77cc68c4cf74f2

SHA1
82ed629bcf654bc83a047c148a7ffc4ed214f3c2

SHA256
a1d36b80db4000ee1fb65808f6d3c6a7bd2c9c460c5d8664fb6b4d76bfe4f605

SHA512
ee42771968f316175f022eeff59a47753ef64e242179f8addcffebde6c4e92a1faf71bfb4bd068fe40e22e4a558affd20a8414c100bb813b88a4cbc4696633c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6636074459befcc9d0c9141bb3e4d8aa

SHA1
0c596045232cfc908ef19ed022f1ef10609daba6

SHA256
f20c7232ce40c31a3476410385588cc9f14c5f1b9c0ce536d85a23482de8aa3d

SHA512
bd459f3d9712b4afb0d59e8bdd18e21daf730e0ca9c59cebcfb84f9373f8d30839f64884233ede42a209a5ba4f3fb864173548b5d94c0eb5187dc08711af078a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6c3cc69627874d9c0f8d6c2d788f4cb0

SHA1
361869ecaad649936f7211546608ae3c9150e4d0

SHA256
f6c1425a25a955656933b3ecd9b9bdd5aa395fbb9b1d36ada1ff4822d4106b30

SHA512
a8a6969b400ebf82a75f35f0a58f923626668bcdefcb6bd264b510efc1f2e1c7c0e4e65da1ae8b4b026160a283333a489d7528ce50f9de997b597e245b2f0b33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
afc5ea713a7765804d5c403bed2dfcc1

SHA1
ad00061e51247a8637a0468c37f98b6cca6a539d

SHA256
88430b1c56bdc12c2657e62476d7aaf497390200971fa054629eff87c14ef38c

SHA512
8334251835fe240ac8bd16aa70f6fedfc42c83232dc03a852138761350ebf29488b165b4d6e455f235ef995aa246bc5abe86f0e302225bc2c56cae296a22158f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\000003.log

Filesize
175B

MD5
6153ae3a389cfba4b2fe34025943ec59

SHA1
c5762dbae34261a19ec867ffea81551757373785

SHA256
93c2b2b9ce1d2a2f28fac5aadc19c713b567df08eaeef4167b6543a1cd094a61

SHA512
f2367664799162966368c4a480df6eb4205522eaae32d861217ba8ed7cfabacbfbb0f7c66433ff6d31ec9638da66e727e04c2239d7c6a0d5fd3356230e09ab6c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG

Filesize
319B

MD5
7914d6132d9144c39deb839c7cc58b62

SHA1
a4c2c6ee82c6eab491dc5191bc2bb59716ea07c1

SHA256
e4ce00a14ff60f4bcb52139a4bab0b1816a70f9eed8a7c2e8e7aa3842eb7c6eb

SHA512
0adce7b4249ca725c614d978d5fd0e82f701f22599f8809d7529e515d58c4bf4ed82b9e1558c56e2cc056778690c4ad75d70392fa505223db37c5115585d0e8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Session_13380057670261248

Filesize
491B

MD5
212291540064b41375f8145842530478

SHA1
56e8d6e758af3907e92aefaeb255acc68a742c86

SHA256
cb8f4c6b439df16d60279a6c381c813fd36768c38ddce0f74f2d4ff189cabde6

SHA512
3d58a68daba337be21453cc721ba44acd08f2bd5c7c7b1c19bc7e11f87ceb3be100733d52a7f676d3c7de1b0e4029bb7c5a2fdd0735e22ec4a80d7bcdf572839

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13380057670449248

Filesize
933B

MD5
1237e9055c8625adf726112aeb0c49bf

SHA1
33cebc48ee165f4a61086196cb6e979ca8d34deb

SHA256
65d0ffe34a3e2cd7d188ce0833157850ce63ffb9c571ec21b18b724f92f80e6c

SHA512
fb5b1dc4623fa6287bdb7746b80d96ee8bad3e1a8c0d8ed2591e8766ac9f19e963b64073a7c3739b1819c7c3101316e840a237edc4deafaf4fa1f0afcc38e72d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
347B

MD5
bab1347c389995ce0ddca7bfbaf9c589

SHA1
866e6dbff8fe7e6a4451ebca83b86a963a54994b

SHA256
a6145d5175ae4c806926c27472986ce63ac2fc5a82846614f178bacbfe97a66a

SHA512
65913b91c659fe32272cf14ebe44a3674818fcbe8a059bf5255a5c5ef47ececca11a8578ccca70f61d9ebe162fa417b1a5ab5a1063ac40172ad0d17bbc051318

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
323B

MD5
481ee1ef9feb80260df1214b1075d998

SHA1
d69704eba8556311747067177dd35fe5a391dee0

SHA256
563ac5ad5d0833170a1d612eab4541915b94b9874c11514cb97362b81dbb4e22

SHA512
568abebe26a40dfd941060480c16cc7fd9e12e811e1a8a04af3d1164022dc96fe7f115e9633bff83758e87b614e5b0df331006b75b571f526020e8824962d71c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
203B

MD5
674bd1eea8dc1df2f20d504b95fb3326

SHA1
2fbabee73dff132cd1c8663a2f2b92af60f254e6

SHA256
c01ce786160cd4d3ac2e20b7c6298d96dad9b7beb9d788138d43b4399a1c0f42

SHA512
99c6c808ebfd9180d043056d789fffec6bfb3bf15cae02cf5bf525cfa9cd466d7c51adc4d952245d798902317b0177f9dce867e4ff6a08f58b1c5d2ac55a1d2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db

Filesize
44KB

MD5
29aed0b36ec4d4ee30e17850544ba55c

SHA1
73873b707bd27a79a72a8152fd9cf08ecca3a289

SHA256
827bd3109b736a38e10d2dcb7e81f8d71f04621ca2d2969bd5d8fb0675f94183

SHA512
93a9da484386ec9edfcd24a9b73895ad3715aa119f99704ba71225a991d548e455b197ce158ceb972d857d4064d9f0e3bf79151c9ad43db7d9b37c410100a842

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\000003.log

Filesize
4KB

MD5
10f1cddfc635484214d91fb3d183b5cc

SHA1
db4b30ca8724c9085bcd1118db777960de369d3f

SHA256
4812ac2a25aadf0be20974fcbc5bc881c1bb8e35d28067623bebb251852be301

SHA512
8b56859cde61cd0968fee07ef65a038be05ac9cf0d5fb18cc213f9240ddbae60ea1220f618c22fa782e90a264b31cdf7eda0dd24cca7f26cadab1875b1a1dfbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG

Filesize
319B

MD5
8ae74d2d06c46d321e8ace16c20b2b67

SHA1
1de89fd032af9c7a44f4f75f24a3e90e066a763c

SHA256
a7ab0076914e52e3975c00ff5658d0bc4800cffb10fcd4818a8afceab5d24141

SHA512
dbb1d79ce321d1b4f13f1f4c9033d6bb58c2369550469fab96bb41a3873a6de376864df6b744caeaa492013dba818d8e28beb61ddd85d942799d664d2f5b1be4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000003.log

Filesize
565B

MD5
eaffb1aed5a1b461bb39c1c3abe16e42

SHA1
f636de33525a55aa992fd74150f844c1888552d1

SHA256
9cdb16e283fc29ecf536e89bcd97a28c27c6462f82f88b8d8bd6c5350208ac9b

SHA512
664fbfce0bf416e30ad84da61d3f181fedf074569bd1305fb218117ff4de831c77f95f26aca8e0c8258085061ea17ac79644e3a2484991b596dc49e03434a9af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG

Filesize
337B

MD5
1c584f26809fcd5bd995f32f89f7d23d

SHA1
e496451ad44a9672e4a18ca2eb139c062da95993

SHA256
03b9f02fbb6b194026ce9f94ec036426fc14923aa80080a52684964b29321821

SHA512
1b410ed8c57b749393355297ae8081cde6ad1d64536366724db2e2f9dd5785faac9052dca4b7c818f5e055979382b297fff5a64f5f0e5296a9a84a648d6d776a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_0

Filesize
44KB

MD5
e3a11dd61f467331d86157bc076e671a

SHA1
1d23d40910e8d01518882f3ed4a67aaf1d83194e

SHA256
13c28964e79fde11d9013cd589a892f0f715591dcee983b766e8795fb57bbda0

SHA512
578e6160efef6ef306f58e04958c4ea1eeccf6bb8f0c5940e7167d21f25c281bd90e06aaf38e0b1691fc190fc5e60a0eee389f06eb234cbabf4e73bca077d853

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1

Filesize
264KB

MD5
84c1080754fe2ffb2b8fd36cb3c006f2

SHA1
8b3dc175e26bc3c86a4392b23378e1ae7cca0f92

SHA256
c8efe9521d04926fd7f26de168bcc68dba3e1de215d90cd72e45fc4fe1aca346

SHA512
e7f0e4f507bd38a135ac1ed449ab650a0e77664e9ef9bdd42167abb0825e3678f9bedd2124b9e35f92150a32fae4e3a7105bfce1beab4f7af161bf5b85ad1351

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_3

Filesize
4.0MB

MD5
8dde455e76a63c88b6cea02abe85d33e

SHA1
719715120ebb99efe5498540491ba3bea3d3ef37

SHA256
376f24a56696138d0d028ca6372e8fcd77a1a2b55679156462394d77f5fe4f02

SHA512
2040869ffec1d82fe3a6b65424a8c41ad74c8926c4d60de472913edc191b20a5685e3a39b2103e4d15d88d6f2455d28100b9d03809946760d821166147b297dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
2a13d43f5d1ed60fcba2853fd206e4b7

SHA1
90df986c45002458c1bdd120240056844531aa2c

SHA256
2d8f92c3cc4dbf7a69cba3b3debd8ede4762aca6239f8b93524d568a37bfb912

SHA512
1936ad5a7a3f01bb43b58a4759a1c2413025ec718b4308db1e8416317fb9b67190fea4d565217a85a140e1c9c5ac62378003ad8d428636b8a38fff1b0fa3c71a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
9af7efee5539453a9df31ceb3c341180

SHA1
f268afbe814a88514d34a71f0b80823253a78a87

SHA256
3a7ca1c15768759b28a464a72ded326f43833c71f469c6c9375d8d613b5d464d

SHA512
09347a74132b749067f95d6cc737095b99f1800b63eefcc47f0602b8126790ccaab7ba222ed8b281e75d557dc8e87d44f1996e6672e770b5e41ff209087a7510

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
455e76133f2725da05c800f86df92537

SHA1
c1e497c25880614980d368c816dcb6b93639a5d9

SHA256
c0d4267987c0ff852446e365a318c4bcd609919b9508440f47a255850b2c3e2e

SHA512
301436121c7714e4a1e5e136cb5eb76746cb0cb2e0fa6a030611bfbd3f524d45b9cca852db3cf85d89fd816702df532f208810c1df6bd582c79d5f054d9affcb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
490683a030dde1464908386bb3b6bb24

SHA1
c384508282306f533541741b561d087f983320e9

SHA256
81ac78c469cdabf4eb44f89b5e19bd56e9bef4c596de3bd0446c9a4cea884515

SHA512
72127ff33e6cb992a1386f54c7f196120bcb40c5968971757aae495fefc1754274c06566aa269b7a8ff4dff71bf921da4143fb6f3bf03456c9b350b6ba849b83

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\edge_shutdown_ms.txt

Filesize
4B

MD5
768f34bfe7a1e4bdd79ef550889f0cc7

SHA1
adb7f6220efb1e2ea6b379ad7ea5c951aeca1114

SHA256
cf25ecd6b21a46a04ee0e7bae5f8deac36ac1fe6f497ea5e6f6f57c87139bbed

SHA512
1a2dab2d8e0b3fb962c8d7b25f770dadd984842572fdf9ad2d084540e5498df2b58f4937c19f827343d0e5210daee2e9f1706f2bddf2d88f62d06700f28892e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\9cd93bc6dcf544bae69531052e64647ec02f2bb4.tbres

Filesize
4KB

MD5
e9cf9aac6a89265da2baf9d0dab9cbfc

SHA1
101f9189ce8b3dccd0f91ed321019111ab4719f9

SHA256
de097e43affd05aebfc8909acabe4e849a67bb9c16785fee6bda785dcd6bb84b

SHA512
1d79df0232fe7ccf63deb729d52e13f2891f3be84b2380bb5736f0c4bfb0772d65f5734bd43518fe83eb159f6993eb6d8ac22e5bfa4d3a00b97f8dbe57f9a73c

Download Submit
C:\Users\Admin\Downloads\Wave-Executorh.zip

Filesize
9.5MB

MD5
f667e5c2b3a5dc2ba44d94142fe4ed13

SHA1
9e880f0887d563db9ae4a049aaed4fac5a381275

SHA256
c287dcca66807c6e9aa78b171e4d342828c3b70a09ccb899644f24f407994a34

SHA512
24da775bcb8282952c11a2e07577eee281a06f38531b3c9c320cb883916de746f6005e226af32c245bc7e571a5945a562f0d145c027d49078008ef6c90d4963a

Download Submit
memory/392-192-0x00000000007E0000-0x00000000008B1000-memory.dmp

Filesize
836KB

Download
memory/1760-86-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1760-85-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download