Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-05-2024 17:04
Static task: static1
Behavioral task: behavioral1
Sample: Wave.exe
Resource: win10v2004-20240426-en
General
- Target: Wave.exe
- Size: 63KB
- MD5: aea7ce1be7c97bca3e8962cd17c6d361
- SHA1: f0989ac052b3ea66dd20e499ce3cb41d8c495ece
- SHA256: c3ceb18bfa4b4d0d31659159869eeb6239c0964907d25bb4b6f6ae0717e0edfb
- SHA512: 87a0c425994454399b9837d0d52819122a0bf647061509e9580d41e8418884ea9ffa43d3afe13b960ffddd769fa26cda04f46d81cc2d065f54564f2253d8b629
- SSDEEP: 768:ds6u91mfDcbr1D4SmZupatSyjkIO7fWOBLzl5oD7L4wF7NkxQoZNCF:FcbBD1k87fxx5oD7L/5kfCF
Malware Config
Extracted
xworm
212.132.117.91:7000
- Install_directory: %AppData%
- install_file: SystemFiles.exe
Signatures
-
Detect Xworm Payload 2 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe | family_xworm
behavioral1/memory/7692-72-0x0000000000C20000-0x0000000000C3A000-memory.dmp | family_xworm
-
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
pid | process
8580 | powershell.exe
8956 | powershell.exe
8712 | powershell.exe
9136 | powershell.exe
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 64 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | Wave.exe
-
Drops startup file 2 IoCs
Processes:
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SystemFiles.lnk | RobloxWave.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SystemFiles.lnk | RobloxWave.exe
-
Executes dropped EXE 64 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SystemFiles = "C:\\Users\\Admin\\AppData\\Roaming\\SystemFiles.exe" | RobloxWave.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs
Processes:
flow | ioc
22 | raw.githubusercontent.com
27 | raw.githubusercontent.com
32 | raw.githubusercontent.com
40 | raw.githubusercontent.com
42 | raw.githubusercontent.com
45 | raw.githubusercontent.com
21 | raw.githubusercontent.com
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | dwm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | dwm.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | dwm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | dwm.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags | dwm.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | dwm.exe
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 2 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | dwm.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | dwm.exe
-
Modifies data under HKEY_USERS 18 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache | dwm.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates | dwm.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates | dwm.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | dwm.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | dwm.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft | dwm.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | dwm.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | dwm.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E | dwm.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | dwm.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | dwm.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | dwm.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies | dwm.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | dwm.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | dwm.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | dwm.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | dwm.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | dwm.exe
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
Processes:
pid | process
8580 | powershell.exe
8956 | powershell.exe
8712 | powershell.exe
9136 | powershell.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 1984 | Wave.exe
Token: SeDebugPrivilege | 728 | Wave.exe
Token: SeDebugPrivilege | 864 | Wave.exe
Token: SeDebugPrivilege | 4544 | Wave.exe
Token: SeDebugPrivilege | 1400 | Wave.exe
Token: SeDebugPrivilege | 1360 | Wave.exe
Token: SeDebugPrivilege | 1632 | Wave.exe
Token: SeDebugPrivilege | 2452 | Wave.exe
Token: SeDebugPrivilege | 4816 | Wave.exe
Token: SeDebugPrivilege | 4176 | Wave.exe
Token: SeDebugPrivilege | 3284 | Wave.exe
Token: SeDebugPrivilege | 3100 | Wave.exe
Token: SeDebugPrivilege | 4232 | Wave.exe
Token: SeDebugPrivilege | 1568 | Wave.exe
Token: SeDebugPrivilege | 2924 | Wave.exe
Token: SeDebugPrivilege | 4144 | Wave.exe
Token: SeDebugPrivilege | 4820 | Wave.exe
Token: SeDebugPrivilege | 4864 | Wave.exe
Token: SeDebugPrivilege | 4868 | Wave.exe
Token: SeDebugPrivilege | 2812 | Wave.exe
Token: SeDebugPrivilege | 4472 | Wave.exe
Token: SeDebugPrivilege | 1292 | Wave.exe
Token: SeDebugPrivilege | 1924 | Wave.exe
Token: SeDebugPrivilege | 4328 | Wave.exe
Token: SeDebugPrivilege | 4284 | Wave.exe
Token: SeDebugPrivilege | 2980 | Wave.exe
Token: SeDebugPrivilege | 5152 | Wave.exe
Token: SeDebugPrivilege | 5236 | Wave.exe
Token: SeDebugPrivilege | 5304 | Wave.exe
Token: SeDebugPrivilege | 5356 | Wave.exe
Token: SeDebugPrivilege | 5420 | Wave.exe
Token: SeDebugPrivilege | 5480 | Wave.exe
Token: SeDebugPrivilege | 5536 | Wave.exe
Token: SeDebugPrivilege | 5592 | Wave.exe
Token: SeDebugPrivilege | 5652 | Wave.exe
Token: SeDebugPrivilege | 5704 | Wave.exe
Token: SeDebugPrivilege | 5756 | Wave.exe
Token: SeDebugPrivilege | 5812 | Wave.exe
Token: SeDebugPrivilege | 5872 | Wave.exe
Token: SeDebugPrivilege | 5936 | Wave.exe
Token: SeDebugPrivilege | 5996 | Wave.exe
Token: SeDebugPrivilege | 6076 | Wave.exe
Token: SeDebugPrivilege | 6220 | Wave.exe
Token: SeDebugPrivilege | 6352 | Wave.exe
Token: SeDebugPrivilege | 6596 | Wave.exe
Token: SeDebugPrivilege | 6692 | Wave.exe
Token: SeDebugPrivilege | 6852 | Wave.exe
Token: SeDebugPrivilege | 7128 | Wave.exe
Token: SeDebugPrivilege | 7200 | Wave.exe
Token: SeDebugPrivilege | 7352 | Wave.exe
Token: SeDebugPrivilege | 7596 | Wave.exe
Token: SeDebugPrivilege | 7692 | RobloxWave.exe
Token: SeDebugPrivilege | 7772 | RobloxWave.exe
Token: SeDebugPrivilege | 7848 | RobloxWave.exe
Token: SeDebugPrivilege | 7840 | RobloxWave.exe
Token: SeDebugPrivilege | 7872 | RobloxWave.exe
Token: SeDebugPrivilege | 7908 | RobloxWave.exe
Token: SeDebugPrivilege | 7760 | RobloxWave.exe
Token: SeDebugPrivilege | 8116 | RobloxWave.exe
Token: SeDebugPrivilege | 8156 | RobloxWave.exe
Token: SeDebugPrivilege | 7060 | Wave.exe
Token: SeDebugPrivilege | 1992 | RobloxWave.exe
Token: SeDebugPrivilege | 3432 | RobloxWave.exe
Token: SeDebugPrivilege | 7280 | Wave.exe
-
Suspicious use of FindShellTrayWindow 31 IoCs
-
Suspicious use of SendNotifyMessage 23 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1984 -
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"2⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:728 -
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"3⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:864 -
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"4⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4544 -
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"5⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1400 -
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"6⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1360 -
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"7⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1632 -
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"8⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2452 -
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"9⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4816 -
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"10⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4176 -
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"11⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3284 -
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"12⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3100 -
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"13⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4232 -
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"14⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1568 -
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"15⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2924 -
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"16⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4144 -
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"17⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4820 -
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"18⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4864 -
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"19⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4868 -
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"20⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2812 -
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"21⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4472 -
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"22⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1292 -
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"23⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1924 -
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"24⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4328 -
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"25⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4284 -
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"26⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2980 -
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"27⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5152 -
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"28⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5236 -
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"29⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5304 -
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"30⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5356 -
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"31⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5420 -
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"32⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5480 -
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"33⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:5536 -
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"34⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:5592 -
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"35⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:5652 -
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"36⤵
- Suspicious use of AdjustPrivilegeToken
PID:5704 -
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"37⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:5756 -
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"38⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:5812 -
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"39⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:5872 -
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"40⤵
- Suspicious use of AdjustPrivilegeToken
PID:5936 -
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"41⤵
- Suspicious use of AdjustPrivilegeToken
PID:5996 -
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"42⤵
- Suspicious use of AdjustPrivilegeToken
PID:6076 -
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"43⤵
- Suspicious use of AdjustPrivilegeToken
PID:6220 -
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"44⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:6352 -
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"45⤵
- Suspicious use of AdjustPrivilegeToken
PID:6596 -
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"46⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:6692 -
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"47⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:6852 -
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"48⤵
- Suspicious use of AdjustPrivilegeToken
PID:7128 -
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"49⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:7200 -
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"50⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:7352 -
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"51⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:7596 -
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"52⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:7060 -
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"53⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:7280 -
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"54⤵PID:8272
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"55⤵
- Checks computer location settings
PID:8384 -
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"56⤵PID:8448
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"57⤵
- Checks computer location settings
PID:8504 -
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"58⤵
- Checks computer location settings
PID:8588 -
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"59⤵
- Checks computer location settings
PID:8868 -
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"60⤵PID:8988
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"61⤵PID:6052
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"62⤵PID:8720
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"63⤵
- Checks computer location settings
PID:8100 -
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"64⤵PID:8700
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"65⤵PID:7380
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"66⤵
- Checks computer location settings
PID:8832 -
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"67⤵PID:8696
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"68⤵
- Checks computer location settings
PID:9188 -
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"69⤵PID:8624
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"70⤵PID:9048
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"71⤵
- Checks computer location settings
PID:9140 -
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"72⤵
- Checks computer location settings
PID:1824 -
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"73⤵
- Checks computer location settings
PID:9296 -
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"74⤵
- Checks computer location settings
PID:9400 -
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"75⤵
- Checks computer location settings
PID:9456 -
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"76⤵
- Checks computer location settings
PID:9512 -
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"77⤵PID:9636
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"78⤵PID:9716
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"79⤵
- Checks computer location settings
PID:9768 -
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"80⤵PID:9896
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"81⤵
- Checks computer location settings
PID:10048 -
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"82⤵
- Checks computer location settings
PID:10168 -
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"83⤵
- Checks computer location settings
PID:10232 -
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"84⤵PID:7884
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"85⤵PID:10296
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"86⤵
- Checks computer location settings
PID:10376 -
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"87⤵PID:10500
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"88⤵PID:10672
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"89⤵PID:10852
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"90⤵PID:10972
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"91⤵PID:11124
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"92⤵
- Checks computer location settings
PID:10340 -
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"93⤵PID:9668
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"94⤵
- Checks computer location settings
PID:11384 -
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"95⤵PID:11520
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"96⤵PID:11708
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"97⤵
- Checks computer location settings
PID:11836 -
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"98⤵PID:12056
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"99⤵
- Checks computer location settings
PID:12180 -
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"100⤵PID:11516
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"101⤵
- Checks computer location settings
PID:12412 -
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"102⤵
- Checks computer location settings
PID:12548 -
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"103⤵PID:12736
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"104⤵PID:12952
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"105⤵
- Checks computer location settings
PID:13172 -
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"106⤵PID:13440
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"107⤵
- Checks computer location settings
PID:13688 -
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"108⤵PID:13888
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"109⤵PID:14128
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"110⤵
- Checks computer location settings
PID:14308 -
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"111⤵PID:14424
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"112⤵
- Checks computer location settings
PID:14668 -
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"113⤵
- Checks computer location settings
PID:15028 -
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"114⤵PID:13304
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"115⤵
- Checks computer location settings
PID:15664 -
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"116⤵PID:15948
-
-
C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"116⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:14632
-
-
C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"116⤵PID:16364
-
-
-
C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"115⤵PID:16160
-
-
-
C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"114⤵PID:13932
-
-
-
C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"113⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:15380
-
-
C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"113⤵PID:14876
-
-
-
C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"112⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:16196
-
-
C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"112⤵PID:9960
-
-
-
C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"111⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:14872
-
-
C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"111⤵PID:16360
-
-
-
C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"110⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:16348
-
-
C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"110⤵PID:16272
-
-
-
C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"109⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:16292
-
-
C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"109⤵PID:13060
-
-
-
C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"108⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:16248
-
-
C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"108⤵PID:12060
-
-
-
C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"107⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:14188
-
-
C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"107⤵PID:2948
-
-
-
C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"106⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:14908
-
-
C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"106⤵PID:15784
-
-
-
C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"105⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:16112
-
-
C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"105⤵PID:15552
-
-
-
C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"104⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:15828
-
-
C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"104⤵PID:16016
-
-
-
C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"103⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:15628
-
-
C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"103⤵PID:15696
-
-
-
C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"102⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:15484
-
-
-
C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"101⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:13568
-
-
-
C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"100⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:12908
-
-
C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"100⤵PID:13924
-
-
-
C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"99⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:13876
-
-
C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"99⤵PID:9228
-
-
-
C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"98⤵PID:15196
-
-
C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"98⤵PID:13316
-
-
-
C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"97⤵PID:15036
-
-
C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"97⤵PID:16296
-
-
-
C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"96⤵PID:14920
-
-
C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"96⤵PID:15708
-
-
-
C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"95⤵PID:14704
-
-
C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"95⤵PID:15676
-
-
-
C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"94⤵PID:14572
-
-
C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"94⤵PID:15048
-
-
-
C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"93⤵PID:14412
-
-
C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"93⤵PID:6028
-
-
-
C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"92⤵PID:11992
-
-
C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"92⤵PID:14544
-
-
-
C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"91⤵PID:14252
-
-
C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"91⤵PID:16148
-
-
-
C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"90⤵PID:14076
-
-
C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"90⤵PID:16232
-
-
-
C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"89⤵PID:13968
-
-
C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"89⤵PID:16088
-
-
-
C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"88⤵PID:13812
-
-
C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"88⤵PID:11980
-
-
-
C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"87⤵PID:13624
-
-
C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"87⤵PID:12900
-
-
-
C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"86⤵PID:13468
-
-
C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"86⤵PID:15468
-
-
-
C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"85⤵PID:13360
-
-
C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"85⤵PID:16364
-
-
-
C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"84⤵PID:10616
-
-
C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"84⤵PID:16316
-
-
-
C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"83⤵PID:13184
-
-
C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"83⤵PID:16164
-
-
-
C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"82⤵PID:13076
-
-
C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"82⤵PID:16000
-
-
-
C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"81⤵PID:12972
-
-
C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"81⤵PID:15912
-
-
-
C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"80⤵
- Executes dropped EXE
PID:12808
-
-
C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"80⤵PID:15752
-
-
-
C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"79⤵
- Executes dropped EXE
PID:12656
-
-
C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"79⤵PID:15616
-
-
-
C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"78⤵
- Executes dropped EXE
PID:12560
-
-
C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"78⤵PID:15508
-
-
-
C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"77⤵
- Executes dropped EXE
PID:12420
-
-
C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"77⤵PID:15364
-
-
-
C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"76⤵
- Executes dropped EXE
PID:12296
-
-
C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"76⤵PID:15168
-
-
-
C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"75⤵
- Executes dropped EXE
PID:12208
-
-
C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"75⤵PID:4580
-
-
-
C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"74⤵
- Executes dropped EXE
PID:12108
-
-
C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"74⤵PID:15260
-
-
-
C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"73⤵
- Executes dropped EXE
PID:11984
-
-
C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"73⤵PID:15144
-
-
-
C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"72⤵
- Executes dropped EXE
PID:11872
-
-
C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"72⤵PID:15044
-
-
-
C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"71⤵
- Executes dropped EXE
PID:11756
-
-
C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"71⤵PID:14980
-
-
-
C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"70⤵
- Executes dropped EXE
PID:11648
-
-
C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"70⤵PID:14848
-
-
-
C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"69⤵
- Executes dropped EXE
PID:11552
-
-
C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"69⤵PID:14808
-
-
-
C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"68⤵
- Executes dropped EXE
PID:11416
-
-
C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"68⤵PID:14628
-
-
-
C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"67⤵
- Executes dropped EXE
PID:11328
-
-
C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"67⤵PID:14516
-
-
-
C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"66⤵
- Executes dropped EXE
PID:10660
-
-
C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"66⤵PID:14376
-
-
-
C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"65⤵
- Executes dropped EXE
PID:11204
-
-
C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"65⤵PID:4312
-
-
-
C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"64⤵
- Executes dropped EXE
PID:11036
-
-
C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"64⤵PID:14160
-
-
-
C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"63⤵
- Executes dropped EXE
PID:10916
-
-
C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"63⤵PID:14032
-
-
-
C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"62⤵
- Executes dropped EXE
PID:10788
-
-
C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"62⤵PID:13896
-
-
-
C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"61⤵
- Executes dropped EXE
PID:10664
-
-
C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"61⤵PID:13764
-
-
-
C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"60⤵
- Executes dropped EXE
PID:10524
-
-
C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"60⤵PID:13696
-
-
-
C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"59⤵
- Executes dropped EXE
PID:10404
-
-
C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"59⤵PID:13548
-
-
-
C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"58⤵
- Executes dropped EXE
PID:8012
-
-
C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"58⤵PID:13352
-
-
-
C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"57⤵
- Executes dropped EXE
PID:9232
-
-
C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"57⤵PID:13284
-
-
-
C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"56⤵
- Executes dropped EXE
PID:10076
-
-
C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"56⤵PID:13032
-
-
-
C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"55⤵
- Executes dropped EXE
PID:9972
-
-
C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"55⤵
- Executes dropped EXE
PID:12892
-
-
-
C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"54⤵
- Executes dropped EXE
PID:9808
-
-
C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"54⤵
- Executes dropped EXE
PID:12748
-
-
-
C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"53⤵
- Executes dropped EXE
PID:9532
-
-
C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"53⤵
- Executes dropped EXE
PID:11536
-
-
-
C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"52⤵
- Executes dropped EXE
PID:3356
-
-
C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"52⤵
- Executes dropped EXE
PID:11948
-
-
-
C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"51⤵
- Executes dropped EXE
PID:8916
-
-
C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"51⤵
- Executes dropped EXE
PID:10984
-
-
-
C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"50⤵
- Executes dropped EXE
PID:9020
-
-
C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"50⤵
- Executes dropped EXE
PID:10576
-
-
-
C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"49⤵
- Executes dropped EXE
PID:8328
-
-
C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"49⤵
- Executes dropped EXE
PID:9924
-
-
-
C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"48⤵
- Executes dropped EXE
PID:8028
-
-
C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"48⤵
- Executes dropped EXE
PID:9652
-
-
-
C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"47⤵
- Executes dropped EXE
PID:8144
-
-
C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"47⤵
- Executes dropped EXE
PID:8068
-
-
-
C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"46⤵
- Executes dropped EXE
PID:7780
-
-
C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"46⤵
- Executes dropped EXE
PID:7384
-
-
-
C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"45⤵
- Executes dropped EXE
PID:7752
-
-
C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"45⤵
- Executes dropped EXE
PID:8084
-
-
-
C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"44⤵
- Executes dropped EXE
PID:7504
-
-
C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"44⤵
- Executes dropped EXE
PID:1064
-
-
-
C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"43⤵
- Executes dropped EXE
PID:6908
-
-
C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"43⤵
- Executes dropped EXE
PID:8216
-
-
-
C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"42⤵
- Executes dropped EXE
PID:6972
-
-
C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"42⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1992
-
-
-
C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"41⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:8116
-
-
-
C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"40⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:8156
-
-
-
C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"39⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:7848
-
-
-
C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"38⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:7908
-
-
-
C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"37⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:7692 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe'38⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:8580
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'RobloxWave.exe'38⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:8956
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\SystemFiles.exe'38⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:8712
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SystemFiles.exe'38⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:9136
-
-
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "SystemFiles" /tr "C:\Users\Admin\AppData\Roaming\SystemFiles.exe" 38⤵
- Creates scheduled task(s)
PID:9228
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe
"C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe" 36⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:7772
-
-
-
C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe
"C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe" 35⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:7760
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe
"C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe" 33⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:7872
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe
"C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe" 30⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:7840
-
C:\Users\Admin\AppData\Local\Temp\KrampUI.exe
"C:\Users\Admin\AppData\Local\Temp\KrampUI.exe" 2⤵
- Executes dropped EXE
PID:6964
-
-
C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe
"C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe" 2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3432
-
-
C:\Windows\system32\dwm.exe
"dwm.exe" 1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
PID:13376
-
C:\Users\Admin\AppData\Roaming\SystemFiles.exe
C:\Users\Admin\AppData\Roaming\SystemFiles.exe 1⤵
PID:3808
-
C:\Users\Admin\AppData\Roaming\SystemFiles.exe
C:\Users\Admin\AppData\Roaming\SystemFiles.exe 1⤵
PID:15636
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution: 1
- Registry Run Keys / Startup Folder: 1
- Scheduled Task/Job: 1
Privilege Escalation
- Boot or Logon Autostart Execution: 1
- Registry Run Keys / Startup Folder: 1
- Scheduled Task/Job: 1
Downloads