Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240426-en locale:en-us os:windows10-2004-x64 system
  • submitted
    26-05-2024 17:04

General

  • Target

    Wave.exe

  • Size

    63KB

  • MD5

    aea7ce1be7c97bca3e8962cd17c6d361

  • SHA1

    f0989ac052b3ea66dd20e499ce3cb41d8c495ece

  • SHA256

    c3ceb18bfa4b4d0d31659159869eeb6239c0964907d25bb4b6f6ae0717e0edfb

  • SHA512

    87a0c425994454399b9837d0d52819122a0bf647061509e9580d41e8418884ea9ffa43d3afe13b960ffddd769fa26cda04f46d81cc2d065f54564f2253d8b629

  • SSDEEP

    768:ds6u91mfDcbr1D4SmZupatSyjkIO7fWOBLzl5oD7L4wF7NkxQoZNCF:FcbBD1k87fxx5oD7L/5kfCF

Malware Config

Extracted

Family

xworm

C2

212.132.117.91:7000

Attributes
  • Install_directory

    %AppData%

  • install_file

    SystemFiles.exe

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 64 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 64 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies data under HKEY_USERS 18 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 31 IoCs
  • Suspicious use of SendNotifyMessage 23 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Wave.exe
    "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1984
    • C:\Users\Admin\AppData\Local\Temp\Wave.exe
      "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
      2⤵
      • Checks computer location settings
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:728
      • C:\Users\Admin\AppData\Local\Temp\Wave.exe
        "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
        3⤵
        • Checks computer location settings
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:864
        • C:\Users\Admin\AppData\Local\Temp\Wave.exe
          "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4544
          • C:\Users\Admin\AppData\Local\Temp\Wave.exe
            "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1400
            • C:\Users\Admin\AppData\Local\Temp\Wave.exe
              "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
              6⤵
              • Checks computer location settings
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1360
              • C:\Users\Admin\AppData\Local\Temp\Wave.exe
                "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
                7⤵
                • Checks computer location settings
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1632
                • C:\Users\Admin\AppData\Local\Temp\Wave.exe
                  "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
                  8⤵
                  • Checks computer location settings
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2452
                  • C:\Users\Admin\AppData\Local\Temp\Wave.exe
                    "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
                    9⤵
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:4816
                    • C:\Users\Admin\AppData\Local\Temp\Wave.exe
                      "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
                      10⤵
                      • Checks computer location settings
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:4176
                      • C:\Users\Admin\AppData\Local\Temp\Wave.exe
                        "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
                        11⤵
                        • Checks computer location settings
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:3284
                        • C:\Users\Admin\AppData\Local\Temp\Wave.exe
                          "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
                          12⤵
                          • Checks computer location settings
                          • Suspicious use of AdjustPrivilegeToken
                          • Suspicious use of WriteProcessMemory
                          PID:3100
                          • C:\Users\Admin\AppData\Local\Temp\Wave.exe
                            "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
                            13⤵
                            • Checks computer location settings
                            • Suspicious use of AdjustPrivilegeToken
                            • Suspicious use of WriteProcessMemory
                            PID:4232
                            • C:\Users\Admin\AppData\Local\Temp\Wave.exe
                              "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
                              14⤵
                              • Checks computer location settings
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of WriteProcessMemory
                              PID:1568
                              • C:\Users\Admin\AppData\Local\Temp\Wave.exe
                                "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
                                15⤵
                                • Suspicious use of AdjustPrivilegeToken
                                • Suspicious use of WriteProcessMemory
                                PID:2924
                                • C:\Users\Admin\AppData\Local\Temp\Wave.exe
                                  "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
                                  16⤵
                                  • Checks computer location settings
                                  • Suspicious use of AdjustPrivilegeToken
                                  • Suspicious use of WriteProcessMemory
                                  PID:4144
                                  • C:\Users\Admin\AppData\Local\Temp\Wave.exe
                                    "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
                                    17⤵
                                    • Checks computer location settings
                                    • Suspicious use of AdjustPrivilegeToken
                                    • Suspicious use of WriteProcessMemory
                                    PID:4820
                                    • C:\Users\Admin\AppData\Local\Temp\Wave.exe
                                      "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
                                      18⤵
                                      • Checks computer location settings
                                      • Suspicious use of AdjustPrivilegeToken
                                      • Suspicious use of WriteProcessMemory
                                      PID:4864
                                      • C:\Users\Admin\AppData\Local\Temp\Wave.exe
                                        "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
                                        19⤵
                                        • Checks computer location settings
                                        • Suspicious use of AdjustPrivilegeToken
                                        • Suspicious use of WriteProcessMemory
                                        PID:4868
                                        • C:\Users\Admin\AppData\Local\Temp\Wave.exe
                                          "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
                                          20⤵
                                          • Suspicious use of AdjustPrivilegeToken
                                          • Suspicious use of WriteProcessMemory
                                          PID:2812
                                          • C:\Users\Admin\AppData\Local\Temp\Wave.exe
                                            "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
                                            21⤵
                                            • Checks computer location settings
                                            • Suspicious use of AdjustPrivilegeToken
                                            • Suspicious use of WriteProcessMemory
                                            PID:4472
                                            • C:\Users\Admin\AppData\Local\Temp\Wave.exe
                                              "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
                                              22⤵
                                              • Checks computer location settings
                                              • Suspicious use of AdjustPrivilegeToken
                                              • Suspicious use of WriteProcessMemory
                                              PID:1292
                                              • C:\Users\Admin\AppData\Local\Temp\Wave.exe
                                                "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
                                                23⤵
                                                • Suspicious use of AdjustPrivilegeToken
                                                • Suspicious use of WriteProcessMemory
                                                PID:1924
                                                • C:\Users\Admin\AppData\Local\Temp\Wave.exe
                                                  "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
                                                  24⤵
                                                  • Checks computer location settings
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  • Suspicious use of WriteProcessMemory
                                                  PID:4328
                                                  • C:\Users\Admin\AppData\Local\Temp\Wave.exe
                                                    "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
                                                    25⤵
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    • Suspicious use of WriteProcessMemory
                                                    PID:4284
                                                    • C:\Users\Admin\AppData\Local\Temp\Wave.exe
                                                      "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
                                                      26⤵
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      • Suspicious use of WriteProcessMemory
                                                      PID:2980
                                                      • C:\Users\Admin\AppData\Local\Temp\Wave.exe
                                                        "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
                                                        27⤵
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        • Suspicious use of WriteProcessMemory
                                                        PID:5152
                                                        • C:\Users\Admin\AppData\Local\Temp\Wave.exe
                                                          "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
                                                          28⤵
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          • Suspicious use of WriteProcessMemory
                                                          PID:5236
                                                          • C:\Users\Admin\AppData\Local\Temp\Wave.exe
                                                            "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
                                                            29⤵
                                                            • Checks computer location settings
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            • Suspicious use of WriteProcessMemory
                                                            PID:5304
                                                            • C:\Users\Admin\AppData\Local\Temp\Wave.exe
                                                              "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
                                                              30⤵
                                                              • Checks computer location settings
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              • Suspicious use of WriteProcessMemory
                                                              PID:5356
                                                              • C:\Users\Admin\AppData\Local\Temp\Wave.exe
                                                                "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
                                                                31⤵
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                • Suspicious use of WriteProcessMemory
                                                                PID:5420
                                                                • C:\Users\Admin\AppData\Local\Temp\Wave.exe
                                                                  "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
                                                                  32⤵
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  • Suspicious use of WriteProcessMemory
                                                                  PID:5480
                                                                  • C:\Users\Admin\AppData\Local\Temp\Wave.exe
                                                                    "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
                                                                    33⤵
                                                                    • Checks computer location settings
                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                    PID:5536
                                                                    • C:\Users\Admin\AppData\Local\Temp\Wave.exe
                                                                      "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
                                                                      34⤵
                                                                      • Checks computer location settings
                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                      PID:5592
                                                                      • C:\Users\Admin\AppData\Local\Temp\Wave.exe
                                                                        "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
                                                                        35⤵
                                                                        • Checks computer location settings
                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                        PID:5652
                                                                        • C:\Users\Admin\AppData\Local\Temp\Wave.exe
                                                                          "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
                                                                          36⤵
                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                          PID:5704
                                                                          • C:\Users\Admin\AppData\Local\Temp\Wave.exe
                                                                            "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
                                                                            37⤵
                                                                            • Checks computer location settings
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            PID:5756
                                                                            • C:\Users\Admin\AppData\Local\Temp\Wave.exe
                                                                              "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
                                                                              38⤵
                                                                              • Checks computer location settings
                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                              PID:5812
                                                                              • C:\Users\Admin\AppData\Local\Temp\Wave.exe
                                                                                "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
                                                                                39⤵
                                                                                • Checks computer location settings
                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                PID:5872
                                                                                • C:\Users\Admin\AppData\Local\Temp\Wave.exe
                                                                                  "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
                                                                                  40⤵
                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                  PID:5936
                                                                                  • C:\Users\Admin\AppData\Local\Temp\Wave.exe
                                                                                    "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
                                                                                    41⤵
                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                    PID:5996
                                                                                    • C:\Users\Admin\AppData\Local\Temp\Wave.exe
                                                                                      "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
                                                                                      42⤵
                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                      PID:6076
                                                                                      • C:\Users\Admin\AppData\Local\Temp\Wave.exe
                                                                                        "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
                                                                                        43⤵
                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                        PID:6220
                                                                                        • C:\Users\Admin\AppData\Local\Temp\Wave.exe
                                                                                          "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
                                                                                          44⤵
                                                                                          • Checks computer location settings
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:6352
                                                                                          • C:\Users\Admin\AppData\Local\Temp\Wave.exe
                                                                                            "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
                                                                                            45⤵
                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                            PID:6596
                                                                                            • C:\Users\Admin\AppData\Local\Temp\Wave.exe
                                                                                              "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
                                                                                              46⤵
                                                                                              • Checks computer location settings
                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                              PID:6692
                                                                                              • C:\Users\Admin\AppData\Local\Temp\Wave.exe
                                                                                                "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
                                                                                                47⤵
                                                                                                • Checks computer location settings
                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                PID:6852
                                                                                                • C:\Users\Admin\AppData\Local\Temp\Wave.exe
                                                                                                  "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
                                                                                                  48⤵
                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                  PID:7128
                                                                                                  • C:\Users\Admin\AppData\Local\Temp\Wave.exe
                                                                                                    "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
                                                                                                    49⤵
                                                                                                    • Checks computer location settings
                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                    PID:7200
                                                                                                    • C:\Users\Admin\AppData\Local\Temp\Wave.exe
                                                                                                      "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
                                                                                                      50⤵
                                                                                                      • Checks computer location settings
                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                      PID:7352
                                                                                                      • C:\Users\Admin\AppData\Local\Temp\Wave.exe
                                                                                                        "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
                                                                                                        51⤵
                                                                                                        • Checks computer location settings
                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                        PID:7596
                                                                                                        • C:\Users\Admin\AppData\Local\Temp\Wave.exe
                                                                                                          "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
                                                                                                          52⤵
                                                                                                          • Checks computer location settings
                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                          PID:7060
                                                                                                          • C:\Users\Admin\AppData\Local\Temp\Wave.exe
                                                                                                            "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
                                                                                                            53⤵
                                                                                                            • Checks computer location settings
                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                            PID:7280
                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Wave.exe
                                                                                                              "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
                                                                                                              54⤵
                                                                                                                PID:8272
                                                                                                                • C:\Users\Admin\AppData\Local\Temp\Wave.exe
                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
                                                                                                                  55⤵
                                                                                                                  • Checks computer location settings
                                                                                                                  PID:8384
                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\Wave.exe
                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
                                                                                                                    56⤵
                                                                                                                      PID:8448
                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\Wave.exe
                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
                                                                                                                        57⤵
                                                                                                                        • Checks computer location settings
                                                                                                                        PID:8504
                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\Wave.exe
                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
                                                                                                                          58⤵
                                                                                                                          • Checks computer location settings
                                                                                                                          PID:8588
                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\Wave.exe
                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
                                                                                                                            59⤵
                                                                                                                            • Checks computer location settings
                                                                                                                            PID:8868
                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Wave.exe
                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
                                                                                                                              60⤵
                                                                                                                                PID:8988
                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\Wave.exe
                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
                                                                                                                                  61⤵
                                                                                                                                    PID:6052
                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\Wave.exe
                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
                                                                                                                                      62⤵
                                                                                                                                        PID:8720
                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\Wave.exe
                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
                                                                                                                                          63⤵
                                                                                                                                          • Checks computer location settings
                                                                                                                                          PID:8100
                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\Wave.exe
                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
                                                                                                                                            64⤵
                                                                                                                                              PID:8700
                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\Wave.exe
                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
                                                                                                                                                65⤵
                                                                                                                                                  PID:7380
                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\Wave.exe
                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
                                                                                                                                                    66⤵
                                                                                                                                                    • Checks computer location settings
                                                                                                                                                    PID:8832
                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\Wave.exe
                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
                                                                                                                                                      67⤵
                                                                                                                                                        PID:8696
                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\Wave.exe
                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
                                                                                                                                                          68⤵
                                                                                                                                                          • Checks computer location settings
                                                                                                                                                          PID:9188
                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\Wave.exe
                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
                                                                                                                                                            69⤵
                                                                                                                                                              PID:8624
                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\Wave.exe
                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
                                                                                                                                                                70⤵
                                                                                                                                                                  PID:9048
                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\Wave.exe
                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
                                                                                                                                                                    71⤵
                                                                                                                                                                    • Checks computer location settings
                                                                                                                                                                    PID:9140
                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\Wave.exe
                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
                                                                                                                                                                      72⤵
                                                                                                                                                                      • Checks computer location settings
                                                                                                                                                                      PID:1824
                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\Wave.exe
                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
                                                                                                                                                                        73⤵
                                                                                                                                                                        • Checks computer location settings
                                                                                                                                                                        PID:9296
                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\Wave.exe
                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
                                                                                                                                                                          74⤵
                                                                                                                                                                          • Checks computer location settings
                                                                                                                                                                          PID:9400
                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\Wave.exe
                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
                                                                                                                                                                            75⤵
                                                                                                                                                                            • Checks computer location settings
                                                                                                                                                                            PID:9456
                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Wave.exe
                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
                                                                                                                                                                              76⤵
                                                                                                                                                                              • Checks computer location settings
                                                                                                                                                                              PID:9512
                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\Wave.exe
                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
                                                                                                                                                                                77⤵
                                                                                                                                                                                  PID:9636
                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\Wave.exe
                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
                                                                                                                                                                                    78⤵
                                                                                                                                                                                      PID:9716
                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\Wave.exe
                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
                                                                                                                                                                                        79⤵
                                                                                                                                                                                        • Checks computer location settings
                                                                                                                                                                                        PID:9768
                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\Wave.exe
                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
                                                                                                                                                                                          80⤵
                                                                                                                                                                                            PID:9896
                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Wave.exe
                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
                                                                                                                                                                                              81⤵
                                                                                                                                                                                              • Checks computer location settings
                                                                                                                                                                                              PID:10048
                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\Wave.exe
                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
                                                                                                                                                                                                82⤵
                                                                                                                                                                                                • Checks computer location settings
                                                                                                                                                                                                PID:10168
                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\Wave.exe
                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
                                                                                                                                                                                                  83⤵
                                                                                                                                                                                                  • Checks computer location settings
                                                                                                                                                                                                  PID:10232
                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\Wave.exe
                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
                                                                                                                                                                                                    84⤵
                                                                                                                                                                                                      PID:7884
                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\Wave.exe
                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
                                                                                                                                                                                                        85⤵
                                                                                                                                                                                                          PID:10296
                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\Wave.exe
                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
                                                                                                                                                                                                            86⤵
                                                                                                                                                                                                            • Checks computer location settings
                                                                                                                                                                                                            PID:10376
                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Wave.exe
                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
                                                                                                                                                                                                              87⤵
                                                                                                                                                                                                                PID:10500
                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\Wave.exe
                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
                                                                                                                                                                                                                  88⤵
                                                                                                                                                                                                                    PID:10672
                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\Wave.exe
                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
                                                                                                                                                                                                                      89⤵
                                                                                                                                                                                                                        PID:10852
                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\Wave.exe
                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
                                                                                                                                                                                                                          90⤵
                                                                                                                                                                                                                            PID:10972
                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Wave.exe
                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
                                                                                                                                                                                                                              91⤵
                                                                                                                                                                                                                                PID:11124
                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\Wave.exe
                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
                                                                                                                                                                                                                                  92⤵
                                                                                                                                                                                                                                  • Checks computer location settings
                                                                                                                                                                                                                                  PID:10340
                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\Wave.exe
                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
                                                                                                                                                                                                                                    93⤵
                                                                                                                                                                                                                                      PID:9668
                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\Wave.exe
                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
                                                                                                                                                                                                                                        94⤵
                                                                                                                                                                                                                                        • Checks computer location settings
                                                                                                                                                                                                                                        PID:11384
                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\Wave.exe
                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
                                                                                                                                                                                                                                          95⤵
                                                                                                                                                                                                                                            PID:11520
                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Wave.exe
                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
                                                                                                                                                                                                                                              96⤵
                                                                                                                                                                                                                                                PID:11708
                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\Wave.exe
                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
                                                                                                                                                                                                                                                  97⤵
                                                                                                                                                                                                                                                  • Checks computer location settings
                                                                                                                                                                                                                                                  PID:11836
                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\Wave.exe
                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
                                                                                                                                                                                                                                                    98⤵
                                                                                                                                                                                                                                                      PID:12056
                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\Wave.exe
                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
                                                                                                                                                                                                                                                        99⤵
                                                                                                                                                                                                                                                        • Checks computer location settings
                                                                                                                                                                                                                                                        PID:12180
                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\Wave.exe
                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
                                                                                                                                                                                                                                                          100⤵
                                                                                                                                                                                                                                                            PID:11516
                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Wave.exe
                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
                                                                                                                                                                                                                                                              101⤵
                                                                                                                                                                                                                                                              • Checks computer location settings
                                                                                                                                                                                                                                                              PID:12412
                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\Wave.exe
                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
                                                                                                                                                                                                                                                                102⤵
                                                                                                                                                                                                                                                                • Checks computer location settings
                                                                                                                                                                                                                                                                PID:12548
                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\Wave.exe
                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
                                                                                                                                                                                                                                                                  103⤵
                                                                                                                                                                                                                                                                    PID:12736
                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\Wave.exe
                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
                                                                                                                                                                                                                                                                      104⤵
                                                                                                                                                                                                                                                                        PID:12952
                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\Wave.exe
                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
                                                                                                                                                                                                                                                                          105⤵
                                                                                                                                                                                                                                                                          • Checks computer location settings
                                                                                                                                                                                                                                                                          PID:13172
                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\Wave.exe
                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
                                                                                                                                                                                                                                                                            106⤵
                                                                                                                                                                                                                                                                              PID:13440
                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\Wave.exe
                                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
                                                                                                                                                                                                                                                                                107⤵
                                                                                                                                                                                                                                                                                • Checks computer location settings
                                                                                                                                                                                                                                                                                PID:13688
                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\Wave.exe
                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
                                                                                                                                                                                                                                                                                  108⤵
                                                                                                                                                                                                                                                                                    PID:13888
                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\Wave.exe
                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
                                                                                                                                                                                                                                                                                      109⤵
                                                                                                                                                                                                                                                                                        PID:14128
                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\Wave.exe
                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
                                                                                                                                                                                                                                                                                          110⤵
                                                                                                                                                                                                                                                                                          • Checks computer location settings
                                                                                                                                                                                                                                                                                          PID:14308
                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\Wave.exe
                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
                                                                                                                                                                                                                                                                                            111⤵
                                                                                                                                                                                                                                                                                              PID:14424
                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\Wave.exe
                                                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
                                                                                                                                                                                                                                                                                                112⤵
                                                                                                                                                                                                                                                                                                • Checks computer location settings
                                                                                                                                                                                                                                                                                                PID:14668
                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\Wave.exe
                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
                                                                                                                                                                                                                                                                                                  113⤵
                                                                                                                                                                                                                                                                                                  • Checks computer location settings
                                                                                                                                                                                                                                                                                                  PID:15028
                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\Wave.exe
                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
                                                                                                                                                                                                                                                                                                    114⤵
                                                                                                                                                                                                                                                                                                      PID:13304
                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\Wave.exe
                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
                                                                                                                                                                                                                                                                                                        115⤵
                                                                                                                                                                                                                                                                                                        • Checks computer location settings
                                                                                                                                                                                                                                                                                                        PID:15664
                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\Wave.exe
                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
                                                                                                                                                                                                                                                                                                          116⤵
                                                                                                                                                                                                                                                                                                            PID:15948
                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\KrampUI.exe
                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"
                                                                                                                                                                                                                                                                                                            116⤵
                                                                                                                                                                                                                                                                                                            • Suspicious use of FindShellTrayWindow
                                                                                                                                                                                                                                                                                                            • Suspicious use of SendNotifyMessage
                                                                                                                                                                                                                                                                                                            PID:14632
                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe
                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"
                                                                                                                                                                                                                                                                                                            116⤵
                                                                                                                                                                                                                                                                                                              PID:16364
                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe
                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"
                                                                                                                                                                                                                                                                                                            115⤵
                                                                                                                                                                                                                                                                                                              PID:16160
                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe
                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"
                                                                                                                                                                                                                                                                                                            114⤵
                                                                                                                                                                                                                                                                                                              PID:13932
                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\KrampUI.exe
                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"
                                                                                                                                                                                                                                                                                                            113⤵
                                                                                                                                                                                                                                                                                                            • Suspicious use of FindShellTrayWindow
                                                                                                                                                                                                                                                                                                            • Suspicious use of SendNotifyMessage
                                                                                                                                                                                                                                                                                                            PID:15380
                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe
                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"
                                                                                                                                                                                                                                                                                                            113⤵
                                                                                                                                                                                                                                                                                                              PID:14876
                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\KrampUI.exe
                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"
                                                                                                                                                                                                                                                                                                            112⤵
                                                                                                                                                                                                                                                                                                            • Suspicious use of FindShellTrayWindow
                                                                                                                                                                                                                                                                                                            • Suspicious use of SendNotifyMessage
                                                                                                                                                                                                                                                                                                            PID:16196
                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe
                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"
                                                                                                                                                                                                                                                                                                            112⤵
                                                                                                                                                                                                                                                                                                              PID:9960
                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\KrampUI.exe
                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"
                                                                                                                                                                                                                                                                                                            111⤵
                                                                                                                                                                                                                                                                                                            • Suspicious use of FindShellTrayWindow
                                                                                                                                                                                                                                                                                                            • Suspicious use of SendNotifyMessage
                                                                                                                                                                                                                                                                                                            PID:14872
                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe
                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"
                                                                                                                                                                                                                                                                                                            111⤵
                                                                                                                                                                                                                                                                                                              PID:16360
                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\KrampUI.exe
                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"
                                                                                                                                                                                                                                                                                                            110⤵
                                                                                                                                                                                                                                                                                                            • Suspicious use of FindShellTrayWindow
                                                                                                                                                                                                                                                                                                            • Suspicious use of SendNotifyMessage
                                                                                                                                                                                                                                                                                                            PID:16348
                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe
                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"
                                                                                                                                                                                                                                                                                                            110⤵
                                                                                                                                                                                                                                                                                                              PID:16272
                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\KrampUI.exe
                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"
                                                                                                                                                                                                                                                                                                            109⤵
                                                                                                                                                                                                                                                                                                            • Suspicious use of FindShellTrayWindow
                                                                                                                                                                                                                                                                                                            • Suspicious use of SendNotifyMessage
                                                                                                                                                                                                                                                                                                            PID:16292
                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe
                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"
                                                                                                                                                                                                                                                                                                            109⤵
                                                                                                                                                                                                                                                                                                              PID:13060
                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\KrampUI.exe
                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"
                                                                                                                                                                                                                                                                                                            108⤵
                                                                                                                                                                                                                                                                                                            • Suspicious use of FindShellTrayWindow
                                                                                                                                                                                                                                                                                                            • Suspicious use of SendNotifyMessage
                                                                                                                                                                                                                                                                                                            PID:16248
                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe
                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"
                                                                                                                                                                                                                                                                                                            108⤵
                                                                                                                                                                                                                                                                                                              PID:12060
                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\KrampUI.exe
                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"
                                                                                                                                                                                                                                                                                                            107⤵
                                                                                                                                                                                                                                                                                                            • Suspicious use of FindShellTrayWindow
                                                                                                                                                                                                                                                                                                            • Suspicious use of SendNotifyMessage
                                                                                                                                                                                                                                                                                                            PID:14188
                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe
                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"
                                                                                                                                                                                                                                                                                                            107⤵
                                                                                                                                                                                                                                                                                                              PID:2948
                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\KrampUI.exe
                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"
                                                                                                                                                                                                                                                                                                            106⤵
                                                                                                                                                                                                                                                                                                            • Suspicious use of FindShellTrayWindow
                                                                                                                                                                                                                                                                                                            • Suspicious use of SendNotifyMessage
                                                                                                                                                                                                                                                                                                            PID:14908
                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe
                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"
                                                                                                                                                                                                                                                                                                            106⤵
                                                                                                                                                                                                                                                                                                              PID:15784
                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\KrampUI.exe
                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"
                                                                                                                                                                                                                                                                                                            105⤵
                                                                                                                                                                                                                                                                                                            • Suspicious use of FindShellTrayWindow
                                                                                                                                                                                                                                                                                                            • Suspicious use of SendNotifyMessage
                                                                                                                                                                                                                                                                                                            PID:16112
                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe
                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"
                                                                                                                                                                                                                                                                                                            105⤵
                                                                                                                                                                                                                                                                                                              PID:15552
                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\KrampUI.exe
                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"
                                                                                                                                                                                                                                                                                                            104⤵
                                                                                                                                                                                                                                                                                                            • Suspicious use of FindShellTrayWindow
                                                                                                                                                                                                                                                                                                            • Suspicious use of SendNotifyMessage
                                                                                                                                                                                                                                                                                                            PID:15828
                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe
                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"
                                                                                                                                                                                                                                                                                                            104⤵
                                                                                                                                                                                                                                                                                                              PID:16016
                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\KrampUI.exe
                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"
                                                                                                                                                                                                                                                                                                            103⤵
                                                                                                                                                                                                                                                                                                            • Suspicious use of FindShellTrayWindow
                                                                                                                                                                                                                                                                                                            • Suspicious use of SendNotifyMessage
                                                                                                                                                                                                                                                                                                            PID:15628
                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe
                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"
                                                                                                                                                                                                                                                                                                            103⤵
                                                                                                                                                                                                                                                                                                              PID:15696
                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\KrampUI.exe
                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"
                                                                                                                                                                                                                                                                                                            102⤵
                                                                                                                                                                                                                                                                                                            • Suspicious use of FindShellTrayWindow
                                                                                                                                                                                                                                                                                                            • Suspicious use of SendNotifyMessage
                                                                                                                                                                                                                                                                                                            PID:15484
                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\KrampUI.exe
                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"
                                                                                                                                                                                                                                                                                                          101⤵
                                                                                                                                                                                                                                                                                                          • Suspicious use of FindShellTrayWindow
                                                                                                                                                                                                                                                                                                          • Suspicious use of SendNotifyMessage
                                                                                                                                                                                                                                                                                                          PID:13568
                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\KrampUI.exe
                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"
                                                                                                                                                                                                                                                                                                        100⤵
                                                                                                                                                                                                                                                                                                        • Suspicious use of FindShellTrayWindow
                                                                                                                                                                                                                                                                                                        • Suspicious use of SendNotifyMessage
                                                                                                                                                                                                                                                                                                        PID:12908
                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe
                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"
                                                                                                                                                                                                                                                                                                        100⤵
                                                                                                                                                                                                                                                                                                          PID:13924
                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\KrampUI.exe
                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"
                                                                                                                                                                                                                                                                                                        99⤵
                                                                                                                                                                                                                                                                                                        • Suspicious use of FindShellTrayWindow
                                                                                                                                                                                                                                                                                                        • Suspicious use of SendNotifyMessage
                                                                                                                                                                                                                                                                                                        PID:13876
                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe
                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"
                                                                                                                                                                                                                                                                                                        99⤵
                                                                                                                                                                                                                                                                                                          PID:9228
                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\KrampUI.exe
                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"
                                                                                                                                                                                                                                                                                                        98⤵
                                                                                                                                                                                                                                                                                                          PID:15196
                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe
                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"
                                                                                                                                                                                                                                                                                                          98⤵
                                                                                                                                                                                                                                                                                                            PID:13316
                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\KrampUI.exe
                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"
                                                                                                                                                                                                                                                                                                          97⤵
                                                                                                                                                                                                                                                                                                            PID:15036
                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe
                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"
                                                                                                                                                                                                                                                                                                            97⤵
                                                                                                                                                                                                                                                                                                              PID:16296
                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\KrampUI.exe
                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"
                                                                                                                                                                                                                                                                                                            96⤵
                                                                                                                                                                                                                                                                                                              PID:14920
                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe
                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"
                                                                                                                                                                                                                                                                                                              96⤵
                                                                                                                                                                                                                                                                                                                PID:15708
                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\KrampUI.exe
                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"
                                                                                                                                                                                                                                                                                                              95⤵
                                                                                                                                                                                                                                                                                                                PID:14704
                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe
                                                                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"
                                                                                                                                                                                                                                                                                                                95⤵
                                                                                                                                                                                                                                                                                                                  PID:15676
                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\KrampUI.exe
                                                                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"
                                                                                                                                                                                                                                                                                                                94⤵
                                                                                                                                                                                                                                                                                                                  PID:14572
                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe
                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"
                                                                                                                                                                                                                                                                                                                  94⤵
                                                                                                                                                                                                                                                                                                                    PID:15048
                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\KrampUI.exe
                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"
                                                                                                                                                                                                                                                                                                                  93⤵
                                                                                                                                                                                                                                                                                                                    PID:14412
                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe
                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"
                                                                                                                                                                                                                                                                                                                    93⤵
                                                                                                                                                                                                                                                                                                                      PID:6028
                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\KrampUI.exe
                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"
                                                                                                                                                                                                                                                                                                                    92⤵
                                                                                                                                                                                                                                                                                                                      PID:11992
                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe
                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"
                                                                                                                                                                                                                                                                                                                      92⤵
                                                                                                                                                                                                                                                                                                                        PID:14544
                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\KrampUI.exe
                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"
                                                                                                                                                                                                                                                                                                                      91⤵
                                                                                                                                                                                                                                                                                                                        PID:14252
                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe
                                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"
                                                                                                                                                                                                                                                                                                                        91⤵
                                                                                                                                                                                                                                                                                                                          PID:16148
                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\KrampUI.exe
                                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"
                                                                                                                                                                                                                                                                                                                        90⤵
                                                                                                                                                                                                                                                                                                                          PID:14076
                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe
                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"
                                                                                                                                                                                                                                                                                                                          90⤵
                                                                                                                                                                                                                                                                                                                            PID:16232
                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\KrampUI.exe
                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"
                                                                                                                                                                                                                                                                                                                          89⤵
                                                                                                                                                                                                                                                                                                                            PID:13968
                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe
                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"
                                                                                                                                                                                                                                                                                                                            89⤵
                                                                                                                                                                                                                                                                                                                              PID:16088
                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\KrampUI.exe
                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"
                                                                                                                                                                                                                                                                                                                            88⤵
                                                                                                                                                                                                                                                                                                                              PID:13812
                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe
                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"
                                                                                                                                                                                                                                                                                                                              88⤵
                                                                                                                                                                                                                                                                                                                                PID:11980
                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\KrampUI.exe
                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"
                                                                                                                                                                                                                                                                                                                              87⤵
                                                                                                                                                                                                                                                                                                                                PID:13624
                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe
                                                                                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"
                                                                                                                                                                                                                                                                                                                                87⤵
                                                                                                                                                                                                                                                                                                                                  PID:12900
                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\KrampUI.exe
                                                                                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"
                                                                                                                                                                                                                                                                                                                                86⤵
                                                                                                                                                                                                                                                                                                                                  PID:13468
                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe
                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"
                                                                                                                                                                                                                                                                                                                                  86⤵
                                                                                                                                                                                                                                                                                                                                    PID:15468
                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\KrampUI.exe
                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"
                                                                                                                                                                                                                                                                                                                                  85⤵
                                                                                                                                                                                                                                                                                                                                    PID:13360
                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe
                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"
                                                                                                                                                                                                                                                                                                                                    85⤵
                                                                                                                                                                                                                                                                                                                                      PID:16364
                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\KrampUI.exe
                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"
                                                                                                                                                                                                                                                                                                                                    84⤵
                                                                                                                                                                                                                                                                                                                                      PID:10616
                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe
                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"
                                                                                                                                                                                                                                                                                                                                      84⤵
                                                                                                                                                                                                                                                                                                                                        PID:16316
                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\KrampUI.exe
                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"
                                                                                                                                                                                                                                                                                                                                      83⤵
                                                                                                                                                                                                                                                                                                                                        PID:13184
                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe
                                                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"
                                                                                                                                                                                                                                                                                                                                        83⤵
                                                                                                                                                                                                                                                                                                                                          PID:16164
                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\KrampUI.exe
                                                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"
                                                                                                                                                                                                                                                                                                                                        82⤵
                                                                                                                                                                                                                                                                                                                                          PID:13076
                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe
                                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"
                                                                                                                                                                                                                                                                                                                                          82⤵
                                                                                                                                                                                                                                                                                                                                            PID:16000
                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\KrampUI.exe
                                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"
                                                                                                                                                                                                                                                                                                                                          81⤵
                                                                                                                                                                                                                                                                                                                                            PID:12972
                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe
                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"
                                                                                                                                                                                                                                                                                                                                            81⤵
                                                                                                                                                                                                                                                                                                                                              PID:15912
                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\KrampUI.exe
                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"
                                                                                                                                                                                                                                                                                                                                            80⤵
                                                                                                                                                                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                            PID:12808
                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe
                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"
                                                                                                                                                                                                                                                                                                                                            80⤵
                                                                                                                                                                                                                                                                                                                                              PID:15752
                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\KrampUI.exe
                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"
                                                                                                                                                                                                                                                                                                                                            79⤵
                                                                                                                                                                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                            PID:12656
                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe
                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"
                                                                                                                                                                                                                                                                                                                                            79⤵
                                                                                                                                                                                                                                                                                                                                              PID:15616
                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\KrampUI.exe
                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"
                                                                                                                                                                                                                                                                                                                                            78⤵
                                                                                                                                                                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                            PID:12560
                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe
                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"
                                                                                                                                                                                                                                                                                                                                            78⤵
                                                                                                                                                                                                                                                                                                                                              PID:15508
                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\KrampUI.exe
                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"
                                                                                                                                                                                                                                                                                                                                            77⤵
                                                                                                                                                                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                            PID:12420
                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe
                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"
                                                                                                                                                                                                                                                                                                                                            77⤵
                                                                                                                                                                                                                                                                                                                                              PID:15364
                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\KrampUI.exe
                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"
                                                                                                                                                                                                                                                                                                                                            76⤵
                                                                                                                                                                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                            PID:12296
                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe
                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"
                                                                                                                                                                                                                                                                                                                                            76⤵
                                                                                                                                                                                                                                                                                                                                              PID:15168
                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\KrampUI.exe
                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"
                                                                                                                                                                                                                                                                                                                                            75⤵
                                                                                                                                                                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                            PID:12208
                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe
                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"
                                                                                                                                                                                                                                                                                                                                            75⤵
                                                                                                                                                                                                                                                                                                                                              PID:4580
                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\KrampUI.exe
                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"
                                                                                                                                                                                                                                                                                                                                            74⤵
                                                                                                                                                                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                            PID:12108
                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe
                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"
                                                                                                                                                                                                                                                                                                                                            74⤵
                                                                                                                                                                                                                                                                                                                                              PID:15260
                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\KrampUI.exe
                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"
                                                                                                                                                                                                                                                                                                                                            73⤵
                                                                                                                                                                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                            PID:11984
                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe
                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"
                                                                                                                                                                                                                                                                                                                                            73⤵
                                                                                                                                                                                                                                                                                                                                              PID:15144
• C:\Users\Admin\AppData\Local\Temp\KrampUI.exe
  "C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"
  72⤵
  • Executes dropped EXE
  PID:11872
• C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe
  "C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"
  72⤵
  PID:15044
• C:\Users\Admin\AppData\Local\Temp\KrampUI.exe
  "C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"
  71⤵
  • Executes dropped EXE
  PID:11756
• C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe
  "C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"
  71⤵
  PID:14980
• C:\Users\Admin\AppData\Local\Temp\KrampUI.exe
  "C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"
  70⤵
  • Executes dropped EXE
  PID:11648
• C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe
  "C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"
  70⤵
  PID:14848
• C:\Users\Admin\AppData\Local\Temp\KrampUI.exe
  "C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"
  69⤵
  • Executes dropped EXE
  PID:11552
• C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe
  "C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"
  69⤵
  PID:14808
• C:\Users\Admin\AppData\Local\Temp\KrampUI.exe
  "C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"
  68⤵
  • Executes dropped EXE
  PID:11416
• C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe
  "C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"
  68⤵
  PID:14628
• C:\Users\Admin\AppData\Local\Temp\KrampUI.exe
  "C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"
  67⤵
  • Executes dropped EXE
  PID:11328
• C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe
  "C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"
  67⤵
  PID:14516
• C:\Users\Admin\AppData\Local\Temp\KrampUI.exe
  "C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"
  66⤵
  • Executes dropped EXE
  PID:10660
• C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe
  "C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"
  66⤵
  PID:14376
• C:\Users\Admin\AppData\Local\Temp\KrampUI.exe
  "C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"
  65⤵
  • Executes dropped EXE
  PID:11204
• C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe
  "C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"
  65⤵
  PID:4312
• C:\Users\Admin\AppData\Local\Temp\KrampUI.exe
  "C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"
  64⤵
  • Executes dropped EXE
  PID:11036
• C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe
  "C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"
  64⤵
  PID:14160
• C:\Users\Admin\AppData\Local\Temp\KrampUI.exe
  "C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"
  63⤵
  • Executes dropped EXE
  PID:10916
• C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe
  "C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"
  63⤵
  PID:14032
• C:\Users\Admin\AppData\Local\Temp\KrampUI.exe
  "C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"
  62⤵
  • Executes dropped EXE
  PID:10788
• C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe
  "C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"
  62⤵
  PID:13896
• C:\Users\Admin\AppData\Local\Temp\KrampUI.exe
  "C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"
  61⤵
                                                                                                                                                                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                            PID:10664
                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe
                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"
                                                                                                                                                                                                                                                                                                                                            61⤵
                                                                                                                                                                                                                                                                                                                                              PID:13764
                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\KrampUI.exe
                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"
                                                                                                                                                                                                                                                                                                                                            60⤵
                                                                                                                                                                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                            PID:10524
                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe
                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"
                                                                                                                                                                                                                                                                                                                                            60⤵
                                                                                                                                                                                                                                                                                                                                              PID:13696
                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\KrampUI.exe
                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"
                                                                                                                                                                                                                                                                                                                                            59⤵
                                                                                                                                                                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                            PID:10404
                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe
                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"
                                                                                                                                                                                                                                                                                                                                            59⤵
                                                                                                                                                                                                                                                                                                                                              PID:13548
                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\KrampUI.exe
                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"
                                                                                                                                                                                                                                                                                                                                            58⤵
                                                                                                                                                                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                            PID:8012
                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe
                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"
                                                                                                                                                                                                                                                                                                                                            58⤵
                                                                                                                                                                                                                                                                                                                                              PID:13352
                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\KrampUI.exe
                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"
                                                                                                                                                                                                                                                                                                                                            57⤵
                                                                                                                                                                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                            PID:9232
                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe
                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"
                                                                                                                                                                                                                                                                                                                                            57⤵
                                                                                                                                                                                                                                                                                                                                              PID:13284
                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\KrampUI.exe
                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"
                                                                                                                                                                                                                                                                                                                                            56⤵
                                                                                                                                                                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                            PID:10076
                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe
                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"
                                                                                                                                                                                                                                                                                                                                            56⤵
                                                                                                                                                                                                                                                                                                                                              PID:13032
                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\KrampUI.exe
                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"
                                                                                                                                                                                                                                                                                                                                            55⤵
                                                                                                                                                                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                            PID:9972
                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe
                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"
                                                                                                                                                                                                                                                                                                                                            55⤵
                                                                                                                                                                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                            PID:12892
                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\KrampUI.exe
                                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"
                                                                                                                                                                                                                                                                                                                                          54⤵
                                                                                                                                                                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                          PID:9808
                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe
                                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"
                                                                                                                                                                                                                                                                                                                                          54⤵
                                                                                                                                                                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                          PID:12748
                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\KrampUI.exe
                                                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"
                                                                                                                                                                                                                                                                                                                                        53⤵
                                                                                                                                                                                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                        PID:9532
                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe
                                                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"
                                                                                                                                                                                                                                                                                                                                        53⤵
                                                                                                                                                                                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                        PID:11536
                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\KrampUI.exe
                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"
                                                                                                                                                                                                                                                                                                                                      52⤵
                                                                                                                                                                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                      PID:3356
                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe
                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"
                                                                                                                                                                                                                                                                                                                                      52⤵
                                                                                                                                                                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                      PID:11948
                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\KrampUI.exe
                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"
                                                                                                                                                                                                                                                                                                                                    51⤵
                                                                                                                                                                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                    PID:8916
                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe
                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"
                                                                                                                                                                                                                                                                                                                                    51⤵
                                                                                                                                                                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                    PID:10984
                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\KrampUI.exe
                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"
                                                                                                                                                                                                                                                                                                                                  50⤵
                                                                                                                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                  PID:9020
                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe
                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"
                                                                                                                                                                                                                                                                                                                                  50⤵
                                                                                                                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                  PID:10576
                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\KrampUI.exe
                                                                                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"
                                                                                                                                                                                                                                                                                                                                49⤵
                                                                                                                                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                PID:8328
                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe
                                                                                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"
                                                                                                                                                                                                                                                                                                                                49⤵
                                                                                                                                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                PID:9924
                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\KrampUI.exe
                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"
                                                                                                                                                                                                                                                                                                                              48⤵
                                                                                                                                                                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                              PID:8028
                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe
                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"
                                                                                                                                                                                                                                                                                                                              48⤵
                                                                                                                                                                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                              PID:9652
                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\KrampUI.exe
                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"
                                                                                                                                                                                                                                                                                                                            47⤵
                                                                                                                                                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                            PID:8144
                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe
                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"
                                                                                                                                                                                                                                                                                                                            47⤵
                                                                                                                                                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                            PID:8068
                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\KrampUI.exe
                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"
                                                                                                                                                                                                                                                                                                                          46⤵
                                                                                                                                                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                          PID:7780
                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe
                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"
                                                                                                                                                                                                                                                                                                                          46⤵
                                                                                                                                                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                          PID:7384
                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\KrampUI.exe
                                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"
                                                                                                                                                                                                                                                                                                                        45⤵
                                                                                                                                                                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                        PID:7752
                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe
                                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"
                                                                                                                                                                                                                                                                                                                        45⤵
                                                                                                                                                                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                        PID:8084
                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\KrampUI.exe
                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"
                                                                                                                                                                                                                                                                                                                      44⤵
                                                                                                                                                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                      PID:7504
                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe
                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"
                                                                                                                                                                                                                                                                                                                      44⤵
                                                                                                                                                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                      PID:1064
                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\KrampUI.exe
                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"
                                                                                                                                                                                                                                                                                                                    43⤵
                                                                                                                                                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                    PID:6908
                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe
                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"
                                                                                                                                                                                                                                                                                                                    43⤵
                                                                                                                                                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                    PID:8216
                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\KrampUI.exe
                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"
                                                                                                                                                                                                                                                                                                                  42⤵
                                                                                                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                  PID:6972
                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe
                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"
                                                                                                                                                                                                                                                                                                                  42⤵
                                                                                                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                  PID:1992
                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe
                                                                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"
                                                                                                                                                                                                                                                                                                                41⤵
                                                                                                                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                PID:8116
                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe
                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"
                                                                                                                                                                                                                                                                                                              40⤵
                                                                                                                                                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                                                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                              PID:8156
                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe
                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"
                                                                                                                                                                                                                                                                                                            39⤵
                                                                                                                                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                                                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                            PID:7848
                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe
                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"
                                                                                                                                                                                                                                                                                                          38⤵
                                                                                                                                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                                                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                          PID:7908
                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe
                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"
                                                                                                                                                                                                                                                                                                        37⤵
                                                                                                                                                                                                                                                                                                        • Drops startup file
                                                                                                                                                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                                                                                                                                                        • Adds Run key to start application
                                                                                                                                                                                                                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                        PID:7692
                                                                                                                                                                                                                                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe'
                                                                                                                                                                                                                                                                                                          38⤵
                                                                                                                                                                                                                                                                                                          • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                                                                                                          PID:8580
                                                                                                                                                                                                                                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'RobloxWave.exe'
                                                                                                                                                                                                                                                                                                          38⤵
                                                                                                                                                                                                                                                                                                          • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                                                                                                          PID:8956
                                                                                                                                                                                                                                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\SystemFiles.exe'
                                                                                                                                                                                                                                                                                                          38⤵
                                                                                                                                                                                                                                                                                                          • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                                                                                                          PID:8712
                                                                                                                                                                                                                                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SystemFiles.exe'
                                                                                                                                                                                                                                                                                                          38⤵
                                                                                                                                                                                                                                                                                                          • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                                                                                                          PID:9136
                                                                                                                                                                                                                                                                                                        • C:\Windows\System32\schtasks.exe
                                                                                                                                                                                                                                                                                                          "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "SystemFiles" /tr "C:\Users\Admin\AppData\Roaming\SystemFiles.exe"
                                                                                                                                                                                                                                                                                                          38⤵
                                                                                                                                                                                                                                                                                                          • Creates scheduled task(s)
                                                                                                                                                                                                                                                                                                          PID:9228
                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe
                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"
                                                                                                                                                                                                                                                                                                      36⤵
                                                                                                                                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                      PID:7772
                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe
                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"
                                                                                                                                                                                                                                                                                                    35⤵
                                                                                                                                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                    PID:7760
                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe
                                                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"
                                                                                                                                                                                                                                                                                                33⤵
                                                                                                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                PID:7872
                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe
                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"
                                                                                                                                                                                                                                                                                          30⤵
                                                                                                                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                          PID:7840
                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\KrampUI.exe
                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"
                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                  PID:6964
                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe
                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"
                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                  PID:3432
                                                                                                                                                                                                                              • C:\Windows\system32\dwm.exe
                                                                                                                                                                                                                                "dwm.exe"
                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                • Checks SCSI registry key(s)
                                                                                                                                                                                                                                • Enumerates system info in registry
                                                                                                                                                                                                                                • Modifies data under HKEY_USERS
                                                                                                                                                                                                                                PID:13376
                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\SystemFiles.exe
                                                                                                                                                                                                                                C:\Users\Admin\AppData\Roaming\SystemFiles.exe
                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                  PID:3808
                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Roaming\SystemFiles.exe
                                                                                                                                                                                                                                  C:\Users\Admin\AppData\Roaming\SystemFiles.exe
                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                    PID:15636

                                                                                                                                                                                                                                  Network

                                                                                                                                                                                                                                  MITRE ATT&CK Enterprise v15

                                                                                                                                                                                                                                  Downloads

                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Wave.exe.log

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    1KB

                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\KrampUI.exe

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    16.5MB

                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\KrampUI.exe

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    271KB

                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\KrampUI.exe

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    831KB

                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\KrampUI.exe

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    7.4MB

                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\KrampUI.exe

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    14.1MB

                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    48KB

                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    80KB

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0dzyc2k4.jxg.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • memory/728-3-0x00007FFEB3960000-0x00007FFEB4421000-memory.dmp

    Filesize

    10.8MB

  • memory/728-140-0x00007FFEB3960000-0x00007FFEB4421000-memory.dmp

    Filesize

    10.8MB

  • memory/728-4-0x00007FFEB3960000-0x00007FFEB4421000-memory.dmp

    Filesize

    10.8MB

  • memory/1984-136-0x00007FFEB3963000-0x00007FFEB3965000-memory.dmp

    Filesize

    8KB

  • memory/1984-1-0x00007FFEB3963000-0x00007FFEB3965000-memory.dmp

    Filesize

    8KB

  • memory/1984-0-0x0000000000550000-0x0000000000568000-memory.dmp

    Filesize

    96KB

  • memory/1984-139-0x00007FFEB3960000-0x00007FFEB4421000-memory.dmp

    Filesize

    10.8MB

  • memory/1984-2-0x00007FFEB3960000-0x00007FFEB4421000-memory.dmp

    Filesize

    10.8MB

  • memory/7692-72-0x0000000000C20000-0x0000000000C3A000-memory.dmp

    Filesize

    104KB

  • memory/8580-89-0x000001E6D3EC0000-0x000001E6D3EE2000-memory.dmp

    Filesize

    136KB

  • memory/16348-138-0x00007FFED1910000-0x00007FFED1B05000-memory.dmp

    Filesize

    2.0MB