Malware Analysis Report

2024-11-16 13:35

Sample ID 240526-vlfxesec59
Target Wave DOWNLOAD.zip
SHA256 d01cffe070482ab9514faca52a0709b4dacd9e4e7e9a9cbab85764a5e2697227
Tags
xworm execution persistence rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d01cffe070482ab9514faca52a0709b4dacd9e4e7e9a9cbab85764a5e2697227

Threat Level: Known bad

The file Wave DOWNLOAD.zip was found to be: Known bad.

Malicious Activity Summary

xworm execution persistence rat trojan

Xworm

Detect Xworm Payload

Command and Scripting Interpreter: PowerShell

Downloads MZ/PE file

Executes dropped EXE

Checks computer location settings

Drops startup file

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Enumerates physical storage devices

Unsigned PE

Modifies data under HKEY_USERS

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Enumerates system info in registry

Checks SCSI registry key(s)

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-26 17:04

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-26 17:04

Reported

2024-05-26 17:07

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Wave.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm

trojan rat xworm

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Wave.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SystemFiles.lnk C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SystemFiles.lnk C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\KrampUI.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SystemFiles = "C:\\Users\\Admin\\AppData\\Roaming\\SystemFiles.exe" C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID C:\Windows\system32\dwm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\system32\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags C:\Windows\system32\dwm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\system32\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags C:\Windows\system32\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\system32\dwm.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\system32\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\system32\dwm.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\dwm.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Wave.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\KrampUI.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1984 wrote to memory of 728 N/A C:\Users\Admin\AppData\Local\Temp\Wave.exe C:\Users\Admin\AppData\Local\Temp\Wave.exe
PID 728 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\Wave.exe C:\Users\Admin\AppData\Local\Temp\Wave.exe
PID 864 wrote to memory of 4544 N/A C:\Users\Admin\AppData\Local\Temp\Wave.exe C:\Users\Admin\AppData\Local\Temp\Wave.exe
PID 4544 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Local\Temp\Wave.exe C:\Users\Admin\AppData\Local\Temp\Wave.exe
PID 1400 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\Wave.exe C:\Users\Admin\AppData\Local\Temp\Wave.exe
PID 1360 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\Wave.exe C:\Users\Admin\AppData\Local\Temp\Wave.exe
PID 1632 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\Wave.exe C:\Users\Admin\AppData\Local\Temp\Wave.exe
PID 2452 wrote to memory of 4816 N/A C:\Users\Admin\AppData\Local\Temp\Wave.exe C:\Users\Admin\AppData\Local\Temp\Wave.exe
PID 4816 wrote to memory of 4176 N/A C:\Users\Admin\AppData\Local\Temp\Wave.exe C:\Users\Admin\AppData\Local\Temp\Wave.exe
PID 4176 wrote to memory of 3284 N/A C:\Users\Admin\AppData\Local\Temp\Wave.exe C:\Users\Admin\AppData\Local\Temp\Wave.exe
PID 3284 wrote to memory of 3100 N/A C:\Users\Admin\AppData\Local\Temp\Wave.exe C:\Users\Admin\AppData\Local\Temp\Wave.exe
PID 3100 wrote to memory of 4232 N/A C:\Users\Admin\AppData\Local\Temp\Wave.exe C:\Users\Admin\AppData\Local\Temp\Wave.exe
PID 4232 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Local\Temp\Wave.exe C:\Users\Admin\AppData\Local\Temp\Wave.exe
PID 1568 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\Wave.exe C:\Users\Admin\AppData\Local\Temp\Wave.exe
PID 2924 wrote to memory of 4144 N/A C:\Users\Admin\AppData\Local\Temp\Wave.exe C:\Users\Admin\AppData\Local\Temp\Wave.exe
PID 4144 wrote to memory of 4820 N/A C:\Users\Admin\AppData\Local\Temp\Wave.exe C:\Users\Admin\AppData\Local\Temp\Wave.exe
PID 4820 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\Wave.exe C:\Users\Admin\AppData\Local\Temp\Wave.exe
PID 4864 wrote to memory of 4868 N/A C:\Users\Admin\AppData\Local\Temp\Wave.exe C:\Users\Admin\AppData\Local\Temp\Wave.exe
PID 4868 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\Wave.exe C:\Users\Admin\AppData\Local\Temp\Wave.exe
PID 2812 wrote to memory of 4472 N/A C:\Users\Admin\AppData\Local\Temp\Wave.exe C:\Users\Admin\AppData\Local\Temp\Wave.exe
PID 4472 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\Wave.exe C:\Users\Admin\AppData\Local\Temp\Wave.exe
PID 1292 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\Wave.exe C:\Users\Admin\AppData\Local\Temp\Wave.exe
PID 1924 wrote to memory of 4328 N/A C:\Users\Admin\AppData\Local\Temp\Wave.exe C:\Users\Admin\AppData\Local\Temp\Wave.exe
PID 4328 wrote to memory of 4284 N/A C:\Users\Admin\AppData\Local\Temp\Wave.exe C:\Users\Admin\AppData\Local\Temp\Wave.exe
PID 4284 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\Wave.exe C:\Users\Admin\AppData\Local\Temp\Wave.exe
PID 2980 wrote to memory of 5152 N/A C:\Users\Admin\AppData\Local\Temp\Wave.exe C:\Users\Admin\AppData\Local\Temp\Wave.exe
PID 2980 wrote to memory of 5152 N/A C:\Users\Admin\AppData\Local\Temp\Wave.exe C:\Users\Admin\AppData\Local\Temp\Wave.exe
PID 5152 wrote to memory of 5236 N/A C:\Users\Admin\AppData\Local\Temp\Wave.exe C:\Users\Admin\AppData\Local\Temp\Wave.exe
PID 5152 wrote to memory of 5236 N/A C:\Users\Admin\AppData\Local\Temp\Wave.exe C:\Users\Admin\AppData\Local\Temp\Wave.exe
PID 5236 wrote to memory of 5304 N/A C:\Users\Admin\AppData\Local\Temp\Wave.exe C:\Users\Admin\AppData\Local\Temp\Wave.exe
PID 5236 wrote to memory of 5304 N/A C:\Users\Admin\AppData\Local\Temp\Wave.exe C:\Users\Admin\AppData\Local\Temp\Wave.exe
PID 5304 wrote to memory of 5356 N/A C:\Users\Admin\AppData\Local\Temp\Wave.exe C:\Users\Admin\AppData\Local\Temp\Wave.exe
PID 5304 wrote to memory of 5356 N/A C:\Users\Admin\AppData\Local\Temp\Wave.exe C:\Users\Admin\AppData\Local\Temp\Wave.exe
PID 5356 wrote to memory of 5420 N/A C:\Users\Admin\AppData\Local\Temp\Wave.exe C:\Users\Admin\AppData\Local\Temp\Wave.exe
PID 5356 wrote to memory of 5420 N/A C:\Users\Admin\AppData\Local\Temp\Wave.exe C:\Users\Admin\AppData\Local\Temp\Wave.exe
PID 5420 wrote to memory of 5480 N/A C:\Users\Admin\AppData\Local\Temp\Wave.exe C:\Users\Admin\AppData\Local\Temp\Wave.exe
PID 5420 wrote to memory of 5480 N/A C:\Users\Admin\AppData\Local\Temp\Wave.exe C:\Users\Admin\AppData\Local\Temp\Wave.exe
PID 5480 wrote to memory of 5536 N/A C:\Users\Admin\AppData\Local\Temp\Wave.exe C:\Users\Admin\AppData\Local\Temp\Wave.exe
PID 5480 wrote to memory of 5536 N/A C:\Users\Admin\AppData\Local\Temp\Wave.exe C:\Users\Admin\AppData\Local\Temp\Wave.exe

Uses Task Scheduler COM API

persistence

Processes

Distinct process / command-line pairs from the report, with the number of times each is listed (the original listing repeats identical entries; counts are taken from that listing):

C:\Users\Admin\AppData\Local\Temp\Wave.exe

"C:\Users\Admin\AppData\Local\Temp\Wave.exe"

(116 instances listed)

C:\Users\Admin\AppData\Local\Temp\KrampUI.exe

"C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"

(74 instances listed)

C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe

"C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe"

(83 instances listed)

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe'

(1 instance listed)

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'RobloxWave.exe'

(1 instance listed)

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\SystemFiles.exe'

(1 instance listed)

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SystemFiles.exe'

(1 instance listed)

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "SystemFiles" /tr "C:\Users\Admin\AppData\Roaming\SystemFiles.exe"

(1 instance listed)

C:\Windows\system32\dwm.exe

"dwm.exe"

(1 instance listed)

C:\Users\Admin\AppData\Roaming\SystemFiles.exe

C:\Users\Admin\AppData\Roaming\SystemFiles.exe

(2 instances listed)

The four powershell.exe instances add Microsoft Defender exclusions (by path and by process name) for the dropped RobloxWave.exe and SystemFiles.exe payloads, and the schtasks.exe instance registers a task named "SystemFiles" that runs C:\Users\Admin\AppData\Roaming\SystemFiles.exe every minute with the highest run level, which is the persistence mechanism behind the "Uses Task Scheduler COM API" and "Creates scheduled task(s)" signatures.

Network

Rows are listed in order of first occurrence; Count is the number of identical rows in the original log (109 rows in total). "(blank)" marks a Domain cell that is empty on the page.

Country Destination          Domain                         Proto Count
US      8.8.8.8:53           8.8.8.8.in-addr.arpa           udp   1
US      8.8.8.8:53           104.219.191.52.in-addr.arpa    udp   1
US      8.8.8.8:53           172.210.232.199.in-addr.arpa   udp   1
US      8.8.8.8:53           73.159.190.20.in-addr.arpa     udp   1
US      8.8.8.8:53           github.com                     udp   1
GB      20.26.156.215:443    github.com                     tcp   7
US      8.8.8.8:53           objects.githubusercontent.com  udp   1
US      185.199.110.133:443  objects.githubusercontent.com  tcp   1
US      8.8.8.8:53           215.156.26.20.in-addr.arpa     udp   1
US      8.8.8.8:53           133.110.199.185.in-addr.arpa   udp   1
US      8.8.8.8:53           raw.githubusercontent.com      udp   1
US      185.199.108.133:443  raw.githubusercontent.com      tcp   6
US      8.8.8.8:53           133.108.199.185.in-addr.arpa   udp   1
US      8.8.8.8:53           196.249.167.52.in-addr.arpa    udp   1
US      8.8.8.8:53           api.github.com                 udp   1
GB      20.26.156.210:443    api.github.com                 tcp   74
US      8.8.8.8:53           210.156.26.20.in-addr.arpa     udp   1
DE      212.132.117.91:7000  (blank)                        tcp   1
US      8.8.8.8:53           26.165.165.52.in-addr.arpa     udp   1
US      8.8.8.8:53           91.117.132.212.in-addr.arpa    udp   1
US      8.8.8.8:53           56.126.166.20.in-addr.arpa     udp   1
US      8.8.8.8:53           91.90.14.23.in-addr.arpa       udp   1
US      8.8.8.8:53           11.227.111.52.in-addr.arpa     udp   1
US      8.8.8.8:53           82.90.14.23.in-addr.arpa       udp   1
US      8.8.8.8:53           (blank)                        udp   1
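Almost all of the traffic above is GitHub: the downloads of the dropped binaries from raw/objects.githubusercontent.com and a long run of api.github.com sessions. The one destination that is neither DNS nor GitHub is a TCP session to 212.132.117.91:7000 with an empty Domain cell, that is, a connection made straight to an IP with no name lookup to pivot on; the in-addr.arpa rows are reverse lookups of IPs that were already contacted. The script below is an added example, not part of the report or of the sandbox's own logic: it parses rows in the report's "Country Destination Domain Proto" layout, maps PTR queries back to the IP they resolve, counts TCP sessions per name, and flags direct-to-IP and off-80/443 connections. The embedded rows are a subset copied from the table; the rule thresholds and helper names are the example's own assumptions.

```python
"""Triage of a sandbox Network table (added example; not part of the original
report or of the sandbox's own logic). Rows follow the report's
"Country Destination Domain Proto" layout; the Domain column is empty for the
212.132.117.91:7000 session and for the last DNS row, exactly as on the page.
The triage rules and helper names are this example's own assumptions.
"""
import ipaddress
from collections import Counter

PTR_SUFFIX = ".in-addr.arpa"

# Subset of the report's Network rows (constructed from the table above).
NETWORK_ROWS = """\
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.110.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 api.github.com udp
GB 20.26.156.210:443 api.github.com tcp
GB 20.26.156.210:443 api.github.com tcp
DE 212.132.117.91:7000 tcp
US 8.8.8.8:53 91.117.132.212.in-addr.arpa udp
US 8.8.8.8:53 udp
"""


def parse_rows(text):
    """Split space-separated rows; a 3-field row has an empty Domain column."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = ""
        else:
            continue
        ip, port = dest.rsplit(":", 1)
        ipaddress.ip_address(ip)  # reject a malformed destination early
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def ptr_to_ip(name):
    """'215.156.26.20.in-addr.arpa' -> '20.26.156.215' (the IP being reverse-resolved)."""
    if not name.endswith(PTR_SUFFIX):
        return None
    return ".".join(reversed(name[:-len(PTR_SUFFIX)].split(".")))


def triage(rows):
    """Separate the GitHub download/polling traffic from anything that needs a second look."""
    dns = [r for r in rows if r["proto"] == "udp" and r["port"] == 53]
    forward_names = {r["domain"] for r in dns
                     if r["domain"] and not r["domain"].endswith(PTR_SUFFIX)}
    reverse_targets = {ptr_to_ip(r["domain"]) for r in dns
                       if r["domain"].endswith(PTR_SUFFIX)}
    tcp = [r for r in rows if r["proto"] == "tcp"]
    contacted = {r["ip"] for r in tcp}
    return {
        # TCP sessions per (name-or-IP, port): shows the api.github.com polling volume
        "sessions": Counter((r["domain"] or r["ip"], r["port"]) for r in tcp),
        # Connected straight to an IP with no name: nothing to pivot on but the IP itself
        "direct_ip": sorted({(r["ip"], r["port"]) for r in tcp if not r["domain"]}),
        # Anything off 80/443 deserves a rule of its own
        "nonstandard_port": sorted({(r["ip"], r["port"]) for r in tcp
                                    if r["port"] not in (80, 443)}),
        # Names connected to without a preceding forward query in this log
        "unqueried_names": sorted({r["domain"] for r in tcp
                                   if r["domain"] and r["domain"] not in forward_names}),
        # PTR lookups that match an IP the sample actually connected to
        "reverse_of_contacted": sorted(reverse_targets & contacted),
    }


if __name__ == "__main__":
    for key, value in triage(parse_rows(NETWORK_ROWS)).items():
        print(f"{key}: {value}")
```

On the subset above, direct_ip and nonstandard_port both come back as 212.132.117.91:7000, reverse_of_contacted lines up the PTR queries for 20.26.156.215 and 212.132.117.91 with IPs that were really contacted, and unqueried_names is empty, which is what you expect when the sample resolved every GitHub name itself. The log alone does not prove that port 7000 is the RAT's command channel; it is the session to carry into a block rule and a PCAP review, while the GitHub rows are better matched on the downloading process (an unsigned executable in %TEMP%) than on the domains.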

Files

memory/1984-0-0x0000000000550000-0x0000000000568000-memory.dmp

memory/1984-1-0x00007FFEB3963000-0x00007FFEB3965000-memory.dmp

memory/1984-2-0x00007FFEB3960000-0x00007FFEB4421000-memory.dmp

memory/728-3-0x00007FFEB3960000-0x00007FFEB4421000-memory.dmp

memory/728-4-0x00007FFEB3960000-0x00007FFEB4421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\KrampUI.exe

MD5 502b4c8dccb8a1e6b90b8032194108c2
SHA1 ad69c21be3cd3e83be40501bdf76a6fe96024cbc
SHA256 20db1859e65932b3323b235f733f33634aa26a3022013f4fc84f3fda57e868e4
SHA512 434876fbdb026a2d89bf7d37b224f7b64f3895dfc21efe8895b4f1543a9db10a4db12980286f507eb52b6a24a5b0ff277425fd0e627007effd1cd0e9db7332d0

C:\Users\Admin\AppData\Local\Temp\KrampUI.exe

MD5 8caf34cb994e9158a4653c9bc768b4e4
SHA1 ff734d32b734f51bc3465d1324637b2af13b8523
SHA256 45bf11f807615f20f9d7e96eb0ea13ea3d3c256ca01a1b888b9a0c99f12c19da
SHA512 a6e0ec8244d0dfa62d682b05b0732e81cfa86df7175fffa789d1f9c9d7eadd689341b4c5d306307af0b4c36fc702db34c3d8b85fe26461bd896b43d150c5083f

C:\Users\Admin\AppData\Local\Temp\KrampUI.exe

MD5 e243e91e82b9fc62ac0c2ed9dce9d852
SHA1 f1be023d3ac37f8adaf2c56772a6db5a33b9a9a1
SHA256 7ac50babc952e142cc0db8e6e806f7515557952bcdc8b52cb2c47124f0719420
SHA512 8aec13035e4216ee2193d893a55a52273cccee0bb65828d6a702c179f6ca7ed44307a43d3c27b45e09fe014c83db71bd10d88c6911a1922558421d53ca472d79

C:\Users\Admin\AppData\Local\Temp\KrampUI.exe

MD5 df4856ec53cf95fd4fffb1f7006ae48e
SHA1 baf89c93c782629e3bd70bb4c14b5c3643ce3f31
SHA256 7553592fed3ce4a03b915c1e8e01672db8f43c609030ba8e2309c3654d9f7b68
SHA512 a0ab3427f6b8396d5f13f7de7e46426978ffda0b892858bc56becd96e99d20a3cb39d7f53984ce7d5bb82b95491a604f862f1bf6212b7c6737f28f85d9f2a272

C:\Users\Admin\AppData\Local\Temp\KrampUI.exe

MD5 898643f9b1ee99a7801f283e2348d84b
SHA1 e8c2cfcd8bc2f1ad498a5f85bca18cb835e3996c
SHA256 122748cd4c77c507bd225cebcf47285cd6941ea23c3c1672fc1a9decc1946a64
SHA512 aaf1a129ad426e039bfc572accd8e900a2695e89a91627467075e89d51b0e451b1cc4de49a96089ee2dd92acf02221b09630d731e87c7013f668be8e9c12b4f6

C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe

MD5 906222de39e992a88c776a1ee489c73e
SHA1 7ba53c90374aebdf0ae9e621bcb68190a3855306
SHA256 61ab41beae3d34ff3739097d9f50ab3ea8f979fea21d5a54dac593a19b399f55
SHA512 e1b390c6a48a8eccacc88f95b03aa62103a26c3b59dd2447830a2cba0034f690f2b0d0b146ab1d3eb9bf854abc04c5370c29bdb381ad4b563405ad476febd061

C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe

MD5 50f7714ef6047f2a28181da9084ba49b
SHA1 76431463450d17c71a6425bf4d27130915767832
SHA256 42f7bcde1494abad80e8ee4d9c4391f60263b01c06981b48f9bf1d1fe5bd5060
SHA512 9fb9b9b1ff22eb36e187b75507f1998f60f88229c474765334292696ed99459fe792025ba1d7343d66c0a831dd5fd6c59cf99ff554f54795bc1f50b90e45a3f4

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Wave.exe.log

MD5 b78f0793c3ef1d417e56d34b656b40bb
SHA1 4a622f8022516098cb5aae35a5953bde039111a7
SHA256 67090a383e35cf075d5c0f0c1d78c4e4b805de6aa951b5d4dd01fd9ae8ccdcfb
SHA512 ab3fb91602bd6f070d9b060da4a26d01869e9b23e319db9164d2e251b2c47db690da0f832e69a45c03bc99919942ef516a0b157cfa0aaea84e64b1e90ae5b933

memory/7692-72-0x0000000000C20000-0x0000000000C3A000-memory.dmp

memory/8580-89-0x000001E6D3EC0000-0x000001E6D3EE2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0dzyc2k4.jxg.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1984-136-0x00007FFEB3963000-0x00007FFEB3965000-memory.dmp

memory/16348-138-0x00007FFED1910000-0x00007FFED1B05000-memory.dmp

memory/1984-139-0x00007FFEB3960000-0x00007FFEB4421000-memory.dmp

memory/728-140-0x00007FFEB3960000-0x00007FFEB4421000-memory.dmp
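The list above mixes dropped files, each with four digests, and memory dumps named memory/<pid>-<seq>-<start>-<end>-memory.dmp. Three things in it matter when turning it into indicators. The same path (KrampUI.exe five times, RobloxWave.exe twice) appears with different digests, so the file at that path was rewritten during the run and a hash-only blocklist has to carry every digest, not the first one. The region 0x00007FFEB3960000-0x00007FFEB4421000 is dumped from both PID 1984 and PID 728 at the same address, which on Windows is what a shared DLL mapped at its per-boot ASLR base looks like, as opposed to code injected into one process; the small 0x550000-0x568000 region (0x18000 bytes) is private to PID 1984. And the CLR_v4.0\UsageLogs\Wave.exe.log entry is written by the .NET Framework 4 runtime when a managed executable starts, so it is a side effect of Wave.exe being a .NET assembly rather than a payload. The script below is an added example, not part of the report: it parses a subset of the entries copied from this section, checks that every digest has the right length and is hex, groups SHA256 values per path, and reports regions that several processes share. The helper names and checks are the example's own.

```python
"""Triage of the sandbox Files section (added example, not part of the report).
Parses "path / MD5 / SHA1 / SHA256 / SHA512" entries and memory/<pid>-<seq>-<start>-<end>
dump names in the report's own layout; the checks and helper names are this example's own.
"""
import re

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HEX_RE = re.compile(r"^[0-9a-f]+$")

# Subset of the entries copied from the Files section above (blank lines are optional).
FILES_TEXT = r"""
memory/1984-0-0x0000000000550000-0x0000000000568000-memory.dmp
memory/1984-2-0x00007FFEB3960000-0x00007FFEB4421000-memory.dmp
memory/728-3-0x00007FFEB3960000-0x00007FFEB4421000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\KrampUI.exe
MD5 502b4c8dccb8a1e6b90b8032194108c2
SHA1 ad69c21be3cd3e83be40501bdf76a6fe96024cbc
SHA256 20db1859e65932b3323b235f733f33634aa26a3022013f4fc84f3fda57e868e4
SHA512 434876fbdb026a2d89bf7d37b224f7b64f3895dfc21efe8895b4f1543a9db10a4db12980286f507eb52b6a24a5b0ff277425fd0e627007effd1cd0e9db7332d0
C:\Users\Admin\AppData\Local\Temp\KrampUI.exe
MD5 8caf34cb994e9158a4653c9bc768b4e4
SHA1 ff734d32b734f51bc3465d1324637b2af13b8523
SHA256 45bf11f807615f20f9d7e96eb0ea13ea3d3c256ca01a1b888b9a0c99f12c19da
SHA512 a6e0ec8244d0dfa62d682b05b0732e81cfa86df7175fffa789d1f9c9d7eadd689341b4c5d306307af0b4c36fc702db34c3d8b85fe26461bd896b43d150c5083f
C:\Users\Admin\AppData\Local\Temp\RobloxWave.exe
MD5 906222de39e992a88c776a1ee489c73e
SHA1 7ba53c90374aebdf0ae9e621bcb68190a3855306
SHA256 61ab41beae3d34ff3739097d9f50ab3ea8f979fea21d5a54dac593a19b399f55
SHA512 e1b390c6a48a8eccacc88f95b03aa62103a26c3b59dd2447830a2cba0034f690f2b0d0b146ab1d3eb9bf854abc04c5370c29bdb381ad4b563405ad476febd061
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Wave.exe.log
MD5 b78f0793c3ef1d417e56d34b656b40bb
SHA1 4a622f8022516098cb5aae35a5953bde039111a7
SHA256 67090a383e35cf075d5c0f0c1d78c4e4b805de6aa951b5d4dd01fd9ae8ccdcfb
SHA512 ab3fb91602bd6f070d9b060da4a26d01869e9b23e319db9164d2e251b2c47db690da0f832e69a45c03bc99919942ef516a0b157cfa0aaea84e64b1e90ae5b933
"""


def parse_files(text):
    """Return (files, dumps): files as {path, hashes}, dumps as {pid, seq, start, end, size}."""
    files, dumps, current = [], [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = DUMP_RE.match(line)
        if m:
            start, end = int(m.group(3), 16), int(m.group(4), 16)
            dumps.append({"pid": int(m.group(1)), "seq": int(m.group(2)),
                          "start": start, "end": end, "size": end - start})
            current = None
            continue
        algo, _, digest = line.partition(" ")
        if algo in HASH_LEN and current is not None:
            current["hashes"][algo] = digest.strip().lower()
            continue
        current = {"path": line, "hashes": {}}  # any other line starts a new file entry
        files.append(current)
    return files, dumps


def hash_problems(files):
    """Digests that are missing, the wrong length or not hex: copy errors in an IOC list."""
    problems = []
    for f in files:
        for algo, n in HASH_LEN.items():
            d = f["hashes"].get(algo)
            if d is None:
                problems.append((f["path"], algo, "missing"))
            elif len(d) != n or not HEX_RE.match(d):
                problems.append((f["path"], algo, "malformed"))
    return problems


def sha256_by_path(files):
    """One path can carry several digests: the file was rewritten during the run."""
    out = {}
    for f in files:
        out.setdefault(f["path"], []).append(f["hashes"].get("SHA256"))
    return out


def shared_regions(dumps):
    """Regions dumped at the same address from more than one PID (shared image, not injection)."""
    by_region = {}
    for d in dumps:
        by_region.setdefault((d["start"], d["end"]), set()).add(d["pid"])
    return {k: sorted(v) for k, v in by_region.items() if len(v) > 1}


if __name__ == "__main__":
    files, dumps = parse_files(FILES_TEXT)
    print("hash problems:", hash_problems(files))
    print("sha256 per path:", sha256_by_path(files))
    print("shared regions:", {f"{s:#x}-{e:#x}": p for (s, e), p in shared_regions(dumps).items()})
```

Feed the full section to parse_files and sha256_by_path gives five distinct digests for KrampUI.exe and two for RobloxWave.exe; an empty hash_problems list is the check to run before those digests go into a blocklist, since a single dropped or duplicated hex character silently turns an indicator into a no-op.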