hxxps://wavebrowser[.]co/

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wavebrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wavebrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	SWUpdater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wavebrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wavebrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wavebrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wavebrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wavebrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wavebrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wavebrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wavebrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wavebrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wavebrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wavebrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wavebrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wavebrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wavebrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wavebrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wavebrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wavebrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wavebrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wavebrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wavebrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wavebrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wavebrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	SWUpdater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wavebrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wavebrowser.exe

Executes dropped EXE 64 IoCs

pid	Process
2000	Wave Browser.exe
3592	SWUpdaterSetup.exe
2324	SWUpdater.exe
4004	SWUpdater.exe
2472	SWUpdaterComRegisterShell64.exe
1576	SWUpdaterComRegisterShell64.exe
3724	SWUpdaterComRegisterShell64.exe
4424	SWUpdater.exe
528	SWUpdater.exe
4940	SWUpdater.exe
2736	WaveInstaller-v1.3.16.1.exe
5000	setup.exe
4048	setup.exe
2152	setup.exe
2072	setup.exe
1548	wavebrowser.exe
908	wavebrowser.exe
1296	wavebrowser.exe
3720	wavebrowser.exe
544	wavebrowser.exe
5168	wavebrowser.exe
5180	wavebrowser.exe
5156	wavebrowser.exe
5852	SWUpdater.exe
6008	wavebrowser.exe
5320	wavebrowser.exe
5428	wavebrowser.exe
5448	wavebrowser.exe
5464	wavebrowser.exe
4612	wavebrowser.exe
5544	wavebrowser.exe
5488	wavebrowser.exe
5532	wavebrowser.exe
5504	wavebrowser.exe
5800	wavebrowser.exe
5816	wavebrowser.exe
2992	wavebrowser.exe
6108	wavebrowser.exe
5832	wavebrowser.exe
4296	wavebrowser.exe
1344	wavebrowser.exe
5680	wavebrowser.exe
5720	wavebrowser.exe
6088	wavebrowser.exe
5316	wavebrowser.exe
5944	wavebrowser.exe
5508	wavebrowser.exe
5916	wavebrowser.exe
880	wavebrowser.exe
5812	wavebrowser.exe
6096	wavebrowser.exe
5352	wavebrowser.exe
5496	wavebrowser.exe
5920	wavebrowser.exe
6056	wavebrowser.exe
4972	wavebrowser.exe
6180	wavebrowser.exe
6196	wavebrowser.exe
6460	wavebrowser.exe
6472	wavebrowser.exe
6712	wavebrowser.exe
6852	wavebrowser.exe
6908	wavebrowser.exe
6396	wavebrowser.exe

Loads dropped DLL 64 IoCs

pid	Process
2000	Wave Browser.exe
2000	Wave Browser.exe
2000	Wave Browser.exe
2000	Wave Browser.exe
2000	Wave Browser.exe
2000	Wave Browser.exe
2000	Wave Browser.exe
2000	Wave Browser.exe
2000	Wave Browser.exe
2000	Wave Browser.exe
2000	Wave Browser.exe
2000	Wave Browser.exe
2000	Wave Browser.exe
2000	Wave Browser.exe
2000	Wave Browser.exe
2000	Wave Browser.exe
2000	Wave Browser.exe
2000	Wave Browser.exe
2000	Wave Browser.exe
2000	Wave Browser.exe
2000	Wave Browser.exe
2000	Wave Browser.exe
2000	Wave Browser.exe
2000	Wave Browser.exe
2000	Wave Browser.exe
2000	Wave Browser.exe
2000	Wave Browser.exe
2000	Wave Browser.exe
2000	Wave Browser.exe
2000	Wave Browser.exe
2000	Wave Browser.exe
2000	Wave Browser.exe
2000	Wave Browser.exe
2000	Wave Browser.exe
2000	Wave Browser.exe
2000	Wave Browser.exe
2000	Wave Browser.exe
2000	Wave Browser.exe
2000	Wave Browser.exe
2324	SWUpdater.exe
4004	SWUpdater.exe
2472	SWUpdaterComRegisterShell64.exe
4004	SWUpdater.exe
1576	SWUpdaterComRegisterShell64.exe
4004	SWUpdater.exe
3724	SWUpdaterComRegisterShell64.exe
4004	SWUpdater.exe
4424	SWUpdater.exe
528	SWUpdater.exe
4940	SWUpdater.exe
4940	SWUpdater.exe
528	SWUpdater.exe
1548	wavebrowser.exe
908	wavebrowser.exe
1548	wavebrowser.exe
1296	wavebrowser.exe
3720	wavebrowser.exe
1296	wavebrowser.exe
3720	wavebrowser.exe
1296	wavebrowser.exe
1296	wavebrowser.exe
1296	wavebrowser.exe
1296	wavebrowser.exe
544	wavebrowser.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Registers COM server for autorun 1 TTPs 55 IoCs

persistence

Registry Run Keys / Startup Folder

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\WOW6432Node\CLSID\{F87D77DF-DEF2-4294-9F4B-A92E5A6725DE}\InprocServer32	SWUpdater.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\WOW6432Node\CLSID\{D7EC6DDA-90E9-44BA-863B-6C3500BB5BDF}\InProcServer32\ThreadingModel = "Both"	SWUpdater.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\CLSID\{F6994161-37C3-47C9-BE83-C84C33A1CF2A}\InprocServer32	SWUpdaterComRegisterShell64.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\CLSID\{F6994161-37C3-47C9-BE83-C84C33A1CF2A}\InprocServer32	SWUpdaterComRegisterShell64.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\CLSID\{F87D77DF-DEF2-4294-9F4B-A92E5A6725DE}\InprocServer32	SWUpdaterComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\CLSID\{D7EC6DDA-90E9-44BA-863B-6C3500BB5BDF}\InProcServer32\ = "C:\\Users\\Admin\\Wavesor Software\\SWUpdater\\1.3.133.0\\psuser_64.dll"	SWUpdaterComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\CLSID\{D7EC6DDA-90E9-44BA-863B-6C3500BB5BDF}\InProcServer32\ThreadingModel = "Both"	SWUpdaterComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\CLSID\{F6994161-37C3-47C9-BE83-C84C33A1CF2A}\InprocServer32\ = "C:\\Users\\Admin\\Wavesor Software\\SWUpdater\\1.3.133.0\\psuser_64.dll"	SWUpdaterComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\CLSID\{F6994161-37C3-47C9-BE83-C84C33A1CF2A}\InprocServer32\ThreadingModel = "Both"	SWUpdaterComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\WOW6432Node\CLSID\{3C41B0C4-B5B6-4293-BED4-C927CCFDB909}\LocalServer32\ = "\"C:\\Users\\Admin\\Wavesor Software\\SWUpdater\\1.3.133.0\\SWUpdaterOnDemand.exe\""	SWUpdater.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\WOW6432Node\CLSID\{F6994161-37C3-47C9-BE83-C84C33A1CF2A}\InprocServer32	SWUpdater.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\CLSID\{D7EC6DDA-90E9-44BA-863B-6C3500BB5BDF}\InProcServer32\ThreadingModel = "Both"	SWUpdaterComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\WOW6432Node\CLSID\{F6994161-37C3-47C9-BE83-C84C33A1CF2A}\InprocServer32\ThreadingModel = "Both"	SWUpdater.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\WOW6432Node\CLSID\{D7EC6DDA-90E9-44BA-863B-6C3500BB5BDF}\InProcServer32	SWUpdater.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\CLSID\{F87D77DF-DEF2-4294-9F4B-A92E5A6725DE}\InprocServer32	SWUpdaterComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\CLSID\{F87D77DF-DEF2-4294-9F4B-A92E5A6725DE}\InprocServer32\ThreadingModel = "Both"	SWUpdaterComRegisterShell64.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\CLSID\{D7EC6DDA-90E9-44BA-863B-6C3500BB5BDF}\InProcServer32	SWUpdaterComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\CLSID\{F87D77DF-DEF2-4294-9F4B-A92E5A6725DE}\InprocServer32\ = "C:\\Users\\Admin\\Wavesor Software\\SWUpdater\\1.3.133.0\\psuser_64.dll"	SWUpdaterComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\CLSID\{F87D77DF-DEF2-4294-9F4B-A92E5A6725DE}\InprocServer32\ThreadingModel = "Both"	SWUpdaterComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\WOW6432Node\CLSID\{D12748C8-5013-45E2-9A24-2FB7C2EEFB7C}\LocalServer32\ = "\"C:\\Users\\Admin\\Wavesor Software\\SWUpdater\\1.3.133.0\\SWUpdaterOnDemand.exe\""	SWUpdater.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\CLSID\{D7EC6DDA-90E9-44BA-863B-6C3500BB5BDF}\InProcServer32\ = "C:\\Users\\Admin\\Wavesor Software\\SWUpdater\\1.3.133.0\\psuser_64.dll"	SWUpdaterComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\CLSID\{F6994161-37C3-47C9-BE83-C84C33A1CF2A}\InprocServer32\ = "C:\\Users\\Admin\\Wavesor Software\\SWUpdater\\1.3.133.0\\psuser_64.dll"	SWUpdaterComRegisterShell64.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\CLSID\{D7EC6DDA-90E9-44BA-863B-6C3500BB5BDF}\InProcServer32	SWUpdaterComRegisterShell64.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\CLSID\{9CD78CBC-FD21-4FFF-B452-9D792A58B7C4}\LocalServer32	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\CLSID\{F87D77DF-DEF2-4294-9F4B-A92E5A6725DE}\InprocServer32\ThreadingModel = "Both"	SWUpdaterComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\WOW6432Node\CLSID\{F87D77DF-DEF2-4294-9F4B-A92E5A6725DE}\InprocServer32\ThreadingModel = "Both"	SWUpdater.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\WOW6432Node\CLSID\{F6994161-37C3-47C9-BE83-C84C33A1CF2A}\InprocServer32\ = "C:\\Users\\Admin\\Wavesor Software\\SWUpdater\\1.3.133.0\\psuser.dll"	SWUpdater.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\CLSID\{F6994161-37C3-47C9-BE83-C84C33A1CF2A}\InprocServer32	SWUpdaterComRegisterShell64.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\CLSID\{F87D77DF-DEF2-4294-9F4B-A92E5A6725DE}\InprocServer32	SWUpdaterComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\CLSID\{D7EC6DDA-90E9-44BA-863B-6C3500BB5BDF}\InProcServer32\ = "C:\\Users\\Admin\\Wavesor Software\\SWUpdater\\1.3.133.0\\psuser_64.dll"	SWUpdaterComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\WOW6432Node\CLSID\{30FB944E-9455-49DD-81C6-7542E47AA3E7}\LocalServer32\ = "\"C:\\Users\\Admin\\Wavesor Software\\SWUpdater\\1.3.133.0\\SWUpdaterOnDemand.exe\""	SWUpdater.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\WOW6432Node\CLSID\{D7EC6DDA-90E9-44BA-863B-6C3500BB5BDF}\InProcServer32\ = "C:\\Users\\Admin\\Wavesor Software\\SWUpdater\\1.3.133.0\\psuser.dll"	SWUpdater.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\WOW6432Node\CLSID\{9E0CE9B5-C498-40A8-B7F2-B89AF1C56FFF}\LocalServer32\ = "\"C:\\Users\\Admin\\Wavesor Software\\SWUpdater\\SWUpdater.exe\""	SWUpdater.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\CLSID\{F87D77DF-DEF2-4294-9F4B-A92E5A6725DE}\InprocServer32\ = "C:\\Users\\Admin\\Wavesor Software\\SWUpdater\\1.3.133.0\\psuser_64.dll"	SWUpdaterComRegisterShell64.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\CLSID\{F6994161-37C3-47C9-BE83-C84C33A1CF2A}\InprocServer32	SWUpdaterComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\CLSID\{F6994161-37C3-47C9-BE83-C84C33A1CF2A}\InprocServer32\ThreadingModel = "Both"	SWUpdaterComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\WOW6432Node\CLSID\{F87D77DF-DEF2-4294-9F4B-A92E5A6725DE}\InprocServer32\ = "C:\\Users\\Admin\\Wavesor Software\\SWUpdater\\1.3.133.0\\psuser.dll"	SWUpdater.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\WOW6432Node\CLSID\{F6994161-37C3-47C9-BE83-C84C33A1CF2A}\InprocServer32	SWUpdater.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\WOW6432Node\CLSID\{9E0CE9B5-C498-40A8-B7F2-B89AF1C56FFF}\LocalServer32	SWUpdater.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\WOW6432Node\CLSID\{1BE9D40C-2307-4213-830E-7E3CE9EDF0C2}\LocalServer32\ = "\"C:\\Users\\Admin\\Wavesor Software\\SWUpdater\\1.3.133.0\\SWUpdaterOnDemand.exe\""	SWUpdater.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\CLSID\{F6994161-37C3-47C9-BE83-C84C33A1CF2A}\InprocServer32\ = "C:\\Users\\Admin\\Wavesor Software\\SWUpdater\\1.3.133.0\\psuser_64.dll"	SWUpdaterComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\CLSID\{F87D77DF-DEF2-4294-9F4B-A92E5A6725DE}\InprocServer32\ = "C:\\Users\\Admin\\Wavesor Software\\SWUpdater\\1.3.133.0\\psuser_64.dll"	SWUpdaterComRegisterShell64.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\WOW6432Node\CLSID\{F87D77DF-DEF2-4294-9F4B-A92E5A6725DE}\InprocServer32	SWUpdater.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\WOW6432Node\CLSID\{1BE9D40C-2307-4213-830E-7E3CE9EDF0C2}\LocalServer32	SWUpdater.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\CLSID\{F6994161-37C3-47C9-BE83-C84C33A1CF2A}\InprocServer32	SWUpdaterComRegisterShell64.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\CLSID\{F87D77DF-DEF2-4294-9F4B-A92E5A6725DE}\InprocServer32	SWUpdaterComRegisterShell64.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\WOW6432Node\CLSID\{D12748C8-5013-45E2-9A24-2FB7C2EEFB7C}\LocalServer32	SWUpdater.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\CLSID\{9CD78CBC-FD21-4FFF-B452-9D792A58B7C4}\LocalServer32\ = "\"C:\\Users\\Admin\\Wavesor Software\\WaveBrowser\\1.3.16.1\\notification_helper.exe\""	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\CLSID\{9CD78CBC-FD21-4FFF-B452-9D792A58B7C4}\LocalServer32\ServerExecutable = "C:\\Users\\Admin\\Wavesor Software\\WaveBrowser\\1.3.16.1\\notification_helper.exe"	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\CLSID\{D7EC6DDA-90E9-44BA-863B-6C3500BB5BDF}\InProcServer32	SWUpdaterComRegisterShell64.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\CLSID\{F87D77DF-DEF2-4294-9F4B-A92E5A6725DE}\InprocServer32	SWUpdaterComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\CLSID\{D7EC6DDA-90E9-44BA-863B-6C3500BB5BDF}\InProcServer32\ThreadingModel = "Both"	SWUpdaterComRegisterShell64.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\WOW6432Node\CLSID\{30FB944E-9455-49DD-81C6-7542E47AA3E7}\LocalServer32	SWUpdater.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\CLSID\{F6994161-37C3-47C9-BE83-C84C33A1CF2A}\InprocServer32\ThreadingModel = "Both"	SWUpdaterComRegisterShell64.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\WOW6432Node\CLSID\{3C41B0C4-B5B6-4293-BED4-C927CCFDB909}\LocalServer32	SWUpdater.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000023475-180.dat	upx
behavioral1/memory/2000-182-0x0000000073C00000-0x0000000073C09000-memory.dmp	upx
behavioral1/memory/2000-208-0x0000000073C00000-0x0000000073C09000-memory.dmp	upx
behavioral1/memory/2000-205-0x0000000073C00000-0x0000000073C09000-memory.dmp	upx
behavioral1/memory/2000-266-0x0000000073730000-0x0000000073739000-memory.dmp	upx
behavioral1/memory/2000-264-0x0000000073730000-0x0000000073739000-memory.dmp	upx
behavioral1/memory/2000-299-0x0000000073140000-0x0000000073149000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Wavesor SWUpdater = "\"C:\\Users\\Admin\\Wavesor Software\\SWUpdater\\1.3.133.0\\SWUpdaterCore.exe\""	SWUpdater.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SWUpdater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SWUpdater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SWUpdater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SWUpdater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SWUpdater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SWUpdater.exe

Checks system information in the registry 2 TTPs 2 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	wavebrowser.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	wavebrowser.exe

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Wavesor\Temp\GUME14.tmp\psuser_64.dll	SWUpdaterSetup.exe
File opened for modification	C:\Program Files (x86)\Wavesor\Temp\GUTE15.tmp	SWUpdaterSetup.exe
File created	C:\Program Files (x86)\Wavesor\Temp\GUME14.tmp\SWUpdaterCore.exe	SWUpdaterSetup.exe
File created	C:\Program Files (x86)\Wavesor\Temp\GUME14.tmp\swupdaterres_en.dll	SWUpdaterSetup.exe
File created	C:\Program Files (x86)\Wavesor\Temp\GUME14.tmp\SWUpdaterBroker.exe	SWUpdaterSetup.exe
File created	C:\Program Files (x86)\Wavesor\Temp\GUME14.tmp\swupdater.dll	SWUpdaterSetup.exe
File created	C:\Program Files (x86)\Wavesor\Temp\GUME14.tmp\SWUpdaterOnDemand.exe	SWUpdaterSetup.exe
File created	C:\Program Files (x86)\Wavesor\Temp\GUME14.tmp\psmachine_64.dll	SWUpdaterSetup.exe
File created	C:\Program Files (x86)\Wavesor\Temp\GUME14.tmp\psuser.dll	SWUpdaterSetup.exe
File created	C:\Program Files (x86)\Wavesor\Temp\GUME14.tmp\SWUpdater.exe	SWUpdaterSetup.exe
File created	C:\Program Files (x86)\Wavesor\Temp\GUME14.tmp\psmachine.dll	SWUpdaterSetup.exe
File created	C:\Program Files (x86)\Wavesor\Temp\GUME14.tmp\SWUpdaterSetup.exe	SWUpdaterSetup.exe
File opened for modification	C:\Program Files (x86)\Wavesor\Temp\GUME14.tmp\SWUpdaterSetup.exe	SWUpdaterSetup.exe
File created	C:\Program Files (x86)\Wavesor\Temp\GUME14.tmp\SWUpdaterComRegisterShell64.exe	SWUpdaterSetup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x0007000000023467-136.dat	nsis_installer_1
behavioral1/files/0x0007000000023467-136.dat	nsis_installer_2

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	wavebrowser.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	wavebrowser.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	wavebrowser.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133597127589477103"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	wavebrowser.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Interface\{617E37E1-AC79-4162-BACC-C797A1D31D3E}	SWUpdaterComRegisterShell64.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\WOW6432Node\Interface\{0D311A22-BD24-4C7A-8FC1-117F8D62A781}\NumMethods	SWUpdater.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\.webp	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Interface\{2C53B9D4-A718-4972-B28E-2E7AF1055602}	SWUpdaterComRegisterShell64.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\WaveBrwsHTM.GIV6OS7XMQB66P4LDNVCNOOI7A\Application	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Interface\{DDF98EF0-2728-4A8D-8B0F-32627DC56437}\NumMethods\ = "24"	SWUpdaterComRegisterShell64.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\WOW6432Node\Interface\{7DFF302B-EA41-49F8-97B1-9413CEF98C68}	SWUpdater.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\WOW6432Node\Interface\{D3C865DD-E36B-432E-9E47-554925B86737}\NumMethods\ = "4"	SWUpdater.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\WOW6432Node\CLSID\{9E0CE9B5-C498-40A8-B7F2-B89AF1C56FFF}\ProgID	SWUpdater.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\CLSID\{2B2AD342-8BBC-40AD-AF1B-6887EAB9D3D0}\InprocHandler32\ = "C:\\Users\\Admin\\Wavesor Software\\SWUpdater\\1.3.133.0\\psuser_64.dll"	SWUpdaterComRegisterShell64.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\CLSID	SWUpdaterComRegisterShell64.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Interface\{CFDE680E-8700-4808-BAAF-8B1F50F2CC87}	SWUpdaterComRegisterShell64.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\WOW6432Node\Interface\{92333BDA-3022-4A7F-8858-081260EA85DE}\ProxyStubClsid32	SWUpdater.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Interface\{E4E4854F-9D7B-4120-A207-CF52C875F08E}\NumMethods	SWUpdaterComRegisterShell64.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Interface\{2C53B9D4-A718-4972-B28E-2E7AF1055602}\NumMethods	SWUpdaterComRegisterShell64.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\CLSID\{2B2AD342-8BBC-40AD-AF1B-6887EAB9D3D0}	SWUpdaterComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\WavesorSWUpdater.CredentialDialogUser.1.0\ = "SWUpdater CredentialDialog"	SWUpdater.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\WOW6432Node\CLSID\{D12748C8-5013-45E2-9A24-2FB7C2EEFB7C}	SWUpdater.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Interface\{E4E4854F-9D7B-4120-A207-CF52C875F08E}\ProxyStubClsid32	SWUpdaterComRegisterShell64.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\WOW6432Node\CLSID\{D12748C8-5013-45E2-9A24-2FB7C2EEFB7C}\ProgID	SWUpdater.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Interface\{62A51DF2-CCB8-4DD9-9069-34B8461617FC}\NumMethods\ = "10"	SWUpdaterComRegisterShell64.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\WOW6432Node\Interface\{E44DDEE0-3097-499E-9DD5-7D5D5DCC401D}	SWUpdater.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\CLSID\{F87D77DF-DEF2-4294-9F4B-A92E5A6725DE}\InprocServer32\ThreadingModel = "Both"	SWUpdaterComRegisterShell64.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\CLSID\{F6994161-37C3-47C9-BE83-C84C33A1CF2A}	SWUpdaterComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Interface\{C5E89508-3927-4EF5-A3B3-C479F0D4E36F}\NumMethods\ = "11"	SWUpdaterComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Interface\{DDF98EF0-2728-4A8D-8B0F-32627DC56437}\NumMethods\ = "24"	SWUpdaterComRegisterShell64.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Interface\{E44B162B-4287-40B0-8E7A-6E251D80B3DF}\ProxyStubClsid32	SWUpdaterComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\WOW6432Node\Interface\{DDF98EF0-2728-4A8D-8B0F-32627DC56437}\ProxyStubClsid32\ = "{D7EC6DDA-90E9-44BA-863B-6C3500BB5BDF}"	SWUpdater.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Interface\{2C53B9D4-A718-4972-B28E-2E7AF1055602}\ = "IAppVersion"	SWUpdaterComRegisterShell64.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Interface\{6130C56B-9B2C-4D5D-8160-C7A583B5DC3B}	SWUpdaterComRegisterShell64.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\WOW6432Node\CLSID\{30FB944E-9455-49DD-81C6-7542E47AA3E7}	SWUpdater.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\WOW6432Node\CLSID\{3C41B0C4-B5B6-4293-BED4-C927CCFDB909}\ = "SWUpdater Policy Status Class"	SWUpdater.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\.shtml\OpenWithProgids	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Interface\{E053F7BD-D525-49F4-9ADE-5D7E6FCEE775}\NumMethods\ = "4"	SWUpdaterComRegisterShell64.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\WOW6432Node\CLSID\{2B2AD342-8BBC-40AD-AF1B-6887EAB9D3D0}	SWUpdater.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\WOW6432Node\Interface\{2C53B9D4-A718-4972-B28E-2E7AF1055602}\ProxyStubClsid32\ = "{D7EC6DDA-90E9-44BA-863B-6C3500BB5BDF}"	SWUpdater.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Interface\{894ADE70-1E5F-4520-A281-CE3BF0309CE6}\NumMethods\ = "11"	SWUpdaterComRegisterShell64.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Interface\{CEF9DF20-AE5B-4A54-B479-9C2AFC1C2683}	SWUpdaterComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Interface\{068FAC78-4F23-4F74-99A0-F7C4797D5ECA}\ = "IApp"	SWUpdaterComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\WOW6432Node\CLSID\{30FB944E-9455-49DD-81C6-7542E47AA3E7}\LocalServer32\ = "\"C:\\Users\\Admin\\Wavesor Software\\SWUpdater\\1.3.133.0\\SWUpdaterOnDemand.exe\""	SWUpdater.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Interface\{44367D77-92C0-45E8-840D-0C098E650CE8}	SWUpdaterComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\WOW6432Node\Interface\{0D311A22-BD24-4C7A-8FC1-117F8D62A781}\ = "IProgressWndEvents"	SWUpdater.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Interface\{3BE77C6E-0029-4F24-B677-32C9E15CD8F1}\ = "IGoogleUpdate3WebSecurity"	SWUpdaterComRegisterShell64.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Interface\{92333BDA-3022-4A7F-8858-081260EA85DE}\ProxyStubClsid32	SWUpdaterComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Interface\{730EBDF4-7AD2-4516-BF1A-6C6F28C60CF9}\ = "IProcessLauncher"	SWUpdaterComRegisterShell64.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Interface\{97518FC7-7CA2-4921-BC40-F4A07E221C1C}\ProxyStubClsid32	SWUpdaterComRegisterShell64.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Interface\{8129608C-48BD-42A6-9EBC-7B0933A5CFA3}\ProxyStubClsid32	SWUpdaterComRegisterShell64.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Interface\{0D311A22-BD24-4C7A-8FC1-117F8D62A781}\NumMethods	SWUpdaterComRegisterShell64.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Interface\{64A19E70-BCFF-4808-A320-774FD11571E5}\ProxyStubClsid32	SWUpdaterComRegisterShell64.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\WOW6432Node\Interface\{E44DDEE0-3097-499E-9DD5-7D5D5DCC401D}\ProxyStubClsid32	SWUpdater.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\CLSID\{F87D77DF-DEF2-4294-9F4B-A92E5A6725DE}	SWUpdaterComRegisterShell64.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Interface\{92333BDA-3022-4A7F-8858-081260EA85DE}	SWUpdaterComRegisterShell64.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\WOW6432Node\CLSID\{F6994161-37C3-47C9-BE83-C84C33A1CF2A}	SWUpdater.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\WOW6432Node\Interface\{DDF98EF0-2728-4A8D-8B0F-32627DC56437}\ProxyStubClsid32	SWUpdater.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\WOW6432Node\Interface\{730EBDF4-7AD2-4516-BF1A-6C6F28C60CF9}\ProxyStubClsid32	SWUpdater.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\CLSID\{F87D77DF-DEF2-4294-9F4B-A92E5A6725DE}	SWUpdaterComRegisterShell64.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\WOW6432Node\Interface\{894ADE70-1E5F-4520-A281-CE3BF0309CE6}	SWUpdater.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\WaveBrwsHTM.GIV6OS7XMQB66P4LDNVCNOOI7A\AppUserModelId = "WaveBrowser.GIV6OS7XMQB66P4LDNVCNOOI7A"	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Interface\{B2083DCC-1D29-45E6-8386-BEE1488D11AA}\ = "IAppBundleWeb"	SWUpdaterComRegisterShell64.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\CLSID\{2B2AD342-8BBC-40AD-AF1B-6887EAB9D3D0}\InprocHandler32	SWUpdaterComRegisterShell64.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Interface\{CEF9DF20-AE5B-4A54-B479-9C2AFC1C2683}\ProxyStubClsid32	SWUpdaterComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Interface\{DDF98EF0-2728-4A8D-8B0F-32627DC56437}\ProxyStubClsid32\ = "{D7EC6DDA-90E9-44BA-863B-6C3500BB5BDF}"	SWUpdaterComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\CLSID\{D7EC6DDA-90E9-44BA-863B-6C3500BB5BDF}\InProcServer32\ = "C:\\Users\\Admin\\Wavesor Software\\SWUpdater\\1.3.133.0\\psuser_64.dll"	SWUpdaterComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Interface\{C5E89508-3927-4EF5-A3B3-C479F0D4E36F}\ = "IAppCommand"	SWUpdaterComRegisterShell64.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
3136	chrome.exe
3136	chrome.exe
2324	SWUpdater.exe
2324	SWUpdater.exe
5000	setup.exe
5000	setup.exe
5000	setup.exe
5000	setup.exe
5000	setup.exe
5000	setup.exe
5000	setup.exe
5000	setup.exe
2324	SWUpdater.exe
2324	SWUpdater.exe
2324	SWUpdater.exe
2324	SWUpdater.exe
6644	chrome.exe
6644	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 27 IoCs

pid	Process
3136	chrome.exe
3136	chrome.exe
1548	wavebrowser.exe
1548	wavebrowser.exe
1548	wavebrowser.exe
1548	wavebrowser.exe
1548	wavebrowser.exe
1548	wavebrowser.exe
1548	wavebrowser.exe
1548	wavebrowser.exe
1548	wavebrowser.exe
1548	wavebrowser.exe
1548	wavebrowser.exe
1548	wavebrowser.exe
1548	wavebrowser.exe
1548	wavebrowser.exe
1548	wavebrowser.exe
1548	wavebrowser.exe
1548	wavebrowser.exe
1548	wavebrowser.exe
1548	wavebrowser.exe
1548	wavebrowser.exe
1548	wavebrowser.exe
1548	wavebrowser.exe
1548	wavebrowser.exe
1548	wavebrowser.exe
1548	wavebrowser.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3136	chrome.exe
Token: SeCreatePagefilePrivilege	3136	chrome.exe
Token: SeShutdownPrivilege	3136	chrome.exe
Token: SeCreatePagefilePrivilege	3136	chrome.exe
Token: SeShutdownPrivilege	3136	chrome.exe
Token: SeCreatePagefilePrivilege	3136	chrome.exe
Token: SeShutdownPrivilege	3136	chrome.exe
Token: SeCreatePagefilePrivilege	3136	chrome.exe
Token: SeShutdownPrivilege	3136	chrome.exe
Token: SeCreatePagefilePrivilege	3136	chrome.exe
Token: SeShutdownPrivilege	3136	chrome.exe
Token: SeCreatePagefilePrivilege	3136	chrome.exe
Token: SeShutdownPrivilege	3136	chrome.exe
Token: SeCreatePagefilePrivilege	3136	chrome.exe
Token: SeShutdownPrivilege	3136	chrome.exe
Token: SeCreatePagefilePrivilege	3136	chrome.exe
Token: SeShutdownPrivilege	3136	chrome.exe
Token: SeCreatePagefilePrivilege	3136	chrome.exe
Token: SeShutdownPrivilege	3136	chrome.exe
Token: SeCreatePagefilePrivilege	3136	chrome.exe
Token: SeShutdownPrivilege	3136	chrome.exe
Token: SeCreatePagefilePrivilege	3136	chrome.exe
Token: SeShutdownPrivilege	3136	chrome.exe
Token: SeCreatePagefilePrivilege	3136	chrome.exe
Token: SeShutdownPrivilege	3136	chrome.exe
Token: SeCreatePagefilePrivilege	3136	chrome.exe
Token: SeShutdownPrivilege	3136	chrome.exe
Token: SeCreatePagefilePrivilege	3136	chrome.exe
Token: SeShutdownPrivilege	3136	chrome.exe
Token: SeCreatePagefilePrivilege	3136	chrome.exe
Token: SeShutdownPrivilege	3136	chrome.exe
Token: SeCreatePagefilePrivilege	3136	chrome.exe
Token: SeShutdownPrivilege	3136	chrome.exe
Token: SeCreatePagefilePrivilege	3136	chrome.exe
Token: SeShutdownPrivilege	3136	chrome.exe
Token: SeCreatePagefilePrivilege	3136	chrome.exe
Token: SeShutdownPrivilege	3136	chrome.exe
Token: SeCreatePagefilePrivilege	3136	chrome.exe
Token: SeShutdownPrivilege	3136	chrome.exe
Token: SeCreatePagefilePrivilege	3136	chrome.exe
Token: SeShutdownPrivilege	3136	chrome.exe
Token: SeCreatePagefilePrivilege	3136	chrome.exe
Token: SeShutdownPrivilege	3136	chrome.exe
Token: SeCreatePagefilePrivilege	3136	chrome.exe
Token: SeShutdownPrivilege	3136	chrome.exe
Token: SeCreatePagefilePrivilege	3136	chrome.exe
Token: SeShutdownPrivilege	3136	chrome.exe
Token: SeCreatePagefilePrivilege	3136	chrome.exe
Token: SeShutdownPrivilege	3136	chrome.exe
Token: SeCreatePagefilePrivilege	3136	chrome.exe
Token: SeShutdownPrivilege	3136	chrome.exe
Token: SeCreatePagefilePrivilege	3136	chrome.exe
Token: SeShutdownPrivilege	3136	chrome.exe
Token: SeCreatePagefilePrivilege	3136	chrome.exe
Token: SeShutdownPrivilege	3136	chrome.exe
Token: SeCreatePagefilePrivilege	3136	chrome.exe
Token: SeShutdownPrivilege	3136	chrome.exe
Token: SeCreatePagefilePrivilege	3136	chrome.exe
Token: SeShutdownPrivilege	3136	chrome.exe
Token: SeCreatePagefilePrivilege	3136	chrome.exe
Token: SeShutdownPrivilege	3136	chrome.exe
Token: SeCreatePagefilePrivilege	3136	chrome.exe
Token: SeShutdownPrivilege	3136	chrome.exe
Token: SeCreatePagefilePrivilege	3136	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
2152	setup.exe
1548	wavebrowser.exe
1548	wavebrowser.exe
1548	wavebrowser.exe
1548	wavebrowser.exe
1548	wavebrowser.exe
1548	wavebrowser.exe
1548	wavebrowser.exe
1548	wavebrowser.exe
1548	wavebrowser.exe
1548	wavebrowser.exe
1548	wavebrowser.exe
1548	wavebrowser.exe
1548	wavebrowser.exe
1548	wavebrowser.exe
1548	wavebrowser.exe
1548	wavebrowser.exe
1548	wavebrowser.exe
1548	wavebrowser.exe
1548	wavebrowser.exe
1548	wavebrowser.exe
1548	wavebrowser.exe
1548	wavebrowser.exe
1548	wavebrowser.exe
1548	wavebrowser.exe
1548	wavebrowser.exe
1548	wavebrowser.exe
1548	wavebrowser.exe
1548	wavebrowser.exe
1548	wavebrowser.exe

Suspicious use of SendNotifyMessage 51 IoCs

pid	Process
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
1548	wavebrowser.exe
1548	wavebrowser.exe
1548	wavebrowser.exe
1548	wavebrowser.exe
1548	wavebrowser.exe
1548	wavebrowser.exe
1548	wavebrowser.exe
1548	wavebrowser.exe
1548	wavebrowser.exe
1548	wavebrowser.exe
1548	wavebrowser.exe
1548	wavebrowser.exe
1548	wavebrowser.exe
1548	wavebrowser.exe
1548	wavebrowser.exe
1548	wavebrowser.exe
1548	wavebrowser.exe
1548	wavebrowser.exe
1548	wavebrowser.exe
1548	wavebrowser.exe
1548	wavebrowser.exe
1548	wavebrowser.exe
1548	wavebrowser.exe
1548	wavebrowser.exe
1548	wavebrowser.exe
1548	wavebrowser.exe
1548	wavebrowser.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3136 wrote to memory of 3252	3136	chrome.exe	82
PID 3136 wrote to memory of 3252	3136	chrome.exe	82
PID 3136 wrote to memory of 4072	3136	chrome.exe	84
PID 3136 wrote to memory of 4072	3136	chrome.exe	84
PID 3136 wrote to memory of 4072	3136	chrome.exe	84
PID 3136 wrote to memory of 4072	3136	chrome.exe	84
PID 3136 wrote to memory of 4072	3136	chrome.exe	84
PID 3136 wrote to memory of 4072	3136	chrome.exe	84
PID 3136 wrote to memory of 4072	3136	chrome.exe	84
PID 3136 wrote to memory of 4072	3136	chrome.exe	84
PID 3136 wrote to memory of 4072	3136	chrome.exe	84
PID 3136 wrote to memory of 4072	3136	chrome.exe	84
PID 3136 wrote to memory of 4072	3136	chrome.exe	84
PID 3136 wrote to memory of 4072	3136	chrome.exe	84
PID 3136 wrote to memory of 4072	3136	chrome.exe	84
PID 3136 wrote to memory of 4072	3136	chrome.exe	84
PID 3136 wrote to memory of 4072	3136	chrome.exe	84
PID 3136 wrote to memory of 4072	3136	chrome.exe	84
PID 3136 wrote to memory of 4072	3136	chrome.exe	84
PID 3136 wrote to memory of 4072	3136	chrome.exe	84
PID 3136 wrote to memory of 4072	3136	chrome.exe	84
PID 3136 wrote to memory of 4072	3136	chrome.exe	84
PID 3136 wrote to memory of 4072	3136	chrome.exe	84
PID 3136 wrote to memory of 4072	3136	chrome.exe	84
PID 3136 wrote to memory of 4072	3136	chrome.exe	84
PID 3136 wrote to memory of 4072	3136	chrome.exe	84
PID 3136 wrote to memory of 4072	3136	chrome.exe	84
PID 3136 wrote to memory of 4072	3136	chrome.exe	84
PID 3136 wrote to memory of 4072	3136	chrome.exe	84
PID 3136 wrote to memory of 4072	3136	chrome.exe	84
PID 3136 wrote to memory of 4072	3136	chrome.exe	84
PID 3136 wrote to memory of 4072	3136	chrome.exe	84
PID 3136 wrote to memory of 4072	3136	chrome.exe	84
PID 3136 wrote to memory of 4240	3136	chrome.exe	85
PID 3136 wrote to memory of 4240	3136	chrome.exe	85
PID 3136 wrote to memory of 628	3136	chrome.exe	86
PID 3136 wrote to memory of 628	3136	chrome.exe	86
PID 3136 wrote to memory of 628	3136	chrome.exe	86
PID 3136 wrote to memory of 628	3136	chrome.exe	86
PID 3136 wrote to memory of 628	3136	chrome.exe	86
PID 3136 wrote to memory of 628	3136	chrome.exe	86
PID 3136 wrote to memory of 628	3136	chrome.exe	86
PID 3136 wrote to memory of 628	3136	chrome.exe	86
PID 3136 wrote to memory of 628	3136	chrome.exe	86
PID 3136 wrote to memory of 628	3136	chrome.exe	86
PID 3136 wrote to memory of 628	3136	chrome.exe	86
PID 3136 wrote to memory of 628	3136	chrome.exe	86
PID 3136 wrote to memory of 628	3136	chrome.exe	86
PID 3136 wrote to memory of 628	3136	chrome.exe	86
PID 3136 wrote to memory of 628	3136	chrome.exe	86
PID 3136 wrote to memory of 628	3136	chrome.exe	86
PID 3136 wrote to memory of 628	3136	chrome.exe	86
PID 3136 wrote to memory of 628	3136	chrome.exe	86
PID 3136 wrote to memory of 628	3136	chrome.exe	86
PID 3136 wrote to memory of 628	3136	chrome.exe	86
PID 3136 wrote to memory of 628	3136	chrome.exe	86
PID 3136 wrote to memory of 628	3136	chrome.exe	86
PID 3136 wrote to memory of 628	3136	chrome.exe	86
PID 3136 wrote to memory of 628	3136	chrome.exe	86
PID 3136 wrote to memory of 628	3136	chrome.exe	86
PID 3136 wrote to memory of 628	3136	chrome.exe	86
PID 3136 wrote to memory of 628	3136	chrome.exe	86
PID 3136 wrote to memory of 628	3136	chrome.exe	86
PID 3136 wrote to memory of 628	3136	chrome.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://wavebrowser.co/
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff84b33ab58,0x7ff84b33ab68,0x7ff84b33ab78
  2⤵
  PID:3252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1704 --field-trial-handle=1892,i,7883451753967247404,122625580344786803,131072 /prefetch:2
  2⤵
  PID:4072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 --field-trial-handle=1892,i,7883451753967247404,122625580344786803,131072 /prefetch:8
  2⤵
  PID:4240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2168 --field-trial-handle=1892,i,7883451753967247404,122625580344786803,131072 /prefetch:8
  2⤵
  PID:628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3040 --field-trial-handle=1892,i,7883451753967247404,122625580344786803,131072 /prefetch:1
  2⤵
  PID:3808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3064 --field-trial-handle=1892,i,7883451753967247404,122625580344786803,131072 /prefetch:1
  2⤵
  PID:1636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4432 --field-trial-handle=1892,i,7883451753967247404,122625580344786803,131072 /prefetch:8
  2⤵
  PID:4772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4568 --field-trial-handle=1892,i,7883451753967247404,122625580344786803,131072 /prefetch:8
  2⤵
  PID:2804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4276 --field-trial-handle=1892,i,7883451753967247404,122625580344786803,131072 /prefetch:8
  2⤵
  PID:1700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4844 --field-trial-handle=1892,i,7883451753967247404,122625580344786803,131072 /prefetch:8
  2⤵
  PID:4960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4556 --field-trial-handle=1892,i,7883451753967247404,122625580344786803,131072 /prefetch:8
  2⤵
  PID:2152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3780 --field-trial-handle=1892,i,7883451753967247404,122625580344786803,131072 /prefetch:8
  2⤵
  PID:1680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5140 --field-trial-handle=1892,i,7883451753967247404,122625580344786803,131072 /prefetch:8
  2⤵
  PID:3720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4916 --field-trial-handle=1892,i,7883451753967247404,122625580344786803,131072 /prefetch:8
  2⤵
  PID:1988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4872 --field-trial-handle=1892,i,7883451753967247404,122625580344786803,131072 /prefetch:8
  2⤵
  PID:4612
- C:\Users\Admin\Downloads\Wave Browser.exe
  "C:\Users\Admin\Downloads\Wave Browser.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2000
- - C:\Users\Admin\AppData\Local\Temp\nsq95A9.tmp\SWUpdaterSetup.exe
    "C:\Users\Admin\AppData\Local\Temp\nsq95A9.tmp\SWUpdaterSetup.exe" /install "bundlename=WaveBrowser&appguid={EB149AD2-CE4E-4F51-B7FC-A149FAA4CCAF}&appname=WaveBrowser&needsadmin=False&lang=en&usagestats=1&installdataindex=1"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:3592
  - - C:\Program Files (x86)\Wavesor\Temp\GUME14.tmp\SWUpdater.exe
      "C:\Program Files (x86)\Wavesor\Temp\GUME14.tmp\SWUpdater.exe" /install "bundlename=WaveBrowser&appguid={EB149AD2-CE4E-4F51-B7FC-A149FAA4CCAF}&appname=WaveBrowser&needsadmin=False&lang=en&usagestats=1&installdataindex=1"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Checks whether UAC is enabled
      Suspicious behavior: EnumeratesProcesses
      PID:2324
    - - C:\Users\Admin\Wavesor Software\SWUpdater\SWUpdater.exe
        
        "C:\Users\Admin\Wavesor Software\SWUpdater\SWUpdater.exe" /regserver
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Registers COM server for autorun
        Checks whether UAC is enabled
        Modifies registry class
        
        PID:4004
      - C:\Users\Admin\Wavesor Software\SWUpdater\1.3.133.0\SWUpdaterComRegisterShell64.exe
        
        "C:\Users\Admin\Wavesor Software\SWUpdater\1.3.133.0\SWUpdaterComRegisterShell64.exe" /user
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Registers COM server for autorun
        Modifies registry class
        
        PID:2472
      - C:\Users\Admin\Wavesor Software\SWUpdater\1.3.133.0\SWUpdaterComRegisterShell64.exe
        
        "C:\Users\Admin\Wavesor Software\SWUpdater\1.3.133.0\SWUpdaterComRegisterShell64.exe" /user
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Registers COM server for autorun
        Modifies registry class
        
        PID:1576
      - C:\Users\Admin\Wavesor Software\SWUpdater\1.3.133.0\SWUpdaterComRegisterShell64.exe
        
        "C:\Users\Admin\Wavesor Software\SWUpdater\1.3.133.0\SWUpdaterComRegisterShell64.exe" /user
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Registers COM server for autorun
        Modifies registry class
        
        PID:3724
    - - C:\Users\Admin\Wavesor Software\SWUpdater\SWUpdater.exe
        
        "C:\Users\Admin\Wavesor Software\SWUpdater\SWUpdater.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJTV1VwZGF0ZXIiIHVwZGF0ZXJ2ZXJzaW9uPSIxLjMuMTMzLjAiIHNoZWxsX3ZlcnNpb249IjEuMy4xMzMuMCIgaXNtYWNoaW5lPSIwIiBzZXNzaW9uaWQ9Ins3QkI4OEJDMi05Qzc3LTRDQUYtOTM4RS1GQkNCOEMxQUY0Njd9IiB1c2VyaWQ9InszNGQ3ODNiYS01ZjQxLTRiOWEtOTM5Ni1hOWExMDgzMjA1YjN9IiBpbnN0YWxsc291cmNlPSJvdGhlcmluc3RhbGxjbWQiIHJlcXVlc3RpZD0iezkwRDQwNTZCLUFBMzQtNDZFMy04RjE1LTgxREZDNkE1QTI1Q30iIGRlZHVwPSJjciIgZG9tYWluam9pbmVkPSIwIj48aHcgcGh5c21lbW9yeT0iOCIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiLz48YXBwIGFwcGlkPSJ7RjZGNjBBQ0UtNzFBRC00NjEwLTgwRDQtOTI1MzcyOUZCNEI3fSIgdmVyc2lvbj0iIiBuZXh0dmVyc2lvbj0iMS4zLjEzMy4wIiBsYW5nPSJlbiIgYnJhbmQ9IiIgY2xpZW50PSIiPjxldmVudCBldmVudHR5cGU9IjIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIGluc3RhbGxfdGltZV9tcz0iMzUxIi8-PC9hcHA-PC9yZXF1ZXN0Pg
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks whether UAC is enabled
        
        PID:4424
    - - C:\Users\Admin\Wavesor Software\SWUpdater\SWUpdater.exe
        
        "C:\Users\Admin\Wavesor Software\SWUpdater\SWUpdater.exe" /handoff "bundlename=WaveBrowser&appguid={EB149AD2-CE4E-4F51-B7FC-A149FAA4CCAF}&appname=WaveBrowser&needsadmin=False&lang=en&usagestats=1&installdataindex=1" /installsource otherinstallcmd /sessionid "{7BB88BC2-9C77-4CAF-938E-FBCB8C1AF467}"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks whether UAC is enabled
        
        PID:528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2196 --field-trial-handle=1892,i,7883451753967247404,122625580344786803,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6644

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:1000

C:\Users\Admin\Wavesor Software\SWUpdater\SWUpdater.exe
"C:\Users\Admin\Wavesor Software\SWUpdater\SWUpdater.exe" -Embedding
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4940
- C:\Users\Admin\Wavesor Software\SWUpdater\Install\{830FC47E-D197-413A-8FF2-DA9DE039648F}\WaveInstaller-v1.3.16.1.exe
  "C:\Users\Admin\Wavesor Software\SWUpdater\Install\{830FC47E-D197-413A-8FF2-DA9DE039648F}\WaveInstaller-v1.3.16.1.exe" /installerdata="C:\Users\Admin\AppData\Local\Temp\gui4CF2.tmp"
  2⤵
  - Executes dropped EXE
  PID:2736
- - C:\Users\Admin\AppData\Local\Temp\nsu4FA3.tmp\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\nsu4FA3.tmp\setup.exe" --install-archive="C:\Users\Admin\AppData\Local\Temp\nsu4FA3.tmp\wavebrowser.packed.7z" --wid=i7k50077 --make-chrome-default --installerdata="C:\Users\Admin\AppData\Local\Temp\gui4CF2.tmp"
    3⤵
    - Executes dropped EXE
    - Registers COM server for autorun
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID:5000
  - - C:\Users\Admin\AppData\Local\Temp\nsu4FA3.tmp\setup.exe
      C:\Users\Admin\AppData\Local\Temp\nsu4FA3.tmp\setup.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\WaveBrowser\User Data\Crashpad" --annotation=channel= --annotation=plat=Win64 --annotation=prod=WaveBrowser --annotation=ver=1.3.16.1 --initial-client-data=0x274,0x278,0x27c,0x244,0x280,0x7ff6ea42da10,0x7ff6ea42da20,0x7ff6ea42da30
      4⤵
      Executes dropped EXE
      PID:4048
  - - C:\Users\Admin\AppData\Local\Temp\nsu4FA3.tmp\setup.exe
      "C:\Users\Admin\AppData\Local\Temp\nsu4FA3.tmp\setup.exe" --verbose-logging --installerdata="C:\Users\Admin\AppData\Local\Temp\gui4CF2.tmp" --create-shortcuts=0 --install-level=0
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of FindShellTrayWindow
      PID:2152
    - - C:\Users\Admin\AppData\Local\Temp\nsu4FA3.tmp\setup.exe
        
        C:\Users\Admin\AppData\Local\Temp\nsu4FA3.tmp\setup.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\WaveBrowser\User Data\Crashpad" --annotation=channel= --annotation=plat=Win64 --annotation=prod=WaveBrowser --annotation=ver=1.3.16.1 --initial-client-data=0x274,0x278,0x27c,0x244,0x280,0x7ff6ea42da10,0x7ff6ea42da20,0x7ff6ea42da30
        5⤵
        Executes dropped EXE
        
        PID:2072
  - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
      "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --prevdefbrowser=6 --install-type=1 --from-installer
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      Checks system information in the registry
      Enumerates system info in registry
      Modifies data under HKEY_USERS
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:1548
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\WaveBrowser\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\WaveBrowser\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\WaveBrowser\User Data" --annotation=channel= --annotation=plat=Win64 --annotation=prod=WaveBrowser --annotation=ver=1.3.16.1 --initial-client-data=0xd4,0xfc,0x108,0xec,0x10c,0x7ff8390548b0,0x7ff8390548c0,0x7ff8390548d0
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:908
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=gpu-process --start-stack-profiler --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2024 --field-trial-handle=2028,i,11870086659046989626,4219578227136472153,262144 /prefetch:2
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1296
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --start-stack-profiler --mojo-platform-channel-handle=2072 --field-trial-handle=2028,i,11870086659046989626,4219578227136472153,262144 /prefetch:8
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3720
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1668 --field-trial-handle=2028,i,11870086659046989626,4219578227136472153,262144 /prefetch:8
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:544
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3276 --field-trial-handle=2028,i,11870086659046989626,4219578227136472153,262144 /prefetch:1
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5156
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --extension-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3432 --field-trial-handle=2028,i,11870086659046989626,4219578227136472153,262144 /prefetch:1
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5168
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=chrome.mojom.ProfileImport --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3500 --field-trial-handle=2028,i,11870086659046989626,4219578227136472153,262144 /prefetch:8
        5⤵
        Executes dropped EXE
        
        PID:5180
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4420 --field-trial-handle=2028,i,11870086659046989626,4219578227136472153,262144 /prefetch:8
        5⤵
        Executes dropped EXE
        
        PID:6008
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4512 --field-trial-handle=2028,i,11870086659046989626,4219578227136472153,262144 /prefetch:1
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5320
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4536 --field-trial-handle=2028,i,11870086659046989626,4219578227136472153,262144 /prefetch:1
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5504
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4748 --field-trial-handle=2028,i,11870086659046989626,4219578227136472153,262144 /prefetch:1
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5428
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4872 --field-trial-handle=2028,i,11870086659046989626,4219578227136472153,262144 /prefetch:1
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5448
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --start-stack-profiler --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4988 --field-trial-handle=2028,i,11870086659046989626,4219578227136472153,262144 /prefetch:1
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5464
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=5104 --field-trial-handle=2028,i,11870086659046989626,4219578227136472153,262144 /prefetch:1
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4612
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=5204 --field-trial-handle=2028,i,11870086659046989626,4219578227136472153,262144 /prefetch:1
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5544
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --start-stack-profiler --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=5336 --field-trial-handle=2028,i,11870086659046989626,4219578227136472153,262144 /prefetch:1
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5488
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --instant-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=5456 --field-trial-handle=2028,i,11870086659046989626,4219578227136472153,262144 /prefetch:1
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5532
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6152 --field-trial-handle=2028,i,11870086659046989626,4219578227136472153,262144 /prefetch:8
        5⤵
        Executes dropped EXE
        
        PID:5800
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6288 --field-trial-handle=2028,i,11870086659046989626,4219578227136472153,262144 /prefetch:8
        5⤵
        Executes dropped EXE
        
        PID:5816
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=6520 --field-trial-handle=2028,i,11870086659046989626,4219578227136472153,262144 /prefetch:1
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2992
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=6652 --field-trial-handle=2028,i,11870086659046989626,4219578227136472153,262144 /prefetch:1
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:6108
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3500 --field-trial-handle=2028,i,11870086659046989626,4219578227136472153,262144 /prefetch:8
        5⤵
        Executes dropped EXE
        
        PID:5832
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6300 --field-trial-handle=2028,i,11870086659046989626,4219578227136472153,262144 /prefetch:8
        5⤵
        Executes dropped EXE
        
        PID:4296
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=7196 --field-trial-handle=2028,i,11870086659046989626,4219578227136472153,262144 /prefetch:8
        5⤵
        Executes dropped EXE
        
        PID:1344
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=7164 --field-trial-handle=2028,i,11870086659046989626,4219578227136472153,262144 /prefetch:8
        5⤵
        Executes dropped EXE
        
        PID:5680
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=7468 --field-trial-handle=2028,i,11870086659046989626,4219578227136472153,262144 /prefetch:8
        5⤵
        Executes dropped EXE
        
        PID:5720
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=7616 --field-trial-handle=2028,i,11870086659046989626,4219578227136472153,262144 /prefetch:8
        5⤵
        Executes dropped EXE
        
        PID:6088
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=7456 --field-trial-handle=2028,i,11870086659046989626,4219578227136472153,262144 /prefetch:8
        5⤵
        Executes dropped EXE
        
        PID:5944
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=7968 --field-trial-handle=2028,i,11870086659046989626,4219578227136472153,262144 /prefetch:8
        5⤵
        Executes dropped EXE
        
        PID:5316
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7960 --field-trial-handle=2028,i,11870086659046989626,4219578227136472153,262144 /prefetch:8
        5⤵
        Executes dropped EXE
        
        PID:5508
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --mojo-platform-channel-handle=8032 --field-trial-handle=2028,i,11870086659046989626,4219578227136472153,262144 /prefetch:1
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5916
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=7720 --field-trial-handle=2028,i,11870086659046989626,4219578227136472153,262144 /prefetch:8
        5⤵
        Executes dropped EXE
        
        PID:880
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=7864 --field-trial-handle=2028,i,11870086659046989626,4219578227136472153,262144 /prefetch:8
        5⤵
        Executes dropped EXE
        
        PID:5812
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=7508 --field-trial-handle=2028,i,11870086659046989626,4219578227136472153,262144 /prefetch:8
        5⤵
        Executes dropped EXE
        
        PID:6096
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=7524 --field-trial-handle=2028,i,11870086659046989626,4219578227136472153,262144 /prefetch:8
        5⤵
        Executes dropped EXE
        
        PID:5352
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=8100 --field-trial-handle=2028,i,11870086659046989626,4219578227136472153,262144 /prefetch:8
        5⤵
        Executes dropped EXE
        
        PID:5496
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=7996 --field-trial-handle=2028,i,11870086659046989626,4219578227136472153,262144 /prefetch:8
        5⤵
        Executes dropped EXE
        
        PID:5920
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6980 --field-trial-handle=2028,i,11870086659046989626,4219578227136472153,262144 /prefetch:8
        5⤵
        Executes dropped EXE
        
        PID:6056
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6268 --field-trial-handle=2028,i,11870086659046989626,4219578227136472153,262144 /prefetch:8
        5⤵
        Executes dropped EXE
        
        PID:4972
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=8276 --field-trial-handle=2028,i,11870086659046989626,4219578227136472153,262144 /prefetch:8
        5⤵
        Executes dropped EXE
        
        PID:6180
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=8416 --field-trial-handle=2028,i,11870086659046989626,4219578227136472153,262144 /prefetch:8
        5⤵
        Executes dropped EXE
        
        PID:6196
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=8552 --field-trial-handle=2028,i,11870086659046989626,4219578227136472153,262144 /prefetch:8
        5⤵
        Executes dropped EXE
        
        PID:6460
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=8692 --field-trial-handle=2028,i,11870086659046989626,4219578227136472153,262144 /prefetch:8
        5⤵
        Executes dropped EXE
        
        PID:6472
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=8840 --field-trial-handle=2028,i,11870086659046989626,4219578227136472153,262144 /prefetch:8
        5⤵
        Executes dropped EXE
        
        PID:6712
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=7224 --field-trial-handle=2028,i,11870086659046989626,4219578227136472153,262144 /prefetch:8
        5⤵
        Executes dropped EXE
        
        PID:6852
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=9116 --field-trial-handle=2028,i,11870086659046989626,4219578227136472153,262144 /prefetch:8
        5⤵
        Executes dropped EXE
        
        PID:6908
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=9100 --field-trial-handle=2028,i,11870086659046989626,4219578227136472153,262144 /prefetch:8
        5⤵
        Executes dropped EXE
        
        PID:6396
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=9388 --field-trial-handle=2028,i,11870086659046989626,4219578227136472153,262144 /prefetch:8
        5⤵
        
        PID:6424
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=9540 --field-trial-handle=2028,i,11870086659046989626,4219578227136472153,262144 /prefetch:8
        5⤵
        
        PID:6768
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=9680 --field-trial-handle=2028,i,11870086659046989626,4219578227136472153,262144 /prefetch:8
        5⤵
        
        PID:6676
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=9816 --field-trial-handle=2028,i,11870086659046989626,4219578227136472153,262144 /prefetch:8
        5⤵
        
        PID:6220
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=9948 --field-trial-handle=2028,i,11870086659046989626,4219578227136472153,262144 /prefetch:8
        5⤵
        
        PID:6208
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=10088 --field-trial-handle=2028,i,11870086659046989626,4219578227136472153,262144 /prefetch:8
        5⤵
        
        PID:6660
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=10228 --field-trial-handle=2028,i,11870086659046989626,4219578227136472153,262144 /prefetch:8
        5⤵
        
        PID:5036
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3684 --field-trial-handle=2028,i,11870086659046989626,4219578227136472153,262144 /prefetch:8
        5⤵
        
        PID:7064
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --extension-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --mojo-platform-channel-handle=10500 --field-trial-handle=2028,i,11870086659046989626,4219578227136472153,262144 /prefetch:1
        5⤵
        Checks computer location settings
        
        PID:7120
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=58 --mojo-platform-channel-handle=10644 --field-trial-handle=2028,i,11870086659046989626,4219578227136472153,262144 /prefetch:1
        5⤵
        Checks computer location settings
        
        PID:6344
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --extension-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --mojo-platform-channel-handle=6508 --field-trial-handle=2028,i,11870086659046989626,4219578227136472153,262144 /prefetch:1
        5⤵
        Checks computer location settings
        
        PID:6280
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --start-stack-profiler --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=60 --mojo-platform-channel-handle=11160 --field-trial-handle=2028,i,11870086659046989626,4219578227136472153,262144 /prefetch:1
        5⤵
        Checks computer location settings
        
        PID:6500
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --extension-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=59 --mojo-platform-channel-handle=11136 --field-trial-handle=2028,i,11870086659046989626,4219578227136472153,262144 /prefetch:1
        5⤵
        Checks computer location settings
        
        PID:6616
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --extension-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=61 --mojo-platform-channel-handle=10964 --field-trial-handle=2028,i,11870086659046989626,4219578227136472153,262144 /prefetch:1
        5⤵
        Checks computer location settings
        
        PID:6808
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --mojo-platform-channel-handle=11100 --field-trial-handle=2028,i,11870086659046989626,4219578227136472153,262144 /prefetch:1
        5⤵
        Checks computer location settings
        
        PID:6840
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=11684 --field-trial-handle=2028,i,11870086659046989626,4219578227136472153,262144 /prefetch:8
        5⤵
        
        PID:7024
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --extension-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=64 --mojo-platform-channel-handle=11832 --field-trial-handle=2028,i,11870086659046989626,4219578227136472153,262144 /prefetch:1
        5⤵
        Checks computer location settings
        
        PID:7100
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --extension-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=66 --mojo-platform-channel-handle=11968 --field-trial-handle=2028,i,11870086659046989626,4219578227136472153,262144 /prefetch:1
        5⤵
        Checks computer location settings
        
        PID:1712
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --extension-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=67 --mojo-platform-channel-handle=12248 --field-trial-handle=2028,i,11870086659046989626,4219578227136472153,262144 /prefetch:1
        5⤵
        Checks computer location settings
        
        PID:6640
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5436 --field-trial-handle=2028,i,11870086659046989626,4219578227136472153,262144 /prefetch:8
        5⤵
        
        PID:4432
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --start-stack-profiler --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=69 --mojo-platform-channel-handle=11924 --field-trial-handle=2028,i,11870086659046989626,4219578227136472153,262144 /prefetch:1
        5⤵
        Checks computer location settings
        
        PID:6944
- C:\Users\Admin\Wavesor Software\SWUpdater\SWUpdater.exe
  "C:\Users\Admin\Wavesor Software\SWUpdater\SWUpdater.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJTV1VwZGF0ZXIiIHVwZGF0ZXJ2ZXJzaW9uPSIxLjMuMTMzLjAiIHNoZWxsX3ZlcnNpb249IjEuMy4xMzMuMCIgaXNtYWNoaW5lPSIwIiBzZXNzaW9uaWQ9Ins3QkI4OEJDMi05Qzc3LTRDQUYtOTM4RS1GQkNCOEMxQUY0Njd9IiB1c2VyaWQ9InszNGQ3ODNiYS01ZjQxLTRiOWEtOTM5Ni1hOWExMDgzMjA1YjN9IiBpbnN0YWxsc291cmNlPSJvdGhlcmluc3RhbGxjbWQiIHJlcXVlc3RpZD0iezU4OTRBNEM3LUI5OTctNDlBOC1CQjYxLUI1MzZBQUYzODRFNH0iIGRlZHVwPSJjciIgZG9tYWluam9pbmVkPSIwIj48aHcgcGh5c21lbW9yeT0iOCIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiLz48YXBwIGFwcGlkPSJ7RUIxNDlBRDItQ0U0RS00RjUxLUI3RkMtQTE0OUZBQTRDQ0FGfSIgdmVyc2lvbj0iIiBuZXh0dmVyc2lvbj0iMS4zLjE2LjEiIGxhbmc9ImVuIiBicmFuZD0iIiBjbGllbnQ9IiIgaW5zdGFsbGFnZT0iLTEiIGluc3RhbGxkYXRlPSItMSI-PGV2ZW50IGV2ZW50dHlwZT0iOSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIvPjxldmVudCBldmVudHR5cGU9IjUiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBkb3dubG9hZGVyPSJiaXRzIiB1cmw9Imh0dHBzOi8vY2RuLnN3dXBkYXRlci5jb20vYnVpbGQvV2F2ZUJyb3dzZXIvc3RhYmxlL3dpbi8xMTEyMzk3NTc4MjQxLzY0L1dhdmVJbnN0YWxsZXItdjEuMy4xNi4xLmV4ZSIgZG93bmxvYWRlZD0iOTg1MTEyODgiIHRvdGFsPSI5ODUxMTI4OCIgZG93bmxvYWRfdGltZV9tcz0iODIzOCIvPjxldmVudCBldmVudHR5cGU9IjEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSI2IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc291cmNlX3VybF9pbmRleD0iMCIgdXBkYXRlX2NoZWNrX3RpbWVfbXM9IjYyMyIgZG93bmxvYWRfdGltZV9tcz0iOTAwNiIgZG93bmxvYWRlZD0iOTg1MTEyODgiIHRvdGFsPSI5ODUxMTI4OCIgaW5zdGFsbF90aW1lX21zPSIxMDc2NiIvPjwvYXBwPjwvcmVxdWVzdD4
  2⤵
  - Executes dropped EXE
  - Checks whether UAC is enabled
  PID:5852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

System Information Discovery