76eee256f1223082e8396611baca498542c656edd0fac5fe903e06e6cb5677e2

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Wavesor SWUpdater = "\"C:\\Users\\Admin\\Wavesor Software\\SWUpdater\\1.3.133.0\\SWUpdaterCore.exe\""	SWUpdater.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Free Download Manager = "\"C:\\Program Files\\Softdeluxe\\Free Download Manager\\fdm.exe\" --hidden"	fdm.exe

Checks for any installed AV software in registry 1 TTPs 8 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVG\AV\Dir	setup50657680.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVG\AV	setup50657680.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVG\AV\Dir	setup50657680.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVG\AV	setup50657680.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast\Version	setup50657680.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast	setup50657680.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast\Version	setup50657680.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast	setup50657680.exe

Checks whether UAC is enabled 1 TTPs 12 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SWUpdater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SWUpdater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SWUpdater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SWUpdater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SWUpdater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SWUpdater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SWUpdater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SWUpdater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SWUpdater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SWUpdater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SWUpdater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SWUpdater.exe

Downloads MZ/PE file

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\D:	fdm.exe
File opened (read-only)	\??\F:	fdm.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
199	camo.githubusercontent.com
201	camo.githubusercontent.com
203	camo.githubusercontent.com

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
7056	netsh.exe
7644	netsh.exe

Checks computer location settings 2 TTPs 62 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wavebrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wavebrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wavebrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wavebrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wavebrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wavebrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wavebrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	fdm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	SWUpdater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wavebrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wavebrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wavebrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wavebrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wavebrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wavebrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wavebrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wavebrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wavebrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wavebrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wavebrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wavebrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wavebrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wavebrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wavebrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wavebrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	SWUpdater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wavebrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wavebrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wavebrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wavebrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wavebrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	SWUpdater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wavebrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wavebrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wavebrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wavebrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wavebrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wavebrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wavebrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wavebrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wavebrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wavebrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wavebrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wavebrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wavebrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wavebrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	Solara_50657680.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wavebrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wavebrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wavebrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wavebrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wavebrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wavebrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wavebrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wavebrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wavebrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wavebrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wavebrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wavebrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wavebrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	setup50657680.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	wavebrowser.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	wavebrowser.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks system information in the registry 2 TTPs 2 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	wavebrowser.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	wavebrowser.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping3204_147464029\manifest.json	wavebrowser.exe
File created	C:\Program Files\Softdeluxe\Free Download Manager\qml\QtQuick\Controls\Imagine\is-QAQTR.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\translations\main\is-M6M1J.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping3204_459339897\IM	wavebrowser.exe
File created	C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping3204_459339897\DO	wavebrowser.exe
File created	C:\Program Files\Softdeluxe\Free Download Manager\qml\Qt5Compat\GraphicalEffects\is-0340D.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\qml\QtQuick\Controls\Basic\is-PU0AK.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\qml\QtQuick\Controls\Material\is-R8GFN.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\qmltooling\is-3GBI1.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\translations\is-0GU4Q.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\translations\is-NORA7.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping3204_902313293\manifest.fingerprint	wavebrowser.exe
File created	C:\Program Files\Softdeluxe\Free Download Manager\is-CQ2F1.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\qml\QtQuick\Controls\Imagine\is-SVHHS.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\qml\QtQuick\Controls\Windows\is-5FRVD.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\translations\is-SCVPH.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping3204_459339897\MS	wavebrowser.exe
File created	C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping3204_459339897\CO	wavebrowser.exe
File created	C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping3204_1703186317\cr_en-us_500000_index.bin	wavebrowser.exe
File created	C:\Program Files\Softdeluxe\Free Download Manager\qml\QtQuick\Controls\Fusion\is-QI66U.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping3204_193530383\hyph-pt.hyb	wavebrowser.exe
File created	C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping3204_459339897\MM	wavebrowser.exe
File created	C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping3204_459339897\KR	wavebrowser.exe
File created	C:\Program Files\Softdeluxe\Free Download Manager\qml\QtQuick\Controls\Basic\is-6SRTD.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\qml\QtQuick\Controls\Imagine\is-6SKO9.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\qml\QtQuick\Controls\Universal\is-B53MM.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\qml\QtQuick\Dialogs\quickimpl\qml\+Fusion\is-867MH.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping3204_193530383\hyph-ka.hyb	wavebrowser.exe
File created	C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping3204_902313293\_metadata\verified_contents.json	wavebrowser.exe
File created	C:\Program Files\Softdeluxe\Free Download Manager\qml\QtQuick\Dialogs\quickimpl\qml\is-5JK1R.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping3204_459339897\KP	wavebrowser.exe
File created	C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping3204_459339897\IN	wavebrowser.exe
File created	C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping3204_459339897\HU	wavebrowser.exe
File created	C:\Program Files\Softdeluxe\Free Download Manager\qml\QtQuick\Controls\Fusion\is-HDPGJ.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\qmltooling\is-VUGJ7.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\translations\main\is-3VI61.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping3204_459339897\NC	wavebrowser.exe
File created	C:\Program Files\Softdeluxe\Free Download Manager\is-70MS1.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping3204_459339897\PT	wavebrowser.exe
File created	C:\Program Files\Softdeluxe\Free Download Manager\is-0QM9E.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\qml\QtQuick\Controls\Fusion\is-QSSUL.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\qml\QtQuick\Controls\Imagine\is-G8PG4.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\qml\QtQuick\Controls\Material\is-U45H1.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping3204_459339897\SH	wavebrowser.exe
File created	C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping3204_459339897\SA	wavebrowser.exe
File created	C:\Program Files (x86)\Wavesor\Temp\GUMECED.tmp\swupdaterres_en.dll	SWUpdaterSetup.exe
File created	C:\Program Files\Softdeluxe\Free Download Manager\is-7699C.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\imageformats\is-MLSKT.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\qml\QtQuick\Controls\Basic\is-HQ6N6.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\qml\QtQuick\Controls\Material\impl\is-7F8IR.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping3204_459339897\PG	wavebrowser.exe
File created	C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping3204_459339897\KH	wavebrowser.exe
File created	C:\Program Files\Softdeluxe\Free Download Manager\is-FN6CD.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\is-22DSR.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\imageformats\is-MV4PT.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\translations\is-T32N3.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping3204_459339897\PY	wavebrowser.exe
File created	C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping3204_459339897\LS	wavebrowser.exe
File created	C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping3204_459339897\IR	wavebrowser.exe
File created	C:\Program Files\Softdeluxe\Free Download Manager\translations\torrents\is-E6VPB.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\qml\QtQuick\Controls\Imagine\is-C1GHA.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\qml\QtQuick\Controls\Imagine\is-104R2.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\is-7A7FE.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\qml\QtQuick\Controls\Material\is-V7P3T.tmp	fdm_x64_setup.tmp

Executes dropped EXE 64 IoCs

pid	Process
1540	setup50657680.exe
4760	setup50657680.exe
2804	OfferInstaller.exe
4756	Steam.exe
1836	Steam.exe
4612	Wave Browser.exe
664	SWUpdaterSetup.exe
4904	SWUpdater.exe
4108	SWUpdater.exe
968	SWUpdaterComRegisterShell64.exe
3376	SWUpdaterComRegisterShell64.exe
4200	SWUpdaterComRegisterShell64.exe
4036	SWUpdater.exe
2608	SWUpdater.exe
1540	SWUpdater.exe
4488	WaveInstaller-v1.3.16.5.exe
1820	setup.exe
2420	setup.exe
4976	setup.exe
1140	setup.exe
3204	wavebrowser.exe
532	wavebrowser.exe
2804	wavebrowser.exe
2312	wavebrowser.exe
1332	wavebrowser.exe
1176	wavebrowser.exe
4352	wavebrowser.exe
2100	wavebrowser.exe
5652	SWUpdater.exe
5864	wavebrowser.exe
4592	wavebrowser.exe
3352	wavebrowser.exe
1236	wavebrowser.exe
976	wavebrowser.exe
3852	wavebrowser.exe
5140	wavebrowser.exe
5324	wavebrowser.exe
5416	wavebrowser.exe
5420	wavebrowser.exe
5628	wavebrowser.exe
5636	wavebrowser.exe
5244	wavebrowser.exe
5392	wavebrowser.exe
6124	wavebrowser.exe
4964	wavebrowser.exe
2380	wavebrowser.exe
5976	wavebrowser.exe
1356	wavebrowser.exe
6032	wavebrowser.exe
4960	wavebrowser.exe
5188	wavebrowser.exe
5988	wavebrowser.exe
5224	wavebrowser.exe
1996	wavebrowser.exe
5248	wavebrowser.exe
5580	wavebrowser.exe
2236	wavebrowser.exe
5692	wavebrowser.exe
6008	wavebrowser.exe
6092	wavebrowser.exe
6244	wavebrowser.exe
6256	wavebrowser.exe
6312	wavebrowser.exe
6324	wavebrowser.exe

Loads dropped DLL 64 IoCs

pid	Process
1540	setup50657680.exe
1540	setup50657680.exe
1540	setup50657680.exe
1540	setup50657680.exe
1540	setup50657680.exe
1540	setup50657680.exe
1540	setup50657680.exe
1540	setup50657680.exe
1540	setup50657680.exe
1540	setup50657680.exe
1540	setup50657680.exe
1540	setup50657680.exe
1540	setup50657680.exe
1540	setup50657680.exe
1540	setup50657680.exe
1540	setup50657680.exe
1540	setup50657680.exe
1540	setup50657680.exe
1540	setup50657680.exe
1540	setup50657680.exe
1540	setup50657680.exe
1540	setup50657680.exe
1540	setup50657680.exe
1540	setup50657680.exe
1540	setup50657680.exe
1540	setup50657680.exe
1540	setup50657680.exe
1540	setup50657680.exe
1540	setup50657680.exe
1540	setup50657680.exe
1540	setup50657680.exe
1540	setup50657680.exe
1540	setup50657680.exe
1540	setup50657680.exe
1540	setup50657680.exe
1540	setup50657680.exe
1540	setup50657680.exe
1540	setup50657680.exe
1540	setup50657680.exe
4760	setup50657680.exe
4760	setup50657680.exe
4760	setup50657680.exe
4760	setup50657680.exe
4760	setup50657680.exe
4760	setup50657680.exe
4760	setup50657680.exe
4760	setup50657680.exe
4760	setup50657680.exe
4760	setup50657680.exe
4760	setup50657680.exe
4760	setup50657680.exe
4760	setup50657680.exe
4760	setup50657680.exe
4760	setup50657680.exe
4760	setup50657680.exe
4760	setup50657680.exe
4760	setup50657680.exe
4760	setup50657680.exe
4760	setup50657680.exe
4760	setup50657680.exe
4760	setup50657680.exe
4760	setup50657680.exe
4760	setup50657680.exe
4760	setup50657680.exe

Registers COM server for autorun 1 TTPs 55 IoCs

persistence

Registry Run Keys / Startup Folder

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\CLSID\{F87D77DF-DEF2-4294-9F4B-A92E5A6725DE}\InprocServer32\ThreadingModel = "Both"	SWUpdaterComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\CLSID\{F6994161-37C3-47C9-BE83-C84C33A1CF2A}\InprocServer32\ThreadingModel = "Both"	SWUpdaterComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\CLSID\{D7EC6DDA-90E9-44BA-863B-6C3500BB5BDF}\InProcServer32\ThreadingModel = "Both"	SWUpdaterComRegisterShell64.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\WOW6432Node\CLSID\{F87D77DF-DEF2-4294-9F4B-A92E5A6725DE}\InprocServer32	SWUpdater.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\CLSID\{F87D77DF-DEF2-4294-9F4B-A92E5A6725DE}\InprocServer32	SWUpdaterComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\WOW6432Node\CLSID\{F87D77DF-DEF2-4294-9F4B-A92E5A6725DE}\InprocServer32\ThreadingModel = "Both"	SWUpdater.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\WOW6432Node\CLSID\{F6994161-37C3-47C9-BE83-C84C33A1CF2A}\InprocServer32	SWUpdater.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\WOW6432Node\CLSID\{1BE9D40C-2307-4213-830E-7E3CE9EDF0C2}\LocalServer32	SWUpdater.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\WOW6432Node\CLSID\{D12748C8-5013-45E2-9A24-2FB7C2EEFB7C}\LocalServer32	SWUpdater.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\CLSID\{9CD78CBC-FD21-4FFF-B452-9D792A58B7C4}\LocalServer32	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\CLSID\{D7EC6DDA-90E9-44BA-863B-6C3500BB5BDF}\InProcServer32\ = "C:\\Users\\Admin\\Wavesor Software\\SWUpdater\\1.3.133.0\\psuser_64.dll"	SWUpdaterComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\WOW6432Node\CLSID\{F6994161-37C3-47C9-BE83-C84C33A1CF2A}\InprocServer32\ = "C:\\Users\\Admin\\Wavesor Software\\SWUpdater\\1.3.133.0\\psuser.dll"	SWUpdater.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\CLSID\{D7EC6DDA-90E9-44BA-863B-6C3500BB5BDF}\InProcServer32	SWUpdaterComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\CLSID\{F87D77DF-DEF2-4294-9F4B-A92E5A6725DE}\InprocServer32\ThreadingModel = "Both"	SWUpdaterComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\WOW6432Node\CLSID\{1BE9D40C-2307-4213-830E-7E3CE9EDF0C2}\LocalServer32\ = "\"C:\\Users\\Admin\\Wavesor Software\\SWUpdater\\1.3.133.0\\SWUpdaterOnDemand.exe\""	SWUpdater.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\WOW6432Node\CLSID\{D12748C8-5013-45E2-9A24-2FB7C2EEFB7C}\LocalServer32\ = "\"C:\\Users\\Admin\\Wavesor Software\\SWUpdater\\1.3.133.0\\SWUpdaterOnDemand.exe\""	SWUpdater.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\CLSID\{F87D77DF-DEF2-4294-9F4B-A92E5A6725DE}\InprocServer32	SWUpdaterComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\WOW6432Node\CLSID\{9E0CE9B5-C498-40A8-B7F2-B89AF1C56FFF}\LocalServer32\ = "\"C:\\Users\\Admin\\Wavesor Software\\SWUpdater\\SWUpdater.exe\""	SWUpdater.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\WOW6432Node\CLSID\{3C41B0C4-B5B6-4293-BED4-C927CCFDB909}\LocalServer32	SWUpdater.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\CLSID\{D7EC6DDA-90E9-44BA-863B-6C3500BB5BDF}\InProcServer32	SWUpdaterComRegisterShell64.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\WOW6432Node\CLSID\{D7EC6DDA-90E9-44BA-863B-6C3500BB5BDF}\InProcServer32	SWUpdater.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\WOW6432Node\CLSID\{30FB944E-9455-49DD-81C6-7542E47AA3E7}\LocalServer32\ = "\"C:\\Users\\Admin\\Wavesor Software\\SWUpdater\\1.3.133.0\\SWUpdaterOnDemand.exe\""	SWUpdater.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\WOW6432Node\CLSID\{F87D77DF-DEF2-4294-9F4B-A92E5A6725DE}\InprocServer32\ = "C:\\Users\\Admin\\Wavesor Software\\SWUpdater\\1.3.133.0\\psuser.dll"	SWUpdater.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\CLSID\{F6994161-37C3-47C9-BE83-C84C33A1CF2A}\InprocServer32\ = "C:\\Users\\Admin\\Wavesor Software\\SWUpdater\\1.3.133.0\\psuser_64.dll"	SWUpdaterComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\CLSID\{F6994161-37C3-47C9-BE83-C84C33A1CF2A}\InprocServer32\ThreadingModel = "Both"	SWUpdaterComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\CLSID\{F87D77DF-DEF2-4294-9F4B-A92E5A6725DE}\InprocServer32\ = "C:\\Users\\Admin\\Wavesor Software\\SWUpdater\\1.3.133.0\\psuser_64.dll"	SWUpdaterComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\WOW6432Node\CLSID\{F6994161-37C3-47C9-BE83-C84C33A1CF2A}\InprocServer32\ThreadingModel = "Both"	SWUpdater.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\WOW6432Node\CLSID\{F87D77DF-DEF2-4294-9F4B-A92E5A6725DE}\InprocServer32	SWUpdater.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\CLSID\{9CD78CBC-FD21-4FFF-B452-9D792A58B7C4}\LocalServer32\ServerExecutable = "C:\\Users\\Admin\\Wavesor Software\\WaveBrowser\\1.3.16.5\\notification_helper.exe"	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\CLSID\{F6994161-37C3-47C9-BE83-C84C33A1CF2A}\InprocServer32	SWUpdaterComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\WOW6432Node\CLSID\{D7EC6DDA-90E9-44BA-863B-6C3500BB5BDF}\InProcServer32\ThreadingModel = "Both"	SWUpdater.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\CLSID\{F87D77DF-DEF2-4294-9F4B-A92E5A6725DE}\InprocServer32	SWUpdaterComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\CLSID\{F87D77DF-DEF2-4294-9F4B-A92E5A6725DE}\InprocServer32\ = "C:\\Users\\Admin\\Wavesor Software\\SWUpdater\\1.3.133.0\\psuser_64.dll"	SWUpdaterComRegisterShell64.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\CLSID\{F87D77DF-DEF2-4294-9F4B-A92E5A6725DE}\InprocServer32	SWUpdaterComRegisterShell64.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\CLSID\{F6994161-37C3-47C9-BE83-C84C33A1CF2A}\InprocServer32	SWUpdaterComRegisterShell64.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\CLSID\{F6994161-37C3-47C9-BE83-C84C33A1CF2A}\InprocServer32	SWUpdaterComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\CLSID\{D7EC6DDA-90E9-44BA-863B-6C3500BB5BDF}\InProcServer32\ = "C:\\Users\\Admin\\Wavesor Software\\SWUpdater\\1.3.133.0\\psuser_64.dll"	SWUpdaterComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\CLSID\{F87D77DF-DEF2-4294-9F4B-A92E5A6725DE}\InprocServer32\ = "C:\\Users\\Admin\\Wavesor Software\\SWUpdater\\1.3.133.0\\psuser_64.dll"	SWUpdaterComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\CLSID\{D7EC6DDA-90E9-44BA-863B-6C3500BB5BDF}\InProcServer32\ThreadingModel = "Both"	SWUpdaterComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\CLSID\{F6994161-37C3-47C9-BE83-C84C33A1CF2A}\InprocServer32\ = "C:\\Users\\Admin\\Wavesor Software\\SWUpdater\\1.3.133.0\\psuser_64.dll"	SWUpdaterComRegisterShell64.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\WOW6432Node\CLSID\{30FB944E-9455-49DD-81C6-7542E47AA3E7}\LocalServer32	SWUpdater.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\WOW6432Node\CLSID\{3C41B0C4-B5B6-4293-BED4-C927CCFDB909}\LocalServer32\ = "\"C:\\Users\\Admin\\Wavesor Software\\SWUpdater\\1.3.133.0\\SWUpdaterOnDemand.exe\""	SWUpdater.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\WOW6432Node\CLSID\{F6994161-37C3-47C9-BE83-C84C33A1CF2A}\InprocServer32	SWUpdater.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\CLSID\{F87D77DF-DEF2-4294-9F4B-A92E5A6725DE}\InprocServer32\ThreadingModel = "Both"	SWUpdaterComRegisterShell64.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\CLSID\{F6994161-37C3-47C9-BE83-C84C33A1CF2A}\InprocServer32	SWUpdaterComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\WOW6432Node\CLSID\{D7EC6DDA-90E9-44BA-863B-6C3500BB5BDF}\InProcServer32\ = "C:\\Users\\Admin\\Wavesor Software\\SWUpdater\\1.3.133.0\\psuser.dll"	SWUpdater.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\CLSID\{F6994161-37C3-47C9-BE83-C84C33A1CF2A}\InprocServer32	SWUpdaterComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\CLSID\{D7EC6DDA-90E9-44BA-863B-6C3500BB5BDF}\InProcServer32\ThreadingModel = "Both"	SWUpdaterComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\CLSID\{F6994161-37C3-47C9-BE83-C84C33A1CF2A}\InprocServer32\ = "C:\\Users\\Admin\\Wavesor Software\\SWUpdater\\1.3.133.0\\psuser_64.dll"	SWUpdaterComRegisterShell64.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\WOW6432Node\CLSID\{9E0CE9B5-C498-40A8-B7F2-B89AF1C56FFF}\LocalServer32	SWUpdater.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\CLSID\{F87D77DF-DEF2-4294-9F4B-A92E5A6725DE}\InprocServer32	SWUpdaterComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\CLSID\{F6994161-37C3-47C9-BE83-C84C33A1CF2A}\InprocServer32\ThreadingModel = "Both"	SWUpdaterComRegisterShell64.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\CLSID\{D7EC6DDA-90E9-44BA-863B-6C3500BB5BDF}\InProcServer32	SWUpdaterComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\CLSID\{D7EC6DDA-90E9-44BA-863B-6C3500BB5BDF}\InProcServer32\ = "C:\\Users\\Admin\\Wavesor Software\\SWUpdater\\1.3.133.0\\psuser_64.dll"	SWUpdaterComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\CLSID\{9CD78CBC-FD21-4FFF-B452-9D792A58B7C4}\LocalServer32\ = "\"C:\\Users\\Admin\\Wavesor Software\\WaveBrowser\\1.3.16.5\\notification_helper.exe\""	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x000800000002364f-1943.dat	nsis_installer_1
behavioral1/files/0x000800000002364f-1943.dat	nsis_installer_2

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

pid	Process
2412	schtasks.exe

Delays execution with timeout.exe 4 IoCs

evasion

pid	Process
4212	timeout.exe
3052	timeout.exe
3908	timeout.exe
964	timeout.exe

Enumerates processes with tasklist 1 TTPs 4 IoCs

Process Discovery

T1057

pid	Process
1736	tasklist.exe
2912	tasklist.exe
5040	tasklist.exe
3280	tasklist.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	wavebrowser.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	wavebrowser.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	wavebrowser.exe

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_GPU_RENDERING	fdm_x64_setup.tmp
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING\fdm.exe = "1"	fdm_x64_setup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION	fdm_x64_setup.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\fdm.exe = "11000"	fdm_x64_setup.tmp
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION	fdm_x64_setup.tmp
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\fdm.exe = "11000"	fdm_x64_setup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_GPU_RENDERING	fdm_x64_setup.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING\fdm.exe = "1"	fdm_x64_setup.tmp

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133623356875936047"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	wavebrowser.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\WOW6432Node\Interface\{068FAC78-4F23-4F74-99A0-F7C4797D5ECA}\NumMethods	SWUpdater.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\WOW6432Node\CLSID\{30FB944E-9455-49DD-81C6-7542E47AA3E7}\ = "SWUpdater Update3Web"	SWUpdater.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\WavesorSWUpdater.CredentialDialogUser	SWUpdater.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\WaveBrwsHTM.4OPPJG22QRONWAOP4YFYZ4RZ6Y\Application\ApplicationName = "WaveBrowser"	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Interface\{E053F7BD-D525-49F4-9ADE-5D7E6FCEE775}\NumMethods\ = "4"	SWUpdaterComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\CLSID\{D7EC6DDA-90E9-44BA-863B-6C3500BB5BDF}\InProcServer32\ThreadingModel = "Both"	SWUpdaterComRegisterShell64.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Interface\{C5E89508-3927-4EF5-A3B3-C479F0D4E36F}\ProxyStubClsid32	SWUpdaterComRegisterShell64.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Interface\{97518FC7-7CA2-4921-BC40-F4A07E221C1C}	SWUpdaterComRegisterShell64.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\WavesorSWUpdater.Update3COMClassUser.1.0\CLSID	SWUpdater.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\WOW6432Node\Interface\{DA4EFC2D-B243-4BA8-8A14-8937D867B699}\ = "IAppBundle"	SWUpdater.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Interface\{894ADE70-1E5F-4520-A281-CE3BF0309CE6}\ = "IAppCommandWeb"	SWUpdaterComRegisterShell64.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Interface\{50363C3E-2FB2-4EC0-A827-CD3314F526C5}\NumMethods	SWUpdaterComRegisterShell64.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Interface\{894ADE70-1E5F-4520-A281-CE3BF0309CE6}\ProxyStubClsid32	SWUpdaterComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Interface\{C0151E6C-8D24-485D-BEC8-B6C6C82E26E8}\ProxyStubClsid32\ = "{D7EC6DDA-90E9-44BA-863B-6C3500BB5BDF}"	SWUpdaterComRegisterShell64.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Interface\{8129608C-48BD-42A6-9EBC-7B0933A5CFA3}\ProxyStubClsid32	SWUpdaterComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\WOW6432Node\CLSID\{9E0CE9B5-C498-40A8-B7F2-B89AF1C56FFF}\LocalServer32\ = "\"C:\\Users\\Admin\\Wavesor Software\\SWUpdater\\SWUpdater.exe\""	SWUpdater.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Interface\{8129608C-48BD-42A6-9EBC-7B0933A5CFA3}\ProxyStubClsid32	SWUpdaterComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Interface\{62A51DF2-CCB8-4DD9-9069-34B8461617FC}\ = "IPackage"	SWUpdaterComRegisterShell64.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\CLSID	SWUpdaterComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Interface\{3BE77C6E-0029-4F24-B677-32C9E15CD8F1}\ProxyStubClsid32\ = "{D7EC6DDA-90E9-44BA-863B-6C3500BB5BDF}"	SWUpdaterComRegisterShell64.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\WOW6432Node\CLSID\{2B2AD342-8BBC-40AD-AF1B-6887EAB9D3D0}	SWUpdater.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\WOW6432Node\Interface\{7DFF302B-EA41-49F8-97B1-9413CEF98C68}\ = "IGoogleUpdate3"	SWUpdater.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Interface\{0D311A22-BD24-4C7A-8FC1-117F8D62A781}	SWUpdaterComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\WavesorSWUpdater.Update3WebUser.1.0\CLSID\ = "{30FB944E-9455-49DD-81C6-7542E47AA3E7}"	SWUpdater.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\.xht	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\CLSID\{D7EC6DDA-90E9-44BA-863B-6C3500BB5BDF}\InProcServer32	SWUpdaterComRegisterShell64.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Interface\{2C53B9D4-A718-4972-B28E-2E7AF1055602}	SWUpdaterComRegisterShell64.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\WOW6432Node\CLSID\{1BE9D40C-2307-4213-830E-7E3CE9EDF0C2}	SWUpdater.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Interface\{068FAC78-4F23-4F74-99A0-F7C4797D5ECA}\ProxyStubClsid32	SWUpdaterComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\WOW6432Node\CLSID\{D7EC6DDA-90E9-44BA-863B-6C3500BB5BDF}\ = "PSFactoryBuffer"	SWUpdater.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\WOW6432Node\Interface\{E4E4854F-9D7B-4120-A207-CF52C875F08E}	SWUpdater.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Interface\{DA4EFC2D-B243-4BA8-8A14-8937D867B699}	SWUpdaterComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Interface\{068FAC78-4F23-4F74-99A0-F7C4797D5ECA}\NumMethods\ = "41"	SWUpdaterComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Interface\{B2083DCC-1D29-45E6-8386-BEE1488D11AA}\NumMethods\ = "24"	SWUpdaterComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Interface\{DDF98EF0-2728-4A8D-8B0F-32627DC56437}\ = "ICurrentState"	SWUpdaterComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Interface\{E44DDEE0-3097-499E-9DD5-7D5D5DCC401D}\ = "IGoogleUpdate3Web"	SWUpdaterComRegisterShell64.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Interface\{E44DDEE0-3097-499E-9DD5-7D5D5DCC401D}	SWUpdaterComRegisterShell64.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\CLSID	SWUpdaterComRegisterShell64.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Interface\{7DFF302B-EA41-49F8-97B1-9413CEF98C68}	SWUpdaterComRegisterShell64.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Interface\{CFDE680E-8700-4808-BAAF-8B1F50F2CC87}\ProxyStubClsid32	SWUpdaterComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Interface\{C5E89508-3927-4EF5-A3B3-C479F0D4E36F}\ = "IAppCommand"	SWUpdaterComRegisterShell64.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Interface\{DA4EFC2D-B243-4BA8-8A14-8937D867B699}\ProxyStubClsid32	SWUpdaterComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\WOW6432Node\Interface\{3BE77C6E-0029-4F24-B677-32C9E15CD8F1}\ = "IGoogleUpdate3WebSecurity"	SWUpdater.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\WOW6432Node\Interface\{2C53B9D4-A718-4972-B28E-2E7AF1055602}	SWUpdater.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Interface\{C5E89508-3927-4EF5-A3B3-C479F0D4E36F}\ProxyStubClsid32	SWUpdaterComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\WOW6432Node\Interface\{E053F7BD-D525-49F4-9ADE-5D7E6FCEE775}\ProxyStubClsid32\ = "{D7EC6DDA-90E9-44BA-863B-6C3500BB5BDF}"	SWUpdater.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Interface\{E44DDEE0-3097-499E-9DD5-7D5D5DCC401D}\ProxyStubClsid32	SWUpdaterComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Interface\{617E37E1-AC79-4162-BACC-C797A1D31D3E}\ = "IGoogleUpdate"	SWUpdaterComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\CLSID\{2B2AD342-8BBC-40AD-AF1B-6887EAB9D3D0}\InprocHandler32\ = "C:\\Users\\Admin\\Wavesor Software\\SWUpdater\\1.3.133.0\\psuser_64.dll"	SWUpdaterComRegisterShell64.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Interface\{62A51DF2-CCB8-4DD9-9069-34B8461617FC}\NumMethods	SWUpdaterComRegisterShell64.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\WOW6432Node\CLSID\{2B2AD342-8BBC-40AD-AF1B-6887EAB9D3D0}	SWUpdater.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Interface\{E053F7BD-D525-49F4-9ADE-5D7E6FCEE775}	SWUpdaterComRegisterShell64.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Interface\{97518FC7-7CA2-4921-BC40-F4A07E221C1C}\NumMethods	SWUpdaterComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\WOW6432Node\CLSID\{F6994161-37C3-47C9-BE83-C84C33A1CF2A}\InprocServer32\ = "C:\\Users\\Admin\\Wavesor Software\\SWUpdater\\1.3.133.0\\psuser.dll"	SWUpdater.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Interface\{DA4EFC2D-B243-4BA8-8A14-8937D867B699}\NumMethods	SWUpdaterComRegisterShell64.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Interface\{50363C3E-2FB2-4EC0-A827-CD3314F526C5}	SWUpdaterComRegisterShell64.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Interface\{D669BD5D-A9B6-47FD-B558-81508AEF48C4}	SWUpdaterComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\CLSID\{F6994161-37C3-47C9-BE83-C84C33A1CF2A}\InprocServer32\ = "C:\\Users\\Admin\\Wavesor Software\\SWUpdater\\1.3.133.0\\psuser_64.dll"	SWUpdaterComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Interface\{B2083DCC-1D29-45E6-8386-BEE1488D11AA}\NumMethods\ = "24"	SWUpdaterComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Interface\{7DFF302B-EA41-49F8-97B1-9413CEF98C68}\NumMethods\ = "10"	SWUpdaterComRegisterShell64.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Interface\{E4E159E0-7B9C-4D75-AC11-A80628173DE3}	SWUpdaterComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Interface\{730EBDF4-7AD2-4516-BF1A-6C6F28C60CF9}\ = "IProcessLauncher"	SWUpdaterComRegisterShell64.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\.shtml	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Opera GXStable	Solara_50657680.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4	setup50657680.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4\Blob = 0f0000000100000020000000fde5f2d9ce2026e1e10064c0a468c9f355b90acf85baf5ce6f52d4016837fd94090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000041000000303f3020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c07f000000010000002c000000302a060a2b0601040182370a030406082b0601050507030506082b0601050507030606082b0601050507030762000000010000002000000043df5774b03e7fef5fe40d931a7bedf1bb2e6b42738c4e6d3841103d3aa7f3390b000000010000001800000045006e00740072007500730074002e006e006500740000001400000001000000140000006a72267ad01eef7de73b6951d46c8d9f901266ab1d0000000100000010000000521b5f4582c1dcaae381b05e37ca2d347e000000010000000800000000c001b39667d6010300000001000000140000008cf427fd790c3ad166068de81e57efbb932272d42000000001000000420400003082043e30820326a00302010202044a538c28300d06092a864886f70d01010b05003081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d204732301e170d3039303730373137323535345a170d3330313230373137353535345a3081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100ba84b672db9e0c6be299e93001a776ea32b895411ac9da614e5872cffef68279bf7361060aa527d8b35fd3454e1c72d64e32f2728a0ff78319d06a808000451eb0c7e79abf1257271ca3682f0a87bd6a6b0e5e65f31c77d5d4858d7021b4b332e78ba2d5863902b1b8d247cee4c949c43ba7defb547d57bef0e86ec279b23a0b55e250981632135c2f7856c1c294b3f25ae4279a9f24d7c6ecd09b2582e3ccc2c445c58c977a066b2a119fa90a6e483b6fdbd4111942f78f07bff5535f9c3ef4172ce669ac4e324c6277eab7e8e5bb34bc198bae9c51e7b77eb553b13322e56dcf703c1afae29b67b683f48da5af624c4de058ac64341203f8b68d946324a4710203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604146a72267ad01eef7de73b6951d46c8d9f901266ab300d06092a864886f70d01010b05000382010100799f1d96c6b6793f228d87d3870304606a6b9a2e59897311ac43d1f513ff8d392bc0f2bd4f708ca92fea17c40b549ed41b9698333ca8ad62a20076ab59696e061d7ec4b9448d98af12d461db0a194647f3ebf763c1400540a5d2b7f4b59a36bfa98876880455042b9c877f1a373c7e2da51ad8d4895ecabdac3d6cd86dafd5f3760fcd3b8838229d6c939ac43dbf821b653fa60f5daafce5b215cab5adc6bc3dd084e8ea0672b04d393278bf3e119c0ba49d9a21f3f09b0b3078dbc1dc8743febc639acac5c21cc9c78dff3b125808e6b63dec7a2c4efb8396ce0c3c69875473a473c293ff5110ac155401d8fc05b189a17f74839a49d7dc4e7b8a486f8b45f6	setup50657680.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4\Blob = 190000000100000010000000fa46ce7cbb85cfb4310075313a09ee050300000001000000140000008cf427fd790c3ad166068de81e57efbb932272d47e000000010000000800000000c001b39667d6011d0000000100000010000000521b5f4582c1dcaae381b05e37ca2d341400000001000000140000006a72267ad01eef7de73b6951d46c8d9f901266ab0b000000010000001800000045006e00740072007500730074002e006e0065007400000062000000010000002000000043df5774b03e7fef5fe40d931a7bedf1bb2e6b42738c4e6d3841103d3aa7f3397f000000010000002c000000302a060a2b0601040182370a030406082b0601050507030506082b0601050507030606082b06010505070307530000000100000041000000303f3020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f0000000100000020000000fde5f2d9ce2026e1e10064c0a468c9f355b90acf85baf5ce6f52d4016837fd942000000001000000420400003082043e30820326a00302010202044a538c28300d06092a864886f70d01010b05003081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d204732301e170d3039303730373137323535345a170d3330313230373137353535345a3081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100ba84b672db9e0c6be299e93001a776ea32b895411ac9da614e5872cffef68279bf7361060aa527d8b35fd3454e1c72d64e32f2728a0ff78319d06a808000451eb0c7e79abf1257271ca3682f0a87bd6a6b0e5e65f31c77d5d4858d7021b4b332e78ba2d5863902b1b8d247cee4c949c43ba7defb547d57bef0e86ec279b23a0b55e250981632135c2f7856c1c294b3f25ae4279a9f24d7c6ecd09b2582e3ccc2c445c58c977a066b2a119fa90a6e483b6fdbd4111942f78f07bff5535f9c3ef4172ce669ac4e324c6277eab7e8e5bb34bc198bae9c51e7b77eb553b13322e56dcf703c1afae29b67b683f48da5af624c4de058ac64341203f8b68d946324a4710203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604146a72267ad01eef7de73b6951d46c8d9f901266ab300d06092a864886f70d01010b05000382010100799f1d96c6b6793f228d87d3870304606a6b9a2e59897311ac43d1f513ff8d392bc0f2bd4f708ca92fea17c40b549ed41b9698333ca8ad62a20076ab59696e061d7ec4b9448d98af12d461db0a194647f3ebf763c1400540a5d2b7f4b59a36bfa98876880455042b9c877f1a373c7e2da51ad8d4895ecabdac3d6cd86dafd5f3760fcd3b8838229d6c939ac43dbf821b653fa60f5daafce5b215cab5adc6bc3dd084e8ea0672b04d393278bf3e119c0ba49d9a21f3f09b0b3078dbc1dc8743febc639acac5c21cc9c78dff3b125808e6b63dec7a2c4efb8396ce0c3c69875473a473c293ff5110ac155401d8fc05b189a17f74839a49d7dc4e7b8a486f8b45f6	setup50657680.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
7968	fdm.exe
8116	fdm.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1540	setup50657680.exe
1540	setup50657680.exe
1540	setup50657680.exe
1540	setup50657680.exe
1540	setup50657680.exe
1540	setup50657680.exe
1540	setup50657680.exe
2324	Solara_50657680.exe
2324	Solara_50657680.exe
2324	Solara_50657680.exe
2324	Solara_50657680.exe
2324	Solara_50657680.exe
2324	Solara_50657680.exe
1540	setup50657680.exe
1540	setup50657680.exe
1540	setup50657680.exe
1540	setup50657680.exe
1540	setup50657680.exe
1540	setup50657680.exe
1540	setup50657680.exe
2324	Solara_50657680.exe
2324	Solara_50657680.exe
2324	Solara_50657680.exe
2324	Solara_50657680.exe
2324	Solara_50657680.exe
2324	Solara_50657680.exe
2324	Solara_50657680.exe
2324	Solara_50657680.exe
2324	Solara_50657680.exe
2324	Solara_50657680.exe
2324	Solara_50657680.exe
2324	Solara_50657680.exe
2324	Solara_50657680.exe
2324	Solara_50657680.exe
2324	Solara_50657680.exe
2324	Solara_50657680.exe
2324	Solara_50657680.exe
2324	Solara_50657680.exe
2324	Solara_50657680.exe
2324	Solara_50657680.exe
2324	Solara_50657680.exe
2324	Solara_50657680.exe
2324	Solara_50657680.exe
2324	Solara_50657680.exe
2324	Solara_50657680.exe
2324	Solara_50657680.exe
2324	Solara_50657680.exe
2324	Solara_50657680.exe
2324	Solara_50657680.exe
2324	Solara_50657680.exe
2324	Solara_50657680.exe
2324	Solara_50657680.exe
2324	Solara_50657680.exe
2324	Solara_50657680.exe
2324	Solara_50657680.exe
2324	Solara_50657680.exe
2324	Solara_50657680.exe
2324	Solara_50657680.exe
2804	OfferInstaller.exe
2804	OfferInstaller.exe
2804	OfferInstaller.exe
2804	OfferInstaller.exe
2804	OfferInstaller.exe
2804	OfferInstaller.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 64 IoCs

pid	Process
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
3204	wavebrowser.exe
3204	wavebrowser.exe
3204	wavebrowser.exe
3204	wavebrowser.exe
3204	wavebrowser.exe
3204	wavebrowser.exe
3204	wavebrowser.exe
3204	wavebrowser.exe
3204	wavebrowser.exe
3204	wavebrowser.exe
3204	wavebrowser.exe
3204	wavebrowser.exe
3204	wavebrowser.exe
3204	wavebrowser.exe
3204	wavebrowser.exe
3204	wavebrowser.exe
3204	wavebrowser.exe
3204	wavebrowser.exe
3204	wavebrowser.exe
3204	wavebrowser.exe
3204	wavebrowser.exe
3204	wavebrowser.exe
3204	wavebrowser.exe
3204	wavebrowser.exe
1480	chrome.exe
3204	wavebrowser.exe
3204	wavebrowser.exe
3204	wavebrowser.exe
3204	wavebrowser.exe
3204	wavebrowser.exe
3204	wavebrowser.exe
3204	wavebrowser.exe
3204	wavebrowser.exe
1480	chrome.exe
1480	chrome.exe
3204	wavebrowser.exe
3204	wavebrowser.exe
3204	wavebrowser.exe
3204	wavebrowser.exe
3204	wavebrowser.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1540	setup50657680.exe
Token: SeDebugPrivilege	2804	OfferInstaller.exe
Token: SeDebugPrivilege	1736	tasklist.exe
Token: SeDebugPrivilege	2912	tasklist.exe
Token: SeDebugPrivilege	5040	tasklist.exe
Token: SeDebugPrivilege	3280	tasklist.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeCreatePagefilePrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeCreatePagefilePrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeCreatePagefilePrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeCreatePagefilePrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeCreatePagefilePrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeCreatePagefilePrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeCreatePagefilePrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeCreatePagefilePrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeCreatePagefilePrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeCreatePagefilePrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeCreatePagefilePrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeCreatePagefilePrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeCreatePagefilePrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeCreatePagefilePrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeCreatePagefilePrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeCreatePagefilePrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeCreatePagefilePrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeCreatePagefilePrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeCreatePagefilePrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeCreatePagefilePrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeCreatePagefilePrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeCreatePagefilePrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeCreatePagefilePrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeCreatePagefilePrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeCreatePagefilePrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeCreatePagefilePrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeCreatePagefilePrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeCreatePagefilePrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeCreatePagefilePrivilege	1480	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
4976	setup.exe
3204	wavebrowser.exe
3204	wavebrowser.exe
3204	wavebrowser.exe
3204	wavebrowser.exe
3204	wavebrowser.exe
3204	wavebrowser.exe
3204	wavebrowser.exe
3204	wavebrowser.exe
3204	wavebrowser.exe
3204	wavebrowser.exe
3204	wavebrowser.exe
3204	wavebrowser.exe
3204	wavebrowser.exe
3204	wavebrowser.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
3204	wavebrowser.exe
3204	wavebrowser.exe
3204	wavebrowser.exe
3204	wavebrowser.exe
3204	wavebrowser.exe
3204	wavebrowser.exe
3204	wavebrowser.exe
3204	wavebrowser.exe
3204	wavebrowser.exe
3204	wavebrowser.exe
3204	wavebrowser.exe
3204	wavebrowser.exe
3204	wavebrowser.exe
3204	wavebrowser.exe
3204	wavebrowser.exe
3204	wavebrowser.exe
3204	wavebrowser.exe
3204	wavebrowser.exe
3204	wavebrowser.exe
3204	wavebrowser.exe
3204	wavebrowser.exe
3204	wavebrowser.exe
3204	wavebrowser.exe
3204	wavebrowser.exe
3204	wavebrowser.exe
3204	wavebrowser.exe
3204	wavebrowser.exe
3204	wavebrowser.exe
3204	wavebrowser.exe
3204	wavebrowser.exe
3204	wavebrowser.exe
3204	wavebrowser.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2324	Solara_50657680.exe
2324	Solara_50657680.exe
1540	setup50657680.exe
4756	Steam.exe
1836	Steam.exe
8116	fdm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2324 wrote to memory of 1540	2324	Solara_50657680.exe	81
PID 2324 wrote to memory of 1540	2324	Solara_50657680.exe	81
PID 2324 wrote to memory of 1540	2324	Solara_50657680.exe	81
PID 2324 wrote to memory of 4760	2324	Solara_50657680.exe	85
PID 2324 wrote to memory of 4760	2324	Solara_50657680.exe	85
PID 2324 wrote to memory of 4760	2324	Solara_50657680.exe	85
PID 1540 wrote to memory of 2804	1540	setup50657680.exe	90
PID 1540 wrote to memory of 2804	1540	setup50657680.exe	90
PID 1540 wrote to memory of 2804	1540	setup50657680.exe	90
PID 1540 wrote to memory of 1552	1540	setup50657680.exe	91
PID 1540 wrote to memory of 1552	1540	setup50657680.exe	91
PID 1540 wrote to memory of 1552	1540	setup50657680.exe	91
PID 1552 wrote to memory of 1736	1552	cmd.exe	93
PID 1552 wrote to memory of 1736	1552	cmd.exe	93
PID 1552 wrote to memory of 1736	1552	cmd.exe	93
PID 1552 wrote to memory of 3020	1552	cmd.exe	94
PID 1552 wrote to memory of 3020	1552	cmd.exe	94
PID 1552 wrote to memory of 3020	1552	cmd.exe	94
PID 1552 wrote to memory of 4212	1552	cmd.exe	95
PID 1552 wrote to memory of 4212	1552	cmd.exe	95
PID 1552 wrote to memory of 4212	1552	cmd.exe	95
PID 2804 wrote to memory of 4640	2804	OfferInstaller.exe	96
PID 2804 wrote to memory of 4640	2804	OfferInstaller.exe	96
PID 2804 wrote to memory of 4640	2804	OfferInstaller.exe	96
PID 4640 wrote to memory of 2912	4640	cmd.exe	98
PID 4640 wrote to memory of 2912	4640	cmd.exe	98
PID 4640 wrote to memory of 2912	4640	cmd.exe	98
PID 4640 wrote to memory of 2640	4640	cmd.exe	99
PID 4640 wrote to memory of 2640	4640	cmd.exe	99
PID 4640 wrote to memory of 2640	4640	cmd.exe	99
PID 4640 wrote to memory of 3052	4640	cmd.exe	100
PID 4640 wrote to memory of 3052	4640	cmd.exe	100
PID 4640 wrote to memory of 3052	4640	cmd.exe	100
PID 4640 wrote to memory of 5040	4640	cmd.exe	101
PID 4640 wrote to memory of 5040	4640	cmd.exe	101
PID 4640 wrote to memory of 5040	4640	cmd.exe	101
PID 4640 wrote to memory of 1068	4640	cmd.exe	102
PID 4640 wrote to memory of 1068	4640	cmd.exe	102
PID 4640 wrote to memory of 1068	4640	cmd.exe	102
PID 4640 wrote to memory of 3908	4640	cmd.exe	103
PID 4640 wrote to memory of 3908	4640	cmd.exe	103
PID 4640 wrote to memory of 3908	4640	cmd.exe	103
PID 4640 wrote to memory of 3280	4640	cmd.exe	104
PID 4640 wrote to memory of 3280	4640	cmd.exe	104
PID 4640 wrote to memory of 3280	4640	cmd.exe	104
PID 4640 wrote to memory of 1300	4640	cmd.exe	105
PID 4640 wrote to memory of 1300	4640	cmd.exe	105
PID 4640 wrote to memory of 1300	4640	cmd.exe	105
PID 4640 wrote to memory of 964	4640	cmd.exe	106
PID 4640 wrote to memory of 964	4640	cmd.exe	106
PID 4640 wrote to memory of 964	4640	cmd.exe	106
PID 2324 wrote to memory of 4756	2324	Solara_50657680.exe	107
PID 2324 wrote to memory of 4756	2324	Solara_50657680.exe	107
PID 2324 wrote to memory of 4756	2324	Solara_50657680.exe	107
PID 2324 wrote to memory of 1836	2324	Solara_50657680.exe	110
PID 2324 wrote to memory of 1836	2324	Solara_50657680.exe	110
PID 2324 wrote to memory of 1836	2324	Solara_50657680.exe	110
PID 1480 wrote to memory of 3444	1480	chrome.exe	116
PID 1480 wrote to memory of 3444	1480	chrome.exe	116
PID 1480 wrote to memory of 2616	1480	chrome.exe	117
PID 1480 wrote to memory of 2616	1480	chrome.exe	117
PID 1480 wrote to memory of 2616	1480	chrome.exe	117
PID 1480 wrote to memory of 2616	1480	chrome.exe	117
PID 1480 wrote to memory of 2616	1480	chrome.exe	117

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Solara_50657680.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_50657680.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2324
- C:\Users\Admin\AppData\Local\setup50657680.exe
  C:\Users\Admin\AppData\Local\setup50657680.exe hhwnd=1114480 hreturntoinstaller hextras=id:d8d090d10951db6-AU-error
  2⤵
  - Checks for any installed AV software in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1540
- - C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\OfferInstaller.exe
    "C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\OfferInstaller.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2804
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\H2OCleanup.bat""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4640
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /FI "PID eq 2804" /fo csv
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2912
    - - C:\Windows\SysWOW64\find.exe
        
        find /I "2804"
        5⤵
        
        PID:2640
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 1
        5⤵
        Delays execution with timeout.exe
        
        PID:3052
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /FI "PID eq 2804" /fo csv
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:5040
    - - C:\Windows\SysWOW64\find.exe
        
        find /I "2804"
        5⤵
        
        PID:1068
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 1
        5⤵
        Delays execution with timeout.exe
        
        PID:3908
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /FI "PID eq 2804" /fo csv
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3280
    - - C:\Windows\SysWOW64\find.exe
        
        find /I "2804"
        5⤵
        
        PID:1300
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 5
        5⤵
        Delays execution with timeout.exe
        
        PID:964
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\H2OCleanup.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1552
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FI "PID eq 1540" /fo csv
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1736
  - - C:\Windows\SysWOW64\find.exe
      find /I "1540"
      4⤵
      PID:3020
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 5
      4⤵
      Delays execution with timeout.exe
      PID:4212
- C:\Users\Admin\AppData\Local\setup50657680.exe
  C:\Users\Admin\AppData\Local\setup50657680.exe hready
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4760
- C:\Users\Admin\AppData\Local\Temp\Steam.exe
  "C:\Users\Admin\AppData\Local\Temp\Steam.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4756
- C:\Users\Admin\AppData\Local\Temp\Steam.exe
  "C:\Users\Admin\AppData\Local\Temp\Steam.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1836

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffb5637ab58,0x7ffb5637ab68,0x7ffb5637ab78
  2⤵
  PID:3444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1728 --field-trial-handle=1892,i,10796105604546472440,7852153407129210856,131072 /prefetch:2
  2⤵
  PID:2616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 --field-trial-handle=1892,i,10796105604546472440,7852153407129210856,131072 /prefetch:8
  2⤵
  PID:1228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2272 --field-trial-handle=1892,i,10796105604546472440,7852153407129210856,131072 /prefetch:8
  2⤵
  PID:3348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2976 --field-trial-handle=1892,i,10796105604546472440,7852153407129210856,131072 /prefetch:1
  2⤵
  PID:3280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2984 --field-trial-handle=1892,i,10796105604546472440,7852153407129210856,131072 /prefetch:1
  2⤵
  PID:2192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4376 --field-trial-handle=1892,i,10796105604546472440,7852153407129210856,131072 /prefetch:1
  2⤵
  PID:1380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4484 --field-trial-handle=1892,i,10796105604546472440,7852153407129210856,131072 /prefetch:8
  2⤵
  PID:4756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4672 --field-trial-handle=1892,i,10796105604546472440,7852153407129210856,131072 /prefetch:8
  2⤵
  PID:3420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4512 --field-trial-handle=1892,i,10796105604546472440,7852153407129210856,131072 /prefetch:8
  2⤵
  PID:3088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4896 --field-trial-handle=1892,i,10796105604546472440,7852153407129210856,131072 /prefetch:8
  2⤵
  PID:3980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5028 --field-trial-handle=1892,i,10796105604546472440,7852153407129210856,131072 /prefetch:8
  2⤵
  PID:3456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4316 --field-trial-handle=1892,i,10796105604546472440,7852153407129210856,131072 /prefetch:1
  2⤵
  PID:968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4384 --field-trial-handle=1892,i,10796105604546472440,7852153407129210856,131072 /prefetch:1
  2⤵
  PID:1436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=5096 --field-trial-handle=1892,i,10796105604546472440,7852153407129210856,131072 /prefetch:1
  2⤵
  PID:1340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=3364 --field-trial-handle=1892,i,10796105604546472440,7852153407129210856,131072 /prefetch:1
  2⤵
  PID:4464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=2624 --field-trial-handle=1892,i,10796105604546472440,7852153407129210856,131072 /prefetch:1
  2⤵
  PID:2312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=4008 --field-trial-handle=1892,i,10796105604546472440,7852153407129210856,131072 /prefetch:1
  2⤵
  PID:4720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=3336 --field-trial-handle=1892,i,10796105604546472440,7852153407129210856,131072 /prefetch:1
  2⤵
  PID:3240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4000 --field-trial-handle=1892,i,10796105604546472440,7852153407129210856,131072 /prefetch:8
  2⤵
  PID:4880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5332 --field-trial-handle=1892,i,10796105604546472440,7852153407129210856,131072 /prefetch:8
  2⤵
  PID:1660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5012 --field-trial-handle=1892,i,10796105604546472440,7852153407129210856,131072 /prefetch:2
  2⤵
  PID:4136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=4724 --field-trial-handle=1892,i,10796105604546472440,7852153407129210856,131072 /prefetch:1
  2⤵
  PID:4780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=3176 --field-trial-handle=1892,i,10796105604546472440,7852153407129210856,131072 /prefetch:1
  2⤵
  PID:5100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=1652 --field-trial-handle=1892,i,10796105604546472440,7852153407129210856,131072 /prefetch:1
  2⤵
  PID:4816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --mojo-platform-channel-handle=4548 --field-trial-handle=1892,i,10796105604546472440,7852153407129210856,131072 /prefetch:1
  2⤵
  PID:2364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --mojo-platform-channel-handle=6056 --field-trial-handle=1892,i,10796105604546472440,7852153407129210856,131072 /prefetch:1
  2⤵
  PID:400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --mojo-platform-channel-handle=6136 --field-trial-handle=1892,i,10796105604546472440,7852153407129210856,131072 /prefetch:1
  2⤵
  PID:648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4396 --field-trial-handle=1892,i,10796105604546472440,7852153407129210856,131072 /prefetch:8
  2⤵
  PID:4992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --mojo-platform-channel-handle=4016 --field-trial-handle=1892,i,10796105604546472440,7852153407129210856,131072 /prefetch:1
  2⤵
  PID:5044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --mojo-platform-channel-handle=3320 --field-trial-handle=1892,i,10796105604546472440,7852153407129210856,131072 /prefetch:1
  2⤵
  PID:4980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --mojo-platform-channel-handle=872 --field-trial-handle=1892,i,10796105604546472440,7852153407129210856,131072 /prefetch:1
  2⤵
  PID:4252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --mojo-platform-channel-handle=5592 --field-trial-handle=1892,i,10796105604546472440,7852153407129210856,131072 /prefetch:1
  2⤵
  PID:4972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --mojo-platform-channel-handle=3356 --field-trial-handle=1892,i,10796105604546472440,7852153407129210856,131072 /prefetch:1
  2⤵
  PID:4572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --mojo-platform-channel-handle=4808 --field-trial-handle=1892,i,10796105604546472440,7852153407129210856,131072 /prefetch:1
  2⤵
  PID:2252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --mojo-platform-channel-handle=6204 --field-trial-handle=1892,i,10796105604546472440,7852153407129210856,131072 /prefetch:1
  2⤵
  PID:4644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --mojo-platform-channel-handle=4448 --field-trial-handle=1892,i,10796105604546472440,7852153407129210856,131072 /prefetch:1
  2⤵
  PID:1216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6576 --field-trial-handle=1892,i,10796105604546472440,7852153407129210856,131072 /prefetch:8
  2⤵
  PID:2292
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4276 --field-trial-handle=1892,i,10796105604546472440,7852153407129210856,131072 /prefetch:8
  2⤵
  PID:4580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6216 --field-trial-handle=1892,i,10796105604546472440,7852153407129210856,131072 /prefetch:8
  2⤵
  PID:4984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4432 --field-trial-handle=1892,i,10796105604546472440,7852153407129210856,131072 /prefetch:8
  2⤵
  PID:2244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6332 --field-trial-handle=1892,i,10796105604546472440,7852153407129210856,131072 /prefetch:8
  2⤵
  PID:3932
- C:\Users\Admin\Downloads\Wave Browser.exe
  "C:\Users\Admin\Downloads\Wave Browser.exe"
  2⤵
  - Executes dropped EXE
  PID:4612
- - C:\Users\Admin\AppData\Local\Temp\nsiDDCB.tmp\SWUpdaterSetup.exe
    "C:\Users\Admin\AppData\Local\Temp\nsiDDCB.tmp\SWUpdaterSetup.exe" /install "bundlename=WaveBrowser&appguid={EB149AD2-CE4E-4F51-B7FC-A149FAA4CCAF}&appname=WaveBrowser&needsadmin=False&lang=en&usagestats=1&installdataindex=1"
    3⤵
    - Drops file in Program Files directory
    - Executes dropped EXE
    PID:664
  - - C:\Program Files (x86)\Wavesor\Temp\GUMECED.tmp\SWUpdater.exe
      "C:\Program Files (x86)\Wavesor\Temp\GUMECED.tmp\SWUpdater.exe" /install "bundlename=WaveBrowser&appguid={EB149AD2-CE4E-4F51-B7FC-A149FAA4CCAF}&appname=WaveBrowser&needsadmin=False&lang=en&usagestats=1&installdataindex=1"
      4⤵
      Adds Run key to start application
      Checks whether UAC is enabled
      Checks computer location settings
      Executes dropped EXE
      PID:4904
    - - C:\Users\Admin\Wavesor Software\SWUpdater\SWUpdater.exe
        
        "C:\Users\Admin\Wavesor Software\SWUpdater\SWUpdater.exe" /regserver
        5⤵
        Checks whether UAC is enabled
        Executes dropped EXE
        Registers COM server for autorun
        Modifies registry class
        
        PID:4108
      - C:\Users\Admin\Wavesor Software\SWUpdater\1.3.133.0\SWUpdaterComRegisterShell64.exe
        
        "C:\Users\Admin\Wavesor Software\SWUpdater\1.3.133.0\SWUpdaterComRegisterShell64.exe" /user
        6⤵
        Executes dropped EXE
        Registers COM server for autorun
        Modifies registry class
        
        PID:968
      - C:\Users\Admin\Wavesor Software\SWUpdater\1.3.133.0\SWUpdaterComRegisterShell64.exe
        
        "C:\Users\Admin\Wavesor Software\SWUpdater\1.3.133.0\SWUpdaterComRegisterShell64.exe" /user
        6⤵
        Executes dropped EXE
        Registers COM server for autorun
        Modifies registry class
        
        PID:3376
      - C:\Users\Admin\Wavesor Software\SWUpdater\1.3.133.0\SWUpdaterComRegisterShell64.exe
        
        "C:\Users\Admin\Wavesor Software\SWUpdater\1.3.133.0\SWUpdaterComRegisterShell64.exe" /user
        6⤵
        Executes dropped EXE
        Registers COM server for autorun
        Modifies registry class
        
        PID:4200
    - - C:\Users\Admin\Wavesor Software\SWUpdater\SWUpdater.exe
        
        "C:\Users\Admin\Wavesor Software\SWUpdater\SWUpdater.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJTV1VwZGF0ZXIiIHVwZGF0ZXJ2ZXJzaW9uPSIxLjMuMTMzLjAiIHNoZWxsX3ZlcnNpb249IjEuMy4xMzMuMCIgaXNtYWNoaW5lPSIwIiBzZXNzaW9uaWQ9Ins3NzRDMDUyRS1GRDVFLTQwQ0ItQkVEMi1FNUU3QTBBOEU0Qzl9IiB1c2VyaWQ9Ins4YTg2OGVkYS02NDkzLTQ5NGQtODJkMi00NjA0ZThhMjhkNGV9IiBpbnN0YWxsc291cmNlPSJvdGhlcmluc3RhbGxjbWQiIHJlcXVlc3RpZD0ie0NBMEQyQzhELTMyRDItNDZEMS05MTY2LUZCMzlCMkRDNTYzQn0iIGRlZHVwPSJjciIgZG9tYWluam9pbmVkPSIwIj48aHcgcGh5c21lbW9yeT0iOCIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiLz48YXBwIGFwcGlkPSJ7RjZGNjBBQ0UtNzFBRC00NjEwLTgwRDQtOTI1MzcyOUZCNEI3fSIgdmVyc2lvbj0iIiBuZXh0dmVyc2lvbj0iMS4zLjEzMy4wIiBsYW5nPSJlbiIgYnJhbmQ9IiIgY2xpZW50PSIiPjxldmVudCBldmVudHR5cGU9IjIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIGluc3RhbGxfdGltZV9tcz0iNDgwIi8-PC9hcHA-PC9yZXF1ZXN0Pg
        5⤵
        Checks whether UAC is enabled
        Executes dropped EXE
        
        PID:4036
    - - C:\Users\Admin\Wavesor Software\SWUpdater\SWUpdater.exe
        
        "C:\Users\Admin\Wavesor Software\SWUpdater\SWUpdater.exe" /handoff "bundlename=WaveBrowser&appguid={EB149AD2-CE4E-4F51-B7FC-A149FAA4CCAF}&appname=WaveBrowser&needsadmin=False&lang=en&usagestats=1&installdataindex=1" /installsource otherinstallcmd /sessionid "{774C052E-FD5E-40CB-BED2-E5E7A0A8E4C9}"
        5⤵
        Checks whether UAC is enabled
        Executes dropped EXE
        
        PID:2608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2976 --field-trial-handle=1892,i,10796105604546472440,7852153407129210856,131072 /prefetch:8
  2⤵
  PID:2640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --mojo-platform-channel-handle=4548 --field-trial-handle=1892,i,10796105604546472440,7852153407129210856,131072 /prefetch:1
  2⤵
  PID:7876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --mojo-platform-channel-handle=5800 --field-trial-handle=1892,i,10796105604546472440,7852153407129210856,131072 /prefetch:1
  2⤵
  PID:7088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6204 --field-trial-handle=1892,i,10796105604546472440,7852153407129210856,131072 /prefetch:8
  2⤵
  PID:6420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6392 --field-trial-handle=1892,i,10796105604546472440,7852153407129210856,131072 /prefetch:8
  2⤵
  PID:1128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --mojo-platform-channel-handle=6392 --field-trial-handle=1892,i,10796105604546472440,7852153407129210856,131072 /prefetch:1
  2⤵
  PID:8392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6552 --field-trial-handle=1892,i,10796105604546472440,7852153407129210856,131072 /prefetch:8
  2⤵
  PID:9104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3328 --field-trial-handle=1892,i,10796105604546472440,7852153407129210856,131072 /prefetch:8
  2⤵
  PID:8776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5948 --field-trial-handle=1892,i,10796105604546472440,7852153407129210856,131072 /prefetch:8
  2⤵
  PID:8788
- C:\Users\Admin\Downloads\fdm_x64_setup.exe
  "C:\Users\Admin\Downloads\fdm_x64_setup.exe"
  2⤵
  PID:5788
- - C:\Users\Admin\AppData\Local\Temp\is-ROKMU.tmp\fdm_x64_setup.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-ROKMU.tmp\fdm_x64_setup.tmp" /SL5="$8024A,39071125,832512,C:\Users\Admin\Downloads\fdm_x64_setup.exe"
    3⤵
    - Drops file in Program Files directory
    - Modifies Internet Explorer settings
    PID:6692
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks.exe" /end /tn FreeDownloadManagerHelperService
      4⤵
      PID:7220
  - - C:\Windows\system32\schtasks.exe
      "schtasks.exe" /create /RU SYSTEM /tn FreeDownloadManagerHelperService /f /xml "C:\Program Files\Softdeluxe\Free Download Manager\service.xml"
      4⤵
      Creates scheduled task(s)
      PID:2412
  - - C:\Windows\system32\schtasks.exe
      "schtasks.exe" /change /tn FreeDownloadManagerHelperService /tr "\"C:\Program Files\Softdeluxe\Free Download Manager\helperservice.exe"\"
      4⤵
      PID:4560
  - - C:\Windows\system32\schtasks.exe
      "schtasks.exe" /run /tn FreeDownloadManagerHelperService
      4⤵
      PID:4388
  - - C:\Program Files\Softdeluxe\Free Download Manager\fdm.exe
      "C:\Program Files\Softdeluxe\Free Download Manager\fdm.exe" --install
      4⤵
      Adds Run key to start application
      Suspicious behavior: AddClipboardFormatListener
      PID:7968
    - - C:\Program Files\Softdeluxe\Free Download Manager\importwizard.exe
        
        "C:\Program Files\Softdeluxe\Free Download Manager\importwizard" 3FE02402165644D986B63DE6638495E4
        5⤵
        
        PID:7864
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --single-argument https://www.freedownloadmanager.org/afterinstall.html?os=windows&osversion=10.0&osarchitecture=x86_64&architecture=x86_64&version=6.22.0.5714&uuid=05889b4c-65de-4250-92d2-50951176c9ea&locale=en_US&ac=1&au=1
        5⤵
        
        PID:3956
      - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\WaveBrowser\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\WaveBrowser\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\WaveBrowser\User Data" --annotation=channel= --annotation=plat=Win64 --annotation=prod=WaveBrowser --annotation=ver=1.3.16.5 --initial-client-data=0xa4,0x158,0x15c,0xa8,0xb4,0x7ffb53c648b0,0x7ffb53c648c0,0x7ffb53c648d0
        6⤵
        
        PID:8564
  - - C:\Program Files\Softdeluxe\Free Download Manager\fdm5rhwin.exe
      "C:\Program Files\Softdeluxe\Free Download Manager\fdm5rhwin.exe" 21907CB0205CFF989F82C03684A01B86 phase1
      4⤵
      PID:7976
  - - C:\Program Files\Softdeluxe\Free Download Manager\fdm5rhwin.exe
      "C:\Program Files\Softdeluxe\Free Download Manager\fdm5rhwin.exe" 21907CB0205CFF989F82C03684A01B86 phase2
      4⤵
      PID:5744
  - - C:\Windows\system32\netsh.exe
      "netsh.exe" firewall add allowedprogram program="C:\Program Files\Softdeluxe\Free Download Manager\fdm.exe" name="Free Download Manager" ENABLE scope=ALL profile=ALL
      4⤵
      Modifies Windows Firewall
      PID:7056
  - - C:\Windows\system32\netsh.exe
      "netsh.exe" firewall add allowedprogram program="C:\Program Files\Softdeluxe\Free Download Manager\fdm.exe" name="Free Download Manager" ENABLE scope=ALL profile=CURRENT
      4⤵
      Modifies Windows Firewall
      PID:7644
  - - C:\Program Files\Softdeluxe\Free Download Manager\fdm.exe
      "C:\Program Files\Softdeluxe\Free Download Manager\fdm.exe" --byinstaller
      4⤵
      Enumerates connected drives
      Checks computer location settings
      Suspicious behavior: AddClipboardFormatListener
      Suspicious use of SetWindowsHookEx
      PID:8116
    - - C:\Program Files\Softdeluxe\Free Download Manager\importwizard.exe
        
        "C:\Program Files\Softdeluxe\Free Download Manager\importwizard" 3FE02402165644D986B63DE6638495E4 --printFdm5Setting=ExpectingUpdateToVersion
        5⤵
        
        PID:7852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --mojo-platform-channel-handle=6436 --field-trial-handle=1892,i,10796105604546472440,7852153407129210856,131072 /prefetch:1
  2⤵
  PID:5972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --mojo-platform-channel-handle=1076 --field-trial-handle=1892,i,10796105604546472440,7852153407129210856,131072 /prefetch:1
  2⤵
  PID:6116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --mojo-platform-channel-handle=5628 --field-trial-handle=1892,i,10796105604546472440,7852153407129210856,131072 /prefetch:1
  2⤵
  PID:5524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --mojo-platform-channel-handle=6372 --field-trial-handle=1892,i,10796105604546472440,7852153407129210856,131072 /prefetch:1
  2⤵
  PID:3668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --mojo-platform-channel-handle=6428 --field-trial-handle=1892,i,10796105604546472440,7852153407129210856,131072 /prefetch:1
  2⤵
  PID:7724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --mojo-platform-channel-handle=6516 --field-trial-handle=1892,i,10796105604546472440,7852153407129210856,131072 /prefetch:1
  2⤵
  PID:8228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6324 --field-trial-handle=1892,i,10796105604546472440,7852153407129210856,131072 /prefetch:8
  2⤵
  PID:6804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6208 --field-trial-handle=1892,i,10796105604546472440,7852153407129210856,131072 /prefetch:8
  2⤵
  PID:8536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=60 --mojo-platform-channel-handle=3260 --field-trial-handle=1892,i,10796105604546472440,7852153407129210856,131072 /prefetch:1
  2⤵
  PID:7572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=61 --mojo-platform-channel-handle=1600 --field-trial-handle=1892,i,10796105604546472440,7852153407129210856,131072 /prefetch:1
  2⤵
  PID:6716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --mojo-platform-channel-handle=1656 --field-trial-handle=1892,i,10796105604546472440,7852153407129210856,131072 /prefetch:1
  2⤵
  PID:7112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=63 --mojo-platform-channel-handle=5888 --field-trial-handle=1892,i,10796105604546472440,7852153407129210856,131072 /prefetch:1
  2⤵
  PID:4420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=64 --mojo-platform-channel-handle=1660 --field-trial-handle=1892,i,10796105604546472440,7852153407129210856,131072 /prefetch:1
  2⤵
  PID:9212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5540 --field-trial-handle=1892,i,10796105604546472440,7852153407129210856,131072 /prefetch:8
  2⤵
  PID:324

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4788

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2460

C:\Users\Admin\Desktop\Solara\luajit.exe
"C:\Users\Admin\Desktop\Solara\luajit.exe"
1⤵
PID:2024

C:\Users\Admin\Wavesor Software\SWUpdater\SWUpdater.exe
"C:\Users\Admin\Wavesor Software\SWUpdater\SWUpdater.exe" -Embedding
1⤵
- Checks whether UAC is enabled
- Checks computer location settings
- Executes dropped EXE
PID:1540
- C:\Users\Admin\Wavesor Software\SWUpdater\Install\{4E326880-61B4-4F18-BD18-50B4A56850BC}\WaveInstaller-v1.3.16.5.exe
  "C:\Users\Admin\Wavesor Software\SWUpdater\Install\{4E326880-61B4-4F18-BD18-50B4A56850BC}\WaveInstaller-v1.3.16.5.exe" /installerdata="C:\Users\Admin\AppData\Local\Temp\gui3A51.tmp"
  2⤵
  - Executes dropped EXE
  PID:4488
- - C:\Users\Admin\AppData\Local\Temp\nsq3D7F.tmp\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\nsq3D7F.tmp\setup.exe" --install-archive="C:\Users\Admin\AppData\Local\Temp\nsq3D7F.tmp\wavebrowser.packed.7z" --wid=e89uhi4q --make-chrome-default --installerdata="C:\Users\Admin\AppData\Local\Temp\gui3A51.tmp"
    3⤵
    - Executes dropped EXE
    - Registers COM server for autorun
    - Modifies registry class
    PID:1820
  - - C:\Users\Admin\AppData\Local\Temp\nsq3D7F.tmp\setup.exe
      C:\Users\Admin\AppData\Local\Temp\nsq3D7F.tmp\setup.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\WaveBrowser\User Data\Crashpad" --annotation=channel= --annotation=plat=Win64 --annotation=prod=WaveBrowser --annotation=ver=1.3.16.5 --initial-client-data=0x298,0x29c,0x2a0,0x274,0x260,0x7ff6b371ea10,0x7ff6b371ea20,0x7ff6b371ea30
      4⤵
      Executes dropped EXE
      PID:2420
  - - C:\Users\Admin\AppData\Local\Temp\nsq3D7F.tmp\setup.exe
      "C:\Users\Admin\AppData\Local\Temp\nsq3D7F.tmp\setup.exe" --verbose-logging --installerdata="C:\Users\Admin\AppData\Local\Temp\gui3A51.tmp" --create-shortcuts=0 --install-level=0
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of FindShellTrayWindow
      PID:4976
    - - C:\Users\Admin\AppData\Local\Temp\nsq3D7F.tmp\setup.exe
        
        C:\Users\Admin\AppData\Local\Temp\nsq3D7F.tmp\setup.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\WaveBrowser\User Data\Crashpad" --annotation=channel= --annotation=plat=Win64 --annotation=prod=WaveBrowser --annotation=ver=1.3.16.5 --initial-client-data=0x290,0x294,0x298,0x260,0x29c,0x7ff6b371ea10,0x7ff6b371ea20,0x7ff6b371ea30
        5⤵
        Executes dropped EXE
        
        PID:1140
  - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
      "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --prevdefbrowser=6 --install-type=1 --from-installer
      4⤵
      Checks computer location settings
      Checks system information in the registry
      Drops file in Program Files directory
      Executes dropped EXE
      Enumerates system info in registry
      Modifies data under HKEY_USERS
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:3204
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\WaveBrowser\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\WaveBrowser\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\WaveBrowser\User Data" --annotation=channel= --annotation=plat=Win64 --annotation=prod=WaveBrowser --annotation=ver=1.3.16.5 --initial-client-data=0x140,0x144,0x148,0x11c,0x14c,0x7ffb53c648b0,0x7ffb53c648c0,0x7ffb53c648d0
        5⤵
        Executes dropped EXE
        
        PID:532
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=gpu-process --start-stack-profiler --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2008 --field-trial-handle=2012,i,1881132324298793331,16068702163425944070,262144 /prefetch:2
        5⤵
        Executes dropped EXE
        
        PID:2804
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --start-stack-profiler --mojo-platform-channel-handle=2068 --field-trial-handle=2012,i,1881132324298793331,16068702163425944070,262144 /prefetch:8
        5⤵
        Executes dropped EXE
        
        PID:2312
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2388 --field-trial-handle=2012,i,1881132324298793331,16068702163425944070,262144 /prefetch:8
        5⤵
        Executes dropped EXE
        
        PID:1332
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --start-stack-profiler --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3488 --field-trial-handle=2012,i,1881132324298793331,16068702163425944070,262144 /prefetch:1
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1176
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --extension-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3780 --field-trial-handle=2012,i,1881132324298793331,16068702163425944070,262144 /prefetch:1
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4352
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=chrome.mojom.ProfileImport --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3936 --field-trial-handle=2012,i,1881132324298793331,16068702163425944070,262144 /prefetch:8
        5⤵
        Executes dropped EXE
        
        PID:2100
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4424 --field-trial-handle=2012,i,1881132324298793331,16068702163425944070,262144 /prefetch:8
        5⤵
        Executes dropped EXE
        
        PID:5864
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4552 --field-trial-handle=2012,i,1881132324298793331,16068702163425944070,262144 /prefetch:1
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3352
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4528 --field-trial-handle=2012,i,1881132324298793331,16068702163425944070,262144 /prefetch:1
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4592
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4752 --field-trial-handle=2012,i,1881132324298793331,16068702163425944070,262144 /prefetch:1
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1236
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --start-stack-profiler --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4892 --field-trial-handle=2012,i,1881132324298793331,16068702163425944070,262144 /prefetch:1
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:976
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5008 --field-trial-handle=2012,i,1881132324298793331,16068702163425944070,262144 /prefetch:1
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3852
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --start-stack-profiler --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=5128 --field-trial-handle=2012,i,1881132324298793331,16068702163425944070,262144 /prefetch:1
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5140
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --start-stack-profiler --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=5416 --field-trial-handle=2012,i,1881132324298793331,16068702163425944070,262144 /prefetch:1
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5324
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --start-stack-profiler --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=5620 --field-trial-handle=2012,i,1881132324298793331,16068702163425944070,262144 /prefetch:1
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5420
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --instant-process --start-stack-profiler --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=5788 --field-trial-handle=2012,i,1881132324298793331,16068702163425944070,262144 /prefetch:1
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5416
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5928 --field-trial-handle=2012,i,1881132324298793331,16068702163425944070,262144 /prefetch:8
        5⤵
        Executes dropped EXE
        
        PID:5628
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6084 --field-trial-handle=2012,i,1881132324298793331,16068702163425944070,262144 /prefetch:8
        5⤵
        Executes dropped EXE
        
        PID:5636
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6164 --field-trial-handle=2012,i,1881132324298793331,16068702163425944070,262144 /prefetch:8
        5⤵
        Executes dropped EXE
        
        PID:5244
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --start-stack-profiler --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=6528 --field-trial-handle=2012,i,1881132324298793331,16068702163425944070,262144 /prefetch:1
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:6124
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6492 --field-trial-handle=2012,i,1881132324298793331,16068702163425944070,262144 /prefetch:8
        5⤵
        Executes dropped EXE
        
        PID:5392
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6780 --field-trial-handle=2012,i,1881132324298793331,16068702163425944070,262144 /prefetch:8
        5⤵
        Executes dropped EXE
        
        PID:4964
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6784 --field-trial-handle=2012,i,1881132324298793331,16068702163425944070,262144 /prefetch:8
        5⤵
        Executes dropped EXE
        
        PID:2380
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6944 --field-trial-handle=2012,i,1881132324298793331,16068702163425944070,262144 /prefetch:8
        5⤵
        Executes dropped EXE
        
        PID:5976
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=7248 --field-trial-handle=2012,i,1881132324298793331,16068702163425944070,262144 /prefetch:8
        5⤵
        Executes dropped EXE
        
        PID:1356
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6952 --field-trial-handle=2012,i,1881132324298793331,16068702163425944070,262144 /prefetch:8
        5⤵
        Executes dropped EXE
        
        PID:6032
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --mojo-platform-channel-handle=5440 --field-trial-handle=2012,i,1881132324298793331,16068702163425944070,262144 /prefetch:1
        5⤵
        Checks computer location settings
        
        PID:5156
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=7268 --field-trial-handle=2012,i,1881132324298793331,16068702163425944070,262144 /prefetch:8
        5⤵
        Executes dropped EXE
        
        PID:4960
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=7800 --field-trial-handle=2012,i,1881132324298793331,16068702163425944070,262144 /prefetch:8
        5⤵
        Executes dropped EXE
        
        PID:5188
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7968 --field-trial-handle=2012,i,1881132324298793331,16068702163425944070,262144 /prefetch:8
        5⤵
        Executes dropped EXE
        
        PID:5988
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=8032 --field-trial-handle=2012,i,1881132324298793331,16068702163425944070,262144 /prefetch:8
        5⤵
        Executes dropped EXE
        
        PID:5224
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=8100 --field-trial-handle=2012,i,1881132324298793331,16068702163425944070,262144 /prefetch:8
        5⤵
        Executes dropped EXE
        
        PID:1996
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=8244 --field-trial-handle=2012,i,1881132324298793331,16068702163425944070,262144 /prefetch:8
        5⤵
        Executes dropped EXE
        
        PID:5248
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=8368 --field-trial-handle=2012,i,1881132324298793331,16068702163425944070,262144 /prefetch:8
        5⤵
        Executes dropped EXE
        
        PID:5580
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=8624 --field-trial-handle=2012,i,1881132324298793331,16068702163425944070,262144 /prefetch:8
        5⤵
        Executes dropped EXE
        
        PID:2236
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=8780 --field-trial-handle=2012,i,1881132324298793331,16068702163425944070,262144 /prefetch:8
        5⤵
        Executes dropped EXE
        
        PID:5692
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=8920 --field-trial-handle=2012,i,1881132324298793331,16068702163425944070,262144 /prefetch:8
        5⤵
        Executes dropped EXE
        
        PID:6008
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=8944 --field-trial-handle=2012,i,1881132324298793331,16068702163425944070,262144 /prefetch:8
        5⤵
        Executes dropped EXE
        
        PID:6092
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=9080 --field-trial-handle=2012,i,1881132324298793331,16068702163425944070,262144 /prefetch:8
        5⤵
        Executes dropped EXE
        
        PID:6244
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=9232 --field-trial-handle=2012,i,1881132324298793331,16068702163425944070,262144 /prefetch:8
        5⤵
        Executes dropped EXE
        
        PID:6256
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=9540 --field-trial-handle=2012,i,1881132324298793331,16068702163425944070,262144 /prefetch:8
        5⤵
        Executes dropped EXE
        
        PID:6312
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=9680 --field-trial-handle=2012,i,1881132324298793331,16068702163425944070,262144 /prefetch:8
        5⤵
        Executes dropped EXE
        
        PID:6324
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=9812 --field-trial-handle=2012,i,1881132324298793331,16068702163425944070,262144 /prefetch:8
        5⤵
        
        PID:6416
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=9932 --field-trial-handle=2012,i,1881132324298793331,16068702163425944070,262144 /prefetch:8
        5⤵
        
        PID:6520
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=10092 --field-trial-handle=2012,i,1881132324298793331,16068702163425944070,262144 /prefetch:8
        5⤵
        
        PID:6652
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=9396 --field-trial-handle=2012,i,1881132324298793331,16068702163425944070,262144 /prefetch:8
        5⤵
        
        PID:7108
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=10324 --field-trial-handle=2012,i,1881132324298793331,16068702163425944070,262144 /prefetch:8
        5⤵
        
        PID:5996
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=10300 --field-trial-handle=2012,i,1881132324298793331,16068702163425944070,262144 /prefetch:8
        5⤵
        
        PID:6188
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=10616 --field-trial-handle=2012,i,1881132324298793331,16068702163425944070,262144 /prefetch:8
        5⤵
        
        PID:6440
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=10304 --field-trial-handle=2012,i,1881132324298793331,16068702163425944070,262144 /prefetch:8
        5⤵
        
        PID:6608
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=9432 --field-trial-handle=2012,i,1881132324298793331,16068702163425944070,262144 /prefetch:8
        5⤵
        
        PID:6828
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=11012 --field-trial-handle=2012,i,1881132324298793331,16068702163425944070,262144 /prefetch:8
        5⤵
        
        PID:7092
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=11148 --field-trial-handle=2012,i,1881132324298793331,16068702163425944070,262144 /prefetch:8
        5⤵
        
        PID:6260
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --mojo-platform-channel-handle=11312 --field-trial-handle=2012,i,1881132324298793331,16068702163425944070,262144 /prefetch:1
        5⤵
        Checks computer location settings
        
        PID:6720
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --mojo-platform-channel-handle=5424 --field-trial-handle=2012,i,1881132324298793331,16068702163425944070,262144 /prefetch:1
        5⤵
        Checks computer location settings
        
        PID:7004
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=11608 --field-trial-handle=2012,i,1881132324298793331,16068702163425944070,262144 /prefetch:8
        5⤵
        
        PID:5204
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=11752 --field-trial-handle=2012,i,1881132324298793331,16068702163425944070,262144 /prefetch:8
        5⤵
        
        PID:6596
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=11916 --field-trial-handle=2012,i,1881132324298793331,16068702163425944070,262144 /prefetch:8
        5⤵
        
        PID:6620
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=12060 --field-trial-handle=2012,i,1881132324298793331,16068702163425944070,262144 /prefetch:8
        5⤵
        
        PID:6776
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=11944 --field-trial-handle=2012,i,1881132324298793331,16068702163425944070,262144 /prefetch:8
        5⤵
        
        PID:7052
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=10104 --field-trial-handle=2012,i,1881132324298793331,16068702163425944070,262144 /prefetch:8
        5⤵
        
        PID:6984
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=63 --mojo-platform-channel-handle=11628 --field-trial-handle=2012,i,1881132324298793331,16068702163425944070,262144 /prefetch:1
        5⤵
        Checks computer location settings
        
        PID:6488
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --extension-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=64 --mojo-platform-channel-handle=8188 --field-trial-handle=2012,i,1881132324298793331,16068702163425944070,262144 /prefetch:1
        5⤵
        Checks computer location settings
        
        PID:6252
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=66 --mojo-platform-channel-handle=8720 --field-trial-handle=2012,i,1881132324298793331,16068702163425944070,262144 /prefetch:1
        5⤵
        Checks computer location settings
        
        PID:7020
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --extension-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=65 --mojo-platform-channel-handle=8228 --field-trial-handle=2012,i,1881132324298793331,16068702163425944070,262144 /prefetch:1
        5⤵
        Checks computer location settings
        
        PID:2688
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5928 --field-trial-handle=2012,i,1881132324298793331,16068702163425944070,262144 /prefetch:8
        5⤵
        
        PID:6268
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=69 --mojo-platform-channel-handle=13692 --field-trial-handle=2012,i,1881132324298793331,16068702163425944070,262144 /prefetch:1
        5⤵
        Checks computer location settings
        
        PID:2572
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --extension-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=68 --mojo-platform-channel-handle=13656 --field-trial-handle=2012,i,1881132324298793331,16068702163425944070,262144 /prefetch:1
        5⤵
        Checks computer location settings
        
        PID:5584
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=71 --mojo-platform-channel-handle=13372 --field-trial-handle=2012,i,1881132324298793331,16068702163425944070,262144 /prefetch:1
        5⤵
        Checks computer location settings
        
        PID:6216
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --extension-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=70 --mojo-platform-channel-handle=13476 --field-trial-handle=2012,i,1881132324298793331,16068702163425944070,262144 /prefetch:1
        5⤵
        Checks computer location settings
        
        PID:6212
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=72 --mojo-platform-channel-handle=13440 --field-trial-handle=2012,i,1881132324298793331,16068702163425944070,262144 /prefetch:1
        5⤵
        Checks computer location settings
        
        PID:6500
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=73 --mojo-platform-channel-handle=13084 --field-trial-handle=2012,i,1881132324298793331,16068702163425944070,262144 /prefetch:1
        5⤵
        Checks computer location settings
        
        PID:7852
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --extension-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=75 --mojo-platform-channel-handle=12872 --field-trial-handle=2012,i,1881132324298793331,16068702163425944070,262144 /prefetch:1
        5⤵
        Checks computer location settings
        
        PID:8496
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --extension-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=76 --mojo-platform-channel-handle=12480 --field-trial-handle=2012,i,1881132324298793331,16068702163425944070,262144 /prefetch:1
        5⤵
        Checks computer location settings
        
        PID:8540
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --extension-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=77 --mojo-platform-channel-handle=12400 --field-trial-handle=2012,i,1881132324298793331,16068702163425944070,262144 /prefetch:1
        5⤵
        Checks computer location settings
        
        PID:8552
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --extension-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=78 --mojo-platform-channel-handle=13936 --field-trial-handle=2012,i,1881132324298793331,16068702163425944070,262144 /prefetch:1
        5⤵
        Checks computer location settings
        
        PID:7232
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=79 --mojo-platform-channel-handle=14196 --field-trial-handle=2012,i,1881132324298793331,16068702163425944070,262144 /prefetch:1
        5⤵
        Checks computer location settings
        
        PID:7992
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=9232 --field-trial-handle=2012,i,1881132324298793331,16068702163425944070,262144 /prefetch:8
        5⤵
        
        PID:8656
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=81 --mojo-platform-channel-handle=14056 --field-trial-handle=2012,i,1881132324298793331,16068702163425944070,262144 /prefetch:1
        5⤵
        Checks computer location settings
        
        PID:6976
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --extension-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=82 --mojo-platform-channel-handle=12340 --field-trial-handle=2012,i,1881132324298793331,16068702163425944070,262144 /prefetch:1
        5⤵
        Checks computer location settings
        
        PID:7420
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6540 --field-trial-handle=2012,i,1881132324298793331,16068702163425944070,262144 /prefetch:8
        5⤵
        
        PID:5632
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --extension-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=84 --mojo-platform-channel-handle=4964 --field-trial-handle=2012,i,1881132324298793331,16068702163425944070,262144 /prefetch:1
        5⤵
        Checks computer location settings
        
        PID:6344
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6248 --field-trial-handle=2012,i,1881132324298793331,16068702163425944070,262144 /prefetch:8
        5⤵
        
        PID:8844
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=86 --mojo-platform-channel-handle=8116 --field-trial-handle=2012,i,1881132324298793331,16068702163425944070,262144 /prefetch:1
        5⤵
        Checks computer location settings
        
        PID:7096
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=87 --mojo-platform-channel-handle=12676 --field-trial-handle=2012,i,1881132324298793331,16068702163425944070,262144 /prefetch:1
        5⤵
        Checks computer location settings
        
        PID:4712
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --start-stack-profiler --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=89 --mojo-platform-channel-handle=4960 --field-trial-handle=2012,i,1881132324298793331,16068702163425944070,262144 /prefetch:1
        5⤵
        Checks computer location settings
        
        PID:3848
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --start-stack-profiler --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=90 --mojo-platform-channel-handle=4936 --field-trial-handle=2012,i,1881132324298793331,16068702163425944070,262144 /prefetch:1
        5⤵
        Checks computer location settings
        
        PID:8292
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=91 --mojo-platform-channel-handle=3580 --field-trial-handle=2012,i,1881132324298793331,16068702163425944070,262144 /prefetch:1
        5⤵
        Checks computer location settings
        
        PID:4852
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --start-stack-profiler --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=92 --mojo-platform-channel-handle=12980 --field-trial-handle=2012,i,1881132324298793331,16068702163425944070,262144 /prefetch:1
        5⤵
        Checks computer location settings
        
        PID:3452
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --start-stack-profiler --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=93 --mojo-platform-channel-handle=5984 --field-trial-handle=2012,i,1881132324298793331,16068702163425944070,262144 /prefetch:1
        5⤵
        Checks computer location settings
        
        PID:8480
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=94 --mojo-platform-channel-handle=13888 --field-trial-handle=2012,i,1881132324298793331,16068702163425944070,262144 /prefetch:1
        5⤵
        Checks computer location settings
        
        PID:8352
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --start-stack-profiler --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=95 --mojo-platform-channel-handle=13452 --field-trial-handle=2012,i,1881132324298793331,16068702163425944070,262144 /prefetch:1
        5⤵
        Checks computer location settings
        
        PID:3644
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=96 --mojo-platform-channel-handle=4800 --field-trial-handle=2012,i,1881132324298793331,16068702163425944070,262144 /prefetch:1
        5⤵
        Checks computer location settings
        
        PID:8312
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --start-stack-profiler --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=97 --mojo-platform-channel-handle=14260 --field-trial-handle=2012,i,1881132324298793331,16068702163425944070,262144 /prefetch:1
        5⤵
        Checks computer location settings
        
        PID:8344
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=98 --mojo-platform-channel-handle=12528 --field-trial-handle=2012,i,1881132324298793331,16068702163425944070,262144 /prefetch:1
        5⤵
        Checks computer location settings
        
        PID:8356
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=99 --mojo-platform-channel-handle=4164 --field-trial-handle=2012,i,1881132324298793331,16068702163425944070,262144 /prefetch:1
        5⤵
        Checks computer location settings
        
        PID:1768
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=100 --mojo-platform-channel-handle=5736 --field-trial-handle=2012,i,1881132324298793331,16068702163425944070,262144 /prefetch:1
        5⤵
        Checks computer location settings
        
        PID:3700
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=101 --mojo-platform-channel-handle=6356 --field-trial-handle=2012,i,1881132324298793331,16068702163425944070,262144 /prefetch:1
        5⤵
        Checks computer location settings
        
        PID:6148
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --extension-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=88 --mojo-platform-channel-handle=5364 --field-trial-handle=2012,i,1881132324298793331,16068702163425944070,262144 /prefetch:1
        5⤵
        Checks computer location settings
        
        PID:8196
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=9192 --field-trial-handle=2012,i,1881132324298793331,16068702163425944070,262144 /prefetch:8
        5⤵
        
        PID:9076
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=13068 --field-trial-handle=2012,i,1881132324298793331,16068702163425944070,262144 /prefetch:8
        5⤵
        
        PID:6760
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3480 --field-trial-handle=2012,i,1881132324298793331,16068702163425944070,262144 /prefetch:8
        5⤵
        
        PID:8668
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=13136 --field-trial-handle=2012,i,1881132324298793331,16068702163425944070,262144 /prefetch:8
        5⤵
        
        PID:7044
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --start-stack-profiler --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAABEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=11764 --field-trial-handle=2012,i,1881132324298793331,16068702163425944070,262144 /prefetch:2
        5⤵
        Drops file in System32 directory
        
        PID:6748
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=12708 --field-trial-handle=2012,i,1881132324298793331,16068702163425944070,262144 /prefetch:8
        5⤵
        
        PID:4836
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5924 --field-trial-handle=2012,i,1881132324298793331,16068702163425944070,262144 /prefetch:8
        5⤵
        
        PID:5280
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --extension-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=109 --mojo-platform-channel-handle=4424 --field-trial-handle=2012,i,1881132324298793331,16068702163425944070,262144 /prefetch:1
        5⤵
        Checks computer location settings
        
        PID:8648
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=9180 --field-trial-handle=2012,i,1881132324298793331,16068702163425944070,262144 /prefetch:8
        5⤵
        
        PID:2464
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3704 --field-trial-handle=2012,i,1881132324298793331,16068702163425944070,262144 /prefetch:8
        5⤵
        
        PID:2408
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --extension-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=112 --mojo-platform-channel-handle=13008 --field-trial-handle=2012,i,1881132324298793331,16068702163425944070,262144 /prefetch:1
        5⤵
        Checks computer location settings
        
        PID:8380
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4688 --field-trial-handle=2012,i,1881132324298793331,16068702163425944070,262144 /prefetch:8
        5⤵
        
        PID:7624
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=8668 --field-trial-handle=2012,i,1881132324298793331,16068702163425944070,262144 /prefetch:8
        5⤵
        
        PID:3452
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --extension-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=115 --mojo-platform-channel-handle=3592 --field-trial-handle=2012,i,1881132324298793331,16068702163425944070,262144 /prefetch:1
        5⤵
        Checks computer location settings
        
        PID:7188
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=11884 --field-trial-handle=2012,i,1881132324298793331,16068702163425944070,262144 /prefetch:8
        5⤵
        
        PID:6372
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=14196 --field-trial-handle=2012,i,1881132324298793331,16068702163425944070,262144 /prefetch:8
        5⤵
        
        PID:8560
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --extension-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=118 --mojo-platform-channel-handle=4460 --field-trial-handle=2012,i,1881132324298793331,16068702163425944070,262144 /prefetch:1
        5⤵
        Checks computer location settings
        
        PID:6284
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1036 --field-trial-handle=2012,i,1881132324298793331,16068702163425944070,262144 /prefetch:8
        5⤵
        
        PID:8144
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --extension-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=120 --mojo-platform-channel-handle=6612 --field-trial-handle=2012,i,1881132324298793331,16068702163425944070,262144 /prefetch:1
        5⤵
        Checks computer location settings
        
        PID:5592
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4728 --field-trial-handle=2012,i,1881132324298793331,16068702163425944070,262144 /prefetch:8
        5⤵
        
        PID:4488
    - - C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe
        
        "C:\Users\Admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=13600 --field-trial-handle=2012,i,1881132324298793331,16068702163425944070,262144 /prefetch:8
        5⤵
        
        PID:1484
- C:\Users\Admin\Wavesor Software\SWUpdater\SWUpdater.exe
  "C:\Users\Admin\Wavesor Software\SWUpdater\SWUpdater.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJTV1VwZGF0ZXIiIHVwZGF0ZXJ2ZXJzaW9uPSIxLjMuMTMzLjAiIHNoZWxsX3ZlcnNpb249IjEuMy4xMzMuMCIgaXNtYWNoaW5lPSIwIiBzZXNzaW9uaWQ9Ins3NzRDMDUyRS1GRDVFLTQwQ0ItQkVEMi1FNUU3QTBBOEU0Qzl9IiB1c2VyaWQ9Ins4YTg2OGVkYS02NDkzLTQ5NGQtODJkMi00NjA0ZThhMjhkNGV9IiBpbnN0YWxsc291cmNlPSJvdGhlcmluc3RhbGxjbWQiIHJlcXVlc3RpZD0ie0NCQkFDNDU3LTM3MDItNDc0Ni05RjM5LTRDRUEzM0EzNUQ1Rn0iIGRlZHVwPSJjciIgZG9tYWluam9pbmVkPSIwIj48aHcgcGh5c21lbW9yeT0iOCIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiLz48YXBwIGFwcGlkPSJ7RUIxNDlBRDItQ0U0RS00RjUxLUI3RkMtQTE0OUZBQTRDQ0FGfSIgdmVyc2lvbj0iIiBuZXh0dmVyc2lvbj0iMS4zLjE2LjUiIGxhbmc9ImVuIiBicmFuZD0iIiBjbGllbnQ9IiIgaW5zdGFsbGFnZT0iLTEiIGluc3RhbGxkYXRlPSItMSI-PGV2ZW50IGV2ZW50dHlwZT0iOSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIvPjxldmVudCBldmVudHR5cGU9IjUiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBkb3dubG9hZGVyPSJiaXRzIiB1cmw9Imh0dHBzOi8vY2RuLnN3dXBkYXRlci5jb20vYnVpbGQvV2F2ZUJyb3dzZXIvc3RhYmxlL3dpbi8xMTEyMzk3NTc4MjQ1LzY0L1dhdmVJbnN0YWxsZXItdjEuMy4xNi41LmV4ZSIgZG93bmxvYWRlZD0iOTYwMzM3MjAiIHRvdGFsPSI5NjAzMzcyMCIgZG93bmxvYWRfdGltZV9tcz0iMTEzNzciLz48ZXZlbnQgZXZlbnR0eXBlPSIxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iNiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIvPjxldmVudCBldmVudHR5cGU9IjIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHNvdXJjZV91cmxfaW5kZXg9IjAiIHVwZGF0ZV9jaGVja190aW1lX21zPSI1ODciIGRvd25sb2FkX3RpbWVfbXM9IjEyMTQwIiBkb3dubG9hZGVkPSI5NjAzMzcyMCIgdG90YWw9Ijk2MDMzNzIwIiBpbnN0YWxsX3RpbWVfbXM9IjEyMzA2Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
  2⤵
  - Checks whether UAC is enabled
  - Executes dropped EXE
  PID:5652

C:\Program Files\Softdeluxe\Free Download Manager\helperservice.exe
"C:\Program Files\Softdeluxe\Free Download Manager\helperservice.exe"
1⤵
PID:8008

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4dc 0x4e8
1⤵
PID:7964

C:\Users\Admin\Wavesor Software\SWUpdater\SWUpdater.exe
"C:\Users\Admin\Wavesor Software\SWUpdater\SWUpdater.exe" /ua /installsource scheduler
1⤵
- Checks whether UAC is enabled
- Checks computer location settings
PID:8536
- C:\Users\Admin\Wavesor Software\SWUpdater\SWUpdater.exe
  "C:\Users\Admin\Wavesor Software\SWUpdater\SWUpdater.exe" /registermsihelper
  2⤵
  - Checks whether UAC is enabled
  PID:9104

C:\Users\Admin\Wavesor Software\SWUpdater\SWUpdater.exe
"C:\Users\Admin\Wavesor Software\SWUpdater\SWUpdater.exe" /c
1⤵
- Checks whether UAC is enabled
PID:9084
- C:\Users\Admin\Wavesor Software\SWUpdater\SWUpdater.exe
  "C:\Users\Admin\Wavesor Software\SWUpdater\SWUpdater.exe" /cr
  2⤵
  - Checks whether UAC is enabled
  PID:6732
- C:\Users\Admin\Wavesor Software\SWUpdater\SWUpdater.exe
  "C:\Users\Admin\Wavesor Software\SWUpdater\SWUpdater.exe" /ua /installsource core
  2⤵
  - Checks whether UAC is enabled
  PID:7184

C:\Users\Admin\Wavesor Software\SWUpdater\SWUpdater.exe
"C:\Users\Admin\Wavesor Software\SWUpdater\SWUpdater.exe" -Embedding
1⤵
- Checks whether UAC is enabled
PID:5280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery