Windows Analysis Report
Wave-Executor.exe

Overview

General Information

Sample name: Wave-Executor.exe
Analysis ID: 1579548
MD5: ff63ff29530a05383c1b9efc181312f6
SHA1: e52073b3cfb567bc6db7b7b04576224161de53fd
SHA256: 16e432c3b5c0fab127ca33d87dd6a28489d3860b95045a5d0d2e42dfb6ce8c14
Tags: exe, user-aachum

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Injects a PE file into a foreign process
LummaC encrypted strings found
Machine Learning detection for sample
Performs DNS queries to domains with low reputation
Sample uses string decryption to hide its real strings
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

AV Detection

Source: 3.2.Wave-Executor.exe.400000.1.raw.unpack Malware Configuration Extractor: LummaC {"C2 url": ["smash-boiling.cyou", "greywe-snotty.cyou", "cuddlyready.xyz", "ripe-blade.cyou", "supporse-comment.cyou", "steppriflej.xyz", "pollution-raker.cyou", "sendypaster.xyz", "hosue-billowy.cyou"], "Build id": "yau6Na--899083440"}
Source: Wave-Executor.exe ReversingLabs: Detection: 39%
Source: Wave-Executor.exe Virustotal: Detection: 27% Perma Link
Source: Submitted Sample Integrated Neural Analysis Model: Matched 86.7% probability
Source: Wave-Executor.exe Joe Sandbox ML: detected
Source: 00000003.00000002.3134286799.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: pollution-raker.cyou
Source: 00000003.00000002.3134286799.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: hosue-billowy.cyou
Source: 00000003.00000002.3134286799.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: ripe-blade.cyou
Source: 00000003.00000002.3134286799.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: smash-boiling.cyou
Source: 00000003.00000002.3134286799.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: supporse-comment.cyou
Source: 00000003.00000002.3134286799.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: greywe-snotty.cyou
Source: 00000003.00000002.3134286799.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: steppriflej.xyz
Source: 00000003.00000002.3134286799.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: sendypaster.xyz
Source: 00000003.00000002.3134286799.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: cuddlyready.xyz
Source: 00000003.00000002.3134286799.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000003.00000002.3134286799.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: TeslaBrowser/5.5
Source: 00000003.00000002.3134286799.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: - Screen Resoluton:
Source: 00000003.00000002.3134286799.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: - Physical Installed Memory:
Source: 00000003.00000002.3134286799.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: Workgroup: -
Source: 00000003.00000002.3134286799.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: yau6Na--899083440
Source: Wave-Executor.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 23.55.153.106:443 -> 192.168.2.6:49922 version: TLS 1.2
Source: Wave-Executor.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_ISOLATION, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\Wave-Executor.exe Code function: 0_2_00299075 FindFirstFileExW, 0_2_00299075
Source: C:\Users\user\Desktop\Wave-Executor.exe Code function: 0_2_00299126 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 0_2_00299126
Source: C:\Users\user\Desktop\Wave-Executor.exe Code function: 3_2_00299075 FindFirstFileExW, 3_2_00299075
Source: C:\Users\user\Desktop\Wave-Executor.exe Code function: 3_2_00299126 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 3_2_00299126
Source: C:\Users\user\Desktop\Wave-Executor.exe Code function: 4x nop then cmp dword ptr [ebp+edi*8+00h], AF697AECh 3_2_0043ACA1
Source: C:\Users\user\Desktop\Wave-Executor.exe Code function: 4x nop then mov ecx, eax 3_2_00414040
Source: C:\Users\user\Desktop\Wave-Executor.exe Code function: 4x nop then mov ebx, eax 3_2_004090A0
Source: C:\Users\user\Desktop\Wave-Executor.exe Code function: 4x nop then movzx edi, byte ptr [esp+eax+000000A8h] 3_2_0042B124
Source: C:\Users\user\Desktop\Wave-Executor.exe Code function: 4x nop then movzx ebx, byte ptr [edx] 3_2_00433130
Source: C:\Users\user\Desktop\Wave-Executor.exe Code function: 4x nop then mov ecx, eax 3_2_00415196
Source: C:\Users\user\Desktop\Wave-Executor.exe Code function: 4x nop then movzx esi, byte ptr [esp+ecx-0000008Fh] 3_2_004391B0
Source: C:\Users\user\Desktop\Wave-Executor.exe Code function: 4x nop then movzx edi, byte ptr [esp+ecx+1Dh] 3_2_0042A216
Source: C:\Users\user\Desktop\Wave-Executor.exe Code function: 4x nop then movzx esi, byte ptr [esp+ecx-28DB6A02h] 3_2_0042A216
Source: C:\Users\user\Desktop\Wave-Executor.exe Code function: 4x nop then mov ecx, eax 3_2_0040E2D1
Source: C:\Users\user\Desktop\Wave-Executor.exe Code function: 4x nop then mov esi, ecx 3_2_004182DD
Source: C:\Users\user\Desktop\Wave-Executor.exe Code function: 4x nop then mov word ptr [edx], cx 3_2_004182DD
Source: C:\Users\user\Desktop\Wave-Executor.exe Code function: 4x nop then mov eax, dword ptr [edi+0Ch] 3_2_004022B0
Source: C:\Users\user\Desktop\Wave-Executor.exe Code function: 4x nop then cmp dword ptr [edi+esi*8], E785F9BAh 3_2_00424320
Source: C:\Users\user\Desktop\Wave-Executor.exe Code function: 4x nop then mov word ptr [eax], cx 3_2_0040A39C
Source: C:\Users\user\Desktop\Wave-Executor.exe Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h] 3_2_004073A0
Source: C:\Users\user\Desktop\Wave-Executor.exe Code function: 4x nop then movzx ecx, word ptr [edi+esi*4] 3_2_004073A0
Source: C:\Users\user\Desktop\Wave-Executor.exe Code function: 4x nop then movzx edi, byte ptr [esp+eax+06h] 3_2_0040C433
Source: C:\Users\user\Desktop\Wave-Executor.exe Code function: 4x nop then movzx edx, byte ptr [esp+ecx-2DE6A924h] 3_2_0043D430
Source: C:\Users\user\Desktop\Wave-Executor.exe Code function: 4x nop then movzx edx, byte ptr [esp+ecx] 3_2_004224E0
Source: C:\Users\user\Desktop\Wave-Executor.exe Code function: 4x nop then test eax, eax 3_2_00436490
Source: C:\Users\user\Desktop\Wave-Executor.exe Code function: 4x nop then push eax 3_2_00436490
Source: C:\Users\user\Desktop\Wave-Executor.exe Code function: 4x nop then mov byte ptr [edx], al 3_2_0042A67D
Source: C:\Users\user\Desktop\Wave-Executor.exe Code function: 4x nop then mov byte ptr [edx], al 3_2_0042A615
Source: C:\Users\user\Desktop\Wave-Executor.exe Code function: 4x nop then movzx edi, byte ptr [ecx] 3_2_00419620
Source: C:\Users\user\Desktop\Wave-Executor.exe Code function: 4x nop then movzx esi, byte ptr [esp+eax+78h] 3_2_00419620
Source: C:\Users\user\Desktop\Wave-Executor.exe Code function: 4x nop then movzx esi, byte ptr [esp+eax+1Ch] 3_2_00425620
Source: C:\Users\user\Desktop\Wave-Executor.exe Code function: 4x nop then movzx esi, byte ptr [esp+eax+1B4BB045h] 3_2_00425620
Source: C:\Users\user\Desktop\Wave-Executor.exe Code function: 4x nop then jmp eax 3_2_004276F0
Source: C:\Users\user\Desktop\Wave-Executor.exe Code function: 4x nop then mov word ptr [edi], ax 3_2_0041C720
Source: C:\Users\user\Desktop\Wave-Executor.exe Code function: 4x nop then movzx esi, byte ptr [esp+ebx+0Ah] 3_2_0041C720
Source: C:\Users\user\Desktop\Wave-Executor.exe Code function: 4x nop then mov esi, edx 3_2_0040C7E8
Source: C:\Users\user\Desktop\Wave-Executor.exe Code function: 4x nop then movzx edx, byte ptr [esp+eax+00000106h] 3_2_00415800
Source: C:\Users\user\Desktop\Wave-Executor.exe Code function: 4x nop then movzx ebp, byte ptr [esp+edx-0000009Bh] 3_2_00438800
Source: C:\Users\user\Desktop\Wave-Executor.exe Code function: 4x nop then mov ebx, dword ptr [edi+04h] 3_2_00428930
Source: C:\Users\user\Desktop\Wave-Executor.exe Code function: 4x nop then movzx esi, byte ptr [ebp+edx+00h] 3_2_004029C0
Source: C:\Users\user\Desktop\Wave-Executor.exe Code function: 4x nop then movzx esi, byte ptr [esp+eax+08h] 3_2_004359F0
Source: C:\Users\user\Desktop\Wave-Executor.exe Code function: 4x nop then mov eax, edx 3_2_004359F0
Source: C:\Users\user\Desktop\Wave-Executor.exe Code function: 4x nop then mov ebx, eax 3_2_004359F0
Source: C:\Users\user\Desktop\Wave-Executor.exe Code function: 4x nop then movzx ebx, byte ptr [esp+ecx-6Fh] 3_2_004359F0
Source: C:\Users\user\Desktop\Wave-Executor.exe Code function: 4x nop then cmp word ptr [edi+ebx+02h], 0000h 3_2_0043C9A0
Source: C:\Users\user\Desktop\Wave-Executor.exe Code function: 4x nop then movzx ebx, byte ptr [esp+eax+6BC763FCh] 3_2_0041EA40
Source: C:\Users\user\Desktop\Wave-Executor.exe Code function: 4x nop then cmp word ptr [edx+eax], 0000h 3_2_0041EA40
Source: C:\Users\user\Desktop\Wave-Executor.exe Code function: 4x nop then mov ecx, eax 3_2_00416B1F
Source: C:\Users\user\Desktop\Wave-Executor.exe Code function: 4x nop then movzx edx, byte ptr [esp+ecx-3E4A6BB3h] 3_2_0043ABCC
Source: C:\Users\user\Desktop\Wave-Executor.exe Code function: 4x nop then mov ecx, eax 3_2_0040DBDB
Source: C:\Users\user\Desktop\Wave-Executor.exe Code function: 4x nop then mov edx, ecx 3_2_0040DBDB
Source: C:\Users\user\Desktop\Wave-Executor.exe Code function: 4x nop then movzx edx, byte ptr [ecx+esi] 3_2_00402BA0
Source: C:\Users\user\Desktop\Wave-Executor.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax-78168CD7h] 3_2_00438D60
Source: C:\Users\user\Desktop\Wave-Executor.exe Code function: 4x nop then mov esi, ecx 3_2_00422D28
Source: C:\Users\user\Desktop\Wave-Executor.exe Code function: 4x nop then movzx edi, byte ptr [esp+ecx+1Dh] 3_2_0042AD95
Source: C:\Users\user\Desktop\Wave-Executor.exe Code function: 4x nop then movzx esi, byte ptr [esp+ecx-28DB6A02h] 3_2_0042AD95
Source: C:\Users\user\Desktop\Wave-Executor.exe Code function: 4x nop then mov byte ptr [edi], bl 3_2_00408E40
Source: C:\Users\user\Desktop\Wave-Executor.exe Code function: 4x nop then jmp eax 3_2_00426E70
Source: C:\Users\user\Desktop\Wave-Executor.exe Code function: 4x nop then jmp eax 3_2_0040BE22
Source: C:\Users\user\Desktop\Wave-Executor.exe Code function: 4x nop then mov ecx, eax 3_2_00439E20
Source: C:\Users\user\Desktop\Wave-Executor.exe Code function: 4x nop then cmp byte ptr [esi+eax], 00000000h 3_2_00428EC0
Source: C:\Users\user\Desktop\Wave-Executor.exe Code function: 4x nop then cmp dword ptr [ebp+edi*8+00h], AF697AECh 3_2_0043AEB0
Source: C:\Users\user\Desktop\Wave-Executor.exe Code function: 4x nop then movzx edx, byte ptr [esp+ecx-24B7157Ah] 3_2_0043AF20
Source: C:\Users\user\Desktop\Wave-Executor.exe Code function: 4x nop then mov esi, ecx 3_2_00422FD0
Source: C:\Users\user\Desktop\Wave-Executor.exe Code function: 4x nop then movzx esi, byte ptr [esp+eax+1Ch] 3_2_0043AF8A
Source: C:\Users\user\Desktop\Wave-Executor.exe Code function: 4x nop then movzx ebx, byte ptr [esp+ecx+2376781Ah] 3_2_0041BFA0
Source: C:\Users\user\Desktop\Wave-Executor.exe Code function: 4x nop then cmp word ptr [edi+ecx], 0000h 3_2_0041BFA0

Networking

Source: Network traffic Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.6:49922 -> 23.55.153.106:443
Source: Malware configuration extractor URLs: smash-boiling.cyou
Source: Malware configuration extractor URLs: greywe-snotty.cyou
Source: Malware configuration extractor URLs: cuddlyready.xyz
Source: Malware configuration extractor URLs: ripe-blade.cyou
Source: Malware configuration extractor URLs: supporse-comment.cyou
Source: Malware configuration extractor URLs: steppriflej.xyz
Source: Malware configuration extractor URLs: pollution-raker.cyou
Source: Malware configuration extractor URLs: sendypaster.xyz
Source: Malware configuration extractor URLs: hosue-billowy.cyou
Source: DNS query: cuddlyready.xyz
Source: DNS query: sendypaster.xyz
Source: DNS query: steppriflej.xyz
Source: Joe Sandbox View IP Address: 23.55.153.106
Source: Joe Sandbox View ASN Name: BITWEB-ASRU
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49707 -> 193.143.1.9:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49772 -> 193.143.1.9:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49845 -> 193.143.1.9:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49922 -> 23.55.153.106:443
Source: global traffic HTTP traffic detected:
    GET /profiles/76561199724331900 HTTP/1.1
    Connection: Keep-Alive
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Host: steamcommunity.com
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: Wave-Executor.exe, 00000003.00000003.3133529344.0000000000B41000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: .fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: Wave-Executor.exe, 00000003.00000003.3133583262.0000000000B09000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=Nonesessionid=699df05071997568ab873dbf; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type25665Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveSun, 22 Dec 2024 22:52:37 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-Control%% equals www.youtube.com (Youtube)
Source: Wave-Executor.exe, 00000003.00000003.3133583262.0000000000B09000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: global traffic DNS traffic detected: DNS query: cuddlyready.xyz
Source: global traffic DNS traffic detected: DNS query: sendypaster.xyz
Source: global traffic DNS traffic detected: DNS query: steppriflej.xyz
Source: global traffic DNS traffic detected: DNS query: greywe-snotty.cyou
Source: global traffic DNS traffic detected: DNS query: supporse-comment.cyou
Source: global traffic DNS traffic detected: DNS query: smash-boiling.cyou
Source: global traffic DNS traffic detected: DNS query: ripe-blade.cyou
Source: global traffic DNS traffic detected: DNS query: hosue-billowy.cyou
Source: global traffic DNS traffic detected: DNS query: pollution-raker.cyou
Source: global traffic DNS traffic detected: DNS query: steamcommunity.com
Source: Wave-Executor.exe, 00000003.00000003.3133583262.0000000000B09000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:27060
Source: Wave-Executor.exe, 00000003.00000003.3133529344.0000000000B41000.00000004.00000020.00020000.00000000.sdmp, Wave-Executor.exe, 00000003.00000002.3134453720.0000000000ACA000.00000004.00000020.00020000.00000000.sdmp, Wave-Executor.exe, 00000003.00000003.3133529344.0000000000B47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: Wave-Executor.exe, 00000003.00000003.3133529344.0000000000B41000.00000004.00000020.00020000.00000000.sdmp, Wave-Executor.exe, 00000003.00000002.3134453720.0000000000ACA000.00000004.00000020.00020000.00000000.sdmp, Wave-Executor.exe, 00000003.00000003.3133529344.0000000000B47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: Wave-Executor.exe, 00000003.00000003.3133529344.0000000000B41000.00000004.00000020.00020000.00000000.sdmp, Wave-Executor.exe, 00000003.00000002.3134453720.0000000000ACA000.00000004.00000020.00020000.00000000.sdmp, Wave-Executor.exe, 00000003.00000003.3133529344.0000000000B47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: Wave-Executor.exe, 00000003.00000003.3133529344.0000000000B47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: Wave-Executor.exe, 00000003.00000003.3133583262.0000000000B09000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.steampowered.com/
Source: Wave-Executor.exe, 00000003.00000003.3133583262.0000000000B09000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: Wave-Executor.exe, 00000003.00000003.3133583262.0000000000B09000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/
Source: Wave-Executor.exe, 00000003.00000003.3133583262.0000000000B09000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://checkout.steampowered.com/
Source: Wave-Executor.exe, 00000003.00000003.3133583262.0000000000B09000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/
Source: Wave-Executor.exe, 00000003.00000003.3133529344.0000000000B41000.00000004.00000020.00020000.00000000.sdmp, Wave-Executor.exe, 00000003.00000003.3133529344.0000000000B47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=Lj6X7NKUMfzk&a
Source: Wave-Executor.exe, 00000003.00000003.3133529344.0000000000B41000.00000004.00000020.00020000.00000000.sdmp, Wave-Executor.exe, 00000003.00000003.3133529344.0000000000B47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&l=english&_c
Source: Wave-Executor.exe, 00000003.00000003.3133529344.0000000000B41000.00000004.00000020.00020000.00000000.sdmp, Wave-Executor.exe, 00000003.00000003.3133529344.0000000000B47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/fatalerror.css?v=OFUqlcDNiD6y&l=engli
Source: Wave-Executor.exe, 00000003.00000003.3133529344.0000000000B41000.00000004.00000020.00020000.00000000.sdmp, Wave-Executor.exe, 00000003.00000003.3133529344.0000000000B47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a
Source: Wave-Executor.exe, 00000003.00000003.3133529344.0000000000B41000.00000004.00000020.00020000.00000000.sdmp, Wave-Executor.exe, 00000003.00000002.3134453720.0000000000ACA000.00000004.00000020.00020000.00000000.sdmp, Wave-Executor.exe, 00000003.00000003.3133529344.0000000000B47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: Wave-Executor.exe, 00000003.00000003.3133529344.0000000000B41000.00000004.00000020.00020000.00000000.sdmp, Wave-Executor.exe, 00000003.00000003.3133529344.0000000000B47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: Wave-Executor.exe, 00000003.00000003.3133529344.0000000000B41000.00000004.00000020.00020000.00000000.sdmp, Wave-Executor.exe, 00000003.00000003.3133529344.0000000000B47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=_92TWn81
Source: Wave-Executor.exe, 00000003.00000003.3133529344.0000000000B41000.00000004.00000020.00020000.00000000.sdmp, Wave-Executor.exe, 00000003.00000003.3133529344.0000000000B47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=hyEE
Source: Wave-Executor.exe, 00000003.00000003.3133529344.0000000000B41000.00000004.00000020.00020000.00000000.sdmp, Wave-Executor.exe, 00000003.00000003.3133529344.0000000000B47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&am
Source: Wave-Executor.exe, 00000003.00000003.3133529344.0000000000B41000.00000004.00000020.00020000.00000000.sdmp, Wave-Executor.exe, 00000003.00000003.3133529344.0000000000B47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&l
Source: Wave-Executor.exe, 00000003.00000003.3133529344.0000000000B41000.00000004.00000020.00020000.00000000.sdmp, Wave-Executor.exe, 00000003.00000003.3133529344.0000000000B47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng
Source: Wave-Executor.exe, 00000003.00000003.3133529344.0000000000B41000.00000004.00000020.00020000.00000000.sdmp, Wave-Executor.exe, 00000003.00000003.3133529344.0000000000B47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC
Source: Wave-Executor.exe, 00000003.00000003.3133529344.0000000000B41000.00000004.00000020.00020000.00000000.sdmp, Wave-Executor.exe, 00000003.00000003.3133529344.0000000000B47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&
Source: Wave-Executor.exe, 00000003.00000003.3133529344.0000000000B41000.00000004.00000020.00020000.00000000.sdmp, Wave-Executor.exe, 00000003.00000003.3133529344.0000000000B47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl
Source: Wave-Executor.exe, 00000003.00000003.3133529344.0000000000B41000.00000004.00000020.00020000.00000000.sdmp, Wave-Executor.exe, 00000003.00000003.3133529344.0000000000B47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=wuA4X_n5-mo0&l=en
Source: Wave-Executor.exe, 00000003.00000003.3133529344.0000000000B41000.00000004.00000020.00020000.00000000.sdmp, Wave-Executor.exe, 00000003.00000003.3133529344.0000000000B47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&
Source: Wave-Executor.exe, 00000003.00000003.3133529344.0000000000B47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: Wave-Executor.exe, 00000003.00000003.3133529344.0000000000B47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: Wave-Executor.exe, 00000003.00000003.3133529344.0000000000B47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: Wave-Executor.exe, 00000003.00000003.3133529344.0000000000B47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: Wave-Executor.exe, 00000003.00000003.3133529344.0000000000B41000.00000004.00000020.00020000.00000000.sdmp, Wave-Executor.exe, 00000003.00000003.3133529344.0000000000B47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&amp
Source: Wave-Executor.exe, 00000003.00000003.3133529344.0000000000B41000.00000004.00000020.00020000.00000000.sdmp, Wave-Executor.exe, 00000003.00000003.3133529344.0000000000B47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&am
Source: Wave-Executor.exe, 00000003.00000003.3133529344.0000000000B41000.00000004.00000020.00020000.00000000.sdmp, Wave-Executor.exe, 00000003.00000003.3133529344.0000000000B47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQ
Source: Wave-Executor.exe, 00000003.00000003.3133529344.0000000000B41000.00000004.00000020.00020000.00000000.sdmp, Wave-Executor.exe, 00000003.00000003.3133529344.0000000000B47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en
Source: Wave-Executor.exe, 00000003.00000003.3094339040.0000000000ACC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://greywe-snotty.cyou/api
Source: Wave-Executor.exe, 00000003.00000003.3133583262.0000000000B09000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://help.steampowered.com/
Source: Wave-Executor.exe, 00000003.00000003.3133529344.0000000000B47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://help.steampowered.com/en/
Source: Wave-Executor.exe, 00000003.00000002.3134453720.0000000000AB0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://hosue-billowy.cyou:443/api
Source: Wave-Executor.exe, 00000003.00000003.3133583262.0000000000B09000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.steampowered.com/
Source: Wave-Executor.exe, 00000003.00000003.3133583262.0000000000B09000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://lv.queniujq.cn
Source: Wave-Executor.exe, 00000003.00000003.3133583262.0000000000B09000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://medal.tv
Source: Wave-Executor.exe, 00000003.00000003.3133583262.0000000000B09000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://player.vimeo.com
Source: Wave-Executor.exe, 00000003.00000002.3134453720.0000000000AB0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://pollution-raker.cyou:443/api
Source: Wave-Executor.exe, 00000003.00000003.3133583262.0000000000B09000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://recaptcha.net
Source: Wave-Executor.exe, 00000003.00000003.3133583262.0000000000B09000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: Wave-Executor.exe, 00000003.00000003.3133583262.0000000000B09000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://s.ytimg.com;
Source: Wave-Executor.exe, 00000003.00000003.3133583262.0000000000B09000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sketchfab.com
Source: Wave-Executor.exe, 00000003.00000002.3134453720.0000000000AB0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://smash-boiling.cyou:443/apipi
Source: Wave-Executor.exe, 00000003.00000003.3133583262.0000000000B09000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steam.tv/
Source: Wave-Executor.exe, 00000003.00000003.3133583262.0000000000B09000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: Wave-Executor.exe, 00000003.00000003.3133583262.0000000000B09000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcast.akamaized.net
Source: Wave-Executor.exe, 00000003.00000003.3133583262.0000000000B09000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: Wave-Executor.exe, 00000003.00000003.3133529344.0000000000B41000.00000004.00000020.00020000.00000000.sdmp, Wave-Executor.exe, 00000003.00000002.3134453720.0000000000ACA000.00000004.00000020.00020000.00000000.sdmp, Wave-Executor.exe, 00000003.00000003.3133529344.0000000000B47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com
Source: Wave-Executor.exe, 00000003.00000003.3133583262.0000000000B09000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/
Source: Wave-Executor.exe, 00000003.00000003.3133529344.0000000000B47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: Wave-Executor.exe, 00000003.00000003.3133529344.0000000000B47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/discussions/
Source: Wave-Executor.exe, 00000003.00000003.3133529344.0000000000B41000.00000004.00000020.00020000.00000000.sdmp, Wave-Executor.exe, 00000003.00000002.3134453720.0000000000ACA000.00000004.00000020.00020000.00000000.sdmp, Wave-Executor.exe, 00000003.00000003.3133529344.0000000000B47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: Wave-Executor.exe, 00000003.00000003.3133529344.0000000000B47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: Wave-Executor.exe, 00000003.00000003.3133529344.0000000000B47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/market/
Source: Wave-Executor.exe, 00000003.00000003.3133529344.0000000000B41000.00000004.00000020.00020000.00000000.sdmp, Wave-Executor.exe, 00000003.00000003.3133529344.0000000000B47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: Wave-Executor.exe, 00000003.00000002.3134453720.0000000000AB0000.00000004.00000020.00020000.00000000.sdmp, Wave-Executor.exe, 00000003.00000003.3133632330.0000000000AD7000.00000004.00000020.00020000.00000000.sdmp, Wave-Executor.exe, 00000003.00000002.3134570473.0000000000AD7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: Wave-Executor.exe, 00000003.00000003.3133529344.0000000000B47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/workshop/
Source: Wave-Executor.exe, 00000003.00000002.3134453720.0000000000AB0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com:443/profiles/76561199724331900d
Source: Wave-Executor.exe, 00000003.00000002.3134453720.0000000000AB0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steppriflej.xyz:443/api3
Source: Wave-Executor.exe, 00000003.00000003.3133583262.0000000000B09000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/
Source: Wave-Executor.exe, 00000003.00000003.3133529344.0000000000B41000.00000004.00000020.00020000.00000000.sdmp, Wave-Executor.exe, 00000003.00000002.3134761785.0000000000B09000.00000004.00000020.00020000.00000000.sdmp, Wave-Executor.exe, 00000003.00000003.3133583262.0000000000B09000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/;
Source: Wave-Executor.exe, 00000003.00000002.3134761785.0000000000B09000.00000004.00000020.00020000.00000000.sdmp, Wave-Executor.exe, 00000003.00000003.3133583262.0000000000B09000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb
Source: Wave-Executor.exe, 00000003.00000003.3133529344.0000000000B47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/about/
Source: Wave-Executor.exe, 00000003.00000003.3133529344.0000000000B41000.00000004.00000020.00020000.00000000.sdmp, Wave-Executor.exe, 00000003.00000003.3133529344.0000000000B47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/explore/
Source: Wave-Executor.exe, 00000003.00000003.3133529344.0000000000B41000.00000004.00000020.00020000.00000000.sdmp, Wave-Executor.exe, 00000003.00000002.3134453720.0000000000ACA000.00000004.00000020.00020000.00000000.sdmp, Wave-Executor.exe, 00000003.00000003.3133529344.0000000000B47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/legal/
Source: Wave-Executor.exe, 00000003.00000003.3133529344.0000000000B47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/mobile
Source: Wave-Executor.exe, 00000003.00000003.3133529344.0000000000B47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/news/
Source: Wave-Executor.exe, 00000003.00000003.3133529344.0000000000B47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/points/shop/
Source: Wave-Executor.exe, 00000003.00000003.3133529344.0000000000B41000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/points/shopT
Source: Wave-Executor.exe, 00000003.00000003.3133529344.0000000000B47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: Wave-Executor.exe, 00000003.00000003.3133529344.0000000000B47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/stats/
Source: Wave-Executor.exe, 00000003.00000003.3133529344.0000000000B47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: Wave-Executor.exe, 00000003.00000003.3133529344.0000000000B47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: Wave-Executor.exe, 00000003.00000003.3133583262.0000000000B09000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: Wave-Executor.exe, 00000003.00000003.3133583262.0000000000B09000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/recaptcha/
Source: Wave-Executor.exe, 00000003.00000003.3133583262.0000000000B09000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: Wave-Executor.exe, 00000003.00000003.3133583262.0000000000B09000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: Wave-Executor.exe, 00000003.00000003.3133529344.0000000000B41000.00000004.00000020.00020000.00000000.sdmp, Wave-Executor.exe, 00000003.00000003.3133632330.0000000000ACC000.00000004.00000020.00020000.00000000.sdmp, Wave-Executor.exe, 00000003.00000003.3133529344.0000000000B47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: Wave-Executor.exe, 00000003.00000003.3133583262.0000000000B09000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com
Source: Wave-Executor.exe, 00000003.00000003.3133583262.0000000000B09000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/
Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49922 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown Network traffic detected: HTTP traffic on port 49845 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49845
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49922
Source: unknown Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown HTTPS traffic detected: 23.55.153.106:443 -> 192.168.2.6:49922 version: TLS 1.2
Source: C:\Users\user\Desktop\Wave-Executor.exe Code function: 3_2_00431070 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard, 3_2_00431070
Source: C:\Users\user\Desktop\Wave-Executor.exe Code function: 3_2_004316D2 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt, 3_2_004316D2
Source: C:\Users\user\Desktop\Wave-Executor.exe Code function: String function: 0028F55E appears 42 times
Source: C:\Users\user\Desktop\Wave-Executor.exe Code function: String function: 00414030 appears 49 times
Source: C:\Users\user\Desktop\Wave-Executor.exe Code function: String function: 00407EF0 appears 38 times
Source: C:\Users\user\Desktop\Wave-Executor.exe Code function: String function: 002941C4 appears 34 times
Source: C:\Users\user\Desktop\Wave-Executor.exe Code function: String function: 002866A0 appears 100 times
Source: Wave-Executor.exe, 00000000.00000002.2131972723.0000000003077000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameRpcPing.exej% vs Wave-Executor.exe
Source: Wave-Executor.exe, 00000000.00000002.2131738880.00000000002FF000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameRpcPing.exej% vs Wave-Executor.exe
Source: Wave-Executor.exe, 00000003.00000002.3134263604.00000000002FF000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameRpcPing.exej% vs Wave-Executor.exe
Source: Wave-Executor.exe, 00000003.00000003.2130958981.000000000268E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameRpcPing.exej% vs Wave-Executor.exe
Source: Wave-Executor.exe Binary or memory string: OriginalFilenameRpcPing.exej% vs Wave-Executor.exe
Source: Wave-Executor.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Wave-Executor.exe Static PE information: Section: .bss ZLIB complexity 1.0003266550522647
Source: classification engine Classification label: mal100.troj.evad.winEXE@4/1@10/2
Source: C:\Users\user\Desktop\Wave-Executor.exe Code function: 3_2_0042F4B0 CoCreateInstance, 3_2_0042F4B0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2800:120:WilError_03
Source: Wave-Executor.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Wave-Executor.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Wave-Executor.exe ReversingLabs: Detection: 39%
Source: Wave-Executor.exe Virustotal: Detection: 27%
Source: C:\Users\user\Desktop\Wave-Executor.exe File read: C:\Users\user\Desktop\Wave-Executor.exe
Source: unknown Process created: C:\Users\user\Desktop\Wave-Executor.exe "C:\Users\user\Desktop\Wave-Executor.exe"
Source: C:\Users\user\Desktop\Wave-Executor.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Wave-Executor.exe Process created: C:\Users\user\Desktop\Wave-Executor.exe "C:\Users\user\Desktop\Wave-Executor.exe"
Source: C:\Users\user\Desktop\Wave-Executor.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Wave-Executor.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Wave-Executor.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Wave-Executor.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Wave-Executor.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\Wave-Executor.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\Wave-Executor.exe Section loaded: webio.dll
Source: C:\Users\user\Desktop\Wave-Executor.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\Wave-Executor.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Wave-Executor.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\Wave-Executor.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Wave-Executor.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\Wave-Executor.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\Wave-Executor.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\Wave-Executor.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\Wave-Executor.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\Wave-Executor.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\Wave-Executor.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\Wave-Executor.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\Wave-Executor.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Wave-Executor.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Wave-Executor.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Wave-Executor.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Wave-Executor.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\Wave-Executor.exe Section loaded: dpapi.dll
Source: Wave-Executor.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_ISOLATION, TERMINAL_SERVER_AWARE
Source: Wave-Executor.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Wave-Executor.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Wave-Executor.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Wave-Executor.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Wave-Executor.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\Wave-Executor.exe Code function: 0_2_002867C3 push ecx; ret 0_2_002867D6
Source: C:\Users\user\Desktop\Wave-Executor.exe Code function: 3_2_002867C3 push ecx; ret 3_2_002867D6
Source: C:\Users\user\Desktop\Wave-Executor.exe Code function: 3_2_004202A3 push edx; ret 3_2_004202AC
Source: C:\Users\user\Desktop\Wave-Executor.exe Code function: 3_2_0043B7B0 push eax; mov dword ptr [esp], 4D4C4B9Ah 3_2_0043B7B3
Source: C:\Users\user\Desktop\Wave-Executor.exe Code function: 3_2_00441BF1 push FFFFFFFEh; ret 3_2_00441BF5
Source: C:\Users\user\Desktop\Wave-Executor.exe Code function: 3_2_00444DFC push edi; iretd 3_2_00444DFD
Source: C:\Users\user\Desktop\Wave-Executor.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Users\user\Desktop\Wave-Executor.exe API coverage: 3.4 %
Source: C:\Users\user\Desktop\Wave-Executor.exe TID: 6440 Thread sleep time: -90000s >= -30000s
Source: C:\Users\user\Desktop\Wave-Executor.exe Code function: 0_2_00299075 FindFirstFileExW, 0_2_00299075
Source: C:\Users\user\Desktop\Wave-Executor.exe Code function: 0_2_00299126 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 0_2_00299126
Source: C:\Users\user\Desktop\Wave-Executor.exe Code function: 3_2_00299075 FindFirstFileExW, 3_2_00299075
Source: C:\Users\user\Desktop\Wave-Executor.exe Code function: 3_2_00299126 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 3_2_00299126
Source: Wave-Executor.exe, 00000003.00000002.3134453720.0000000000A9C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWpO
Source: Wave-Executor.exe, 00000003.00000003.3133632330.0000000000AD7000.00000004.00000020.00020000.00000000.sdmp, Wave-Executor.exe, 00000003.00000002.3134570473.0000000000AD7000.00000004.00000020.00020000.00000000.sdmp, Wave-Executor.exe, 00000003.00000003.3094339040.0000000000AD7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\Wave-Executor.exe Code function: 3_2_0043A0F0 LdrInitializeThunk, 3_2_0043A0F0
Source: C:\Users\user\Desktop\Wave-Executor.exe Code function: 0_2_0028F2B0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0028F2B0
Source: C:\Users\user\Desktop\Wave-Executor.exe Code function: 0_2_002AF19E mov edi, dword ptr fs:[00000030h] 0_2_002AF19E
Source: C:\Users\user\Desktop\Wave-Executor.exe Code function: 0_2_002716C0 mov edi, dword ptr fs:[00000030h] 0_2_002716C0
Source: C:\Users\user\Desktop\Wave-Executor.exe Code function: 3_2_002716C0 mov edi, dword ptr fs:[00000030h] 3_2_002716C0
Source: C:\Users\user\Desktop\Wave-Executor.exe Code function: 0_2_00294ABC GetProcessHeap, 0_2_00294ABC
Source: C:\Users\user\Desktop\Wave-Executor.exe Code function: 0_2_0028616C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0028616C
Source: C:\Users\user\Desktop\Wave-Executor.exe Code function: 0_2_0028F2B0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0028F2B0
Source: C:\Users\user\Desktop\Wave-Executor.exe Code function: 0_2_00286528 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00286528
Source: C:\Users\user\Desktop\Wave-Executor.exe Code function: 0_2_0028651C SetUnhandledExceptionFilter, 0_2_0028651C
Source: C:\Users\user\Desktop\Wave-Executor.exe Code function: 3_2_0028616C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_0028616C
Source: C:\Users\user\Desktop\Wave-Executor.exe Code function: 3_2_0028F2B0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_0028F2B0
Source: C:\Users\user\Desktop\Wave-Executor.exe Code function: 3_2_00286528 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_00286528
Source: C:\Users\user\Desktop\Wave-Executor.exe Code function: 3_2_0028651C SetUnhandledExceptionFilter, 3_2_0028651C

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\Wave-Executor.exe Code function: 0_2_002AF19E GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessW,CreateProcessW,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread, 0_2_002AF19E
Source: C:\Users\user\Desktop\Wave-Executor.exe Memory written: C:\Users\user\Desktop\Wave-Executor.exe base: 400000 value starts with: 4D5A
Source: Wave-Executor.exe, 00000000.00000002.2131972723.0000000003077000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: steppriflej.xyz
Source: Wave-Executor.exe, 00000000.00000002.2131972723.0000000003077000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: sendypaster.xyz
Source: Wave-Executor.exe, 00000000.00000002.2131972723.0000000003077000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: cuddlyready.xyz
Source: C:\Users\user\Desktop\Wave-Executor.exe Process created: C:\Users\user\Desktop\Wave-Executor.exe "C:\Users\user\Desktop\Wave-Executor.exe"
Source: C:\Users\user\Desktop\Wave-Executor.exe Code function: EnumSystemLocalesW, 0_2_002943A7
Source: C:\Users\user\Desktop\Wave-Executor.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_002983DF
Source: C:\Users\user\Desktop\Wave-Executor.exe Code function: EnumSystemLocalesW, 0_2_00298630
Source: C:\Users\user\Desktop\Wave-Executor.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_002986CB
Source: C:\Users\user\Desktop\Wave-Executor.exe Code function: EnumSystemLocalesW, 0_2_0029891E
Source: C:\Users\user\Desktop\Wave-Executor.exe Code function: GetLocaleInfoW, 0_2_0029897D
Source: C:\Users\user\Desktop\Wave-Executor.exe Code function: EnumSystemLocalesW, 0_2_00298A52
Source: C:\Users\user\Desktop\Wave-Executor.exe Code function: GetLocaleInfoW, 0_2_00298A9D
Source: C:\Users\user\Desktop\Wave-Executor.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_00298B44
Source: C:\Users\user\Desktop\Wave-Executor.exe Code function: GetLocaleInfoW, 0_2_00298C4A
Source: C:\Users\user\Desktop\Wave-Executor.exe Code function: GetLocaleInfoW, 0_2_00293EAC
Source: C:\Users\user\Desktop\Wave-Executor.exe Code function: EnumSystemLocalesW, 3_2_002943A7
Source: C:\Users\user\Desktop\Wave-Executor.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 3_2_002983DF
Source: C:\Users\user\Desktop\Wave-Executor.exe Code function: EnumSystemLocalesW, 3_2_00298630
Source: C:\Users\user\Desktop\Wave-Executor.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 3_2_002986CB
Source: C:\Users\user\Desktop\Wave-Executor.exe Code function: EnumSystemLocalesW, 3_2_0029891E
Source: C:\Users\user\Desktop\Wave-Executor.exe Code function: GetLocaleInfoW, 3_2_0029897D
Source: C:\Users\user\Desktop\Wave-Executor.exe Code function: EnumSystemLocalesW, 3_2_00298A52
Source: C:\Users\user\Desktop\Wave-Executor.exe Code function: GetLocaleInfoW, 3_2_00298A9D
Source: C:\Users\user\Desktop\Wave-Executor.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 3_2_00298B44
Source: C:\Users\user\Desktop\Wave-Executor.exe Code function: GetLocaleInfoW, 3_2_00298C4A
Source: C:\Users\user\Desktop\Wave-Executor.exe Code function: GetLocaleInfoW, 3_2_00293EAC
Source: C:\Users\user\Desktop\Wave-Executor.exe Code function: 0_2_00287110 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00287110
Source: C:\Users\user\Desktop\Wave-Executor.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: decrypted.memstr, type: MEMORYSTR