Malware analysis Wave Browser.exe Malicious activity | ANY.RUN

Add for printing

File name:	Wave Browser.exe
Full analysis:	https://app.any.run/tasks/d952a651-eda4-401a-8889-e06562ecb38d
Verdict:	Malicious activity
Threats:	Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	November 14, 2025, 05:33:05
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	stealer
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5:	EDB7FF3F27109A37E425475790A4618C
SHA1:	D58690DBD9A9C3683FE72D20C18A57030ACFB617
SHA256:	651AB9A8456F76D2A8C63CA903CEDC4D500C6C83FD9689E5E493732A00E57F61
SSDEEP:	49152:0So3U1o477Q7gb3tUaYcPE6+hTXALAz15B7eA5x/O6X0IknHD6WI3cuGBmcW6KJz:yE1o47XbdUaj+hTXt15tBxXXyDs3ctmp

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (133.0.6943.127)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (133.0.3065.92)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (136.0)
Mozilla Maintenance Service (136.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Changes the autorun value in the registry
  - SWUpdater.exe (PID: 3432)
- Actions looks like stealing of personal data
  - wavebrowser.exe (PID: 7584)
  - wavebrowser.exe (PID: 8196)
SUSPICIOUS
- Reads security settings of Internet Explorer
  - Wave Browser.exe (PID: 6188)
  - SWUpdater.exe (PID: 3432)
  - setup.exe (PID: 4900)
  - setup.exe (PID: 7332)
  - SWUpdater.exe (PID: 3988)
- Reads the date of Windows installation
  - Wave Browser.exe (PID: 6188)
- Executable content was dropped or overwritten
  - Wave Browser.exe (PID: 6188)
  - SWUpdaterSetup.exe (PID: 148)
  - SWUpdater.exe (PID: 3432)
  - WaveInstaller-v1.5.21.11.exe (PID: 4792)
  - setup.exe (PID: 4900)
- Starts itself from another location
  - SWUpdater.exe (PID: 3432)
- Creates/Modifies COM task schedule object
  - SWUpdaterComRegisterShell64.exe (PID: 6016)
  - SWUpdaterComRegisterShell64.exe (PID: 2220)
  - SWUpdaterComRegisterShell64.exe (PID: 2156)
  - SWUpdater.exe (PID: 2928)
- Application launched itself
  - setup.exe (PID: 4900)
  - setup.exe (PID: 7332)
  - wavebrowser.exe (PID: 7584)
  - SWUpdater.exe (PID: 3988)
- Searches for installed software
  - setup.exe (PID: 4900)
INFO
- Checks proxy server information
  - Wave Browser.exe (PID: 6188)
  - SWUpdater.exe (PID: 476)
  - setup.exe (PID: 4900)
  - SWUpdater.exe (PID: 3988)
  - setup.exe (PID: 7332)
  - wavebrowser.exe (PID: 7584)
  - SWUpdater.exe (PID: 5656)
- Reads the computer name
  - Wave Browser.exe (PID: 6188)
  - SWUpdater.exe (PID: 3432)
  - SWUpdater.exe (PID: 2928)
  - SWUpdater.exe (PID: 476)
  - setup.exe (PID: 4900)
  - SWUpdater.exe (PID: 6940)
  - SWUpdater.exe (PID: 3988)
  - setup.exe (PID: 7332)
  - SWUpdater.exe (PID: 5656)
  - wavebrowser.exe (PID: 7584)
  - wavebrowser.exe (PID: 3680)
  - wavebrowser.exe (PID: 5848)
  - wavebrowser.exe (PID: 8196)
  - wavebrowser.exe (PID: 8528)
  - wavebrowser.exe (PID: 8540)
  - wavebrowser.exe (PID: 3548)
- Checks supported languages
  - Wave Browser.exe (PID: 6188)
  - SWUpdaterSetup.exe (PID: 148)
  - SWUpdater.exe (PID: 3432)
  - SWUpdater.exe (PID: 2928)
  - SWUpdaterComRegisterShell64.exe (PID: 6016)
  - SWUpdaterComRegisterShell64.exe (PID: 2220)
  - SWUpdaterComRegisterShell64.exe (PID: 2156)
  - SWUpdater.exe (PID: 6940)
  - SWUpdater.exe (PID: 476)
  - setup.exe (PID: 4900)
  - setup.exe (PID: 5284)
  - WaveInstaller-v1.5.21.11.exe (PID: 4792)
  - setup.exe (PID: 7332)
  - setup.exe (PID: 7352)
  - wavebrowser.exe (PID: 7604)
  - SWUpdater.exe (PID: 5656)
  - wavebrowser.exe (PID: 5848)
  - wavebrowser.exe (PID: 7584)
  - wavebrowser.exe (PID: 3680)
  - wavebrowser.exe (PID: 5392)
  - wavebrowser.exe (PID: 4972)
  - wavebrowser.exe (PID: 2188)
  - wavebrowser.exe (PID: 8196)
  - wavebrowser.exe (PID: 8296)
  - wavebrowser.exe (PID: 8452)
  - wavebrowser.exe (PID: 8540)
  - wavebrowser.exe (PID: 8528)
  - wavebrowser.exe (PID: 8660)
  - wavebrowser.exe (PID: 8580)
  - wavebrowser.exe (PID: 8592)
  - wavebrowser.exe (PID: 8628)
  - wavebrowser.exe (PID: 8692)
  - wavebrowser.exe (PID: 8684)
  - wavebrowser.exe (PID: 8644)
  - wavebrowser.exe (PID: 8572)
  - wavebrowser.exe (PID: 8604)
  - wavebrowser.exe (PID: 8304)
  - wavebrowser.exe (PID: 2880)
  - wavebrowser.exe (PID: 6640)
  - wavebrowser.exe (PID: 8680)
  - wavebrowser.exe (PID: 8600)
  - wavebrowser.exe (PID: 8656)
  - wavebrowser.exe (PID: 8676)
  - wavebrowser.exe (PID: 9068)
  - wavebrowser.exe (PID: 8980)
  - wavebrowser.exe (PID: 8972)
  - wavebrowser.exe (PID: 8588)
  - wavebrowser.exe (PID: 9072)
  - wavebrowser.exe (PID: 9092)
  - wavebrowser.exe (PID: 8224)
  - wavebrowser.exe (PID: 9120)
  - wavebrowser.exe (PID: 3548)
  - wavebrowser.exe (PID: 8560)
  - wavebrowser.exe (PID: 8340)
  - wavebrowser.exe (PID: 8636)
  - wavebrowser.exe (PID: 8544)
  - wavebrowser.exe (PID: 8612)
  - wavebrowser.exe (PID: 9064)
  - wavebrowser.exe (PID: 6640)
  - wavebrowser.exe (PID: 9176)
  - wavebrowser.exe (PID: 9092)
  - wavebrowser.exe (PID: 9236)
  - wavebrowser.exe (PID: 8676)
  - wavebrowser.exe (PID: 9272)
  - wavebrowser.exe (PID: 9512)
  - wavebrowser.exe (PID: 9520)
  - wavebrowser.exe (PID: 9496)
  - wavebrowser.exe (PID: 9488)
  - wavebrowser.exe (PID: 9572)
  - wavebrowser.exe (PID: 10004)
  - wavebrowser.exe (PID: 9904)
  - wavebrowser.exe (PID: 9612)
  - wavebrowser.exe (PID: 9696)
  - wavebrowser.exe (PID: 9656)
  - wavebrowser.exe (PID: 9932)
  - wavebrowser.exe (PID: 8200)
  - wavebrowser.exe (PID: 8304)
  - wavebrowser.exe (PID: 9536)
  - wavebrowser.exe (PID: 10044)
  - wavebrowser.exe (PID: 9468)
  - wavebrowser.exe (PID: 10204)
  - wavebrowser.exe (PID: 10088)
  - wavebrowser.exe (PID: 10128)
  - wavebrowser.exe (PID: 10168)
  - wavebrowser.exe (PID: 9384)
  - wavebrowser.exe (PID: 9540)
  - wavebrowser.exe (PID: 9548)
  - wavebrowser.exe (PID: 9856)
  - wavebrowser.exe (PID: 9064)
  - wavebrowser.exe (PID: 10036)
  - wavebrowser.exe (PID: 10056)
  - SWUpdater.exe (PID: 3988)
  - wavebrowser.exe (PID: 8200)
  - wavebrowser.exe (PID: 9688)
  - wavebrowser.exe (PID: 9780)
  - wavebrowser.exe (PID: 9896)
  - wavebrowser.exe (PID: 9736)
  - wavebrowser.exe (PID: 9768)
  - wavebrowser.exe (PID: 9812)
  - wavebrowser.exe (PID: 9900)
  - wavebrowser.exe (PID: 9972)
  - wavebrowser.exe (PID: 9672)
  - wavebrowser.exe (PID: 9708)
  - wavebrowser.exe (PID: 9476)
  - wavebrowser.exe (PID: 9848)
  - wavebrowser.exe (PID: 8440)
  - wavebrowser.exe (PID: 8556)
- Disables trace logs
  - Wave Browser.exe (PID: 6188)
- Reads the software policy settings
  - Wave Browser.exe (PID: 6188)
  - SWUpdater.exe (PID: 476)
  - SWUpdater.exe (PID: 3988)
  - setup.exe (PID: 4900)
  - setup.exe (PID: 7332)
  - SWUpdater.exe (PID: 5656)
- Reads the machine GUID from the registry
  - Wave Browser.exe (PID: 6188)
  - setup.exe (PID: 4900)
  - setup.exe (PID: 7332)
  - wavebrowser.exe (PID: 7584)
- Reads Environment values
  - Wave Browser.exe (PID: 6188)
- Create files in a temporary directory
  - Wave Browser.exe (PID: 6188)
  - SWUpdaterSetup.exe (PID: 148)
  - svchost.exe (PID: 6836)
  - WaveInstaller-v1.5.21.11.exe (PID: 4792)
  - setup.exe (PID: 4900)
  - wavebrowser.exe (PID: 8196)
  - wavebrowser.exe (PID: 7584)
  - SWUpdater.exe (PID: 3988)
- The sample compiled with english language support
  - Wave Browser.exe (PID: 6188)
  - SWUpdaterSetup.exe (PID: 148)
  - SWUpdater.exe (PID: 3432)
  - WaveInstaller-v1.5.21.11.exe (PID: 4792)
  - setup.exe (PID: 4900)
- Process checks computer location settings
  - Wave Browser.exe (PID: 6188)
  - SWUpdater.exe (PID: 3432)
  - SWUpdater.exe (PID: 3988)
  - wavebrowser.exe (PID: 7584)
  - wavebrowser.exe (PID: 2188)
  - wavebrowser.exe (PID: 4972)
  - wavebrowser.exe (PID: 8196)
  - wavebrowser.exe (PID: 8296)
  - wavebrowser.exe (PID: 8692)
  - wavebrowser.exe (PID: 8604)
  - wavebrowser.exe (PID: 8580)
  - wavebrowser.exe (PID: 8684)
  - wavebrowser.exe (PID: 8644)
  - wavebrowser.exe (PID: 8592)
  - wavebrowser.exe (PID: 2880)
  - wavebrowser.exe (PID: 8628)
  - wavebrowser.exe (PID: 8572)
  - wavebrowser.exe (PID: 8660)
  - wavebrowser.exe (PID: 8656)
  - wavebrowser.exe (PID: 9120)
  - wavebrowser.exe (PID: 9384)
  - wavebrowser.exe (PID: 9548)
  - wavebrowser.exe (PID: 9064)
  - wavebrowser.exe (PID: 9672)
  - wavebrowser.exe (PID: 9972)
  - wavebrowser.exe (PID: 9736)
  - wavebrowser.exe (PID: 9688)
  - wavebrowser.exe (PID: 9540)
  - wavebrowser.exe (PID: 9468)
  - wavebrowser.exe (PID: 9780)
  - wavebrowser.exe (PID: 9768)
  - wavebrowser.exe (PID: 9812)
  - wavebrowser.exe (PID: 9708)
  - wavebrowser.exe (PID: 9896)
  - wavebrowser.exe (PID: 8440)
  - wavebrowser.exe (PID: 9476)
  - wavebrowser.exe (PID: 9856)
  - wavebrowser.exe (PID: 8556)
- Wave updater related mutex has been found
  - SWUpdater.exe (PID: 3432)
  - SWUpdater.exe (PID: 2928)
  - SWUpdater.exe (PID: 476)
  - SWUpdater.exe (PID: 3988)
  - SWUpdater.exe (PID: 5656)
- Launching a file from a Registry key
  - SWUpdater.exe (PID: 3432)
- Creates files or folders in the user directory
  - setup.exe (PID: 4900)
  - setup.exe (PID: 7332)
  - wavebrowser.exe (PID: 7604)
  - wavebrowser.exe (PID: 3680)
  - wavebrowser.exe (PID: 7584)
- Creates a software uninstall entry
  - setup.exe (PID: 4900)
- Application launched itself
  - msedge.exe (PID: 7576)
  - msedge.exe (PID: 7664)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win64 Executable (generic) (64.6)
.dll	\|	Win32 Dynamic Link Library (generic) (15.4)
.exe	\|	Win32 Executable (generic) (10.5)
.exe	\|	Generic Win/DOS Executable (4.6)
.exe	\|	DOS Executable Generic (4.6)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2078:06:10 21:30:56+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32
LinkerVersion:	48
CodeSize:	1449984
InitializedDataSize:	180736
UninitializedDataSize:	-
EntryPoint:	0x163ec6
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	1.5.21.7
ProductVersionNumber:	1.5.21.7
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
Comments:	WaveBrowser
CompanyName:	Wavesor Software
FileDescription:	WaveBrowser
FileVersion:	1.5.21.7
InternalName:	Wave Browser.exe
LegalCopyright:	Copyright 2025 Wavesor Software. All rights reserved.
LegalTrademarks:	-
OriginalFileName:	Wave Browser.exe
ProductName:	WaveBrowser
ProductVersion:	1.5.21.7
AssemblyVersion:	1.5.21.7

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

272

Monitored processes

122

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

148

"C:\Users\admin\AppData\Local\Temp\Wave\SWUpdaterSetup.exe" /install "bundlename=WaveBrowser&appguid={EB149AD2-CE4E-4F51-B7FC-A149FAA4CCAF}&appname=WaveBrowser&needsadmin=False&lang=en&usagestats=1&installdataindex=1"

C:\Users\admin\AppData\Local\Temp\Wave\SWUpdaterSetup.exe

Wave Browser.exe

User:

admin

Company:

Wavesor Software

Integrity Level:

MEDIUM

Description:

Wavesor SWUpdater Setup

Exit code:

Version:

1.3.139.0

Modules

Images
c:\users\admin\appdata\local\temp\wave\swupdatersetup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shlwapi.dll

408

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --disable-quic --message-loop-type-ui --string-annotations --always-read-main-dll --field-trial-handle=5908,i,13762675837816812143,17968670809495949525,262144 --variations-seed-version --mojo-platform-channel-handle=1588 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Edge

Exit code:

Version:

133.0.3065.92

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

476

"C:\Users\admin\Wavesor Software\SWUpdater\SWUpdater.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJTV1VwZGF0ZXIiIHVwZGF0ZXJ2ZXJzaW9uPSIxLjMuMTM5LjAiIHNoZWxsX3ZlcnNpb249IjEuMy4xMzkuMCIgaXNtYWNoaW5lPSIwIiBzZXNzaW9uaWQ9Ins1NDA0OEZFNC1EREY3LTQ4RkYtQTlCRi1ENzg0NjcwOTFCNUN9IiB1c2VyaWQ9InsyOGNlODlmMC1hYjk5LTQ1MGMtYTQyYi0wZGUxOTk3ZDAyM2F9IiBpbnN0YWxsc291cmNlPSJvdGhlcmluc3RhbGxjbWQiIHJlcXVlc3RpZD0iezYwQkUzREE5LTlDNDEtNEQzNS05MzI5LTNDMjY1RkIyNzk1OX0iIGRlZHVwPSJjciIgZG9tYWluam9pbmVkPSIwIj48aHcgcGh5c21lbW9yeT0iNiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0NS40MDQ2IiBzcD0iIiBhcmNoPSJ4NjQiLz48YXBwIGFwcGlkPSJ7RjZGNjBBQ0UtNzFBRC00NjEwLTgwRDQtOTI1MzcyOUZCNEI3fSIgdmVyc2lvbj0iIiBuZXh0dmVyc2lvbj0iMS4zLjEzOS4wIiBsYW5nPSJlbiIgYnJhbmQ9IiIgY2xpZW50PSIiPjxldmVudCBldmVudHR5cGU9IjIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIGluc3RhbGxfdGltZV9tcz0iNTQ3Ii8-PC9hcHA-PC9yZXF1ZXN0Pg

C:\Users\admin\Wavesor Software\SWUpdater\SWUpdater.exe

SWUpdater.exe

User:

admin

Company:

Wavesor Software

Integrity Level:

MEDIUM

Description:

Wavesor SWUpdater

Exit code:

Version:

1.3.139.0

Modules

Images
c:\users\admin\wavesor software\swupdater\swupdater.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

1688

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --disable-quic --message-loop-type-ui --string-annotations --always-read-main-dll --field-trial-handle=5900,i,13762675837816812143,17968670809495949525,262144 --variations-seed-version --mojo-platform-channel-handle=5920 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Edge

Exit code:

Version:

133.0.3065.92

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

2156

"C:\Users\admin\Wavesor Software\SWUpdater\1.3.139.0\SWUpdaterComRegisterShell64.exe" /user

C:\Users\admin\Wavesor Software\SWUpdater\1.3.139.0\SWUpdaterComRegisterShell64.exe

—

SWUpdater.exe

User:

admin

Company:

Wavesor Software

Integrity Level:

MEDIUM

Description:

Wavesor SWUpdater

Exit code:

Version:

1.3.139.0

Modules

Images
c:\users\admin\wavesor software\swupdater\1.3.139.0\swupdatercomregistershell64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

2188

"C:\Users\admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --string-annotations=is-enterprise-managed=no --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=3 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3312,i,14392237455291782748,16561830203070990609,262144 --variations-seed-version=15 --mojo-platform-channel-handle=3400 /prefetch:2

C:\Users\admin\Wavesor Software\WaveBrowser\wavebrowser.exe

—

wavebrowser.exe

User:

admin

Company:

Wavesor Software

Integrity Level:

LOW

Description:

WaveBrowser

Version:

1.5.21.11

Modules

Images
c:\users\admin\wavesor software\wavebrowser\wavebrowser.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\wavesor software\wavebrowser\1.5.21.11\wavebrowser_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll

2220

"C:\Users\admin\Wavesor Software\SWUpdater\1.3.139.0\SWUpdaterComRegisterShell64.exe" /user

C:\Users\admin\Wavesor Software\SWUpdater\1.3.139.0\SWUpdaterComRegisterShell64.exe

—

SWUpdater.exe

User:

admin

Company:

Wavesor Software

Integrity Level:

MEDIUM

Description:

Wavesor SWUpdater

Exit code:

Version:

1.3.139.0

Modules

Images
c:\users\admin\wavesor software\swupdater\1.3.139.0\swupdatercomregistershell64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

2256

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --disable-quic --message-loop-type-ui --string-annotations --always-read-main-dll --field-trial-handle=5924,i,13762675837816812143,17968670809495949525,262144 --variations-seed-version --mojo-platform-channel-handle=5828 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Edge

Exit code:

Version:

133.0.3065.92

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

2880

"C:\Users\admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=3 --enable-main-frame-before-activation --renderer-client-id=23 --field-trial-handle=6596,i,14392237455291782748,16561830203070990609,262144 --variations-seed-version=15 --mojo-platform-channel-handle=5112 /prefetch:1

C:\Users\admin\Wavesor Software\WaveBrowser\wavebrowser.exe

—

wavebrowser.exe

User:

admin

Company:

Wavesor Software

Integrity Level:

LOW

Description:

WaveBrowser

Version:

1.5.21.11

Modules

Images
c:\users\admin\wavesor software\wavebrowser\wavebrowser.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\wavesor software\wavebrowser\1.5.21.11\wavebrowser_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll

2928

"C:\Users\admin\Wavesor Software\SWUpdater\SWUpdater.exe" /regserver

C:\Users\admin\Wavesor Software\SWUpdater\SWUpdater.exe

—

SWUpdater.exe

User:

admin

Company:

Wavesor Software

Integrity Level:

MEDIUM

Description:

Wavesor SWUpdater

Exit code:

Version:

1.3.139.0

Modules

Images
c:\users\admin\wavesor software\swupdater\swupdater.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

Add for printing

Total events

15 534

Read events

14 612

Write events

851

Delete events

Modification events


(PID) Process:	(6188) Wave Browser.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Wave Browser_RASAPI32
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(6188) Wave Browser.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Wave Browser_RASAPI32
Operation:	write	Name:	EnableAutoFileTracing
Value: 0
(PID) Process:	(6188) Wave Browser.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Wave Browser_RASAPI32
Operation:	write	Name:	EnableConsoleTracing
Value: 0
(PID) Process:	(6188) Wave Browser.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Wave Browser_RASAPI32
Operation:	write	Name:	FileTracingMask
Value:
(PID) Process:	(6188) Wave Browser.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Wave Browser_RASAPI32
Operation:	write	Name:	ConsoleTracingMask
Value:
(PID) Process:	(6188) Wave Browser.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Wave Browser_RASAPI32
Operation:	write	Name:	MaxFileSize
Value: 1048576
(PID) Process:	(6188) Wave Browser.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Wave Browser_RASAPI32
Operation:	write	Name:	FileDirectory
Value: %windir%\tracing
(PID) Process:	(6188) Wave Browser.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Wave Browser_RASMANCS
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(6188) Wave Browser.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Wave Browser_RASMANCS
Operation:	write	Name:	EnableAutoFileTracing
Value: 0
(PID) Process:	(6188) Wave Browser.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Wave Browser_RASMANCS
Operation:	write	Name:	EnableConsoleTracing
Value: 0

Add for printing

Executable files

Suspicious files

557

Text files

513

Unknown types

Dropped files

PID	Process	Filename		Type
148	SWUpdaterSetup.exe	C:\Users\admin\AppData\Local\Temp\GUM3369.tmp\SWUpdater.exe		executable
		MD5:6DC889107D15512BD4A8F544F96B751A	SHA256:0F990FA4CC71C1954B300D2B56CEF02D1C0D3CD33FB4981B02D64F6488A51CE9
6188	Wave Browser.exe	C:\Users\admin\AppData\Local\Temp\Wave\SWUpdaterSetup.exe		executable
		MD5:5813F14260ADB068F4B289003DC97FEF	SHA256:0F7C252831041C590B60F1CA997750C58A8F10A1B1AA8A7B4AD8CE844C7E413F
148	SWUpdaterSetup.exe	C:\Users\admin\AppData\Local\Temp\GUM3369.tmp\psmachine.dll		executable
		MD5:E7FFAB130261A1653EF4604AA5C3CB4B	SHA256:745621681B9A699549A71A1903806DB9B46ACE2A01FFFF70BE8123F2EC749766
148	SWUpdaterSetup.exe	C:\Users\admin\AppData\Local\Temp\GUM3369.tmp\swupdater.dll		executable
		MD5:F8D2134C1DB5B9110C869C6D093F2C12	SHA256:E60ECF8A974A7210DF2F1EA06E1B19CD3DCF5CAC6024C2B1CEF509AA6AF4F1D2
148	SWUpdaterSetup.exe	C:\Users\admin\AppData\Local\Temp\GUM3369.tmp\SWUpdaterBroker.exe		executable
		MD5:AA476B0F86AA1DED20A69B8F70FD6688	SHA256:7F0CF244AE86A32FD9296FF8AE4EBAB2E44663AD90C9F5BEC8BE8E94B51B4FDB
148	SWUpdaterSetup.exe	C:\Users\admin\AppData\Local\Temp\GUM3369.tmp\SWUpdaterOnDemand.exe		executable
		MD5:CBC3F8783D640E261136A75530E30C25	SHA256:CA4AB0A584CB97ECA35848ACE35FBB918E811DBD7CD046C60200E22799428935
148	SWUpdaterSetup.exe	C:\Users\admin\AppData\Local\Temp\GUM3369.tmp\SWUpdaterComRegisterShell64.exe		executable
		MD5:0B66C4A341A2DE0525C4EA3203934629	SHA256:3452CF4B6419BC78C4B59FB907761AA4FBE2B13EDF354194BF571AB2404B8B7C
3432	SWUpdater.exe	C:\Users\admin\Wavesor Software\SWUpdater\1.3.139.0\psuser_64.dll		executable
		MD5:7A7549EDA44453563FA88D594E8C8200	SHA256:9947C3A4ADE9EBA68E6818E2031463691F1BFA614ECBB125BF6E8813DD1975A9
6836	svchost.exe	C:\Users\admin\AppData\Local\Temp\BIT3D3C.tmp		—
		MD5:—	SHA256:—
6836	svchost.exe	C:\Users\admin\AppData\Local\Temp\{569684D7-7E41-4F3E-A2ED-D389C88A1232}-WaveInstaller-v1.5.21.11.exe		—
		MD5:—	SHA256:—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

140

DNS requests

140

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
4900	setup.exe	GET	200	18.66.136.67:80	http://ocsp.rootca1.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPWaOUU8%2B5VZ5%2Fa9jFTaU9pkK3FAQUhBjMhTTsvAyUlC4IWZzHshBOCggCEwdzEkpLy9ROx7U76vGUhC06D6E%3D	US	binary	1.40 Kb	whitelisted
5972	svchost.exe	GET	200	184.30.131.245:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	US	binary	471 b	whitelisted
4900	setup.exe	GET	200	18.245.65.219:80	http://ocsp.r2m02.amazontrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRmbQtwnInkvkvr7BNFR%2BS2lTYPjAQUwDFSzVpQw4J8dHHOy%2Bmc%2BXrrguICEAzNhCMvqqerLFbI47OQv1Q%3D	US	binary	471 b	whitelisted
7420	SIHClient.exe	GET	200	2.22.42.103:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.3.crl	SE	binary	813 b	whitelisted
7420	SIHClient.exe	GET	200	2.22.42.103:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Time-Stamp%20PCA%202010(1).crl	SE	binary	814 b	whitelisted
7420	SIHClient.exe	GET	200	2.22.42.103:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.3.crl	SE	binary	401 b	whitelisted
7420	SIHClient.exe	GET	200	2.22.42.103:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl	SE	binary	813 b	whitelisted
7420	SIHClient.exe	GET	200	2.22.42.103:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl	SE	binary	402 b	whitelisted
7928	msedge.exe	GET	200	150.171.27.11:80	http://edge.microsoft.com/browsernetworktime/time/1/current?cup2key=2:_r4f--Ks6TWknr0mc6fCBh6C7Wz_2nNFS1Fi5rISOYc&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	US	text	100 b	whitelisted
5596	MoUsoCoreWorker.exe	GET	200	2.16.16.148:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	NL	binary	825 b	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4824	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
5596	MoUsoCoreWorker.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5972	svchost.exe	20.190.159.73:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
6188	Wave Browser.exe	107.23.87.66:443	api.wavebrowserbase.com	AMAZON-AES	US	suspicious
476	SWUpdater.exe	18.206.19.43:443	swupdater.com	AMAZON-AES	US	unknown
3988	SWUpdater.exe	18.206.19.43:443	swupdater.com	AMAZON-AES	US	unknown
4092	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
6836	svchost.exe	18.245.86.129:443	cdn.swupdater.com	—	US	suspicious

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59 51.124.78.146	whitelisted
login.live.com	20.190.159.73 40.126.31.67 40.126.31.73 20.190.159.2 20.190.159.0 40.126.31.3 20.190.159.129 20.190.159.71	whitelisted
google.com	142.250.186.142	whitelisted
api.wavebrowserbase.com	107.23.87.66 13.223.126.71 100.30.80.17 34.237.86.53 52.3.205.188 34.237.91.229	unknown
swupdater.com	18.206.19.43 44.207.133.247	unknown
cdn.swupdater.com	18.245.86.129 18.245.86.68 18.245.86.84 18.245.86.19	unknown
crl.microsoft.com	2.16.16.148 2.16.16.155	whitelisted
ocsp.digicert.com	184.30.131.245	whitelisted
client.wns.windows.com	172.211.123.249	whitelisted
dct.wavesecure.net	13.223.126.71 34.237.91.229 107.23.87.66 52.3.205.188 100.30.80.17 34.237.86.53	unknown

Threats

PID	Process	Class	Message
—	—	Potential Corporate Privacy Violation	ET INFO PE EXE or DLL Windows file download HTTP
—	—	Potentially Bad Traffic	ET INFO Executable served from Amazon S3

Add for printing

No debug info

General Info

Wave Browser.exe

EDB7FF3F27109A37E425475790A4618C

D58690DBD9A9C3683FE72D20C18A57030ACFB617

651AB9A8456F76D2A8C63CA903CEDC4D500C6C83FD9689E5E493732A00E57F61

49152:0So3U1o477Q7gb3tUaYcPE6+hTXALAz15B7eA5x/O6X0IknHD6WI3cuGBmcW6KJz:yE1o47XbdUaj+hTXt15tBxXXyDs3ctmp

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Changes the autorun value in the registry

Actions looks like stealing of personal data

SUSPICIOUS

Reads security settings of Internet Explorer

Reads the date of Windows installation

Executable content was dropped or overwritten

Starts itself from another location

Creates/Modifies COM task schedule object

Application launched itself

Searches for installed software

INFO

Checks proxy server information

Reads the computer name

Checks supported languages

Disables trace logs

Reads the software policy settings

Reads the machine GUID from the registry

Reads Environment values

Create files in a temporary directory

The sample compiled with english language support

Process checks computer location settings

Wave updater related mutex has been found

Launching a file from a Registry key

Creates files or folders in the user directory

Creates a software uninstall entry

Application launched itself

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings