File name: WavesLicenseEngine.bundle.exe

Full analysis: https://app.any.run/tasks/cf925575-a71a-4640-a478-fe4182e180a2
Verdict: Suspicious activity
Analysis date: September 12, 2019, 15:04:14
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 67F71BD40042BC7D42119E7BD0A0DDD1
SHA1: A1CB97861E8FC720FC353840F9EAF7532781C19E
SHA256: A2AB4B08ACA7872619AD2917ED1119EE5117BB6ECFDAB01A4AE5215C1CF6C4AD
SSDEEP: 49152:8bSI4K9kklU1kpk42tdJ/8bcU1KPh988GUJDXA8RIgfnjCr:FI4K9XSkpkVdR8BI988GUJdIgfnjm

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • No malicious indicators.
  • SUSPICIOUS
    • Creates files in the program directory
      • WavesLicenseEngine.bundle.exe (PID: 2180)
    • Reads internet explorer settings
      • WavesLicenseEngine.bundle.exe (PID: 2180)
    • Writes to a desktop.ini file (may be used to cloak folders)
      • WavesLicenseEngine.bundle.exe (PID: 2180)
    • Executable content was dropped or overwritten
      • WavesLicenseEngine.bundle.exe (PID: 2180)
  • INFO
    • Dropped object may contain Bitcoin addresses
      • WavesLicenseEngine.bundle.exe (PID: 2180)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2018:09:30 20:01:44+02:00
PEType: PE32
LinkerVersion: 14
CodeSize: 190976
InitializedDataSize: 440832
UninitializedDataSize: -
EntryPoint: 0x1d549
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 30-Sep-2018 18:01:44
Detected languages:
  • English - United States
  • Process Default Language
Debug artifacts:
  • D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000120

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 6
Time date stamp: 30-Sep-2018 18:01:44
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
.text | 0x00001000 | 0x0002E924 | 0x0002EA00 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.69845
.rdata | 0x00030000 | 0x00009A8C | 0x00009C00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.13014
.data | 0x0003A000 | 0x000203A0 | 0x00000C00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 3.23545
.gfids | 0x0005B000 | 0x000000E8 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 2.09308
.rsrc | 0x0005C000 | 0x0005EFAC | 0x0005F000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.10097
.reloc | 0x000BB000 | 0x00001FDC | 0x00002000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 6.67876

Resources

Title | Entropy | Size | Codepage | Language | Type
1 | 5.26192 | 1875 | Latin 1 / Western European | English - United States | RT_MANIFEST
2 | 4.16444 | 67624 | Latin 1 / Western European | Process Default Language | RT_ICON
3 | 4.57078 | 16936 | Latin 1 / Western European | Process Default Language | RT_ICON
4 | 4.72664 | 9640 | Latin 1 / Western European | Process Default Language | RT_ICON
5 | 5.30274 | 4264 | Latin 1 / Western European | Process Default Language | RT_ICON
6 | 5.70579 | 1128 | Latin 1 / Western European | Process Default Language | RT_ICON
7 | 3.1586 | 482 | Latin 1 / Western European | English - United States | RT_STRING
8 | 3.11685 | 460 | Latin 1 / Western European | English - United States | RT_STRING
9 | 3.15447 | 494 | Latin 1 / Western European | English - United States | RT_STRING
10 | 2.99727 | 326 | Latin 1 / Western European | English - United States | RT_STRING

Imports

KERNEL32.dll
USER32.dll (delay-loaded)
gdiplus.dll
No data.
All screenshots are available in the full report
Total processes: 40
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start -> waveslicenseengine.bundle.exe -> waveslicenseengine.bundle.exe (no specs)

Process information

PID | CMD | Path | Indicators | Parent process
2180 | "C:\Users\admin\AppData\Local\Temp\WavesLicenseEngine.bundle.exe" | C:\Users\admin\AppData\Local\Temp\WavesLicenseEngine.bundle.exe | - | explorer.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (images):
  c:\users\admin\appdata\local\temp\waveslicenseengine.bundle.exe
  c:\systemroot\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\usp10.dll

3708 | "C:\Users\admin\AppData\Local\Temp\WavesLicenseEngine.bundle.exe" | C:\Users\admin\AppData\Local\Temp\WavesLicenseEngine.bundle.exe | - | explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540
Modules (images):
  c:\users\admin\appdata\local\temp\waveslicenseengine.bundle.exe
  c:\systemroot\system32\ntdll.dll
Total events: 50
Read events: 46
Write events: 4
Delete events: 0

Modification events

(PID) Process: (2180) WavesLicenseEngine.bundle.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 0

(PID) Process: (2180) WavesLicenseEngine.bundle.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 1
Executable files: 6
Suspicious files: 0
Text files: 2
Unknown types: 0

Dropped files

PID | Process | Filename | Type
2180 | WavesLicenseEngine.bundle.exe | C:\ProgramData\Waves Audio\Modules\WavesLicenseEngine.bundle\desktop.ini | ini
  MD5: 2062A28B5A17126042A97D85C30F2017
  SHA256: AA76D44F83486CDD2CD6E0D8C08BDF2D0BC863F1782B018953D00013EF2AB4FC
2180 | WavesLicenseEngine.bundle.exe | C:\ProgramData\Waves Audio\Modules\WavesLicenseEngine.bundle\Contents\Win32\WavesLicenseEngine.dll | executable
  MD5: F3FD05FC26FA5C9F62A844DE60068C85
  SHA256: 372B6872A15CEB801787300DB85E9529F28E7E92A59FA1606F8D01038E896F78
2180 | WavesLicenseEngine.bundle.exe | C:\ProgramData\Waves Audio\Modules\WavesLicenseEngine.bundle\Contents\Win64\WavesLicenseEngine.dll | executable
  MD5: 7C2486EAD09373A86B5CB2FDFE818F41
  SHA256: A40F0D8EE64DD7ECCC96360F8C8DFED3CBDF62F9B79B1E3C29F60710A8349464
2180 | WavesLicenseEngine.bundle.exe | C:\ProgramData\Waves Audio\Modules\WavesLicenseEngine.bundle\Contents\Win32\curl.exe | executable
  MD5: F9C33DDB983611732CA68240324AC003
  SHA256: 113B9963011999DC2FC5C1231230AE9580079D9342517F67FC9215C5E7CD4E3B
2180 | WavesLicenseEngine.bundle.exe | C:\ProgramData\Waves Audio\Modules\WavesLicenseEngine.bundle\Contents\Win32\ssleay32.dll | executable
  MD5: 16AF443B6944EC540FBF7C549D8EB154
  SHA256: AFFCB9A74D5A0784BC9B8FA10EE0B128D7BF4B752C587A044D5019F2F9435740
2180 | WavesLicenseEngine.bundle.exe | C:\ProgramData\Waves Audio\Modules\WavesLicenseEngine.bundle\WavesLicenseEngine.ico | image
  MD5: B4BF8090CC52BCB8587DDD89EF1EC3D2
  SHA256: 6387BA600ADD1FD6E72D607AB11A853947551384404CF8B9B20578E77F90942A
2180 | WavesLicenseEngine.bundle.exe | C:\ProgramData\Waves Audio\Modules\WavesLicenseEngine.bundle\Contents\Win32\libeay32.dll | executable
  MD5: BD4739F7AF4CD0FF8E6585988F551534
  SHA256: 502E60F760C92DCE0EFEA1E24D6FECD9CC7985D92BE8BC5B56CDBFB849A05A57
2180 | WavesLicenseEngine.bundle.exe | C:\ProgramData\Waves Audio\Modules\WavesLicenseEngine.bundle\Contents\SharedSupport\wle.exe | executable
  MD5: EF39D6BAD9E7086527995DA4F821A786
  SHA256: 9BBC7B6B53C7F3CF496BDD9B6E28BDB23539952A18EF28D4505D7F007936CC9A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info