Malware analysis https://install.convertwithwave.com?src=d-d-cp22691052656&ob=obgcobedobem&dvc=c&k=&crt=767327656216&adp=&plc=www.francaisfacile.com&tgt=&sl=&cpd=22691052656&iid=wav-cvt&gad_source=5&gad_campaignid=22691052656&gclid=eaiaiqobchmiydhhx4ivkgmvruowbr1kqa1neaeyasaaegj5bfd_bwe Malicious activity

Add for printing

URL:	https://install.convertwithwave.com?src=d-d-cp22691052656&ob=obgcobedobem&dvc=c&k=&crt=767327656216&adp=&plc=www.francaisfacile.com&tgt=&sl=&cpd=22691052656&iid=wav-cvt&gad_source=5&gad_campaignid=22691052656&gclid=eaiaiqobchmiydhhx4ivkgmvruowbr1kqa1neaeyasaaegj5bfd_bwe
Full analysis:	https://app.any.run/tasks/d3663cf6-f38e-4bc5-95e2-a04e738aa25c
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	January 29, 2026, 11:22:16
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	loader stealer arch-exec
Indicators:
MD5:	C0038A2BB862A12AA604787050E85060
SHA1:	B2D6CE3B86DE2D92F942183D3B49299C3CF01FF4
SHA256:	F49BDC2AA2591C969768088E20EDCAD640F9C954665EE49A3FD0F779E3B72F0F
SSDEEP:	6:2lgbn2zWpoFKHbzYyEh6aSL57J6uGVuwUcXYXAfUo17CfXFHDMyAn:2lgbMKHbzHIghkuGVuGC6pJmXFpAn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 240 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 180 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
Google Chrome (133.0.6943.127)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (133.0.3065.92)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (136.0)
Mozilla Maintenance Service (136.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Changes the autorun value in the registry
  - SWUpdater.exe (PID: 3508)
- Actions looks like stealing of personal data
  - wavebrowser.exe (PID: 8160)
SUSPICIOUS
- Reads the date of Windows installation
  - Wave Browser.exe (PID: 4216)
  - setup.exe (PID: 8892)
- Executable content was dropped or overwritten
  - Wave Browser.exe (PID: 4216)
  - SWUpdaterSetup.exe (PID: 6068)
  - SWUpdater.exe (PID: 3508)
  - WaveInstaller-v1.5.24.8.exe (PID: 1824)
  - setup.exe (PID: 8028)
- Starts itself from another location
  - SWUpdater.exe (PID: 3508)
- Creates/Modifies COM task schedule object
  - SWUpdaterComRegisterShell64.exe (PID: 6080)
  - SWUpdaterComRegisterShell64.exe (PID: 5408)
  - SWUpdater.exe (PID: 6948)
  - SWUpdaterComRegisterShell64.exe (PID: 5780)
- Application launched itself
  - setup.exe (PID: 8028)
  - setup.exe (PID: 8892)
  - wavebrowser.exe (PID: 8264)
  - SWUpdater.exe (PID: 8648)
- Searches for installed software
  - setup.exe (PID: 8028)
- Delegate execute modification
  - setup.exe (PID: 8028)
- Connects to unusual port
  - wavebrowser.exe (PID: 8684)
INFO
- Executable content was dropped or overwritten
  - chrome.exe (PID: 5048)
  - chrome.exe (PID: 4128)
- Drops script file
  - chrome.exe (PID: 4128)
  - wavebrowser.exe (PID: 6676)
  - wavebrowser.exe (PID: 8344)
  - wavebrowser.exe (PID: 8892)
  - wavebrowser.exe (PID: 8264)
  - wavebrowser.exe (PID: 4924)
  - wavebrowser.exe (PID: 8432)
  - wavebrowser.exe (PID: 2096)
  - wavebrowser.exe (PID: 6940)
  - wavebrowser.exe (PID: 7232)
  - wavebrowser.exe (PID: 8604)
  - wavebrowser.exe (PID: 3376)
  - wavebrowser.exe (PID: 1672)
- Application launched itself
  - chrome.exe (PID: 4128)
  - chrome.exe (PID: 8404)
- Reads the computer name
  - Wave Browser.exe (PID: 4216)
  - SWUpdater.exe (PID: 3508)
  - SWUpdater.exe (PID: 6948)
  - SWUpdater.exe (PID: 1860)
  - SWUpdater.exe (PID: 5224)
  - SWUpdater.exe (PID: 8648)
  - setup.exe (PID: 8028)
  - setup.exe (PID: 8892)
  - wavebrowser.exe (PID: 8264)
  - SWUpdater.exe (PID: 8736)
  - wavebrowser.exe (PID: 4636)
  - wavebrowser.exe (PID: 8684)
  - wavebrowser.exe (PID: 8160)
  - wavebrowser.exe (PID: 7612)
  - wavebrowser.exe (PID: 2780)
  - wavebrowser.exe (PID: 4828)
- Checks supported languages
  - Wave Browser.exe (PID: 4216)
  - SWUpdaterSetup.exe (PID: 6068)
  - SWUpdater.exe (PID: 3508)
  - SWUpdater.exe (PID: 6948)
  - SWUpdaterComRegisterShell64.exe (PID: 6080)
  - SWUpdaterComRegisterShell64.exe (PID: 5780)
  - SWUpdaterComRegisterShell64.exe (PID: 5408)
  - SWUpdater.exe (PID: 1860)
  - SWUpdater.exe (PID: 5224)
  - SWUpdater.exe (PID: 8648)
  - WaveInstaller-v1.5.24.8.exe (PID: 1824)
  - setup.exe (PID: 8028)
  - setup.exe (PID: 524)
  - setup.exe (PID: 8892)
  - setup.exe (PID: 5600)
  - wavebrowser.exe (PID: 8264)
  - wavebrowser.exe (PID: 664)
  - SWUpdater.exe (PID: 8736)
  - wavebrowser.exe (PID: 8684)
  - wavebrowser.exe (PID: 4636)
  - wavebrowser.exe (PID: 3208)
  - wavebrowser.exe (PID: 8160)
  - wavebrowser.exe (PID: 676)
  - wavebrowser.exe (PID: 6940)
  - wavebrowser.exe (PID: 2780)
  - wavebrowser.exe (PID: 2100)
  - wavebrowser.exe (PID: 7612)
  - wavebrowser.exe (PID: 9072)
  - wavebrowser.exe (PID: 8860)
  - wavebrowser.exe (PID: 8052)
  - wavebrowser.exe (PID: 4664)
  - wavebrowser.exe (PID: 1672)
  - wavebrowser.exe (PID: 8184)
  - wavebrowser.exe (PID: 8780)
  - wavebrowser.exe (PID: 4404)
  - wavebrowser.exe (PID: 7608)
  - wavebrowser.exe (PID: 792)
  - wavebrowser.exe (PID: 5516)
  - wavebrowser.exe (PID: 1156)
  - wavebrowser.exe (PID: 772)
  - wavebrowser.exe (PID: 8312)
  - wavebrowser.exe (PID: 8952)
  - wavebrowser.exe (PID: 148)
  - wavebrowser.exe (PID: 8148)
  - wavebrowser.exe (PID: 6300)
  - wavebrowser.exe (PID: 4372)
  - wavebrowser.exe (PID: 2096)
  - wavebrowser.exe (PID: 1428)
  - wavebrowser.exe (PID: 4828)
  - wavebrowser.exe (PID: 684)
  - wavebrowser.exe (PID: 8432)
  - wavebrowser.exe (PID: 7540)
  - wavebrowser.exe (PID: 8344)
  - wavebrowser.exe (PID: 6500)
  - wavebrowser.exe (PID: 8892)
  - wavebrowser.exe (PID: 4924)
  - wavebrowser.exe (PID: 3376)
  - wavebrowser.exe (PID: 8604)
  - wavebrowser.exe (PID: 6940)
  - wavebrowser.exe (PID: 7232)
  - wavebrowser.exe (PID: 6676)
  - wavebrowser.exe (PID: 8636)
  - wavebrowser.exe (PID: 6484)
  - wavebrowser.exe (PID: 7240)
  - wavebrowser.exe (PID: 6928)
  - wavebrowser.exe (PID: 4332)
  - wavebrowser.exe (PID: 8544)
  - wavebrowser.exe (PID: 1956)
  - wavebrowser.exe (PID: 7472)
  - wavebrowser.exe (PID: 7608)
  - wavebrowser.exe (PID: 8284)
  - wavebrowser.exe (PID: 1516)
  - wavebrowser.exe (PID: 1836)
  - wavebrowser.exe (PID: 3032)
  - wavebrowser.exe (PID: 8892)
  - wavebrowser.exe (PID: 6928)
  - wavebrowser.exe (PID: 5224)
  - wavebrowser.exe (PID: 7708)
  - wavebrowser.exe (PID: 6496)
  - wavebrowser.exe (PID: 9320)
  - wavebrowser.exe (PID: 6692)
  - wavebrowser.exe (PID: 7240)
  - wavebrowser.exe (PID: 1700)
  - wavebrowser.exe (PID: 8496)
  - wavebrowser.exe (PID: 9304)
  - wavebrowser.exe (PID: 6940)
  - wavebrowser.exe (PID: 9312)
  - wavebrowser.exe (PID: 9916)
  - wavebrowser.exe (PID: 10008)
  - wavebrowser.exe (PID: 9664)
  - wavebrowser.exe (PID: 10016)
  - wavebrowser.exe (PID: 10036)
  - wavebrowser.exe (PID: 10024)
  - wavebrowser.exe (PID: 10048)
  - wavebrowser.exe (PID: 1672)
  - wavebrowser.exe (PID: 2332)
  - wavebrowser.exe (PID: 9580)
  - wavebrowser.exe (PID: 10212)
  - wavebrowser.exe (PID: 9648)
- Launching a file from the Downloads directory
  - chrome.exe (PID: 4128)
- Reads the machine GUID from the registry
  - Wave Browser.exe (PID: 4216)
  - setup.exe (PID: 8028)
  - setup.exe (PID: 8892)
  - wavebrowser.exe (PID: 8264)
- Disables trace logs
  - Wave Browser.exe (PID: 4216)
- Checks proxy server information
  - Wave Browser.exe (PID: 4216)
  - SWUpdater.exe (PID: 1860)
  - SWUpdater.exe (PID: 8648)
  - setup.exe (PID: 8028)
  - setup.exe (PID: 8892)
  - wavebrowser.exe (PID: 8264)
  - SWUpdater.exe (PID: 8736)
  - slui.exe (PID: 3164)
- Reads Environment values
  - Wave Browser.exe (PID: 4216)
- Reads security settings of Internet Explorer
  - Wave Browser.exe (PID: 4216)
  - SWUpdater.exe (PID: 3508)
  - setup.exe (PID: 8028)
  - setup.exe (PID: 8892)
  - SWUpdater.exe (PID: 8648)
  - wavebrowser.exe (PID: 8264)
- Create files in a temporary directory
  - Wave Browser.exe (PID: 4216)
  - SWUpdaterSetup.exe (PID: 6068)
  - svchost.exe (PID: 7532)
  - SWUpdater.exe (PID: 8648)
  - WaveInstaller-v1.5.24.8.exe (PID: 1824)
  - setup.exe (PID: 8028)
  - wavebrowser.exe (PID: 8160)
  - wavebrowser.exe (PID: 8264)
- Process checks computer location settings
  - Wave Browser.exe (PID: 4216)
  - SWUpdater.exe (PID: 3508)
  - SWUpdater.exe (PID: 8648)
  - wavebrowser.exe (PID: 8264)
  - wavebrowser.exe (PID: 2100)
  - wavebrowser.exe (PID: 676)
  - wavebrowser.exe (PID: 8160)
  - wavebrowser.exe (PID: 8780)
  - wavebrowser.exe (PID: 8860)
  - wavebrowser.exe (PID: 9072)
  - wavebrowser.exe (PID: 8052)
  - wavebrowser.exe (PID: 8184)
  - wavebrowser.exe (PID: 4404)
  - wavebrowser.exe (PID: 1836)
  - wavebrowser.exe (PID: 3032)
  - wavebrowser.exe (PID: 5224)
  - wavebrowser.exe (PID: 8892)
  - wavebrowser.exe (PID: 6928)
  - wavebrowser.exe (PID: 7708)
  - wavebrowser.exe (PID: 9320)
  - wavebrowser.exe (PID: 7240)
  - wavebrowser.exe (PID: 6496)
  - wavebrowser.exe (PID: 6692)
  - wavebrowser.exe (PID: 1516)
  - wavebrowser.exe (PID: 1700)
  - wavebrowser.exe (PID: 6940)
  - wavebrowser.exe (PID: 9312)
  - wavebrowser.exe (PID: 9304)
  - wavebrowser.exe (PID: 8496)
  - wavebrowser.exe (PID: 9664)
  - wavebrowser.exe (PID: 10048)
  - wavebrowser.exe (PID: 10016)
  - wavebrowser.exe (PID: 10036)
  - wavebrowser.exe (PID: 9580)
  - wavebrowser.exe (PID: 9648)
- The sample compiled with english language support
  - Wave Browser.exe (PID: 4216)
  - SWUpdaterSetup.exe (PID: 6068)
  - SWUpdater.exe (PID: 3508)
  - WaveInstaller-v1.5.24.8.exe (PID: 1824)
  - setup.exe (PID: 8028)
- Launching a file from a Registry key
  - SWUpdater.exe (PID: 3508)
- Wave updater related mutex has been found
  - SWUpdater.exe (PID: 3508)
  - SWUpdater.exe (PID: 6948)
  - SWUpdater.exe (PID: 1860)
  - SWUpdater.exe (PID: 8648)
  - SWUpdater.exe (PID: 8736)
- Creates files or folders in the user directory
  - setup.exe (PID: 8028)
  - setup.exe (PID: 524)
  - setup.exe (PID: 8892)
  - wavebrowser.exe (PID: 664)
  - wavebrowser.exe (PID: 8264)
  - wavebrowser.exe (PID: 8684)
- Creates a software uninstall entry
  - setup.exe (PID: 8028)
- Reads CPU info
  - wavebrowser.exe (PID: 8264)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

298

Monitored processes

146

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

148

"C:\Users\admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --force-high-res-timeticks=disabled --field-trial-handle=2012,i,3956268043274189108,1942717514518465911,262144 --variations-seed-version=15 --mojo-platform-channel-handle=7016 /prefetch:8

C:\Users\admin\Wavesor Software\WaveBrowser\wavebrowser.exe

—

wavebrowser.exe

User:

admin

Company:

Wavesor Software

Integrity Level:

LOW

Description:

WaveBrowser

Exit code:

Version:

1.5.24.8

Modules

Images
c:\users\admin\wavesor software\wavebrowser\wavebrowser.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\wavesor software\wavebrowser\1.5.24.8\wavebrowser_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll

416

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --disable-quic --string-annotations --field-trial-handle=6444,i,13192155955516187431,2913002768132431787,262144 --disable-features=HttpsFirstBalancedMode,HttpsFirstModeV2,HttpsOnlyMode,HttpsUpgrades --variations-seed-version=20251218-201203.402000 --mojo-platform-channel-handle=6388 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

LOW

Description:

Google Chrome

Exit code:

Version:

133.0.6943.127

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\133.0.6943.127\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll

524

C:\Users\admin\AppData\Local\Temp\nslF358.tmp\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\WaveBrowser\User Data\Crashpad" --url=https://sentry.epresources.io/api/37/minidump/?sentry_key=6d70218a5e72941a159dd0c8fde06ae8 --annotation=channel= --annotation=plat=Win64 --annotation=prod=WaveBrowser --annotation=ver=1.5.24.8 --initial-client-data=0x280,0x284,0x288,0x25c,0x28c,0x7ff681ef66b8,0x7ff681ef66c4,0x7ff681ef66d0

C:\Users\admin\AppData\Local\Temp\nslF358.tmp\setup.exe

—

setup.exe

User:

admin

Company:

Wavesor Software

Integrity Level:

MEDIUM

Description:

WaveBrowser Installer

Exit code:

Version:

1.5.24.8

Modules

Images
c:\users\admin\appdata\local\temp\nslf358.tmp\setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\shell32.dll

664

"C:\Users\admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\WaveBrowser\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\WaveBrowser\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\WaveBrowser\User Data" --url=https://sentry.epresources.io/api/37/minidump/?sentry_key=6d70218a5e72941a159dd0c8fde06ae8 --annotation=channel= --annotation=iid=wav-cvt --annotation=plat=Win64 --annotation=prod=WaveBrowser --annotation=src=d-d-cp22691052656-lp0-obgc-wav-igoXBufbXlUuGyFKGRxPPw-ab15-w64-brwsr --annotation=uc=20260129 --annotation=uid=42932790-496b-49bf-8c38-710c9a3ab2fb --annotation=ver=1.5.24.8 --initial-client-data=0x128,0x12c,0x130,0xe4,0x134,0x7ffd653e62e0,0x7ffd653e62ec,0x7ffd653e62f8

C:\Users\admin\Wavesor Software\WaveBrowser\wavebrowser.exe

—

wavebrowser.exe

User:

admin

Company:

Wavesor Software

Integrity Level:

MEDIUM

Description:

WaveBrowser

Version:

1.5.24.8

Modules

Images
c:\users\admin\wavesor software\wavebrowser\wavebrowser.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\wavesor software\wavebrowser\1.5.24.8\wavebrowser_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\shcore.dll
c:\windows\system32\combase.dll

676

"C:\Users\admin\Wavesor Software\WaveBrowser\wavebrowser.exe" --type=renderer --extension-process --enable-dinosaur-easter-egg-alt-images --force-high-res-timeticks=disabled --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=3 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=2012,i,3956268043274189108,1942717514518465911,262144 --variations-seed-version=15 --mojo-platform-channel-handle=3708 /prefetch:2

C:\Users\admin\Wavesor Software\WaveBrowser\wavebrowser.exe

—

wavebrowser.exe

User:

admin

Company:

Wavesor Software

Integrity Level:

LOW

Description:

WaveBrowser

Exit code:

Version:

1.5.24.8

Modules

Images
c:\users\admin\wavesor software\wavebrowser\wavebrowser.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\wavesor software\wavebrowser\1.5.24.8\wavebrowser_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll

684

C:\Users\admin\Wavesor Software\WaveBrowser\wavebrowser.exe

—

wavebrowser.exe

User:

admin

Company:

Wavesor Software

Integrity Level:

LOW

Description:

WaveBrowser

Exit code:

Version:

1.5.24.8

Modules

Images
c:\users\admin\wavesor software\wavebrowser\wavebrowser.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\wavesor software\wavebrowser\1.5.24.8\wavebrowser_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll

772

C:\Users\admin\Wavesor Software\WaveBrowser\wavebrowser.exe

—

wavebrowser.exe

User:

admin

Company:

Wavesor Software

Integrity Level:

LOW

Description:

WaveBrowser

Exit code:

Version:

1.5.24.8

Modules

Images
c:\users\admin\wavesor software\wavebrowser\wavebrowser.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\wavesor software\wavebrowser\1.5.24.8\wavebrowser_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll

792

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --disable-quic --string-annotations --field-trial-handle=4320,i,13192155955516187431,2913002768132431787,262144 --disable-features=HttpsFirstBalancedMode,HttpsFirstModeV2,HttpsOnlyMode,HttpsUpgrades --variations-seed-version=20251218-201203.402000 --mojo-platform-channel-handle=6068 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

LOW

Description:

Google Chrome

Exit code:

Version:

133.0.6943.127

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\133.0.6943.127\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll

792

C:\Users\admin\Wavesor Software\WaveBrowser\wavebrowser.exe

—

wavebrowser.exe

User:

admin

Company:

Wavesor Software

Integrity Level:

LOW

Description:

WaveBrowser

Exit code:

Version:

1.5.24.8

Modules

Images
c:\users\admin\wavesor software\wavebrowser\wavebrowser.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\wavesor software\wavebrowser\1.5.24.8\wavebrowser_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll

1156

C:\Users\admin\Wavesor Software\WaveBrowser\wavebrowser.exe

—

wavebrowser.exe

User:

admin

Company:

Wavesor Software

Integrity Level:

LOW

Description:

WaveBrowser

Exit code:

Version:

1.5.24.8

Modules

Images
c:\users\admin\wavesor software\wavebrowser\wavebrowser.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\wavesor software\wavebrowser\1.5.24.8\wavebrowser_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll

Add for printing

Total events

18 268

Read events

17 261

Write events

936

Delete events

Modification events


(PID) Process:	(4216) Wave Browser.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Wave Browser_RASAPI32
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(4216) Wave Browser.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Wave Browser_RASAPI32
Operation:	write	Name:	EnableAutoFileTracing
Value: 0
(PID) Process:	(4216) Wave Browser.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Wave Browser_RASAPI32
Operation:	write	Name:	EnableConsoleTracing
Value: 0
(PID) Process:	(4216) Wave Browser.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Wave Browser_RASAPI32
Operation:	write	Name:	FileTracingMask
Value:
(PID) Process:	(4216) Wave Browser.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Wave Browser_RASAPI32
Operation:	write	Name:	ConsoleTracingMask
Value:
(PID) Process:	(4216) Wave Browser.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Wave Browser_RASAPI32
Operation:	write	Name:	MaxFileSize
Value: 1048576
(PID) Process:	(4216) Wave Browser.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Wave Browser_RASAPI32
Operation:	write	Name:	FileDirectory
Value: %windir%\tracing
(PID) Process:	(4216) Wave Browser.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Wave Browser_RASMANCS
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(4216) Wave Browser.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Wave Browser_RASMANCS
Operation:	write	Name:	EnableAutoFileTracing
Value: 0
(PID) Process:	(4216) Wave Browser.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Wave Browser_RASMANCS
Operation:	write	Name:	EnableConsoleTracing
Value: 0

Add for printing

Executable files

Suspicious files

824

Text files

744

Unknown types

Dropped files

PID	Process	Filename		Type
4128	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\ClientCertificates\LOG.old~RF1e5baa.TMP		—
		MD5:—	SHA256:—
4128	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\ClientCertificates\LOG.old		—
		MD5:—	SHA256:—
4128	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials\LOG.old~RF1e5baa.TMP		—
		MD5:—	SHA256:—
4128	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SegmentInfoDB\LOG.old~RF1e5bba.TMP		—
		MD5:—	SHA256:—
4128	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\chrome_cart_db\LOG.old~RF1e5bba.TMP		—
		MD5:—	SHA256:—
4128	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SegmentInfoDB\LOG.old		—
		MD5:—	SHA256:—
4128	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\chrome_cart_db\LOG.old		—
		MD5:—	SHA256:—
4128	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials\LOG.old		—
		MD5:—	SHA256:—
4128	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalDB\LOG.old~RF1e5bba.TMP		—
		MD5:—	SHA256:—
4128	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\LOG.old~RF1e5bba.TMP		—
		MD5:—	SHA256:—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

476

TCP/UDP connections

193

DNS requests

237

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5048	chrome.exe	GET	200	216.58.206.46:80	http://clients2.google.com/time/1/current?cup2key=8:auWxTpJ3DRRiWowtp0meNAj1sNbAIK37Zv3vJofjJKE&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	unknown	—	—	whitelisted
5048	chrome.exe	GET	200	142.250.187.234:443	https://safebrowsingohttpgateway.googleapis.com/v1/ohttp/hpkekeyconfig?key=AIzaSyA2KlwBX3mkFo30om9LUFYQhpqLoa_BNhE	unknown	binary	41 b	whitelisted
5048	chrome.exe	POST	200	142.251.127.84:443	https://accounts.google.com/ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard	unknown	text	17 b	whitelisted
5048	chrome.exe	GET	200	172.217.208.94:443	https://clientservices.googleapis.com/chrome-variations/seed?osname=win&channel=stable&milestone=133	unknown	compressed	81.2 Kb	whitelisted
5048	chrome.exe	GET	200	100.49.190.52:443	https://install.convertwithwave.com/?src=d-d-cp22691052656&ob=obgcobedobem&dvc=c&k=&crt=767327656216&adp=&plc=www.francaisfacile.com&tgt=&sl=&cpd=22691052656&iid=wav-cvt&gad_source=5&gad_campaignid=22691052656&gclid=eaiaiqobchmiydhhx4ivkgmvruowbr1kqa1neaeyasaaegj5bfd_bwe	unknown	html	3.09 Kb	unknown
5048	chrome.exe	GET	200	100.49.190.52:443	https://install.convertwithwave.com/assets/index-71315e89.css	unknown	text	128 Kb	unknown
5048	chrome.exe	GET	200	100.49.190.52:443	https://install.convertwithwave.com/assets/index-a65adea6.js	unknown	text	128 Kb	unknown
5048	chrome.exe	GET	200	23.53.40.208:443	https://use.typekit.net/rgb4vnm.css	unknown	text	4.63 Kb	whitelisted
5048	chrome.exe	GET	200	23.53.40.208:443	https://use.typekit.net/vpi5heu.css	unknown	text	3.90 Kb	whitelisted
5048	chrome.exe	GET	200	23.53.40.208:443	https://use.typekit.net/akm6clp.css	unknown	text	1.20 Kb	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	Not routed	—	whitelisted
7600	RUXIMICS.exe	40.127.240.158:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
6768	MoUsoCoreWorker.exe	40.127.240.158:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
876	svchost.exe	40.127.240.158:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
—	—	4.213.25.242:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
4	System	192.168.100.255:138	—	Not routed	—	whitelisted
5048	chrome.exe	142.250.187.234:443	safebrowsingohttpgateway.googleapis.com	GOOGLE	US	whitelisted
5048	chrome.exe	216.58.206.46:80	clients2.google.com	GOOGLE	US	whitelisted
5048	chrome.exe	172.217.208.94:443	clientservices.googleapis.com	GOOGLE	US	whitelisted
5048	chrome.exe	142.251.127.84:443	accounts.google.com	GOOGLE	US	whitelisted

DNS requests

Domain	IP	Reputation
self.events.data.microsoft.com	20.189.173.16 51.116.246.106	whitelisted
google.com	142.250.185.174	whitelisted
client.wns.windows.com	4.213.25.242	whitelisted
clients2.google.com	216.58.206.46	whitelisted
safebrowsingohttpgateway.googleapis.com	142.250.187.234 142.251.208.170 142.251.141.106 142.250.184.234 142.251.141.74 216.58.206.74 142.250.185.138 142.251.141.138 142.250.185.170 172.217.16.170 142.250.201.74 172.217.18.10 172.217.16.202 142.251.208.10 172.217.20.138 142.251.140.170	whitelisted
clientservices.googleapis.com	172.217.208.94	whitelisted
install.convertwithwave.com	100.49.190.52 100.51.70.87 67.202.20.161 107.23.138.210 35.171.96.1 44.216.143.40	unknown
accounts.google.com	142.251.127.84	whitelisted
use.typekit.net	23.53.40.208 23.53.40.177	whitelisted
p.typekit.net	23.53.41.97 23.53.40.177	whitelisted

Threats

PID	Process	Class	Message
5048	chrome.exe	Not Suspicious Traffic	INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
5048	chrome.exe	Not Suspicious Traffic	INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
5048	chrome.exe	Not Suspicious Traffic	INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
876	svchost.exe	Unknown Traffic	ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
5048	chrome.exe	Potentially Bad Traffic	ET INFO PE EXE or DLL Windows file download HTTP
5048	chrome.exe	Potentially Bad Traffic	ET INFO Executable served from Amazon S3
7532	svchost.exe	Potentially Bad Traffic	ET INFO PE EXE or DLL Windows file download HTTP
7532	svchost.exe	Potentially Bad Traffic	ET INFO Executable served from Amazon S3
8028	setup.exe	Misc activity	ET INFO Observed UA-CPU Header

Add for printing

No debug info

General Info

https://install.convertwithwave.com?src=d-d-cp22691052656&ob=obgcobedobem&dvc=c&k=&crt=767327656216&adp=&plc=www.francaisfacile.com&tgt=&sl=&cpd=22691052656&iid=wav-cvt&gad_source=5&gad_campaignid=22691052656&gclid=eaiaiqobchmiydhhx4ivkgmvruowbr1kqa1neaeyasaaegj5bfd_bwe

C0038A2BB862A12AA604787050E85060

B2D6CE3B86DE2D92F942183D3B49299C3CF01FF4

F49BDC2AA2591C969768088E20EDCAD640F9C954665EE49A3FD0F779E3B72F0F

6:2lgbn2zWpoFKHbzYyEh6aSL57J6uGVuwUcXYXAfUo17CfXFHDMyAn:2lgbMKHbzHIghkuGVuGC6pJmXFpAn

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Changes the autorun value in the registry

Actions looks like stealing of personal data

SUSPICIOUS

Reads the date of Windows installation

Executable content was dropped or overwritten

Starts itself from another location

Creates/Modifies COM task schedule object

Application launched itself

Searches for installed software

Delegate execute modification

Connects to unusual port

INFO

Executable content was dropped or overwritten

Drops script file

Application launched itself

Reads the computer name

Checks supported languages

Launching a file from the Downloads directory

Reads the machine GUID from the registry

Disables trace logs

Checks proxy server information

Reads Environment values

Reads security settings of Internet Explorer

Create files in a temporary directory

Process checks computer location settings

The sample compiled with english language support

Launching a file from a Registry key

Wave updater related mutex has been found

Creates files or folders in the user directory

Creates a software uninstall entry

Reads CPU info

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings