Edit tour

Windows Analysis Report
WaveInstaller.exe

Overview

General Information

Sample name:	WaveInstaller.exe
Analysis ID:	1502445
MD5:	215d509bc217f7878270c161763b471e
SHA1:	bfe0a2580d54cfa28d3ff5ef8dc754fdc73adcd9
SHA256:	984dfc64c10f96c5350d6d9216a5d7abfece1658dfc93925f7a6b0c80817c886
Tags:	exe
Infos:

Detection

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

.NET source code contains potential unpacker

Uses Windows timers to delay execution

Yara detected Costura Assembly Loader

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Potential time zone aware malware

Program does not show much activity (idle)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

WaveInstaller.exe (PID: 7464 cmdline: "C:\Users\user\Desktop\WaveInstaller.exe" MD5: 215D509BC217F7878270C161763B471E)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
WaveInstaller.exe	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000000.1637430102.0000000000B82000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.2895806482.00000000031A1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: WaveInstaller.exe PID: 7464	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.WaveInstaller.exe.b80000.0.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://cdn.getwave.gg/bootstrapper/WaveWindows.exe-Wave	Avira URL Cloud: Label: malware
Source: https://cdn.getwave.gg/bootstrapper/WaveWindows.exeio	Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Source: https://cdn.getwave.gg/bootstrapper/WaveWindows.exe-Wave

Virustotal: Detection: 11%

Perma Link

Multi AV Scanner detection for submitted file

Source: WaveInstaller.exe	ReversingLabs: Detection: 31%
Source: WaveInstaller.exe	Virustotal: Detection: 44%			Perma Link

Source: WaveInstaller.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: WaveInstaller.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\imaxi\Desktop\WaveInstaller\obj\Release\WaveInstaller.pdb source: WaveInstaller.exe
Source:	Binary string: costura.costura.pdb.compressed source: WaveInstaller.exe
Source:	Binary string: costura.costura.pdb.compressed\|\|\|Costura.pdb\|6C6000A5EAF8579850AB82A89BD6268776EB51AD\|2608 source: WaveInstaller.exe
Source:	Binary string: costura=costura.costura.dll.compressed=costura.costura.pdb.compressed;microsoft.bcl.asyncinterfacesicostura.microsoft.bcl.asyncinterfaces.dll.compressed source: WaveInstaller.exe

Source: WaveInstaller.exe	String found in binary or memory: https://cdn.getwave.gg/bootstrapper/WaveWindows.exe-Wave
Source: WaveInstaller.exe, 00000000.00000002.2895806482.00000000031A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.getwave.gg/bootstrapper/WaveWindows.exeio
Source: WaveInstaller.exe, 00000000.00000002.2895806482.00000000031A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/dxgi/wave-binaries/raw/main/CefSharp.Common.124.3.8.rar
Source: WaveInstaller.exe	String found in binary or memory: https://github.com/dxgi/wave-binaries/raw/main/CefSharp.Common.124.3.8.rar1CefSharp.Wpf.124.3.8.rar
Source: WaveInstaller.exe	String found in binary or memory: https://github.com/dxgi/wave-binaries/raw/main/CefSharp.Wpf.124.3.8.rar
Source: WaveInstaller.exe	String found in binary or memory: https://github.com/dxgi/wave-binaries/raw/main/Luau-x64.rar
Source: WaveInstaller.exe	String found in binary or memory: https://github.com/dxgi/wave-binaries/raw/main/Wave-x64.rar
Source: WaveInstaller.exe, 00000000.00000002.2895806482.00000000031A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.nuget.org/api/v2/package/chromiumembeddedframework.runtime.win-x86/124.3.8
Source: WaveInstaller.exe	String found in binary or memory: https://www.nuget.org/api/v2/package/chromiumembeddedframework.runtime.win-x86/124.3.87CefSharp.Comm

Source: WaveInstaller.exe, 00000000.00000002.2894838722.000000000133E000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: OriginalFilenameclr.dllT vs WaveInstaller.exe

Source: WaveInstaller.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: WaveInstaller.exe, MainWindow.cs

Suspicious URL: 'https://www.nuget.org/api/v2/package/chromiumembeddedframework.runtime.win-x86/124.3.8'

Source: classification engine

Classification label: mal76.evad.winEXE@1/0@0/0

Source: C:\Users\user\Desktop\WaveInstaller.exe

Mutant created: NULL

Source: WaveInstaller.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: WaveInstaller.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\WaveInstaller.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: WaveInstaller.exe	ReversingLabs: Detection: 31%
Source: WaveInstaller.exe	Virustotal: Detection: 44%

Source: WaveInstaller.exe	String found in binary or memory: :includes/images/installer.png0includes/images/logo.png
Source: WaveInstaller.exe	String found in binary or memory: Includes/Images/Installer.png
Source: WaveInstaller.exe	String found in binary or memory: The installation process will take some time. Sit back, relax and let this process finish. Please do not turn off your computer.-Installation Completed

Source: C:\Users\user\Desktop\WaveInstaller.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Section loaded: msvcp140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Section loaded: d3d9.dll	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Section loaded: msctfui.dll	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Section loaded: uiautomationcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Section loaded: d3dcompiler_47.dll	Jump to behavior

Source: C:\Users\user\Desktop\WaveInstaller.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{41945702-8302-44A6-9445-AC98E8AFA086}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\WaveInstaller.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: WaveInstaller.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: WaveInstaller.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: WaveInstaller.exe

Static file information: File size 2377216 > 1048576

Source: WaveInstaller.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x210c00

Source: WaveInstaller.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: WaveInstaller.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\Users\imaxi\Desktop\WaveInstaller\obj\Release\WaveInstaller.pdb source: WaveInstaller.exe
Source:	Binary string: costura.costura.pdb.compressed source: WaveInstaller.exe
Source:	Binary string: costura.costura.pdb.compressed\|\|\|Costura.pdb\|6C6000A5EAF8579850AB82A89BD6268776EB51AD\|2608 source: WaveInstaller.exe
Source:	Binary string: costura=costura.costura.dll.compressed=costura.costura.pdb.compressed;microsoft.bcl.asyncinterfacesicostura.microsoft.bcl.asyncinterfaces.dll.compressed source: WaveInstaller.exe

Data Obfuscation

.NET source code contains potential unpacker

Source: WaveInstaller.exe, AssemblyLoader.cs

.Net Code: ReadFromEmbeddedResources System.Reflection.Assembly.Load(byte[])

Yara detected Costura Assembly Loader

Source: Yara match	File source: WaveInstaller.exe, type: SAMPLE
Source: Yara match	File source: 0.0.WaveInstaller.exe.b80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1637430102.0000000000B82000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2895806482.00000000031A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: WaveInstaller.exe PID: 7464, type: MEMORYSTR

Source: WaveInstaller.exe

Static PE information: 0x8C34F576 [Sat Jul 16 11:22:30 2044 UTC]

Source: C:\Users\user\Desktop\WaveInstaller.exe	Code function: 0_2_018A4442 push esp; retf	0_2_018A4451
Source: C:\Users\user\Desktop\WaveInstaller.exe	Code function: 0_2_018A1762 pushfd ; iretd	0_2_018A1779
Source: C:\Users\user\Desktop\WaveInstaller.exe	Code function: 0_2_018A3F7A pushad ; iretd	0_2_018A3F89

Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Uses Windows timers to delay execution

Source: C:\Users\user\Desktop\WaveInstaller.exe	User Timer Set: Timeout: 125ms	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	User Timer Set: Timeout: 10ms	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	User Timer Set: Timeout: 1ms	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	User Timer Set: Timeout: 985ms	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	User Timer Set: Timeout: 1ms	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	User Timer Set: Timeout: 125ms	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	User Timer Set: Timeout: 1ms	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	User Timer Set: Timeout: 1ms	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	User Timer Set: Timeout: 1ms	Jump to behavior

Source: C:\Users\user\Desktop\WaveInstaller.exe	Memory allocated: 15E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Memory allocated: 31A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Memory allocated: 2FA0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\WaveInstaller.exe

System information queried: CurrentTimeZoneInformation

Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\WaveInstaller.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\WaveInstaller.exe	Queries volume information: C:\Users\user\Desktop\WaveInstaller.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationTypes\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationTypes.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationProvider\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationProvider.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\WaveInstaller.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 DLL Side-Loading	11 Virtualization/Sandbox Evasion	OS Credential Dumping	1 System Time Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	LSASS Memory	11 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Software Packing	Security Account Manager	12 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Timestomp	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
WaveInstaller.exe	32%	ReversingLabs	Win32.Trojan.Generic
WaveInstaller.exe	45%	Virustotal		Browse

Source	Detection	Scanner	Label	Link
https://github.com/dxgi/wave-binaries/raw/main/CefSharp.Common.124.3.8.rar	0%	Avira URL Cloud	safe
https://github.com/dxgi/wave-binaries/raw/main/CefSharp.Wpf.124.3.8.rar	0%	Avira URL Cloud	safe
https://www.nuget.org/api/v2/package/chromiumembeddedframework.runtime.win-x86/124.3.8	0%	Avira URL Cloud	safe
https://www.nuget.org/api/v2/package/chromiumembeddedframework.runtime.win-x86/124.3.87CefSharp.Comm	0%	Avira URL Cloud	safe
https://cdn.getwave.gg/bootstrapper/WaveWindows.exe-Wave	100%	Avira URL Cloud	malware
https://github.com/dxgi/wave-binaries/raw/main/Wave-x64.rar	0%	Avira URL Cloud	safe
https://github.com/dxgi/wave-binaries/raw/main/Luau-x64.rar	0%	Avira URL Cloud	safe
https://github.com/dxgi/wave-binaries/raw/main/CefSharp.Wpf.124.3.8.rar	0%	Virustotal		Browse
https://www.nuget.org/api/v2/package/chromiumembeddedframework.runtime.win-x86/124.3.8	0%	Virustotal		Browse
https://cdn.getwave.gg/bootstrapper/WaveWindows.exeio	100%	Avira URL Cloud	malware
https://github.com/dxgi/wave-binaries/raw/main/CefSharp.Common.124.3.8.rar1CefSharp.Wpf.124.3.8.rar	0%	Avira URL Cloud	safe
https://github.com/dxgi/wave-binaries/raw/main/CefSharp.Common.124.3.8.rar	0%	Virustotal		Browse
https://github.com/dxgi/wave-binaries/raw/main/Luau-x64.rar	0%	Virustotal		Browse
https://github.com/dxgi/wave-binaries/raw/main/Wave-x64.rar	0%	Virustotal		Browse
https://github.com/dxgi/wave-binaries/raw/main/CefSharp.Common.124.3.8.rar1CefSharp.Wpf.124.3.8.rar	0%	Virustotal		Browse
https://cdn.getwave.gg/bootstrapper/WaveWindows.exe-Wave	11%	Virustotal		Browse
https://www.nuget.org/api/v2/package/chromiumembeddedframework.runtime.win-x86/124.3.87CefSharp.Comm	0%	Virustotal		Browse

Name	Source	Malicious	Antivirus Detection	Reputation
https://cdn.getwave.gg/bootstrapper/WaveWindows.exe-Wave	WaveInstaller.exe	false	11%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://github.com/dxgi/wave-binaries/raw/main/CefSharp.Wpf.124.3.8.rar	WaveInstaller.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.nuget.org/api/v2/package/chromiumembeddedframework.runtime.win-x86/124.3.8	WaveInstaller.exe, 00000000.00000002.2895806482.00000000031A1000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.nuget.org/api/v2/package/chromiumembeddedframework.runtime.win-x86/124.3.87CefSharp.Comm	WaveInstaller.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/dxgi/wave-binaries/raw/main/CefSharp.Common.124.3.8.rar	WaveInstaller.exe, 00000000.00000002.2895806482.00000000031A1000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/dxgi/wave-binaries/raw/main/Luau-x64.rar	WaveInstaller.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/dxgi/wave-binaries/raw/main/Wave-x64.rar	WaveInstaller.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://cdn.getwave.gg/bootstrapper/WaveWindows.exeio	WaveInstaller.exe, 00000000.00000002.2895806482.00000000031A1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://github.com/dxgi/wave-binaries/raw/main/CefSharp.Common.124.3.8.rar1CefSharp.Wpf.124.3.8.rar	WaveInstaller.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1502445
Start date and time:	2024-09-01 16:20:05 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 49s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	WaveInstaller.exe
Detection:	MAL
Classification:	mal76.evad.winEXE@1/0@0/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 96% Number of executed functions: 38 Number of non-executed functions: 2
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target WaveInstaller.exe, PID 7464 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.874597413262029
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	WaveInstaller.exe
File size:	2'377'216 bytes
MD5:	215d509bc217f7878270c161763b471e
SHA1:	bfe0a2580d54cfa28d3ff5ef8dc754fdc73adcd9
SHA256:	984dfc64c10f96c5350d6d9216a5d7abfece1658dfc93925f7a6b0c80817c886
SHA512:	68e615dfcb1b7770ad64175438a913744c14bdd3af93b339c2b526271bdd0d23334e78d049fdae8ca9fe66672a8cf252ebf891be9ab6c46a3d8f1fb00fa8c83b
SSDEEP:	49152:LinbT3qpTDQSmanAmwJAaDMg33U2pLOiniT:LinKpTJmWAmmAMP8in
TLSH:	6DB512192A3CC8CBEC3907B15AFAE15A7B39317782490748ECCCC14C62F9E56F5B6529
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...v.4..........."...0...!..8......N+!.. ........@.. ........................$...........`................................

File Icon


Icon Hash:	2340020b0bbf733f

Static PE Info

General

Entrypoint:	0x612b4e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x8C34F576 [Sat Jul 16 11:22:30 2044 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x212af4	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x214000	0x33568	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x248000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x212a60	0x38	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x210b54	0x210c00	41e0a54accebca40bf945a207af8a88f	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x214000	0x33568	0x33600	32ec3b22a5cf4afe774f17b0bc6fcb20	False	0.5065579379562044	data	6.519047836554647	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x248000	0xc	0x200	b8becffedd18a9b187b1a5d4a2499a67	False	0.044921875	MacBinary, Mon Feb 6 07:28:16 2040 INVALID date, modified Mon Feb 6 07:28:16 2040 "!"	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x214200	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 5669 x 5669 px/m	0.875
RT_ICON	0x214678	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304, resolution 5669 x 5669 px/m	0.7729508196721312
RT_ICON	0x215010	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 5669 x 5669 px/m	0.6744840525328331
RT_ICON	0x2160c8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 5669 x 5669 px/m	0.5504149377593361
RT_ICON	0x218680	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 5669 x 5669 px/m	0.4750236183278224
RT_ICON	0x21c8b8	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 20736, resolution 5669 x 5669 px/m	0.4406192236598891
RT_ICON	0x221d50	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 36864, resolution 5669 x 5669 px/m	0.36519865461425266
RT_ICON	0x22b208	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 5669 x 5669 px/m	0.2990949958594582
RT_ICON	0x23ba40	0xa9e7	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9990343717668697
RT_GROUP_ICON	0x246438	0x84	data	0.7272727272727273
RT_VERSION	0x2464cc	0x33c	data	0.41304347826086957
RT_MANIFEST	0x246818	0xd4c	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.38689776733254994

Imports

DLL	Import
mscoree.dll	_CorExeMain

Target ID:	0
Start time:	10:20:51
Start date:	01/09/2024
Path:	C:\Users\user\Desktop\WaveInstaller.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\WaveInstaller.exe"
Imagebase:	0xb80000
File size:	2'377'216 bytes
MD5 hash:	215D509BC217F7878270C161763B471E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000000.1637430102.0000000000B82000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.2895806482.00000000031A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Function 018A67C5 Relevance: 1.5, Strings: 1, Instructions: 225COMMON

Download Yara Rule

Strings

^, xrefs: 018A6968

Memory Dump Source

Source File: 00000000.00000002.2895578675.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18a0000_WaveInstaller.jbxd

Similarity

API ID:
String ID: ^
API String ID: 0-1590793086
Opcode ID: ba43bd09cc1a9edb9fdbbcd503ad7c4fc1a104534c9fb39333b98191fac0f8a0
Instruction ID: a5b0c858932c18038da981c6fedf654df498c4aaa4c5bceff9d39086f7c01fa8
Opcode Fuzzy Hash: ba43bd09cc1a9edb9fdbbcd503ad7c4fc1a104534c9fb39333b98191fac0f8a0
Instruction Fuzzy Hash: 3921FF71F24281CBDF093BB4A82E11C3EA6AF51311399086AB093CF599FE398D49DB45

Function 018A6828 Relevance: 1.5, Strings: 1, Instructions: 222COMMON

Download Yara Rule

Strings

^, xrefs: 018A6968

Memory Dump Source

Source File: 00000000.00000002.2895578675.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18a0000_WaveInstaller.jbxd

Similarity

API ID:
String ID: ^
API String ID: 0-1590793086
Opcode ID: 0563e11945831d84f5a53693e147d2ca959d95bf2687859778c664bf5cf3d7b2
Instruction ID: 4a5aaf1bc22a80dce21266a95c649212b38dec1b9003580603091366479212c6
Opcode Fuzzy Hash: 0563e11945831d84f5a53693e147d2ca959d95bf2687859778c664bf5cf3d7b2
Instruction Fuzzy Hash: 78218F71E24241CBDF0D3BB4E82E11D3E66AF61312399086AB053CF598FE398D499B45

Function 018A6BB8 Relevance: 1.3, Strings: 1, Instructions: 45COMMON

Download Yara Rule

Strings

$^q, xrefs: 018A6C23

Memory Dump Source

Source File: 00000000.00000002.2895578675.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18a0000_WaveInstaller.jbxd

Similarity

API ID:
String ID: $^q
API String ID: 0-388095546
Opcode ID: 8621be0e6d42ae9796acae278c45f3a36be67b1408bac9dfd7b20fe564e9623b
Instruction ID: f96e225fcc357d66f640b0b072582ac4f8e7cbe5f2406412a5585ace0c7c2bb4
Opcode Fuzzy Hash: 8621be0e6d42ae9796acae278c45f3a36be67b1408bac9dfd7b20fe564e9623b
Instruction Fuzzy Hash: 6FF04C76B402195FE729A67C68607BF26EAFFC4654F140437C908DB385ED704C0247A2

Function 018A6BC8 Relevance: 1.3, Strings: 1, Instructions: 42COMMON

Download Yara Rule

Strings

$^q, xrefs: 018A6C23

Memory Dump Source

Source File: 00000000.00000002.2895578675.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18a0000_WaveInstaller.jbxd

Similarity

API ID:
String ID: $^q
API String ID: 0-388095546
Opcode ID: 71d6496b76d3e8a7cce6eb143e053e90f9d08733c21193b0a515382539d3f8f7
Instruction ID: fb559612cf80587857e1a5c730d99fa95f988b8d68b45043fe5f0ff9bf43af6a
Opcode Fuzzy Hash: 71d6496b76d3e8a7cce6eb143e053e90f9d08733c21193b0a515382539d3f8f7
Instruction Fuzzy Hash: 48F02B31B001191FE718A67D585067F36EAF7C4A14F54083AD509C7384ED709D0247E6

Function 018A7B48 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2895578675.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18a0000_WaveInstaller.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 588547aae50ebef1d8cefe312921132b88be51254f47f6907c192284a8a86f5e
Instruction ID: 5f57ef12b319cc701f588e3fe81ae4e5bfb55d25cb8c01905140336cc6438d00
Opcode Fuzzy Hash: 588547aae50ebef1d8cefe312921132b88be51254f47f6907c192284a8a86f5e
Instruction Fuzzy Hash: E5814034680202DFEB09EB65F9799457BA2FB84341B518621E4020F39DCF78ADDE9BD1

Function 018A7B58 Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2895578675.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18a0000_WaveInstaller.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f343f74489a54f9be93cdb36c2d5bc592a97886fc70d99d2ad8f84e2dd82636
Instruction ID: 29e2d1340a02874013546a1161d64f9ada7de6c032240c25d42b4279924c8d86
Opcode Fuzzy Hash: 9f343f74489a54f9be93cdb36c2d5bc592a97886fc70d99d2ad8f84e2dd82636
Instruction Fuzzy Hash: BF814134690202DFEB09EB65F9798457BA2FB84341B518621E4020F39DCF78ADDE9BD1

Function 018A18F9 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2895578675.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18a0000_WaveInstaller.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca2b7afe60e9dc7e41afbd874f864adcc3bb7dddd8d5d191c070961e282f2144
Instruction ID: 1c777ca36bab8366694150df0f9bac1032caab4c3eabe18e81c8a06d00e69c0f
Opcode Fuzzy Hash: ca2b7afe60e9dc7e41afbd874f864adcc3bb7dddd8d5d191c070961e282f2144
Instruction Fuzzy Hash: 6351ED316406079FC706EB38E580AA9B7A2FB85304F108A29C4199F765DF75FC9B8B91

Function 018A6038 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2895578675.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18a0000_WaveInstaller.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21b1f1b455f1f2d84dd664712d95b1f747ec0bb50503cde3d8633acd6b7755d3
Instruction ID: df68f191575a046666e953858ed72d5f96bca1ce2b0d2e87e54e581e60fe1b37
Opcode Fuzzy Hash: 21b1f1b455f1f2d84dd664712d95b1f747ec0bb50503cde3d8633acd6b7755d3
Instruction Fuzzy Hash: 4341C230B00109DFEB08AB6AD8146AEBFF6FFC4710F658469E506EB394DE359D458B50

Function 018A1908 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2895578675.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18a0000_WaveInstaller.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15a3d3bef81ec262c8b71d6dc18e092033bc2a34c4def7eee1cba481756d72f9
Instruction ID: 7e6395100d96af5421bd2e26e958f86b9b6378f23d6cd1d6fe5458f3f423aef0
Opcode Fuzzy Hash: 15a3d3bef81ec262c8b71d6dc18e092033bc2a34c4def7eee1cba481756d72f9
Instruction Fuzzy Hash: A851EE316406079FC706EB39E940AA9B7A6FB85304F108A28C4199F764DF75FC9B8B91

Function 0159EAF8 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2895352883.000000000159D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0159D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_159d000_WaveInstaller.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 661141004f10ff73f9f93338284b1e24cf9f30fe3a5dc5c3dd25359629b6890a
Instruction ID: c885a210d98eb39d53bef62eac6dfcae7172ac637f66a382e28e6bc743c780d8
Opcode Fuzzy Hash: 661141004f10ff73f9f93338284b1e24cf9f30fe3a5dc5c3dd25359629b6890a
Instruction Fuzzy Hash: C531D572504240EFDF06DF54C9C1F1ABFA7FB88314F2485A9E90A4E25AC336D455DB62

Function 0159E9FC Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2895352883.000000000159D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0159D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_159d000_WaveInstaller.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 508da8af4b8b4c69a8b59db56e7319547b3e0a4f9cf4f042717d996ba152c317
Instruction ID: 0368116363e66045fe150dc21fe06f4e334f433882b0ddaadbb53e4886141b65
Opcode Fuzzy Hash: 508da8af4b8b4c69a8b59db56e7319547b3e0a4f9cf4f042717d996ba152c317
Instruction Fuzzy Hash: 9B210A71500200EFDF06DF54D9C5B1ABFA5FB88314F24C5A9ED094E266C37AD456CB62

Function 0159D5E8 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2895352883.000000000159D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0159D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_159d000_WaveInstaller.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67d8d0807d4e3495a630c06c8a8bd4297196a3a04de8bb7b50c18560d87f5e78
Instruction ID: 1f974c0939f67204279e50be54215c041325b57d4b54c98c8bf20b1d382a8dbd
Opcode Fuzzy Hash: 67d8d0807d4e3495a630c06c8a8bd4297196a3a04de8bb7b50c18560d87f5e78
Instruction Fuzzy Hash: EC21D376500240DFCF059F98D980B1ABFB5FB88314F2485A9E90D4E256C33AD416CBA2

Function 0158D06C Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2895304615.000000000158D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0158D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_158d000_WaveInstaller.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76939726d4822d23d142bcd52a55c8b2a679080c0d1f572ceedd496fa3da7945
Instruction ID: 194c32ce1fee4f0d6ca32e28569014610e690512cc2c45dc1610090b1eee4272
Opcode Fuzzy Hash: 76939726d4822d23d142bcd52a55c8b2a679080c0d1f572ceedd496fa3da7945
Instruction Fuzzy Hash: 3D21F771504240DFDB05EF94D9C4B1ABFF5FB88314F248569E9091E296C33AD416CB61

Function 0159D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2895352883.000000000159D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0159D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_159d000_WaveInstaller.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3e6e9c297b11e33f1e582f025835e8a7dba1fe33c07860a628e2e7df772f263
Instruction ID: 00dfbe48ba87d42ea57407b0dffe9910d865167b8039cd5d593a6a31dea570b3
Opcode Fuzzy Hash: b3e6e9c297b11e33f1e582f025835e8a7dba1fe33c07860a628e2e7df772f263
Instruction Fuzzy Hash: 2B210071604200DFDF15DF68D984B2ABBB5FB84354F20C969D80A4F256D33AD446CA62

Function 018A7F5C Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2895578675.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18a0000_WaveInstaller.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9de361055b8732a7c0d591be95ab2eb9c04fae9ad3c015b62f0e312818827af6
Instruction ID: dfcd63c6aac99a408edb083299e38ee236aa376ce3108ba7d61d5bf16652f0da
Opcode Fuzzy Hash: 9de361055b8732a7c0d591be95ab2eb9c04fae9ad3c015b62f0e312818827af6
Instruction Fuzzy Hash: 113123B0D00248CFEB24CFAAC884BCEBFF5AF89314F148429E404BB250DB755989CB60

Function 018A7F68 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2895578675.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18a0000_WaveInstaller.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5eb97bda9be6136b1c5fc55c3614f704058e887873d4962b44f8d88139dbd6d2
Instruction ID: 70bf1f23c820c3b3bc5d72243cf79f779d2c350973b7853d62ad3f8439ec1abf
Opcode Fuzzy Hash: 5eb97bda9be6136b1c5fc55c3614f704058e887873d4962b44f8d88139dbd6d2
Instruction Fuzzy Hash: 7831F2B0D01248DFEB14CFAAC984BCDBBF5AF49314F548419E404BB254DBB55985CB61

Function 0159EAF3 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2895352883.000000000159D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0159D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_159d000_WaveInstaller.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cfb7dd041e002c130cd1539feb2bbdfd134433b7a32c8f6d204d752fbd68790
Instruction ID: a7d7e94c2f8e5a57a0f5d02ec6b5a7e869a422f7bfdb2620bfb6061c011612fd
Opcode Fuzzy Hash: 7cfb7dd041e002c130cd1539feb2bbdfd134433b7a32c8f6d204d752fbd68790
Instruction Fuzzy Hash: 04219D76404280DFCF02CF44C9C4B5ABF72FB48314F248699ED090E66AC336D466DBA2

Function 018A6970 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2895578675.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18a0000_WaveInstaller.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 546a0f3ceabcab506fd66c4eaa1926eea8235c41eed0575956eb8ba9ba80835b
Instruction ID: 6c5876b4c0480845df321299091e5d93652c78b066f6152b4d9bf51b9f1ad773
Opcode Fuzzy Hash: 546a0f3ceabcab506fd66c4eaa1926eea8235c41eed0575956eb8ba9ba80835b
Instruction Fuzzy Hash: 0111F975A20241CBDF0C7BB8E42E11D3EA6AF913123950939B053CF698FE399D45AB45

Function 0159D006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2895352883.000000000159D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0159D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_159d000_WaveInstaller.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad12d037e148dd97e183e04848247494c9e249270dc2dec521abfcd6f1db811e
Instruction ID: 07e1db9252aba8b810ec0cf09e98012d91cc805873e04b90b2a0c6060f6e1bd2
Opcode Fuzzy Hash: ad12d037e148dd97e183e04848247494c9e249270dc2dec521abfcd6f1db811e
Instruction Fuzzy Hash: 5B219D755093808FDB03CF64D994B15BF71FB46214F28C5EAD8498F2A7C33A980ACB62

Function 0159E9F7 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2895352883.000000000159D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0159D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_159d000_WaveInstaller.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b8d3571c4b9cc2845d5b9732b44ba54f756556ea458328d5f45100f7847987e
Instruction ID: bb4a64dbffd835ece3dd78fe38dcaf31ef739188a5a0e01ce110eb3ab33ebd28
Opcode Fuzzy Hash: 4b8d3571c4b9cc2845d5b9732b44ba54f756556ea458328d5f45100f7847987e
Instruction Fuzzy Hash: 12217F72404240DFDF06CF54D9C4B5ABF62FB48314F28C299ED080E266C33AD456DB52

Function 018A6AF7 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2895578675.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18a0000_WaveInstaller.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffdf2ba31af1b4c5d0738e23fdf5711924730ca1d250c2f016bac93959e87ba9
Instruction ID: 839c738c3dc8a47977d226929730bde530bcd3dc12f251c8195fea78ff00e626
Opcode Fuzzy Hash: ffdf2ba31af1b4c5d0738e23fdf5711924730ca1d250c2f016bac93959e87ba9
Instruction Fuzzy Hash: 4C1121317401126FC315AB39E560A2E3BEAFB88AD4349426ADD49C7348FF24DD0387C6

Function 0159D5E3 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2895352883.000000000159D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0159D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_159d000_WaveInstaller.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 114eaa811b2ef5832592fdbefb37b7eae827b65112d33cbcecf77d4cb3c2ffc0
Instruction ID: 1d55ea737b794ddaaa8bf347e236da29bcd4afa7e933a8d6f833b99db6972db1
Opcode Fuzzy Hash: 114eaa811b2ef5832592fdbefb37b7eae827b65112d33cbcecf77d4cb3c2ffc0
Instruction Fuzzy Hash: 6E21AE76404280DFCF06CF54D9C4B1ABFB2FB88314F2486A9D9480E256C33AD426CB92

Function 0158D067 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2895304615.000000000158D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0158D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_158d000_WaveInstaller.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7c8d58dc0dea2b6e01ffeb94055e7b182a7219ccea2c20f3472bf21e95a7b9d
Instruction ID: 5105b04400a13de623a6f3b83ede6a8c4f606e5c99fa545eb720e8231fcb9e6d
Opcode Fuzzy Hash: c7c8d58dc0dea2b6e01ffeb94055e7b182a7219ccea2c20f3472bf21e95a7b9d
Instruction Fuzzy Hash: DD21AC76404280DFDB06DF44D9C4B1ABFB2FB88314F24C2A9D9481E256C33AD426CB91

Function 0158DA05 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2895304615.000000000158D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0158D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_158d000_WaveInstaller.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3adb60b879deac9543e31377ccb2f6973a544cefe78c0714bab14d6263a29126
Instruction ID: 209aad6085ddf7bce7a645d994adfba21ba8c51b005c980a28e74e3a6df43527
Opcode Fuzzy Hash: 3adb60b879deac9543e31377ccb2f6973a544cefe78c0714bab14d6263a29126
Instruction Fuzzy Hash: 3601D43100D3409AE7109A6AC98476BFFE8EF45364F28C82AED091E2C6C6B9D840C671

Function 0158D8A3 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2895304615.000000000158D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0158D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_158d000_WaveInstaller.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbc8ab98f535ae7edf2120b089965609f773680075668cadea01f1d1436f8343
Instruction ID: 074cc2c6cd35dfd9f9e4ec886431cb43a221b54cb2795f8581174dc9f9fd5318
Opcode Fuzzy Hash: cbc8ab98f535ae7edf2120b089965609f773680075668cadea01f1d1436f8343
Instruction Fuzzy Hash: 69010876100A00AF97619F4AD980C27FBFAFF88720305885DE94A4BA22C632F851DF60

Function 0158D894 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2895304615.000000000158D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0158D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_158d000_WaveInstaller.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e87c281b0b83083c6b076db86f28617ba9acd75c033e36f03350f838559e8b6
Instruction ID: 97ae3eaa82e08445b3d557e944dbb72d7678017fac954ed6321553778b8c9e05
Opcode Fuzzy Hash: 7e87c281b0b83083c6b076db86f28617ba9acd75c033e36f03350f838559e8b6
Instruction Fuzzy Hash: 34010C35104740AFD7229F55C980C63BFFAFF89720719888DE9864BA62C632F812DF60

Function 0158DA04 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2895304615.000000000158D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0158D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_158d000_WaveInstaller.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32eb1703a6bfe4f83a288cf48615a88307190e49158e3bd81e764edfbe937032
Instruction ID: 74dbc764d45d4558121268bffc10b12673984ef305a564924e9501a4b30eb288
Opcode Fuzzy Hash: 32eb1703a6bfe4f83a288cf48615a88307190e49158e3bd81e764edfbe937032
Instruction Fuzzy Hash: 4DF0C272008340EEE7108E1AD8C4B66FFE8EB45724F28C45AED081F286C2799840CA70

Function 018A0B69 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2895578675.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18a0000_WaveInstaller.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d74c43f369ca7a0f9ed492177cb26a2231a5f691dd92081e1b0c6c9cada8797
Instruction ID: 0b3d4425ed7eadb8c2c1f0ca1f9ee99b01babaf3297dbb43670dbc66ea4dbcb5
Opcode Fuzzy Hash: 3d74c43f369ca7a0f9ed492177cb26a2231a5f691dd92081e1b0c6c9cada8797
Instruction Fuzzy Hash: 92E04F327417109BDB592B78E4152ED77A6EBD6736B06086ED503CB380CE2D9C06C7C6

Function 018A0B78 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2895578675.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18a0000_WaveInstaller.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b065d23e6d3c3d1a26046a23ecbfbbee4c4ef2affb88850a62bf0eb2ef1572c
Instruction ID: 92aae17394bdc9125047b88d9b3020f36049a7169097de5bb636f0a5fdd272b9
Opcode Fuzzy Hash: 4b065d23e6d3c3d1a26046a23ecbfbbee4c4ef2affb88850a62bf0eb2ef1572c
Instruction Fuzzy Hash: 4CD05B3570121497CB09377990182AD358EF7C5525B01041CD507C7340CE29DC01C7D6

Function 018A5F98 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2895578675.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18a0000_WaveInstaller.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2916087a356f928cce462249d5281ad637432d2ecd2a8454639689d014819ac4
Instruction ID: 22f57017f7c6c5b4c73b77189b94d65a0b6a55b43974feb25c5f41a8b44bd8af
Opcode Fuzzy Hash: 2916087a356f928cce462249d5281ad637432d2ecd2a8454639689d014819ac4
Instruction Fuzzy Hash: B5E026725443C04FCB068BA4F9751943F33FF41306B0508A2D4468B26BDB28B89DC788

Function 018A7F28 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2895578675.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18a0000_WaveInstaller.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00bbb33f9075927569915b15683a3a87fa3e8567bc51c22dc5c12d63674b0140
Instruction ID: 20c217144ccc4b4ed0f72582256b14b72ee0e5b892d3f48e644a90739fbf2536
Opcode Fuzzy Hash: 00bbb33f9075927569915b15683a3a87fa3e8567bc51c22dc5c12d63674b0140
Instruction Fuzzy Hash: 26D01774A00309EBDF09DFA4DD0679AB7F8EB22211F1141A6E80597280EF319B51AA80

Function 018A5FE7 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2895578675.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18a0000_WaveInstaller.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cf5339e22e829510a1f7618e0cdacdfe476cc40616d298279c6f76b34ca9a63
Instruction ID: 711915f4c375c4f25626ffe7e214179a3fef83eeb6ba2b746c33484a21200c0a
Opcode Fuzzy Hash: 5cf5339e22e829510a1f7618e0cdacdfe476cc40616d298279c6f76b34ca9a63
Instruction Fuzzy Hash: 25D0A7316082809FE71A0B3484903E03FF15F5A700BAE44DAC64ADB3A6F9169686D761

Function 018A5FA8 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2895578675.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18a0000_WaveInstaller.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2d7d56ecb5a291576ac00aceb7095958a52b0d9444cf880a679de084e5a3ff7
Instruction ID: 49b6293cfd219be3d2df83001601571ff89e5a6191e167a6f08ea6a662695404
Opcode Fuzzy Hash: f2d7d56ecb5a291576ac00aceb7095958a52b0d9444cf880a679de084e5a3ff7
Instruction Fuzzy Hash: 5AD0A7355503058FCB05DBA9F5698553B26FF84301B114A32E5060B359CF78BCDD8BC8

Function 018A5FF8 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2895578675.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18a0000_WaveInstaller.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9393f4be4f1724b5f3a2e8f722a915f1c2883f607e9f25149b08d156fcb46bd
Instruction ID: caa475451e9a66e11f6d6708601fcfcfe67e000e4c9e0cbfb6ae228b5b45afa6
Opcode Fuzzy Hash: f9393f4be4f1724b5f3a2e8f722a915f1c2883f607e9f25149b08d156fcb46bd
Instruction Fuzzy Hash: B0C012307802058BE718573C941472239F56FC4700BFD8869930BE73A8FD22D9C2D271

Function 018A0841 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2895578675.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18a0000_WaveInstaller.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fb76ddade5f852e64c8e1269b147e6d8fc12bb309b7952abaa1e29f20222532
Instruction ID: 647b0ce6964089ddbd701ab855d304855487991874ab08f28ee499d572ab226e
Opcode Fuzzy Hash: 6fb76ddade5f852e64c8e1269b147e6d8fc12bb309b7952abaa1e29f20222532
Instruction Fuzzy Hash: 9CD012738893808FCBD20BA0B0054E43FB0EA2367030700DBD0548A062E2AA0D068B52

Function 018A6AD0 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2895578675.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18a0000_WaveInstaller.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cad67f4923e2e42606dde8acbad2cb94a54fadc4c86bb2f8b329cda5cf2051d
Instruction ID: c44dec99c62a8728d1b18745a3abf6feda29a79aa61e37423c0a9d6774241afa
Opcode Fuzzy Hash: 8cad67f4923e2e42606dde8acbad2cb94a54fadc4c86bb2f8b329cda5cf2051d
Instruction Fuzzy Hash: 1DC08C3004030A8FD7121F24EA0A38DB7A8FF8031CF000060FE0C0C10EAF7928ADAA80

Function 018A6AE0 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2895578675.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18a0000_WaveInstaller.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c6a86af0748de99d3e657390de1849f9dcd63024ec3b06b1585f05e8faeae61
Instruction ID: 52feec04fece1e32dbf7870a93917faf7cd4986d403e8690dfebed7322f1292c
Opcode Fuzzy Hash: 6c6a86af0748de99d3e657390de1849f9dcd63024ec3b06b1585f05e8faeae61
Instruction Fuzzy Hash: 9CB0123009034D4FC5016779F5465087B1DF5C0219B400531F10C0D21D6E6A7C9C46C4

Function 018A0850 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2895578675.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18a0000_WaveInstaller.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45798fa64e8ec568832bc2383c3e801b29277cc9ecdb3e5f34bb1a0f91fa3f4a
Instruction ID: 9f269ff3105b0d5a6f689c18d7d8aa956576f573c7a6c88f0793274e6cd289ce
Opcode Fuzzy Hash: 45798fa64e8ec568832bc2383c3e801b29277cc9ecdb3e5f34bb1a0f91fa3f4a
Instruction Fuzzy Hash: E890223000020CCB02002B80B008000330CA0000083820080A00C000000A00280002CA

Non-executed Functions

Function 018A27B8 Relevance: 9.0, Strings: 7, Instructions: 242COMMON

Download Yara Rule

Strings

fQl, xrefs: 018A2855
fQl, xrefs: 018A2AA1
C!q^, xrefs: 018A2ABB
S!q^, xrefs: 018A2927
c!q^, xrefs: 018A286F
fQl, xrefs: 018A290D
s!q^, xrefs: 018A280F

Memory Dump Source

Source File: 00000000.00000002.2895578675.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18a0000_WaveInstaller.jbxd

Similarity

API ID:
String ID: C!q^$S!q^$c!q^$fQl$fQl$fQl$s!q^
API String ID: 0-688012200
Opcode ID: e55b5e1073bdc9f80a510e70c0f00fe23933ea62ac606473fd20ff0c8bac7005
Instruction ID: 67f4398dca24acce34ada904f30dcd31a3789a3701c2d9803e5747741f98651f
Opcode Fuzzy Hash: e55b5e1073bdc9f80a510e70c0f00fe23933ea62ac606473fd20ff0c8bac7005
Instruction Fuzzy Hash: 25814D31B48325DBE7365A28C5102AAF693FF81794F84463AC845EF319DF349E8687D2

Function 018A27A9 Relevance: 8.9, Strings: 7, Instructions: 190COMMON

Download Yara Rule

Strings

fQl, xrefs: 018A2855
fQl, xrefs: 018A2AA1
C!q^, xrefs: 018A2ABB
S!q^, xrefs: 018A2927
c!q^, xrefs: 018A286F
fQl, xrefs: 018A290D
s!q^, xrefs: 018A280F

Memory Dump Source

Source File: 00000000.00000002.2895578675.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18a0000_WaveInstaller.jbxd

Similarity

API ID:
String ID: C!q^$S!q^$c!q^$fQl$fQl$fQl$s!q^
API String ID: 0-688012200
Opcode ID: 2a2cb9c94221757a3304b70bc1a9f0fa591cbb7e7cdbedb46e85926bf8b004ec
Instruction ID: 1a8f63fbfcb7b05a5fe02e555cf2f7deeec3dec95bf759cc9124f3557d3c1af5
Opcode Fuzzy Hash: 2a2cb9c94221757a3304b70bc1a9f0fa591cbb7e7cdbedb46e85926bf8b004ec
Instruction Fuzzy Hash: 42610730A09316DFF6369F24C5106A9FB63FF41754FC44A2AD845AB215D738AB8AC7C1

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report WaveInstaller.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: WaveInstaller.exePID: 7464, Parent PID: 2580

General

Chronological Activities

Disassembly

Analysis Process: WaveInstaller.exePID: 7464, Parent PID: 2580COMMON

Executed Functions

Function 018A67C5 Relevance: 1.5, Strings: 1, Instructions: 225COMMON

Windows Analysis Report
WaveInstaller.exe