File name:

WutheringWaves_overseas_setup_1.6.4.0.exe

Full analysis: https://app.any.run/tasks/d9bbfe2c-27ea-4ad3-bb52-766ff0fed18f
Verdict: Malicious activity
Analysis date: October 13, 2024, 08:19:06
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5:

38C37084833AB6BF9EF9EFEE8EFD56D0

SHA1:

2EBC95B94A6C8186A52440DBD72A227CF183AE4E

SHA256:

BFAA8FC5C1E0F4BD2555DD2D0686C90EF635CF3E909BAC5776564474F1F459CF

SSDEEP:

786432:a9FDfJt74dYE5kiL3BHbm86pWRPca+T966ixJ2Ii57EuK:a9h0RLLxHbjIqPcE5xJ2l57Ej

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Malware-specific behavior (creating "System.dll" in Temp)

      • WutheringWaves_overseas_setup_1.6.4.0.exe (PID: 6540)
    • Process drops SQLite DLL files

      • WutheringWaves_overseas_setup_1.6.4.0.exe (PID: 6540)
    • Process drops legitimate windows executable

      • WutheringWaves_overseas_setup_1.6.4.0.exe (PID: 6540)
    • The process creates files with name similar to system file names

      • WutheringWaves_overseas_setup_1.6.4.0.exe (PID: 6540)
    • The process drops C-runtime libraries

      • WutheringWaves_overseas_setup_1.6.4.0.exe (PID: 6540)
    • Executable content was dropped or overwritten

      • WutheringWaves_overseas_setup_1.6.4.0.exe (PID: 6540)
  • INFO

    • Create files in a temporary directory

      • WutheringWaves_overseas_setup_1.6.4.0.exe (PID: 6540)
    • Checks supported languages

      • WutheringWaves_overseas_setup_1.6.4.0.exe (PID: 6540)
    • Creates files or folders in the user directory

      • WutheringWaves_overseas_setup_1.6.4.0.exe (PID: 6540)
    • Sends debugging messages

      • WutheringWaves_overseas_setup_1.6.4.0.exe (PID: 6540)
    • Reads the computer name

      • WutheringWaves_overseas_setup_1.6.4.0.exe (PID: 6540)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2021:09:25 21:57:46+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 27136
InitializedDataSize: 186880
UninitializedDataSize: 2048
EntryPoint: 0x352d
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.6.4.0
ProductVersionNumber: 1.6.4.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: 广州库洛科技有限公司
FileDescription: Wuthering Waves
FileVersion: 1.6.4.0
InternalName: launcher.exe
LegalCopyright: Guangzhou Kuro Technology Co., Ltd
ProductName: KRInstall Wuthering Waves Overseas
ProductVersion: 1.6.4.0
No data.
All screenshots are available in the full report
Total processes
114
Monitored processes
2
Malicious processes
1
Suspicious processes
0

Behavior graph

start → wutheringwaves_overseas_setup_1.6.4.0.exe → wutheringwaves_overseas_setup_1.6.4.0.exe (no specs)

Process information

PID | CMD | Path | Indicators | Parent process
5172 | "C:\Users\admin\Desktop\WutheringWaves_overseas_setup_1.6.4.0.exe" | C:\Users\admin\Desktop\WutheringWaves_overseas_setup_1.6.4.0.exe | (none) | explorer.exe
User:
admin
Company:
广州库洛科技有限公司
Integrity Level:
MEDIUM
Description:
Wuthering Waves
Exit code:
3221226540
Version:
1.6.4.0
Modules
Images
c:\users\admin\desktop\wutheringwaves_overseas_setup_1.6.4.0.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
6540 | "C:\Users\admin\Desktop\WutheringWaves_overseas_setup_1.6.4.0.exe" | C:\Users\admin\Desktop\WutheringWaves_overseas_setup_1.6.4.0.exe | (none) | explorer.exe
User:
admin
Company:
广州库洛科技有限公司
Integrity Level:
HIGH
Description:
Wuthering Waves
Version:
1.6.4.0
Modules
Images
c:\users\admin\desktop\wutheringwaves_overseas_setup_1.6.4.0.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
Total events
198
Read events
198
Write events
0
Delete events
0

Modification events

No data
Executable files
30
Suspicious files
1
Text files
0
Unknown types
0

Dropped files

PID | Process | Filename | Type
6540 | WutheringWaves_overseas_setup_1.6.4.0.exe | C:\Users\admin\AppData\Local\Temp\nsg301D.tmp\System.dll | executable
MD5:CFF85C549D536F651D4FB8387F1976F2
SHA256:8DC562CDA7217A3A52DB898243DE3E2ED68B80E62DDCB8619545ED0B4E7F65A8
6540 | WutheringWaves_overseas_setup_1.6.4.0.exe | C:\Users\admin\AppData\Local\Temp\nsg301D.tmp\libcurl.dll | executable
MD5:FE5E6AECB98BBCB2CB0E826526DEA007
SHA256:EC5F18199DC57130082315BFB6BAEDB8614DA92AE256019A30B5880DDED9AE47
6540 | WutheringWaves_overseas_setup_1.6.4.0.exe | C:\Users\admin\AppData\Local\Temp\nsg301D.tmp\libssl-3.dll | executable
MD5:440A0F750F770676AEAC4DE35FD88637
SHA256:1515C8560DDA68C87B0E0DE7330D0B7B517B8FE2A89ADCFE9922A7301FFF4BF0
6540 | WutheringWaves_overseas_setup_1.6.4.0.exe | C:\Users\admin\AppData\Local\Temp\nsg301D.tmp\libssl-1_1.dll | executable
MD5:E3F1A7C6D1C185835CEEB3BDF37F9562
SHA256:4630AF7D655A93784E5669BE594A0E7AE534D4626E71C1E6ACEFA722D34A1117
6540 | WutheringWaves_overseas_setup_1.6.4.0.exe | C:\Users\admin\AppData\Local\Temp\nsg301D.tmp\styles\qwindowsvistastyle.dll | executable
MD5:CEA2589B96F6A9F02FCCC0BC0786965F
SHA256:A0B0177A40B1C74AC79BF31C9F26AB0770D54C2297D68A53D289C48FF5B23EDB
6540 | WutheringWaves_overseas_setup_1.6.4.0.exe | C:\Users\admin\AppData\Local\Temp\nsg301D.tmp\thinkingdata.dll | executable
MD5:E295BBB7C68F5CB535D72983227B12CD
SHA256:E988EBFB5798D712CA21FB8986C06A364B1D1F3B9397277898BF2E80B5818E2B
6540 | WutheringWaves_overseas_setup_1.6.4.0.exe | C:\Users\admin\AppData\Local\Temp\nsg301D.tmp\sqlite3.dll | executable
MD5:B8074421D9F92ADB9D112B90A54D47D1
SHA256:8CE20D2F27C6574DCAED648971778BB11D1EC18B9A44E879C0E53C1A29273DD8
6540 | WutheringWaves_overseas_setup_1.6.4.0.exe | C:\Users\admin\AppData\Local\Temp\nsg301D.tmp\imageformats\qico.dll | executable
MD5:77B5EEE567D88078024E3B535D6196F1
SHA256:AE2D373DA197C94FD6AFF5B56BAF3DF754722926AF4F71279688CE563FE6EF31
6540 | WutheringWaves_overseas_setup_1.6.4.0.exe | C:\Users\admin\AppData\Local\Temp\nsg301D.tmp\zlibwapi.dll | executable
MD5:5B56B325DBD6A7284D2ECF09D4CC0623
SHA256:14ACA2BF23B47996F630A1C5175FA6003E5898612411EEB6CAD5ABF96BC27B8C
6540 | WutheringWaves_overseas_setup_1.6.4.0.exe | C:\Users\admin\AppData\Local\Temp\nsg301D.tmp\platforms\qwindows.dll | executable
MD5:F52D1908E2D1F5B03B72CC87DF48C8AD
SHA256:60085C5B61554A1E9D96350F039597A1B77A7576A81A12A24ACE9DE4C323BB8D
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
21
DNS requests
9
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
2.16.164.120:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5488
MoUsoCoreWorker.exe
GET
200
2.16.164.120:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5488
MoUsoCoreWorker.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2.23.209.187:443
www.bing.com
Akamai International B.V.
GB
whitelisted
4
System
192.168.100.255:138
whitelisted
2.16.164.120:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
5488
MoUsoCoreWorker.exe
2.16.164.120:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
5488
MoUsoCoreWorker.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
52.137.106.217:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
239.255.255.250:1900
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 52.137.106.217
  • 4.231.128.59
  • 51.104.136.2
whitelisted
www.bing.com
  • 2.23.209.187
  • 2.23.209.176
  • 2.23.209.182
  • 2.23.209.179
  • 2.23.209.183
  • 2.23.209.181
  • 2.23.209.161
  • 2.23.209.177
  • 2.23.209.185
whitelisted
google.com
  • 142.250.185.110
whitelisted
crl.microsoft.com
  • 2.16.164.120
  • 2.16.164.49
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
self.events.data.microsoft.com
  • 51.132.193.105
whitelisted

Threats

No threats detected
Process
Message
WutheringWaves_overseas_setup_1.6.4.0.exe
[KRInstaller][2024-10-13T08:19:58.367][TID:6284][Info]open log file succeed: C:\Users\admin\AppData\Roaming/KRLauncher/G153/C50004/log/KRInstaller_2024-10-13_08_19.log
WutheringWaves_overseas_setup_1.6.4.0.exe
[KRInstaller][2024-10-13T08:19:58.367][TID:6284][Info]KRSimpleLog::KRSimpleLog construct
WutheringWaves_overseas_setup_1.6.4.0.exe
[KRInstaller][2024-10-13T08:19:58.367][TID:6284][Info][NSIS] .onInit: place dependencies done
WutheringWaves_overseas_setup_1.6.4.0.exe
[KRInstaller][2024-10-13T08:19:58.367][TID:6284][Debug][krsystem.cpp:143][KRSystem::ParseLongCommandLineParam] cmd param 0: C:\Users\admin\Desktop\WutheringWaves_overseas_setup_1.6.4.0.exe
WutheringWaves_overseas_setup_1.6.4.0.exe
[KRInstaller][2024-10-13T08:19:58.367][TID:6284][Debug][krsystem.cpp:148][KRSystem::ParseLongCommandLineParam] param: update, value:
WutheringWaves_overseas_setup_1.6.4.0.exe
[KRInstaller][2024-10-13T08:19:58.367][TID:6284][Info][NSIS] .onInit: upadte install path:
WutheringWaves_overseas_setup_1.6.4.0.exe
[KRInstaller][2024-10-13T08:19:58.445][TID:6284][Info][NSIS] QtUiPage: NSIS Plugin Dir: C:\Users\admin\AppData\Local\Temp\nsg301D.tmp
WutheringWaves_overseas_setup_1.6.4.0.exe
[KRInstaller][2024-10-13T08:19:58.445][TID:6284][Info][NSIS] QtUiPage: BindInstallEventToNsisFunc: UI_PREPARED, OnUIPrepared
WutheringWaves_overseas_setup_1.6.4.0.exe
[KRInstaller][2024-10-13T08:19:58.445][TID:6284][Info][NSIS] QtUiPage: BindInstallEventToNsisFunc: START_EXTRACT_FILES, OnStartExtractFiles
WutheringWaves_overseas_setup_1.6.4.0.exe
[KRInstaller][2024-10-13T08:19:58.460][TID:6284][Info][NSIS] QtUiPage: BindInstallEventToNsisFunc: BEFORE_FINISHED, OnBeforeFinished