Edit tour

Windows Analysis Report
expat-win32bin-2.6.2.exe

Overview

General Information

Sample name:	expat-win32bin-2.6.2.exe
Analysis ID:	1428761
MD5:	7e3077da4633ad49b055d9447b4509fa
SHA1:	4ef1d59c6cbdc3a250c1aa9d8030cb000ef45e00
SHA256:	5b596bd1625ff3021ce5d891ab4bcdab32964ee33cb096b06804bd46007e2583
Infos:

Detection

Score:	56
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Creates a process in suspended mode (likely to inject code)

Dropped file seen in connection with other malware

Drops PE files

Found dropped PE file which has not been started or loaded

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Queries keyboard layouts

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Classification

Process Tree

System is w10x64_ra

expat-win32bin-2.6.2.exe (PID: 5692 cmdline: "C:\Users\user\Desktop\expat-win32bin-2.6.2.exe" MD5: 7E3077DA4633AD49B055D9447B4509FA)

expat-win32bin-2.6.2.tmp (PID: 5892 cmdline: "C:\Users\user\AppData\Local\Temp\is-5QN94.tmp\expat-win32bin-2.6.2.tmp" /SL5="$40390,763717,121344,C:\Users\user\Desktop\expat-win32bin-2.6.2.exe" MD5: 90FC739C83CD19766ACB562C66A7D0E2)

cmd.exe (PID: 6864 cmdline: "C:\Windows\system32\cmd.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6872 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

xmlwf.exe (PID: 4800 cmdline: xmlwf MD5: 162E9381BECB2DC60B03AF229873AA69)

rundll32.exe (PID: 7100 cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding MD5: EF3179D498793BF4234F708D3BE28633)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\Program Files (x86)\Expat 2.6.2\Bin\is-VEROQ.tmp	ReversingLabs: Detection: 29%
Source: C:\Program Files (x86)\Expat 2.6.2\Bin\xmlwf.exe (copy)	ReversingLabs: Detection: 29%

Multi AV Scanner detection for submitted file

Source: expat-win32bin-2.6.2.exe

ReversingLabs: Detection: 39%

Source: expat-win32bin-2.6.2.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: expat-win32bin-2.6.2.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\projects\libexpat\expat\build_static_char\expat.dir\RelWithDebInfo\expat.pdbANYATTLISTCDATADOCTYPEELEMENTEMPTYENTITIESENTITYFIXEDIDIDREFIDREFSIGNOREIMPLIEDINCLUDENDATANMTOKENNMTOKENSNOTATIONPCDATAPUBLICREQUIREDSYSTEM source: expat-win32bin-2.6.2.tmp, 00000001.00000003.1225801313.0000000005F7C000.00000004.00001000.00020000.00000000.sdmp, is-536SH.tmp.1.dr
Source:	Binary string: C:\projects\libexpat\expat\build_static_char\expat.dir\RelWithDebInfo\expat.pdb source: expat-win32bin-2.6.2.tmp, 00000001.00000003.1225801313.0000000005F7C000.00000004.00001000.00020000.00000000.sdmp, is-536SH.tmp.1.dr
Source:	Binary string: C:\projects\libexpat\expat\build_static_char\expat.dir\RelWithDebInfo\expat.pdbCDATA[ source: expat-win32bin-2.6.2.tmp, 00000001.00000003.1225801313.0000000005F7C000.00000004.00001000.00020000.00000000.sdmp, is-536SH.tmp.1.dr
Source:	Binary string: C:\projects\libexpat\expat\build_shared_wchar_t\RelWithDebInfo\libexpatw.pdb source: expat-win32bin-2.6.2.tmp, 00000001.00000003.1225801313.0000000005F7C000.00000004.00001000.00020000.00000000.sdmp, is-O4RPJ.tmp.1.dr
Source:	Binary string: C:\projects\libexpat\expat\build_static_char\xmlwf\RelWithDebInfo\xmlwf.pdb source: expat-win32bin-2.6.2.tmp, 00000001.00000003.1225801313.0000000005E34000.00000004.00001000.00020000.00000000.sdmp, xmlwf.exe, 00000012.00000000.1702656497.00000000004A5000.00000002.00000001.01000000.0000000A.sdmp, is-VEROQ.tmp.1.dr
Source:	Binary string: C:\projects\libexpat\expat\build_static_wchar_t\expat.dir\RelWithDebInfo\expat.pdb source: expat-win32bin-2.6.2.tmp, 00000001.00000003.1225801313.0000000005F7C000.00000004.00001000.00020000.00000000.sdmp, is-2OJDA.tmp.1.dr
Source:	Binary string: C:\projects\libexpat\expat\build_shared_char\RelWithDebInfo\libexpat.pdb source: expat-win32bin-2.6.2.tmp, 00000001.00000003.1225801313.0000000005EF5000.00000004.00001000.00020000.00000000.sdmp, is-E0P4F.tmp.1.dr

Source: C:\Windows\System32\conhost.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\conhost.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\conhost.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\conhost.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\System32\conhost.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\conhost.exe	File opened: C:\Users\user\AppData	Jump to behavior

Source: expat-win32bin-2.6.2.tmp, 00000001.00000003.1225801313.0000000005F7C000.00000004.00001000.00020000.00000000.sdmp, is-3DN6T.tmp.1.dr	String found in binary or memory: http://check.sourceforge.net/
Source: is-2LFRU.tmp.1.dr, is-PK54U.tmp.1.dr, is-HM97B.tmp.1.dr	String found in binary or memory: http://example.org/
Source: is-0U35S.tmp.1.dr	String found in binary or memory: http://example.org/a
Source: expat-win32bin-2.6.2.tmp, 00000001.00000003.1225801313.0000000005F7C000.00000004.00001000.00020000.00000000.sdmp, is-2LFRU.tmp.1.dr	String found in binary or memory: http://example.org/baz
Source: expat-win32bin-2.6.2.tmp, 00000001.00000003.1225801313.0000000005F7C000.00000004.00001000.00020000.00000000.sdmp, is-0U35S.tmp.1.dr, is-PK54U.tmp.1.dr	String found in binary or memory: http://example.org/doc.dtd
Source: expat-win32bin-2.6.2.tmp, 00000001.00000003.1225801313.0000000005F7C000.00000004.00001000.00020000.00000000.sdmp, is-8T34J.tmp.1.dr	String found in binary or memory: http://example.org/dtd.ent
Source: is-8T34J.tmp.1.dr, is-PK54U.tmp.1.dr	String found in binary or memory: http://example.org/dummy.ent
Source: is-PK54U.tmp.1.dr	String found in binary or memory: http://example.org/e
Source: expat-win32bin-2.6.2.tmp, 00000001.00000003.1225801313.0000000005F7C000.00000004.00001000.00020000.00000000.sdmp, is-0U35S.tmp.1.dr, is-PK54U.tmp.1.dr	String found in binary or memory: http://example.org/entity.ent
Source: expat-win32bin-2.6.2.tmp, 00000001.00000003.1225801313.0000000005F7C000.00000004.00001000.00020000.00000000.sdmp, is-8T34J.tmp.1.dr	String found in binary or memory: http://example.org/foo
Source: expat-win32bin-2.6.2.tmp, 00000001.00000003.1225801313.0000000005F7C000.00000004.00001000.00020000.00000000.sdmp, is-2LFRU.tmp.1.dr	String found in binary or memory: http://example.org/long/enough/URI/to/reallocate/
Source: is-PK54U.tmp.1.dr	String found in binary or memory: http://example.org/n
Source: expat-win32bin-2.6.2.tmp, 00000001.00000003.1225801313.0000000005F7C000.00000004.00001000.00020000.00000000.sdmp, is-0U35S.tmp.1.dr, is-PK54U.tmp.1.dr	String found in binary or memory: http://example.org/ns1
Source: expat-win32bin-2.6.2.tmp, 00000001.00000003.1225801313.0000000005F7C000.00000004.00001000.00020000.00000000.sdmp, is-8T34J.tmp.1.dr, is-PK54U.tmp.1.dr	String found in binary or memory: http://example.org/one.ent
Source: expat-win32bin-2.6.2.tmp, 00000001.00000003.1225801313.0000000005F7C000.00000004.00001000.00020000.00000000.sdmp, is-8T34J.tmp.1.dr	String found in binary or memory: http://example.org/two.ent
Source: expat-win32bin-2.6.2.tmp, 00000001.00000003.1225801313.0000000005E34000.00000004.00001000.00020000.00000000.sdmp, is-OO3ST.tmp.1.dr, is-4FTAQ.tmp.1.dr	String found in binary or memory: http://libexpat.org/
Source: expat-win32bin-2.6.2.tmp, 00000001.00000003.1225801313.0000000005F7C000.00000004.00001000.00020000.00000000.sdmp, is-MUAV6.tmp.1.dr	String found in binary or memory: http://pubs.opengroup.org/onlinepubs/009695399/functions/read.html
Source: expat-win32bin-2.6.2.tmp, 00000001.00000003.1225801313.0000000005F7C000.00000004.00001000.00020000.00000000.sdmp, is-4F42Q.tmp.1.dr, is-RPQ2E.tmp.1.dr	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: expat-win32bin-2.6.2.exe, 00000000.00000003.1160182723.00000000024D0000.00000004.00001000.00020000.00000000.sdmp, expat-win32bin-2.6.2.exe, 00000000.00000003.1160505995.000000007FD20000.00000004.00001000.00020000.00000000.sdmp, expat-win32bin-2.6.2.tmp, 00000001.00000000.1161483708.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-ETMC9.tmp.1.dr, expat-win32bin-2.6.2.tmp.0.dr	String found in binary or memory: http://www.innosetup.com/
Source: expat-win32bin-2.6.2.tmp, 00000001.00000003.1225801313.0000000005E34000.00000004.00001000.00020000.00000000.sdmp, is-DLR13.tmp.1.dr	String found in binary or memory: http://www.jclark.com/xml/canonxml.html
Source: expat-win32bin-2.6.2.exe	String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: expat-win32bin-2.6.2.tmp, 00000001.00000003.1225801313.0000000005E34000.00000004.00001000.00020000.00000000.sdmp, is-DLR13.tmp.1.dr	String found in binary or memory: http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd
Source: expat-win32bin-2.6.2.exe, 00000000.00000003.1160182723.00000000024D0000.00000004.00001000.00020000.00000000.sdmp, expat-win32bin-2.6.2.exe, 00000000.00000003.1160505995.000000007FD20000.00000004.00001000.00020000.00000000.sdmp, expat-win32bin-2.6.2.tmp, 00000001.00000000.1161483708.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-ETMC9.tmp.1.dr, expat-win32bin-2.6.2.tmp.0.dr	String found in binary or memory: http://www.remobjects.com/ps
Source: expat-win32bin-2.6.2.tmp, 00000001.00000003.1225801313.0000000005F7C000.00000004.00001000.00020000.00000000.sdmp, is-8T34J.tmp.1.dr	String found in binary or memory: https://131002.net/siphash/siphash.pdf
Source: expat-win32bin-2.6.2.tmp, 00000001.00000003.1225801313.0000000005F7C000.00000004.00001000.00020000.00000000.sdmp, is-IFIDL.tmp.1.dr	String found in binary or memory: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=34302
Source: expat-win32bin-2.6.2.tmp, 00000001.00000003.1225801313.0000000005E34000.00000004.00001000.00020000.00000000.sdmp, is-MRCVE.tmp.1.dr	String found in binary or memory: https://ci.appveyor.com/api/projects/status/github/libexpat/libexpat?svg=true)
Source: expat-win32bin-2.6.2.tmp, 00000001.00000003.1225801313.0000000005E34000.00000004.00001000.00020000.00000000.sdmp, is-MRCVE.tmp.1.dr	String found in binary or memory: https://ci.appveyor.com/project/libexpat/libexpat)
Source: expat-win32bin-2.6.2.tmp, 00000001.00000003.1225801313.0000000005E34000.00000004.00001000.00020000.00000000.sdmp, is-MRCVE.tmp.1.dr	String found in binary or memory: https://cmake.org/cmake/help/latest/module/FindEXPAT.html).
Source: expat-win32bin-2.6.2.tmp, 00000001.00000003.1225801313.0000000005F7C000.00000004.00001000.00020000.00000000.sdmp, is-H25RM.tmp.1.dr	String found in binary or memory: https://cmake.org/cmake/help/latest/variable/MSVC_VERSION.html
Source: expat-win32bin-2.6.2.tmp, 00000001.00000003.1225801313.0000000005F7C000.00000004.00001000.00020000.00000000.sdmp, is-9CIQT.tmp.1.dr	String found in binary or memory: https://datatracker.ietf.org/doc/html/rfc3986#appendix-A
Source: is-IFIDL.tmp.1.dr	String found in binary or memory: https://domain.invalid/
Source: expat-win32bin-2.6.2.tmp, 00000001.00000003.1225801313.0000000005F7C000.00000004.00001000.00020000.00000000.sdmp, is-IFIDL.tmp.1.dr	String found in binary or memory: https://example.org/
Source: expat-win32bin-2.6.2.tmp, 00000001.00000003.1225801313.0000000005F7C000.00000004.00001000.00020000.00000000.sdmp, is-4F42Q.tmp.1.dr, is-RPQ2E.tmp.1.dr	String found in binary or memory: https://gcc.gnu.org/onlinedocs/gcc-3.4.3/cpp/Stringification.html
Source: expat-win32bin-2.6.2.tmp, 00000001.00000003.1225801313.0000000005F7C000.00000004.00001000.00020000.00000000.sdmp, is-H25RM.tmp.1.dr	String found in binary or memory: https://gcc.gnu.org/onlinedocs/gcc/x86-Windows-Options.html
Source: is-4FTAQ.tmp.1.dr	String found in binary or memory: https://github.com/libexpat/
Source: expat-win32bin-2.6.2.tmp, 00000001.00000003.1225801313.0000000005E34000.00000004.00001000.00020000.00000000.sdmp, is-MRCVE.tmp.1.dr	String found in binary or memory: https://github.com/libexpat/libexpat/)
Source: expat-win32bin-2.6.2.tmp, 00000001.00000003.1225801313.0000000005E34000.00000004.00001000.00020000.00000000.sdmp, is-MRCVE.tmp.1.dr	String found in binary or memory: https://github.com/libexpat/libexpat/actions/workflows/linux.yml)
Source: expat-win32bin-2.6.2.tmp, 00000001.00000003.1225801313.0000000005E34000.00000004.00001000.00020000.00000000.sdmp, is-MRCVE.tmp.1.dr	String found in binary or memory: https://github.com/libexpat/libexpat/actions/workflows/linux.yml/badge.svg)
Source: expat-win32bin-2.6.2.tmp, 00000001.00000003.1225801313.0000000005E34000.00000004.00001000.00020000.00000000.sdmp, is-MRCVE.tmp.1.dr	String found in binary or memory: https://github.com/libexpat/libexpat/blob/master/expat/COPYING)
Source: is-LI6L5.tmp.1.dr, is-VEROQ.tmp.1.dr, is-H25RM.tmp.1.dr, is-KHE4M.tmp.1.dr	String found in binary or memory: https://github.com/libexpat/libexpat/issues
Source: expat-win32bin-2.6.2.tmp, 00000001.00000003.1225801313.0000000005E34000.00000004.00001000.00020000.00000000.sdmp, is-OO3ST.tmp.1.dr, is-4FTAQ.tmp.1.dr	String found in binary or memory: https://github.com/libexpat/libexpat/pull/30/commits
Source: expat-win32bin-2.6.2.tmp, 00000001.00000003.1225801313.0000000005E34000.00000004.00001000.00020000.00000000.sdmp, is-OO3ST.tmp.1.dr, is-4FTAQ.tmp.1.dr	String found in binary or memory: https://github.com/libexpat/libexpat/pull/39/commits
Source: is-MRCVE.tmp.1.dr	String found in binary or memory: https://github.com/libexpat/libexpat/releases)
Source: expat-win32bin-2.6.2.tmp, 00000001.00000003.1225801313.0000000005E34000.00000004.00001000.00020000.00000000.sdmp, is-MRCVE.tmp.1.dr	String found in binary or memory: https://img.shields.io/github/downloads/libexpat/libexpat/total?label=Downloads%20GitHub)
Source: expat-win32bin-2.6.2.tmp, 00000001.00000003.1225801313.0000000005E34000.00000004.00001000.00020000.00000000.sdmp, is-MRCVE.tmp.1.dr	String found in binary or memory: https://img.shields.io/sourceforge/dt/expat?label=Downloads%20SourceForge)
Source: expat-win32bin-2.6.2.tmp, 00000001.00000003.1225801313.0000000005E34000.00000004.00001000.00020000.00000000.sdmp, expat-win32bin-2.6.2.tmp, 00000001.00000003.1228144461.000000000244D000.00000004.00001000.00020000.00000000.sdmp, expat-win32bin-2.6.2.tmp, 00000001.00000003.1225801313.0000000005F7C000.00000004.00001000.00020000.00000000.sdmp, is-LI6L5.tmp.1.dr, is-DLR13.tmp.1.dr, is-4RN45.tmp.1.dr	String found in binary or memory: https://libexpat.github.io/
Source: expat-win32bin-2.6.2.tmp, 00000001.00000003.1228144461.000000000244D000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://libexpat.github.io/)
Source: expat-win32bin-2.6.2.exe, 00000000.00000003.1159559114.00000000024D0000.00000004.00001000.00020000.00000000.sdmp, expat-win32bin-2.6.2.tmp, 00000001.00000003.1162591939.00000000032E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://libexpat.github.io/6https://libexpat.github.io/6https://libexpat.github.io/
Source: expat-win32bin-2.6.2.tmp, 00000001.00000003.1225801313.0000000005E34000.00000004.00001000.00020000.00000000.sdmp, is-OO3ST.tmp.1.dr, is-4FTAQ.tmp.1.dr	String found in binary or memory: https://libexpat.github.io/doc/cve-2017-9233/
Source: expat-win32bin-2.6.2.tmp, 00000001.00000003.1225801313.0000000005F7C000.00000004.00001000.00020000.00000000.sdmp, is-BABGD.tmp.1.dr	String found in binary or memory: https://namespace1.test
Source: expat-win32bin-2.6.2.tmp, 00000001.00000003.1225801313.0000000005F7C000.00000004.00001000.00020000.00000000.sdmp, is-9CIQT.tmp.1.dr	String found in binary or memory: https://osdn.net/projects/mingw/ticket/39658
Source: expat-win32bin-2.6.2.tmp, 00000001.00000003.1225801313.0000000005F7C000.00000004.00001000.00020000.00000000.sdmp, is-IFIDL.tmp.1.dr	String found in binary or memory: https://oss-fuzz.com/testcase-detail/4860575394955264
Source: expat-win32bin-2.6.2.tmp, 00000001.00000003.1225801313.0000000005E34000.00000004.00001000.00020000.00000000.sdmp, is-MRCVE.tmp.1.dr	String found in binary or memory: https://repology.org/badge/tiny-repos/expat.svg)
Source: expat-win32bin-2.6.2.tmp, 00000001.00000003.1225801313.0000000005E34000.00000004.00001000.00020000.00000000.sdmp, is-MRCVE.tmp.1.dr	String found in binary or memory: https://repology.org/metapackage/expat/versions)
Source: expat-win32bin-2.6.2.tmp, 00000001.00000003.1225801313.0000000005E34000.00000004.00001000.00020000.00000000.sdmp, is-R12A0.tmp.1.dr	String found in binary or memory: https://rsms.me/inter/inter.css
Source: expat-win32bin-2.6.2.tmp, 00000001.00000003.1225801313.0000000005F7C000.00000004.00001000.00020000.00000000.sdmp, is-EVI0M.tmp.1.dr	String found in binary or memory: https://semver.org
Source: expat-win32bin-2.6.2.tmp, 00000001.00000003.1225801313.0000000005F7C000.00000004.00001000.00020000.00000000.sdmp, is-H25RM.tmp.1.dr	String found in binary or memory: https://sourceforge.net/p/predef/wiki/Compilers/
Source: expat-win32bin-2.6.2.tmp, 00000001.00000003.1225801313.0000000005E34000.00000004.00001000.00020000.00000000.sdmp, is-LI6L5.tmp.1.dr	String found in binary or memory: https://sourceforge.net/projects/expat/
Source: expat-win32bin-2.6.2.tmp, 00000001.00000003.1225801313.0000000005E34000.00000004.00001000.00020000.00000000.sdmp, is-MRCVE.tmp.1.dr	String found in binary or memory: https://sourceforge.net/projects/expat/files/)
Source: expat-win32bin-2.6.2.tmp, 00000001.00000003.1225801313.0000000005E34000.00000004.00001000.00020000.00000000.sdmp, is-OO3ST.tmp.1.dr, is-4FTAQ.tmp.1.dr	String found in binary or memory: https://uriparser.github.io/
Source: is-4FTAQ.tmp.1.dr	String found in binary or memory: https://verbump.de/
Source: expat-win32bin-2.6.2.tmp, 00000001.00000003.1225801313.0000000005F7C000.00000004.00001000.00020000.00000000.sdmp, is-NFJ3Q.tmp.1.dr	String found in binary or memory: https://www.131002.net/siphash/
Source: expat-win32bin-2.6.2.tmp, 00000001.00000003.1225801313.0000000005F7C000.00000004.00001000.00020000.00000000.sdmp, is-NFJ3Q.tmp.1.dr	String found in binary or memory: https://www.131002.net/siphash/siphash24.c
Source: expat-win32bin-2.6.2.tmp, 00000001.00000003.1225801313.0000000005E34000.00000004.00001000.00020000.00000000.sdmp, is-MRCVE.tmp.1.dr	String found in binary or memory: https://www.gnu.org/philosophy/free-sw.en.html).
Source: expat-win32bin-2.6.2.tmp, 00000001.00000003.1225801313.0000000005F7C000.00000004.00001000.00020000.00000000.sdmp, is-KHCSJ.tmp.1.dr	String found in binary or memory: https://www.unicode.org/unicode/reports/tr28/
Source: expat-win32bin-2.6.2.tmp, 00000001.00000003.1225801313.0000000005E34000.00000004.00001000.00020000.00000000.sdmp, is-LI6L5.tmp.1.dr	String found in binary or memory: https://www.xml.com/

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\is-5QN94.tmp\expat-win32bin-2.6.2.tmp 821BD11693BF4B4B2B9F3C196036E1F4902ABD95FB26873EA6C43E123B8C9431

Source: expat-win32bin-2.6.2.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: expat-win32bin-2.6.2.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: is-E0P4F.tmp.1.dr	Static PE information: Resource name: RT_VERSION type: MIPSEB-LE MIPS-III ECOFF executable not stripped - version 0.79
Source: is-O4RPJ.tmp.1.dr	Static PE information: Resource name: RT_VERSION type: MIPSEB-LE MIPS-III ECOFF executable not stripped - version 0.79
Source: is-ETMC9.tmp.1.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-ETMC9.tmp.1.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows

Source: expat-win32bin-2.6.2.exe, 00000000.00000003.1160182723.00000000025E6000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameshfolder.dll~/ vs expat-win32bin-2.6.2.exe
Source: expat-win32bin-2.6.2.exe, 00000000.00000003.1160505995.000000007FE32000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameshfolder.dll~/ vs expat-win32bin-2.6.2.exe

Source: expat-win32bin-2.6.2.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: expat-win32bin-2.6.2.tmp, 00000001.00000003.1225801313.0000000005E34000.00000004.00001000.00020000.00000000.sdmp, is-LI6L5.tmp.1.dr	Binary or memory string: you can use CMake to generate a <code>.sln</code> file, e.g.
Source: expat-win32bin-2.6.2.tmp, 00000001.00000003.1225801313.0000000005F7C000.00000004.00001000.00020000.00000000.sdmp, is-4TEN0.tmp.1.dr	Binary or memory string: cmake .. -G "Visual Studio 15 2017" && msbuild /m expat.sln
Source: expat-win32bin-2.6.2.tmp, 00000001.00000003.1225801313.0000000005F7C000.00000004.00001000.00020000.00000000.sdmp, is-VLGVF.tmp.1.dr	Binary or memory string: msbuild /m expat.sln
Source: expat-win32bin-2.6.2.tmp, 00000001.00000003.1225801313.0000000005E34000.00000004.00001000.00020000.00000000.sdmp, is-LI6L5.tmp.1.dr	Binary or memory string: </code>, and build Expat using <code>msbuild /m expat.sln</code> after.</p>

Source: classification engine

Classification label: mal56.winEXE@8/224@0/0

Source: C:\Users\user\AppData\Local\Temp\is-5QN94.tmp\expat-win32bin-2.6.2.tmp

File created: C:\Program Files (x86)\Expat 2.6.2

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-5QN94.tmp\expat-win32bin-2.6.2.tmp

File created: C:\Users\user\AppData\Local\Programs

Jump to behavior

Source: C:\Users\user\Desktop\expat-win32bin-2.6.2.exe

File created: C:\Users\user\AppData\Local\Temp\is-5QN94.tmp

Jump to behavior

Source: C:\Users\user\Desktop\expat-win32bin-2.6.2.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5QN94.tmp\expat-win32bin-2.6.2.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior

Source: C:\Windows\System32\conhost.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\expat-win32bin-2.6.2.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-5QN94.tmp\expat-win32bin-2.6.2.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Source: expat-win32bin-2.6.2.exe

ReversingLabs: Detection: 39%

Source: expat-win32bin-2.6.2.exe

String found in binary or memory: /LOADINF="filename"

Source: C:\Users\user\Desktop\expat-win32bin-2.6.2.exe

File read: C:\Users\user\Desktop\expat-win32bin-2.6.2.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\expat-win32bin-2.6.2.exe "C:\Users\user\Desktop\expat-win32bin-2.6.2.exe"
Source: C:\Users\user\Desktop\expat-win32bin-2.6.2.exe	Process created: C:\Users\user\AppData\Local\Temp\is-5QN94.tmp\expat-win32bin-2.6.2.tmp "C:\Users\user\AppData\Local\Temp\is-5QN94.tmp\expat-win32bin-2.6.2.tmp" /SL5="$40390,763717,121344,C:\Users\user\Desktop\expat-win32bin-2.6.2.exe"
Source: unknown	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files (x86)\Expat 2.6.2\Bin\xmlwf.exe xmlwf
Source: C:\Users\user\Desktop\expat-win32bin-2.6.2.exe	Process created: C:\Users\user\AppData\Local\Temp\is-5QN94.tmp\expat-win32bin-2.6.2.tmp "C:\Users\user\AppData\Local\Temp\is-5QN94.tmp\expat-win32bin-2.6.2.tmp" /SL5="$40390,763717,121344,C:\Users\user\Desktop\expat-win32bin-2.6.2.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files (x86)\Expat 2.6.2\Bin\xmlwf.exe xmlwf	Jump to behavior

Source: C:\Users\user\Desktop\expat-win32bin-2.6.2.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\expat-win32bin-2.6.2.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5QN94.tmp\expat-win32bin-2.6.2.tmp	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5QN94.tmp\expat-win32bin-2.6.2.tmp	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5QN94.tmp\expat-win32bin-2.6.2.tmp	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5QN94.tmp\expat-win32bin-2.6.2.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5QN94.tmp\expat-win32bin-2.6.2.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5QN94.tmp\expat-win32bin-2.6.2.tmp	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5QN94.tmp\expat-win32bin-2.6.2.tmp	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5QN94.tmp\expat-win32bin-2.6.2.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5QN94.tmp\expat-win32bin-2.6.2.tmp	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5QN94.tmp\expat-win32bin-2.6.2.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5QN94.tmp\expat-win32bin-2.6.2.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5QN94.tmp\expat-win32bin-2.6.2.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5QN94.tmp\expat-win32bin-2.6.2.tmp	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5QN94.tmp\expat-win32bin-2.6.2.tmp	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5QN94.tmp\expat-win32bin-2.6.2.tmp	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5QN94.tmp\expat-win32bin-2.6.2.tmp	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5QN94.tmp\expat-win32bin-2.6.2.tmp	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5QN94.tmp\expat-win32bin-2.6.2.tmp	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5QN94.tmp\expat-win32bin-2.6.2.tmp	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5QN94.tmp\expat-win32bin-2.6.2.tmp	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5QN94.tmp\expat-win32bin-2.6.2.tmp	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5QN94.tmp\expat-win32bin-2.6.2.tmp	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5QN94.tmp\expat-win32bin-2.6.2.tmp	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5QN94.tmp\expat-win32bin-2.6.2.tmp	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5QN94.tmp\expat-win32bin-2.6.2.tmp	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: winbrand.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\Expat 2.6.2\Bin\xmlwf.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\Expat 2.6.2\Bin\xmlwf.exe	Section loaded: cryptbase.dll	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-5QN94.tmp\expat-win32bin-2.6.2.tmp

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-5QN94.tmp\expat-win32bin-2.6.2.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-5QN94.tmp\expat-win32bin-2.6.2.tmp

Window found: window name: TMainForm

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: expat-win32bin-2.6.2.exe

Static file information: File size 1152968 > 1048576

Source: expat-win32bin-2.6.2.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\projects\libexpat\expat\build_static_char\expat.dir\RelWithDebInfo\expat.pdbANYATTLISTCDATADOCTYPEELEMENTEMPTYENTITIESENTITYFIXEDIDIDREFIDREFSIGNOREIMPLIEDINCLUDENDATANMTOKENNMTOKENSNOTATIONPCDATAPUBLICREQUIREDSYSTEM source: expat-win32bin-2.6.2.tmp, 00000001.00000003.1225801313.0000000005F7C000.00000004.00001000.00020000.00000000.sdmp, is-536SH.tmp.1.dr
Source:	Binary string: C:\projects\libexpat\expat\build_static_char\expat.dir\RelWithDebInfo\expat.pdb source: expat-win32bin-2.6.2.tmp, 00000001.00000003.1225801313.0000000005F7C000.00000004.00001000.00020000.00000000.sdmp, is-536SH.tmp.1.dr
Source:	Binary string: C:\projects\libexpat\expat\build_static_char\expat.dir\RelWithDebInfo\expat.pdbCDATA[ source: expat-win32bin-2.6.2.tmp, 00000001.00000003.1225801313.0000000005F7C000.00000004.00001000.00020000.00000000.sdmp, is-536SH.tmp.1.dr
Source:	Binary string: C:\projects\libexpat\expat\build_shared_wchar_t\RelWithDebInfo\libexpatw.pdb source: expat-win32bin-2.6.2.tmp, 00000001.00000003.1225801313.0000000005F7C000.00000004.00001000.00020000.00000000.sdmp, is-O4RPJ.tmp.1.dr
Source:	Binary string: C:\projects\libexpat\expat\build_static_char\xmlwf\RelWithDebInfo\xmlwf.pdb source: expat-win32bin-2.6.2.tmp, 00000001.00000003.1225801313.0000000005E34000.00000004.00001000.00020000.00000000.sdmp, xmlwf.exe, 00000012.00000000.1702656497.00000000004A5000.00000002.00000001.01000000.0000000A.sdmp, is-VEROQ.tmp.1.dr
Source:	Binary string: C:\projects\libexpat\expat\build_static_wchar_t\expat.dir\RelWithDebInfo\expat.pdb source: expat-win32bin-2.6.2.tmp, 00000001.00000003.1225801313.0000000005F7C000.00000004.00001000.00020000.00000000.sdmp, is-2OJDA.tmp.1.dr
Source:	Binary string: C:\projects\libexpat\expat\build_shared_char\RelWithDebInfo\libexpat.pdb source: expat-win32bin-2.6.2.tmp, 00000001.00000003.1225801313.0000000005EF5000.00000004.00001000.00020000.00000000.sdmp, is-E0P4F.tmp.1.dr

Source: is-E0P4F.tmp.1.dr	Static PE information: section name: .00cfg
Source: is-O4RPJ.tmp.1.dr	Static PE information: section name: .00cfg
Source: is-VEROQ.tmp.1.dr	Static PE information: section name: .00cfg

Source: C:\Users\user\AppData\Local\Temp\is-5QN94.tmp\expat-win32bin-2.6.2.tmp	File created: C:\Program Files (x86)\Expat 2.6.2\Bin\libexpat.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5QN94.tmp\expat-win32bin-2.6.2.tmp	File created: C:\Program Files (x86)\Expat 2.6.2\Bin\xmlwf.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5QN94.tmp\expat-win32bin-2.6.2.tmp	File created: C:\Program Files (x86)\Expat 2.6.2\Bin\is-E0P4F.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\expat-win32bin-2.6.2.exe	File created: C:\Users\user\AppData\Local\Temp\is-5QN94.tmp\expat-win32bin-2.6.2.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5QN94.tmp\expat-win32bin-2.6.2.tmp	File created: C:\Program Files (x86)\Expat 2.6.2\Uninstall\is-ETMC9.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5QN94.tmp\expat-win32bin-2.6.2.tmp	File created: C:\Users\user\AppData\Local\Temp\is-M6SQ1.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5QN94.tmp\expat-win32bin-2.6.2.tmp	File created: C:\Program Files (x86)\Expat 2.6.2\Bin\is-O4RPJ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5QN94.tmp\expat-win32bin-2.6.2.tmp	File created: C:\Program Files (x86)\Expat 2.6.2\Uninstall\unins000.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5QN94.tmp\expat-win32bin-2.6.2.tmp	File created: C:\Program Files (x86)\Expat 2.6.2\Bin\is-VEROQ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5QN94.tmp\expat-win32bin-2.6.2.tmp	File created: C:\Program Files (x86)\Expat 2.6.2\Bin\libexpatw.dll (copy)	Jump to dropped file

Source: C:\Users\user\Desktop\expat-win32bin-2.6.2.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5QN94.tmp\expat-win32bin-2.6.2.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5QN94.tmp\expat-win32bin-2.6.2.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5QN94.tmp\expat-win32bin-2.6.2.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5QN94.tmp\expat-win32bin-2.6.2.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5QN94.tmp\expat-win32bin-2.6.2.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5QN94.tmp\expat-win32bin-2.6.2.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5QN94.tmp\expat-win32bin-2.6.2.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5QN94.tmp\expat-win32bin-2.6.2.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-5QN94.tmp\expat-win32bin-2.6.2.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Expat 2.6.2\Bin\libexpat.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5QN94.tmp\expat-win32bin-2.6.2.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Expat 2.6.2\Bin\is-E0P4F.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5QN94.tmp\expat-win32bin-2.6.2.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Expat 2.6.2\Uninstall\is-ETMC9.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5QN94.tmp\expat-win32bin-2.6.2.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-M6SQ1.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5QN94.tmp\expat-win32bin-2.6.2.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Expat 2.6.2\Bin\is-O4RPJ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5QN94.tmp\expat-win32bin-2.6.2.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Expat 2.6.2\Uninstall\unins000.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5QN94.tmp\expat-win32bin-2.6.2.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Expat 2.6.2\Bin\libexpatw.dll (copy)	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\is-5QN94.tmp\expat-win32bin-2.6.2.tmp	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5QN94.tmp\expat-win32bin-2.6.2.tmp	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809			Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\System32\conhost.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\conhost.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\conhost.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\conhost.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\System32\conhost.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\conhost.exe	File opened: C:\Users\user\AppData	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-5QN94.tmp\expat-win32bin-2.6.2.tmp

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\cmd.exe

Process created: C:\Program Files (x86)\Expat 2.6.2\Bin\xmlwf.exe xmlwf

Jump to behavior

Source: C:\Windows\System32\cmd.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	11 Process Injection	2 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Rundll32	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	2 System Owner/User Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	2 File and Directory Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	21 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
expat-win32bin-2.6.2.exe	39%	ReversingLabs	Win32.Trojan.Generic

Dropped Files

Source	Detection	Scanner	Label
C:\Program Files (x86)\Expat 2.6.2\Bin\is-E0P4F.tmp	0%	ReversingLabs
C:\Program Files (x86)\Expat 2.6.2\Bin\is-O4RPJ.tmp	0%	ReversingLabs
C:\Program Files (x86)\Expat 2.6.2\Bin\is-VEROQ.tmp	29%	ReversingLabs	Win32.Trojan.Generic
C:\Program Files (x86)\Expat 2.6.2\Bin\libexpat.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Expat 2.6.2\Bin\libexpatw.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Expat 2.6.2\Bin\xmlwf.exe (copy)	29%	ReversingLabs	Win32.Trojan.Generic
C:\Program Files (x86)\Expat 2.6.2\Source\is-EEC6T.tmp	0%	ReversingLabs
C:\Program Files (x86)\Expat 2.6.2\Source\run.sh.in (copy)	0%	ReversingLabs
C:\Program Files (x86)\Expat 2.6.2\Uninstall\is-ETMC9.tmp	4%	ReversingLabs
C:\Program Files (x86)\Expat 2.6.2\Uninstall\unins000.exe (copy)	4%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-5QN94.tmp\expat-win32bin-2.6.2.tmp	3%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-M6SQ1.tmp\_isetup\_setup64.tmp	0%	ReversingLabs

Source	Detection	Scanner	Label	Link
http://www.remobjects.com/ps	0%	URL Reputation	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.innosetup.com/	expat-win32bin-2.6.2.exe, 00000000.00000003.1160182723.00000000024D0000.00000004.00001000.00020000.00000000.sdmp, expat-win32bin-2.6.2.exe, 00000000.00000003.1160505995.000000007FD20000.00000004.00001000.00020000.00000000.sdmp, expat-win32bin-2.6.2.tmp, 00000001.00000000.1161483708.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-ETMC9.tmp.1.dr, expat-win32bin-2.6.2.tmp.0.dr	false		unknown
https://osdn.net/projects/mingw/ticket/39658	expat-win32bin-2.6.2.tmp, 00000001.00000003.1225801313.0000000005F7C000.00000004.00001000.00020000.00000000.sdmp, is-9CIQT.tmp.1.dr	false		high
https://www.131002.net/siphash/siphash24.c	expat-win32bin-2.6.2.tmp, 00000001.00000003.1225801313.0000000005F7C000.00000004.00001000.00020000.00000000.sdmp, is-NFJ3Q.tmp.1.dr	false		unknown
http://example.org/e	is-PK54U.tmp.1.dr	false		high
http://example.org/long/enough/URI/to/reallocate/	expat-win32bin-2.6.2.tmp, 00000001.00000003.1225801313.0000000005F7C000.00000004.00001000.00020000.00000000.sdmp, is-2LFRU.tmp.1.dr	false		high
https://www.xml.com/	expat-win32bin-2.6.2.tmp, 00000001.00000003.1225801313.0000000005E34000.00000004.00001000.00020000.00000000.sdmp, is-LI6L5.tmp.1.dr	false		high
http://www.apache.org/licenses/LICENSE-2.0	expat-win32bin-2.6.2.tmp, 00000001.00000003.1225801313.0000000005F7C000.00000004.00001000.00020000.00000000.sdmp, is-4F42Q.tmp.1.dr, is-RPQ2E.tmp.1.dr	false		high
https://example.org/	expat-win32bin-2.6.2.tmp, 00000001.00000003.1225801313.0000000005F7C000.00000004.00001000.00020000.00000000.sdmp, is-IFIDL.tmp.1.dr	false		high
http://example.org/a	is-0U35S.tmp.1.dr	false		high
https://www.131002.net/siphash/	expat-win32bin-2.6.2.tmp, 00000001.00000003.1225801313.0000000005F7C000.00000004.00001000.00020000.00000000.sdmp, is-NFJ3Q.tmp.1.dr	false		unknown
https://rsms.me/inter/inter.css	expat-win32bin-2.6.2.tmp, 00000001.00000003.1225801313.0000000005E34000.00000004.00001000.00020000.00000000.sdmp, is-R12A0.tmp.1.dr	false		high
http://example.org/n	is-PK54U.tmp.1.dr	false		high
http://example.org/two.ent	expat-win32bin-2.6.2.tmp, 00000001.00000003.1225801313.0000000005F7C000.00000004.00001000.00020000.00000000.sdmp, is-8T34J.tmp.1.dr	false		high
http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU	expat-win32bin-2.6.2.exe	false		high
http://check.sourceforge.net/	expat-win32bin-2.6.2.tmp, 00000001.00000003.1225801313.0000000005F7C000.00000004.00001000.00020000.00000000.sdmp, is-3DN6T.tmp.1.dr	false		high
http://example.org/doc.dtd	expat-win32bin-2.6.2.tmp, 00000001.00000003.1225801313.0000000005F7C000.00000004.00001000.00020000.00000000.sdmp, is-0U35S.tmp.1.dr, is-PK54U.tmp.1.dr	false		high
https://gcc.gnu.org/onlinedocs/gcc/x86-Windows-Options.html	expat-win32bin-2.6.2.tmp, 00000001.00000003.1225801313.0000000005F7C000.00000004.00001000.00020000.00000000.sdmp, is-H25RM.tmp.1.dr	false		high
http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd	expat-win32bin-2.6.2.tmp, 00000001.00000003.1225801313.0000000005E34000.00000004.00001000.00020000.00000000.sdmp, is-DLR13.tmp.1.dr	false		high
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=34302	expat-win32bin-2.6.2.tmp, 00000001.00000003.1225801313.0000000005F7C000.00000004.00001000.00020000.00000000.sdmp, is-IFIDL.tmp.1.dr	false		high
https://131002.net/siphash/siphash.pdf	expat-win32bin-2.6.2.tmp, 00000001.00000003.1225801313.0000000005F7C000.00000004.00001000.00020000.00000000.sdmp, is-8T34J.tmp.1.dr	false		unknown
https://gcc.gnu.org/onlinedocs/gcc-3.4.3/cpp/Stringification.html	expat-win32bin-2.6.2.tmp, 00000001.00000003.1225801313.0000000005F7C000.00000004.00001000.00020000.00000000.sdmp, is-4F42Q.tmp.1.dr, is-RPQ2E.tmp.1.dr	false		high
http://example.org/entity.ent	expat-win32bin-2.6.2.tmp, 00000001.00000003.1225801313.0000000005F7C000.00000004.00001000.00020000.00000000.sdmp, is-0U35S.tmp.1.dr, is-PK54U.tmp.1.dr	false		high
https://semver.org	expat-win32bin-2.6.2.tmp, 00000001.00000003.1225801313.0000000005F7C000.00000004.00001000.00020000.00000000.sdmp, is-EVI0M.tmp.1.dr	false		high
https://sourceforge.net/p/predef/wiki/Compilers/	expat-win32bin-2.6.2.tmp, 00000001.00000003.1225801313.0000000005F7C000.00000004.00001000.00020000.00000000.sdmp, is-H25RM.tmp.1.dr	false		high
https://oss-fuzz.com/testcase-detail/4860575394955264	expat-win32bin-2.6.2.tmp, 00000001.00000003.1225801313.0000000005F7C000.00000004.00001000.00020000.00000000.sdmp, is-IFIDL.tmp.1.dr	false		unknown
https://datatracker.ietf.org/doc/html/rfc3986#appendix-A	expat-win32bin-2.6.2.tmp, 00000001.00000003.1225801313.0000000005F7C000.00000004.00001000.00020000.00000000.sdmp, is-9CIQT.tmp.1.dr	false		high
https://www.gnu.org/philosophy/free-sw.en.html).	expat-win32bin-2.6.2.tmp, 00000001.00000003.1225801313.0000000005E34000.00000004.00001000.00020000.00000000.sdmp, is-MRCVE.tmp.1.dr	false		high
http://example.org/dummy.ent	is-8T34J.tmp.1.dr, is-PK54U.tmp.1.dr	false		high
http://pubs.opengroup.org/onlinepubs/009695399/functions/read.html	expat-win32bin-2.6.2.tmp, 00000001.00000003.1225801313.0000000005F7C000.00000004.00001000.00020000.00000000.sdmp, is-MUAV6.tmp.1.dr	false		high
https://verbump.de/	is-4FTAQ.tmp.1.dr	false		unknown
https://domain.invalid/	is-IFIDL.tmp.1.dr	false		unknown
http://example.org/baz	expat-win32bin-2.6.2.tmp, 00000001.00000003.1225801313.0000000005F7C000.00000004.00001000.00020000.00000000.sdmp, is-2LFRU.tmp.1.dr	false		high
http://example.org/	is-2LFRU.tmp.1.dr, is-PK54U.tmp.1.dr, is-HM97B.tmp.1.dr	false		high
http://example.org/dtd.ent	expat-win32bin-2.6.2.tmp, 00000001.00000003.1225801313.0000000005F7C000.00000004.00001000.00020000.00000000.sdmp, is-8T34J.tmp.1.dr	false		high
http://example.org/foo	expat-win32bin-2.6.2.tmp, 00000001.00000003.1225801313.0000000005F7C000.00000004.00001000.00020000.00000000.sdmp, is-8T34J.tmp.1.dr	false		high
https://uriparser.github.io/	expat-win32bin-2.6.2.tmp, 00000001.00000003.1225801313.0000000005E34000.00000004.00001000.00020000.00000000.sdmp, is-OO3ST.tmp.1.dr, is-4FTAQ.tmp.1.dr	false		unknown
https://www.unicode.org/unicode/reports/tr28/	expat-win32bin-2.6.2.tmp, 00000001.00000003.1225801313.0000000005F7C000.00000004.00001000.00020000.00000000.sdmp, is-KHCSJ.tmp.1.dr	false		high
http://www.remobjects.com/ps	expat-win32bin-2.6.2.exe, 00000000.00000003.1160182723.00000000024D0000.00000004.00001000.00020000.00000000.sdmp, expat-win32bin-2.6.2.exe, 00000000.00000003.1160505995.000000007FD20000.00000004.00001000.00020000.00000000.sdmp, expat-win32bin-2.6.2.tmp, 00000001.00000000.1161483708.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-ETMC9.tmp.1.dr, expat-win32bin-2.6.2.tmp.0.dr	false	URL Reputation: safe	unknown
https://namespace1.test	expat-win32bin-2.6.2.tmp, 00000001.00000003.1225801313.0000000005F7C000.00000004.00001000.00020000.00000000.sdmp, is-BABGD.tmp.1.dr	false		unknown
https://cmake.org/cmake/help/latest/variable/MSVC_VERSION.html	expat-win32bin-2.6.2.tmp, 00000001.00000003.1225801313.0000000005F7C000.00000004.00001000.00020000.00000000.sdmp, is-H25RM.tmp.1.dr	false		high
http://example.org/one.ent	expat-win32bin-2.6.2.tmp, 00000001.00000003.1225801313.0000000005F7C000.00000004.00001000.00020000.00000000.sdmp, is-8T34J.tmp.1.dr, is-PK54U.tmp.1.dr	false		high
http://example.org/ns1	expat-win32bin-2.6.2.tmp, 00000001.00000003.1225801313.0000000005F7C000.00000004.00001000.00020000.00000000.sdmp, is-0U35S.tmp.1.dr, is-PK54U.tmp.1.dr	false		high
http://www.jclark.com/xml/canonxml.html	expat-win32bin-2.6.2.tmp, 00000001.00000003.1225801313.0000000005E34000.00000004.00001000.00020000.00000000.sdmp, is-DLR13.tmp.1.dr	false		unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1428761
Start date and time:	2024-04-19 15:29:46 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 12s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	expat-win32bin-2.6.2.exe
Detection:	MAL
Classification:	mal56.winEXE@8/224@0/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, mcr-ring.msedge.net, l-ring.msedge.net, slscr.update.microsoft.com, login.live.com, static-ecst.licdn.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: expat-win32bin-2.6.2.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\is-5QN94.tmp\expat-win32bin-2.6.2.tmp	Ps1_To_Exe_(Installer).exe	Get hash	malicious	Unknown	Browse
	CHT1044.Compact.Analyzer.v2.34.10.0.exe	Get hash	malicious	Unknown	Browse
	window driver-Receipt.exe	Get hash	malicious	Unknown	Browse
	setup.exe	Get hash	malicious	Unknown	Browse
	5CdYzOKRTr.exe	Get hash	malicious	Unknown	Browse
	GoogleTranslateDesktop.exe	Get hash	malicious	Unknown	Browse
	483595855.exe	Get hash	malicious	Unknown	Browse
	setup.exe	Get hash	malicious	Unknown	Browse
	WinCash_Backoffice.exe	Get hash	malicious	Unknown	Browse
	6d8bf9d.bin.exe	Get hash	malicious	Unknown	Browse

Process:	C:\Users\user\AppData\Local\Temp\is-5QN94.tmp\expat-win32bin-2.6.2.tmp
File Type:	ASCII text
Category:	dropped
Size (bytes):	142
Entropy (8bit):	4.73033054878804
Encrypted:	false
SSDEEP:	3:YujXMR6jKDA9XnspvcFnMbcIAqALjOvZWU5MmL2e2uMSZ:YaA6jkkFU1AfaWPE2uMS
MD5:	4FCC7D1EFFD5D9789581801BD86B27D2
SHA1:	A502AB6EBD4206DD8384111279B42821FE442B6F
SHA-256:	59F14371C6B75912CFEBB46E6247EE5146766E803A0365B124E5D3011E7D0877
SHA-512:	C26314E8E6F40477427E313C7ED08E77AF6F5EC24CF1B033135ABB4962289486CC8912EF66FC162DC54E5FDA45C49A9B76FD58E43464209D419DC232C2DD1AE6
Malicious:	false
Reputation:	low
Preview:	Expat is brought to you by:..Clark Cooper.Fred L. Drake, Jr..Greg Stein.James Clark.Karl Waclawek.Rhodri James.Sebastian Pipping.Steven Solie.

Process:	C:\Users\user\Desktop\expat-win32bin-2.6.2.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1179648
Entropy (8bit):	6.395287124443116
Encrypted:	false
SSDEEP:	24576:RtdAm9DUi/CR3wCkCiRgoG7hBaHkbEXXeG/jFt5lTxyt:PqTytRFk6ek1L
MD5:	90FC739C83CD19766ACB562C66A7D0E2
SHA1:	451F385A53D5FED15E7649E7891E05F231EF549A
SHA-256:	821BD11693BF4B4B2B9F3C196036E1F4902ABD95FB26873EA6C43E123B8C9431
SHA-512:	4CB11AD48B7585EF1B70FAC9E3C25610B2F64A16358CD51E32ADCB0B17A6AB1C934AEB10ADAA8E9DDF69B2E2F1D18FE2E87B49B39F89B05EA13AA3205E41296C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Joe Sandbox View:	Filename: Ps1_To_Exe_(Installer).exe, Detection: malicious, Browse Filename: CHT1044.Compact.Analyzer.v2.34.10.0.exe, Detection: malicious, Browse Filename: window driver-Receipt.exe, Detection: malicious, Browse Filename: setup.exe, Detection: malicious, Browse Filename: 5CdYzOKRTr.exe, Detection: malicious, Browse Filename: GoogleTranslateDesktop.exe, Detection: malicious, Browse Filename: 483595855.exe, Detection: malicious, Browse Filename: setup.exe, Detection: malicious, Browse Filename: WinCash_Backoffice.exe, Detection: malicious, Browse Filename: 6d8bf9d.bin.exe, Detection: malicious, Browse
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L......W............................l........ ....@.......................................@......@..............................@8...0....................................................... .......................................................text............................... ..`.itext.............................. ..`.data...h0... ...2..................@....bss.....a...`.......0...................idata..@8.......:...0..............@....tls....<............j...................rdata....... .......j..............@..@.rsrc........0.......l..............@..@....................................@..@........................................................................................................................................

Process:	C:\Windows\System32\cmd.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:i:i
MD5:	3CF9DC0FDC2A6AB9B6F6265DC66B0157
SHA1:	028C81DFFABD9A1B112B95E10FBAFB6C72EC9C45
SHA-256:	8C14FDF5C613F56EF1755248A9D0C3A739ED5F3BA13746AA8315EE569CABEC17
SHA-512:	B5DD62462DEB0324FF00400FEAE70652482177A28E58A6116A273536B47C05595A3573AD91C3DE62441EB251D87C11DB23B9F0873297196D46DA04F9FD04CC45
Malicious:	false
Preview:	^C

Entrypoint:	0x4117dc
Entrypoint Section:	.itext
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x57051F88 [Wed Apr 6 14:39:04 2016 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	20dd26497880c05caed9305b3c8b9109

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x19000	0xe04	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1c000	0xb200	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x1b000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x19304	0x214	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xf244	0xf400	a33e9ff7181115027d121cd377c28c8f	False	0.5481717469262295	data	6.3752135040515485	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext	0x11000	0xf64	0x1000	caec456c18277b579a94c9508daf36ec	False	0.55859375	data	5.732200666157372	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x12000	0xc88	0xe00	746954890499546d73dce0e994642192	False	0.2533482142857143	data	2.2967209087898324	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss	0x13000	0x56bc	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x19000	0xe04	0x1000	e9b9c0328fd9628ad4d6ab8283dcb20e	False	0.321533203125	data	4.597812557707959	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x1a000	0x8	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x1b000	0x18	0x200	3dffc444ccc131c9dcee18db49ee6403	False	0.05078125	data	0.2044881574398449	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x1c000	0xb200	0xb200	fd02d023e3007411e003d3a50d7c0d4b	False	0.179906952247191	data	4.147275472118676	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x1c41c	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	Dutch	Netherlands	0.5675675675675675
RT_ICON	0x1c544	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 320	Dutch	Netherlands	0.4486994219653179
RT_ICON	0x1caac	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	Dutch	Netherlands	0.4637096774193548
RT_ICON	0x1cd94	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1152	Dutch	Netherlands	0.3935018050541516
RT_STRING	0x1d63c	0x68	data			0.6538461538461539
RT_STRING	0x1d6a4	0xd4	data			0.5283018867924528
RT_STRING	0x1d778	0xa4	data			0.6524390243902439
RT_STRING	0x1d81c	0x2ac	data			0.45614035087719296
RT_STRING	0x1dac8	0x34c	data			0.4218009478672986
RT_STRING	0x1de14	0x294	data			0.4106060606060606
RT_RCDATA	0x1e0a8	0x82e8	data	English	United States	0.11261637622344235
RT_RCDATA	0x26390	0x10	data			1.5
RT_RCDATA	0x263a0	0x150	data			0.8392857142857143
RT_RCDATA	0x264f0	0x2c	data			1.1590909090909092
RT_GROUP_ICON	0x2651c	0x3e	data	English	United States	0.8387096774193549
RT_VERSION	0x2655c	0x4f4	data	English	United States	0.3359621451104101
RT_MANIFEST	0x26a50	0x62c	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.4240506329113924

DLL	Import
oleaut32.dll	SysFreeString, SysReAllocStringLen, SysAllocStringLen
advapi32.dll	RegQueryValueExW, RegOpenKeyExW, RegCloseKey
user32.dll	GetKeyboardType, LoadStringW, MessageBoxA, CharNextW
kernel32.dll	GetACP, Sleep, VirtualFree, VirtualAlloc, GetSystemInfo, GetTickCount, QueryPerformanceCounter, GetVersion, GetCurrentThreadId, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenW, lstrcpynW, LoadLibraryExW, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetLocaleInfoW, GetCommandLineW, FreeLibrary, FindFirstFileW, FindClose, ExitProcess, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle, CloseHandle
kernel32.dll	TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleW
user32.dll	CreateWindowExW, TranslateMessage, SetWindowLongW, PeekMessageW, MsgWaitForMultipleObjects, MessageBoxW, LoadStringW, GetSystemMetrics, ExitWindowsEx, DispatchMessageW, DestroyWindow, CharUpperBuffW, CallWindowProcW
kernel32.dll	WriteFile, WideCharToMultiByte, WaitForSingleObject, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, SizeofResource, SignalObjectAndWait, SetLastError, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResetEvent, RemoveDirectoryW, ReadFile, MultiByteToWideChar, LockResource, LoadResource, LoadLibraryW, GetWindowsDirectoryW, GetVersionExW, GetVersion, GetUserDefaultLangID, GetThreadLocale, GetSystemInfo, GetSystemDirectoryW, GetStdHandle, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetLocaleInfoW, GetLastError, GetFullPathNameW, GetFileSize, GetFileAttributesW, GetExitCodeProcess, GetEnvironmentVariableW, GetDiskFreeSpaceW, GetCurrentProcess, GetCommandLineW, GetCPInfo, InterlockedExchange, InterlockedCompareExchange, FreeLibrary, FormatMessageW, FindResourceW, EnumCalendarInfoW, DeleteFileW, CreateProcessW, CreateFileW, CreateEventW, CreateDirectoryW, CloseHandle
advapi32.dll	RegQueryValueExW, RegOpenKeyExW, RegCloseKey, OpenProcessToken, LookupPrivilegeValueW
comctl32.dll	InitCommonControls
kernel32.dll	Sleep
advapi32.dll	AdjustTokenPrivileges

Target ID:	0
Start time:	15:30:13
Start date:	19/04/2024
Path:	C:\Users\user\Desktop\expat-win32bin-2.6.2.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\expat-win32bin-2.6.2.exe"
Imagebase:	0x400000
File size:	1'152'968 bytes
MD5 hash:	7E3077DA4633AD49B055D9447B4509FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	true

Target ID:	14
Start time:	15:30:38
Start date:	19/04/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\cmd.exe"
Imagebase:	0x7ff6fd780000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Target ID:	17
Start time:	15:30:46
Start date:	19/04/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Imagebase:	0x7ff7dd620000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	18
Start time:	15:31:07
Start date:	19/04/2024
Path:	C:\Program Files (x86)\Expat 2.6.2\Bin\xmlwf.exe
Wow64 process (32bit):	true
Commandline:	xmlwf
Imagebase:	0x420000
File size:	634'368 bytes
MD5 hash:	162E9381BECB2DC60B03AF229873AA69
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report expat-win32bin-2.6.2.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\Expat 2.6.2\AUTHORS.txt (copy)

C:\Program Files (x86)\Expat 2.6.2\Bin\is-2OJDA.tmp

C:\Program Files (x86)\Expat 2.6.2\Bin\is-536SH.tmp

C:\Program Files (x86)\Expat 2.6.2\Bin\is-98DOC.tmp

C:\Program Files (x86)\Expat 2.6.2\Bin\is-E0P4F.tmp

C:\Program Files (x86)\Expat 2.6.2\Bin\is-O4RPJ.tmp

C:\Program Files (x86)\Expat 2.6.2\Bin\is-T894K.tmp

C:\Program Files (x86)\Expat 2.6.2\Bin\is-VEROQ.tmp

C:\Program Files (x86)\Expat 2.6.2\Bin\libexpat.dll (copy)

C:\Program Files (x86)\Expat 2.6.2\Bin\libexpat.lib (copy)

C:\Program Files (x86)\Expat 2.6.2\Bin\libexpatMT.lib (copy)

C:\Program Files (x86)\Expat 2.6.2\Bin\libexpatw.dll (copy)

C:\Program Files (x86)\Expat 2.6.2\Bin\libexpatw.lib (copy)

C:\Program Files (x86)\Expat 2.6.2\Bin\libexpatwMT.lib (copy)

C:\Program Files (x86)\Expat 2.6.2\Bin\xmlwf.exe (copy)

C:\Program Files (x86)\Expat 2.6.2\COPYING.txt (copy)

C:\Program Files (x86)\Expat 2.6.2\Changes.txt (copy)

C:\Program Files (x86)\Expat 2.6.2\Doc\is-DLR13.tmp

C:\Program Files (x86)\Expat 2.6.2\Doc\is-LI6L5.tmp

C:\Program Files (x86)\Expat 2.6.2\Doc\is-PBSRF.tmp

C:\Program Files (x86)\Expat 2.6.2\Doc\is-R12A0.tmp

C:\Program Files (x86)\Expat 2.6.2\Doc\ok.min.css (copy)

C:\Program Files (x86)\Expat 2.6.2\Doc\reference.html (copy)

C:\Program Files (x86)\Expat 2.6.2\Doc\style.css (copy)

C:\Program Files (x86)\Expat 2.6.2\Doc\xmlwf.xml (copy)

Windows Analysis Report
expat-win32bin-2.6.2.exe

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre