File name:

Winver.exe.bin

Full analysis: https://app.any.run/tasks/79f692a8-a9c8-4b1d-8349-da88af1f2bb9
Verdict: Malicious activity
Analysis date: July 29, 2024, 03:36:05
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
evasion
upx
Indicators:
MIME: application/x-dosexec
File info: PE32+ executable (GUI) x86-64, for MS Windows
MD5:

DE6153AEECC2CC7B0B5B84B90EEFDD6E

SHA1:

CACEAC1A5A9190D3741BD68B6E6771927C2B1D4F

SHA256:

2BBA17E0D85F28D400EF2DD09F236FDD37C47C953E898EDC68B8B0D115675E40

SSDEEP:

98304:lt24fGd8X3bKFolq8cZz3pZ8wwgfP+xkTTaXpmUZz6H9IBNt+nEO/BQIKRzXbHt4:Geagu0GRZ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • Winver.exe.bin.exe (PID: 6804)

  • SUSPICIOUS

    • Checks for external IP

      • svchost.exe (PID: 2284)

  • INFO

    • UPX packer has been detected

      • Winver.exe.bin.exe (PID: 6804)

    • Reads the computer name

      • Winver.exe.bin.exe (PID: 6804)

    • Reads product name

      • Winver.exe.bin.exe (PID: 6804)

    • Reads the machine GUID from the registry

      • Winver.exe.bin.exe (PID: 6804)

    • Reads Environment values

      • Winver.exe.bin.exe (PID: 6804)

    • Reads the software policy settings

      • Winver.exe.bin.exe (PID: 6804)

    • Checks supported languages

      • Winver.exe.bin.exe (PID: 6804)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | UPX compressed Win32 Executable (87.1)
.exe | Generic Win/DOS Executable (6.4)
.exe | DOS Executable Generic (6.4)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 0000:00:00 00:00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 3
CodeSize: 2187264
InitializedDataSize: 4096
UninitializedDataSize: 3973120
EntryPoint: 0x5e08e0
OSVersion: 6.1
ImageVersion: 1
SubsystemVersion: 6.1
Subsystem: Windows GUI
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
139
Monitored processes
3
Malicious processes
0
Suspicious processes
0

Behavior graph

Click at the process to see the details
start THREAT winver.exe.bin.exe svchost.exe slui.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2252C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
2284C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
6804"C:\Users\admin\AppData\Local\Temp\Winver.exe.bin.exe" C:\Users\admin\AppData\Local\Temp\Winver.exe.bin.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\appdata\local\temp\winver.exe.bin.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
Total events
3 814
Read events
3 813
Write events
1
Delete events
0

Modification events

(PID) Process:(6804) Winver.exe.bin.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\WinTemp
Operation:writeName:temp
Value:
jPrTPJfBg8Fd
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

No data
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
40
DNS requests
22
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4424
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
3676
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
5368
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
6164
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
4132
OfficeClickToRun.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
95.100.146.34:443
Akamai International B.V.
CZ
unknown
6572
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6700
slui.exe
40.91.76.224:443
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
6012
MoUsoCoreWorker.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6220
RUXIMICS.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
131.253.33.254:443
MICROSOFT-CORP-MSN-AS-BLOCK
US
unknown
2432
slui.exe
40.91.76.224:443
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
3952
svchost.exe
239.255.255.250:1900
whitelisted
4
System
192.168.100.255:137
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 40.127.240.158
whitelisted
google.com
  • 142.250.186.142
whitelisted
ipwho.is
  • 195.201.57.90
malicious
cartmizer.info
unknown
fp-afd-nocache-ccp.azureedge.net
  • 13.107.246.60
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
login.live.com
  • 40.126.31.67
  • 20.190.159.0
  • 20.190.159.68
  • 40.126.31.73
  • 20.190.159.2
  • 40.126.31.69
  • 20.190.159.4
  • 20.190.159.75
whitelisted
th.bing.com
  • 2.23.209.140
  • 2.23.209.185
  • 2.23.209.179
  • 2.23.209.187
  • 2.23.209.149
  • 2.23.209.189
  • 2.23.209.130
  • 2.23.209.133
  • 2.23.209.182
whitelisted
client.wns.windows.com
  • 40.113.110.67
whitelisted
fd.api.iris.microsoft.com
  • 20.74.47.205
whitelisted

Threats

PID
Process
Class
Message
2284
svchost.exe
Potentially Bad Traffic
ET INFO External IP Lookup Domain in DNS Lookup (ipwho .is)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Winver.exe.bin