File name: veraport-g3-x64.exe

Full analysis: https://app.any.run/tasks/c2e99ad0-f158-4afc-8f00-9c09d0918580
Verdict: Malicious activity
Analysis date: October 20, 2024, 05:28:39
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: FCA6017276F0FEEEE26A095A6509530D
SHA1: BBCAB6D538BB641CC2F442D34962DE7F67DEFE7D
SHA256: 52773760053A7D754C22E9741BDD38F29FD7EE366CA9C4F8B58ED428172CF567
SSDEEP: 98304:+HOSG0gEMfYUx8ahLChwu7mfqTmqAmutOA/yuOw1hz09qvJ0qeKnl51uZeTrPZt4:PbIpx8Jfas5pDIzJ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Registers / Runs the DLL via REGSVR32.EXE

      • veraport-g3-x64.tmp (PID: 6648)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • veraport-g3-x64.tmp (PID: 5172)
      • veraport20unloader.exe (PID: 4556)
    • Executable content was dropped or overwritten

      • veraport-g3-x64.exe (PID: 6436)
      • veraport-g3-x64.exe (PID: 6508)
      • veraport-g3-x64.tmp (PID: 6648)
      • wpmsvcsetup.tmp (PID: 6960)
      • wpmsvcsetup.exe (PID: 540)
    • Reads the Windows owner or organization settings

      • veraport-g3-x64.tmp (PID: 6648)
    • Process drops legitimate windows executable

      • veraport-g3-x64.tmp (PID: 6648)
      • wpmsvcsetup.tmp (PID: 6960)
    • Starts SC.EXE for service management

      • veraport-g3-x64.tmp (PID: 6648)
    • Reads the date of Windows installation

      • veraport20unloader.exe (PID: 4556)
    • The process drops C-runtime libraries

      • veraport-g3-x64.tmp (PID: 6648)
    • Executes as Windows Service

      • wpmsvc.exe (PID: 7132)
    • Uses RUNDLL32.EXE to load library

      • control.exe (PID: 2648)
  • INFO

    • Reads the computer name

      • veraport-g3-x64.tmp (PID: 5172)
      • veraport-g3-x64.tmp (PID: 6648)
      • veraport20unloader.exe (PID: 4556)
    • Checks supported languages

      • veraport-g3-x64.exe (PID: 6436)
      • veraport-g3-x64.exe (PID: 6508)
      • veraport-g3-x64.tmp (PID: 5172)
      • veraport-g3-x64.tmp (PID: 6648)
      • veraport20unloader.exe (PID: 4556)
    • Create files in a temporary directory

      • veraport-g3-x64.exe (PID: 6436)
      • veraport-g3-x64.exe (PID: 6508)
      • veraport-g3-x64.tmp (PID: 6648)
    • Process checks computer location settings

      • veraport-g3-x64.tmp (PID: 5172)
      • veraport20unloader.exe (PID: 4556)
    • The process uses the downloaded file

      • veraport20unloader.exe (PID: 4556)
    • Manual execution by a user

      • control.exe (PID: 2648)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Inno Setup installer (77.7)
.exe | Win32 Executable Delphi generic (10)
.dll | Win32 Dynamic Link Library (generic) (4.6)
.exe | Win32 Executable (generic) (3.1)
.exe | Win16/32 Executable Delphi generic (1.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1992:06:19 22:22:17+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 37888
InitializedDataSize: 17920
UninitializedDataSize: -
EntryPoint: 0x9c40
OSVersion: 1
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 3.8.6.1
ProductVersionNumber: 3.8.6.1
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName: Wizvera
FileDescription: Veraport
FileVersion: 3.8.6.1
LegalCopyright: Wizvera
ProductName: Veraport
ProductVersion: 3,8,6,1
No data.
All screenshots are available in the full report
Total processes: 197
Monitored processes: 66
Malicious processes: 2
Suspicious processes: 1

Behavior graph

start veraport-g3-x64.exe veraport-g3-x64.tmp no specs veraport-g3-x64.exe veraport-g3-x64.tmp sc.exe no specs conhost.exe no specs veraport20unloader.exe no specs checknetisolation.exe no specs conhost.exe no specs veraport20unloader.exe no specs regsvr32.exe no specs wizveraregsvr.exe no specs conhost.exe no specs wizcertutil.exe no specs certutil.exe no specs conhost.exe no specs certutil.exe no specs conhost.exe no specs certutil.exe no specs conhost.exe no specs certutil.exe no specs conhost.exe no specs certutil.exe no specs conhost.exe no specs certutil.exe no specs conhost.exe no specs certutil.exe no specs conhost.exe no specs certutil.exe no specs conhost.exe no specs certutil.exe no specs conhost.exe no specs certutil.exe no specs conhost.exe no specs certutil.exe no specs conhost.exe no specs certutil.exe no specs conhost.exe no specs certutil.exe no specs conhost.exe no specs certutil.exe no specs conhost.exe no specs certutil.exe no specs conhost.exe no specs certutil.exe no specs conhost.exe no specs wpmsvcsetup.exe wpmsvcsetup.tmp sc.exe no specs conhost.exe no specs wizsvcutil.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs wpmsvc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs wpmsvc.exe no specs veraport-x64.exe no specs sc.exe no specs conhost.exe no specs control.exe no specs rundll32.exe no specs COpenControlPanel no specs explorer.exe no specs

Process information

Fields per process: PID | CMD | Path | Indicators | Parent process
PID: 540
CMD: "C:\Users\admin\AppData\Local\Temp\is-A5IOP.tmp\wpmsvcsetup.exe" /VERYSILENT
Path: C:\Users\admin\AppData\Local\Temp\is-A5IOP.tmp\wpmsvcsetup.exe
Parent process: veraport-g3-x64.tmp
User: admin
Company: WIZVERA
Integrity Level: HIGH
Description:
Exit code: 0
Version:
PID: 632
CMD: "c:\users\admin\appdata\local\temp\is-a5iop.tmp\.\nss\certutil.exe" -A -n "WIZVERA-CA-SHA2" -t "TCu,Cuw,Tuw" -i c:\users\admin\appdata\local\temp\is-a5iop.tmp\wizvera_ca.crt -d "./"
Path: C:\Users\admin\AppData\Local\Temp\is-A5IOP.tmp\nss\certutil.exe
Parent process: wizcertutil.exe
User: admin
Integrity Level: HIGH
Exit code: 0
PID: 944
CMD: "C:\WINDOWS\system32\sc.exe" start WizveraPMSvc
Path: C:\Windows\System32\sc.exe
Parent process: veraport-g3-x64.tmp
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Service Control Manager Configuration Tool
Exit code: 1056
Version: 10.0.19041.1 (WinBuild.160101.0800)
PID: 1172
CMD: "c:\users\admin\appdata\local\temp\is-a5iop.tmp\.\nss_sql\certutil.exe" -A -n "WIZVERA-CA-SHA2" -t "TCu,Cuw,Tuw" -i c:\users\admin\appdata\local\temp\is-a5iop.tmp\wizvera_ca.crt -d sql:"./"
Path: C:\Users\admin\AppData\Local\Temp\is-A5IOP.tmp\nss_sql\certutil.exe
Parent process: wizcertutil.exe
User: admin
Integrity Level: HIGH
Exit code: 255
PID: 1252
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: certutil.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
1576"c:\users\admin\appdata\local\temp\is-a5iop.tmp\.\nss\certutil.exe" -A -n "WIZVERA-CA-SHA2" -t "TCu,Cuw,Tuw" -i c:\users\admin\appdata\local\temp\is-a5iop.tmp\wizvera_ca.crt -d "./"C:\Users\admin\AppData\Local\Temp\is-A5IOP.tmp\nss\certutil.exewizcertutil.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
PID: 1584
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: CheckNetIsolation.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1584
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: certutil.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
PID: 2312
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: certutil.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
PID: 2312
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: certutil.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Total events: 655
Read events: 655
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 90
Suspicious files: 47
Text files: 24
Unknown types: 0

Dropped files

PID | Process | Filename | Type

6648 | veraport-g3-x64.tmp | C:\Users\admin\AppData\Local\Temp\is-A5IOP.tmp\_isetup\_setup64.tmp | executable
MD5: 4FF75F505FDDCC6A9AE62216446205D9
SHA256: A4C86FC4836AC728D7BD96E7915090FD59521A9E74F1D06EF8E5A47C8695FD81

6648 | veraport-g3-x64.tmp | C:\Users\admin\AppData\Local\Temp\is-A5IOP.tmp\_isetup\_RegDLL.tmp | executable
MD5: 0EE914C6F0BB93996C75941E1AD629C6
SHA256: 4DC09BAC0613590F1FAC8771D18AF5BE25A1E1CB8FDBF4031AA364F3057E74A2

6648 | veraport-g3-x64.tmp | C:\Program Files\Wizvera\Veraport20\is-LQTEL.tmp | executable
MD5: 48DAF9BB9DFF43C76F7EDE31487DA9AA
SHA256: 6947FAADF16D1E862E5DE4771C1F45709294174433F7E9D393C4347A4A96460F

6648 | veraport-g3-x64.tmp | C:\Program Files\Wizvera\Veraport20\is-RCDF5.tmp | executable
MD5: C82B72D2193B8A3365FFD8C3F5A054E7
SHA256: 268C2AB26C029C8A0F8EFAE49F70BEB9934A464757BC21DCB59361F2C75278D5

6648 | veraport-g3-x64.tmp | C:\Users\admin\AppData\Local\Temp\is-A5IOP.tmp\veraport20unloader.exe | executable
MD5: 57709804AE9AEE4948827AD46291345E
SHA256: 2C80C4FDD9246282A8A3DDA36BA2CF287B6F01D694B7D704FDCA48AC154E75CB

6648 | veraport-g3-x64.tmp | C:\Program Files\Wizvera\Veraport20\veraport20.dll | executable
MD5: C82B72D2193B8A3365FFD8C3F5A054E7
SHA256: 268C2AB26C029C8A0F8EFAE49F70BEB9934A464757BC21DCB59361F2C75278D5

6648 | veraport-g3-x64.tmp | C:\Program Files\Wizvera\Veraport20\unins000.exe | executable
MD5: 48DAF9BB9DFF43C76F7EDE31487DA9AA
SHA256: 6947FAADF16D1E862E5DE4771C1F45709294174433F7E9D393C4347A4A96460F

6648 | veraport-g3-x64.tmp | C:\Program Files\Wizvera\Veraport20\is-G551K.tmp | executable
MD5: 57709804AE9AEE4948827AD46291345E
SHA256: 2C80C4FDD9246282A8A3DDA36BA2CF287B6F01D694B7D704FDCA48AC154E75CB

6648 | veraport-g3-x64.tmp | C:\Program Files\Wizvera\Veraport20\is-H1AI1.tmp | executable
MD5: D61EF285731C8704F3B131A168DF08A4
SHA256: DAF8F8F98E961CDE3DC0E8AB52E19CC66D2039E2FCC4681CD6A98E8642E794E6

6648 | veraport-g3-x64.tmp | C:\Users\admin\AppData\Local\Temp\is-A5IOP.tmp\mozillafinder.exe | executable
MD5: AA8F3A80D78B19E1656E1E7C01605CC2
SHA256: BB420F85C25137E65C63D0BD180C19D861DB366A3629C5E3F1BA13A82A4AA4DC
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 7
TCP/UDP connections: 56
DNS requests: 21
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation

GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | whitelisted
GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
GET | 200 | 23.48.23.156:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation

192.168.100.255:137 | whitelisted
5488 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
6944 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
23.48.23.156:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
4 | System | 192.168.100.255:138 | whitelisted
104.126.37.136:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
40.126.31.67:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
crl.microsoft.com
  • 23.48.23.156
  • 23.48.23.143
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
google.com
  • 142.250.185.206
whitelisted
www.bing.com
  • 104.126.37.136
  • 104.126.37.176
  • 104.126.37.170
  • 104.126.37.162
  • 104.126.37.154
  • 104.126.37.163
  • 104.126.37.131
  • 104.126.37.130
  • 104.126.37.144
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
login.live.com
  • 40.126.31.67
  • 20.190.159.75
  • 20.190.159.68
  • 20.190.159.4
  • 20.190.159.23
  • 20.190.159.2
  • 40.126.31.69
  • 40.126.31.71
whitelisted
th.bing.com
  • 104.126.37.136
  • 104.126.37.162
  • 104.126.37.131
  • 104.126.37.186
  • 104.126.37.128
  • 104.126.37.130
  • 104.126.37.123
  • 104.126.37.154
  • 104.126.37.144
whitelisted
go.microsoft.com
  • 184.30.17.189
whitelisted
slscr.update.microsoft.com
  • 4.175.87.197
whitelisted

Threats

No threats detected
No debug info