download:

WinmanCAERPdownloader.exe

Full analysis: https://app.any.run/tasks/678f7b2e-6609-4c0a-b267-1556af54ffc0
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: May 26, 2020, 20:37:17
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
installer
loader
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5:

50DD5FCB38066094363B9E2D4844385E

SHA1:

59791BCB2DC989615252361B3FC3FD5FA9603C83

SHA256:

5AE8DE113B25A99BF4EB9BF39B813455F67DC36A439500EC922FB79799590FFB

SSDEEP:

24576:CuJn6gN2A/604BqGnh5+qf+IDgN18HtWNJ6tnaO9qQCX0uuI7MM:3Jn1N4Bdh5L2ym8EWaO9q1Fx

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • DLLStart.exe (PID: 2788)
      • Winman3.exe (PID: 3800)
      • ChkLiteSetup.exe (PID: 1516)
      • OtherDownload.exe (PID: 3924)
      • Litesetup.exe (PID: 2140)
      • Winman5.exe (PID: 2748)
      • Winman3.exe (PID: 2832)
      • DLLStart.exe (PID: 3304)
      • AutoRepair.exe (PID: 3360)
      • wintax.exe (PID: 3064)
      • CheckUpdate.exe (PID: 3840)
      • DLL.exe (PID: 3956)
      • Winman3.exe (PID: 2892)
      • wintax.exe (PID: 2308)
      • CheckUpdate.exe (PID: 1884)
      • Winman5.exe (PID: 1644)
      • WinmanLic.exe (PID: 3912)
      • WinmanLic.exe (PID: 1768)
      • HideLines.exe (PID: 1736)
      • ReportToWeb.exe (PID: 3916)
      • AutoRepair.exe (PID: 3216)
      • WinmanLic.exe (PID: 3700)
      • Winman1.exe (PID: 912)
      • WinmanLic.exe (PID: 2756)
      • WinWebMsg.exe (PID: 3860)
      • Winman9.exe (PID: 2428)
      • WinmanLic.exe (PID: 2344)
      • PriceCalc.exe (PID: 2300)
      • WinmanLic.exe (PID: 792)

    • Loads dropped or rewritten executable

      • Winman3.exe (PID: 3800)
      • DLLStart.exe (PID: 2788)
      • ChkLiteSetup.exe (PID: 1516)
      • OtherDownload.exe (PID: 3924)
      • DLL.exe (PID: 3956)
      • Litesetup.exe (PID: 2140)
      • Winman3.exe (PID: 2832)
      • Winman5.exe (PID: 2748)
      • DLLStart.exe (PID: 3304)
      • wintax.exe (PID: 3064)
      • wintax.exe (PID: 2308)
      • Winman3.exe (PID: 2892)
      • Winman5.exe (PID: 1644)
      • CheckUpdate.exe (PID: 3840)
      • WinmanLic.exe (PID: 1768)
      • WinmanLic.exe (PID: 3912)
      • WinmanLic.exe (PID: 2756)
      • ReportToWeb.exe (PID: 3916)
      • WinmanLic.exe (PID: 3700)
      • Winman1.exe (PID: 912)
      • Winman9.exe (PID: 2428)
      • WinmanLic.exe (PID: 2344)
      • WinWebMsg.exe (PID: 3860)
      • PriceCalc.exe (PID: 2300)
      • WinmanLic.exe (PID: 792)

    • Downloads executable files from the Internet

      • OtherDownload.exe (PID: 3924)

    • Changes settings of System certificates

      • ChkLiteSetup.exe (PID: 1516)
      • PriceCalc.exe (PID: 2300)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinmanCAERPdownloader.exe (PID: 3124)
      • Winman3.exe (PID: 3800)
      • DLLStart.exe (PID: 2788)
      • OtherDownload.exe (PID: 3924)
      • Litesetup.exe (PID: 2140)
      • Winman5.exe (PID: 2748)
      • DLLStart.exe (PID: 3304)
      • DLL.exe (PID: 3956)
      • Winman3.exe (PID: 2832)
      • Winman3.exe (PID: 2892)
      • Winman5.exe (PID: 1644)
      • CheckUpdate.exe (PID: 3840)
      • Winman1.exe (PID: 912)
      • Winman9.exe (PID: 2428)

    • Creates files in the Windows directory

      • DLLStart.exe (PID: 2788)
      • DLL.exe (PID: 3956)

    • Reads Internet Cache Settings

      • ChkLiteSetup.exe (PID: 1516)
      • OtherDownload.exe (PID: 3924)
      • CheckUpdate.exe (PID: 3840)
      • wintax.exe (PID: 3064)
      • WinWebMsg.exe (PID: 3860)
      • PriceCalc.exe (PID: 2300)

    • Reads internet explorer settings

      • ChkLiteSetup.exe (PID: 1516)
      • CheckUpdate.exe (PID: 3840)
      • wintax.exe (PID: 3064)
      • PriceCalc.exe (PID: 2300)
      • WinWebMsg.exe (PID: 3860)

    • Creates COM task schedule object

      • DLL.exe (PID: 3956)

    • Creates files in the program directory

      • AutoRepair.exe (PID: 3360)
      • Litesetup.exe (PID: 2140)

    • Creates a software uninstall entry

      • Litesetup.exe (PID: 2140)

    • Modifies the open verb of a shell class

      • Litesetup.exe (PID: 2140)

    • Low-level read access rights to disk partition

      • wintax.exe (PID: 2308)
      • wintax.exe (PID: 3064)

    • Creates files in the user directory

      • wintax.exe (PID: 3064)
      • wintax.exe (PID: 2308)

    • Executed via COM

      • WINWORD.EXE (PID: 1904)
      • iexplore.exe (PID: 3080)
      • iexplore.exe (PID: 2344)

    • Searches for installed software

      • wintax.exe (PID: 3064)

    • Adds / modifies Windows certificates

      • PriceCalc.exe (PID: 2300)
      • ChkLiteSetup.exe (PID: 1516)

  • INFO

    • Reads settings of System Certificates

      • ChkLiteSetup.exe (PID: 1516)
      • wintax.exe (PID: 3064)
      • PriceCalc.exe (PID: 2300)

    • Dropped object may contain Bitcoin addresses

      • Winman5.exe (PID: 2748)
      • Winman5.exe (PID: 1644)
      • CheckUpdate.exe (PID: 3840)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 1904)

    • Creates files in the user directory

      • WINWORD.EXE (PID: 1904)

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3080)
      • iexplore.exe (PID: 2184)
      • iexplore.exe (PID: 2344)
      • iexplore.exe (PID: 2356)

    • Changes internet zones settings

      • iexplore.exe (PID: 3080)
      • iexplore.exe (PID: 2344)

    • Application launched itself

      • iexplore.exe (PID: 2344)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | NSIS - Nullsoft Scriptable Install System (94.8)
.exe | Win32 Executable MS Visual C++ (generic) (3.4)
.dll | Win32 Dynamic Link Library (generic) (0.7)
.exe | Win32 Executable (generic) (0.5)
.exe | Generic Win/DOS Executable (0.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2009:12:05 23:50:46+01:00
PEType: PE32
LinkerVersion: 6
CodeSize: 23552
InitializedDataSize: 119808
UninitializedDataSize: 1024
EntryPoint: 0x323c
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1075.0.0.0
ProductVersionNumber: 1075.0.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: ASCII
Comments: -
CompanyName: Winman Software India LLP
FileDescription: Winman CA-ERP & GST downloader
FileVersion: 1075
LegalCopyright: Winman Software India LLP
LegalTrademarks: Winman Software India LLP
ProductName: Winman CA-ERP, Winman GST

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 05-Dec-2009 22:50:46
Detected languages:
  • English - United States
Comments: -
CompanyName: Winman Software India LLP
FileDescription: Winman CA-ERP & GST downloader
FileVersion: 1075
LegalCopyright: Winman Software India LLP
LegalTrademarks: Winman Software India LLP
ProductName: Winman CA-ERP, Winman GST

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000D8

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 5
Time date stamp: 05-Dec-2009 22:50:46
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x00005A5A
0x00005C00
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.4177
.rdata
0x00007000
0x00001190
0x00001200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.18163
.data
0x00009000
0x0001AF98
0x00000400
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
4.70903
.ndata
0x00024000
0x0000D000
0x00000000
IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0
.rsrc
0x00031000
0x00004228
0x00004400
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.80251

Resources

Title
Entropy
Size
Codepage
Language
Type
1
5.10394
533
UNKNOWN
English - United States
RT_MANIFEST
2
5.9993
3752
UNKNOWN
English - United States
RT_ICON
3
6.24459
2216
UNKNOWN
English - United States
RT_ICON
4
5.01502
1384
UNKNOWN
English - United States
RT_ICON
5
6.16057
1128
UNKNOWN
English - United States
RT_ICON
6
3.34146
744
UNKNOWN
English - United States
RT_ICON
7
3.04232
296
UNKNOWN
English - United States
RT_ICON
103
2.6691
104
UNKNOWN
English - United States
RT_GROUP_ICON
105
2.73893
514
UNKNOWN
English - United States
RT_DIALOG
106
2.91148
248
UNKNOWN
English - United States
RT_DIALOG

Imports

ADVAPI32.dll
COMCTL32.dll
GDI32.dll
KERNEL32.dll
SHELL32.dll
USER32.dll
VERSION.dll
ole32.dll
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
75
Monitored processes
37
Malicious processes
16
Suspicious processes
5

Behavior graph

Click at the process to see the details
drop and start drop and start start drop and start download and start drop and start drop and start drop and start drop and start drop and start drop and start winmancaerpdownloader.exe winman3.exe dllstart.exe chklitesetup.exe otherdownload.exe litesetup.exe winman5.exe dll.exe winman3.exe dllstart.exe autorepair.exe no specs regedit.exe no specs wintax.exe wintax.exe no specs checkupdate.exe checkupdate.exe no specs winman3.exe winman5.exe winmanlic.exe no specs winmanlic.exe no specs winmanlic.exe no specs hidelines.exe no specs reporttoweb.exe no specs winword.exe no specs autorepair.exe no specs winmanlic.exe no specs winmanlic.exe no specs winman1.exe winman9.exe winmanlic.exe no specs iexplore.exe no specs iexplore.exe no specs winwebmsg.exe iexplore.exe no specs iexplore.exe no specs pricecalc.exe winmancaerpdownloader.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
792"C:\Winman\Winman CA-ERP & GST\WinmanLic.exe" #userdata$\UserData\admin_USER-PC|#RegDrive$C|#Product$Saral|C:\Winman\Winman CA-ERP & GST\WinmanLic.exewintax.exe
User:
admin
Company:
Winman Software India LLP
Integrity Level:
HIGH
Exit code:
0
Version:
1.00
Modules
Images
c:\winman\winman ca-erp & gst\winmanlic.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
912"C:\Winman\Winman CA-ERP & GST\Feat_temp\Winman1.exe" LITE?C:\Winman\Winman CA-ERP & GSTC:\Winman\Winman CA-ERP & GST\Feat_temp\Winman1.exe
CheckUpdate.exe
User:
admin
Company:
Winman Software India LLP
Integrity Level:
HIGH
Description:
Add-on Feature for Winman CA-ERP & GST
Exit code:
0
Version:
1075
Modules
Images
c:\winman\winman ca-erp & gst\feat_temp\winman1.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shell32.dll
1516"C:\Users\admin\AppData\Local\Temp\Winman CA ERP Downloader_1\ChkLiteSetup.exe" C:\Users\admin\AppData\Local\Temp\Winman CA ERP Downloader_1\ChkLiteSetup.exe
WinmanCAERPdownloader.exe
User:
admin
Company:
Winman Software (P) Ltd
Integrity Level:
HIGH
Description:
Winman's file downloader
Exit code:
0
Version:
1.00
Modules
Images
c:\users\admin\appdata\local\temp\winman ca erp downloader_1\chklitesetup.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\usp10.dll
1644"C:\Winman\Winman CA-ERP & GST\Feat_temp\Winman5.exe" REF?C:\Winman\Winman CA-ERP & GSTC:\Winman\Winman CA-ERP & GST\Feat_temp\Winman5.exe
CheckUpdate.exe
User:
admin
Company:
Winman Software India LLP
Integrity Level:
HIGH
Description:
Add-on Feature for Winman CA-ERP & GST
Exit code:
0
Version:
1075
Modules
Images
c:\winman\winman ca-erp & gst\feat_temp\winman5.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shell32.dll
1736"C:\Winman\Winman CA-ERP & GST\HideLines.exe" C:\Winman\Winman CA-ERP & GST\UserData\admin_USER-PC?C:\Winman\Winman CA-ERP & GST\HideLines.exewintax.exe
User:
admin
Company:
Winman Software (P) Ltd
Integrity Level:
HIGH
Exit code:
0
Version:
1.00
Modules
Images
c:\winman\winman ca-erp & gst\hidelines.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\usp10.dll
1768"C:\Winman\Winman CA-ERP & GST\WinmanLic.exe" #userdata$\UserData\admin_USER-PC|#TAX_ERR$YES|#DPBATCH$|#DP$C:\Winman_Data\Tax Data|#ERROR_REPORT_TO_USER$FORMULA_BLANK_ERROR|C:\Winman\Winman CA-ERP & GST\WinmanLic.exewintax.exe
User:
admin
Company:
Winman Software India LLP
Integrity Level:
HIGH
Exit code:
0
Version:
1.00
Modules
Images
c:\winman\winman ca-erp & gst\winmanlic.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
1884"C:\Winman\Winman CA-ERP & GST\update\CheckUpdate.exe" GST*#REMINDER#1075$*0%UP%\UserData\admin_USER-PC_#2C:\Winman\Winman CA-ERP & GST\update\CheckUpdate.exewintax.exe
User:
admin
Company:
Winman Software India LLP
Integrity Level:
HIGH
Exit code:
0
Version:
1.00
Modules
Images
c:\winman\winman ca-erp & gst\update\checkupdate.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
1904"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -EmbeddingC:\Program Files\Microsoft Office\Office14\WINWORD.EXEsvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
Modules
Images
c:\program files\microsoft office\office14\winword.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\system32\apphelp.dll
2140"C:\Users\admin\AppData\Local\Temp\Winman CA ERP Downloader_1\Litesetup.exe" C:\Users\admin\AppData\Local\Temp\Winman CA ERP Downloader_1\Litesetup.exe
OtherDownload.exe
User:
admin
Company:
Winman Software India LLP
Integrity Level:
HIGH
Description:
Winman CA-ERP & GST Express Setup
Exit code:
0
Version:
1075
Modules
Images
c:\users\admin\appdata\local\temp\winman ca erp downloader_1\litesetup.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
2184"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3080 CREDAT:275457 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exeiexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Internet Explorer
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll
Total events
9 294
Read events
6 367
Write events
2 761
Delete events
166

Modification events

(PID) Process:(2788) DLLStart.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{996BF5E0-8044-4650-ADEB-0B013914E99C}
Operation:writeName:
Value:
Microsoft ListView Control 6.0 (SP6)
(PID) Process:(2788) DLLStart.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{996BF5E0-8044-4650-ADEB-0B013914E99C}\InprocServer32
Operation:writeName:
Value:
C:\Windows\system32\MSCOMCTL.OCX
(PID) Process:(2788) DLLStart.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{996BF5E0-8044-4650-ADEB-0B013914E99C}\InprocServer32
Operation:writeName:ThreadingModel
Value:
Apartment
(PID) Process:(2788) DLLStart.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSComctlLib.ListViewCtrl
Operation:writeName:
Value:
Microsoft ListView Control 6.0 (SP6)
(PID) Process:(2788) DLLStart.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSComctlLib.ListViewCtrl\CLSID
Operation:writeName:
Value:
{996BF5E0-8044-4650-ADEB-0B013914E99C}
(PID) Process:(2788) DLLStart.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSComctlLib.ListViewCtrl\CurVer
Operation:writeName:
Value:
MSComctlLib.ListViewCtrl.2
(PID) Process:(2788) DLLStart.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSComctlLib.ListViewCtrl.2
Operation:writeName:
Value:
Microsoft ListView Control 6.0 (SP6)
(PID) Process:(2788) DLLStart.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSComctlLib.ListViewCtrl.2\CLSID
Operation:writeName:
Value:
{996BF5E0-8044-4650-ADEB-0B013914E99C}
(PID) Process:(2788) DLLStart.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{996BF5E0-8044-4650-ADEB-0B013914E99C}\VersionIndependentProgID
Operation:writeName:
Value:
MSComctlLib.ListViewCtrl
(PID) Process:(2788) DLLStart.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{996BF5E0-8044-4650-ADEB-0B013914E99C}\ProgID
Operation:writeName:
Value:
MSComctlLib.ListViewCtrl.2
Executable files
176
Suspicious files
388
Text files
2 314
Unknown types
129

Dropped files

PID
Process
Filename
Type
3124WinmanCAERPdownloader.exeC:\Users\admin\AppData\Local\Temp\Winman CA ERP Downloader_1\ChkLiteSetup.exe.sktSan
MD5:
SHA256:
3124WinmanCAERPdownloader.exeC:\Users\admin\AppData\Local\Temp\nsq1CDF.tmp
MD5:
SHA256:
3800Winman3.exeC:\Users\admin\AppData\Local\Temp\nsisos.dll
MD5:
SHA256:
2788DLLStart.exeC:\Users\admin\AppData\Local\Temp\nsh20E4.tmp
MD5:
SHA256:
3800Winman3.exeC:\Users\admin\AppData\Local\Temp\nsl1EE0.tmp
MD5:
SHA256:
3124WinmanCAERPdownloader.exeC:\Users\admin\AppData\Local\Temp\nsu1A8B.tmp
MD5:
SHA256:
3124WinmanCAERPdownloader.exeC:\Users\admin\AppData\Local\Temp\Winman CA ERP Downloader_1\Feat_Temp\Winman3.exeexecutable
MD5:
SHA256:
3124WinmanCAERPdownloader.exeC:\Users\admin\AppData\Local\Temp\Winman CA ERP Downloader_1\ChkLiteSetup.exeexecutable
MD5:
SHA256:
1516ChkLiteSetup.exeC:\Users\admin\AppData\Local\Temp\Cab3E6D.tmp
MD5:
SHA256:
1516ChkLiteSetup.exeC:\Users\admin\AppData\Local\Temp\Tar3E6E.tmp
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
17
TCP/UDP connections
42
DNS requests
12
Threats
5

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3924
OtherDownload.exe
GET
52.196.149.58:80
http://upd2.winmansoftware.com/files/Updates/Litesetup.exe
JP
shared
3924
OtherDownload.exe
GET
206
52.196.149.58:80
http://upd2.winmansoftware.com/files/Updates/Litesetup.exe
JP
binary
1.64 Mb
shared
3924
OtherDownload.exe
GET
206
52.196.149.58:80
http://upd2.winmansoftware.com/files/Updates/Litesetup.exe
JP
executable
1.64 Mb
shared
3924
OtherDownload.exe
GET
206
52.196.149.58:80
http://upd2.winmansoftware.com/files/Updates/Litesetup.exe
JP
binary
1.64 Mb
shared
3924
OtherDownload.exe
GET
206
52.196.149.58:80
http://upd2.winmansoftware.com/files/Updates/Litesetup.exe
JP
binary
1.64 Mb
shared
3924
OtherDownload.exe
GET
206
52.196.149.58:80
http://upd2.winmansoftware.com/files/Updates/Litesetup.exe
JP
binary
1.64 Mb
shared
1052
svchost.exe
GET
200
2.16.186.74:80
http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl
unknown
der
781 b
whitelisted
3924
OtherDownload.exe
GET
206
52.196.149.58:80
http://upd2.winmansoftware.com/files/Updates/Litesetup.exe
JP
binary
1.64 Mb
shared
3924
OtherDownload.exe
GET
206
52.196.149.58:80
http://upd2.winmansoftware.com/files/Updates/Litesetup.exe
JP
binary
1.64 Mb
shared
3860
WinWebMsg.exe
GET
200
192.124.249.36:80
http://ocsp.godaddy.com//MEQwQjBAMD4wPDAJBgUrDgMCGgUABBTkIInKBAzXkF0Qh0pel3lfHJ9GPAQU0sSw0pHUTBFxs2HLPaH%2B3ahq1OMCAxvnFQ%3D%3D
US
der
1.66 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1516
ChkLiteSetup.exe
18.136.32.205:443
asp2.winman.in
US
unknown
1516
ChkLiteSetup.exe
13.126.199.7:443
winman.in
Amazon.com, Inc.
IN
unknown
1516
ChkLiteSetup.exe
192.124.249.23:80
ocsp.godaddy.com
Sucuri
US
suspicious
3924
OtherDownload.exe
52.196.149.58:80
upd2.winmansoftware.com
Amazon.com, Inc.
JP
shared
3924
OtherDownload.exe
52.196.149.58:21
upd2.winmansoftware.com
Amazon.com, Inc.
JP
shared
3840
CheckUpdate.exe
52.196.149.58:80
upd2.winmansoftware.com
Amazon.com, Inc.
JP
shared
3840
CheckUpdate.exe
52.196.149.58:21
upd2.winmansoftware.com
Amazon.com, Inc.
JP
shared
3840
CheckUpdate.exe
18.136.32.205:443
asp2.winman.in
US
unknown
3840
CheckUpdate.exe
52.196.149.58:65532
upd2.winmansoftware.com
Amazon.com, Inc.
JP
shared
1052
svchost.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted

DNS requests

Domain
IP
Reputation
asp2.winman.in
  • 18.136.32.205
unknown
winman.in
  • 13.126.199.7
unknown
ocsp.godaddy.com
  • 192.124.249.23
  • 192.124.249.41
  • 192.124.249.36
  • 192.124.249.22
  • 192.124.249.24
whitelisted
upd2.winmansoftware.com
  • 52.196.149.58
shared
dns.msftncsi.com
  • 131.107.255.255
shared
ocsp.digicert.com
  • 93.184.220.29
whitelisted
crl.microsoft.com
  • 2.16.186.74
  • 2.16.186.120
whitelisted
ocsp.pki.goog
  • 172.217.22.99
whitelisted
pay2.winmansoftware.com
  • 18.136.32.205
unknown
www.winmansoftware.com
  • 13.126.199.7
unknown

Threats

PID
Process
Class
Message
3924
OtherDownload.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
3840
CheckUpdate.exe
Potential Corporate Privacy Violation
ET INFO .exe File requested over FTP
3924
OtherDownload.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
3840
CheckUpdate.exe
Potential Corporate Privacy Violation
ET INFO .exe File requested over FTP
3840
CheckUpdate.exe
Potential Corporate Privacy Violation
ET INFO .exe File requested over FTP
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
WinmanCAERPdownloader.exe