File name:

wincmp-setup.exe

Full analysis: https://app.any.run/tasks/4cf0d1d3-755c-4f6a-bf31-979ed8a47510
Verdict: Malicious activity
Analysis date: January 25, 2024, 14:08:01
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

2EFAFE8019B6953B6640DB9E2A807D38

SHA1:

FCDE76FE1D486DB2A3AC5CA69EF7428E5F45F7FB

SHA256:

9ECF463C5A0BAE7996FD14ED8DED0C0F6483DA76CE80D3630D25ACDCD5B92DF7

SSDEEP:

49152:8qeNVkgXegzrUlKQLz+bOUC/3IjachbrlEbItlqZGJ0YF1I8P7Jop40jpv6gWd:JEptz8TLz+9CPeachbSGIfYo8C4Esg6

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • wincmp-setup.exe (PID: 2580)
      • wincmp-setup.exe (PID: 2484)
      • wincmp-setup.tmp (PID: 2780)

    • Registers / Runs the DLL via REGSVR32.EXE

      • wincmp-setup.tmp (PID: 2780)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • wincmp-setup.exe (PID: 2580)
      • wincmp-setup.exe (PID: 2484)
      • wincmp-setup.tmp (PID: 2780)

    • Reads the Windows owner or organization settings

      • wincmp-setup.tmp (PID: 2780)

  • INFO

    • Checks supported languages

      • wincmp-setup.exe (PID: 2580)
      • wincmp-setup.tmp (PID: 2808)
      • wincmp-setup.exe (PID: 2484)
      • wincmp-setup.tmp (PID: 2780)
      • wincmp3.exe (PID: 2256)

    • Create files in a temporary directory

      • wincmp-setup.exe (PID: 2580)
      • wincmp-setup.exe (PID: 2484)

    • Reads the computer name

      • wincmp-setup.tmp (PID: 2808)
      • wincmp-setup.tmp (PID: 2780)
      • wincmp3.exe (PID: 2256)

    • Creates files in the program directory

      • wincmp-setup.tmp (PID: 2780)

    • Manual execution by a user

      • wincmp3.exe (PID: 2256)

    • Reads the machine GUID from the registry

      • wincmp3.exe (PID: 2256)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Inno Setup installer (51.8)
.exe | InstallShield setup (20.3)
.exe | Win32 EXE PECompact compressed (generic) (19.6)
.dll | Win32 Dynamic Link Library (generic) (3.1)
.exe | Win32 Executable (generic) (2.1)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2020:05:21 07:56:23+02:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 741376
InitializedDataSize: 38400
UninitializedDataSize: -
EntryPoint: 0xb5eec
OSVersion: 6
ImageVersion: 6
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 4.3.0.0
ProductVersionNumber: 4.3.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName: Grig Software
FileDescription: Compare It! Setup
FileVersion: 4.3
LegalCopyright: Copyright © 1997-2020 Grig Software.
OriginalFileName:
ProductName: Compare It!
ProductVersion: 4.3
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
46
Monitored processes
6
Malicious processes
3
Suspicious processes
1

Behavior graph

Click at the process to see the details
start wincmp-setup.exe wincmp-setup.tmp no specs wincmp-setup.exe wincmp-setup.tmp regsvr32.exe no specs wincmp3.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2256"C:\Program Files\Compare It!\wincmp3.exe" C:\Program Files\Compare It!\wincmp3.exeexplorer.exe
User:
admin
Company:
Grig Software, www.grigsoft.com
Integrity Level:
MEDIUM
Description:
Compare It! - file compare and merge tool
Exit code:
0
Version:
4, 3, 0, 2250
Modules
Images
c:\program files\compare it!\wincmp3.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\imm32.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
2484"C:\Users\admin\AppData\Local\Temp\wincmp-setup.exe" /SPAWNWND=$1700E6 /NOTIFYWND=$8010A C:\Users\admin\AppData\Local\Temp\wincmp-setup.exe
wincmp-setup.tmp
User:
admin
Company:
Grig Software
Integrity Level:
HIGH
Description:
Compare It! Setup
Exit code:
0
Version:
4.3
Modules
Images
c:\users\admin\appdata\local\temp\wincmp-setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
2504"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\Compare It!\wincmpExt.dll"C:\Windows\System32\regsvr32.exewincmp-setup.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft(C) Register Server
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
2580"C:\Users\admin\AppData\Local\Temp\wincmp-setup.exe" C:\Users\admin\AppData\Local\Temp\wincmp-setup.exe
explorer.exe
User:
admin
Company:
Grig Software
Integrity Level:
MEDIUM
Description:
Compare It! Setup
Exit code:
0
Version:
4.3
Modules
Images
c:\users\admin\appdata\local\temp\wincmp-setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
2780"C:\Users\admin\AppData\Local\Temp\is-EATG5.tmp\wincmp-setup.tmp" /SL5="$120128,2386054,780800,C:\Users\admin\AppData\Local\Temp\wincmp-setup.exe" /SPAWNWND=$1700E6 /NOTIFYWND=$8010A C:\Users\admin\AppData\Local\Temp\is-EATG5.tmp\wincmp-setup.tmp
wincmp-setup.exe
User:
admin
Company:
Grig Software
Integrity Level:
HIGH
Description:
Setup/Uninstall
Exit code:
0
Version:
51.1052.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-eatg5.tmp\wincmp-setup.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\mpr.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
2808"C:\Users\admin\AppData\Local\Temp\is-RCEAU.tmp\wincmp-setup.tmp" /SL5="$8010A,2386054,780800,C:\Users\admin\AppData\Local\Temp\wincmp-setup.exe" C:\Users\admin\AppData\Local\Temp\is-RCEAU.tmp\wincmp-setup.tmpwincmp-setup.exe
User:
admin
Company:
Grig Software
Integrity Level:
MEDIUM
Description:
Setup/Uninstall
Exit code:
0
Version:
51.1052.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-rceau.tmp\wincmp-setup.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\mpr.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
Total events
2 271
Read events
2 235
Write events
29
Delete events
7

Modification events

(PID) Process:(2780) wincmp-setup.tmpKey:HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation:delete valueName:RegFilesHash
Value:
1F70F993B0AFF0C5BE508C182EF89F7D207132F8AFD49C8CA92ACD2D70FB6613
(PID) Process:(2780) wincmp-setup.tmpKey:HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation:delete valueName:RegFiles0000
Value:
C:\Program Files\Compare It!\wincmp3.exe
(PID) Process:(2780) wincmp-setup.tmpKey:HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation:delete valueName:Sequence
Value:
1
(PID) Process:(2780) wincmp-setup.tmpKey:HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation:delete valueName:SessionHash
Value:
04787C5D8783EA78A2E95208981993D16B09ABB8BE01E684CA726842300FCC8A
(PID) Process:(2780) wincmp-setup.tmpKey:HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation:delete valueName:Owner
Value:
DC0A00008C428EEE974FDA01
(PID) Process:(2780) wincmp-setup.tmpKey:HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation:delete keyName:(default)
Value:
(PID) Process:(2256) wincmp3.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(2256) wincmp3.exeKey:HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Operation:writeName:NodeSlots
Value:
020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202
(PID) Process:(2256) wincmp3.exeKey:HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Operation:writeName:MRUListEx
Value:
0100000006000000000000000B00000002000000070000000C0000000D0000000A0000000900000008000000030000000500000004000000FFFFFFFF
(PID) Process:(2256) wincmp3.exeKey:HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Operation:writeName:MRUListEx
Value:
020000000100000006000000000000000B000000070000000C0000000D0000000A0000000900000008000000030000000500000004000000FFFFFFFF
Executable files
30
Suspicious files
8
Text files
22
Unknown types
0

Dropped files

PID
Process
Filename
Type
2780wincmp-setup.tmpC:\Program Files\Compare It!\is-O76II.tmpexecutable
MD5:8C9F672996B03CE91678094F584CAED6
SHA256:C857300CF8A3E76E844A99BF2B9B3A3BC95ED1990395CF02A267DE1CE46E81F3
2780wincmp-setup.tmpC:\Program Files\Compare It!\unins000.exeexecutable
MD5:633129353FF15191D7154024ADD0567E
SHA256:D7B717ACD9AC8DAB27813EB747D5404E2E909D9E22084E282D05D15F7EC8BD97
2780wincmp-setup.tmpC:\Program Files\Compare It!\register.urltext
MD5:777DB63933E11E62191717749151C254
SHA256:1056014B9ABC830A6D4000B22EED63A0AFF2221DFD33A45FDD8DE898DF741566
2780wincmp-setup.tmpC:\Program Files\Compare It!\is-UHM4N.tmpexecutable
MD5:633129353FF15191D7154024ADD0567E
SHA256:D7B717ACD9AC8DAB27813EB747D5404E2E909D9E22084E282D05D15F7EC8BD97
2780wincmp-setup.tmpC:\Program Files\Compare It!\wincmp3.chmbinary
MD5:E4F514153498A2F1FF1D2E22C276B972
SHA256:22A6E3B259E5C7C3B1F1CC9F25C1FE25637FF2F74B2411B39B83A07CEC1913ED
2780wincmp-setup.tmpC:\Program Files\Compare It!\wincmp3.exeexecutable
MD5:483A9ED0B4314CB1C46E06F1E41968B8
SHA256:10059987461AD007C4D42991D8C805C1CE0DF4F004A0B95B1E60DFF3900B2BD1
2780wincmp-setup.tmpC:\Program Files\Compare It!\pdftotext.dllexecutable
MD5:8C9F672996B03CE91678094F584CAED6
SHA256:C857300CF8A3E76E844A99BF2B9B3A3BC95ED1990395CF02A267DE1CE46E81F3
2780wincmp-setup.tmpC:\Program Files\Compare It!\is-KHI3K.tmpbinary
MD5:E4F514153498A2F1FF1D2E22C276B972
SHA256:22A6E3B259E5C7C3B1F1CC9F25C1FE25637FF2F74B2411B39B83A07CEC1913ED
2780wincmp-setup.tmpC:\Program Files\Compare It!\is-QMRUG.tmpexecutable
MD5:483A9ED0B4314CB1C46E06F1E41968B8
SHA256:10059987461AD007C4D42991D8C805C1CE0DF4F004A0B95B1E60DFF3900B2BD1
2780wincmp-setup.tmpC:\Program Files\Compare It!\syntax\dirinfo.txttext
MD5:8AE898A94FBDC2CB1C841DB05916CE21
SHA256:1C01A0CF7DFA19A0AF4CDEAC16F028266419CC4C8565C87977ECD1B54F7298EF
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
4
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
4
System
192.168.100.255:137
whitelisted
1080
svchost.exe
224.0.0.252:5355
unknown

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
wincmp-setup.exe