File name:

starwindconverter.exe

Full analysis: https://app.any.run/tasks/359cb65a-327a-46c0-a5a3-2c84f9fe2973
Verdict: Malicious activity
Analysis date: September 05, 2024, 08:38:43
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

06DF1D80075680439507FACB6888DB5E

SHA1:

CB0AF930B0D2F29D5F0F7757D8C265CB75D36958

SHA256:

AD01DC3DCF725BEE263C04729AB1F4D6EA668CC5AAF7B0547416BE1B9F84A72E

SSDEEP:

393216:MjOBzuVCSkmmw3oI1l7TxtLyhMOuqy6iDaLG5XOqpW4rC:MjfSavDxXOAjsN

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes the autorun value in the registry

      • vc_redist.x64.130.exe (PID: 2368)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • starwindconverter.tmp (PID: 6628)

    • Uses WMIC.EXE to obtain operating system information

      • cmd.exe (PID: 5656)

    • Starts SC.EXE for service management

      • cmd.exe (PID: 5656)

    • Creates files in the driver directory

      • cmd.exe (PID: 5656)

    • Executable content was dropped or overwritten

      • cmd.exe (PID: 5656)
      • starwindconverter.exe (PID: 4876)
      • vc_redist.x64.130.exe (PID: 2384)
      • vc_redist.x64.140.exe (PID: 5292)

    • Drops a system driver (possible attempt to evade defenses)

      • cmd.exe (PID: 5656)

    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 5656)

    • Application launched itself

      • vc_redist.x64.130.exe (PID: 2368)
      • vc_redist.x64.140.exe (PID: 1780)

    • Process drops legitimate windows executable

      • vc_redist.x64.130.exe (PID: 2384)
      • vc_redist.x64.140.exe (PID: 5292)

    • Searches for installed software

      • vc_redist.x64.130.exe (PID: 2384)
      • vc_redist.x64.130.exe (PID: 2368)
      • dllhost.exe (PID: 4060)
      • vc_redist.x64.140.exe (PID: 5292)

    • Executes as Windows Service

      • VSSVC.exe (PID: 7108)

  • INFO

    • Checks supported languages

      • starwindconverter.exe (PID: 4876)
      • starwindconverter.tmp (PID: 6628)
      • vc_redist.x64.130.exe (PID: 2368)
      • vc_redist.x64.130.exe (PID: 2384)
      • vc_redist.x64.140.exe (PID: 5292)
      • vc_redist.x64.140.exe (PID: 1780)

    • Create files in a temporary directory

      • starwindconverter.exe (PID: 4876)
      • vc_redist.x64.130.exe (PID: 2384)
      • vc_redist.x64.140.exe (PID: 5292)

    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 6200)

    • Process checks computer location settings

      • starwindconverter.tmp (PID: 6628)

    • Reads the computer name

      • starwindconverter.tmp (PID: 6628)
      • vc_redist.x64.130.exe (PID: 2368)
      • vc_redist.x64.130.exe (PID: 2384)
      • vc_redist.x64.140.exe (PID: 1780)
      • vc_redist.x64.140.exe (PID: 5292)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Inno Setup installer (91.2)
.exe | Win32 Executable (generic) (3.7)
.exe | Win16/32 Executable Delphi generic (1.7)
.exe | Generic Win/DOS Executable (1.6)
.exe | DOS Executable Generic (1.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1992:06:19 22:22:17+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 41472
InitializedDataSize: 296448
UninitializedDataSize: -
EntryPoint: 0xaa98
OSVersion: 1
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 9.0.1.509
ProductVersionNumber: 9.0.1.509
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName: StarWind Software
FileDescription: StarWind V2V Converter
FileVersion: 9.0.1.509
LegalCopyright: StarWind Software Inc. All rights reserved.
ProductName: StarWind V2V Converter
ProductVersion: 9.0 build 509
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
135
Monitored processes
18
Malicious processes
4
Suspicious processes
3

Behavior graph

Click at the process to see the details
start starwindconverter.exe starwindconverter.tmp no specs starwindconverter.exe cmd.exe conhost.exe no specs wmic.exe no specs findstr.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs vc_redist.x64.130.exe vc_redist.x64.130.exe SPPSurrogate no specs vssvc.exe no specs srtasks.exe no specs conhost.exe no specs vc_redist.x64.140.exe no specs vc_redist.x64.140.exe

Process information

PID
CMD
Path
Indicators
Parent process
1020sc start vstor2-mntapi20-sharedC:\Windows\System32\sc.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Service Control Manager Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
1184\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1780"C:\Program Files\StarWind Software\StarWind V2V Converter\vc\vc_redist.x64.140.exe" /quietC:\Program Files\StarWind Software\StarWind V2V Converter\vc\vc_redist.x64.140.exestarwindconverter.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.23026
Exit code:
1638
Version:
14.0.23026.0
Modules
Images
c:\program files\starwind software\starwind v2v converter\vc\vc_redist.x64.140.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
2080findstr 64C:\Windows\System32\findstr.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Find String (QGREP) Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
2368"C:\Program Files\StarWind Software\StarWind V2V Converter\vc\vc_redist.x64.130.exe" /quietC:\Program Files\StarWind Software\StarWind V2V Converter\vc\vc_redist.x64.130.exe
starwindconverter.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501
Exit code:
0
Version:
12.0.30501.0
Modules
Images
c:\program files\starwind software\starwind v2v converter\vc\vc_redist.x64.130.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
2384"C:\Program Files\StarWind Software\StarWind V2V Converter\vc\vc_redist.x64.130.exe" /quiet -burn.unelevated BurnPipe.{429A3722-7D83-438F-8B38-7928192124E7} {C6CE9B65-6B27-40B0-9382-BEFEE0489958} 2368C:\Program Files\StarWind Software\StarWind V2V Converter\vc\vc_redist.x64.130.exe
vc_redist.x64.130.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501
Exit code:
0
Version:
12.0.30501.0
Modules
Images
c:\program files\starwind software\starwind v2v converter\vc\vc_redist.x64.130.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
3304C:\WINDOWS\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:11C:\Windows\System32\SrTasks.exedllhost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft® Windows System Protection background tasks.
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\srtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
4060C:\WINDOWS\system32\DllHost.exe /Processid:{F32D97DF-E3E5-4CB9-9E3E-0EB5B4E49801}C:\Windows\System32\dllhost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
COM Surrogate
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
4876"C:\Users\admin\Desktop\starwindconverter.exe" C:\Users\admin\Desktop\starwindconverter.exe
explorer.exe
User:
admin
Company:
StarWind Software
Integrity Level:
MEDIUM
Description:
StarWind V2V Converter
Exit code:
0
Version:
9.0.1.509
Modules
Images
c:\users\admin\desktop\starwindconverter.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
5184\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeSrTasks.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
2 333
Read events
2 139
Write events
171
Delete events
23

Modification events

(PID) Process:(4060) dllhost.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppGetSnapshots (Enter)
Value:
48000000000000000B3282266FFFDA01DC0F0000441B0000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(2368) vc_redist.x64.130.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore
Operation:writeName:SrCreateRp (Enter)
Value:
40000000000000000B3282266FFFDA0140090000D4180000D5070000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(4060) dllhost.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppGetSnapshots (Leave)
Value:
48000000000000007DD5BD266FFFDA01DC0F0000441B0000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(4060) dllhost.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppEnumGroups (Enter)
Value:
4800000000000000613AC0266FFFDA01DC0F0000441B0000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(4060) dllhost.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppEnumGroups (Leave)
Value:
4800000000000000D08BC2266FFFDA01DC0F0000441B0000D10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(4060) dllhost.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppCreate (Enter)
Value:
48000000000000006255C7266FFFDA01DC0F0000441B0000D00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(4060) dllhost.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP
Operation:writeName:LastIndex
Value:
11
(PID) Process:(4060) dllhost.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppGatherWriterMetadata (Enter)
Value:
480000000000000039E32D276FFFDA01DC0F0000441B0000D30700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(4060) dllhost.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssapiPublisher
Operation:writeName:IDENTIFY (Enter)
Value:
48000000000000000B4730276FFFDA01DC0F0000D8070000E8030000010000000000000000000000C94C79C85671B84F8A8F242787E92A6B00000000000000000000000000000000
(PID) Process:(7108) VSSVC.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer
Operation:writeName:IDENTIFY (Enter)
Value:
480000000000000082FA34276FFFDA01C41B0000E41B0000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000
Executable files
5
Suspicious files
3
Text files
38
Unknown types
0

Dropped files

PID
Process
Filename
Type
4060dllhost.exeC:\System Volume Information\SPP\metadata-2
MD5:
SHA256:
4876starwindconverter.exeC:\Users\admin\AppData\Local\Temp\is-IA97D.tmp\starwindconverter.tmpexecutable
MD5:4005538D0689C8182A32DCF5AE91008E
SHA256:3F6B4C708994788167BA110B0E2E88398D904511F6CE1720B6DB5F10286397BB
2384vc_redist.x64.130.exeC:\Users\admin\AppData\Local\Temp\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\.ba1\thm.wxlxml
MD5:FBFCBC4DACC566A3C426F43CE10907B6
SHA256:70400F181D00E1769774FF36BCD8B1AB5FBC431418067D31B876D18CC04EF4CE
2384vc_redist.x64.130.exeC:\Users\admin\AppData\Local\Temp\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\.ba1\license.rtftext
MD5:1E47EE7B71B22488068343DF4CE30534
SHA256:8518F0420972C1DBE8A323FFC6F57863AF0B80C6A3B27FD0C6FC9BDABB7E2D13
2384vc_redist.x64.130.exeC:\Users\admin\AppData\Local\Temp\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\.be\vcredist_x64.exeexecutable
MD5:E16E6D68CE1949C9721656390F47CE07
SHA256:18E6D3D96FCD39BA069C0E6EBC108881EC5BB07E29A24B0177688CE391DAC526
2384vc_redist.x64.130.exeC:\Users\admin\AppData\Local\Temp\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\.ba1\wixstdba.dllexecutable
MD5:A52E5220EFB60813B31A82D101A97DCB
SHA256:E7C8E7EDD9112137895820E789BAAAECA41626B01FB99FEDE82968DDB66D02CF
2384vc_redist.x64.130.exeC:\Users\admin\AppData\Local\Temp\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\.ba1\BootstrapperApplicationData.xmlxml
MD5:0BD4FA44198EB101D1F070BB99A12C0B
SHA256:54BF9F4BC4ADCBBA99AEF3C048522C23822D3DDAB51891DCBA3B6F59192A2B28
5656cmd.exeC:\Windows\System32\drivers\vstor2-mntapi20-shared.sysexecutable
MD5:701F6FB77B31ED04321108C264D04DE0
SHA256:ADE2410D00A9667B4003BB9ECFE7F64621151246F44CD3A55BF322BEE950181C
5292vc_redist.x64.140.exeC:\Users\admin\AppData\Local\Temp\{e46eca4f-393b-40df-9f49-076faf788d83}\.ba1\1031\license.rtftext
MD5:B4A1F60A329E18DD44C19F91E19E9A0D
SHA256:C017EDFE3B0D308E20FBF3DE8795FD4451A530475A2D0EE0824E166045EADFB7
5292vc_redist.x64.140.exeC:\Users\admin\AppData\Local\Temp\{e46eca4f-393b-40df-9f49-076faf788d83}\.ba1\1028\license.rtftext
MD5:EFA0E0316DBE1D01B04DB8AE55216E89
SHA256:D5147EE2BA7826D5B68E0DC10FC2AC95079F89C38264C5648D924DEC9290D085
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
17
DNS requests
5
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
6052
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
192.168.100.255:138
whitelisted
6052
svchost.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
239.255.255.250:1900
whitelisted
4
System
192.168.100.255:137
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 20.73.194.208
whitelisted
google.com
  • 142.250.186.78
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
starwindconverter.exe