File name:

WPE64 2.0.0.17.exe

Full analysis: https://app.any.run/tasks/eedc77b0-9ac6-49d9-a2dd-0d1cd30f9020
Verdict: Malicious activity
Analysis date: May 25, 2025, 12:24:35
OS: Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 7 sections
MD5:

EE12781D81FD56060F300BACB429D281

SHA1:

F4B70D6BCFBB0F549172CDBD5A9378BC579B08CB

SHA256:

C28DFC5F61BD118C48037082757F18BFAA119B1C2DB8C05389A2C6AE510B14FE

SSDEEP:

98304:5ZtMjY6vo5HnfG9M7EbQOnN/Wf+iS4LEltk0dM2ecWIZxvJSe2R/F5OFkg+LM4AR:1n7Xo+M5MEJ0bPQFX/

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Process drops legitimate windows executable

      • WPE64 2.0.0.17.exe (PID: 5256)

    • Executable content was dropped or overwritten

      • WPE64 2.0.0.17.exe (PID: 5256)

    • Reads the date of Windows installation

      • WPE64 2.0.0.17.exe (PID: 5256)
      • WinsockPacketEditor.exe (PID: 5720)

    • Reads security settings of Internet Explorer

      • WPE64 2.0.0.17.exe (PID: 5256)
      • WinsockPacketEditor.exe (PID: 5720)

    • Reads Internet Explorer settings

      • WinsockPacketEditor.exe (PID: 5720)
      • WinsockPacketEditor.exe (PID: 4268)

    • Application launched itself

      • WinsockPacketEditor.exe (PID: 5720)

    • There is functionality for communication over UDP network (YARA)

      • WinsockPacketEditor.exe (PID: 4268)

    • Executes as Windows Service

      • WmiApSrv.exe (PID: 5116)

    • The process checks if it is being run in the virtual environment

      • WinsockPacketEditor.exe (PID: 4268)

  • INFO

    • Reads the computer name

      • WPE64 2.0.0.17.exe (PID: 5256)
      • WinsockPacketEditor.exe (PID: 4268)

    • Checks supported languages

      • WPE64 2.0.0.17.exe (PID: 5256)
      • WinsockPacketEditor.exe (PID: 5720)
      • WinsockPacketEditor.exe (PID: 4268)

    • The sample compiled with english language support

      • WPE64 2.0.0.17.exe (PID: 5256)

    • Create files in a temporary directory

      • WPE64 2.0.0.17.exe (PID: 5256)

    • Process checks computer location settings

      • WPE64 2.0.0.17.exe (PID: 5256)
      • WinsockPacketEditor.exe (PID: 5720)

    • Disables trace logs

      • WinsockPacketEditor.exe (PID: 5720)
      • WinsockPacketEditor.exe (PID: 4268)

    • Checks proxy server information

      • WinsockPacketEditor.exe (PID: 4268)
      • WinsockPacketEditor.exe (PID: 5720)

    • Reads the machine GUID from the registry

      • WinsockPacketEditor.exe (PID: 4268)

    • Reads Environment values

      • WinsockPacketEditor.exe (PID: 4268)
      • WinsockPacketEditor.exe (PID: 5720)

    • Reads the software policy settings

      • WinsockPacketEditor.exe (PID: 5720)
      • WinsockPacketEditor.exe (PID: 4268)

    • Reads CPU info

      • WinsockPacketEditor.exe (PID: 4268)

    • Reads the time zone

      • WinsockPacketEditor.exe (PID: 4268)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:02:12 14:02:25+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.42
CodeSize: 307200
InitializedDataSize: 484864
UninitializedDataSize: -
EntryPoint: 0x32680
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
134
Monitored processes
5
Malicious processes
1
Suspicious processes
2

Behavior graph

Click at the process to see the details
start wpe64 2.0.0.17.exe winsockpacketeditor.exe no specs winsockpacketeditor.exe wmiapsrv.exe no specs slui.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
4268"C:\Users\admin\AppData\Local\Temp\RarSFX0\WinsockPacketEditor.exe" C:\Users\admin\AppData\Local\Temp\RarSFX0\WinsockPacketEditor.exe
WinsockPacketEditor.exe
User:
admin
Company:
X-NAS
Integrity Level:
HIGH
Description:
WinsockPacketEditor
Version:
2.0.0.17
Modules
Images
c:\users\admin\appdata\local\temp\rarsfx0\winsockpacketeditor.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
4380C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
5116C:\WINDOWS\system32\wbem\WmiApSrv.exeC:\Windows\System32\wbem\WmiApSrv.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
WMI Performance Reverse Adapter
Exit code:
0
Version:
10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbem\wmiapsrv.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\psapi.dll
5256"C:\Users\admin\AppData\Local\Temp\WPE64 2.0.0.17.exe" C:\Users\admin\AppData\Local\Temp\WPE64 2.0.0.17.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\wpe64 2.0.0.17.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
5720"C:\Users\admin\AppData\Local\Temp\RarSFX0\WinsockPacketEditor.exe" C:\Users\admin\AppData\Local\Temp\RarSFX0\WinsockPacketEditor.exe
User:
admin
Company:
X-NAS
Integrity Level:
HIGH
Description:
WinsockPacketEditor
Exit code:
4294967295
Version:
2.0.0.17
Modules
Images
c:\windows\system32\clbcatq.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\napinsp.dll
c:\windows\system32\pnrpnsp.dll
c:\windows\system32\wshbth.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\textinputframework.dll
Total events
4 335
Read events
4 307
Write events
28
Delete events
0

Modification events

(PID) Process:(5720) WinsockPacketEditor.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WinsockPacketEditor_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(5720) WinsockPacketEditor.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WinsockPacketEditor_RASAPI32
Operation:writeName:EnableAutoFileTracing
Value:
0
(PID) Process:(5720) WinsockPacketEditor.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WinsockPacketEditor_RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(5720) WinsockPacketEditor.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WinsockPacketEditor_RASAPI32
Operation:writeName:FileTracingMask
Value:
(PID) Process:(5720) WinsockPacketEditor.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WinsockPacketEditor_RASAPI32
Operation:writeName:ConsoleTracingMask
Value:
(PID) Process:(5720) WinsockPacketEditor.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WinsockPacketEditor_RASAPI32
Operation:writeName:MaxFileSize
Value:
1048576
(PID) Process:(5720) WinsockPacketEditor.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WinsockPacketEditor_RASAPI32
Operation:writeName:FileDirectory
Value:
%windir%\tracing
(PID) Process:(5720) WinsockPacketEditor.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WinsockPacketEditor_RASMANCS
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(5720) WinsockPacketEditor.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WinsockPacketEditor_RASMANCS
Operation:writeName:EnableAutoFileTracing
Value:
0
(PID) Process:(5720) WinsockPacketEditor.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WinsockPacketEditor_RASMANCS
Operation:writeName:EnableConsoleTracing
Value:
0
Executable files
37
Suspicious files
9
Text files
47
Unknown types
0

Dropped files

PID
Process
Filename
Type
5256WPE64 2.0.0.17.exeC:\Users\admin\AppData\Local\Temp\RarSFX0\Be.Windows.Forms.HexBox.xmlxml
MD5:B534569D28458990C1B2F68EAFA60BC3
SHA256:415EA2D9A22AB58E5F89ECE1CAF45FD61F2579EF0C700C990A997841F284E4E3
5256WPE64 2.0.0.17.exeC:\Users\admin\AppData\Local\Temp\RarSFX0\Microsoft.Owin.Host.HttpListener.dllexecutable
MD5:58D1267BAFC9E0D9531D7C97A08A3A68
SHA256:34FB96B4CCA40AC4312E36E3310EACC2C13F2562BAAB7FFE836060965B7AD579
5256WPE64 2.0.0.17.exeC:\Users\admin\AppData\Local\Temp\RarSFX0\EasyHook.xmlxml
MD5:49E0E6169CA5BF10810FF0A404C3D11E
SHA256:CB35AAA4A765D65FEBFA269E7D68994D4FAC1F8D5A456FFF8A3757B5032ACEF8
5256WPE64 2.0.0.17.exeC:\Users\admin\AppData\Local\Temp\RarSFX0\EasyHook32.dllexecutable
MD5:42ACE4B57A5646B62D838D573CBE4CDB
SHA256:FEA2C5634555D29FBAE098D6EA7DDAB927B25D4CE68B4D877AA35FF3DA7E9E51
5256WPE64 2.0.0.17.exeC:\Users\admin\AppData\Local\Temp\RarSFX0\Microsoft.Owin.FileSystems.xmlxml
MD5:E256891EFA05186F9FF4AF37926AFF66
SHA256:4B07AA26670756C4A55CDCFDD8E26058596A5C38D51BFE0EC661952EE0DF4BE3
5256WPE64 2.0.0.17.exeC:\Users\admin\AppData\Local\Temp\RarSFX0\EasyHook64Svc.exeexecutable
MD5:43AF289E93CF2F8BD491393C695D4812
SHA256:B84C26F91D304F0922E620C96B606D325893760C14F9417AD73F7A152C539F9C
5256WPE64 2.0.0.17.exeC:\Users\admin\AppData\Local\Temp\RarSFX0\EasyHook.dllexecutable
MD5:8DE0A33D7203542C7397E32C0488C355
SHA256:3F6DF47A655908CC3F91AEBD4A93667A6FE1A96968C50A8C1BFEE1E5A120F87F
5256WPE64 2.0.0.17.exeC:\Users\admin\AppData\Local\Temp\RarSFX0\EasyLoad64.dllexecutable
MD5:2F2A51CAEDCE0A10E771A612E0E621FE
SHA256:63E31E6FE6E81F8852D5BEACBC32D440AD65B64F9BD53D2D3F308FEF736D049D
5256WPE64 2.0.0.17.exeC:\Users\admin\AppData\Local\Temp\RarSFX0\EntityFramework.SqlServer.xmlxml
MD5:2D1549C365902D6CBEE20E02A985B68B
SHA256:902F57044BAF104DD9A491DADCBA4C787B6F64531880DC3B11345D5758D7BD81
5256WPE64 2.0.0.17.exeC:\Users\admin\AppData\Local\Temp\RarSFX0\EasyHook64.dllexecutable
MD5:163C08C9333279DF7BC4788CF53A0990
SHA256:03E75032981FD6152F4D9EE18D321BF553F9191F254F326DE87B9AD0AF0B8CED
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
21
DNS requests
15
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
200
2.16.241.19:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
6544
svchost.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
2384
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
2384
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
192.168.100.255:137
whitelisted
2.16.241.19:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
3216
svchost.exe
172.211.123.249:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
20.190.159.128:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6544
svchost.exe
2.23.77.188:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
5720
WinsockPacketEditor.exe
101.132.222.195:443
www.wpe64.com
Hangzhou Alibaba Advertising Co.,Ltd.
CN
unknown
2104
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 20.73.194.208
whitelisted
crl.microsoft.com
  • 2.16.241.19
  • 2.16.241.12
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
google.com
  • 172.217.16.206
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
login.live.com
  • 20.190.159.128
  • 40.126.31.69
  • 20.190.159.68
  • 20.190.159.129
  • 40.126.31.1
  • 20.190.159.0
  • 40.126.31.3
  • 20.190.159.71
whitelisted
ocsp.digicert.com
  • 2.23.77.188
whitelisted
www.wpe64.com
  • 101.132.222.195
unknown
slscr.update.microsoft.com
  • 4.175.87.197
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.242.39.171
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
WPE64 2.0.0.17.exe