File name:

WPE64 2.0.0.17.exe

Full analysis: https://app.any.run/tasks/eedc77b0-9ac6-49d9-a2dd-0d1cd30f9020
Verdict: Malicious activity
Analysis date: May 25, 2025, 12:24:35
OS: Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 7 sections
MD5:

EE12781D81FD56060F300BACB429D281

SHA1:

F4B70D6BCFBB0F549172CDBD5A9378BC579B08CB

SHA256:

C28DFC5F61BD118C48037082757F18BFAA119B1C2DB8C05389A2C6AE510B14FE

SSDEEP:

98304:5ZtMjY6vo5HnfG9M7EbQOnN/Wf+iS4LEltk0dM2ecWIZxvJSe2R/F5OFkg+LM4AR:1n7Xo+M5MEJ0bPQFX/

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Process drops legitimate windows executable

      • WPE64 2.0.0.17.exe (PID: 5256)

    • Executable content was dropped or overwritten

      • WPE64 2.0.0.17.exe (PID: 5256)

    • Reads the date of Windows installation

      • WPE64 2.0.0.17.exe (PID: 5256)
      • WinsockPacketEditor.exe (PID: 5720)

    • Reads security settings of Internet Explorer

      • WPE64 2.0.0.17.exe (PID: 5256)
      • WinsockPacketEditor.exe (PID: 5720)

    • Reads Internet Explorer settings

      • WinsockPacketEditor.exe (PID: 5720)
      • WinsockPacketEditor.exe (PID: 4268)

    • Application launched itself

      • WinsockPacketEditor.exe (PID: 5720)

    • Executes as Windows Service

      • WmiApSrv.exe (PID: 5116)

    • The process checks if it is being run in the virtual environment

      • WinsockPacketEditor.exe (PID: 4268)

    • There is functionality for communication over UDP network (YARA)

      • WinsockPacketEditor.exe (PID: 4268)

  • INFO

    • Checks supported languages

      • WPE64 2.0.0.17.exe (PID: 5256)
      • WinsockPacketEditor.exe (PID: 5720)
      • WinsockPacketEditor.exe (PID: 4268)

    • Reads the computer name

      • WPE64 2.0.0.17.exe (PID: 5256)
      • WinsockPacketEditor.exe (PID: 4268)

    • The sample compiled with english language support

      • WPE64 2.0.0.17.exe (PID: 5256)

    • Create files in a temporary directory

      • WPE64 2.0.0.17.exe (PID: 5256)

    • Disables trace logs

      • WinsockPacketEditor.exe (PID: 5720)
      • WinsockPacketEditor.exe (PID: 4268)

    • Process checks computer location settings

      • WPE64 2.0.0.17.exe (PID: 5256)
      • WinsockPacketEditor.exe (PID: 5720)

    • Checks proxy server information

      • WinsockPacketEditor.exe (PID: 5720)
      • WinsockPacketEditor.exe (PID: 4268)

    • Reads Environment values

      • WinsockPacketEditor.exe (PID: 5720)
      • WinsockPacketEditor.exe (PID: 4268)

    • Reads the software policy settings

      • WinsockPacketEditor.exe (PID: 5720)
      • WinsockPacketEditor.exe (PID: 4268)

    • Reads the machine GUID from the registry

      • WinsockPacketEditor.exe (PID: 4268)

    • Reads the time zone

      • WinsockPacketEditor.exe (PID: 4268)

    • Reads CPU info

      • WinsockPacketEditor.exe (PID: 4268)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:02:12 14:02:25+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.42
CodeSize: 307200
InitializedDataSize: 484864
UninitializedDataSize: -
EntryPoint: 0x32680
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
134
Monitored processes
5
Malicious processes
1
Suspicious processes
2

Behavior graph

Click at the process to see the details
start wpe64 2.0.0.17.exe winsockpacketeditor.exe no specs winsockpacketeditor.exe wmiapsrv.exe no specs slui.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
4268"C:\Users\admin\AppData\Local\Temp\RarSFX0\WinsockPacketEditor.exe" C:\Users\admin\AppData\Local\Temp\RarSFX0\WinsockPacketEditor.exe
WinsockPacketEditor.exe
User:
admin
Company:
X-NAS
Integrity Level:
HIGH
Description:
WinsockPacketEditor
Version:
2.0.0.17
Modules
Images
c:\users\admin\appdata\local\temp\rarsfx0\winsockpacketeditor.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
4380C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
5116C:\WINDOWS\system32\wbem\WmiApSrv.exeC:\Windows\System32\wbem\WmiApSrv.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
WMI Performance Reverse Adapter
Exit code:
0
Version:
10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbem\wmiapsrv.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\psapi.dll
5256"C:\Users\admin\AppData\Local\Temp\WPE64 2.0.0.17.exe" C:\Users\admin\AppData\Local\Temp\WPE64 2.0.0.17.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\wpe64 2.0.0.17.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
5720"C:\Users\admin\AppData\Local\Temp\RarSFX0\WinsockPacketEditor.exe" C:\Users\admin\AppData\Local\Temp\RarSFX0\WinsockPacketEditor.exe
User:
admin
Company:
X-NAS
Integrity Level:
HIGH
Description:
WinsockPacketEditor
Exit code:
4294967295
Version:
2.0.0.17
Modules
Images
c:\windows\system32\clbcatq.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\napinsp.dll
c:\windows\system32\pnrpnsp.dll
c:\windows\system32\wshbth.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\textinputframework.dll
Total events
4 335
Read events
4 307
Write events
28
Delete events
0

Modification events

(PID) Process:(5720) WinsockPacketEditor.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WinsockPacketEditor_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(5720) WinsockPacketEditor.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WinsockPacketEditor_RASAPI32
Operation:writeName:EnableAutoFileTracing
Value:
0
(PID) Process:(5720) WinsockPacketEditor.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WinsockPacketEditor_RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(5720) WinsockPacketEditor.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WinsockPacketEditor_RASAPI32
Operation:writeName:FileTracingMask
Value:
(PID) Process:(5720) WinsockPacketEditor.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WinsockPacketEditor_RASAPI32
Operation:writeName:ConsoleTracingMask
Value:
(PID) Process:(5720) WinsockPacketEditor.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WinsockPacketEditor_RASAPI32
Operation:writeName:MaxFileSize
Value:
1048576
(PID) Process:(5720) WinsockPacketEditor.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WinsockPacketEditor_RASAPI32
Operation:writeName:FileDirectory
Value:
%windir%\tracing
(PID) Process:(5720) WinsockPacketEditor.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WinsockPacketEditor_RASMANCS
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(5720) WinsockPacketEditor.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WinsockPacketEditor_RASMANCS
Operation:writeName:EnableAutoFileTracing
Value:
0
(PID) Process:(5720) WinsockPacketEditor.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WinsockPacketEditor_RASMANCS
Operation:writeName:EnableConsoleTracing
Value:
0
Executable files
37
Suspicious files
9
Text files
47
Unknown types
0

Dropped files

PID
Process
Filename
Type
5256WPE64 2.0.0.17.exeC:\Users\admin\AppData\Local\Temp\RarSFX0\Be.Windows.Forms.HexBox.dllexecutable
MD5:1ABB997D4E809B9D7F9016617DC01294
SHA256:4938A4DBB51FD8D35DFDF2C5D42E9A127B9365D495461864E6BB9EC7FC9A3CB7
5256WPE64 2.0.0.17.exeC:\Users\admin\AppData\Local\Temp\RarSFX0\EntityFramework.SqlServer.xmlxml
MD5:2D1549C365902D6CBEE20E02A985B68B
SHA256:902F57044BAF104DD9A491DADCBA4C787B6F64531880DC3B11345D5758D7BD81
5256WPE64 2.0.0.17.exeC:\Users\admin\AppData\Local\Temp\RarSFX0\EntityFramework.dllexecutable
MD5:29716264EFCC4C38E96B94917375129A
SHA256:CE25578A749C17A559832340004AC1AF2BF3594B79795AE53F8CAB09999E8FF6
5256WPE64 2.0.0.17.exeC:\Users\admin\AppData\Local\Temp\RarSFX0\Be.Windows.Forms.HexBox.xmlxml
MD5:B534569D28458990C1B2F68EAFA60BC3
SHA256:415EA2D9A22AB58E5F89ECE1CAF45FD61F2579EF0C700C990A997841F284E4E3
5256WPE64 2.0.0.17.exeC:\Users\admin\AppData\Local\Temp\RarSFX0\EasyHook32.dllexecutable
MD5:42ACE4B57A5646B62D838D573CBE4CDB
SHA256:FEA2C5634555D29FBAE098D6EA7DDAB927B25D4CE68B4D877AA35FF3DA7E9E51
5256WPE64 2.0.0.17.exeC:\Users\admin\AppData\Local\Temp\RarSFX0\EasyHook32Svc.exeexecutable
MD5:828B9A7AE0651E0F690C00816EEC1A94
SHA256:9CFDA284E280CF9C6AFEB2D3016D78BEDA4E5B3CBAAF893684B569F5C246B99E
5256WPE64 2.0.0.17.exeC:\Users\admin\AppData\Local\Temp\RarSFX0\EasyHook.dllexecutable
MD5:8DE0A33D7203542C7397E32C0488C355
SHA256:3F6DF47A655908CC3F91AEBD4A93667A6FE1A96968C50A8C1BFEE1E5A120F87F
5256WPE64 2.0.0.17.exeC:\Users\admin\AppData\Local\Temp\RarSFX0\EasyHook.xmlxml
MD5:49E0E6169CA5BF10810FF0A404C3D11E
SHA256:CB35AAA4A765D65FEBFA269E7D68994D4FAC1F8D5A456FFF8A3757B5032ACEF8
5256WPE64 2.0.0.17.exeC:\Users\admin\AppData\Local\Temp\RarSFX0\EasyHook64.dllexecutable
MD5:163C08C9333279DF7BC4788CF53A0990
SHA256:03E75032981FD6152F4D9EE18D321BF553F9191F254F326DE87B9AD0AF0B8CED
5256WPE64 2.0.0.17.exeC:\Users\admin\AppData\Local\Temp\RarSFX0\EasyLoad32.dllexecutable
MD5:FFC0CD23FFA6929D90868D8F7DE133B3
SHA256:6AE23E848531C6D67327071E994F65B37B8EFCE27E4E3E1B53D96A2D3A1D2F2F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
21
DNS requests
15
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
2.16.241.19:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
6544
svchost.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
2384
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
2384
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
192.168.100.255:137
whitelisted
2.16.241.19:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
3216
svchost.exe
172.211.123.249:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
20.190.159.128:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6544
svchost.exe
2.23.77.188:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
5720
WinsockPacketEditor.exe
101.132.222.195:443
www.wpe64.com
Hangzhou Alibaba Advertising Co.,Ltd.
CN
unknown
2104
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 20.73.194.208
whitelisted
crl.microsoft.com
  • 2.16.241.19
  • 2.16.241.12
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
google.com
  • 172.217.16.206
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
login.live.com
  • 20.190.159.128
  • 40.126.31.69
  • 20.190.159.68
  • 20.190.159.129
  • 40.126.31.1
  • 20.190.159.0
  • 40.126.31.3
  • 20.190.159.71
whitelisted
ocsp.digicert.com
  • 2.23.77.188
whitelisted
www.wpe64.com
  • 101.132.222.195
unknown
slscr.update.microsoft.com
  • 4.175.87.197
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.242.39.171
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
WPE64 2.0.0.17.exe