File name:	wiresock-secure-connect-x64-2.4.16.1.exe
Full analysis:	https://app.any.run/tasks/f175efdc-90ef-4f98-918c-2f133bb6e019
Verdict:	Malicious activity
Analysis date:	August 02, 2025, 18:50:09
OS:	Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32+ executable (GUI) x86-64, for MS Windows, InstallShield self-extracting archive, 9 sections
MD5:	638EA7AAFE99D91B68B5C59566FE8D7C
SHA1:	9A2BC744327C67714F18269B99FE2B1E2030F927
SHA256:	E41C36C2ECF2B6FE1891BCC112CAB04F189F7D21AE3E5779171E3EA8D71BB448
SSDEEP:	98304:9lvKAhyEGqiunoagsOGfkXp69A0+mo/x8Mo50VQ6yRZBN4+oJFPfMwhCHZHPeNBl:jVSZ0VFFPzez

.exe	\|	Generic Win/DOS Executable (50)
.exe	\|	DOS Executable Generic (49.9)

MachineType:	AMD AMD64
TimeStamp:	2025:04:07 17:50:27+00:00
ImageFileCharacteristics:	Executable, Large address aware, Removable run from swap, Net run from swap
PEType:	PE32+
LinkerVersion:	14.43
CodeSize:	569344
InitializedDataSize:	795136
UninitializedDataSize:	-
EntryPoint:	0x610f0
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI
FileVersionNumber:	2.4.16.1
ProductVersionNumber:	2.4.16.1
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	ASCII
CompanyName:	WireSock Foundation
FileDescription:	WireSock Secure Connect
FileVersion:	2.4.16.1
InternalName:	burn
OriginalFileName:	wiresock-secure-connect.exe
ProductName:	WireSock Secure Connect
ProductVersion:	2.4.16.1
LegalCopyright:	Copyright (c) 2021-2025 WireSock Foundation


(PID) Process:	(2428) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:	write	Name:	failed_count
Value: 0
(PID) Process:	(2428) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:	write	Name:	state
Value: 2
(PID) Process:	(2428) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:	write	Name:	state
Value: 1
(PID) Process:	(2428) msedge.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault
Operation:	write	Name:	S-1-5-21-1693682860-607145093-2874071422-1001
Value: 66B6C5A1FC992F00
(PID) Process:	(2428) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\StabilityMetrics
Operation:	write	Name:	user_experience_metrics.stability.exited_cleanly
Value: 0
(PID) Process:	(2428) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\328440
Operation:	write	Name:	WindowTabManagerFileMappingId
Value: {404F9382-8333-4251-9CCB-6B47E44FDF8B}
(PID) Process:	(2428) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\328440
Operation:	write	Name:	WindowTabManagerFileMappingId
Value: {1AD1C546-9D2B-48B4-B31B-D1051126B450}
(PID) Process:	(2428) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\328440
Operation:	write	Name:	WindowTabManagerFileMappingId
Value: {FB6995E6-9645-4479-859F-95751D89EFFB}
(PID) Process:	(2428) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\328440
Operation:	write	Name:	WindowTabManagerFileMappingId
Value: {B54C4EF0-DD07-4356-BE7A-BE875A675C5A}
(PID) Process:	(2428) msedge.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault
Operation:	write	Name:	S-1-5-21-1693682860-607145093-2874071422-1001
Value: B4C3E1A2FC992F00

PID	Process	Filename		Type
6104	wiresock-secure-connect-x64-2.4.16.1.exe	C:\Users\admin\AppData\Local\Temp\{59375F4C-3704-44F3-AAA7-6D92CF286433}\.ba\icon.ico		image
		MD5:8B4CD6BEA65A2FC8E1D5B3C90D989066	SHA256:F7A7AA48644508A9C624F4B9ACDC8D03031BFD45097D93D7AC3337F34300AB6A
6104	wiresock-secure-connect-x64-2.4.16.1.exe	C:\Users\admin\AppData\Local\Temp\{59375F4C-3704-44F3-AAA7-6D92CF286433}\.ba\1034\logo.png		image
		MD5:594F3877CCE1DB2395ACFFBB6C182E4E	SHA256:E627A5A1D090ADC3F85EB6C52DBCB6BD8B7B07B6395EBBF7F281235C929D7BE2
6104	wiresock-secure-connect-x64-2.4.16.1.exe	C:\Users\admin\AppData\Local\Temp\{59375F4C-3704-44F3-AAA7-6D92CF286433}\.ba\1031\icon.ico		image
		MD5:8B4CD6BEA65A2FC8E1D5B3C90D989066	SHA256:F7A7AA48644508A9C624F4B9ACDC8D03031BFD45097D93D7AC3337F34300AB6A
6104	wiresock-secure-connect-x64-2.4.16.1.exe	C:\Users\admin\AppData\Local\Temp\{59375F4C-3704-44F3-AAA7-6D92CF286433}\.ba\1031\thm.wxl		text
		MD5:437F7882DA28890BA5CA1D8977BA2989	SHA256:2AEE0E49423F443DB0ACBC297F68EC5BD03A79B95B057F9D53EEBA2D8C289E03
6104	wiresock-secure-connect-x64-2.4.16.1.exe	C:\Users\admin\AppData\Local\Temp\{59375F4C-3704-44F3-AAA7-6D92CF286433}\.ba\1031\logo.png		image
		MD5:594F3877CCE1DB2395ACFFBB6C182E4E	SHA256:E627A5A1D090ADC3F85EB6C52DBCB6BD8B7B07B6395EBBF7F281235C929D7BE2
6104	wiresock-secure-connect-x64-2.4.16.1.exe	C:\Users\admin\AppData\Local\Temp\{59375F4C-3704-44F3-AAA7-6D92CF286433}\.ba\1034\thm.xml		xml
		MD5:4BD16A2ADAFDAAE8673EC963F7D1333A	SHA256:74D464822EBC30ACDE5A4F2C5E83F143B58381C43F1940CE66F95EF5C1127A2D
6104	wiresock-secure-connect-x64-2.4.16.1.exe	C:\Users\admin\AppData\Local\Temp\{59375F4C-3704-44F3-AAA7-6D92CF286433}\.ba\1049\thm.xml		xml
		MD5:4BD16A2ADAFDAAE8673EC963F7D1333A	SHA256:74D464822EBC30ACDE5A4F2C5E83F143B58381C43F1940CE66F95EF5C1127A2D
6104	wiresock-secure-connect-x64-2.4.16.1.exe	C:\Users\admin\AppData\Local\Temp\{59375F4C-3704-44F3-AAA7-6D92CF286433}\.ba\1034\icon.ico		image
		MD5:8B4CD6BEA65A2FC8E1D5B3C90D989066	SHA256:F7A7AA48644508A9C624F4B9ACDC8D03031BFD45097D93D7AC3337F34300AB6A
6104	wiresock-secure-connect-x64-2.4.16.1.exe	C:\Users\admin\AppData\Local\Temp\{59375F4C-3704-44F3-AAA7-6D92CF286433}\.ba\1036\thm.wxl		text
		MD5:41A70C87923686217CB1814CEBF82FB8	SHA256:E710D9961B5CAE4AB1D94BA49F7112BE4F786019F1B8EA9BBC0EAF70A4DAF58F
6104	wiresock-secure-connect-x64-2.4.16.1.exe	C:\Users\admin\AppData\Local\Temp\{59375F4C-3704-44F3-AAA7-6D92CF286433}\.ba\1036\icon.ico		image
		MD5:8B4CD6BEA65A2FC8E1D5B3C90D989066	SHA256:F7A7AA48644508A9C624F4B9ACDC8D03031BFD45097D93D7AC3337F34300AB6A

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
1268	svchost.exe	GET	200	23.216.77.15:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	POST	200	40.126.32.72:443	https://login.live.com/RST2.srf	unknown	xml	1.24 Kb	whitelisted
—	—	GET	200	23.216.77.15:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5944	MoUsoCoreWorker.exe	GET	200	23.216.77.15:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
1268	svchost.exe	GET	200	69.192.161.161:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	200	69.192.161.161:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	POST	400	40.126.32.72:443	https://login.live.com/ppsecure/deviceaddcredential.srf	unknown	text	203 b	whitelisted
5944	MoUsoCoreWorker.exe	GET	200	69.192.161.161:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	POST	200	40.126.32.76:443	https://login.live.com/ppsecure/deviceaddcredential.srf	unknown	text	16.7 Kb	whitelisted
—	—	GET	200	150.171.22.17:443	https://config.edge.skype.com/config/v1/Edge/133.0.3065.92?clientId=4489578223053569932&agents=EdgeFirstRun%2CEdgeFirstRunConfig&osname=win&client=edge&channel=stable&scpfre=0&osarch=x86_64&osver=10.0.19045&wu=1&devicefamily=desktop&uma=0&sessionid=51&mngd=0&installdate=1661339457&edu=0&soobedate=1504771245&bphint=2&fg=1&lbfgdate=1754160630&lafgdate=0	unknown	binary	1.47 Kb	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
1268	svchost.exe	23.216.77.15:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
5944	MoUsoCoreWorker.exe	23.216.77.15:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
—	—	23.216.77.15:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
1268	svchost.exe	69.192.161.161:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
5944	MoUsoCoreWorker.exe	69.192.161.161:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
—	—	69.192.161.161:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
—	—	20.190.160.65:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	51.124.78.146	whitelisted
crl.microsoft.com	23.216.77.15 23.216.77.18 23.216.77.27 23.216.77.32 23.216.77.19 23.216.77.16 23.216.77.30 23.216.77.28 23.216.77.13 23.216.77.17 23.216.77.29 23.216.77.21 23.216.77.23 23.216.77.22	whitelisted
google.com	142.250.184.238	whitelisted
www.microsoft.com	69.192.161.161 95.101.149.131	whitelisted
login.live.com	20.190.160.65 40.126.32.74 20.190.160.66 40.126.32.76 20.190.160.20 20.190.160.64 40.126.32.138 40.126.32.136	whitelisted
edge.microsoft.com	150.171.27.11 150.171.28.11	whitelisted
config.edge.skype.com	150.171.22.17	whitelisted
www.wiresock.net	104.21.16.1 104.21.64.1 104.21.112.1 104.21.32.1 104.21.96.1 104.21.48.1 104.21.80.1	unknown
copilot.microsoft.com	92.123.104.53 92.123.104.45	whitelisted
www.bing.com	2.16.241.218 2.16.241.205 92.123.104.58 92.123.104.62 92.123.104.53 92.123.104.5 92.123.104.66 92.123.104.63 92.123.104.65 92.123.104.67 92.123.104.61	whitelisted

PID	Process	Class	Message
4232	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
4232	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
4232	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
4232	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
—	—	Potentially Bad Traffic	ET INFO Possible Chrome Plugin install

General Info

wiresock-secure-connect-x64-2.4.16.1.exe

638EA7AAFE99D91B68B5C59566FE8D7C

9A2BC744327C67714F18269B99FE2B1E2030F927

E41C36C2ECF2B6FE1891BCC112CAB04F189F7D21AE3E5779171E3EA8D71BB448

98304:9lvKAhyEGqiunoagsOGfkXp69A0+mo/x8Mo50VQ6yRZBN4+oJFPfMwhCHZHPeNBl:jVSZ0VFFPzez

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SUSPICIOUS

Executable content was dropped or overwritten

Process drops legitimate windows executable

There is functionality for taking screenshot (YARA)

Searches for installed software

INFO

The sample compiled with english language support

Create files in a temporary directory

Checks supported languages

Application launched itself

Reads the computer name

Manual execution by a user

Reads Environment values

Checks proxy server information

Reads the software policy settings

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings