File name: Winhance.Installer.exe

Full analysis: https://app.any.run/tasks/5a8996dd-3721-46ef-b8b0-1d2b13b80efd
Verdict: Malicious activity
Analysis date: May 30, 2025, 00:23:47
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
delphi
inno
installer
auto-reg
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 11 sections
MD5: DF7DCCD0591E8B59292684D97D768083
SHA1: 3354BE0C312A9D702FAE568A5C54A9912485127F
SHA256: E8070390ADC8196C664F39FF7DFDA0429EE9FF4645D9A17DC4E9C7904A885532
SSDEEP: 786432:mOT+QtmU4DhV9cYKwVazp6VNdBVBBnazB:mOptmU4Dhfct5z8N9BBazB

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • windowsdesktop-runtime-9.0.4-win-x64.exe (PID: 8164)
      • windowsdesktop-runtime-9.0.4-win-x64.exe (PID: 7300)
    • Changes powershell execution policy (Bypass)

      • Winhance.exe (PID: 1012)
    • Bypass execution policy to execute commands

      • powershell.exe (PID: 7604)
      • powershell.exe (PID: 2192)
      • powershell.exe (PID: 7732)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • Winhance.Installer.exe (PID: 7724)
      • Winhance.Installer.exe (PID: 7548)
      • Winhance.Installer.tmp (PID: 7744)
      • windowsdesktop-runtime-9.0.4-win-x64.exe (PID: 8092)
      • windowsdesktop-runtime-9.0.4-win-x64.exe (PID: 8116)
      • windowsdesktop-runtime-9.0.4-win-x64.exe (PID: 8164)
      • windowsdesktop-runtime-9.0.4-win-x64.exe (PID: 5308)
      • Winhance.exe (PID: 1012)
    • Reads the Windows owner or organization settings

      • Winhance.Installer.tmp (PID: 7744)
      • msiexec.exe (PID: 3900)
    • Process drops legitimate windows executable

      • Winhance.Installer.tmp (PID: 7744)
      • windowsdesktop-runtime-9.0.4-win-x64.exe (PID: 8092)
      • windowsdesktop-runtime-9.0.4-win-x64.exe (PID: 8116)
      • windowsdesktop-runtime-9.0.4-win-x64.exe (PID: 8164)
      • msiexec.exe (PID: 3900)
      • Winhance.exe (PID: 1012)
    • Starts a Microsoft application from unusual location

      • windowsdesktop-runtime-9.0.4-win-x64.exe (PID: 8092)
      • windowsdesktop-runtime-9.0.4-win-x64.exe (PID: 8116)
      • windowsdesktop-runtime-9.0.4-win-x64.exe (PID: 8164)
      • DismHost.exe (PID: 8020)
      • DismHost.exe (PID: 8008)
    • Reads security settings of Internet Explorer

      • windowsdesktop-runtime-9.0.4-win-x64.exe (PID: 8116)
      • Winhance.Installer.tmp (PID: 7576)
      • windowsdesktop-runtime-9.0.4-win-x64.exe (PID: 5308)
      • Winhance.exe (PID: 7460)
      • Winhance.exe (PID: 1012)
    • Starts itself from another location

      • windowsdesktop-runtime-9.0.4-win-x64.exe (PID: 8116)
    • Creates a software uninstall entry

      • windowsdesktop-runtime-9.0.4-win-x64.exe (PID: 8164)
      • windowsdesktop-runtime-9.0.4-win-x64.exe (PID: 7300)
    • Application launched itself

      • windowsdesktop-runtime-9.0.4-win-x64.exe (PID: 5324)
      • windowsdesktop-runtime-9.0.4-win-x64.exe (PID: 6632)
      • windowsdesktop-runtime-9.0.4-win-x64.exe (PID: 5308)
      • Winhance.exe (PID: 7460)
    • Searches for installed software

      • windowsdesktop-runtime-9.0.4-win-x64.exe (PID: 5324)
      • windowsdesktop-runtime-9.0.4-win-x64.exe (PID: 5308)
      • windowsdesktop-runtime-9.0.4-win-x64.exe (PID: 8116)
      • Winhance.exe (PID: 1012)
    • The process creates files with name similar to system file names

      • msiexec.exe (PID: 3900)
      • Winhance.exe (PID: 1012)
    • The process drops C-runtime libraries

      • msiexec.exe (PID: 3900)
    • Reads the date of Windows installation

      • Winhance.exe (PID: 7460)
    • Starts POWERSHELL.EXE for commands execution

      • Winhance.exe (PID: 1012)
    • Detected use of alternative data streams (AltDS)

      • Winhance.exe (PID: 1012)
    • The process bypasses the loading of PowerShell profile settings

      • Winhance.exe (PID: 1012)
    • Uses powercfg.exe to modify the power settings

      • Winhance.exe (PID: 1012)
  • INFO

    • Checks supported languages

      • Winhance.Installer.tmp (PID: 7576)
      • Winhance.Installer.exe (PID: 7724)
      • Winhance.Installer.tmp (PID: 7744)
      • windowsdesktop-runtime-9.0.4-win-x64.exe (PID: 8116)
      • windowsdesktop-runtime-9.0.4-win-x64.exe (PID: 8164)
      • Winhance.Installer.exe (PID: 7548)
      • windowsdesktop-runtime-9.0.4-win-x64.exe (PID: 5324)
      • windowsdesktop-runtime-9.0.4-win-x64.exe (PID: 6632)
      • windowsdesktop-runtime-9.0.4-win-x64.exe (PID: 5308)
      • windowsdesktop-runtime-9.0.4-win-x64.exe (PID: 8092)
      • msiexec.exe (PID: 3900)
      • msiexec.exe (PID: 6240)
      • msiexec.exe (PID: 1052)
      • msiexec.exe (PID: 5256)
      • windowsdesktop-runtime-9.0.4-win-x64.exe (PID: 7300)
      • msiexec.exe (PID: 4920)
      • msiexec.exe (PID: 7400)
      • msiexec.exe (PID: 7332)
      • Winhance.exe (PID: 7460)
      • Winhance.exe (PID: 1012)
      • DismHost.exe (PID: 8008)
      • DismHost.exe (PID: 8020)
    • Create files in a temporary directory

      • Winhance.Installer.exe (PID: 7548)
      • Winhance.Installer.tmp (PID: 7744)
      • Winhance.Installer.exe (PID: 7724)
      • windowsdesktop-runtime-9.0.4-win-x64.exe (PID: 8116)
      • windowsdesktop-runtime-9.0.4-win-x64.exe (PID: 5308)
      • windowsdesktop-runtime-9.0.4-win-x64.exe (PID: 8164)
      • Winhance.exe (PID: 1012)
    • Process checks computer location settings

      • Winhance.Installer.tmp (PID: 7576)
      • windowsdesktop-runtime-9.0.4-win-x64.exe (PID: 8116)
      • windowsdesktop-runtime-9.0.4-win-x64.exe (PID: 5308)
      • Winhance.exe (PID: 7460)
      • Winhance.exe (PID: 1012)
    • Reads the computer name

      • Winhance.Installer.tmp (PID: 7576)
      • Winhance.Installer.tmp (PID: 7744)
      • Winhance.Installer.exe (PID: 7724)
      • windowsdesktop-runtime-9.0.4-win-x64.exe (PID: 8092)
      • windowsdesktop-runtime-9.0.4-win-x64.exe (PID: 8164)
      • msiexec.exe (PID: 3900)
      • msiexec.exe (PID: 6240)
      • msiexec.exe (PID: 1052)
      • msiexec.exe (PID: 5256)
      • windowsdesktop-runtime-9.0.4-win-x64.exe (PID: 5308)
      • windowsdesktop-runtime-9.0.4-win-x64.exe (PID: 7300)
      • windowsdesktop-runtime-9.0.4-win-x64.exe (PID: 8116)
      • msiexec.exe (PID: 7332)
      • msiexec.exe (PID: 7400)
      • msiexec.exe (PID: 4920)
      • Winhance.exe (PID: 7460)
      • Winhance.exe (PID: 1012)
      • DismHost.exe (PID: 8008)
      • DismHost.exe (PID: 8020)
    • Detects InnoSetup installer (YARA)

      • Winhance.Installer.exe (PID: 7548)
      • Winhance.Installer.tmp (PID: 7744)
      • Winhance.Installer.tmp (PID: 7576)
      • Winhance.Installer.exe (PID: 7724)
    • Compiled with Borland Delphi (YARA)

      • Winhance.Installer.tmp (PID: 7576)
      • Winhance.Installer.exe (PID: 7724)
      • Winhance.Installer.tmp (PID: 7744)
      • Winhance.Installer.exe (PID: 7548)
    • The sample compiled with english language support

      • Winhance.Installer.tmp (PID: 7744)
      • windowsdesktop-runtime-9.0.4-win-x64.exe (PID: 8092)
      • windowsdesktop-runtime-9.0.4-win-x64.exe (PID: 8116)
      • windowsdesktop-runtime-9.0.4-win-x64.exe (PID: 8164)
      • msiexec.exe (PID: 3900)
      • windowsdesktop-runtime-9.0.4-win-x64.exe (PID: 5308)
      • Winhance.exe (PID: 1012)
    • Launch of the file from Registry key

      • windowsdesktop-runtime-9.0.4-win-x64.exe (PID: 8164)
      • windowsdesktop-runtime-9.0.4-win-x64.exe (PID: 7300)
    • Creates files in the program directory

      • windowsdesktop-runtime-9.0.4-win-x64.exe (PID: 8164)
      • Winhance.Installer.tmp (PID: 7744)
      • Winhance.exe (PID: 7460)
      • Winhance.exe (PID: 1012)
    • Manual execution by a user

      • windowsdesktop-runtime-9.0.4-win-x64.exe (PID: 5324)
    • Reads the machine GUID from the registry

      • windowsdesktop-runtime-9.0.4-win-x64.exe (PID: 8164)
      • msiexec.exe (PID: 3900)
      • windowsdesktop-runtime-9.0.4-win-x64.exe (PID: 7300)
      • Winhance.exe (PID: 1012)
    • Reads the software policy settings

      • msiexec.exe (PID: 3900)
      • Winhance.exe (PID: 1012)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 3900)
    • Creates files or folders in the user directory

      • msiexec.exe (PID: 3900)
      • Winhance.exe (PID: 7460)
      • Winhance.exe (PID: 1012)
    • Creates a software uninstall entry

      • msiexec.exe (PID: 3900)
    • Reads Environment values

      • Winhance.exe (PID: 1012)
      • DismHost.exe (PID: 8008)
      • DismHost.exe (PID: 8020)
    • Reads product name

      • Winhance.exe (PID: 1012)
    • Checks proxy server information

      • Winhance.exe (PID: 1012)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Inno Setup installer (67.7)
.exe | Win32 EXE PECompact compressed (generic) (25.6)
.exe | Win32 Executable (generic) (2.7)
.exe | Win16/32 Executable Delphi generic (1.2)
.exe | Generic Win/DOS Executable (1.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:03:13 06:55:45+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 2.25
CodeSize: 704512
InitializedDataSize: 116224
UninitializedDataSize: -
EntryPoint: 0xacfe0
OSVersion: 6.1
ImageVersion: -
SubsystemVersion: 6.1
Subsystem: Windows GUI
FileVersionNumber: 0.0.0.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName: Marco du Plessis
FileDescription: Winhance Setup
FileVersion:
LegalCopyright:
OriginalFileName:
ProductName: Winhance
ProductVersion: 25.05.28
No data.
All screenshots are available in the full report
Total processes
161
Monitored processes
34
Malicious processes
11
Suspicious processes
3

Behavior graph

Process nodes in graph order, starting from the sample ("no specs" is the report's label for a process with no specific behaviour indicators):
  • winhance.installer.exe
  • winhance.installer.tmp (no specs)
  • winhance.installer.exe
  • winhance.installer.tmp
  • windowsdesktop-runtime-9.0.4-win-x64.exe
  • windowsdesktop-runtime-9.0.4-win-x64.exe
  • windowsdesktop-runtime-9.0.4-win-x64.exe
  • windowsdesktop-runtime-9.0.4-win-x64.exe (no specs)
  • windowsdesktop-runtime-9.0.4-win-x64.exe (no specs)
  • windowsdesktop-runtime-9.0.4-win-x64.exe
  • msiexec.exe
  • msiexec.exe (no specs)
  • msiexec.exe (no specs)
  • msiexec.exe (no specs)
  • windowsdesktop-runtime-9.0.4-win-x64.exe
  • msiexec.exe (no specs)
  • slui.exe
  • msiexec.exe (no specs)
  • msiexec.exe (no specs)
  • winhance.exe (no specs)
  • winhance.exe
  • powershell.exe (no specs)
  • conhost.exe (no specs)
  • dismhost.exe (no specs)
  • tiworker.exe (no specs)
  • dismhost.exe (no specs)
  • powershell.exe (no specs)
  • conhost.exe (no specs)
  • powershell.exe (no specs)
  • conhost.exe (no specs)
  • conhost.exe (no specs)
  • bcdedit.exe (no specs)
  • conhost.exe (no specs)
  • powercfg.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 1012
CMD: "C:\Program Files\Winhance\Winhance.exe"
Path: C:\Program Files\Winhance\Winhance.exe
Parent process: Winhance.exe
User:
admin
Company:
Winhance
Integrity Level:
HIGH
Description:
Winhance
Version:
25.05.28
Modules
Images
c:\program files\winhance\winhance.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
PID: 1052
CMD: C:\Windows\syswow64\MsiExec.exe -Embedding 894CFC3B089CB9EB86AEAF4911FC7590
Path: C:\Windows\SysWOW64\msiexec.exe
Parent process: msiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows® installer
Exit code:
0
Version:
5.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID: 1116
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2192
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Get-AppxPackage -Name '*' | ConvertTo-Json -Depth 5 -Compress"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: Winhance.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID: 3900
CMD: C:\WINDOWS\system32\msiexec.exe /V
Path: C:\Windows\System32\msiexec.exe
Parent process: services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Version:
5.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 4920
CMD: C:\Windows\syswow64\MsiExec.exe -Embedding 3E92591741D3CEF22129A0BAD3995D26
Path: C:\Windows\SysWOW64\msiexec.exe
Parent process: msiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows® installer
Exit code:
0
Version:
5.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID: 5256
CMD: C:\Windows\syswow64\MsiExec.exe -Embedding 500B8AB9F8360B986B6D47B8E754FBA7
Path: C:\Windows\SysWOW64\msiexec.exe
Parent process: msiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows® installer
Exit code:
0
Version:
5.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID: 5308
CMD: "C:\ProgramData\Package Cache\{60b3bad7-1da1-4082-8348-dbac77899742}\windowsdesktop-runtime-9.0.4-win-x64.exe" -burn.clean.room="C:\ProgramData\Package Cache\{60b3bad7-1da1-4082-8348-dbac77899742}\windowsdesktop-runtime-9.0.4-win-x64.exe" -burn.filehandle.attached=524 -burn.filehandle.self=552 /quiet /norestart /burn.log.append "C:\Users\admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_9.0.4_(x64)_20250530002451.log" /install
Path: C:\ProgramData\Package Cache\{60b3bad7-1da1-4082-8348-dbac77899742}\windowsdesktop-runtime-9.0.4-win-x64.exe
Parent process: windowsdesktop-runtime-9.0.4-win-x64.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Windows Desktop Runtime - 9.0.4 (x64)
Exit code:
0
Version:
9.0.4.34714
Modules
Images
c:\programdata\package cache\{60b3bad7-1da1-4082-8348-dbac77899742}\windowsdesktop-runtime-9.0.4-win-x64.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID: 5324
CMD: "C:\ProgramData\Package Cache\{60b3bad7-1da1-4082-8348-dbac77899742}\windowsdesktop-runtime-9.0.4-win-x64.exe" /burn.runonce
Path: C:\ProgramData\Package Cache\{60b3bad7-1da1-4082-8348-dbac77899742}\windowsdesktop-runtime-9.0.4-win-x64.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Windows Desktop Runtime - 9.0.4 (x64)
Exit code:
0
Version:
9.0.4.34714
Modules
Images
c:\programdata\package cache\{60b3bad7-1da1-4082-8348-dbac77899742}\windowsdesktop-runtime-9.0.4-win-x64.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID: 5720
CMD: "C:\WINDOWS\system32\bcdedit.exe" -noninteractive /enum -encodedCommand YwB1AHIAcgBlAG4AdAA= -inputFormat xml -outputFormat xml
Path: C:\Windows\System32\bcdedit.exe
Parent process: Winhance.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Boot Configuration Data Editor
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\bcdedit.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\cryptsp.dll
Total events
89 839
Read events
88 851
Write events
908
Delete events
80

Modification events

(PID) Process: (8164) windowsdesktop-runtime-9.0.4-win-x64.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60b3bad7-1da1-4082-8348-dbac77899742}
Operation: write
Name: BundleCachePath
Value: C:\ProgramData\Package Cache\{60b3bad7-1da1-4082-8348-dbac77899742}\windowsdesktop-runtime-9.0.4-win-x64.exe

(PID) Process: (8164) windowsdesktop-runtime-9.0.4-win-x64.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60b3bad7-1da1-4082-8348-dbac77899742}
Operation: write
Name: BundleUpgradeCode
Value: {914D2DAF-52FC-588C-CF9F-F9402797CB58}

(PID) Process: (8164) windowsdesktop-runtime-9.0.4-win-x64.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60b3bad7-1da1-4082-8348-dbac77899742}
Operation: write
Name: BundleAddonCode
Value:

(PID) Process: (8164) windowsdesktop-runtime-9.0.4-win-x64.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60b3bad7-1da1-4082-8348-dbac77899742}
Operation: write
Name: BundleDetectCode
Value:

(PID) Process: (8164) windowsdesktop-runtime-9.0.4-win-x64.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60b3bad7-1da1-4082-8348-dbac77899742}
Operation: write
Name: BundlePatchCode
Value:

(PID) Process: (8164) windowsdesktop-runtime-9.0.4-win-x64.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60b3bad7-1da1-4082-8348-dbac77899742}
Operation: write
Name: BundleVersion
Value: 9.0.4.34714

(PID) Process: (8164) windowsdesktop-runtime-9.0.4-win-x64.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60b3bad7-1da1-4082-8348-dbac77899742}
Operation: write
Name: VersionMajor
Value: 9

(PID) Process: (8164) windowsdesktop-runtime-9.0.4-win-x64.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60b3bad7-1da1-4082-8348-dbac77899742}
Operation: write
Name: VersionMinor
Value: 0

(PID) Process: (8164) windowsdesktop-runtime-9.0.4-win-x64.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60b3bad7-1da1-4082-8348-dbac77899742}
Operation: write
Name: BundleProviderKey
Value: {60b3bad7-1da1-4082-8348-dbac77899742}

(PID) Process: (8164) windowsdesktop-runtime-9.0.4-win-x64.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60b3bad7-1da1-4082-8348-dbac77899742}
Operation: write
Name: BundleTag
Value:

Executable files
899
Suspicious files
117
Text files
92
Unknown types
0

Dropped files

PID | Process | Filename | Type
7548 | Winhance.Installer.exe | C:\Users\admin\AppData\Local\Temp\is-J0I9P.tmp\Winhance.Installer.tmp | executable
MD5: 85DB4A3987BD547537DA90FED027CDBA
SHA256: FCA557042A428DE193055CE6053F5E0359887BD3D27D32F7507766C6A7EDE31D
7744 | Winhance.Installer.tmp | C:\Users\admin\AppData\Local\Temp\is-5CIE2.tmp\_isetup\_setup64.tmp | executable
MD5: E4211D6D009757C078A9FAC7FF4F03D4
SHA256: 388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
7744 | Winhance.Installer.tmp | C:\Program Files\Winhance\is-KDS4A.tmp | executable
MD5: 702A65CAB62C8118B24C836AFDA9A328
SHA256: 80EAFB52D82FEC356050D0A724B0AB8D362D15A7FAC04B2C909EF1F8F4500E8B
7744 | Winhance.Installer.tmp | C:\Program Files\Winhance\is-NGSJR.tmp | executable
MD5: BD10C9C6D4C1263DF00D6D40CFBECAA7
SHA256: 5AB258C4F6EB701FDA9E6F19576AB8FFD6A39B94AA4AFFF9F70D496368FE9398
7744 | Winhance.Installer.tmp | C:\Program Files\Winhance\is-RF6NV.tmp | executable
MD5: 3D0B68C2F1F02B870DAD843394F437D0
SHA256: FCF90B3DAFD52078055F4B5A923E5C270DCCA0F3E4C4C5452C27C2E2463ACE74
7744 | Winhance.Installer.tmp | C:\Program Files\Winhance\Markdig.Signed.dll | executable
MD5: E74C55AB49608022A9D864A02316A6DC
SHA256: A094D314A6903C005AA0CC4E792C85B042730AD01387B2B24E54DB863684DA6F
7744 | Winhance.Installer.tmp | C:\Program Files\Winhance\is-P6OCO.tmp | executable
MD5: 27C660A3C19C3E22E06409E66D5E0E03
SHA256: FCA90E940D00F862AA27B151F4145981346AA8C301468B20BD74C81058C6DC47
7744 | Winhance.Installer.tmp | C:\Program Files\Winhance\CommunityToolkit.Mvvm.dll | executable
MD5: FD670F412739CB8B5C027FD9A1932758
SHA256: 7D7EB5C066CFE883B439B1200BF5DCB387B1E5319DD2EDBDAA9E23ADFE416452
7744 | Winhance.Installer.tmp | C:\Program Files\Winhance\Json.More.dll | executable
MD5: F2B8977D4F1EFF02650BB22702A9BE95
SHA256: 9F294EC27D2EB516D24551926C9625393D88B06F26C657C3C7B6C8E9E59C27D0
7744 | Winhance.Installer.tmp | C:\Program Files\Winhance\JsonSchema.Net.dll | executable
MD5: 27C660A3C19C3E22E06409E66D5E0E03
SHA256: FCA90E940D00F862AA27B151F4145981346AA8C301468B20BD74C81058C6DC47
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
47
TCP/UDP connections
56
DNS requests
26
Threats
0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
- | - | GET | 200 | 2.20.245.139:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
- | - | POST | 200 | 40.126.32.136:443 | https://login.live.com/RST2.srf | unknown | xml | 1.24 Kb | whitelisted
- | - | POST | 400 | 40.126.32.72:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted
- | - | POST | 400 | 20.190.160.17:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted
- | - | POST | 400 | 20.190.160.4:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted
- | - | POST | 400 | 20.190.160.3:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted
- | - | POST | 400 | 40.126.32.136:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted
- | - | GET | 200 | 23.219.150.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
7872 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 20.3.187.198:443 | https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping | unknown | - | - | -

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 2.20.245.139:80 | crl.microsoft.com | Akamai International B.V. | SE | whitelisted
- | - | 23.219.150.101:80 | www.microsoft.com | AKAMAI-AS | CL | whitelisted
- | - | 20.190.160.128:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 172.211.123.249:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
- | - | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
6544 | svchost.exe | 20.190.160.128:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2104 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 20.73.194.208
  • 40.127.240.158
whitelisted
google.com
  • 142.250.186.78
whitelisted
crl.microsoft.com
  • 2.20.245.139
  • 2.20.245.137
  • 23.216.77.28
  • 23.216.77.6
  • 2.16.168.12
  • 2.16.168.11
whitelisted
www.microsoft.com
  • 23.219.150.101
  • 23.35.229.160
  • 2.23.246.101
whitelisted
login.live.com
  • 20.190.160.128
  • 20.190.160.130
  • 20.190.160.2
  • 40.126.32.74
  • 40.126.32.76
  • 40.126.32.140
  • 20.190.160.5
  • 40.126.32.133
whitelisted
client.wns.windows.com
  • 172.211.123.249
  • 172.211.123.248
whitelisted
slscr.update.microsoft.com
  • 20.12.23.50
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.3.187.198
whitelisted
activation-v2.sls.microsoft.com
  • 20.83.72.98
whitelisted
nexusrules.officeapps.live.com
  • 52.111.227.13
whitelisted

Threats

No threats detected
No debug info