File name: Patch_UT.47196.exe

Full analysis: https://app.any.run/tasks/6d49e709-9fee-4eb3-b425-fe6423083bbd
Verdict: Malicious activity
Threats:

Stealers are a group of malicious programs intended to gain unauthorized access to users' information and transfer it to the attacker. The stealer category covers various types of programs, each focused on its own kind of data, including files, passwords, and cryptocurrency. Stealers can also spy on their targets by recording keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: July 29, 2025, 20:01:54
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
evasion
arch-doc
stealer
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 10 sections
MD5: 16AABE65DA066BB16B43DA51DB3A6DF9
SHA1: 112CB4BD22C20262AF6EB605FF36F4520CBB75A4
SHA256: 2652224F42F954094C971F6AD03CE69BADB4201240BB358985ECE341A4A51490
SSDEEP: 196608:Id9CPOyfbnjPk/AdNbwsRLrFAm8+8HEiYnyfMga:IfCPOyTnjRfAm83HEi2fj

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Actions look like stealing of personal data

      • wzone.exe (PID: 6216)
      • cmd.exe (PID: 828)
      • wzone.exe (PID: 1508)
    • Steals credentials from Web Browsers

      • wzone.exe (PID: 6216)
      • cmd.exe (PID: 828)
      • wzone.exe (PID: 1508)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • Patch_UT.47196.exe (PID: 2028)
    • Checks for external IP

      • svchost.exe (PID: 2200)
      • curl.exe (PID: 1352)
      • curl.exe (PID: 4944)
    • Drops 7-zip archiver for unpacking

      • Patch_UT.47196.exe (PID: 2028)
    • The executable file from the user directory is run by the CMD process

      • wzone.exe (PID: 6216)
      • wzone.exe (PID: 1508)
    • Reads security settings of Internet Explorer

      • wzone.exe (PID: 6216)
      • wzone.exe (PID: 1508)
    • Reads the date of Windows installation

      • wzone.exe (PID: 6216)
      • wzone.exe (PID: 1508)
    • Starts CMD.EXE for commands execution

      • wzone.exe (PID: 6216)
    • Runs PING.EXE to delay simulation

      • cmd.exe (PID: 828)
    • Executing commands from ".cmd" file

      • wzone.exe (PID: 6216)
    • Connects to unusual port

      • Windows Driver Foundation (WDF).exe (PID: 6388)
  • INFO

    • The sample was compiled with English language support

      • Patch_UT.47196.exe (PID: 2028)
    • Reads the computer name

      • curl.exe (PID: 4944)
      • curl.exe (PID: 1352)
      • wzone.exe (PID: 6216)
      • wzone.exe (PID: 1508)
      • Windows Driver Foundation (WDF).exe (PID: 6388)
    • Checks supported languages

      • curl.exe (PID: 4944)
      • curl.exe (PID: 1352)
      • wzone.exe (PID: 6216)
      • wzone.exe (PID: 1508)
      • Windows Driver Foundation (WDF).exe (PID: 6388)
    • Manual execution by a user

      • notepad.exe (PID: 2220)
      • notepad.exe (PID: 5576)
      • notepad.exe (PID: 2596)
      • notepad.exe (PID: 2076)
      • notepad.exe (PID: 6392)
      • notepad.exe (PID: 4040)
      • notepad.exe (PID: 1352)
      • notepad.exe (PID: 3028)
      • notepad.exe (PID: 1096)
      • notepad.exe (PID: 1668)
    • Reads security settings of Internet Explorer

      • notepad.exe (PID: 5576)
      • notepad.exe (PID: 2220)
      • notepad.exe (PID: 2596)
      • notepad.exe (PID: 4040)
      • notepad.exe (PID: 2076)
      • notepad.exe (PID: 1352)
      • notepad.exe (PID: 3028)
      • notepad.exe (PID: 6392)
      • notepad.exe (PID: 1096)
      • notepad.exe (PID: 1668)
    • Process checks computer location settings

      • wzone.exe (PID: 6216)
      • wzone.exe (PID: 1508)
    • Creates files or folders in the user directory

      • Windows Driver Foundation (WDF).exe (PID: 6388)
    • Reads the software policy settings

      • slui.exe (PID: 6508)
    • Checks proxy server information

      • slui.exe (PID: 6508)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.scr | Windows screen saver (76.4)
.exe | Generic Win/DOS Executable (11.6)
.exe | DOS Executable Generic (11.6)
.vxd | VXD Driver (0.1)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2021:08:23 03:54:50+00:00
ImageFileCharacteristics: No relocs, Executable, Large address aware
PEType: PE32+
LinkerVersion: 8
CodeSize: 379904
InitializedDataSize: 159232
UninitializedDataSize: -
EntryPoint: 0x5d1a0
OSVersion: 5.2
ImageVersion: 5.2
SubsystemVersion: 5.2
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes: 214
Monitored processes: 23
Malicious processes: 5
Suspicious processes: 0

Behavior graph

start patch_ut.47196.exe curl.exe svchost.exe curl.exe notepad.exe no specs notepad.exe no specs wzone.exe no specs notepad.exe no specs cmd.exe conhost.exe no specs ping.exe no specs notepad.exe no specs notepad.exe no specs notepad.exe no specs notepad.exe no specs notepad.exe no specs notepad.exe no specs notepad.exe no specs slui.exe wzone.exe ping.exe no specs windows driver foundation (wdf).exe patch_ut.47196.exe no specs

Process information

Columns: PID, CMD, Path, Indicators, Parent process
PID: 828
CMD: C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\google\chrome\user data\wtime.cmd" wlocale.cmd"
Path: C:\Windows\System32\cmd.exe
Parent process: wzone.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
PID: 1096
CMD: "C:\WINDOWS\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\Estonian!et.txt
Path: C:\Windows\System32\notepad.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Notepad
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
PID: 1352
CMD: curl https://ipinfo.io/ip -k
Path: C:\Windows\System32\curl.exe
Parent process: cmd.exe
User: admin
Company: curl, https://curl.se/
Integrity Level: HIGH
Description: The curl executable
Exit code: 0
Version: 8.4.0
Modules (Images):
c:\windows\system32\curl.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\ucrtbase.dll
PID: 1352
CMD: "C:\WINDOWS\system32\NOTEPAD.EXE" "C:\Users\admin\Desktop\Norwegian (Bokmal)!nb.txt"
Path: C:\Windows\System32\notepad.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Notepad
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
PID: 1508
CMD: "C:\Users\admin\AppData\Local\google\chrome\user data\wzone.exe" "C:\Users\admin\AppData\Local\google\chrome\user data\windows driver foundation (wdf).exe" -yr001
Path: C:\Users\admin\AppData\Local\Google\Chrome\User Data\wzone.exe
Parent process: cmd.exe
User: admin
Integrity Level: HIGH
Description: wtime
Exit code: 0
Version: 1.1.0.0
Modules (Images):
c:\users\admin\appdata\local\google\chrome\user data\wzone.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 1668
CMD: "C:\WINDOWS\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\Slovak!sk.txt
Path: C:\Windows\System32\notepad.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Notepad
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
PID: 2028
CMD: "C:\Users\admin\Desktop\Patch_UT.47196.exe"
Path: C:\Users\admin\Desktop\Patch_UT.47196.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Exit code: 0
PID: 2076
CMD: "C:\WINDOWS\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\english.txt
Path: C:\Windows\System32\notepad.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Notepad
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
PID: 2200
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 2220
CMD: "C:\WINDOWS\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\Taiwan!tw.txt
Path: C:\Windows\System32\notepad.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Notepad
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
Total events: 9 120
Read events: 9 119
Write events: 1
Delete events: 0

Modification events

(PID) Process: (1508) wzone.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation: write
Name: SlowContextMenuEntries
Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000
Executable files: 1
Suspicious files: 1
Text files: 5
Unknown types: 0

Dropped files

PID | Process | Filename | Type
2028 | Patch_UT.47196.exe | C:\Users\admin\AppData\Local\Temp\qb18DFBC.2B\uut.7z | -
  MD5: -
  SHA256: -
2028 | Patch_UT.47196.exe | C:\Users\admin\AppData\Local\Temp\CL883LJY.bat | text
  MD5: 85F90D6990A5BCF3B7317D45F6C17FF9
  SHA256: 947E1AAD876335C040DD9EAEA47779131913E66DF317E5AA065DF1FD28B48B0B
2028 | Patch_UT.47196.exe | C:\Users\admin\AppData\Local\Temp\qb18DFBC.2B\pro1.7z | compressed
  MD5: 7EA87965DBB9C8AB00A8A5CCBAC64DE6
  SHA256: 2F6E553E4F484630FBA6899DEF580140F929E3B50B6EEFB1AE4BFBBD3970C6A7
2028 | Patch_UT.47196.exe | C:\Users\admin\AppData\Local\Temp\qb18DFBC.2B\cnf | text
  MD5: 2B9068820BF67D0D7EFC4EC97A92C092
  SHA256: DC6667B72A73166630B99A6CFD982D89814492F3CEF32828E3F32724474AFB3E
6388 | Windows Driver Foundation (WDF).exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\zk.txt | text
  MD5: 677182B8CA901CFCD49868F8CB2A295C
  SHA256: 6F70909696D07BD9A05C1BCCCBF66AC54217A0B48A99D4C022007D5EFFD5D1ED
2028 | Patch_UT.47196.exe | C:\Users\admin\AppData\Local\Temp\qb18DFBC.2B\7z2201.exe | executable
  MD5: 734E95CDBE04F53FE7C28EEAAAAD7327
  SHA256: 8C8FBCF80F0484B48A07BD20E512B103969992DBF81B6588832B08205E3A1B43
828 | cmd.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\r01.txt | text
  MD5: CE585C6BA32AC17652D2345118536F9C
  SHA256: 589C942E748EA16DC86923C4391092707CE22315EB01CB85B0988C6762AA0ED3
6388 | Windows Driver Foundation (WDF).exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\zi.txt | text
  MD5: 28250E53213D167C8216C0B16A62A4A5
  SHA256: 5A22F7BADD0D343C26E8697549A975A27A141AA69D8AAC8CFB697E2172894D2A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 49
TCP/UDP connections: 1 324
DNS requests: 31
Threats: 11

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1268 | svchost.exe | GET | 200 | 23.216.77.11:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.216.77.11:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
684 | RUXIMICS.exe | GET | 200 | 23.216.77.11:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 23.32.97.216:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
684 | RUXIMICS.exe | GET | 200 | 23.32.97.216:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.32.97.216:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | POST | 200 | 40.126.31.128:443 | https://login.live.com/RST2.srf | unknown | xml | 1.24 Kb | whitelisted
- | - | POST | 400 | 20.190.160.14:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted
- | - | POST | 400 | 20.190.160.5:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted
- | - | POST | 400 | 40.126.32.72:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
1268 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
684 | RUXIMICS.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1268 | svchost.exe | 23.216.77.11:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 23.216.77.11:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
684 | RUXIMICS.exe | 23.216.77.11:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1268 | svchost.exe | 23.32.97.216:80 | www.microsoft.com | AKAMAI-AS | SE | whitelisted
684 | RUXIMICS.exe | 23.32.97.216:80 | www.microsoft.com | AKAMAI-AS | SE | whitelisted

DNS requests

Domain (Reputation): resolved IPs
settings-win.data.microsoft.com (whitelisted)
  • 51.124.78.146
  • 40.127.240.158
google.com (whitelisted)
  • 142.250.185.238
crl.microsoft.com (whitelisted)
  • 23.216.77.11
  • 23.216.77.14
  • 23.216.77.9
  • 23.216.77.38
  • 23.216.77.30
  • 23.216.77.5
  • 23.216.77.13
  • 23.216.77.21
  • 23.216.77.26
  • 23.216.77.6
  • 23.216.77.22
  • 23.216.77.18
  • 23.216.77.12
  • 23.216.77.20
  • 23.216.77.10
www.microsoft.com (whitelisted)
  • 23.32.97.216
login.live.com (whitelisted)
  • 40.126.31.128
  • 20.190.159.4
  • 40.126.31.2
  • 20.190.159.131
  • 20.190.159.68
  • 20.190.159.130
  • 20.190.159.128
  • 20.190.159.64
ipinfo.io (whitelisted)
  • 34.117.59.81
fasttaxi8858.com (unknown)
  • 45.84.205.107
c.yaridata.com (unknown)
  • 141.136.39.211
z.yaridata.com (unknown)
  • 141.136.39.211
slscr.update.microsoft.com (whitelisted)
  • 20.109.210.53

Threats

PID | Process | Class | Message
- | - | Device Retrieving External IP Address Detected | ET INFO External IP Lookup SSL Cert Observed (ipinfo .io)
- | - | Device Retrieving External IP Address Detected | ET INFO Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
- | - | Device Retrieving External IP Address Detected | ET INFO External IP Lookup Domain in DNS Lookup (ipinfo .io)
- | - | Device Retrieving External IP Address Detected | ET INFO External IP Lookup ipinfo.io
- | - | Device Retrieving External IP Address Detected | SUSPICIOUS [ANY.RUN] An IP address was received from the server as a result of an HTTP request
- | - | Device Retrieving External IP Address Detected | ET INFO Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
- | - | Device Retrieving External IP Address Detected | ET INFO External IP Lookup SSL Cert Observed (ipinfo .io)
- | - | Device Retrieving External IP Address Detected | ET INFO External IP Lookup ipinfo.io
- | - | Device Retrieving External IP Address Detected | ET INFO External IP Lookup ipinfo.io
- | - | Device Retrieving External IP Address Detected | SUSPICIOUS [ANY.RUN] An IP address was received from the server as a result of an HTTP request
No debug info