File name:

patcher.exe

Full analysis: https://app.any.run/tasks/35c03538-c044-4269-97f6-81a527a82b0a
Verdict: Malicious activity
Threats:

RedLine Stealer is a malicious program that collects users’ confidential data from browsers, systems, and installed software. It also infects operating systems with other malware.

Malware Trends Tracker     >>>
Analysis date: May 13, 2025, 17:31:13
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
redline
stealer
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5:

3A078E7E923AFDD0163DA0C27B34D755

SHA1:

456885A4DF49B7D35F174A51CCAA614512573B68

SHA256:

2F1A7A8FEC3CC5F3A70D26126C13065E2A99EFCAFBC9A372D6EC4E2AB0C20266

SSDEEP:

6144:XLC5YqofbkN7MF0blylmkXLKne6Tv/33in+:25Y3fbkN7k0blylmSLKne6Tv/3yn+

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • REDLINE has been detected (YARA)

      • patcher.exe (PID: 6744)

  • SUSPICIOUS

    • Application launched itself

      • patcher.exe (PID: 5392)

    • Executes application which crashes

      • patcher.exe (PID: 6744)

    • Multiple wallet extension IDs have been found

      • patcher.exe (PID: 6744)

  • INFO

    • Checks supported languages

      • patcher.exe (PID: 5392)

    • Creates files or folders in the user directory

      • WerFault.exe (PID: 4180)

    • Reads the machine GUID from the registry

      • patcher.exe (PID: 5392)

    • Reads the computer name

      • patcher.exe (PID: 5392)

    • Create files in a temporary directory

      • WerFault.exe (PID: 4180)

    • Checks proxy server information

      • slui.exe (PID: 1040)

    • Reads the software policy settings

      • slui.exe (PID: 1040)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

RedLine

(PID) Process(6744) patcher.exe
C2 (1)ierinapu.xyz:80
Botnet@activewate
Options
ErrorMessage
Keys
XorLianes
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (62)
.exe | Win64 Executable (generic) (23.3)
.dll | Win32 Dynamic Link Library (generic) (5.5)
.exe | Win32 Executable (generic) (3.8)
.exe | Win16/32 Executable Delphi generic (1.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2077:06:23 09:24:30+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 48
CodeSize: 363520
InitializedDataSize: 2048
UninitializedDataSize: -
EntryPoint: 0x5abfa
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows command line
FileVersionNumber: 0.0.0.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
FileDescription:
FileVersion: 0.0.0.0
InternalName: Monochord.exe
LegalCopyright:
OriginalFileName: Monochord.exe
ProductVersion: 0.0.0.0
AssemblyVersion: 0.0.0.0
No data.
screenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
134
Monitored processes
6
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start patcher.exe conhost.exe no specs #REDLINE patcher.exe werfault.exe no specs slui.exe patcher.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1040C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
1804\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepatcher.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
4180C:\WINDOWS\SysWOW64\WerFault.exe -u -p 6744 -s 12C:\Windows\SysWOW64\WerFault.exepatcher.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
5332"C:\Users\admin\Desktop\patcher.exe" C:\Users\admin\Desktop\patcher.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Exit code:
3221226540
Version:
0.0.0.0
5392"C:\Users\admin\Desktop\patcher.exe" C:\Users\admin\Desktop\patcher.exe
explorer.exe
User:
admin
Integrity Level:
HIGH
Description:
Exit code:
0
Version:
0.0.0.0
6744C:\Users\admin\Desktop\patcher.exeC:\Users\admin\Desktop\patcher.exe
patcher.exe
User:
admin
Integrity Level:
HIGH
Description:
Exit code:
3221225477
Version:
0.0.0.0
RedLine
(PID) Process(6744) patcher.exe
C2 (1)ierinapu.xyz:80
Botnet@activewate
Options
ErrorMessage
Keys
XorLianes
Total events
0
Read events
0
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
3
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
4180WerFault.exeC:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_bad_module_info_dcd3242e9fa4189184df4216daa4e4c7cdf1959_85207d7d_d244ee56-a4da-4c8e-8f12-950bb7a6cc88\Report.wer
MD5:
SHA256:
4180WerFault.exeC:\Users\admin\AppData\Local\Temp\WERD719.tmp.WERDataCollectionStatus.txtbinary
MD5:8C4C579F9A54D0A1FF1DAB0DC7111B39
SHA256:D68A5F68F5E61746D34A529CCFA5DFBFBBFA8737AD1EA98580039AB79E874331
4180WerFault.exeC:\Windows\appcompat\Programs\Amcache.hvebinary
MD5:DAE46E6EBD7C832EB4DB00ECEE9A6BE9
SHA256:8060F72F76819FB2431936AD5B71D54559B3147EA511FEEBBE84F69C13074F8C
4180WerFault.exeC:\ProgramData\Microsoft\Windows\WER\Temp\WERE6E9.tmp.WERInternalMetadata.xmlbinary
MD5:B2997E9E8D22CF5329A977141827DC26
SHA256:6889F95E1C5F5C64770592AF22EC3A5EAA237188101D2100D35E8F67E6E1B48E
4180WerFault.exeC:\ProgramData\Microsoft\Windows\WER\Temp\WERE729.tmp.xmlxml
MD5:C6FB6917462576EA3F1D2008E453B530
SHA256:BB720DAC211EA00AA7EEDBBA51D492128AD46712DFBF86703D311FBDAE8D8428
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
9
TCP/UDP connections
51
DNS requests
16
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2104
svchost.exe
GET
200
2.16.164.99:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
2104
svchost.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4120
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
4120
SIHClient.exe
GET
200
184.24.77.6:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
whitelisted
4120
SIHClient.exe
GET
200
184.24.77.6:80
http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl
unknown
whitelisted
4120
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
4120
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
4120
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
4120
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
2104
svchost.exe
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
2104
svchost.exe
2.16.164.99:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
3216
svchost.exe
172.211.123.250:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
2104
svchost.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
6544
svchost.exe
40.126.32.133:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2104
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2104
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 172.217.16.206
whitelisted
crl.microsoft.com
  • 2.16.164.99
  • 2.16.164.90
  • 2.16.164.98
  • 2.16.164.11
  • 2.16.164.43
  • 184.24.77.6
  • 184.24.77.12
  • 184.24.77.23
  • 184.24.77.42
  • 184.24.77.37
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
login.live.com
  • 40.126.32.133
  • 40.126.32.76
  • 40.126.32.72
  • 40.126.32.136
  • 20.190.160.3
  • 20.190.160.22
  • 20.190.160.20
  • 20.190.160.5
whitelisted
settings-win.data.microsoft.com
  • 51.104.136.2
  • 51.124.78.146
whitelisted
slscr.update.microsoft.com
  • 20.12.23.50
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.242.39.171
whitelisted
activation-v2.sls.microsoft.com
  • 20.83.72.98
whitelisted
nexusrules.officeapps.live.com
  • 52.111.229.43
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
patcher.exe