Malware analysis /brunolee-GIT/W3M0dP4tch32/releases/download/v1.2.5/v1.2.5.INSTALLER.zip Malicious activity

Add for printing

download:	/brunolee-GIT/W3M0dP4tch32/releases/download/v1.2.5/v1.2.5.INSTALLER.zip
Full analysis:	https://app.any.run/tasks/c18c40f2-fdde-4dfd-86d9-8281b79f8ef1
Verdict:	Malicious activity
Analysis date:	March 13, 2025, 18:31:04
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	github arch-exec arch-scr delphi inno installer
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v2.0 to extract, compression method=deflate
MD5:	54F08D8813F9222CE1844456F8B2F2CA
SHA1:	682DF8ABD664E0DAA167E7538C5D834261233425
SHA256:	314A74A443DFAD1CFC6EF472656C45377D56BB0BCBB62E12D5DE219BDE4949F0
SSDEEP:	98304:pFJaN/xTinJkY0SOQRYETkyywjuLftNu9pHVRR7SEbDax89dePzi6AwScZBnRoSy:Y0u+R

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 180 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 120 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Opens a text file (SCRIPT)
  - mshta.exe (PID: 5232)
  - mshta.exe (PID: 7592)
- Checks whether a specified folder exists (SCRIPT)
  - mshta.exe (PID: 5232)
  - mshta.exe (PID: 7592)
SUSPICIOUS
- Reads security settings of Internet Explorer
  - WeModPatcher v1.2.5 Installer.tmp (PID: 7448)
- Executable content was dropped or overwritten
  - WeModPatcher v1.2.5 Installer.exe (PID: 7428)
  - WeModPatcher v1.2.5 Installer.exe (PID: 7584)
  - WeModPatcher v1.2.5 Installer.tmp (PID: 7672)
- Reads the Windows owner or organization settings
  - WeModPatcher v1.2.5 Installer.tmp (PID: 7672)
- Starts CMD.EXE for commands execution
  - cmd.exe (PID: 7992)
  - powershell.exe (PID: 5008)
  - cmd.exe (PID: 1532)
- Execution of CURL command
  - cmd.exe (PID: 7992)
  - cmd.exe (PID: 1532)
- Starts NET.EXE to display or manage information about active sessions
  - cmd.exe (PID: 7992)
  - net.exe (PID: 7200)
  - net.exe (PID: 7864)
  - cmd.exe (PID: 1532)
- Starts POWERSHELL.EXE for commands execution
  - cmd.exe (PID: 6988)
  - cmd.exe (PID: 7992)
  - cmd.exe (PID: 7280)
  - cmd.exe (PID: 1532)
  - cmd.exe (PID: 3896)
  - cmd.exe (PID: 7448)
  - cmd.exe (PID: 6652)
  - cmd.exe (PID: 7148)
  - cmd.exe (PID: 7656)
  - cmd.exe (PID: 7292)
  - cmd.exe (PID: 6132)
  - cmd.exe (PID: 5776)
  - cmd.exe (PID: 8036)
  - cmd.exe (PID: 728)
- Executing commands from a ".bat" file
  - powershell.exe (PID: 5008)
- Drops 7-zip archiver for unpacking
  - WeModPatcher v1.2.5 Installer.tmp (PID: 7672)
- Application launched itself
  - cmd.exe (PID: 7992)
  - cmd.exe (PID: 1532)
  - mshta.exe (PID: 2240)
- Get information on the list of running processes
  - cmd.exe (PID: 3896)
  - cmd.exe (PID: 1532)
  - cmd.exe (PID: 4164)
  - cmd.exe (PID: 8036)
- Starts application with an unusual extension
  - cmd.exe (PID: 1532)
  - cmd.exe (PID: 7476)
- Executes application which crashes
  - mshta.exe (PID: 7800)
  - mshta.exe (PID: 680)
  - mshta.exe (PID: 5408)
  - mshta.exe (PID: 5232)
  - mshta.exe (PID: 7592)
- Creates FileSystem object to access computer's file system (SCRIPT)
  - mshta.exe (PID: 7800)
  - mshta.exe (PID: 2240)
  - mshta.exe (PID: 680)
  - mshta.exe (PID: 5408)
  - mshta.exe (PID: 5232)
  - mshta.exe (PID: 7592)
- Writes binary data to a Stream object (SCRIPT)
  - mshta.exe (PID: 2240)
- Checks whether a specific file exists (SCRIPT)
  - mshta.exe (PID: 2240)
  - mshta.exe (PID: 7592)
  - mshta.exe (PID: 5232)
- Reads data from a binary Stream object (SCRIPT)
  - mshta.exe (PID: 5232)
  - mshta.exe (PID: 7592)
- Runs shell command (SCRIPT)
  - mshta.exe (PID: 2240)
INFO
- Manual execution by a user
  - WeModPatcher v1.2.5 Installer.exe (PID: 7428)
  - cmd.exe (PID: 7992)
  - mshta.exe (PID: 2240)
  - notepad++.exe (PID: 660)
  - mshta.exe (PID: 7592)
- Reads the computer name
  - WeModPatcher v1.2.5 Installer.tmp (PID: 7448)
  - WeModPatcher v1.2.5 Installer.tmp (PID: 7672)
- Executable content was dropped or overwritten
  - WinRAR.exe (PID: 1852)
- Create files in a temporary directory
  - WeModPatcher v1.2.5 Installer.exe (PID: 7428)
  - WeModPatcher v1.2.5 Installer.tmp (PID: 7672)
- Checks supported languages
  - WeModPatcher v1.2.5 Installer.tmp (PID: 7448)
  - WeModPatcher v1.2.5 Installer.exe (PID: 7428)
  - WeModPatcher v1.2.5 Installer.exe (PID: 7584)
  - WeModPatcher v1.2.5 Installer.tmp (PID: 7672)
- Process checks computer location settings
  - WeModPatcher v1.2.5 Installer.tmp (PID: 7448)
- Creates files or folders in the user directory
  - BackgroundTransferHost.exe (PID: 5116)
- Creates files in the program directory
  - WeModPatcher v1.2.5 Installer.tmp (PID: 7672)
  - cmd.exe (PID: 1532)
- Detects InnoSetup installer (YARA)
  - WeModPatcher v1.2.5 Installer.exe (PID: 7428)
- Compiled with Borland Delphi (YARA)
  - WeModPatcher v1.2.5 Installer.exe (PID: 7428)
- Execution of CURL command
  - cmd.exe (PID: 8132)
  - cmd.exe (PID: 2392)
- The sample compiled with english language support
  - WeModPatcher v1.2.5 Installer.tmp (PID: 7672)
- Changes the display of characters in the console
  - cmd.exe (PID: 7476)
  - cmd.exe (PID: 1532)
- Starts MODE.COM to configure console settings
  - mode.com (PID: 5416)
- Gets data length (POWERSHELL)
  - powershell.exe (PID: 5116)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.zip	\|	ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion:	20
ZipBitFlag:	-
ZipCompression:	Deflated
ZipModifyDate:	2024:10:12 22:26:28
ZipCRC:	0xba710529
ZipCompressedSize:	3023157
ZipUncompressedSize:	3887861
ZipFileName:	WeModPatcher v1.2.5 Installer.exe

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

236

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

660

"C:\Program Files\Notepad++\notepad++.exe" "C:\Program Files (x86)\WeModPatcher\Options.hta"

C:\Program Files\Notepad++\notepad++.exe

—

explorer.exe

User:

admin

Company:

Don HO don.h@free.fr

Integrity Level:

MEDIUM

Description:

Notepad++ : a free (GNU) source code editor

Version:

7.91

Modules

Images
c:\program files\notepad++\notepad++.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

680

mshta.exe "C:\Program Files (x86)\WeModPatcher\Launcher.hta"

C:\Windows\System32\mshta.exe

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Microsoft (R) HTML Application host

Exit code:

3221225477

Version:

11.00.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\mshta.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\wldp.dll

728

C:\WINDOWS\system32\cmd.exe /c powershell -Command "(Get-FileHash Options.ini -Algorithm MD5).Hash"

C:\Windows\System32\cmd.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

3221225786

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll

744

powershell -Command "(Get-FileHash Options.ini -Algorithm MD5).Hash"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows PowerShell

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\atl.dll
c:\windows\system32\combase.dll

1132

C:\WINDOWS\system32\cmd.exe /c mshta.exe "C:\Program Files (x86)\WeModPatcher\Launcher.hta"

C:\Windows\System32\cmd.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

3221225477

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll

1388

C:\WINDOWS\SysWOW64\WerFault.exe -u -p 7592 -s 1736

C:\Windows\SysWOW64\WerFault.exe

—

mshta.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Problem Reporting

Exit code:

Version:

10.0.19041.3996 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll

1532

"C:\WINDOWS\System32\cmd.exe" /C "C:\Program Files (x86)\WeModPatcher\WeModPatcher.bat"

C:\Windows\System32\cmd.exe

powershell.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

3221225786

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll

1660

chcp 65001

C:\Windows\System32\chcp.com

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Change CodePage Utility

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\chcp.com
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\fsutilext.dll

1852

"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Downloads\v1.2.5.INSTALLER.zip

C:\Program Files\WinRAR\WinRAR.exe

explorer.exe

User:

admin

Company:

Alexander Roshal

Integrity Level:

MEDIUM

Description:

WinRAR archiver

Version:

5.91.0

Modules

Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

2240

"C:\Windows\SysWOW64\mshta.exe" "C:\Program Files (x86)\WeModPatcher\Launcher.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

—

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft (R) HTML Application host

Exit code:

Version:

11.00.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\mshta.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\advapi32.dll

Add for printing

Total events

90 242

Read events

90 152

Write events

Delete events

Modification events


(PID) Process:	(1852) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	3
Value: C:\Users\admin\Desktop\preferences.zip
(PID) Process:	(1852) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	2
Value: C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:	(1852) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:	(1852) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\Downloads\v1.2.5.INSTALLER.zip
(PID) Process:	(1852) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(1852) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(1852) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(1852) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(8012) BackgroundTransferHost.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(8012) BackgroundTransferHost.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
5116	BackgroundTransferHost.exe	C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\903efa31-4df4-47b6-b45e-2fbe7bc03228.down_data		—
		MD5:—	SHA256:—
7672	WeModPatcher v1.2.5 Installer.tmp	C:\Program Files (x86)\WeModPatcher\is-OEF8H.tmp		text
		MD5:83503A2A8B9F78CFFA4ED444885C4959	SHA256:E217B87EA4F57FA0FBF70BED27EDA1DA7FF3A4D3B7A989BF15B1261E6735387A
5116	BackgroundTransferHost.exe	C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\Content\26C212D9399727259664BDFCA073966E_F9F7D6A7ECE73106D2A8C63168CDA10D		binary
		MD5:9FA7CCABC494A5328612D36DD19B8E46	SHA256:0D0B2B024CD660B45A6646F77B717CCD34A8C0D3EC4D5451D53DD436E87F531D
7672	WeModPatcher v1.2.5 Installer.tmp	C:\Users\admin\AppData\Local\Temp\is-47R2A.tmp\Finished.bmp		image
		MD5:E53CD7CB8B9F88D2DC9569C3A2A10416	SHA256:CC0872802A1D2487913BAC918941FDCCA9E96DBDBDFECB0802C1AC6EDFF5A641
7584	WeModPatcher v1.2.5 Installer.exe	C:\Users\admin\AppData\Local\Temp\is-7S07K.tmp\WeModPatcher v1.2.5 Installer.tmp		executable
		MD5:FFDD8A3AE61571DBBB2BA95F5EE3D3C6	SHA256:39C79FE06B2BA133432D8814078F00ED92411BC565613AE35F1DAA0E755DCAF0
7672	WeModPatcher v1.2.5 Installer.tmp	C:\Program Files (x86)\WeModPatcher\is-1JPK9.tmp		image
		MD5:CCB4F0739B87DF9D7C9D0BEF63014E53	SHA256:1F7DDFDA33CC1FF03F897AACAEDFB33A97B6430811089B96C136F362E90073F6
7428	WeModPatcher v1.2.5 Installer.exe	C:\Users\admin\AppData\Local\Temp\is-7TNLJ.tmp\WeModPatcher v1.2.5 Installer.tmp		executable
		MD5:FFDD8A3AE61571DBBB2BA95F5EE3D3C6	SHA256:39C79FE06B2BA133432D8814078F00ED92411BC565613AE35F1DAA0E755DCAF0
7672	WeModPatcher v1.2.5 Installer.tmp	C:\Program Files (x86)\WeModPatcher\Options.hta		html
		MD5:C0826786D1B58B03C4C134865CD0A0A6	SHA256:E4CDEA4433591103E4C416165B9B7EEBFF79C30B011EEE839064C0621FE0B209
7672	WeModPatcher v1.2.5 Installer.tmp	C:\Users\admin\AppData\Local\Temp\is-47R2A.tmp\_isetup\_setup64.tmp		executable
		MD5:E4211D6D009757C078A9FAC7FF4F03D4	SHA256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
5116	BackgroundTransferHost.exe	C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\903efa31-4df4-47b6-b45e-2fbe7bc03228.a2ff51ba-a5e7-4de8-af5e-f4f1776186d8.down_meta		binary
		MD5:316D72F5BCB0124C5A3673EEBF5BADDC	SHA256:3349DA5539DF69DB2EE90C21919E1A8A8644C42FADE6B58A1BEC44DF08647E93

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5496	MoUsoCoreWorker.exe	GET	200	23.48.23.141:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
7500	backgroundTaskHost.exe	GET	200	104.78.173.167:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D	unknown	—	—	whitelisted
6544	svchost.exe	GET	200	104.78.173.167:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
6544	svchost.exe	GET	200	104.78.173.167:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
756	lsass.exe	GET	200	104.18.38.233:80	http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEH1bUSa0droR23QWC7xTDac%3D	unknown	—	—	whitelisted
5116	BackgroundTransferHost.exe	GET	200	104.78.173.167:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
3272	SIHClient.exe	GET	200	23.218.209.163:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
756	lsass.exe	GET	200	104.18.38.233:80	http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEDlyRDr5IrdR19NsEN0xNZU%3D	unknown	—	—	whitelisted
3272	SIHClient.exe	GET	200	23.218.209.163:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	40.127.240.158:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
4	System	192.168.100.255:137	—	—	—	whitelisted
2104	svchost.exe	40.127.240.158:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
5496	MoUsoCoreWorker.exe	23.48.23.141:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
6392	RUXIMICS.exe	40.127.240.158:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
4	System	192.168.100.255:138	—	—	—	whitelisted
2112	svchost.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
3216	svchost.exe	20.197.71.89:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	SG	whitelisted
6544	svchost.exe	40.126.31.2:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
6544	svchost.exe	104.78.173.167:80	ocsp.digicert.com	AKAMAI-AS	GB	whitelisted

DNS requests

Domain	IP	Reputation
google.com	142.250.184.206	whitelisted
crl.microsoft.com	23.48.23.141 23.48.23.137	whitelisted
settings-win.data.microsoft.com	20.73.194.208 51.104.136.2	whitelisted
client.wns.windows.com	20.197.71.89 40.113.110.67	whitelisted
login.live.com	40.126.31.2 40.126.31.130 40.126.31.3 20.190.159.64 20.190.159.23 40.126.31.71 40.126.31.69 40.126.31.128	whitelisted
ocsp.digicert.com	104.78.173.167	whitelisted
arc.msn.com	20.86.201.138	whitelisted
www.bing.com	2.16.204.206 2.16.204.197	whitelisted
raw.githubusercontent.com	185.199.108.133 185.199.110.133 185.199.109.133 185.199.111.133	whitelisted
ocsp.comodoca.com	104.18.38.233 172.64.149.23	whitelisted

Threats

PID	Process	Class	Message
2196	svchost.exe	Not Suspicious Traffic	INFO [ANY.RUN] Attempting to access raw user content on GitHub

Add for printing

No debug info

General Info

/brunolee-GIT/W3M0dP4tch32/releases/download/v1.2.5/v1.2.5.INSTALLER.zip

54F08D8813F9222CE1844456F8B2F2CA

682DF8ABD664E0DAA167E7538C5D834261233425

314A74A443DFAD1CFC6EF472656C45377D56BB0BCBB62E12D5DE219BDE4949F0

98304:pFJaN/xTinJkY0SOQRYETkyywjuLftNu9pHVRR7SEbDax89dePzi6AwScZBnRoSy:Y0u+R

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Opens a text file (SCRIPT)

Checks whether a specified folder exists (SCRIPT)

SUSPICIOUS

Reads security settings of Internet Explorer

Executable content was dropped or overwritten

Reads the Windows owner or organization settings

Starts CMD.EXE for commands execution

Execution of CURL command

Starts NET.EXE to display or manage information about active sessions

Starts POWERSHELL.EXE for commands execution

Executing commands from a ".bat" file

Drops 7-zip archiver for unpacking

Application launched itself

Get information on the list of running processes

Starts application with an unusual extension

Executes application which crashes

Creates FileSystem object to access computer's file system (SCRIPT)

Writes binary data to a Stream object (SCRIPT)

Checks whether a specific file exists (SCRIPT)

Reads data from a binary Stream object (SCRIPT)

Runs shell command (SCRIPT)

INFO

Manual execution by a user

Reads the computer name

Executable content was dropped or overwritten

Create files in a temporary directory

Checks supported languages

Process checks computer location settings

Creates files or folders in the user directory

Creates files in the program directory

Detects InnoSetup installer (YARA)

Compiled with Borland Delphi (YARA)

Execution of CURL command

The sample compiled with english language support

Changes the display of characters in the console

Starts MODE.COM to configure console settings

Gets data length (POWERSHELL)

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity