Malware analysis File_patched.exe Malicious activity | ANY.RUN

Add for printing

File name:	File_patched.exe
Full analysis:	https://app.any.run/tasks/c8ee1528-2bff-4f34-961f-7b9069421955
Verdict:	Malicious activity
Threats:	PrivateLoader is a malware family that is specifically created to infect computer systems and drop additional malicious programs. It operates using a pay-per-install business model, which means that the individuals behind it are paid for each instance of successful deployment of different types of harmful programs, including trojans, stealers, and other ransomware. Malware Trends Tracker >>>
Analysis date:	July 22, 2024, 14:52:46
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	evasion privateloader
Indicators:
MIME:	application/x-dosexec
File info:	PE32+ executable (GUI) x86-64, for MS Windows
MD5:	E8A8D55B8AAFA2FBAA103826FA155398
SHA1:	9707C41D54434D195086B9CD8C48EBE55D50ACF6
SHA256:	39B12A0B45BB75DDD3FD333A6C97C31C7928C547D5EBC620730C90CFB92C7233
SSDEEP:	98304:0ccJ6jbuXW2TELVL3HqLfLv6uMBoplUjYxzu2y1Scz30YgN6l8rPBx8efISInmN6:HkjvipXnLCm

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Drops the executable file immediately after the start
  - File_patched.exe (PID: 8180)
- Changes the Windows auto-update feature
  - File_patched.exe (PID: 8180)
- Actions looks like stealing of personal data
  - File_patched.exe (PID: 8180)
- PRIVATELOADER has been detected (SURICATA)
  - File_patched.exe (PID: 8180)
- Connects to the CnC server
  - File_patched.exe (PID: 8180)
- PRIVATELOADER has been detected (YARA)
  - File_patched.exe (PID: 8180)
SUSPICIOUS
- Reads security settings of Internet Explorer
  - File_patched.exe (PID: 8180)
- Checks for external IP
  - File_patched.exe (PID: 8180)
- Checks Windows Trust Settings
  - File_patched.exe (PID: 8180)
- Executes application which crashes
  - Z2SOpaxDPdw148yFDKCzwUeP.exe (PID: 4092)
- Connects to the server without a host name
  - File_patched.exe (PID: 8180)
- Potential Corporate Privacy Violation
  - File_patched.exe (PID: 8180)
INFO
- Checks supported languages
  - File_patched.exe (PID: 8180)
  - Z2SOpaxDPdw148yFDKCzwUeP.exe (PID: 4092)
- Process checks computer location settings
  - File_patched.exe (PID: 8180)
- Reads the computer name
  - File_patched.exe (PID: 8180)
  - Z2SOpaxDPdw148yFDKCzwUeP.exe (PID: 4092)
- Reads the machine GUID from the registry
  - File_patched.exe (PID: 8180)
- Checks proxy server information
  - File_patched.exe (PID: 8180)
- Creates files or folders in the user directory
  - File_patched.exe (PID: 8180)
  - WerFault.exe (PID: 7240)
- Reads the software policy settings
  - File_patched.exe (PID: 8180)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win64 Executable (generic) (87.3)
.exe	\|	Generic Win/DOS Executable (6.3)
.exe	\|	DOS Executable Generic (6.3)

EXIF

EXE

MachineType:	AMD AMD64
TimeStamp:	2024:07:22 04:10:07+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32+
LinkerVersion:	14.39
CodeSize:	1177088
InitializedDataSize:	463360
UninitializedDataSize:	-
EntryPoint:	0x2d2765
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI
FileVersionNumber:	0.0.0.0
ProductVersionNumber:	0.0.0.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
Comments:	This installation was built with Inno Setup.
CompanyName:	Tyrrrz
FileDescription:	LightBulb Setup
FileVersion:
LegalCopyright:
OriginalFileName:
ProductName:	LightBulb
ProductVersion:	2.6

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

150

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

3328

"C:\Users\admin\AppData\Local\Temp\File_patched.exe"

C:\Users\admin\AppData\Local\Temp\File_patched.exe

—

explorer.exe

User:

admin

Company:

Tyrrrz

Integrity Level:

MEDIUM

Description:

LightBulb Setup

Exit code:

3221226540

Version:

Modules

Images
c:\users\admin\appdata\local\temp\file_patched.exe
c:\windows\system32\ntdll.dll

4092

C:\Users\admin\Documents\piratemamm\Z2SOpaxDPdw148yFDKCzwUeP.exe

File_patched.exe

User:

admin

Company:

Latvia misprinting

Integrity Level:

HIGH

Description:

Subaltern distil sanction insanity sunned lifeanddeath

Exit code:

3221225477

Version:

5.11.239.2

Modules

Images
c:\users\admin\documents\piratemamm\z2sopaxdpdw148yfdkczwuep.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

5660

C:\WINDOWS\System32\slui.exe -Embedding

C:\Windows\System32\slui.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Activation Client

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

7240

C:\WINDOWS\system32\WerFault.exe -u -p 4092 -s 444

C:\Windows\System32\WerFault.exe

—

Z2SOpaxDPdw148yFDKCzwUeP.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Problem Reporting

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll

8180

"C:\Users\admin\AppData\Local\Temp\File_patched.exe"

C:\Users\admin\AppData\Local\Temp\File_patched.exe

explorer.exe

User:

admin

Company:

Tyrrrz

Integrity Level:

HIGH

Description:

LightBulb Setup

Exit code:

Version:

Modules

Images
c:\users\admin\appdata\local\temp\file_patched.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll

Add for printing

Total events

3 658

Read events

3 557

Write events

Delete events

Modification events


(PID) Process:	(8180) File_patched.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules
Operation:	write	Name:	C:\
Value: 1
(PID) Process:	(8180) File_patched.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{B22D3B6D-E271-4366-A4CF-38307843663E}Machine\Software\Policies\Microsoft\AppHVSI
Operation:	write	Name:	AllowAppHVSI_ProviderSet
Value: 0
(PID) Process:	(8180) File_patched.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{B22D3B6D-E271-4366-A4CF-38307843663E}Machine\Software\Policies\Microsoft\EdgeUpdate
Operation:	write	Name:	UpdateDefault
Value: 0
(PID) Process:	(8180) File_patched.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{B22D3B6D-E271-4366-A4CF-38307843663E}Machine\Software\Policies\Microsoft\Windows\Network Connections
Operation:	write	Name:	NC_DoNotShowLocalOnlyIcon
Value: 1
(PID) Process:	(8180) File_patched.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{B22D3B6D-E271-4366-A4CF-38307843663E}Machine\Software\Policies\Microsoft\Windows\Windows Feeds
Operation:	write	Name:	EnableFeeds
Value: 0
(PID) Process:	(8180) File_patched.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{B22D3B6D-E271-4366-A4CF-38307843663E}Machine\Software\Policies\Microsoft\Windows\WindowsUpdate
Operation:	write	Name:	WUServer
Value: http://neverupdatewindows10.com
(PID) Process:	(8180) File_patched.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{B22D3B6D-E271-4366-A4CF-38307843663E}Machine\Software\Policies\Microsoft\Windows\WindowsUpdate
Operation:	write	Name:	WUStatusServer
Value: http://neverupdatewindows10.com
(PID) Process:	(8180) File_patched.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{B22D3B6D-E271-4366-A4CF-38307843663E}Machine\Software\Policies\Microsoft\Windows\WindowsUpdate
Operation:	write	Name:	UpdateServiceUrlAlternate
Value: http://neverupdatewindows10.com
(PID) Process:	(8180) File_patched.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{B22D3B6D-E271-4366-A4CF-38307843663E}Machine\Software\Policies\Microsoft\Windows\WindowsUpdate
Operation:	write	Name:	**del.FillEmptyContentUrls
Value:
(PID) Process:	(8180) File_patched.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{B22D3B6D-E271-4366-A4CF-38307843663E}Machine\Software\Policies\Microsoft\Windows\WindowsUpdate\AU
Operation:	write	Name:	UseWUServer
Value: 1

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
7240	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Z2SOpaxDPdw148yF_ca2fcef508d7d204c359537a8eb765a15cae063_f028f696_1d2172e0-9797-495f-a623-22cd9ba83e01\Report.wer		—
		MD5:—	SHA256:—
7240	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\Temp\WERB15E.tmp.WERInternalMetadata.xml		xml
		MD5:353C178D0B78936EF3262A76362CADC8	SHA256:0C36AF45724795D42A7CC48D6B5FAEBB9BA1E4874381FD08DF6D9B750656737D
8180	File_patched.exe	C:\WINDOWS\System32\GroupPolicy\Machine\Registry.pol		binary
		MD5:8C49DAA7D041CF94B84B491FF44A0915	SHA256:87826FFBE97A6F8C9B9BC24D016214488D77917D91CB606F33DD71251B7A6A79
8180	File_patched.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\351809EA8413AE0AA50BAEE3C04D84F6		binary
		MD5:023E0A51A27E527C2C9EA720CE2FBAE5	SHA256:77C167E4546EC3BB78F789234DA6F62926F40141D6AC45362F7273D30045D9CE
8180	File_patched.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\731067BF8D7976C075349ACF768DDFB7		binary
		MD5:EEE7A53BB313CD1720AF4A4B5B7ABD03	SHA256:962557D2FF42FCEBD0251E2DF5AE3297E421C4F28B3E733DC59BCFB118C20907
7240	WerFault.exe	C:\WINDOWS\AppCompat\Programs\Amcache.hve		binary
		MD5:4F3C78838B0AA5C4DA008F6E0767E779	SHA256:39CAF752208BD9321F5CC3A771984A68360D42BFA0B3D59A0649A495233C5541
8180	File_patched.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\351809EA8413AE0AA50BAEE3C04D84F6		binary
		MD5:0DB8DC01246057B54A7C23125B5605A7	SHA256:D9ACC98815C2EC09DF489E930D2777F1CADD096036F89965CE2E31C6E3F9E032
7240	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\Temp\WERB17E.tmp.xml		xml
		MD5:D36A1F5E0DE0CE2C294967CDDBAB59F2	SHA256:EDD4041FCBDFB6A35541E85359CA13CCDA52087BBCD8261832CD94F92363C3EC
8180	File_patched.exe	C:\Users\admin\Documents\piratemamm\Z2SOpaxDPdw148yFDKCzwUeP.exe		binary
		MD5:7D7048444D4A71E38A1BD16B3252873E	SHA256:C2570C9EC105ED62DDBE709F1A88FDD3FBE08E704D5A7B71A45E5E1CB261B4C0
7240	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\Temp\WERB0B1.tmp.dmp		dmp
		MD5:3BEBEFCB28A1CAE553522E8FC1C65838	SHA256:2E6635A2B25C2E312EA1B815CC2BBBBAFA6CF7F7344FCDF6CD29EE346F2EAF6D

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
8180	File_patched.exe	GET	200	109.120.176.203:80	http://109.120.176.203/api/crazyfish.php	unknown	—	—	unknown
8180	File_patched.exe	GET	200	104.18.20.226:80	http://ocsp2.globalsign.com/rootr5/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQiD0S5cIHyfrLTJ1fvAkJWflH%2B2QQUPeYpSJvqB8ohREom3m7e0oPQn1kCDQHuXyKVQkkF%2BQGRqNw%3D	unknown	—	—	whitelisted
8180	File_patched.exe	POST	200	109.120.176.203:80	http://109.120.176.203/api/twofish.php	unknown	—	—	unknown
8180	File_patched.exe	GET	200	104.18.20.226:80	http://ocsp.globalsign.com/gseccovsslca2018/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBSTMjK03nNiYoQYvu4Izyfn9OJNdAQUWHuOdSr%2BYYCqkEABrtboB0ZuP0gCDHmsXXQgoaZQ4a3ukw%3D%3D	unknown	—	—	whitelisted
8180	File_patched.exe	GET	200	104.18.20.226:80	http://ocsp.globalsign.com/gseccovsslca2018/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBSTMjK03nNiYoQYvu4Izyfn9OJNdAQUWHuOdSr%2BYYCqkEABrtboB0ZuP0gCDB8VCpIoQMc6D1nxwA%3D%3D	unknown	—	—	whitelisted
8180	File_patched.exe	POST	200	109.120.176.203:80	http://109.120.176.203/api/twofish.php	unknown	—	—	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4032	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
4716	svchost.exe	40.126.31.71:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
5620	MoUsoCoreWorker.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
7856	svchost.exe	4.209.32.67:443	licensing.mp.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown
4	System	192.168.100.255:138	—	—	—	whitelisted
2168	svchost.exe	224.0.0.251:5353	—	—	—	unknown
2168	svchost.exe	224.0.0.252:5355	—	—	—	whitelisted
8180	File_patched.exe	109.120.176.203:80	—	—	RU	unknown
8180	File_patched.exe	172.67.75.163:443	api.myip.com	CLOUDFLARENET	US	unknown

DNS requests

Domain	IP	Reputation
login.live.com	40.126.31.71 20.190.159.73 20.190.159.68 40.126.31.69 20.190.159.0 20.190.159.71 20.190.159.2 40.126.31.67 40.126.32.140 40.126.32.134 20.190.160.17 40.126.32.133 40.126.32.74 40.126.32.136 20.190.160.22 40.126.32.72	whitelisted
settings-win.data.microsoft.com	20.73.194.208 4.231.128.59 40.127.240.158	whitelisted
google.com	142.250.184.238	whitelisted
api.myip.com	172.67.75.163 104.26.8.59 104.26.9.59	whitelisted
ipinfo.io	34.117.59.81	shared
client.wns.windows.com	40.115.3.253	whitelisted
vk.com	87.240.137.164 87.240.132.72 87.240.132.78 87.240.132.67 87.240.129.133 93.186.225.194	whitelisted
ocsp2.globalsign.com	104.18.20.226 104.18.21.226	whitelisted
ocsp.globalsign.com	104.18.20.226 104.18.21.226	whitelisted
sun6-20.userapi.com	95.142.206.0	whitelisted

Threats

PID	Process	Class	Message
8180	File_patched.exe	Device Retrieving External IP Address Detected	ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
8180	File_patched.exe	Device Retrieving External IP Address Detected	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
8180	File_patched.exe	Device Retrieving External IP Address Detected	ET POLICY External IP Lookup SSL Cert Observed (ipinfo .io)
2168	svchost.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup Domain in DNS Lookup (ipinfo .io)
8180	File_patched.exe	A Network Trojan was detected	LOADER [ANY.RUN] PrivateLoader Check-in
2168	svchost.exe	Potential Corporate Privacy Violation	ET POLICY IP Check Domain (iplogger .org in DNS Lookup)
8180	File_patched.exe	Potential Corporate Privacy Violation	ET POLICY IP Check Domain (iplogger .org in TLS SNI)

Add for printing

No debug info

General Info

File_patched.exe

E8A8D55B8AAFA2FBAA103826FA155398

9707C41D54434D195086B9CD8C48EBE55D50ACF6

39B12A0B45BB75DDD3FD333A6C97C31C7928C547D5EBC620730C90CFB92C7233

98304:0ccJ6jbuXW2TELVL3HqLfLv6uMBoplUjYxzu2y1Scz30YgN6l8rPBx8efISInmN6:HkjvipXnLCm

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

Changes the Windows auto-update feature

Actions looks like stealing of personal data

PRIVATELOADER has been detected (SURICATA)

Connects to the CnC server

PRIVATELOADER has been detected (YARA)

SUSPICIOUS

Reads security settings of Internet Explorer

Checks for external IP

Checks Windows Trust Settings

Executes application which crashes

Connects to the server without a host name

Potential Corporate Privacy Violation

INFO

Checks supported languages

Process checks computer location settings

Reads the computer name

Reads the machine GUID from the registry

Checks proxy server information

Creates files or folders in the user directory

Reads the software policy settings

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings