| download: | Patch.exe |
| Full analysis: | https://app.any.run/tasks/d5c1405e-7ef8-41e6-9f72-d887f0173db1 |
| Verdict: | Malicious activity |
| Analysis date: | April 06, 2020, 20:06:05 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5: | F705AC4ADF35E2B348C3E200760FCF61 |
| SHA1: | E1925F0698267D1D78C21DB13E5034274D1622CB |
| SHA256: | 8139C166D6DBEBAC912D37FB5D36A8C78A1CE7918EE228E929D98880638A4A08 |
| SSDEEP: | 393216:FYeDM1gRYF3s11613izL9cS/FG7pi87ZKfiLllXm9rjHaiYg3WWmvvmSLxAOJqN:6U6gRes1VzL9c8Fus8gfaX8DaLzMSyOa |
MALICIOUS
No malicious indicators.SUSPICIOUS
Executable content was dropped or overwritten
- Patch.exe (PID: 3744)
Creates files in the program directory
- Patch.exe (PID: 3744)
Creates a software uninstall entry
- Patch.exe (PID: 3744)
Starts Internet Explorer
- Patch.exe (PID: 3744)
INFO
Application launched itself
- iexplore.exe (PID: 3872)
- iexplore.exe (PID: 2792)
Reads Internet Cache Settings
- iexplore.exe (PID: 3872)
- iexplore.exe (PID: 2792)
- iexplore.exe (PID: 3276)
- iexplore.exe (PID: 3052)
Changes internet zones settings
- iexplore.exe (PID: 3872)
- iexplore.exe (PID: 2792)
Reads internet explorer settings
- iexplore.exe (PID: 3276)
Reads settings of System Certificates
- iexplore.exe (PID: 3052)
- iexplore.exe (PID: 3276)
Changes settings of System certificates
- iexplore.exe (PID: 3052)
- iexplore.exe (PID: 3276)
Adds / modifies Windows certificates
- iexplore.exe (PID: 3052)
- iexplore.exe (PID: 3276)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win32 Executable Delphi generic (37.4) |
|---|---|---|
| .scr | | | Windows screen saver (34.5) |
| .exe | | | Win32 Executable (generic) (11.9) |
| .exe | | | Win16/32 Executable Delphi generic (5.4) |
| .exe | | | Generic Win/DOS Executable (5.2) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 1992:06:20 00:22:17+02:00 |
| PEType: | PE32 |
| LinkerVersion: | 2.25 |
| CodeSize: | 148992 |
| InitializedDataSize: | 314880 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x25468 |
| OSVersion: | 4 |
| ImageVersion: | - |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 0.0.0.0 |
| ProductVersionNumber: | 0.0.0.0 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | English (U.S.) |
| CharacterSet: | Windows, Latin1 |
| Comments: | - |
| CompanyName: | Crackingpatching.com Team |
| FileDescription: | Sony Vegas Pro 17.0.0 Build 421 17.0.0 Build 421 Installatio |
| FileVersion: | 17.0.0 Build 421 |
| LegalCopyright: | Crackingpatching.com Team |
Summary
| Architecture: | IMAGE_FILE_MACHINE_I386 |
|---|---|
| Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
| Compilation Date: | 19-Jun-1992 22:22:17 |
| Detected languages: |
|
| Comments: | - |
| CompanyName: | Crackingpatching.com Team |
| FileDescription: | Sony Vegas Pro 17.0.0 Build 421 17.0.0 Build 421 Installatio |
| FileVersion: | 17.0.0 Build 421 |
| LegalCopyright: | Crackingpatching.com Team |
DOS Header
| Magic number: | MZ |
|---|---|
| Bytes on last page of file: | 0x0050 |
| Pages in file: | 0x0002 |
| Relocations: | 0x0000 |
| Size of header: | 0x0004 |
| Min extra paragraphs: | 0x000F |
| Max extra paragraphs: | 0xFFFF |
| Initial SS value: | 0x0000 |
| Initial SP value: | 0x00B8 |
| Checksum: | 0x0000 |
| Initial IP value: | 0x0000 |
| Initial CS value: | 0x0000 |
| Overlay number: | 0x001A |
| OEM identifier: | 0x0000 |
| OEM information: | 0x0000 |
| Address of NE header: | 0x00000100 |
PE Headers
| Signature: | PE |
|---|---|
| Machine: | IMAGE_FILE_MACHINE_I386 |
| Number of sections: | 8 |
| Time date stamp: | 19-Jun-1992 22:22:17 |
| Pointer to Symbol Table: | 0x00000000 |
| Number of symbols: | 0 |
| Size of Optional Header: | 0x00E0 |
| Characteristics: |
|
Sections
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
|---|---|---|---|---|---|
CODE | 0x00001000 | 0x000244CC | 0x00024600 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.59443 |
DATA | 0x00026000 | 0x00002894 | 0x00002A00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 3.79376 |
BSS | 0x00029000 | 0x000010F5 | 0x00000000 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0 |
.idata | 0x0002B000 | 0x00001798 | 0x00001800 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.88555 |
.tls | 0x0002D000 | 0x00000008 | 0x00000000 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0 |
.rdata | 0x0002E000 | 0x00000018 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED | 0.204488 |
.reloc | 0x0002F000 | 0x00001884 | 0x00001A00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED | 6.58665 |
.rsrc | 0x00031000 | 0x00046F60 | 0x00047000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED | 4.1405 |
Resources
Title | Entropy | Size | Codepage | Language | Type |
|---|---|---|---|---|---|
1 | 4.93923 | 886 | UNKNOWN | Russian - Russia | RT_MANIFEST |
50 | 5.24025 | 1128 | UNKNOWN | UNKNOWN | RT_ICON |
51 | 4.94231 | 2440 | UNKNOWN | UNKNOWN | RT_ICON |
52 | 4.73718 | 4264 | UNKNOWN | UNKNOWN | RT_ICON |
53 | 4.51902 | 9640 | UNKNOWN | UNKNOWN | RT_ICON |
54 | 4.05378 | 270376 | UNKNOWN | UNKNOWN | RT_ICON |
DVCLAL | 4 | 16 | UNKNOWN | UNKNOWN | RT_RCDATA |
PACKAGEINFO | 5.28362 | 272 | UNKNOWN | UNKNOWN | RT_RCDATA |
MAINICON | 2.75922 | 76 | UNKNOWN | UNKNOWN | RT_GROUP_ICON |
Imports
advapi32.dll |
cabinet.dll |
comctl32.dll |
gdi32.dll |
kernel32.dll |
ole32.dll |
oleaut32.dll |
shell32.dll |
user32.dll |
winmm.dll |
Total processes
43
Monitored processes
6
Malicious processes
1
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2112 | "C:\Users\admin\AppData\Local\Temp\Patch.exe" | C:\Users\admin\AppData\Local\Temp\Patch.exe | — | explorer.exe | |||||||||||
User: admin Company: Crackingpatching.com Team Integrity Level: MEDIUM Description: Sony Vegas Pro 17.0.0 Build 421 17.0.0 Build 421 Installatio Exit code: 3221226540 Version: 17.0.0 Build 421 Modules
| |||||||||||||||
| 2792 | "C:\Program Files\Internet Explorer\iexplore.exe" https://crackingpatching.com/2019/08/idm-crack.html | C:\Program Files\Internet Explorer\iexplore.exe | Patch.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Internet Explorer Exit code: 1 Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
| |||||||||||||||
| 3052 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2792 CREDAT:275457 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Internet Explorer Exit code: 0 Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
| |||||||||||||||
| 3276 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3872 CREDAT:275457 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Internet Explorer Exit code: 0 Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
| |||||||||||||||
| 3744 | "C:\Users\admin\AppData\Local\Temp\Patch.exe" | C:\Users\admin\AppData\Local\Temp\Patch.exe | explorer.exe | ||||||||||||
User: admin Company: Crackingpatching.com Team Integrity Level: HIGH Description: Sony Vegas Pro 17.0.0 Build 421 17.0.0 Build 421 Installatio Exit code: 0 Version: 17.0.0 Build 421 Modules
| |||||||||||||||
| 3872 | "C:\Program Files\Internet Explorer\iexplore.exe" https://crackingpatching.com/ | C:\Program Files\Internet Explorer\iexplore.exe | Patch.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Internet Explorer Exit code: 1 Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
| |||||||||||||||
Total events
2 781
Read events
707
Write events
2 069
Delete events
5
Modification events
| (PID) Process: | (3744) Patch.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sony Vegas Pro 17.0.0 Build 421 |
| Operation: | write | Name: | DisplayName |
Value: Sony Vegas Pro 17.0.0 Build 421 | |||
| (PID) Process: | (3744) Patch.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sony Vegas Pro 17.0.0 Build 421 |
| Operation: | write | Name: | DisplayVersion |
Value: 17.0.0 Build 421 | |||
| (PID) Process: | (3744) Patch.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sony Vegas Pro 17.0.0 Build 421 |
| Operation: | write | Name: | VersionMajor |
Value: 17 | |||
| (PID) Process: | (3744) Patch.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sony Vegas Pro 17.0.0 Build 421 |
| Operation: | write | Name: | VersionMinor |
Value: 0 | |||
| (PID) Process: | (3744) Patch.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sony Vegas Pro 17.0.0 Build 421 |
| Operation: | write | Name: | Publisher |
Value: Crackingpatching.com Team | |||
| (PID) Process: | (3744) Patch.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sony Vegas Pro 17.0.0 Build 421 |
| Operation: | write | Name: | DisplayIcon |
Value: C:\Program Files\Internet Download Manager\Sony Vegas Pro 17.0.0 Build 421 Patch Uninstaller.exe | |||
| (PID) Process: | (3744) Patch.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sony Vegas Pro 17.0.0 Build 421 |
| Operation: | write | Name: | UninstallString |
Value: C:\Program Files\Internet Download Manager\Sony Vegas Pro 17.0.0 Build 421 Patch Uninstaller.exe | |||
| (PID) Process: | (3744) Patch.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sony Vegas Pro 17.0.0 Build 421 |
| Operation: | write | Name: | URLInfoAbout |
Value: https://crackingpatching.com | |||
| (PID) Process: | (3744) Patch.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sony Vegas Pro 17.0.0 Build 421 |
| Operation: | write | Name: | HelpLink |
Value: https://crackingpatching.com | |||
| (PID) Process: | (3744) Patch.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sony Vegas Pro 17.0.0 Build 421 |
| Operation: | write | Name: | InstallLocation |
Value: C:\Program Files\VEGAS\VEGAS Pro 17.0\ | |||
Executable files
4
Suspicious files
2
Text files
6
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3744 | Patch.exe | C:\Users\admin\AppData\Local\Temp\$inst\temp_0.tmp | — | |
MD5:— | SHA256:— | |||
| 3744 | Patch.exe | C:\Users\admin\AppData\Local\Temp\$inst\0001.tmp | — | |
MD5:— | SHA256:— | |||
| 3744 | Patch.exe | C:\Users\admin\AppData\Local\Temp\$inst\0002.tmp | — | |
MD5:— | SHA256:— | |||
| 2792 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | — | |
MD5:— | SHA256:— | |||
| 3872 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | — | |
MD5:— | SHA256:— | |||
| 2792 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DF21CDC3A69F310A9D.TMP | — | |
MD5:— | SHA256:— | |||
| 2792 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{27C6FE51-7842-11EA-972D-5254004A04AF}.dat | — | |
MD5:— | SHA256:— | |||
| 2792 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DF111BD9B47359BEF3.TMP | — | |
MD5:— | SHA256:— | |||
| 2792 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{27C6FE4F-7842-11EA-972D-5254004A04AF}.dat | — | |
MD5:— | SHA256:— | |||
| 3872 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DFB1D114157B5FEE7A.TMP | — | |
MD5:— | SHA256:— | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
8
DNS requests
4
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
3872 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted |
2792 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
3872 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
2792 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
3276 | iexplore.exe | 104.18.57.24:443 | crackingpatching.com | Cloudflare Inc | US | shared |
3052 | iexplore.exe | 104.18.57.24:443 | crackingpatching.com | Cloudflare Inc | US | shared |
DNS requests
Domain | IP | Reputation |
|---|---|---|
crackingpatching.com |
| malicious |
api.bing.com |
| whitelisted |
www.bing.com |
| whitelisted |