Malware analysis Patch‌‌.exe Malicious activity | ANY.RUN

Add for printing

File name:	Patch‌‌.exe
Full analysis:	https://app.any.run/tasks/f9b5f6b8-dfcb-4a7f-8e75-af20d4e9d5c6
Verdict:	Malicious activity
Analysis date:	December 05, 2024, 03:38:23
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	telegram netreactor crypto-regex ims-api generic
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5:	43FA07EA54AC675414E7E765BC168EC7
SHA1:	0799B972044A1893272A3949A50E26E08E903970
SHA256:	97A780627C1FC393865FD8CA7DD7C890E0B2BF4D70EF98FDD00D3DF344F983AC
SSDEEP:	49152:6fxIVzMHqh6uVWErmAF7iawqvn7DFp0UAGXcsJxpPJI/UjWcfZIntIj2P30tMW6f:6fa96M9F7iWPFp0uMB/4Gn3PEKtmrHO

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Uses Task Scheduler to run other applications
  - svchost.exe (PID: 6344)
- Adds path to the Windows Defender exclusion list
  - svchost.exe (PID: 6344)
SUSPICIOUS
- Executes application which crashes
  - Patch.exe (PID: 6624)
- Starts POWERSHELL.EXE for commands execution
  - svchost.exe (PID: 6344)
- Script adds exclusion path to Windows Defender
  - svchost.exe (PID: 6344)
- The process creates files with name similar to system file names
  - Patch‌‌.exe (PID: 2496)
- Executable content was dropped or overwritten
  - Patch‌‌.exe (PID: 2496)
- Reads security settings of Internet Explorer
  - Patch‌‌.exe (PID: 2496)
- Reads the date of Windows installation
  - Patch‌‌.exe (PID: 2496)
- Process drops legitimate windows executable
  - Patch‌‌.exe (PID: 2496)
- Process communicates with Telegram (possibly using it as an attacker's C2 server)
  - RuntimeBroker.exe (PID: 6384)
- Found regular expressions for crypto-addresses (YARA)
  - RuntimeBroker.exe (PID: 6384)
- Possible usage of Discord/Telegram API has been detected (YARA)
  - RuntimeBroker.exe (PID: 6384)
INFO
- Checks if a key exists in the options dictionary (POWERSHELL)
  - powershell.exe (PID: 6932)
- Script raised an exception (POWERSHELL)
  - powershell.exe (PID: 6932)
- Checks supported languages
  - Patch‌‌.exe (PID: 2496)
  - Patch.exe (PID: 6624)
  - svchost.exe (PID: 6344)
  - RuntimeBroker.exe (PID: 6384)
- Reads the machine GUID from the registry
  - Patch‌‌.exe (PID: 2496)
  - svchost.exe (PID: 6344)
  - RuntimeBroker.exe (PID: 6384)
- Reads the computer name
  - Patch‌‌.exe (PID: 2496)
  - svchost.exe (PID: 6344)
  - Patch.exe (PID: 6624)
  - RuntimeBroker.exe (PID: 6384)
- Creates files in the program directory
  - Patch‌‌.exe (PID: 2496)
- Create files in a temporary directory
  - Patch‌‌.exe (PID: 2496)
- Process checks computer location settings
  - Patch‌‌.exe (PID: 2496)
- The process uses the downloaded file
  - Patch‌‌.exe (PID: 2496)
- Creates files or folders in the user directory
  - Patch‌‌.exe (PID: 2496)
- .NET Reactor protector has been detected
  - RuntimeBroker.exe (PID: 6384)
  - svchost.exe (PID: 6344)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

ims-api

(PID) Process(6384) RuntimeBroker.exe

Telegram-Tokens (1)8121771984:AAGXOlTP44BsB9q7BSb6ogc3oDB4i1-Uucg

Telegram-Info-Links

8121771984:AAGXOlTP44BsB9q7BSb6ogc3oDB4i1-Uucg

Get info about bothttps://api.telegram.org/bot8121771984:AAGXOlTP44BsB9q7BSb6ogc3oDB4i1-Uucg/getMe

Get incoming updateshttps://api.telegram.org/bot8121771984:AAGXOlTP44BsB9q7BSb6ogc3oDB4i1-Uucg/getUpdates

Get webhookhttps://api.telegram.org/bot8121771984:AAGXOlTP44BsB9q7BSb6ogc3oDB4i1-Uucg/getWebhookInfo

Delete webhookhttps://api.telegram.org/bot8121771984:AAGXOlTP44BsB9q7BSb6ogc3oDB4i1-Uucg/deleteWebhook

Drop incoming updateshttps://api.telegram.org/bot8121771984:AAGXOlTP44BsB9q7BSb6ogc3oDB4i1-Uucg/deleteWebhook?drop_pending_updates=true

Telegram-Requests

Token8121771984:AAGXOlTP44BsB9q7BSb6ogc3oDB4i1-Uucg

End-PointsendMessage

Args

chat_id (1)8070554953

Token8121771984:AAGXOlTP44BsB9q7BSb6ogc3oDB4i1-Uucg

End-PointsendMessage

Args

chat_id (1)8070554953

text (1)☠ [XWorm V5.6] New Clinet : 3C54740F7CC0F23B53E5 UserName : admin OSFullName : Microsoft Windows 10

Token8121771984:AAGXOlTP44BsB9q7BSb6ogc3oDB4i1-Uucg

End-PointsendMessage

Args

chat_id (1)8070554953

text (1)☠ [XWorm V5.6] New Clinet : 3C54740F7CC0F23B53E5 UserName : admin OSFullName : Microsoft Windows 10 Pro USB : False CPU : Intel i5-6400 @ 2.70GHz GPU : Microsoft Basic Display Adapter RAM : 3.99 GB Groub : threat HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive

No Malware configuration.

Add for printing

TRiD

.exe	\|	Generic CIL Executable (.NET, Mono, etc.) (63.1)
.exe	\|	Win64 Executable (generic) (23.8)
.dll	\|	Win32 Dynamic Link Library (generic) (5.6)
.exe	\|	Win32 Executable (generic) (3.8)
.exe	\|	Generic Win/DOS Executable (1.7)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2024:12:04 03:12:59+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	11
CodeSize:	940032
InitializedDataSize:	70144
UninitializedDataSize:	-
EntryPoint:	0xe75fe
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	1.0.0.0
ProductVersionNumber:	1.0.0.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
CompanyName:	Tools Reversing
FileDescription:	Patch
FileVersion:	1.0.0.0
InternalName:	Patch.exe
LegalCopyright:	Copyright © 2024
LegalTrademarks:	@Drcrypt0r
OriginalFileName:	Patch.exe
ProductName:	Patch
ProductVersion:	1.0.0.0
AssemblyVersion:	1.0.0.0

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

138

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

2496

"C:\Users\admin\AppData\Local\Temp\Patch‌‌.exe"

C:\Users\admin\AppData\Local\Temp\Patch‌‌.exe

explorer.exe

User:

admin

Company:

Tools Reversing

Integrity Level:

MEDIUM

Description:

Patch

Exit code:

Version:

1.0.0.0

Modules

Images
c:\windows\assembly\nativeimages_v4.0.30319_64\system\4dd00a645a9f01baf30bc958379af31e\system.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.core\e4dc69d3423231045901c1e8ffd7e357\system.core.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\microsoft.v9921e851#\e6ea6e97a219590914a8452edf94f016\microsoft.visualbasic.ni.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shcore.dll
c:\windows\system32\windows.storage.dll
c:\windows\system32\wldp.dll

6344

"C:\ProgramData\svchost.exe"

C:\ProgramData\svchost.exe

—

Patch‌‌.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Host Process for Windows Services

Version:

10.0.26100.1150

Modules

Images
c:\windows\syswow64\shell32.dll
c:\windows\syswow64\windows.storage.dll
c:\windows\syswow64\shcore.dll
c:\windows\syswow64\clbcatq.dll
c:\windows\syswow64\cryptbase.dll
c:\windows\microsoft.net\framework\v4.0.30319\clrjit.dll
c:\windows\microsoft.net\assembly\gac_msil\system.windows.forms\v4.0_4.0.0.0__b77a5c561934e089\system.windows.forms.dll
c:\windows\microsoft.net\assembly\gac_msil\system.drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\system.drawing.dll

6384

"C:\Users\admin\AppData\Roaming\RuntimeBroker.exe"

C:\Users\admin\AppData\Roaming\RuntimeBroker.exe

Patch‌‌.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Runtime Broker

Version:

10.0.26100.1882

Modules

Images
c:\windows\syswow64\scrrun.dll
c:\windows\syswow64\edputil.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.xml\702c2af6b170d9c3fc21c25e30b76a98\system.xml.ni.dll
c:\windows\syswow64\textinputframework.dll
c:\windows\syswow64\coremessaging.dll
c:\windows\syswow64\coreuicomponents.dll
c:\windows\syswow64\ntmarta.dll
c:\windows\syswow64\wintypes.dll
c:\windows\syswow64\wbem\fastprox.dll
c:\windows\syswow64\mskeyprotect.dll

ims-api

(PID) Process(6384) RuntimeBroker.exe

Telegram-Tokens (1)8121771984:AAGXOlTP44BsB9q7BSb6ogc3oDB4i1-Uucg

Telegram-Info-Links

8121771984:AAGXOlTP44BsB9q7BSb6ogc3oDB4i1-Uucg

Get info about bothttps://api.telegram.org/bot8121771984:AAGXOlTP44BsB9q7BSb6ogc3oDB4i1-Uucg/getMe

Get incoming updateshttps://api.telegram.org/bot8121771984:AAGXOlTP44BsB9q7BSb6ogc3oDB4i1-Uucg/getUpdates

Get webhookhttps://api.telegram.org/bot8121771984:AAGXOlTP44BsB9q7BSb6ogc3oDB4i1-Uucg/getWebhookInfo

Delete webhookhttps://api.telegram.org/bot8121771984:AAGXOlTP44BsB9q7BSb6ogc3oDB4i1-Uucg/deleteWebhook

Drop incoming updateshttps://api.telegram.org/bot8121771984:AAGXOlTP44BsB9q7BSb6ogc3oDB4i1-Uucg/deleteWebhook?drop_pending_updates=true

Telegram-Requests

Token8121771984:AAGXOlTP44BsB9q7BSb6ogc3oDB4i1-Uucg

End-PointsendMessage

Args

chat_id (1)8070554953

Token8121771984:AAGXOlTP44BsB9q7BSb6ogc3oDB4i1-Uucg

End-PointsendMessage

Args

chat_id (1)8070554953

text (1)☠ [XWorm V5.6] New Clinet : 3C54740F7CC0F23B53E5 UserName : admin OSFullName : Microsoft Windows 10

Token8121771984:AAGXOlTP44BsB9q7BSb6ogc3oDB4i1-Uucg

End-PointsendMessage

Args

chat_id (1)8070554953

6420

"C:\Users\admin\AppData\Local\Temp\Patch.exe"

C:\Users\admin\AppData\Local\Temp\Patch.exe

—

Patch‌‌.exe

User:

admin

Company:

Tools Reversing

Integrity Level:

MEDIUM

Description:

Patch

Exit code:

3221226540

Version:

1.0.0.0

Modules

Images
c:\users\admin\appdata\local\temp\patch.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll

6624

"C:\Users\admin\AppData\Local\Temp\Patch.exe"

C:\Users\admin\AppData\Local\Temp\Patch.exe

Patch‌‌.exe

User:

admin

Company:

Tools Reversing

Integrity Level:

HIGH

Description:

Patch

Version:

1.0.0.0

Modules

Images
c:\windows\syswow64\uxtheme.dll
c:\windows\syswow64\shell32.dll
c:\windows\syswow64\shcore.dll
c:\windows\syswow64\windows.storage.dll
c:\windows\syswow64\wldp.dll
c:\windows\syswow64\propsys.dll
c:\windows\syswow64\cfgmgr32.dll
c:\windows\syswow64\clbcatq.dll
c:\windows\microsoft.net\framework\v4.0.30319\clrjit.dll
c:\windows\syswow64\oleaut32.dll

6648

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

Patch.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Version:

10.0.19041.1 (WinBuild.160101.0800)

6876

C:\WINDOWS\SysWOW64\WerFault.exe -u -p 6624 -s 1240

C:\Windows\SysWOW64\WerFault.exe

Patch.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Problem Reporting

Exit code:

Version:

10.0.19041.3996 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\policymanager.dll
c:\windows\syswow64\psapi.dll
c:\windows\syswow64\version.dll
c:\windows\syswow64\twinapi.appcore.dll
c:\windows\syswow64\netprofm.dll
c:\windows\syswow64\npmproxy.dll
c:\windows\syswow64\textshaping.dll
c:\windows\syswow64\onecoreuapcommonproxystub.dll
c:\windows\syswow64\dpapi.dll
c:\windows\syswow64\dhcpcsvc6.dll

6932

"powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData\Windows Services'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows PowerShell

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\atl.dll
c:\windows\syswow64\imm32.dll

6952

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

powershell.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

6960

"schtasks.exe" /create /tn svchost.exe /tr "C:\ProgramData\Windows Services\svchost.exe" /st 03:43 /du 23:59 /sc daily /ri 1 /f

C:\Windows\SysWOW64\schtasks.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Task Scheduler Configuration Tool

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

Add for printing

Total events

2 591

Read events

2 590

Write events

Delete events

Modification events


(PID) Process:	(2496) Patch‌‌.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:	write	Name:	SlowContextMenuEntries
Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
6876	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Patch.exe_efe110148c871034832e5992496a10261249b_b376a00e_8abc5af3-6f71-4360-978f-fc3bf7412362\Report.wer		—
		MD5:—	SHA256:—
6876	WerFault.exe	C:\Users\admin\AppData\Local\CrashDumps\Patch.exe.6624.dmp		—
		MD5:—	SHA256:—
6876	WerFault.exe	C:\Windows\appcompat\Programs\Amcache.hve		hiv
		MD5:6D28471DD7B2529B14ADBE752A19AC4E	SHA256:1C639038BD34455B873FB2C4B5A3836065DC17F69F8C67F8769BE77CB9E386A8
6384	RuntimeBroker.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RuntimeBroker.lnk		binary
		MD5:E15611E201ABAAFBC1C574EDA2976B01	SHA256:8AAA5213E326BAE2719BF677FF8D161DDF3855745C30554450C835C70850D70B
6932	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_r2s5q0yw.y1t.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6932	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_3whofcvz.cv3.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6876	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\Temp\WER7247.tmp.xml		xml
		MD5:3EB47397C9D52F1B6A600FAE00FF4E8D	SHA256:8923B8CAEB26D2281B5CFE8F422509472A492EBB42A0B133809FFBEBD31A8D29
6876	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\Temp\WER709F.tmp.dmp		dmp
		MD5:29BE899662F9E020C9D75E6F64071E3E	SHA256:991A4A7FA53295FD6FA2064E136C5DF3B25DF57C31FDC6DCF90561EED684FB66
6932	powershell.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive		binary
		MD5:A67B4E8581133F2BCE1E39A967FC382C	SHA256:DE1DBDD86B0E8FE1E5939EF4FE41DE20103A8FFB242F6D64A29451A2BBE821B6
2496	Patch‌‌.exe	C:\Users\admin\AppData\Roaming\RuntimeBroker.exe		executable
		MD5:CC084CB296C50A336288563831E412FE	SHA256:A1C4F4610B13CEEA2F94F24201E0E89FF6CE80AB8E36283D9D8370F84546F4DD

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
1176	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
—	—	GET	200	23.216.77.6:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5064	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
—	—	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
—	—	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
—	—	GET	200	2.16.164.9:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl	unknown	—	—	whitelisted
—	—	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Time-Stamp%20PCA%202010(1).crl	unknown	—	—	whitelisted
—	—	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicWinProPCA2011_2011-10-19.crl%20	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	192.168.100.255:137	—	—	—	whitelisted
—	—	23.216.77.6:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
—	—	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
5064	SearchApp.exe	104.126.37.161:443	www.bing.com	Akamai International B.V.	DE	whitelisted
1176	svchost.exe	20.190.159.2:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
1076	svchost.exe	23.32.186.57:443	go.microsoft.com	AKAMAI-AS	BR	whitelisted
1176	svchost.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted
5064	SearchApp.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	51.104.136.2	whitelisted
crl.microsoft.com	23.216.77.6 23.216.77.28 2.16.164.9 2.16.164.49	whitelisted
www.microsoft.com	184.30.21.171 95.101.149.131	whitelisted
google.com	216.58.206.46	whitelisted
www.bing.com	104.126.37.161 104.126.37.186 104.126.37.160 104.126.37.153 104.126.37.170 104.126.37.177 104.126.37.155 104.126.37.178 104.126.37.179	whitelisted
login.live.com	20.190.159.2 40.126.31.67 40.126.31.71 20.190.159.23 20.190.159.68 20.190.159.71 40.126.31.73 40.126.31.69	whitelisted
go.microsoft.com	23.32.186.57	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
watson.events.data.microsoft.com	20.42.65.92	whitelisted
fd.api.iris.microsoft.com	20.74.47.205	whitelisted

Threats

PID	Process	Class	Message
2192	svchost.exe	Misc activity	ET HUNTING Telegram API Domain in DNS Lookup
6384	RuntimeBroker.exe	Misc activity	ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
6384	RuntimeBroker.exe	Misc activity	ET HUNTING Telegram API Certificate Observed

Add for printing

No debug info

General Info

Patch‌‌.exe

43FA07EA54AC675414E7E765BC168EC7

0799B972044A1893272A3949A50E26E08E903970

97A780627C1FC393865FD8CA7DD7C890E0B2BF4D70EF98FDD00D3DF344F983AC

49152:6fxIVzMHqh6uVWErmAF7iawqvn7DFp0UAGXcsJxpPJI/UjWcfZIntIj2P30tMW6f:6fa96M9F7iWPFp0uMB/4Gn3PEKtmrHO

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Uses Task Scheduler to run other applications

Adds path to the Windows Defender exclusion list

SUSPICIOUS

Executes application which crashes

Starts POWERSHELL.EXE for commands execution

Script adds exclusion path to Windows Defender

The process creates files with name similar to system file names

Executable content was dropped or overwritten

Reads security settings of Internet Explorer

Reads the date of Windows installation

Process drops legitimate windows executable

Process communicates with Telegram (possibly using it as an attacker's C2 server)

Found regular expressions for crypto-addresses (YARA)

Possible usage of Discord/Telegram API has been detected (YARA)

INFO

Checks if a key exists in the options dictionary (POWERSHELL)

Script raised an exception (POWERSHELL)

Checks supported languages

Reads the machine GUID from the registry

Reads the computer name

Creates files in the program directory

Create files in a temporary directory

Process checks computer location settings

The process uses the downloaded file

Creates files or folders in the user directory

.NET Reactor protector has been detected

Malware configuration

ims-api

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Malware configuration

ims-api

Information

Modules

Information

Modules

Information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings