| File name: | Setup Twitch Patcher 4.0.exe |
| Full analysis: | https://app.any.run/tasks/edcbd075-3c3a-4dd0-9546-6d9e91cebac6 |
| Verdict: | Malicious activity |
| Threats: | Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. |
| Analysis date: | June 20, 2025, 18:46:14 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows, 8 sections |
| MD5: | 133ED4EB429C13C75780773725C308F2 |
| SHA1: | EDB6A75330F61045437651D6203A9673677082EA |
| SHA256: | D49C3052FFAA30C062CB77F410CF336803BF1B807B80287FB0230B598C30BB38 |
| SSDEEP: | 98304:I+fgLK0j1+TWiiwFr18FwSddzBhw/X499mdSbkjAZM/DnLaFRqj18d+V/3LuuqRN:W1Ue1t |
MALICIOUS
Create files in the Startup directory
- VersionX64_Setup.exe (PID: 7096)
Steals credentials from Web Browsers
- VersionX64_Setup.exe (PID: 7096)
Actions looks like stealing of personal data
- VersionX64_Setup.exe (PID: 7096)
Modifies files in the Chrome extension folder
- VersionX64_Setup.exe (PID: 7096)
Suspicious browser debugging (Possible cookie theft)
- msedge.exe (PID: 8180)
SUSPICIOUS
There is functionality for taking screenshot (YARA)
- Setup Twitch Patcher 4.0.exe (PID: 6260)
- msiexec.exe (PID: 2580)
Reads security settings of Internet Explorer
- WinRAR.exe (PID: 3676)
Executes as Windows Service
- VSSVC.exe (PID: 3884)
Reads the Windows owner or organization settings
- msiexec.exe (PID: 6772)
Process drops legitimate windows executable
- msiexec.exe (PID: 6772)
Starts CMD.EXE for commands execution
- VersionX64_Setup.exe (PID: 7096)
Starts POWERSHELL.EXE for commands execution
- cmd.exe (PID: 4308)
- cmd.exe (PID: 7056)
- cmd.exe (PID: 7732)
The process executes VB scripts
- cmd.exe (PID: 7720)
- cmd.exe (PID: 5348)
- cmd.exe (PID: 3964)
- cmd.exe (PID: 5692)
Cryptography encrypted command line is found
- cmd.exe (PID: 7056)
- powershell.exe (PID: 3628)
- cmd.exe (PID: 7732)
- powershell.exe (PID: 2604)
Uses TASKKILL.EXE to kill Browsers
- cmd.exe (PID: 7924)
- cmd.exe (PID: 9064)
- cmd.exe (PID: 9132)
Application launched itself
- VersionX64_Setup.exe (PID: 7096)
MS Edge headless start
- msedge.exe (PID: 8180)
INFO
Checks supported languages
- Setup Twitch Patcher 4.0.exe (PID: 6260)
- msiexec.exe (PID: 6772)
- VersionX64_Setup.exe (PID: 7096)
- VersionX64_Setup.exe (PID: 6360)
- VersionX64_Setup.exe (PID: 1036)
The sample compiled with english language support
- Setup Twitch Patcher 4.0.exe (PID: 6260)
- msiexec.exe (PID: 6772)
Create files in a temporary directory
- Setup Twitch Patcher 4.0.exe (PID: 6260)
- VersionX64_Setup.exe (PID: 7096)
Launching a file from the Downloads directory
- firefox.exe (PID: 6216)
- chrome.exe (PID: 984)
Manual execution by a user
- firefox.exe (PID: 4984)
- WinRAR.exe (PID: 3676)
Reads Microsoft Office registry keys
- firefox.exe (PID: 6216)
- WinRAR.exe (PID: 3676)
Reads the computer name
- msiexec.exe (PID: 6772)
- VersionX64_Setup.exe (PID: 7096)
- VersionX64_Setup.exe (PID: 1036)
- VersionX64_Setup.exe (PID: 6360)
- Setup Twitch Patcher 4.0.exe (PID: 6260)
Manages system restore points
- SrTasks.exe (PID: 2804)
Executable content was dropped or overwritten
- msiexec.exe (PID: 6772)
Creates files or folders in the user directory
- msiexec.exe (PID: 6772)
- VersionX64_Setup.exe (PID: 7096)
Creates a software uninstall entry
- msiexec.exe (PID: 6772)
Launching a file from the Startup directory
- VersionX64_Setup.exe (PID: 7096)
Reads product name
- VersionX64_Setup.exe (PID: 7096)
Reads Environment values
- VersionX64_Setup.exe (PID: 7096)
Reads security settings of Internet Explorer
- cscript.exe (PID: 6128)
- cscript.exe (PID: 2324)
- cscript.exe (PID: 3052)
- cscript.exe (PID: 7364)
Application launched itself
- chrome.exe (PID: 984)
- chrome.exe (PID: 8792)
- firefox.exe (PID: 6216)
- firefox.exe (PID: 4984)
Reads the machine GUID from the registry
- VersionX64_Setup.exe (PID: 7096)
Checks proxy server information
- VersionX64_Setup.exe (PID: 7096)
- slui.exe (PID: 4320)
Reads the software policy settings
- slui.exe (PID: 4320)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | InstallShield setup (49.2) |
|---|---|---|
| .exe | | | Win32 Executable Delphi generic (16.2) |
| .scr | | | Windows screen saver (14.9) |
| .dll | | | Win32 Dynamic Link Library (generic) (7.5) |
| .exe | | | Win32 Executable (generic) (5.1) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 1992:06:19 22:22:17+00:00 |
| ImageFileCharacteristics: | Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi |
| PEType: | PE32 |
| LinkerVersion: | 2.25 |
| CodeSize: | 148992 |
| InitializedDataSize: | 31744 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x25468 |
| OSVersion: | 4 |
| ImageVersion: | - |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 7.0.1.0 |
| ProductVersionNumber: | 0.0.0.0 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | English (U.S.) |
| CharacterSet: | Windows, Latin1 |
| Comments: | - |
| CompanyName: | Twitch |
| FileDescription: | Twitch Booster 7.0.1 Installation |
| FileVersion: | 7.0.1 |
| LegalCopyright: | Twitch |
Total processes
230
Monitored processes
91
Malicious processes
3
Suspicious processes
2
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 984 | "C:\Program Files\Google\Chrome\Application\chrome.exe" "--load-extension=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\Karma" "--disable-extensions-except=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\Karma" --no-first-run --no-default-browser-check | C:\Program Files\Google\Chrome\Application\chrome.exe | VersionX64_Setup.exe | ||||||||||||
User: admin Company: Google LLC Integrity Level: MEDIUM Description: Google Chrome Exit code: 1 Version: 133.0.6943.127 Modules
| |||||||||||||||
| 1036 | "C:\Users\admin\AppData\Local\Programs\versionx64_setup\VersionX64_Setup.exe" --type=gpu-process --user-data-dir="C:\Users\admin\AppData\Roaming\versionx64_setup" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1820 --field-trial-handle=1824,i,17077912350620127207,494471926590739785,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2 | C:\Users\admin\AppData\Local\Programs\versionx64_setup\VersionX64_Setup.exe | — | VersionX64_Setup.exe | |||||||||||
User: admin Company: Unreal Game Inc. Integrity Level: LOW Description: VersionX64_Setup Version: 1.0.0 Modules
| |||||||||||||||
| 1180 | powershell -Command "(Get-CimInstance -Class Win32_ComputerSystemProduct).UUID" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1388 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1964,i,6218744144748605300,784689417332320478,262144 --variations-seed-version=20250221-144540.991000 --mojo-platform-channel-handle=1960 /prefetch:2 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | |||||||||||
User: admin Company: Google LLC Integrity Level: LOW Description: Google Chrome Exit code: 1 Version: 133.0.6943.127 Modules
| |||||||||||||||
| 1480 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250227124745 -prefsHandle 1892 -prefsLen 36520 -prefMapHandle 1896 -prefMapSize 272997 -ipcHandle 1968 -initialChannelId {cd4fd6ed-ec0a-4eb3-963e-531d07cceeee} -parentPid 6216 -crashReporter "\\.\pipe\gecko-crash-server-pipe.6216" -appDir "C:\Program Files\Mozilla Firefox\browser" - 1 gpu | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe | |||||||||||
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Version: 136.0 Modules
| |||||||||||||||
| 1720 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | SrTasks.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1760 | taskkill /F /IM chrome.exe | C:\Windows\System32\taskkill.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Terminates Processes Exit code: 128 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2148 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5628 -prefsLen 39438 -prefMapHandle 4716 -prefMapSize 272997 -jsInitHandle 4708 -jsInitLen 247456 -parentBuildID 20250227124745 -ipcHandle 5936 -initialChannelId {7224e36b-3e38-46d3-aabd-1465425dc3a2} -parentPid 6216 -crashReporter "\\.\pipe\gecko-crash-server-pipe.6216" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 11 tab | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe | |||||||||||
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Version: 136.0 Modules
| |||||||||||||||
| 2272 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2324 | cscript //Nologo "C:\Users\admin\AppData\Local\Temp\6945418759.vbs" | C:\Windows\System32\cscript.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Console Based Script Host Exit code: 0 Version: 5.812.10240.16384 Modules
| |||||||||||||||
Total events
56 571
Read events
56 167
Write events
385
Delete events
19
Modification events
| (PID) Process: | (6216) firefox.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\DllPrefetchExperiment |
| Operation: | write | Name: | C:\Program Files\Mozilla Firefox\firefox.exe |
Value: 0 | |||
| (PID) Process: | (3676) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 3 |
Value: C:\Users\admin\Desktop\preferences.zip | |||
| (PID) Process: | (3676) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\chromium_ext.zip | |||
| (PID) Process: | (3676) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip | |||
| (PID) Process: | (3676) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\Downloads\VersionX64_Setup.rar | |||
| (PID) Process: | (3676) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (3676) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (3676) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
| (PID) Process: | (3676) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | mtime |
Value: 100 | |||
| (PID) Process: | (6772) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore |
| Operation: | write | Name: | SrCreateRp (Enter) |
Value: 48000000000000009E17C3BC13E2DB01741A0000840D0000D50700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
Executable files
8
Suspicious files
426
Text files
122
Unknown types
4
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 6260 | Setup Twitch Patcher 4.0.exe | C:\Users\admin\AppData\Local\Temp\$inst\8.tmp | image | |
MD5:BAC172B887BC7D09DB5E14CE26A4943E | SHA256:AAA3BEE9EBD3640C05B8A70F22C9FBDB8EA0E61CA3762DB5A4583E94D46A5C79 | |||
| 6216 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite | — | |
MD5:— | SHA256:— | |||
| 6216 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\sessionCheckpoints.json.tmp | binary | |
MD5:EA8B62857DFDBD3D0BE7D7E4A954EC9A | SHA256:792955295AE9C382986222C6731C5870BD0E921E7F7E34CC4615F5CD67F225DA | |||
| 6260 | Setup Twitch Patcher 4.0.exe | C:\Users\admin\AppData\Local\Temp\$inst\7.tmp | image | |
MD5:696641D2325E8B142B6C16D1183ACA43 | SHA256:4A56FFCE0E414F3495F70E9C2960837DF25423B0DBAFD21A073DBDBAA461BC90 | |||
| 6216 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\sessionCheckpoints.json | binary | |
MD5:EA8B62857DFDBD3D0BE7D7E4A954EC9A | SHA256:792955295AE9C382986222C6731C5870BD0E921E7F7E34CC4615F5CD67F225DA | |||
| 6260 | Setup Twitch Patcher 4.0.exe | C:\Users\admin\AppData\Local\Temp\$inst\5.tmp | image | |
MD5:AB2021E67E0E08657288D880ABFBAA72 | SHA256:331D997E586CBA40D4DA0587887FC4CAA4CC44E53421737DAFA67E67445E6753 | |||
| 6216 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shm | binary | |
MD5:B7C14EC6110FA820CA6B65F5AEC85911 | SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB | |||
| 6216 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\cookies.sqlite-shm | binary | |
MD5:B7C14EC6110FA820CA6B65F5AEC85911 | SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB | |||
| 6216 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-shm | binary | |
MD5:B7C14EC6110FA820CA6B65F5AEC85911 | SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB | |||
| 6216 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\SiteSecurityServiceState.bin | binary | |
MD5:ACF788D49F7E9769F6F1367EF37C874D | SHA256:8B5DB075B4B244B7928FBFF5C95806037F56477648900EF8B7289E657A51CCE6 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
29
TCP/UDP connections
119
DNS requests
171
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
6216 | firefox.exe | GET | 200 | 34.107.221.82:80 | http://detectportal.firefox.com/canonical.html | unknown | — | — | whitelisted |
6216 | firefox.exe | POST | 200 | 142.250.186.131:80 | http://o.pki.goog/s/wr3/azY | unknown | — | — | whitelisted |
6216 | firefox.exe | POST | 200 | 142.250.186.131:80 | http://o.pki.goog/s/wr3/FIY | unknown | — | — | whitelisted |
6216 | firefox.exe | POST | 200 | 142.250.186.131:80 | http://o.pki.goog/s/wr3/azY | unknown | — | — | whitelisted |
6216 | firefox.exe | POST | 200 | 142.250.186.131:80 | http://o.pki.goog/s/wr3/azY | unknown | — | — | whitelisted |
6216 | firefox.exe | POST | 200 | 142.250.186.131:80 | http://o.pki.goog/we2 | unknown | — | — | whitelisted |
6216 | firefox.exe | POST | 200 | 95.101.54.211:80 | http://r11.o.lencr.org/ | unknown | — | — | whitelisted |
6216 | firefox.exe | POST | 200 | 95.101.54.211:80 | http://r11.o.lencr.org/ | unknown | — | — | whitelisted |
6216 | firefox.exe | POST | 200 | 142.250.186.131:80 | http://o.pki.goog/we2 | unknown | — | — | whitelisted |
1268 | svchost.exe | GET | 200 | 23.53.40.178:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
5944 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
1268 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
3108 | RUXIMICS.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
6216 | firefox.exe | 34.160.144.191:443 | content-signature-2.cdn.mozilla.net | GOOGLE | US | whitelisted |
6216 | firefox.exe | 34.107.221.82:80 | detectportal.firefox.com | GOOGLE | US | whitelisted |
6216 | firefox.exe | 34.36.137.203:443 | contile.services.mozilla.com | GOOGLE-CLOUD-PLATFORM | US | whitelisted |
6216 | firefox.exe | 34.149.100.209:443 | firefox.settings.services.mozilla.com | GOOGLE | US | whitelisted |
6216 | firefox.exe | 142.250.186.131:80 | o.pki.goog | GOOGLE | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
content-signature-2.cdn.mozilla.net |
| whitelisted |
content-signature-chains.prod.autograph.services.mozaws.net |
| whitelisted |
detectportal.firefox.com |
| whitelisted |
prod.detectportal.prod.cloudops.mozgcp.net |
| whitelisted |
contile.services.mozilla.com |
| whitelisted |
spocs.getpocket.com |
| whitelisted |
mc.prod.ads.prod.webservices.mozgcp.net |
| whitelisted |
example.org |
| whitelisted |