Malicious
This file is confirmed confirmed malware — abuse.ch researchers uploaded this exact sample to MalwareBazaar as known malware. Delete it and scan your system.
d52ae302f0ec1971d8…da2f1630a9The verdict, reasoned out.
Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.
This file is confirmed confirmed malware — abuse.ch researchers uploaded this exact sample to MalwareBazaar as known malware. Delete it and scan your system. MalwareBazaar is a researcher-curated malware repository; hits there are ground-truth positives.
Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.
MalwareBazaar: confirmed malware
(no named signature)
First catalogued: 2025-05-17 15:11:36
- MalwareBazaar confirmed family: confirmed malware
- Researcher-uploaded malware sample
Delete this file and run a full-system antivirus scan.
patcher corroborated by 3 sources
- 1 YARA ruledUP2xPatcherwwwdiablo2oo2cjbnet
- VT (74 engines)patcher
- MT AI Engineconfirmed malware
What this file did when executed
This file was detonated in 1 sandbox and its runtime behaviour was observed.
Adversary techniques mapped to the MITRE ATT&CK framework.
- 192.168.0.76
- 52.185.73.156
- 23.216.81.152
- 192.168.0.82
- 20.99.133.109
- 192.168.0.13
- 20.99.185.48
- 152.195.19.97
- 52.154.209.174
- a83f:8110:584a:b5b1:17cb:1ec8:0:0
- C:\Program Files\Google\Policies
- C:\Program Files\Google\Temp\GUMBA81.tmp
- C:\Program Files\Google\Temp\GUME1A1.tmp
- C:\Program Files\Google\Temp\GUM1C1A.tmp
- C:\Program Files\Google\Temp\GUMF3D1.tmp
- C:\Windows\System32\wbem\Performance\WmiApRpl.h
- C:\Windows\System32\wbem\Performance\WmiApRpl.ini
- %USERPROFILE%\AppData\Local\Microsoft\Windows\INetCache\IE\KLT1I0ZU\update50[1].xml
- C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_cbbb49d6-b7ff-44ca-aba5-8a5e250d4d42
- C:\Program Files\Google\Policies
- Global\G{D0BB2EF1-C183-4cdb-B218-040922092869}
- Global\G{C4F406E5-F024-4e3f-89A7-D5AB7663C3CD}
- Local\MSCTF.Asm.MutexDefault1
2 corroborating signals from researcher-curated sources
- dUP2xPatcherwwwdiablo2oo2cjbnetby malware-lu
YARA + heuristic rules that fired
A researcher-curated or high-severity heuristic rule matched this sample. These rules target specific malware families and are near-definitive.
- dUP2xPatcherwwwdiablo2oo2cjbnet
MITRE T1055 (Process Injection) observed — CreateRemoteThread / APC / reflective-DLL injection. The payload is being smuggled into a legitimate process to bypass AV hooks.
Evidence"C:\Users\<USER>\Desktop\executable.exe"Sample contacted 13 external IP address(es) and zero domains. Benign software virtually always uses DNS; no-DNS direct-IP C2 is a strong malware indicator because it bypasses reputation systems and dodges domain-based blocklists.
Evidence52.185.73.156 · 23.216.81.152 · 20.99.133.109
31 detections across 74 engines
Section entropy & packers
Section-level entropy and packer detection from the PE header. Nothing suspicious here — entropy is within the normal range for unpacked code.
How often this file shows up in the wild
Widely seen in the wild for a long time. High prior this is legitimate; isolated detections on common-old files are usually false positives.
Forensic fingerprint
- File name
- patch.exe
- Size
- 58.0 KB
- MIME type
- (unknown)
- Detected type
- Win32 EXE
- SHA-256
- d52ae302f0ec1971d86211002c84cbf43d7837c83921df35b9d14bda2f1630a9
- MD5
- 0697f7c6a3b9c4f4c3b62d7dcd28463b
- SHA-1
- 6fc4e68f7eb29f0d2ef9664b33e1e9956922c534
- PE imphash
- f4bb4222146d800b890601f425c01f46
- First seen (VT)
- 12/29/2024, 5:10:59 PM
- Last analysis (VT)
- 7/6/2026, 1:39:42 PM
- First scan (MalwareTips)
- 7/9/2026, 9:49:14 PM
- Last scan (MalwareTips)
- 7/9/2026, 9:49:14 PM
- Community reputation
- -20flagged
Reviews & malware reports(0)
Tell the community what you saw. Tag the sample — Trojan, Adware, False Positive — and share what the file did on your system. Your report helps confirm or dispute the AV verdict.