Edit tour

Windows Analysis Report
ep_setup (1).exe

Overview

General Information

Sample name:	ep_setup (1).exe
Analysis ID:	1411864
MD5:	301bfeed86ac1ea67ca70844cae2a9a2
SHA1:	d3127aabd5c0e8f9f746758564625dc69613fa3f
SHA256:	5d09d4837727785ff7206b6d01849ed25f29e9b0f9b0634b3918bc20ce3d2515
Infos:

Detection

Score:	56
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

System process connects to network (likely due to code injection or exploit)

Query firmware table information (likely to detect VMs)

Sigma detected: Explorer NOUACCHECK Flag

Contains capabilities to detect virtual machines

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Found dropped PE file which has not been started or loaded

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Registers a DLL

Stores files to the Windows start menu directory

Tries to load missing DLLs

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64_ra

ep_setup (1).exe (PID: 5388 cmdline: "C:\Users\user\Desktop\ep_setup (1).exe" MD5: 301BFEED86AC1EA67CA70844CAE2A9A2)

taskkill.exe (PID: 1824 cmdline: "C:\Windows\system32\taskkill.exe" /f /im explorer.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

conhost.exe (PID: 3168 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 3740 cmdline: "C:\Windows\system32\sc.exe" stop ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 72 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 3012 cmdline: "C:\Windows\system32\sc.exe" start ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 4884 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

regsvr32.exe (PID: 4848 cmdline: "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\ExplorerPatcher\ep_weather_host.dll" MD5: B0C2FA35D14A9FAD919E99D9D75E1B9E)

regsvr32.exe (PID: 5176 cmdline: "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\ExplorerPatcher\ep_weather_host_stub.dll" MD5: B0C2FA35D14A9FAD919E99D9D75E1B9E)

explorer.exe (PID: 5412 cmdline: "C:\Windows\explorer.exe" MD5: 662F4F92FDE3557E86D110526BB578D5)

rundll32.exe (PID: 5340 cmdline: C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding MD5: EF3179D498793BF4234F708D3BE28633)

explorer.exe (PID: 3360 cmdline: C:\Windows\explorer.exe /NoUACCheck MD5: 662F4F92FDE3557E86D110526BB578D5)

cleanup

Sigma Signatures

System Summary

Sigma detected: Explorer NOUACCHECK Flag

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\explorer.exe /NoUACCheck, CommandLine: C:\Windows\explorer.exe /NoUACCheck, CommandLine|base64offset|contains: y, Image: C:\Windows\explorer.exe, NewProcessName: C:\Windows\explorer.exe, OriginalFileName: C:\Windows\explorer.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1136, ProcessCommandLine: C:\Windows\explorer.exe /NoUACCheck, ProcessId: 3360, ProcessName: explorer.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

• Compliance
• Networking
• System Summary
• Data Obfuscation
• Persistence and Installation Behavior
• Boot Survival
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection

Click to jump to signature section

Show All Signature Results

Source: C:\Users\user\Desktop\ep_setup (1).exe	Directory created: C:\Program Files\ExplorerPatcher
Source: C:\Users\user\Desktop\ep_setup (1).exe	Directory created: C:\Program Files\ExplorerPatcher\ep_setup.exe
Source: C:\Users\user\Desktop\ep_setup (1).exe	Directory created: C:\Program Files\ExplorerPatcher\ExplorerPatcher.IA-32.dll
Source: C:\Users\user\Desktop\ep_setup (1).exe	Directory created: C:\Program Files\ExplorerPatcher\ExplorerPatcher.amd64.dll
Source: C:\Users\user\Desktop\ep_setup (1).exe	Directory created: C:\Program Files\ExplorerPatcher\ep_dwm.exe
Source: C:\Users\user\Desktop\ep_setup (1).exe	Directory created: C:\Program Files\ExplorerPatcher\ep_weather_host.dll
Source: C:\Users\user\Desktop\ep_setup (1).exe	Directory created: C:\Program Files\ExplorerPatcher\ep_weather_host_stub.dll
Source: C:\Users\user\Desktop\ep_setup (1).exe	Directory created: C:\Program Files\ExplorerPatcher\WebView2Loader.dll

Source: C:\Users\user\Desktop\ep_setup (1).exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D17F1E1A-5919-4427-8F89-A1A8503CA3EB}_ExplorerPatcher

Source: unknown	HTTPS traffic detected: 140.82.114.3:443 -> 192.168.2.16:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.16:49716 version: TLS 1.2

Source: ep_setup (1).exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 140.82.114.3 443
Source: C:\Windows\explorer.exe	Network Connect: 185.199.108.133 443

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown

DNS traffic detected: queries for: api.msn.com

Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716

Source: unknown	HTTPS traffic detected: 140.82.114.3:443 -> 192.168.2.16:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.16:49716 version: TLS 1.2

Source: C:\Users\user\Desktop\ep_setup (1).exe	File created: C:\Windows\dxgi.dll
Source: C:\Users\user\Desktop\ep_setup (1).exe	File created: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\dxgi.dll

Source: ep_setup (1).exe	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Source: ep_setup (1).exe	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Source: ep_setup (1).exe	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (GUI) x86-64, for MS Windows
Source: ep_setup (1).exe	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Source: ep_setup (1).exe	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Source: ep_setup (1).exe	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Source: ep_setup (1).exe	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (DLL) (console) x86-64, for MS Windows

Source: C:\Users\user\Desktop\ep_setup (1).exe	Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\ep_setup (1).exe	Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\ep_setup (1).exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\ep_setup (1).exe	Section loaded: wininet.dll
Source: C:\Users\user\Desktop\ep_setup (1).exe	Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\ep_setup (1).exe	Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\ep_setup (1).exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\ep_setup (1).exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\ep_setup (1).exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\ep_setup (1).exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\ep_setup (1).exe	Section loaded: propsys.dll
Source: C:\Users\user\Desktop\ep_setup (1).exe	Section loaded: profapi.dll
Source: C:\Users\user\Desktop\ep_setup (1).exe	Section loaded: edputil.dll
Source: C:\Users\user\Desktop\ep_setup (1).exe	Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\ep_setup (1).exe	Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\ep_setup (1).exe	Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\ep_setup (1).exe	Section loaded: netutils.dll
Source: C:\Users\user\Desktop\ep_setup (1).exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\ep_setup (1).exe	Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\ep_setup (1).exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\ep_setup (1).exe	Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\ep_setup (1).exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\ep_setup (1).exe	Section loaded: slc.dll
Source: C:\Users\user\Desktop\ep_setup (1).exe	Section loaded: userenv.dll
Source: C:\Users\user\Desktop\ep_setup (1).exe	Section loaded: sppc.dll
Source: C:\Users\user\Desktop\ep_setup (1).exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\ep_setup (1).exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\ep_setup (1).exe	Section loaded: pcacli.dll
Source: C:\Users\user\Desktop\ep_setup (1).exe	Section loaded: mpr.dll
Source: C:\Users\user\Desktop\ep_setup (1).exe	Section loaded: sfc_os.dll
Source: C:\Users\user\Desktop\ep_setup (1).exe	Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\ep_setup (1).exe	Section loaded: linkinfo.dll
Source: C:\Users\user\Desktop\ep_setup (1).exe	Section loaded: ntshrui.dll
Source: C:\Users\user\Desktop\ep_setup (1).exe	Section loaded: cscapi.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: aclayers.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc_os.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: webview2loader.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: version.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: dwmapi.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: aclayers.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc_os.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: uxtheme.dll
Source: C:\Windows\explorer.exe	Section loaded: aepic.dll
Source: C:\Windows\explorer.exe	Section loaded: twinapi.dll
Source: C:\Windows\explorer.exe	Section loaded: ntmarta.dll
Source: C:\Windows\explorer.exe	Section loaded: userenv.dll
Source: C:\Windows\explorer.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\explorer.exe	Section loaded: powrprof.dll
Source: C:\Windows\explorer.exe	Section loaded: cryptsp.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe	Section loaded: dxgi.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe	Section loaded: propsys.dll
Source: C:\Windows\explorer.exe	Section loaded: coremessaging.dll
Source: C:\Windows\explorer.exe	Section loaded: urlmon.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\explorer.exe	Section loaded: wininet.dll
Source: C:\Windows\explorer.exe	Section loaded: uxtheme.dll
Source: C:\Windows\explorer.exe	Section loaded: dwmapi.dll
Source: C:\Windows\explorer.exe	Section loaded: sspicli.dll
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\explorer.exe	Section loaded: wldp.dll
Source: C:\Windows\explorer.exe	Section loaded: iertutil.dll
Source: C:\Windows\explorer.exe	Section loaded: srvcli.dll
Source: C:\Windows\explorer.exe	Section loaded: netutils.dll
Source: C:\Windows\explorer.exe	Section loaded: dbghelp.dll
Source: C:\Windows\explorer.exe	Section loaded: version.dll
Source: C:\Windows\explorer.exe	Section loaded: rstrtmgr.dll
Source: C:\Windows\explorer.exe	Section loaded: oleacc.dll
Source: C:\Windows\explorer.exe	Section loaded: ncrypt.dll
Source: C:\Windows\explorer.exe	Section loaded: umpdc.dll
Source: C:\Windows\explorer.exe	Section loaded: ntasn1.dll
Source: C:\Windows\explorer.exe	Section loaded: dxgi.dll
Source: C:\Windows\explorer.exe	Section loaded: explorerframe.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.ui.fileexplorer.dll
Source: C:\Windows\explorer.exe	Section loaded: rsaenh.dll
Source: C:\Windows\explorer.exe	Section loaded: cryptbase.dll
Source: C:\Windows\explorer.exe	Section loaded: twinui.pcshell.dll
Source: C:\Windows\explorer.exe	Section loaded: wkscli.dll
Source: C:\Windows\explorer.exe	Section loaded: dwrite.dll
Source: C:\Windows\explorer.exe	Section loaded: dcomp.dll
Source: C:\Windows\explorer.exe	Section loaded: wincorlib.dll
Source: C:\Windows\explorer.exe	Section loaded: cdp.dll
Source: C:\Windows\explorer.exe	Section loaded: dsreg.dll
Source: C:\Windows\explorer.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\explorer.exe	Section loaded: twinui.dll
Source: C:\Windows\explorer.exe	Section loaded: wintypes.dll
Source: C:\Windows\explorer.exe	Section loaded: pdh.dll
Source: C:\Windows\explorer.exe	Section loaded: stobject.dll
Source: C:\Windows\explorer.exe	Section loaded: wmiclnt.dll
Source: C:\Windows\explorer.exe	Section loaded: devobj.dll
Source: C:\Windows\explorer.exe	Section loaded: pnidui.dll
Source: C:\Windows\explorer.exe	Section loaded: mobilenetworking.dll
Source: C:\Windows\explorer.exe	Section loaded: sndvolsso.dll
Source: C:\Windows\explorer.exe	Section loaded: mmdevapi.dll
Source: C:\Windows\explorer.exe	Section loaded: peopleband.dll
Source: C:\Windows\explorer.exe	Section loaded: d2d1.dll
Source: C:\Windows\explorer.exe	Section loaded: d3d11.dll
Source: C:\Windows\explorer.exe	Section loaded: ninput.dll
Source: C:\Windows\explorer.exe	Section loaded: taskschd.dll
Source: C:\Windows\explorer.exe	Section loaded: xmllite.dll
Source: C:\Windows\explorer.exe	Section loaded: aepic.dll
Source: C:\Windows\explorer.exe	Section loaded: twinapi.dll
Source: C:\Windows\explorer.exe	Section loaded: userenv.dll
Source: C:\Windows\explorer.exe	Section loaded: ntmarta.dll
Source: C:\Windows\explorer.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\explorer.exe	Section loaded: powrprof.dll
Source: C:\Windows\explorer.exe	Section loaded: cryptsp.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe	Section loaded: dxgi.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe	Section loaded: propsys.dll
Source: C:\Windows\explorer.exe	Section loaded: coremessaging.dll
Source: C:\Windows\explorer.exe	Section loaded: urlmon.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\explorer.exe	Section loaded: wininet.dll
Source: C:\Windows\explorer.exe	Section loaded: uxtheme.dll
Source: C:\Windows\explorer.exe	Section loaded: dwmapi.dll
Source: C:\Windows\explorer.exe	Section loaded: sspicli.dll
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\explorer.exe	Section loaded: wldp.dll
Source: C:\Windows\explorer.exe	Section loaded: iertutil.dll
Source: C:\Windows\explorer.exe	Section loaded: srvcli.dll
Source: C:\Windows\explorer.exe	Section loaded: netutils.dll
Source: C:\Windows\explorer.exe	Section loaded: dbghelp.dll
Source: C:\Windows\explorer.exe	Section loaded: version.dll
Source: C:\Windows\explorer.exe	Section loaded: rstrtmgr.dll
Source: C:\Windows\explorer.exe	Section loaded: oleacc.dll
Source: C:\Windows\explorer.exe	Section loaded: ncrypt.dll
Source: C:\Windows\explorer.exe	Section loaded: umpdc.dll
Source: C:\Windows\explorer.exe	Section loaded: ntasn1.dll
Source: C:\Windows\explorer.exe	Section loaded: dxgi.dll
Source: C:\Windows\explorer.exe	Section loaded: explorerframe.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.ui.fileexplorer.dll
Source: C:\Windows\explorer.exe	Section loaded: rsaenh.dll
Source: C:\Windows\explorer.exe	Section loaded: cryptbase.dll
Source: C:\Windows\explorer.exe	Section loaded: twinui.pcshell.dll
Source: C:\Windows\explorer.exe	Section loaded: wkscli.dll
Source: C:\Windows\explorer.exe	Section loaded: dwrite.dll
Source: C:\Windows\explorer.exe	Section loaded: dcomp.dll
Source: C:\Windows\explorer.exe	Section loaded: wincorlib.dll
Source: C:\Windows\explorer.exe	Section loaded: cdp.dll
Source: C:\Windows\explorer.exe	Section loaded: dsreg.dll
Source: C:\Windows\explorer.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\explorer.exe	Section loaded: twinui.dll
Source: C:\Windows\explorer.exe	Section loaded: wintypes.dll
Source: C:\Windows\explorer.exe	Section loaded: pdh.dll
Source: C:\Windows\explorer.exe	Section loaded: stobject.dll
Source: C:\Windows\explorer.exe	Section loaded: wmiclnt.dll
Source: C:\Windows\explorer.exe	Section loaded: devobj.dll
Source: C:\Windows\explorer.exe	Section loaded: pnidui.dll
Source: C:\Windows\explorer.exe	Section loaded: mobilenetworking.dll
Source: C:\Windows\explorer.exe	Section loaded: sndvolsso.dll
Source: C:\Windows\explorer.exe	Section loaded: mmdevapi.dll
Source: C:\Windows\explorer.exe	Section loaded: peopleband.dll
Source: C:\Windows\explorer.exe	Section loaded: d2d1.dll
Source: C:\Windows\explorer.exe	Section loaded: d3d11.dll
Source: C:\Windows\explorer.exe	Section loaded: ninput.dll
Source: C:\Windows\explorer.exe	Section loaded: appresolver.dll
Source: C:\Windows\explorer.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\explorer.exe	Section loaded: slc.dll
Source: C:\Windows\explorer.exe	Section loaded: sppc.dll
Source: C:\Windows\explorer.exe	Section loaded: profapi.dll
Source: C:\Windows\explorer.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\explorer.exe	Section loaded: starttiledata.dll
Source: C:\Windows\explorer.exe	Section loaded: usermgrcli.dll
Source: C:\Windows\explorer.exe	Section loaded: idstore.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.applicationmodel.dll
Source: C:\Windows\explorer.exe	Section loaded: usermgrproxy.dll
Source: C:\Windows\explorer.exe	Section loaded: wlidprov.dll
Source: C:\Windows\explorer.exe	Section loaded: samcli.dll
Source: C:\Windows\explorer.exe	Section loaded: appxdeploymentclient.dll
Source: C:\Windows\explorer.exe	Section loaded: policymanager.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.cloudstore.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.staterepositoryclient.dll
Source: C:\Windows\explorer.exe	Section loaded: appextension.dll
Source: C:\Windows\explorer.exe	Section loaded: winsta.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.cloudstore.schema.shell.dll
Source: C:\Windows\explorer.exe	Section loaded: textshaping.dll
Source: C:\Windows\explorer.exe	Section loaded: windowscodecs.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.ui.dll
Source: C:\Windows\explorer.exe	Section loaded: windowmanagementapi.dll
Source: C:\Windows\explorer.exe	Section loaded: textinputframework.dll
Source: C:\Windows\explorer.exe	Section loaded: inputhost.dll
Source: C:\Windows\explorer.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\explorer.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\explorer.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\explorer.exe	Section loaded: dxcore.dll
Source: C:\Windows\explorer.exe	Section loaded: xmllite.dll
Source: C:\Windows\explorer.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\explorer.exe	Section loaded: winhttp.dll
Source: C:\Windows\explorer.exe	Section loaded: mswsock.dll
Source: C:\Windows\explorer.exe	Section loaded: winnsi.dll
Source: C:\Windows\explorer.exe	Section loaded: cldapi.dll
Source: C:\Windows\explorer.exe	Section loaded: fltlib.dll
Source: C:\Windows\explorer.exe	Section loaded: dnsapi.dll
Source: C:\Windows\explorer.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\explorer.exe	Section loaded: dataexchange.dll
Source: C:\Windows\explorer.exe	Section loaded: apphelp.dll
Source: C:\Windows\explorer.exe	Section loaded: tiledatarepository.dll
Source: C:\Windows\explorer.exe	Section loaded: staterepository.core.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.staterepository.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.staterepositorycore.dll
Source: C:\Windows\explorer.exe	Section loaded: mrmcorer.dll
Source: C:\Windows\explorer.exe	Section loaded: languageoverlayutil.dll
Source: C:\Windows\explorer.exe	Section loaded: bcp47mrm.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.immersiveshell.serviceprovider.dll
Source: C:\Windows\explorer.exe	Section loaded: thumbcache.dll
Source: C:\Windows\explorer.exe	Section loaded: edputil.dll
Source: C:\Windows\explorer.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\explorer.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\explorer.exe	Section loaded: twinui.appcore.dll
Source: C:\Windows\explorer.exe	Section loaded: linkinfo.dll
Source: C:\Windows\explorer.exe	Section loaded: applicationframe.dll
Source: C:\Windows\explorer.exe	Section loaded: rmclient.dll
Source: C:\Windows\explorer.exe	Section loaded: photometadatahandler.dll
Source: C:\Windows\explorer.exe	Section loaded: ntshrui.dll
Source: C:\Windows\explorer.exe	Section loaded: cscapi.dll
Source: C:\Windows\explorer.exe	Section loaded: holographicextensions.dll
Source: C:\Windows\explorer.exe	Section loaded: virtualmonitormanager.dll
Source: C:\Windows\explorer.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.ui.immersive.dll
Source: C:\Windows\explorer.exe	Section loaded: abovelockapphost.dll
Source: C:\Windows\explorer.exe	Section loaded: schannel.dll
Source: C:\Windows\explorer.exe	Section loaded: npsm.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.web.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.shell.bluelightreduction.dll
Source: C:\Windows\explorer.exe	Section loaded: mscms.dll
Source: C:\Windows\explorer.exe	Section loaded: coloradapterclient.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.internal.signals.dll
Source: C:\Windows\explorer.exe	Section loaded: tdh.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.staterepositorybroker.dll
Source: C:\Windows\explorer.exe	Section loaded: mfplat.dll
Source: C:\Windows\explorer.exe	Section loaded: rtworkq.dll
Source: C:\Windows\explorer.exe	Section loaded: taskflowdataengine.dll
Source: C:\Windows\explorer.exe	Section loaded: structuredquery.dll
Source: C:\Windows\explorer.exe	Section loaded: ehstorshell.dll
Source: C:\Windows\explorer.exe	Section loaded: cscui.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.security.authentication.web.core.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.data.activities.dll
Source: C:\Windows\explorer.exe	Section loaded: provsvc.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.system.launcher.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.shell.servicehostbuilder.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.internal.ui.shell.windowtabmanager.dll
Source: C:\Windows\explorer.exe	Section loaded: notificationcontrollerps.dll
Source: C:\Windows\explorer.exe	Section loaded: actxprxy.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.devices.enumeration.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.globalization.dll
Source: C:\Windows\explorer.exe	Section loaded: icu.dll
Source: C:\Windows\explorer.exe	Section loaded: mswb7.dll
Source: C:\Windows\explorer.exe	Section loaded: devdispitemprovider.dll
Source: C:\Windows\explorer.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\explorer.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\explorer.exe	Section loaded: msasn1.dll
Source: C:\Windows\explorer.exe	Section loaded: dpapi.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.networking.connectivity.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.fileexplorer.common.dll
Source: C:\Windows\explorer.exe	Section loaded: gpapi.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.ui.core.textinput.dll
Source: C:\Windows\explorer.exe	Section loaded: uianimation.dll
Source: C:\Windows\explorer.exe	Section loaded: windowsudk.shellcommon.dll
Source: C:\Windows\explorer.exe	Section loaded: dictationmanager.dll
Source: C:\Windows\explorer.exe	Section loaded: npmproxy.dll
Source: C:\Windows\explorer.exe	Section loaded: pcshellcommonproxystub.dll
Source: C:\Windows\explorer.exe	Section loaded: cryptngc.dll
Source: C:\Windows\explorer.exe	Section loaded: taskschd.dll
Source: C:\Windows\explorer.exe	Section loaded: cflapi.dll
Source: C:\Windows\explorer.exe	Section loaded: execmodelproxy.dll
Source: C:\Windows\explorer.exe	Section loaded: daxexec.dll
Source: C:\Windows\explorer.exe	Section loaded: container.dll
Source: C:\Windows\explorer.exe	Section loaded: shellcommoncommonproxystub.dll
Source: C:\Windows\explorer.exe	Section loaded: uiautomationcore.dll
Source: C:\Windows\explorer.exe	Section loaded: samlib.dll
Source: C:\Windows\explorer.exe	Section loaded: capabilityaccessmanagerclient.dll
Source: C:\Windows\explorer.exe	Section loaded: wpnapps.dll
Source: C:\Windows\explorer.exe	Section loaded: batmeter.dll
Source: C:\Windows\explorer.exe	Section loaded: sxs.dll
Source: C:\Windows\explorer.exe	Section loaded: inputswitch.dll
Source: C:\Windows\explorer.exe	Section loaded: prnfldr.dll
Source: C:\Windows\explorer.exe	Section loaded: es.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.ui.shell.dll
Source: C:\Windows\explorer.exe	Section loaded: atlthunk.dll
Source: C:\Windows\explorer.exe	Section loaded: dxp.dll
Source: C:\Windows\explorer.exe	Section loaded: shdocvw.dll
Source: C:\Windows\explorer.exe	Section loaded: actioncenter.dll
Source: C:\Windows\explorer.exe	Section loaded: wevtapi.dll
Source: C:\Windows\explorer.exe	Section loaded: syncreg.dll
Source: C:\Windows\explorer.exe	Section loaded: dusmapi.dll
Source: C:\Windows\explorer.exe	Section loaded: wpdshserviceobj.dll
Source: C:\Windows\explorer.exe	Section loaded: portabledevicetypes.dll
Source: C:\Windows\explorer.exe	Section loaded: portabledeviceapi.dll
Source: C:\Windows\explorer.exe	Section loaded: cscobj.dll
Source: C:\Windows\explorer.exe	Section loaded: audioses.dll
Source: C:\Windows\explorer.exe	Section loaded: srchadmin.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.search.dll
Source: C:\Windows\explorer.exe	Section loaded: synccenter.dll
Source: C:\Windows\explorer.exe	Section loaded: wpnclient.dll
Source: C:\Windows\explorer.exe	Section loaded: netprofm.dll
Source: C:\Windows\explorer.exe	Section loaded: imapi2.dll
Source: C:\Windows\explorer.exe	Section loaded: networkuxbroker.dll
Source: C:\Windows\explorer.exe	Section loaded: ethernetmediamanager.dll
Source: C:\Windows\explorer.exe	Section loaded: wlanapi.dll
Source: C:\Windows\explorer.exe	Section loaded: wscinterop.dll
Source: C:\Windows\explorer.exe	Section loaded: wscapi.dll
Source: C:\Windows\explorer.exe	Section loaded: werconcpl.dll
Source: C:\Windows\explorer.exe	Section loaded: framedynos.dll
Source: C:\Windows\explorer.exe	Section loaded: wer.dll
Source: C:\Windows\explorer.exe	Section loaded: hcproviders.dll
Source: C:\Windows\explorer.exe	Section loaded: ncsi.dll
Source: C:\Windows\explorer.exe	Section loaded: ieproxy.dll
Source: C:\Windows\explorer.exe	Section loaded: storageusage.dll
Source: C:\Windows\explorer.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\explorer.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\explorer.exe	Section loaded: bluetoothapis.dll
Source: C:\Windows\explorer.exe	Section loaded: bluetoothapis.dll
Source: C:\Windows\explorer.exe	Section loaded: bluetoothapis.dll
Source: C:\Windows\explorer.exe	Section loaded: fhcfg.dll
Source: C:\Windows\explorer.exe	Section loaded: efsutil.dll
Source: C:\Windows\explorer.exe	Section loaded: mpr.dll
Source: C:\Windows\explorer.exe	Section loaded: netapi32.dll
Source: C:\Windows\explorer.exe	Section loaded: dsrole.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.internal.system.userprofile.dll
Source: C:\Windows\explorer.exe	Section loaded: cloudexperiencehostbroker.dll
Source: C:\Windows\explorer.exe	Section loaded: credui.dll
Source: C:\Windows\explorer.exe	Section loaded: dui70.dll
Source: C:\Windows\explorer.exe	Section loaded: wdscore.dll
Source: C:\Windows\explorer.exe	Section loaded: dbgcore.dll
Source: C:\Windows\explorer.exe	Section loaded: msxml6.dll
Source: C:\Windows\explorer.exe	Section loaded: settingsync.dll
Source: C:\Windows\explorer.exe	Section loaded: settingsynccore.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.ui.xaml.dll
Source: C:\Windows\explorer.exe	Section loaded: windowsinternal.composableshell.desktophosting.dll
Source: C:\Windows\explorer.exe	Section loaded: uiamanager.dll

Source: classification engine

Classification label: mal56.evad.winEXE@18/15@3/40

Source: C:\Users\user\Desktop\ep_setup (1).exe

File created: C:\Program Files\ExplorerPatcher

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\ExplorerPatcher

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:72:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3168:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4884:120:WilError_03

Source: C:\Users\user\Desktop\ep_setup (1).exe	Process created: C:\Windows\explorer.exe
Source: unknown	Process created: C:\Windows\explorer.exe
Source: C:\Users\user\Desktop\ep_setup (1).exe	Process created: C:\Windows\explorer.exe

Source: ep_setup (1).exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\taskkill.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "explorer.exe")

Source: C:\Users\user\Desktop\ep_setup (1).exe

File read: C:\Users\user\Desktop\desktop.ini

Source: C:\Users\user\Desktop\ep_setup (1).exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown

Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding

Source: C:\Users\user\Desktop\ep_setup (1).exe

File read: C:\Users\user\Desktop\ep_setup (1).exe

Source: unknown	Process created: C:\Users\user\Desktop\ep_setup (1).exe "C:\Users\user\Desktop\ep_setup (1).exe"
Source: C:\Users\user\Desktop\ep_setup (1).exe	Process created: C:\Windows\System32\taskkill.exe "C:\Windows\system32\taskkill.exe" /f /im explorer.exe
Source: C:\Windows\System32\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ep_setup (1).exe	Process created: C:\Windows\System32\sc.exe "C:\Windows\system32\sc.exe" stop ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ep_setup (1).exe	Process created: C:\Windows\System32\sc.exe "C:\Windows\system32\sc.exe" start ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ep_setup (1).exe	Process created: C:\Windows\System32\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\ExplorerPatcher\ep_weather_host.dll"
Source: C:\Users\user\Desktop\ep_setup (1).exe	Process created: C:\Windows\System32\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\ExplorerPatcher\ep_weather_host_stub.dll"
Source: unknown	Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
Source: C:\Users\user\Desktop\ep_setup (1).exe	Process created: C:\Windows\explorer.exe "C:\Windows\explorer.exe"
Source: unknown	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe /NoUACCheck
Source: C:\Users\user\Desktop\ep_setup (1).exe	Process created: C:\Windows\System32\taskkill.exe "C:\Windows\system32\taskkill.exe" /f /im explorer.exe
Source: C:\Users\user\Desktop\ep_setup (1).exe	Process created: C:\Windows\System32\sc.exe "C:\Windows\system32\sc.exe" stop ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB
Source: C:\Users\user\Desktop\ep_setup (1).exe	Process created: C:\Windows\System32\sc.exe "C:\Windows\system32\sc.exe" start ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB
Source: C:\Users\user\Desktop\ep_setup (1).exe	Process created: C:\Windows\System32\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\ExplorerPatcher\ep_weather_host.dll"
Source: C:\Users\user\Desktop\ep_setup (1).exe	Process created: C:\Windows\System32\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\ExplorerPatcher\ep_weather_host_stub.dll"
Source: C:\Users\user\Desktop\ep_setup (1).exe	Process created: C:\Windows\explorer.exe "C:\Windows\explorer.exe"

Source: C:\Users\user\Desktop\ep_setup (1).exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Source: C:\Users\user\Desktop\ep_setup (1).exe	Directory created: C:\Program Files\ExplorerPatcher
Source: C:\Users\user\Desktop\ep_setup (1).exe	Directory created: C:\Program Files\ExplorerPatcher\ep_setup.exe
Source: C:\Users\user\Desktop\ep_setup (1).exe	Directory created: C:\Program Files\ExplorerPatcher\ExplorerPatcher.IA-32.dll
Source: C:\Users\user\Desktop\ep_setup (1).exe	Directory created: C:\Program Files\ExplorerPatcher\ExplorerPatcher.amd64.dll
Source: C:\Users\user\Desktop\ep_setup (1).exe	Directory created: C:\Program Files\ExplorerPatcher\ep_dwm.exe
Source: C:\Users\user\Desktop\ep_setup (1).exe	Directory created: C:\Program Files\ExplorerPatcher\ep_weather_host.dll
Source: C:\Users\user\Desktop\ep_setup (1).exe	Directory created: C:\Program Files\ExplorerPatcher\ep_weather_host_stub.dll
Source: C:\Users\user\Desktop\ep_setup (1).exe	Directory created: C:\Program Files\ExplorerPatcher\WebView2Loader.dll

Source: C:\Users\user\Desktop\ep_setup (1).exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D17F1E1A-5919-4427-8F89-A1A8503CA3EB}_ExplorerPatcher

Source: ep_setup (1).exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: ep_setup (1).exe

Static file information: File size 1807872 > 1048576

Source: ep_setup (1).exe

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x18a200

Source: ep_setup (1).exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: ep_setup (1).exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: ep_setup (1).exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: ep_setup (1).exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: ep_setup (1).exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: ep_setup (1).exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: ep_setup (1).exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: ep_setup (1).exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: ep_setup (1).exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: ep_setup (1).exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: ep_setup (1).exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: ep_setup (1).exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: ep_setup (1).exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: ep_setup (1).exe

Static PE information: section name: _RDATA

Source: C:\Users\user\Desktop\ep_setup (1).exe

Process created: C:\Windows\System32\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\ExplorerPatcher\ep_weather_host.dll"

Source: C:\Users\user\Desktop\ep_setup (1).exe	File created: C:\Windows\dxgi.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ep_setup (1).exe	File created: C:\Program Files\ExplorerPatcher\ep_setup.exe	Jump to dropped file
Source: C:\Users\user\Desktop\ep_setup (1).exe	File created: C:\Program Files\ExplorerPatcher\ExplorerPatcher.IA-32.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ep_setup (1).exe	File created: C:\Program Files\ExplorerPatcher\ep_weather_host_stub.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ep_setup (1).exe	File created: C:\Program Files\ExplorerPatcher\WebView2Loader.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ep_setup (1).exe	File created: C:\Program Files\ExplorerPatcher\ep_weather_host.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ep_setup (1).exe	File created: C:\Program Files\ExplorerPatcher\ep_dwm.exe	Jump to dropped file

Source: C:\Users\user\Desktop\ep_setup (1).exe

File created: C:\Windows\dxgi.dll

Jump to dropped file

Source: C:\Users\user\Desktop\ep_setup (1).exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ExplorerPatcher
Source: C:\Users\user\Desktop\ep_setup (1).exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ExplorerPatcher\Properties (ExplorerPatcher).lnk

Source: C:\Users\user\Desktop\ep_setup (1).exe

Process created: C:\Windows\System32\sc.exe "C:\Windows\system32\sc.exe" stop ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB

Source: C:\Users\user\Desktop\ep_setup (1).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ep_setup (1).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Windows\explorer.exe

System information queried: FirmwareTableInformation

Source: C:\Windows\explorer.exe

File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\Desktop\ep_setup (1).exe	Dropped PE file which has not been started: C:\Program Files\ExplorerPatcher\ExplorerPatcher.IA-32.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ep_setup (1).exe	Dropped PE file which has not been started: C:\Program Files\ExplorerPatcher\ep_weather_host_stub.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ep_setup (1).exe	Dropped PE file which has not been started: C:\Program Files\ExplorerPatcher\ep_weather_host.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ep_setup (1).exe	Dropped PE file which has not been started: C:\Program Files\ExplorerPatcher\ep_dwm.exe	Jump to dropped file

Source: C:\Windows\System32\taskkill.exe

Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 140.82.114.3 443
Source: C:\Windows\explorer.exe	Network Connect: 185.199.108.133 443

Source: C:\Users\user\Desktop\ep_setup (1).exe	Process created: C:\Windows\System32\taskkill.exe "C:\Windows\system32\taskkill.exe" /f /im explorer.exe
Source: C:\Users\user\Desktop\ep_setup (1).exe	Process created: C:\Windows\System32\sc.exe "C:\Windows\system32\sc.exe" stop ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB
Source: C:\Users\user\Desktop\ep_setup (1).exe	Process created: C:\Windows\System32\sc.exe "C:\Windows\system32\sc.exe" start ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB
Source: C:\Users\user\Desktop\ep_setup (1).exe	Process created: C:\Windows\System32\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\ExplorerPatcher\ep_weather_host.dll"
Source: C:\Users\user\Desktop\ep_setup (1).exe	Process created: C:\Windows\System32\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\ExplorerPatcher\ep_weather_host_stub.dll"
Source: C:\Users\user\Desktop\ep_setup (1).exe	Process created: C:\Windows\explorer.exe "C:\Windows\explorer.exe"

Source: C:\Users\user\Desktop\ep_setup (1).exe

Process created: C:\Windows\System32\taskkill.exe "C:\Windows\system32\taskkill.exe" /f /im explorer.exe

Source: C:\Users\user\Desktop\ep_setup (1).exe

Queries volume information: C:\ VolumeInformation

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	2 Windows Service	2 Windows Service	23 Masquerading	OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Service Execution	1 Registry Run Keys / Startup Folder	111 Process Injection	1 Disable or Modify Tools	LSASS Memory	11 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	1 Registry Run Keys / Startup Folder	11 Virtualization/Sandbox Evasion	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	111 Process Injection	NTDS	13 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Regsvr32	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Rundll32	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Source	Detection	Scanner	Label	Link
ep_setup (1).exe	0%	ReversingLabs

Dropped Files

Source	Detection	Scanner
C:\Program Files\ExplorerPatcher\ExplorerPatcher.IA-32.dll	0%	ReversingLabs
C:\Program Files\ExplorerPatcher\WebView2Loader.dll	0%	ReversingLabs
C:\Program Files\ExplorerPatcher\ep_dwm.exe	0%	ReversingLabs
C:\Program Files\ExplorerPatcher\ep_weather_host.dll	0%	ReversingLabs
C:\Program Files\ExplorerPatcher\ep_weather_host_stub.dll	0%	ReversingLabs
C:\Windows\dxgi.dll	0%	ReversingLabs

Name	IP	Active	Malicious	Reputation
github.com	140.82.114.3	true	false	high
objects.githubusercontent.com	185.199.108.133	true	true	unknown
api.msn.com	unknown	unknown	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
20.150.38.228	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
140.82.114.3	github.com	United States	36459	GITHUBUS	false
20.150.70.36	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
131.253.33.219	unknown	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
185.199.108.133	objects.githubusercontent.com	Netherlands	54113	FASTLYUS	true
204.79.197.203	unknown	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1411864
Start date and time:	2024-03-19 16:56:55 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	39
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled
Analysis Mode:	stream
Analysis stop reason:	Timeout
Sample name:	ep_setup (1).exe
Detection:	MAL
Classification:	mal56.evad.winEXE@18/15@3/40
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, StartMenuExperienceHost.exe, TextInputHost.exe
Excluded IPs from analysis (whitelisted): 131.253.33.219, 20.150.38.228, 20.150.79.68, 20.150.70.36, 204.79.197.203, 23.44.201.21, 23.44.201.30, 23.44.201.32, 23.44.201.22, 23.44.201.31, 23.44.201.24, 23.44.201.20, 23.44.201.28, 23.44.201.25, 204.79.197.200, 13.107.21.200, 52.165.165.26, 23.41.168.93, 20.3.187.198, 52.165.164.15
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, msdl-microsoft-com.a-0016.a-msedge.net, p-static.bing.trafficmanager.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, msdl.microsoft.com, a-0016.dc-msedge.net, e86303.dscx.akamaiedge.net, login.live.com, e16604.g.akamaiedge.net, r.bing.com, www-bing-com.dual-a-0001.a-msedge.net, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, prod.fs.microsoft.com.akadns.net, glb.sls.prod.dcat.dsp.trafficmanager.net, www.bing.com, fs.microsoft.com, dual-a-0001.a-msedge.net, r.bing.com.edgekey.net, a-0003.a-msedge.net, blob.SAT09PrdStrz08A.trafficmanager.net, vsblobprodscussu5shard6.blob.core.windows.net, www-www.bing.com.trafficmanager.net, fe3cr.delivery.mp.microsoft.com, vsblobprodscussu5shard39.blob.core.windows.net, fe3.delivery.mp.microsoft.com, blob.sat09prdstrz08a.store.core.windows.net, msdl.microsoft.akadns.net, api-msn-com.a-0003.a-msedge.net
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtEnumerateValueKey calls found.
Report size getting too big, too many NtOpenKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: ep_setup (1).exe

Created / dropped Files

C:\Program Files\ExplorerPatcher\ExplorerPatcher.IA-32.dll

Download File

Process:	C:\Users\user\Desktop\ep_setup (1).exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	194560
Entropy (8bit):	6.5529574189354864
Encrypted:	false
SSDEEP:
MD5:	C27AD2203D5FF6639080A9D13C6A7626
SHA1:	C8AEE4E32A1AB5F5CEC3B5E8772698B6D14767A3
SHA-256:	15445675495B9F009D4E60CDFCD722D1B067DBD096C03C0142F4627A99CA6EF4
SHA-512:	919F6839268D232EF5FDFCCF8C66754D0D8DF0675E3AFD03DFB95F95F2630CAE8B59A4277EFA74CA3A1ECE59B8E4BB355CD98EBB67FE8769245131E6B99AD1B3
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......._.g...................................I.......I.......I.........................................................Rich....................PE..L.....lb...........!.....r...........F.......................................@............@......................... ...x............@....................... ..........p...........................h...@...............<............................text....p.......r.................. ..`.rdata...............v..............@..@.data........ ......................@....rsrc........@......................@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................

C:\Program Files\ExplorerPatcher\WebView2Loader.dll

Download File

Process:	C:\Users\user\Desktop\ep_setup (1).exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	140184
Entropy (8bit):	6.12329312962629
Encrypted:	false
SSDEEP:
MD5:	C44BAED957B05B9327BD371DBF0DBE99
SHA1:	80B48C656B8555EBC588DE3DE0EC6C7E75AE4BF1
SHA-256:	AD8BB426A8E438493DB4D703242F373D9CB36D8C13E88B6647CD083716E09BEF
SHA-512:	AD1B76594DCA7CDE6BBCDE55BC3ABE811F9E903E2CF6613D49201E14E789CFC763CB528D499DD2DB84DB097A210D63C7D88CC909CA1C836D831E3519C2CE7B35
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......a.........." ................`@..............................................'%....`A....................................................(....`...................#...p......d...8.......................(....1..8...........`.......(...`....................text...e........................... ..`.rdata..<....0....... ..............@..@.data...............................@....pdata..............................@..@.00cfg..(.... ......................@..@.tls.........0......................@....voltbl.>....@.........................._RDATA.......P......................@..@.rsrc........`......................@..@.reloc.......p......................@..B........................................................................................................................................................................................................................

C:\Program Files\ExplorerPatcher\ep_dwm.exe

Download File

Process:	C:\Users\user\Desktop\ep_setup (1).exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	117248
Entropy (8bit):	5.848759434272875
Encrypted:	false
SSDEEP:
MD5:	1349718D211CC2E2E866409D13818836
SHA1:	15B354BACFC771EF941758C59FEF519B305DEA83
SHA-256:	4A8A537EB201D7D05F21BC80855BD277569C7BB733C5128680C85346BF8B8DBD
SHA-512:	09981CC2D7CD0BAA2FD722D9640BA1D65CB6846DF32BFB41C58A888718DC304D39F044570E2A2D86BC9CE592006933A861F8AF75B6D8A089F8253EE555FED0AE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......._.....s...s...s..p...s..v..s..w...s.I.v.<.s.I.w...s.I.p...s..r...s...r.o.s..{...s......s.......s..q...s.Rich..s.........................PE..d.....lb..........".................X%.........@.............................0............`.....................................................d...............P............ ..h.......p...............................8...............@............................text...P........................... ..`.rdata..\|...........................@..@.data...............................@....pdata..P...........................@..@_RDATA..............................@..@.rsrc...............................@..@.reloc..h.... ......................@..B........................................................................................................................................................................................

C:\Program Files\ExplorerPatcher\ep_setup.exe

Download File

Process:	C:\Users\user\Desktop\ep_setup (1).exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1807872
Entropy (8bit):	6.267596452849626
Encrypted:	false
SSDEEP:
MD5:	301BFEED86AC1EA67CA70844CAE2A9A2
SHA1:	D3127AABD5C0E8F9F746758564625DC69613FA3F
SHA-256:	5D09D4837727785FF7206B6D01849ED25F29E9B0F9B0634B3918BC20CE3D2515
SHA-512:	6149DF127FFE2FE605BDF8CF8CAF41835C9F1E158B9CDC8143805C3EBEF1F42E533F57F6968F16A9546F72D9A6912189634B548650FF8FB9412BD0C56D3117AB
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!22000.613.44.2.78959caa05476f8e6S mode....$.......L.S..c=..c=..c=...>..c=...8.c=.Z.8./c=.Z.9..c=.Z.>..c=......c=...9..c=...;..c=...<..c=..c<..c=..5..c=..=..c=.....c=..c...c=..?..c=.Rich.c=.........PE..d.....lb.........."..................T.........@..........................................`..........................................................0..........@................... ...p...............................8............................................text............................... ..`.rdata..............................@..@.data... ...........................@....pdata..@...........................@..@_RDATA....... ......................@..@.rsrc........0......................@..@.reloc..............................@..B................................................................................................................................................................................

C:\Program Files\ExplorerPatcher\ep_setup.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\ep_setup (1).exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Reputation:	unknown
Preview:	[ZoneTransfer]....ZoneId=0

C:\Program Files\ExplorerPatcher\ep_weather_host.dll

Download File

Process:	C:\Users\user\Desktop\ep_setup (1).exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	245248
Entropy (8bit):	5.944315255157023
Encrypted:	false
SSDEEP:
MD5:	7F4F96D52E0B9A3C38BDAE23F9403D13
SHA1:	5BEFB96A0A34625318A272045EAB8DC7CAABF714
SHA-256:	D015057726D0F4859F176ABD76A8A9DD9C768EE1DBAB8BE4C119659F3B202040
SHA-512:	BE66937FFB11C4275755F9DEA324B43B62DA90EDF5E7D73597BC191F59E77ED39BF2391968D0465743412C8AE5874D30167C695900960E7A5CE29D73B4814207
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......m...)ci.)ci.)ci...j.,ci...l.ci.{.l.6ci.{.m.&ci.{.j. ci...m.&ci...h.;ci.)ci.ci.)ch.ci..a.ci..i.(ci....(ci.)c..(ci..k.(ci.Rich)ci.........................PE..d.....lb.........." ................LY....................................................`.........................................`...............................................Pe..p............................e..8...............H............................text...P........................... ..`.rdata..............................@..@.data...............................@....pdata..............................@..@_RDATA..............................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................

C:\Program Files\ExplorerPatcher\ep_weather_host_stub.dll

Download File

Process:	C:\Users\user\Desktop\ep_setup (1).exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	111104
Entropy (8bit):	5.899720989391343
Encrypted:	false
SSDEEP:
MD5:	F69BDAE844AD51764ADFEDD989B50249
SHA1:	DFDC9CB1B74C7B9533C557F4097545F043088886
SHA-256:	8E79419BEFA2CEDC44C051052E1223D0DE769760B18CC3E75F1AD617E92E4132
SHA-512:	7756298416F1398682E7C1A615FBA5AAC71928700C50DE3B9B17F3A79805079FB04E8190D8AFC5E1F8EF2241A74791817C17E948869C725568CF7A6C76F88D76
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...................................V...................................................l......l.......l.......l.......Rich....................PE..d.....lb.........." ......................................................................`.................................................x...P...............................p.......p...........................0...8...............8............................text............................... ..`.orpc...,........................... ..`.rdata..............................@..@.data...............................@....pdata..............................@..@_RDATA..............................@..@.rsrc...............................@..@.reloc..p...........................@..B........................................................................................................................................................

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ExplorerPatcher\Properties (ExplorerPatcher).lnk

Download File

Process:	C:\Users\user\Desktop\ep_setup (1).exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Icon number=39, Archive, ctime=Thu Sep 8 02:06:01 2022, mtime=Tue Mar 19 14:57:17 2024, atime=Thu Sep 8 02:06:01 2022, length=71680, window=hide
Category:	modified
Size (bytes):	1990
Entropy (8bit):	3.299012457759973
Encrypted:	false
SSDEEP:
MD5:	7A268DA11570CDDAF5B04DB9AA1B4A36
SHA1:	324928E0A09EA33DD080474A0EDE4D4AA555499D
SHA-256:	A256FE8580345C4B6282EF16E5671141E96DDAC3B7A813BBE4F86AEB9A09BEDE
SHA-512:	3B10BC384DE1DF315314C023A968043544F32852869541E45FD41E1CB5364AC9B32EB1817522FFBE360E02B3820D20D80596CA336C8FC047590F83E357C95AED
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. .....S./....<q..z....S./.......'...................E....P.O. .:i.....+00.../C:\...................V.1.....sX+...Windows.@......OwHsX+.....3.....................R...W.i.n.d.o.w.s.....Z.1.....sX)...System32..B......OwHsX*............................Be.S.y.s.t.e.m.3.2.....f.2.....(U.. .rundll32.exe..J......(U..sX)..........................b...r.u.n.d.l.l.3.2...e.x.e.......O...............-.......N............Q.B.....C:\Windows\System32\rundll32.exe....E.x.p.l.o.r.e.r.P.a.t.c.h.e.r./.....\.....\.....\.....\.....\.....\.W.i.n.d.o.w.s.\.S.y.s.t.e.m.3.2.\.r.u.n.d.l.l.3.2...e.x.e...C.:.\.W.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2.B.".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.E.x.p.l.o.r.e.r.P.a.t.c.h.e.r.\.E.x.p.l.o.r.e.r.P.a.t.c.h.e.r...a.m.d.6.4...d.l.l.".,.Z.Z.G.U.I...C.:.\.W.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.........%SystemRoot%\system32\shell32.dll...............................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000013.db

Download File

Process:	C:\Windows\explorer.exe
File Type:	data
Category:	dropped
Size (bytes):	108920
Entropy (8bit):	4.001489956863572
Encrypted:	false
SSDEEP:
MD5:	EB41ACED54A3954B5EDF116860884773
SHA1:	7785A619A55D92EADA80FD5C0733A5AAA84F967D
SHA-256:	7E154C3DB0E7B3666D5EDD6E6F7EE65F65CE0E8F5C13F83B005D25585B9C2362
SHA-512:	8A89E58E11908CCA1B549229D9DE66989C24F59BE3800A3CD00486B763195DD7B24EB7316319145F49D7AB07E679B46A25C3798CA89001059F1EC4B99143ED67
Malicious:	false
Reputation:	unknown
Preview:	....h... ...x...(.......P...........(...Y.......^..........h...........W.......e.n.-.C.H.;.e.n.-.G.B..............................P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....N.1...........user..:............................................c.a.l.i.....V.1...........AppData.@............................................A.p.p.D.a.t.a.....V.1...........Roaming.@............................................R.o.a.m.i.n.g.....\.1...........Microsoft.D............................................M.i.c.r.o.s.o.f.t.....V.1...........Windows.@............................................W.i.n.d.o.w.s.....`.1...........Start Menu..F............................................S.t.a.r.t. .M.e.n.u.................... ..........P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....N.1...........user..:............................................c.a.l.i..

C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000014.db

Download File

Process:	C:\Windows\explorer.exe
File Type:	data
Category:	dropped
Size (bytes):	108920
Entropy (8bit):	4.0010445707938445
Encrypted:	false
SSDEEP:
MD5:	1F2A36AED7C7E246E53FAC43322A6D04
SHA1:	1F011EBA65F4ADAA6C907BC23745CD40A521A038
SHA-256:	ABBF459B5A34BEDB653AC9578CA47A137691AAD20F61CBD01F5335D4E57698AC
SHA-512:	7EFFCD2EE20339B256C95BA767BF9E0A0E7D4F268A2763B2B0E5BF6E635C83400C088411EB21E3115C93C3FB533516876F32D2EA0361BBEBBBFC077822C13956
Malicious:	false
Reputation:	unknown
Preview:	....h... ...x...(.......P...........(...Y.......^..........h...........W.......e.n.-.C.H.;.e.n.-.G.B..............................P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....N.1...........user..:............................................c.a.l.i.....V.1...........AppData.@............................................A.p.p.D.a.t.a.....V.1...........Roaming.@............................................R.o.a.m.i.n.g.....\.1...........Microsoft.D............................................M.i.c.r.o.s.o.f.t.....V.1...........Windows.@............................................W.i.n.d.o.w.s.....`.1...........Start Menu..F............................................S.t.a.r.t. .M.e.n.u.................... ..........P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....N.1...........user..:............................................c.a.l.i..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\AN5UOLP8\39B7A829951E377CD5C4AA3BD72155D9808470F724602420910673D8D0CC60C600[1].blob

Download File

Process:	C:\Windows\explorer.exe
File Type:	MSVC program database ver 7.00, 1024*18363 bytes
Category:	dropped
Size (bytes):	18803712
Entropy (8bit):	5.737102497890461
Encrypted:	false
SSDEEP:
MD5:	C84AE6411BAC88E3A562ECC3F5F80A1B
SHA1:	22C2554E1143DF454DC48D055EB6F470603DBFB7
SHA-256:	766ADFB1144334B173FB47BA0CEFD7358F6B9D14FA656A92842849207A290A36
SHA-512:	7706D7BC50BF175267CF48CADA9C37132AED1F7FBC6E6C156A73391124C2E8E86E4D24348603655853A14195FE8DDD426A82CA773C49F15F076D302ADEE30737
Malicious:	false
Reputation:	unknown
Preview:	Microsoft C/C++ MSF 7.00...DS............G...".......G..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\AN5UOLP8\Windows[2].json

Download File

Process:	C:\Windows\explorer.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	619
Entropy (8bit):	5.11189622188248
Encrypted:	false
SSDEEP:
MD5:	C129D6ADB763BD0BAE4EC63EEEA4E761
SHA1:	0F30E82C7FE57B8AA744349CF578FDD936DDE58B
SHA-256:	EAF3938AEDB0A8BA5E4388A1839AEFA240D6D70AC84A1AD2185F89C227A4ED3D
SHA-512:	72906203A123A49ED20558D9DC498320262D4742796E2DA43432A45C9BCCBF4622B9E749C2CB8125E27374C7DC968EE47AA5B72511AE7B66AFB6F10528A642D4
Malicious:	false
Reputation:	unknown
Preview:	{"serviceContext":{"serviceActivityId":"65f9b5e9-50e9-488b-a95e-fcc8fa9a9d9b","responseCreationDateTime":"0001-01-01T00:00:00","debugId":"65f9b5e9-50e9-488b-a95e-fcc8fa9a9d9b\|2024-03-19T15:57:29.7984881Z\|fabric_msn\|ESU\|News_552"},"expirationDateTime":"0001-01-01T00:00:00","showBadge":false,"settings":{"refreshIntervalMinutes":0,"feedEnabled":true,"evolvedNotificationLifecycleEnabled":false,"webView2Enabled":false,"webView2EnabledV1":false,"flyoutV2EndpointEnabled":false,"showAnimation":false,"useTallerFlyoutSize":false,"useDynamicHeight":false,"useWiderFlyoutSize":false,"reclaimEnabled":false},"isPartial":false}

C:\Users\user\AppData\Roaming\ExplorerPatcher\StartUI.pdb

Download File

Process:	C:\Windows\explorer.exe
File Type:	MSVC program database ver 7.00, 4096*9067 bytes
Category:	dropped
Size (bytes):	37138432
Entropy (8bit):	5.6992441330393016
Encrypted:	false
SSDEEP:
MD5:	6EC8937793ABCA33686E941850AC379C
SHA1:	C33459B6BBAB2E5D0051557E0AA6E35266145CA1
SHA-256:	05E269FF0DD07EBF0B82857327B060CD5AF27870B88219C9257510E0AF312B52
SHA-512:	6FF4CBBA814245A5E3269191BB63E7A82DC40D7D7F862C17F6651F28CDB640023143057CAB4E54DCA20C77C5C515EA0EAC05883CE50CD4F1FB84F2DFB2B7CF51
Malicious:	false
Reputation:	unknown
Preview:	Microsoft C/C++ MSF 7.00...DS...........k#..$.......j#..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_1024_POS4.jpg

Download File

Process:	C:\Windows\explorer.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 1280x1024, components 3
Category:	dropped
Size (bytes):	21107
Entropy (8bit):	2.3082705768019958
Encrypted:	false
SSDEEP:
MD5:	CF7BB7C73EEBF9504B46C827ED064F60
SHA1:	AFF4E3C6F2A1F2B0673345870C85390E2E85390C
SHA-256:	F46620F73F2ABAFCB3622CE5B672314F18350E92B7BD6C765CAE5556A994550B
SHA-512:	AC6DE3341F3774EDDA4495AB79000D39AC9CBAC14426646E92D00858CA0041027A50B8AE39DEFEFF891AE32DD5FE70280419598A8BFAE139CA87B476068EE4D3
Malicious:	false
Reputation:	unknown
Preview:	......JFIF.............C....................................................................C............................................................................"............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.....(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(

C:\Windows\dxgi.dll

Download File

Process:	C:\Users\user\Desktop\ep_setup (1).exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	609280
Entropy (8bit):	6.313832183833851
Encrypted:	false
SSDEEP:
MD5:	78959CAA05476F8E6BD80F8377BB1AAD
SHA1:	B4930866AE79BCC89E6F6DC0A01F37E0AA67D310
SHA-256:	C93B8C9521629FF8D50FE221B6863CF56010426C83D07F39608DDCD8E2207503
SHA-512:	BA21722E4DA386D9DFC7994FE64F7698BFED891EA804C418CFBFCE797325F565AE53A22A0E308C3D795BEA70D58AE4F6CB942ED883C9E8DAF386427F1C5892EF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.......'..Jc.k.c.k.c.k...h.d.k...n...k...o.n.k.j...e.k....b.k.1.n.\|.k.1.o.s.k.1.h.j.k...o.q.k...j.H.k.c.j...k...c.z.k...k.b.k....b.k.c...b.k...i.b.k.Richc.k.................PE..d.....lb.........." .................O....................................................`.............................................$...$...................\4..................@W..p............................W..8............................................text...P........................... ..`.rdata...'.......(..................@..@.data...X........z..................@....pdata..\4.......6...8..............@..@_RDATA...............n..............@..@.rsrc................p..............@..@.reloc...............D..............@..B................................................................................................................................................................

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	6.267596452849626
TrID:	Win64 Executable GUI (202006/5) 60.38% Windows ActiveX control (116523/4) 34.83% Win64 Executable (generic) (12005/4) 3.59% Generic Win/DOS Executable (2004/3) 0.60% DOS Executable Generic (2002/1) 0.60%
File name:	ep_setup (1).exe
File size:	1'807'872 bytes
MD5:	301bfeed86ac1ea67ca70844cae2a9a2
SHA1:	d3127aabd5c0e8f9f746758564625dc69613fa3f
SHA256:	5d09d4837727785ff7206b6d01849ed25f29e9b0f9b0634b3918bc20ce3d2515
SHA512:	6149df127ffe2fe605bdf8cf8caf41835c9f1e158b9cdc8143805c3ebef1f42e533f57f6968f16a9546f72d9a6912189634b548650ff8fb9412bd0c56d3117ab
SSDEEP:	24576:7+7eblajdYRXSeOVgWxv333pQ/z/gpbdi/v:K7eRajdVe2xvHC7kbw/
TLSH:	50857C1273E401BAF1B3A73889B35602EB76B8151B71DB9F02A442595F33781DD3AF62
File Content Preview:	MZ......................@...............................................!..L.!22000.613.44.2.78959caa05476f8e6S mode....$.......L.S..c=..c=..c=...>..c=...8..c=.Z.8./c=.Z.9..c=.Z.>..c=......c=...9..c=...;..c=...<..c=..c<..c=...5..c=...=..c=......c=..c...c=

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x1400054a4
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x626C8BB0 [Sat Apr 30 01:06:56 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	d650dcf7294101d9282eb76369fafe52

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F39856B22D0h
dec eax
add esp, 28h
jmp 00007F39856B1EEFh
int3
int3
dec eax
sub esp, 28h
call 00007F39856B283Ch
test eax, eax
je 00007F39856B2093h
dec eax
mov eax, dword ptr [00000030h]
dec eax
mov ecx, dword ptr [eax+08h]
jmp 00007F39856B2077h
dec eax
cmp ecx, eax
je 00007F39856B2086h
xor eax, eax
dec eax
cmpxchg dword ptr [00029B54h], ecx
jne 00007F39856B2060h
xor al, al
dec eax
add esp, 28h
ret
mov al, 01h
jmp 00007F39856B2069h
int3
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
movzx eax, byte ptr [00029B3Fh]
test ecx, ecx
mov ebx, 00000001h
cmove eax, ebx
mov byte ptr [00029B2Fh], al
call 00007F39856B2643h
call 00007F39856B2A82h
test al, al
jne 00007F39856B2076h
xor al, al
jmp 00007F39856B2086h
call 00007F39856BDAB1h
test al, al
jne 00007F39856B207Bh
xor ecx, ecx
call 00007F39856B2A92h
jmp 00007F39856B205Ch
mov al, bl
dec eax
add esp, 20h
pop ebx
ret
int3
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
cmp byte ptr [00029AF4h], 00000000h
mov ebx, ecx
jne 00007F39856B20D9h
cmp ecx, 01h
jnbe 00007F39856B20DCh
call 00007F39856B27A2h
test eax, eax
je 00007F39856B209Ah
test ebx, ebx
jne 00007F39856B2096h
dec eax
lea ecx, dword ptr [00029ADEh]
call 00007F39856B20CEh

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x2c610	0xbc	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2c6cc	0x118	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x33000	0x18a1a8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x30000	0x1740	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x1be000	0x6dc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x2a820	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x2a890	0x138	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1f000	0x5b8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1d600	0x1d600	121d2dad23c1b2f67058600147d9f4de	False	0.549044215425532	data	6.4817223000673545	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x1f000	0xea8a	0xec00	8901ef05fefcc78a2e4d127e108c1cbb	False	0.412159030720339	data	4.883042812785964	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x2e000	0x1f20	0xc00	a09b72f51840c939cb3a7546936861e6	False	0.1376953125	data	1.9447019092655964	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x30000	0x1740	0x1800	d3a19c6b5fd5480782492695f841f7da	False	0.4744466145833333	PEX Binary Archive	5.189130105792291	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
_RDATA	0x32000	0xfc	0x200	34ead047c9b49e295e6ef836c6807393	False	0.291015625	data	1.9516971520131783	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x33000	0x18a1a8	0x18a200	383699f098f0daa41d03922482c31632	False	0.4537419719314938	data	6.2717828889127265	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x1be000	0x6dc	0x800	4f3779ed912385e3b5240b0c1cb1bd5d	False	0.52978515625	data	5.083498025474596	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_RCDATA	0x33590	0x94c00	PE32+ executable (DLL) (console) x86-64, for MS Windows	English	United States	0.45692128413865546
RT_RCDATA	0xc8190	0x2f800	PE32 executable (DLL) (console) Intel 80386, for MS Windows	English	United States	0.46023334703947366
RT_RCDATA	0xf7990	0x1ca00	PE32+ executable (GUI) x86-64, for MS Windows	English	United States	0.49584641102620086
RT_RCDATA	0x114390	0x3be00	PE32+ executable (DLL) (GUI) x86-64, for MS Windows	English	United States	0.4281135829853862
RT_RCDATA	0x150190	0x1b200	PE32+ executable (DLL) (console) x86-64, for MS Windows	English	United States	0.5039602534562212
RT_RCDATA	0x18d728	0x2f800	PE32+ executable (DLL) (console) x86-64, for MS Windows	English	United States	0.3707802220394737
RT_RCDATA	0x16b390	0x22398	PE32+ executable (DLL) (console) x86-64, for MS Windows	English	United States	0.5101509444729784
RT_VERSION	0x33210	0x37c	data	English	United States	0.452914798206278
RT_MANIFEST	0x1bcf28	0x27e	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5517241379310345

Imports

DLL	Import
KERNEL32.dll	GetWindowsDirectoryW, LocalFree, GetCurrentProcessId, CreateProcessW, GetModuleHandleW, GetProcessTimes, GetExitCodeProcess, FindFirstFileW, SetLastError, WriteFile, FindClose, CreateThread, GetCurrentDirectoryW, GetProcAddress, FreeLibrary, CopyFileW, CreateSymbolicLinkW, MoveFileW, LoadLibraryExW, WriteConsoleW, SetEndOfFile, HeapReAlloc, HeapSize, ReadConsoleW, FlushFileBuffers, FindResourceW, GetStringTypeW, SetStdHandle, FreeEnvironmentStringsW, GetEnvironmentStringsW, WideCharToMultiByte, GetCommandLineW, GetCommandLineA, GetCPInfo, GetOEMCP, GetACP, IsValidCodePage, FindNextFileW, FindFirstFileExW, MultiByteToWideChar, SetFilePointerEx, GetConsoleMode, GetConsoleOutputCP, LCMapStringW, LoadResource, FreeConsole, CloseHandle, DeleteFileW, LockResource, GetLastError, Sleep, CreateEventW, OpenProcess, FreeResource, GetSystemDirectoryW, GetCurrentThreadId, CreateFileW, LocalAlloc, WaitForSingleObject, GetModuleFileNameW, TerminateProcess, GetCurrentProcess, GetFileSizeEx, SizeofResource, ReadFile, GetProcessHeap, CreateDirectoryW, FlsFree, FlsSetValue, FlsGetValue, FlsAlloc, GetFileType, HeapFree, HeapAlloc, GetStdHandle, GetModuleHandleExW, ExitProcess, RtlPcToFileHeader, RaiseException, EncodePointer, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, RtlUnwindEx, GetStartupInfoW, IsDebuggerPresent, InitializeSListHead, GetSystemTimeAsFileTime, QueryPerformanceCounter, IsProcessorFeaturePresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, RtlVirtualUnwind, RtlLookupFunctionEntry, RtlCaptureContext
USER32.dll	DispatchMessageW, RegisterClassExW, FindWindowW, LoadIconW, TranslateMessage, wsprintfW, ExitWindowsEx, LoadCursorW, SetProcessDpiAwarenessContext, SendMessageTimeoutW, SendMessageW, LoadStringW, GetWindowThreadProcessId, GetMessageW, DefWindowProcW, MessageBoxW, CreateWindowExW
ADVAPI32.dll	RegDeleteKeyW, AllocateAndInitializeSid, RegDeleteKeyValueW, RegCreateKeyExW, RegDeleteTreeW, RegSetValueExW, FreeSid, CheckTokenMembership, RegGetValueW, RegOpenKeyW, LookupPrivilegeValueW, AdjustTokenPrivileges, RegCloseKey, CryptAcquireContextW, CryptCreateHash, CryptHashData, CryptDestroyHash, OpenProcessToken, RegOpenKeyExW, CryptGetHashParam, RegQueryValueExW, CryptReleaseContext
SHELL32.dll	ShellExecuteExW, SHGetFolderPathW, ShellExecuteW, SHFileOperationW, CommandLineToArgvW, Shell_NotifyIconW
ole32.dll	CoCreateInstance, CoInitialize, CoUninitialize
OLEAUT32.dll	SysFreeString
RstrtMgr.DLL	RmEndSession, RmRestart, RmGetList, RmShutdown, RmStartSession, RmRegisterResources
api-ms-win-core-winrt-string-l1-1-0.dll	WindowsCreateStringReference
api-ms-win-core-winrt-l1-1-0.dll	RoGetActivationFactory, RoInitialize, RoActivateInstance
VERSION.dll	VerQueryValueW
PSAPI.DLL	EnumProcesses, GetProcessImageFileNameW
WININET.dll	InternetCloseHandle, InternetOpenW, InternetReadFile, InternetOpenUrlW
SHLWAPI.dll	PathRemoveFileSpecW, PathRemoveExtensionW, PathFileExistsW, PathStripPathW

Exports

Name	Ordinal	Address
ZZLaunchExplorer	1	0x140001b30
ZZLaunchExplorerDelayed	2	0x140001c40
ZZRestartExplorer	3	0x140001c90
ZZTestBalloon	4	0x140001590
ZZTestToast	5	0x1400017a0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. The Regsvr32.exe binary may also be signed by Microsoft.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Module: Module Load, Network Traffic: Network Connection Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ep_setup (1).exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Yara Signatures

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

General Information

Warnings

Created / dropped Files

C:\Program Files\ExplorerPatcher\ExplorerPatcher.IA-32.dll

C:\Program Files\ExplorerPatcher\WebView2Loader.dll

C:\Program Files\ExplorerPatcher\ep_dwm.exe

C:\Program Files\ExplorerPatcher\ep_setup.exe

C:\Program Files\ExplorerPatcher\ep_setup.exe:Zone.Identifier

C:\Program Files\ExplorerPatcher\ep_weather_host.dll

C:\Program Files\ExplorerPatcher\ep_weather_host_stub.dll

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ExplorerPatcher\Properties (ExplorerPatcher).lnk

C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000013.db

C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000014.db

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\AN5UOLP8\39B7A829951E377CD5C4AA3BD72155D9808470F724602420910673D8D0CC60C600[1].blob

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\AN5UOLP8\Windows[2].json

C:\Users\user\AppData\Roaming\ExplorerPatcher\StartUI.pdb

C:\Users\user\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_1024_POS4.jpg

C:\Windows\dxgi.dll

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Windows Analysis Report
ep_setup (1).exe