
Windows Analysis Report
ep_setup (1).exe

Overview

General Information

Sample name: ep_setup (1).exe
Analysis ID: 1411864
MD5: 301bfeed86ac1ea67ca70844cae2a9a2
SHA1: d3127aabd5c0e8f9f746758564625dc69613fa3f
SHA256: 5d09d4837727785ff7206b6d01849ed25f29e9b0f9b0634b3918bc20ce3d2515

Detection

Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

System process connects to network (likely due to code injection or exploit)
Query firmware table information (likely to detect VMs)
Sigma detected: Explorer NOUACCHECK Flag
Contains capabilities to detect virtual machines
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found dropped PE file which has not been started or loaded
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Registers a DLL
Stores files to the Windows start menu directory
Tries to load missing DLLs
Uses taskkill to terminate processes

Classification

  • System is w10x64_ra
  • ep_setup (1).exe (PID: 5388 cmdline: "C:\Users\user\Desktop\ep_setup (1).exe" MD5: 301BFEED86AC1EA67CA70844CAE2A9A2)
    • taskkill.exe (PID: 1824 cmdline: "C:\Windows\system32\taskkill.exe" /f /im explorer.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • conhost.exe (PID: 3168 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 3740 cmdline: "C:\Windows\system32\sc.exe" stop ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 72 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 3012 cmdline: "C:\Windows\system32\sc.exe" start ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4884 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • regsvr32.exe (PID: 4848 cmdline: "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\ExplorerPatcher\ep_weather_host.dll" MD5: B0C2FA35D14A9FAD919E99D9D75E1B9E)
    • regsvr32.exe (PID: 5176 cmdline: "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\ExplorerPatcher\ep_weather_host_stub.dll" MD5: B0C2FA35D14A9FAD919E99D9D75E1B9E)
    • explorer.exe (PID: 5412 cmdline: "C:\Windows\explorer.exe" MD5: 662F4F92FDE3557E86D110526BB578D5)
  • rundll32.exe (PID: 5340 cmdline: C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding MD5: EF3179D498793BF4234F708D3BE28633)
  • explorer.exe (PID: 3360 cmdline: C:\Windows\explorer.exe /NoUACCheck MD5: 662F4F92FDE3557E86D110526BB578D5)
  • cleanup
No yara matches

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: C:\Windows\explorer.exe /NoUACCheck, CommandLine: C:\Windows\explorer.exe /NoUACCheck, CommandLine|base64offset|contains: y, Image: C:\Windows\explorer.exe, NewProcessName: C:\Windows\explorer.exe, OriginalFileName: C:\Windows\explorer.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1136, ProcessCommandLine: C:\Windows\explorer.exe /NoUACCheck, ProcessId: 3360, ProcessName: explorer.exe
No Snort rule has matched

Source: C:\Users\user\Desktop\ep_setup (1).exe | Directory created: C:\Program Files\ExplorerPatcher
Source: C:\Users\user\Desktop\ep_setup (1).exe | Directory created: C:\Program Files\ExplorerPatcher\ep_setup.exe
Source: C:\Users\user\Desktop\ep_setup (1).exe | Directory created: C:\Program Files\ExplorerPatcher\ExplorerPatcher.IA-32.dll
Source: C:\Users\user\Desktop\ep_setup (1).exe | Directory created: C:\Program Files\ExplorerPatcher\ExplorerPatcher.amd64.dll
Source: C:\Users\user\Desktop\ep_setup (1).exe | Directory created: C:\Program Files\ExplorerPatcher\ep_dwm.exe
Source: C:\Users\user\Desktop\ep_setup (1).exe | Directory created: C:\Program Files\ExplorerPatcher\ep_weather_host.dll
Source: C:\Users\user\Desktop\ep_setup (1).exe | Directory created: C:\Program Files\ExplorerPatcher\ep_weather_host_stub.dll
Source: C:\Users\user\Desktop\ep_setup (1).exe | Directory created: C:\Program Files\ExplorerPatcher\WebView2Loader.dll
Source: C:\Users\user\Desktop\ep_setup (1).exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D17F1E1A-5919-4427-8F89-A1A8503CA3EB}_ExplorerPatcher
Source: unknown | HTTPS traffic detected: 140.82.114.3:443 -> 192.168.2.16:49706 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.16:49716 version: TLS 1.2
Source: ep_setup (1).exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Networking

Source: C:\Windows\explorer.exe | Network Connect: 140.82.114.3 443
Source: C:\Windows\explorer.exe | Network Connect: 185.199.108.133 443
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | DNS traffic detected: queries for: api.msn.com
Source: unknown | Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown | Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49716
Source: C:\Users\user\Desktop\ep_setup (1).exe | File created: C:\Windows\dxgi.dll
Source: C:\Users\user\Desktop\ep_setup (1).exe | File created: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\dxgi.dll
Source: ep_setup (1).exe | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Source: ep_setup (1).exe | Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Source: ep_setup (1).exe | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (GUI) x86-64, for MS Windows
Source: ep_setup (1).exe | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Source: ep_setup (1).exe | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Source: ep_setup (1).exe | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Source: ep_setup (1).exe | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Source: classification engine | Classification label: mal56.evad.winEXE@18/15@3/40
Source: C:\Users\user\Desktop\ep_setup (1).exe | File created: C:\Program Files\ExplorerPatcher
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Roaming\ExplorerPatcher
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:72:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3168:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4884:120:WilError_03
Source: C:\Users\user\Desktop\ep_setup (1).exe | Process created: C:\Windows\explorer.exe
Source: unknown | Process created: C:\Windows\explorer.exe
Source: ep_setup (1).exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\taskkill.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "explorer.exe")
Source: C:\Users\user\Desktop\ep_setup (1).exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\ep_setup (1).exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
Source: C:\Users\user\Desktop\ep_setup (1).exe | File read: C:\Users\user\Desktop\ep_setup (1).exe
Source: unknown | Process created: C:\Users\user\Desktop\ep_setup (1).exe "C:\Users\user\Desktop\ep_setup (1).exe"
Source: C:\Users\user\Desktop\ep_setup (1).exe | Process created: C:\Windows\System32\taskkill.exe "C:\Windows\system32\taskkill.exe" /f /im explorer.exe
Source: C:\Windows\System32\taskkill.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ep_setup (1).exe | Process created: C:\Windows\System32\sc.exe "C:\Windows\system32\sc.exe" stop ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ep_setup (1).exe | Process created: C:\Windows\System32\sc.exe "C:\Windows\system32\sc.exe" start ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ep_setup (1).exe | Process created: C:\Windows\System32\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\ExplorerPatcher\ep_weather_host.dll"
Source: C:\Users\user\Desktop\ep_setup (1).exe | Process created: C:\Windows\System32\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\ExplorerPatcher\ep_weather_host_stub.dll"
Source: C:\Users\user\Desktop\ep_setup (1).exe | Process created: C:\Windows\explorer.exe "C:\Windows\explorer.exe"
Source: unknown | Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe /NoUACCheck
Source: C:\Users\user\Desktop\ep_setup (1).exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\Desktop\ep_setup (1).exe | Directory created: C:\Program Files\ExplorerPatcher
Source: C:\Users\user\Desktop\ep_setup (1).exe | Directory created: C:\Program Files\ExplorerPatcher\ep_setup.exe
Source: C:\Users\user\Desktop\ep_setup (1).exe | Directory created: C:\Program Files\ExplorerPatcher\ExplorerPatcher.IA-32.dll
Source: C:\Users\user\Desktop\ep_setup (1).exe | Directory created: C:\Program Files\ExplorerPatcher\ExplorerPatcher.amd64.dll
Source: C:\Users\user\Desktop\ep_setup (1).exe | Directory created: C:\Program Files\ExplorerPatcher\ep_dwm.exe
Source: C:\Users\user\Desktop\ep_setup (1).exe | Directory created: C:\Program Files\ExplorerPatcher\ep_weather_host.dll
Source: C:\Users\user\Desktop\ep_setup (1).exe | Directory created: C:\Program Files\ExplorerPatcher\ep_weather_host_stub.dll
Source: C:\Users\user\Desktop\ep_setup (1).exe | Directory created: C:\Program Files\ExplorerPatcher\WebView2Loader.dll
Source: C:\Users\user\Desktop\ep_setup (1).exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D17F1E1A-5919-4427-8F89-A1A8503CA3EB}_ExplorerPatcher
Source: ep_setup (1).exe | Static PE information: Image base 0x140000000 > 0x60000000
Source: ep_setup (1).exe | Static file information: File size 1807872 > 1048576
Source: ep_setup (1).exe | Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x18a200
Source: ep_setup (1).exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: ep_setup (1).exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: ep_setup (1).exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: ep_setup (1).exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: ep_setup (1).exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: ep_setup (1).exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: ep_setup (1).exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: ep_setup (1).exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: ep_setup (1).exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: ep_setup (1).exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: ep_setup (1).exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: ep_setup (1).exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: ep_setup (1).exe | Static PE information: section name: _RDATA
Source: C:\Users\user\Desktop\ep_setup (1).exe | File created: C:\Windows\dxgi.dll
Source: C:\Users\user\Desktop\ep_setup (1).exe | File created: C:\Program Files\ExplorerPatcher\ep_setup.exe
Source: C:\Users\user\Desktop\ep_setup (1).exe | File created: C:\Program Files\ExplorerPatcher\ExplorerPatcher.IA-32.dll
Source: C:\Users\user\Desktop\ep_setup (1).exe | File created: C:\Program Files\ExplorerPatcher\ep_weather_host_stub.dll
Source: C:\Users\user\Desktop\ep_setup (1).exe | File created: C:\Program Files\ExplorerPatcher\WebView2Loader.dll
Source: C:\Users\user\Desktop\ep_setup (1).exe | File created: C:\Program Files\ExplorerPatcher\ep_weather_host.dll
Source: C:\Users\user\Desktop\ep_setup (1).exe | File created: C:\Program Files\ExplorerPatcher\ep_dwm.exe
Source: C:\Users\user\Desktop\ep_setup (1).exe | File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ExplorerPatcher
Source: C:\Users\user\Desktop\ep_setup (1).exe | File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ExplorerPatcher\Properties (ExplorerPatcher).lnk
Source: C:\Users\user\Desktop\ep_setup (1).exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\explorer.exe | System information queried: FirmwareTableInformation
Source: C:\Windows\explorer.exe | File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\ep_setup (1).exe | Dropped PE file which has not been started: C:\Program Files\ExplorerPatcher\ExplorerPatcher.IA-32.dll
Source: C:\Users\user\Desktop\ep_setup (1).exe | Dropped PE file which has not been started: C:\Program Files\ExplorerPatcher\ep_weather_host_stub.dll
Source: C:\Users\user\Desktop\ep_setup (1).exe | Dropped PE file which has not been started: C:\Program Files\ExplorerPatcher\ep_weather_host.dll
Source: C:\Users\user\Desktop\ep_setup (1).exe | Dropped PE file which has not been started: C:\Program Files\ExplorerPatcher\ep_dwm.exe
Source: C:\Windows\System32\taskkill.exe | Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe | Network Connect: 140.82.114.3 443
Source: C:\Windows\explorer.exe | Network Connect: 185.199.108.133 443
Source: C:\Users\user\Desktop\ep_setup (1).exe | Process created: C:\Windows\System32\taskkill.exe "C:\Windows\system32\taskkill.exe" /f /im explorer.exe
Source: C:\Users\user\Desktop\ep_setup (1).exe | Process created: C:\Windows\System32\sc.exe "C:\Windows\system32\sc.exe" stop ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB
Source: C:\Users\user\Desktop\ep_setup (1).exe | Process created: C:\Windows\System32\sc.exe "C:\Windows\system32\sc.exe" start ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB
Source: C:\Users\user\Desktop\ep_setup (1).exe | Process created: C:\Windows\System32\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\ExplorerPatcher\ep_weather_host.dll"
Source: C:\Users\user\Desktop\ep_setup (1).exe | Process created: C:\Windows\System32\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\ExplorerPatcher\ep_weather_host_stub.dll"
Source: C:\Users\user\Desktop\ep_setup (1).exe | Process created: C:\Windows\explorer.exe "C:\Windows\explorer.exe"
Source: C:\Users\user\Desktop\ep_setup (1).exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
MITRE ATT&CK Matrix

The matrix was flattened into single cells during extraction. It is rebuilt here as one line per tactic, listing the techniques the report marks, with the numbers exactly as rendered in the marked cells; cells that carry no number are unmarked placeholders and are omitted.

Reconnaissance: none marked
Resource Development: none marked
Initial Access: none marked
Execution: Windows Management Instrumentation (1), Service Execution (1)
Persistence: Windows Service (2), Registry Run Keys / Startup Folder (1), DLL Side-Loading (1)
Privilege Escalation: Windows Service (2), Process Injection (111), Registry Run Keys / Startup Folder (1), DLL Side-Loading (1)
Defense Evasion: Masquerading (23), Disable or Modify Tools (1), Virtualization/Sandbox Evasion (11), Process Injection (111), Regsvr32 (1), Rundll32 (1), DLL Side-Loading (1)
Credential Access: none marked
Discovery: Security Software Discovery (11), Virtualization/Sandbox Evasion (11), File and Directory Discovery (1), System Information Discovery (13)
Lateral Movement: none marked
Collection: none marked
Command and Control: Encrypted Channel (2), Non-Application Layer Protocol (1), Application Layer Protocol (2)
Exfiltration: none marked
Impact: none marked

Antivirus results (sample)
Source | Detection | Scanner | Label | Link
ep_setup (1).exe | 0% | ReversingLabs | |

Antivirus results (dropped files)
Source | Detection | Scanner | Label | Link
C:\Program Files\ExplorerPatcher\ExplorerPatcher.IA-32.dll | 0% | ReversingLabs | |
C:\Program Files\ExplorerPatcher\WebView2Loader.dll | 0% | ReversingLabs | |
C:\Program Files\ExplorerPatcher\ep_dwm.exe | 0% | ReversingLabs | |
C:\Program Files\ExplorerPatcher\ep_weather_host.dll | 0% | ReversingLabs | |
C:\Program Files\ExplorerPatcher\ep_weather_host_stub.dll | 0% | ReversingLabs | |
C:\Windows\dxgi.dll | 0% | ReversingLabs | |
No Antivirus matches
Domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
github.com | 140.82.114.3 | true | false | | high
objects.githubusercontent.com | 185.199.108.133 | true | true | | unknown
api.msn.com | unknown | unknown | false | | high
IPs
IP | Domain | Country | ASN | ASN Name | Malicious
20.150.38.228 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
140.82.114.3 | github.com | United States | 36459 | GITHUBUS | false
20.150.70.36 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
131.253.33.219 | unknown | United States | 8068 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
185.199.108.133 | objects.githubusercontent.com | Netherlands | 54113 | FASTLYUS | true
204.79.197.203 | unknown | United States | 8068 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
        Joe Sandbox version:40.0.0 Tourmaline
        Analysis ID:1411864
        Start date and time:2024-03-19 16:56:55 +01:00
        Joe Sandbox product:CloudBasic
        Overall analysis duration:
        Hypervisor based Inspection enabled:false
        Report type:full
        Cookbook file name:defaultwindowsinteractivecookbook.jbs
        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
        Number of analysed new started processes analysed:39
        Number of new started drivers analysed:0
        Number of existing processes analysed:0
        Number of existing drivers analysed:0
        Number of injected processes analysed:0
        Technologies:
        • EGA enabled
        Analysis Mode:stream
        Analysis stop reason:Timeout
        Sample name:ep_setup (1).exe
        Detection:MAL
        Classification:mal56.evad.winEXE@18/15@3/40
        Cookbook Comments:
        • Found application associated with file extension: .exe
        • Exclude process from analysis (whitelisted): dllhost.exe, StartMenuExperienceHost.exe, TextInputHost.exe
        • Excluded IPs from analysis (whitelisted): 131.253.33.219, 20.150.38.228, 20.150.79.68, 20.150.70.36, 204.79.197.203, 23.44.201.21, 23.44.201.30, 23.44.201.32, 23.44.201.22, 23.44.201.31, 23.44.201.24, 23.44.201.20, 23.44.201.28, 23.44.201.25, 204.79.197.200, 13.107.21.200, 52.165.165.26, 23.41.168.93, 20.3.187.198, 52.165.164.15
        • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, msdl-microsoft-com.a-0016.a-msedge.net, p-static.bing.trafficmanager.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, msdl.microsoft.com, a-0016.dc-msedge.net, e86303.dscx.akamaiedge.net, login.live.com, e16604.g.akamaiedge.net, r.bing.com, www-bing-com.dual-a-0001.a-msedge.net, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, prod.fs.microsoft.com.akadns.net, glb.sls.prod.dcat.dsp.trafficmanager.net, www.bing.com, fs.microsoft.com, dual-a-0001.a-msedge.net, r.bing.com.edgekey.net, a-0003.a-msedge.net, blob.SAT09PrdStrz08A.trafficmanager.net, vsblobprodscussu5shard6.blob.core.windows.net, www-www.bing.com.trafficmanager.net, fe3cr.delivery.mp.microsoft.com, vsblobprodscussu5shard39.blob.core.windows.net, fe3.delivery.mp.microsoft.com, blob.sat09prdstrz08a.store.core.windows.net, msdl.microsoft.akadns.net, api-msn-com.a-0003.a-msedge.net
• Not all processes were analyzed; the report is missing behavior information
        • Report size getting too big, too many NtCreateKey calls found.
        • Report size getting too big, too many NtEnumerateKey calls found.
        • Report size getting too big, too many NtEnumerateValueKey calls found.
        • Report size getting too big, too many NtOpenKey calls found.
        • Report size getting too big, too many NtOpenKeyEx calls found.
        • Report size getting too big, too many NtProtectVirtualMemory calls found.
        • Report size getting too big, too many NtQueryValueKey calls found.
        • VT rate limit hit for: ep_setup (1).exe
        Process:C:\Users\user\Desktop\ep_setup (1).exe
        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
        Category:dropped
        Size (bytes):194560
        Entropy (8bit):6.5529574189354864
        Encrypted:false
        SSDEEP:
        MD5:C27AD2203D5FF6639080A9D13C6A7626
        SHA1:C8AEE4E32A1AB5F5CEC3B5E8772698B6D14767A3
        SHA-256:15445675495B9F009D4E60CDFCD722D1B067DBD096C03C0142F4627A99CA6EF4
        SHA-512:919F6839268D232EF5FDFCCF8C66754D0D8DF0675E3AFD03DFB95F95F2630CAE8B59A4277EFA74CA3A1ECE59B8E4BB355CD98EBB67FE8769245131E6B99AD1B3
        Malicious:false
        Antivirus:
        • Antivirus: ReversingLabs, Detection: 0%
        Reputation:unknown
        Process:C:\Users\user\Desktop\ep_setup (1).exe
        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
        Category:dropped
        Size (bytes):140184
        Entropy (8bit):6.12329312962629
        Encrypted:false
        SSDEEP:
        MD5:C44BAED957B05B9327BD371DBF0DBE99
        SHA1:80B48C656B8555EBC588DE3DE0EC6C7E75AE4BF1
        SHA-256:AD8BB426A8E438493DB4D703242F373D9CB36D8C13E88B6647CD083716E09BEF
        SHA-512:AD1B76594DCA7CDE6BBCDE55BC3ABE811F9E903E2CF6613D49201E14E789CFC763CB528D499DD2DB84DB097A210D63C7D88CC909CA1C836D831E3519C2CE7B35
        Malicious:false
        Antivirus:
        • Antivirus: ReversingLabs, Detection: 0%
        Reputation:unknown
        Process:C:\Users\user\Desktop\ep_setup (1).exe
        File Type:PE32+ executable (GUI) x86-64, for MS Windows
        Category:dropped
        Size (bytes):117248
        Entropy (8bit):5.848759434272875
        Encrypted:false
        SSDEEP:
        MD5:1349718D211CC2E2E866409D13818836
        SHA1:15B354BACFC771EF941758C59FEF519B305DEA83
        SHA-256:4A8A537EB201D7D05F21BC80855BD277569C7BB733C5128680C85346BF8B8DBD
        SHA-512:09981CC2D7CD0BAA2FD722D9640BA1D65CB6846DF32BFB41C58A888718DC304D39F044570E2A2D86BC9CE592006933A861F8AF75B6D8A089F8253EE555FED0AE
        Malicious:false
        Antivirus:
        • Antivirus: ReversingLabs, Detection: 0%
        Reputation:unknown
        Process:C:\Users\user\Desktop\ep_setup (1).exe
        File Type:PE32+ executable (GUI) x86-64, for MS Windows
        Category:dropped
        Size (bytes):1807872
        Entropy (8bit):6.267596452849626
        Encrypted:false
        SSDEEP:
        MD5:301BFEED86AC1EA67CA70844CAE2A9A2
        SHA1:D3127AABD5C0E8F9F746758564625DC69613FA3F
        SHA-256:5D09D4837727785FF7206B6D01849ED25F29E9B0F9B0634B3918BC20CE3D2515
        SHA-512:6149DF127FFE2FE605BDF8CF8CAF41835C9F1E158B9CDC8143805C3EBEF1F42E533F57F6968F16A9546F72D9A6912189634B548650FF8FB9412BD0C56D3117AB
        Malicious:false
        Reputation:unknown
        Process:C:\Users\user\Desktop\ep_setup (1).exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):26
        Entropy (8bit):3.95006375643621
        Encrypted:false
        SSDEEP:
        MD5:187F488E27DB4AF347237FE461A079AD
        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
        Malicious:false
        Reputation:unknown
        Preview:[ZoneTransfer]....ZoneId=0
        Process:C:\Users\user\Desktop\ep_setup (1).exe
        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
        Category:dropped
        Size (bytes):245248
        Entropy (8bit):5.944315255157023
        Encrypted:false
        SSDEEP:
        MD5:7F4F96D52E0B9A3C38BDAE23F9403D13
        SHA1:5BEFB96A0A34625318A272045EAB8DC7CAABF714
        SHA-256:D015057726D0F4859F176ABD76A8A9DD9C768EE1DBAB8BE4C119659F3B202040
        SHA-512:BE66937FFB11C4275755F9DEA324B43B62DA90EDF5E7D73597BC191F59E77ED39BF2391968D0465743412C8AE5874D30167C695900960E7A5CE29D73B4814207
        Malicious:false
        Antivirus:
        • Antivirus: ReversingLabs, Detection: 0%
        Reputation:unknown
        Process:C:\Users\user\Desktop\ep_setup (1).exe
        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
        Category:dropped
        Size (bytes):111104
        Entropy (8bit):5.899720989391343
        Encrypted:false
        SSDEEP:
        MD5:F69BDAE844AD51764ADFEDD989B50249
        SHA1:DFDC9CB1B74C7B9533C557F4097545F043088886
        SHA-256:8E79419BEFA2CEDC44C051052E1223D0DE769760B18CC3E75F1AD617E92E4132
        SHA-512:7756298416F1398682E7C1A615FBA5AAC71928700C50DE3B9B17F3A79805079FB04E8190D8AFC5E1F8EF2241A74791817C17E948869C725568CF7A6C76F88D76
        Malicious:false
        Antivirus:
        • Antivirus: ReversingLabs, Detection: 0%
        Reputation:unknown
        Process:C:\Users\user\Desktop\ep_setup (1).exe
        File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Icon number=39, Archive, ctime=Thu Sep 8 02:06:01 2022, mtime=Tue Mar 19 14:57:17 2024, atime=Thu Sep 8 02:06:01 2022, length=71680, window=hide
        Category:modified
        Size (bytes):1990
        Entropy (8bit):3.299012457759973
        Encrypted:false
        SSDEEP:
        MD5:7A268DA11570CDDAF5B04DB9AA1B4A36
        SHA1:324928E0A09EA33DD080474A0EDE4D4AA555499D
        SHA-256:A256FE8580345C4B6282EF16E5671141E96DDAC3B7A813BBE4F86AEB9A09BEDE
        SHA-512:3B10BC384DE1DF315314C023A968043544F32852869541E45FD41E1CB5364AC9B32EB1817522FFBE360E02B3820D20D80596CA336C8FC047590F83E357C95AED
        Malicious:false
        Reputation:unknown
        Process:C:\Windows\explorer.exe
        File Type:data
        Category:dropped
        Size (bytes):108920
        Entropy (8bit):4.001489956863572
        Encrypted:false
        SSDEEP:
        MD5:EB41ACED54A3954B5EDF116860884773
        SHA1:7785A619A55D92EADA80FD5C0733A5AAA84F967D
        SHA-256:7E154C3DB0E7B3666D5EDD6E6F7EE65F65CE0E8F5C13F83B005D25585B9C2362
        SHA-512:8A89E58E11908CCA1B549229D9DE66989C24F59BE3800A3CD00486B763195DD7B24EB7316319145F49D7AB07E679B46A25C3798CA89001059F1EC4B99143ED67
        Malicious:false
        Reputation:unknown
        Preview:....h... ...x...(.......P...........(...Y.......^..........h...........W.......e.n.-.C.H.;.e.n.-.G.B..............................P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....N.1...........user..:............................................c.a.l.i.....V.1...........AppData.@............................................A.p.p.D.a.t.a.....V.1...........Roaming.@............................................R.o.a.m.i.n.g.....\.1...........Microsoft.D............................................M.i.c.r.o.s.o.f.t.....V.1...........Windows.@............................................W.i.n.d.o.w.s.....`.1...........Start Menu..F............................................S.t.a.r.t. .M.e.n.u.................... ..........P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....N.1...........user..:............................................c.a.l.i..
        Process:C:\Windows\explorer.exe
        File Type:data
        Category:dropped
        Size (bytes):108920
        Entropy (8bit):4.0010445707938445
        Encrypted:false
        SSDEEP:
        MD5:1F2A36AED7C7E246E53FAC43322A6D04
        SHA1:1F011EBA65F4ADAA6C907BC23745CD40A521A038
        SHA-256:ABBF459B5A34BEDB653AC9578CA47A137691AAD20F61CBD01F5335D4E57698AC
        SHA-512:7EFFCD2EE20339B256C95BA767BF9E0A0E7D4F268A2763B2B0E5BF6E635C83400C088411EB21E3115C93C3FB533516876F32D2EA0361BBEBBBFC077822C13956
        Malicious:false
        Reputation:unknown
        Preview:....h... ...x...(.......P...........(...Y.......^..........h...........W.......e.n.-.C.H.;.e.n.-.G.B..............................P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....N.1...........user..:............................................c.a.l.i.....V.1...........AppData.@............................................A.p.p.D.a.t.a.....V.1...........Roaming.@............................................R.o.a.m.i.n.g.....\.1...........Microsoft.D............................................M.i.c.r.o.s.o.f.t.....V.1...........Windows.@............................................W.i.n.d.o.w.s.....`.1...........Start Menu..F............................................S.t.a.r.t. .M.e.n.u.................... ..........P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....N.1...........user..:............................................c.a.l.i..
        Process:C:\Windows\explorer.exe
        File Type:MSVC program database ver 7.00, 1024*18363 bytes
        Category:dropped
        Size (bytes):18803712
        Entropy (8bit):5.737102497890461
        Encrypted:false
        SSDEEP:
        MD5:C84AE6411BAC88E3A562ECC3F5F80A1B
        SHA1:22C2554E1143DF454DC48D055EB6F470603DBFB7
        SHA-256:766ADFB1144334B173FB47BA0CEFD7358F6B9D14FA656A92842849207A290A36
        SHA-512:7706D7BC50BF175267CF48CADA9C37132AED1F7FBC6E6C156A73391124C2E8E86E4D24348603655853A14195FE8DDD426A82CA773C49F15F076D302ADEE30737
        Malicious:false
        Reputation:unknown
        Preview:
        Process:C:\Windows\explorer.exe
        File Type:JSON data
        Category:dropped
        Size (bytes):619
        Entropy (8bit):5.11189622188248
        Encrypted:false
        SSDEEP:
        MD5:C129D6ADB763BD0BAE4EC63EEEA4E761
        SHA1:0F30E82C7FE57B8AA744349CF578FDD936DDE58B
        SHA-256:EAF3938AEDB0A8BA5E4388A1839AEFA240D6D70AC84A1AD2185F89C227A4ED3D
        SHA-512:72906203A123A49ED20558D9DC498320262D4742796E2DA43432A45C9BCCBF4622B9E749C2CB8125E27374C7DC968EE47AA5B72511AE7B66AFB6F10528A642D4
        Malicious:false
        Reputation:unknown
        Preview:{"serviceContext":{"serviceActivityId":"65f9b5e9-50e9-488b-a95e-fcc8fa9a9d9b","responseCreationDateTime":"0001-01-01T00:00:00","debugId":"65f9b5e9-50e9-488b-a95e-fcc8fa9a9d9b|2024-03-19T15:57:29.7984881Z|fabric_msn|ESU|News_552"},"expirationDateTime":"0001-01-01T00:00:00","showBadge":false,"settings":{"refreshIntervalMinutes":0,"feedEnabled":true,"evolvedNotificationLifecycleEnabled":false,"webView2Enabled":false,"webView2EnabledV1":false,"flyoutV2EndpointEnabled":false,"showAnimation":false,"useTallerFlyoutSize":false,"useDynamicHeight":false,"useWiderFlyoutSize":false,"reclaimEnabled":false},"isPartial":false}
        Process:C:\Windows\explorer.exe
        File Type:MSVC program database ver 7.00, 4096*9067 bytes
        Category:dropped
        Size (bytes):37138432
        Entropy (8bit):5.6992441330393016
        Encrypted:false
        SSDEEP:
        MD5:6EC8937793ABCA33686E941850AC379C
        SHA1:C33459B6BBAB2E5D0051557E0AA6E35266145CA1
        SHA-256:05E269FF0DD07EBF0B82857327B060CD5AF27870B88219C9257510E0AF312B52
        SHA-512:6FF4CBBA814245A5E3269191BB63E7A82DC40D7D7F862C17F6651F28CDB640023143057CAB4E54DCA20C77C5C515EA0EAC05883CE50CD4F1FB84F2DFB2B7CF51
        Malicious:false
        Reputation:unknown
        Preview:
        Process:C:\Windows\explorer.exe
        File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 1280x1024, components 3
        Category:dropped
        Size (bytes):21107
        Entropy (8bit):2.3082705768019958
        Encrypted:false
        SSDEEP:
        MD5:CF7BB7C73EEBF9504B46C827ED064F60
        SHA1:AFF4E3C6F2A1F2B0673345870C85390E2E85390C
        SHA-256:F46620F73F2ABAFCB3622CE5B672314F18350E92B7BD6C765CAE5556A994550B
        SHA-512:AC6DE3341F3774EDDA4495AB79000D39AC9CBAC14426646E92D00858CA0041027A50B8AE39DEFEFF891AE32DD5FE70280419598A8BFAE139CA87B476068EE4D3
        Malicious:false
        Reputation:unknown
        Preview:
        Process:C:\Users\user\Desktop\ep_setup (1).exe
        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
        Category:dropped
        Size (bytes):609280
        Entropy (8bit):6.313832183833851
        Encrypted:false
        SSDEEP:
        MD5:78959CAA05476F8E6BD80F8377BB1AAD
        SHA1:B4930866AE79BCC89E6F6DC0A01F37E0AA67D310
        SHA-256:C93B8C9521629FF8D50FE221B6863CF56010426C83D07F39608DDCD8E2207503
        SHA-512:BA21722E4DA386D9DFC7994FE64F7698BFED891EA804C418CFBFCE797325F565AE53A22A0E308C3D795BEA70D58AE4F6CB942ED883C9E8DAF386427F1C5892EF
        Malicious:false
        Antivirus:
        • Antivirus: ReversingLabs, Detection: 0%
        Reputation:unknown
        Preview:
        File type:PE32+ executable (GUI) x86-64, for MS Windows
        Entropy (8bit):6.267596452849626
        TrID:
        • Win64 Executable GUI (202006/5) 60.38%
        • Windows ActiveX control (116523/4) 34.83%
        • Win64 Executable (generic) (12005/4) 3.59%
        • Generic Win/DOS Executable (2004/3) 0.60%
        • DOS Executable Generic (2002/1) 0.60%
        File name:ep_setup (1).exe
        File size:1'807'872 bytes
        MD5:301bfeed86ac1ea67ca70844cae2a9a2
        SHA1:d3127aabd5c0e8f9f746758564625dc69613fa3f
        SHA256:5d09d4837727785ff7206b6d01849ed25f29e9b0f9b0634b3918bc20ce3d2515
        SHA512:6149df127ffe2fe605bdf8cf8caf41835c9f1e158b9cdc8143805c3ebef1f42e533f57f6968f16a9546f72d9a6912189634b548650ff8fb9412bd0c56d3117ab
        SSDEEP:24576:7+7eblajdYRXSeOVgWxv333pQ/z/gpbdi/v:K7eRajdVe2xvHC7kbw/
        TLSH:50857C1273E401BAF1B3A73889B35602EB76B8151B71DB9F02A442595F33781DD3AF62
        File Content Preview:
        Icon Hash:90cececece8e8eb0
        Entrypoint:0x1400054a4
        Entrypoint Section:.text
        Digitally signed:false
        Imagebase:0x140000000
        Subsystem:windows gui
        Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
        DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
        Time Stamp:0x626C8BB0 [Sat Apr 30 01:06:56 2022 UTC]
        TLS Callbacks:
        CLR (.Net) Version:
        OS Version Major:6
        OS Version Minor:0
        File Version Major:6
        File Version Minor:0
        Subsystem Version Major:6
        Subsystem Version Minor:0
        Import Hash:d650dcf7294101d9282eb76369fafe52
        Instruction
        dec eax
        sub esp, 28h
        call 00007F39856B22D0h
        dec eax
        add esp, 28h
        jmp 00007F39856B1EEFh
        int3
        int3
        dec eax
        sub esp, 28h
        call 00007F39856B283Ch
        test eax, eax
        je 00007F39856B2093h
        dec eax
        mov eax, dword ptr [00000030h]
        dec eax
        mov ecx, dword ptr [eax+08h]
        jmp 00007F39856B2077h
        dec eax
        cmp ecx, eax
        je 00007F39856B2086h
        xor eax, eax
        dec eax
        cmpxchg dword ptr [00029B54h], ecx
        jne 00007F39856B2060h
        xor al, al
        dec eax
        add esp, 28h
        ret
        mov al, 01h
        jmp 00007F39856B2069h
        int3
        int3
        int3
        inc eax
        push ebx
        dec eax
        sub esp, 20h
        movzx eax, byte ptr [00029B3Fh]
        test ecx, ecx
        mov ebx, 00000001h
        cmove eax, ebx
        mov byte ptr [00029B2Fh], al
        call 00007F39856B2643h
        call 00007F39856B2A82h
        test al, al
        jne 00007F39856B2076h
        xor al, al
        jmp 00007F39856B2086h
        call 00007F39856BDAB1h
        test al, al
        jne 00007F39856B207Bh
        xor ecx, ecx
        call 00007F39856B2A92h
        jmp 00007F39856B205Ch
        mov al, bl
        dec eax
        add esp, 20h
        pop ebx
        ret
        int3
        int3
        int3
        inc eax
        push ebx
        dec eax
        sub esp, 20h
        cmp byte ptr [00029AF4h], 00000000h
        mov ebx, ecx
        jne 00007F39856B20D9h
        cmp ecx, 01h
        jnbe 00007F39856B20DCh
        call 00007F39856B27A2h
        test eax, eax
        je 00007F39856B209Ah
        test ebx, ebx
        jne 00007F39856B2096h
        dec eax
        lea ecx, dword ptr [00029ADEh]
        call 00007F39856B20CEh
        Programming Language:
        • [IMP] VS2008 SP1 build 30729
        Name | Virtual Address | Virtual Size | Is in Section
        IMAGE_DIRECTORY_ENTRY_EXPORT | 0x2c610 | 0xbc | .rdata
        IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2c6cc | 0x118 | .rdata
        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x33000 | 0x18a1a8 | .rsrc
        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x30000 | 0x1740 | .pdata
        IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1be000 | 0x6dc | .reloc
        IMAGE_DIRECTORY_ENTRY_DEBUG | 0x2a820 | 0x70 | .rdata
        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x2a890 | 0x138 | .rdata
        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_IAT | 0x1f000 | 0x5b8 | .rdata
        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
        Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
        .text | 0x1000 | 0x1d600 | 0x1d600 | 121d2dad23c1b2f67058600147d9f4de | False | 0.549044215425532 | data | 6.4817223000673545 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        .rdata | 0x1f000 | 0xea8a | 0xec00 | 8901ef05fefcc78a2e4d127e108c1cbb | False | 0.412159030720339 | data | 4.883042812785964 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
        .data | 0x2e000 | 0x1f20 | 0xc00 | a09b72f51840c939cb3a7546936861e6 | False | 0.1376953125 | data | 1.9447019092655964 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
        .pdata | 0x30000 | 0x1740 | 0x1800 | d3a19c6b5fd5480782492695f841f7da | False | 0.4744466145833333 | PEX Binary Archive | 5.189130105792291 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
        _RDATA | 0x32000 | 0xfc | 0x200 | 34ead047c9b49e295e6ef836c6807393 | False | 0.291015625 | data | 1.9516971520131783 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
        .rsrc | 0x33000 | 0x18a1a8 | 0x18a200 | 383699f098f0daa41d03922482c31632 | False | 0.4537419719314938 | data | 6.2717828889127265 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
        .reloc | 0x1be000 | 0x6dc | 0x800 | 4f3779ed912385e3b5240b0c1cb1bd5d | False | 0.52978515625 | data | 5.083498025474596 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
        Name | RVA | Size | Type | Language | Country | ZLIB Complexity
        RT_RCDATA | 0x33590 | 0x94c00 | PE32+ executable (DLL) (console) x86-64, for MS Windows | English | United States | 0.45692128413865546
        RT_RCDATA | 0xc8190 | 0x2f800 | PE32 executable (DLL) (console) Intel 80386, for MS Windows | English | United States | 0.46023334703947366
        RT_RCDATA | 0xf7990 | 0x1ca00 | PE32+ executable (GUI) x86-64, for MS Windows | English | United States | 0.49584641102620086
        RT_RCDATA | 0x114390 | 0x3be00 | PE32+ executable (DLL) (GUI) x86-64, for MS Windows | English | United States | 0.4281135829853862
        RT_RCDATA | 0x150190 | 0x1b200 | PE32+ executable (DLL) (console) x86-64, for MS Windows | English | United States | 0.5039602534562212
        RT_RCDATA | 0x18d728 | 0x2f800 | PE32+ executable (DLL) (console) x86-64, for MS Windows | English | United States | 0.3707802220394737
        RT_RCDATA | 0x16b390 | 0x22398 | PE32+ executable (DLL) (console) x86-64, for MS Windows | English | United States | 0.5101509444729784
        RT_VERSION | 0x33210 | 0x37c | data | English | United States | 0.452914798206278
        RT_MANIFEST | 0x1bcf28 | 0x27e | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5517241379310345
        DLL | Import
        KERNEL32.dll | GetWindowsDirectoryW, LocalFree, GetCurrentProcessId, CreateProcessW, GetModuleHandleW, GetProcessTimes, GetExitCodeProcess, FindFirstFileW, SetLastError, WriteFile, FindClose, CreateThread, GetCurrentDirectoryW, GetProcAddress, FreeLibrary, CopyFileW, CreateSymbolicLinkW, MoveFileW, LoadLibraryExW, WriteConsoleW, SetEndOfFile, HeapReAlloc, HeapSize, ReadConsoleW, FlushFileBuffers, FindResourceW, GetStringTypeW, SetStdHandle, FreeEnvironmentStringsW, GetEnvironmentStringsW, WideCharToMultiByte, GetCommandLineW, GetCommandLineA, GetCPInfo, GetOEMCP, GetACP, IsValidCodePage, FindNextFileW, FindFirstFileExW, MultiByteToWideChar, SetFilePointerEx, GetConsoleMode, GetConsoleOutputCP, LCMapStringW, LoadResource, FreeConsole, CloseHandle, DeleteFileW, LockResource, GetLastError, Sleep, CreateEventW, OpenProcess, FreeResource, GetSystemDirectoryW, GetCurrentThreadId, CreateFileW, LocalAlloc, WaitForSingleObject, GetModuleFileNameW, TerminateProcess, GetCurrentProcess, GetFileSizeEx, SizeofResource, ReadFile, GetProcessHeap, CreateDirectoryW, FlsFree, FlsSetValue, FlsGetValue, FlsAlloc, GetFileType, HeapFree, HeapAlloc, GetStdHandle, GetModuleHandleExW, ExitProcess, RtlPcToFileHeader, RaiseException, EncodePointer, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, RtlUnwindEx, GetStartupInfoW, IsDebuggerPresent, InitializeSListHead, GetSystemTimeAsFileTime, QueryPerformanceCounter, IsProcessorFeaturePresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, RtlVirtualUnwind, RtlLookupFunctionEntry, RtlCaptureContext
        USER32.dll | DispatchMessageW, RegisterClassExW, FindWindowW, LoadIconW, TranslateMessage, wsprintfW, ExitWindowsEx, LoadCursorW, SetProcessDpiAwarenessContext, SendMessageTimeoutW, SendMessageW, LoadStringW, GetWindowThreadProcessId, GetMessageW, DefWindowProcW, MessageBoxW, CreateWindowExW
        ADVAPI32.dll | RegDeleteKeyW, AllocateAndInitializeSid, RegDeleteKeyValueW, RegCreateKeyExW, RegDeleteTreeW, RegSetValueExW, FreeSid, CheckTokenMembership, RegGetValueW, RegOpenKeyW, LookupPrivilegeValueW, AdjustTokenPrivileges, RegCloseKey, CryptAcquireContextW, CryptCreateHash, CryptHashData, CryptDestroyHash, OpenProcessToken, RegOpenKeyExW, CryptGetHashParam, RegQueryValueExW, CryptReleaseContext
        SHELL32.dll | ShellExecuteExW, SHGetFolderPathW, ShellExecuteW, SHFileOperationW, CommandLineToArgvW, Shell_NotifyIconW
        ole32.dll | CoCreateInstance, CoInitialize, CoUninitialize
        OLEAUT32.dll | SysFreeString
        RstrtMgr.DLL | RmEndSession, RmRestart, RmGetList, RmShutdown, RmStartSession, RmRegisterResources
        api-ms-win-core-winrt-string-l1-1-0.dll | WindowsCreateStringReference
        api-ms-win-core-winrt-l1-1-0.dll | RoGetActivationFactory, RoInitialize, RoActivateInstance
        VERSION.dll | VerQueryValueW
        PSAPI.DLL | EnumProcesses, GetProcessImageFileNameW
        WININET.dll | InternetCloseHandle, InternetOpenW, InternetReadFile, InternetOpenUrlW
        SHLWAPI.dll | PathRemoveFileSpecW, PathRemoveExtensionW, PathFileExistsW, PathStripPathW
        Name | Ordinal | Address
        ZZLaunchExplorer | 1 | 0x140001b30
        ZZLaunchExplorerDelayed | 2 | 0x140001c40
        ZZRestartExplorer | 3 | 0x140001c90
        ZZTestBalloon | 4 | 0x140001590
        ZZTestToast | 5 | 0x1400017a0
        Language of compilation system | Country where language is spoken | Map
        English | United States |