Windows Analysis Report
https://github.com/valinet/ExplorerPatcher

Overview

General Information

Sample URL: https://github.com/valinet/ExplorerPatcher
Analysis ID: 1515754

Detection

Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
System process connects to network (likely due to code injection or exploit)
Query firmware table information (likely to detect VMs)
Sigma detected: Explorer NOUACCHECK Flag
Contains capabilities to detect virtual machines
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found dropped PE file which has not been started or loaded
HTML page contains hidden javascript code
Queries the volume information (name, serial number etc) of a device
Registers a DLL
Sigma detected: Conhost Spawned By Uncommon Parent Process
Stores files to the Windows start menu directory
Uses taskkill to terminate processes

Classification

  • System is w10x64_ra
  • chrome.exe (PID: 1796 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://github.com/valinet/ExplorerPatcher MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
    • chrome.exe (PID: 7024 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 --field-trial-handle=1952,i,18433083930356474953,1962578405358936012,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
    • chrome.exe (PID: 7688 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5672 --field-trial-handle=1952,i,18433083930356474953,1962578405358936012,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
    • ep_setup.exe (PID: 7972 cmdline: "C:\Users\user\Downloads\ep_setup.exe" MD5: 45A5A443C01ABD7618EFEF4827241312)
      • taskkill.exe (PID: 8028 cmdline: "C:\Windows\system32\taskkill.exe" /f /im explorer.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
        • conhost.exe (PID: 8036 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • sc.exe (PID: 8132 cmdline: "C:\Windows\system32\sc.exe" stop ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
        • conhost.exe (PID: 8140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • sc.exe (PID: 1428 cmdline: "C:\Windows\system32\sc.exe" start ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
        • conhost.exe (PID: 6644 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • regsvr32.exe (PID: 2212 cmdline: "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\ExplorerPatcher\ep_weather_host.dll" MD5: B0C2FA35D14A9FAD919E99D9D75E1B9E)
      • regsvr32.exe (PID: 7452 cmdline: "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\ExplorerPatcher\ep_weather_host_stub.dll" MD5: B0C2FA35D14A9FAD919E99D9D75E1B9E)
      • explorer.exe (PID: 3364 cmdline: "C:\Windows\explorer.exe" MD5: 662F4F92FDE3557E86D110526BB578D5)
  • rundll32.exe (PID: 8188 cmdline: C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding MD5: EF3179D498793BF4234F708D3BE28633)
  • explorer.exe (PID: 7516 cmdline: C:\Windows\explorer.exe /NoUACCheck MD5: 662F4F92FDE3557E86D110526BB578D5)
    • rundll32.exe (PID: 5832 cmdline: "C:\Windows\System32\rundll32.exe" "C:\Program Files\ExplorerPatcher\ep_gui.dll",ZZGUI MD5: EF3179D498793BF4234F708D3BE28633)
      • regsvr32.exe (PID: 4668 cmdline: "C:\Windows\system32\regsvr32.exe" "C:\Program Files\ExplorerPatcher\ExplorerPatcher.amd64.dll" MD5: B0C2FA35D14A9FAD919E99D9D75E1B9E)
    • conhost.exe (PID: 1816 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No yara matches

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: C:\Windows\explorer.exe /NoUACCheck, CommandLine: C:\Windows\explorer.exe /NoUACCheck, CommandLine|base64offset|contains: y, Image: C:\Windows\explorer.exe, NewProcessName: C:\Windows\explorer.exe, OriginalFileName: C:\Windows\explorer.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1136, ProcessCommandLine: C:\Windows\explorer.exe /NoUACCheck, ProcessId: 7516, ProcessName: explorer.exe
Source: Process started | Author: Tim Rauch | Data: Command: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, CommandLine: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, CommandLine|base64offset|contains: }}, Image: C:\Windows\System32\conhost.exe, NewProcessName: C:\Windows\System32\conhost.exe, OriginalFileName: C:\Windows\System32\conhost.exe, ParentCommandLine: C:\Windows\explorer.exe /NoUACCheck, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 7516, ParentProcessName: explorer.exe, ProcessCommandLine: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, ProcessId: 1816, ProcessName: conhost.exe
No Suricata rule has matched

AV Detection

Source: C:\Users\user\Downloads\Unconfirmed 363220.crdownload | ReversingLabs: Detection: 20%
Source: https://github.com/valinet/ExplorerPatcher/releases/tag/22621.3880.66.6_92fce8c | HTTP Parser: Base64 decoded: {"referrer":"https://github.com/valinet/ExplorerPatcher","request_id":"3299:5F600:3C18DDB:3D5F07B:66F14F55","visitor_id":"7034977482762702670","region_edge":"fra","region_render":"fra"}
Source: C:\Users\user\Downloads\ep_setup.exe | Directory created: C:\Program Files\ExplorerPatcher
Source: C:\Users\user\Downloads\ep_setup.exe | Directory created: C:\Program Files\ExplorerPatcher\ep_setup.exe
Source: C:\Users\user\Downloads\ep_setup.exe | Directory created: C:\Program Files\ExplorerPatcher\ExplorerPatcher.IA-32.dll
Source: C:\Users\user\Downloads\ep_setup.exe | Directory created: C:\Program Files\ExplorerPatcher\ExplorerPatcher.amd64.dll
Source: C:\Users\user\Downloads\ep_setup.exe | Directory created: C:\Program Files\ExplorerPatcher\ep_gui.dll
Source: C:\Users\user\Downloads\ep_setup.exe | Directory created: C:\Program Files\ExplorerPatcher\ep_dwm.exe
Source: C:\Users\user\Downloads\ep_setup.exe | Directory created: C:\Program Files\ExplorerPatcher\ep_weather_host.dll
Source: C:\Users\user\Downloads\ep_setup.exe | Directory created: C:\Program Files\ExplorerPatcher\ep_weather_host_stub.dll
Source: C:\Users\user\Downloads\ep_setup.exe | Directory created: C:\Program Files\ExplorerPatcher\WebView2Loader.dll
Source: C:\Users\user\Downloads\ep_setup.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D17F1E1A-5919-4427-8F89-A1A8503CA3EB}_ExplorerPatcher
Source: chrome.exe | Memory has grown: Private usage: 19MB later: 27MB

Networking

Source: C:\Windows\explorer.exe | Network Connect: 140.82.121.3 443
Source: C:\Windows\explorer.exe | Network Connect: 185.199.110.133 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49735 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49999 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49712 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49918 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49873 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49787 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49930 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49745 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 50001 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49986 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49850 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49757 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49799
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50007
Source: unknownNetwork traffic detected: HTTP traffic on port 49734 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49798
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50006
Source: unknownNetwork traffic detected: HTTP traffic on port 50012 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49797
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50009
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49796
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50008
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49795
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49794
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49793
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49792
Source: unknownNetwork traffic detected: HTTP traffic on port 49814 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49791
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50001
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50003
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50005
Source: unknownNetwork traffic detected: HTTP traffic on port 49895 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50004
Source: unknownNetwork traffic detected: HTTP traffic on port 49768 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49723 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49825 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49683 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49884 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49907 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49941 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49789
Source: unknownNetwork traffic detected: HTTP traffic on port 49733 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49710 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49779 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49859 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49871 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49894 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 50003 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49965 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49799 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49942 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49977 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49816 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49919 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49954 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 50014 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49788 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49988 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49767 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49721 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49827 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49848 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49882 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49756 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49838 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49815 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49722 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49908 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49860 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49883 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49778 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49755 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49998 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49673 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49931 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49804 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49744 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49987 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49920 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49708 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49926 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49789 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49800 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49766 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49743 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49961 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49720 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49881 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49675 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49732 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49996 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 50010 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49812 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49858 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49893 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49915 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49823 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49777 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49869 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49674 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49731 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 50009 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49834 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49892 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49904 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49847 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49709 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49927 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49822 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49870 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49765 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49938 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49811 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49754 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50018
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50017
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50019
Source: unknownNetwork traffic detected: HTTP traffic on port 49813 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49951 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50010
Source: unknownNetwork traffic detected: HTTP traffic on port 49836 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49916 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50012
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50011
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50014
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50013
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50016
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50015
Source: unknownNetwork traffic detected: HTTP traffic on port 49939 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49776 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49845 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49791 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49868 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49753 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49707 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50021
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50020
Source: unknownNetwork traffic detected: HTTP traffic on port 49742 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49879 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49985 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49802 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 50021 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49905 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49718 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49995 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 50011 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49928 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49741 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49857 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49764 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49719 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49801 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49940 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49824 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49891 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49730 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49835 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49917 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49880 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49775 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49846 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49792 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49890 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49970 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 50007 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49878 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49912 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49935 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49717 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49889 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49866 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49820 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49946 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 50018 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49728 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49763 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49855 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49752 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49901 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49924 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49819 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49844 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49947 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49729 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49793 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49831 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49751 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49774 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49677 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49994 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 50020 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49856 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49913 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49808 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 50006 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49867 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49821
Source: unknownNetwork traffic detected: HTTP traffic on port 49865 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49942
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49820
Source: unknownNetwork traffic detected: HTTP traffic on port 49842 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49941
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49940
Source: unknownNetwork traffic detected: HTTP traffic on port 49727 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49762 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49833 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49819
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49818
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49939
Source: unknownNetwork traffic detected: HTTP traffic on port 49810 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49817
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49938
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49816
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49937
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49815
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49936
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49814
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49935
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49813
Source: unknownNetwork traffic detected: HTTP traffic on port 49902 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49934
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49812
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49933
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49811
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49932
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49810
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49931
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49930
Source: unknownNetwork traffic detected: HTTP traffic on port 49925 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 50008 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49794 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49936 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49876 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49809
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49808
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49807
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49928
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49806
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49927
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49805
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49926
Source: unknownHTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.16:49837 version: TLS 1.2
Source: unknownHTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.16:49838 version: TLS 1.2
Source: unknownHTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.16:49858 version: TLS 1.2
Source: unknownHTTPS traffic detected: 20.190.160.20:443 -> 192.168.2.16:49951 version: TLS 1.2
Source: unknownHTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.16:49954 version: TLS 1.2
Source: unknownHTTPS traffic detected: 185.199.110.133:443 -> 192.168.2.16:49965 version: TLS 1.2
Source: unknownHTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.16:49970 version: TLS 1.2
Source: unknownHTTPS traffic detected: 150.171.27.10:443 -> 192.168.2.16:49986 version: TLS 1.2
Source: unknownHTTPS traffic detected: 150.171.27.10:443 -> 192.168.2.16:49985 version: TLS 1.2
Source: unknownHTTPS traffic detected: 150.171.27.10:443 -> 192.168.2.16:49987 version: TLS 1.2
Source: unknownHTTPS traffic detected: 150.171.27.10:443 -> 192.168.2.16:49988 version: TLS 1.2
Source: unknownHTTPS traffic detected: 150.171.27.10:443 -> 192.168.2.16:49990 version: TLS 1.2
Source: unknownHTTPS traffic detected: 150.171.27.10:443 -> 192.168.2.16:49991 version: TLS 1.2
Source: unknownHTTPS traffic detected: 13.107.237.254:443 -> 192.168.2.16:49994 version: TLS 1.2
Source: unknownHTTPS traffic detected: 13.107.237.254:443 -> 192.168.2.16:49995 version: TLS 1.2
Source: unknownHTTPS traffic detected: 131.253.33.254:443 -> 192.168.2.16:49996 version: TLS 1.2
Source: unknownHTTPS traffic detected: 150.171.28.10:443 -> 192.168.2.16:50014 version: TLS 1.2
Source: unknownHTTPS traffic detected: 20.223.35.26:443 -> 192.168.2.16:50013 version: TLS 1.2
Source: unknownHTTPS traffic detected: 150.171.28.10:443 -> 192.168.2.16:50015 version: TLS 1.2
Source: unknownHTTPS traffic detected: 2.23.209.131:443 -> 192.168.2.16:50016 version: TLS 1.2
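The port lines above are written once per direction and are keyed only on the sandbox host's ephemeral port (Windows' default dynamic range starts at 49152); the sandbox labels any port-443 activity "HTTP traffic", and only the "HTTPS traffic detected" lines name the peer address and TLS version. The Python below is an added example, not part of the Joe Sandbox report: it joins the two record types on the client port, so that each flow is attributed to a server IP where a handshake was recorded and the rest are listed as unattributable from this section alone. The sample lines are a selection copied from the report (one left in the run-together spelling the extraction produced); the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the network section of the report.
# Both the separated ("Source: unknown | ...") and the extraction-fused
# ("Source: unknownNetwork ...") spellings occur, on purpose.
SAMPLE_NETWORK_LINES = """
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49994
Source: unknown | Network traffic detected: HTTP traffic on port 49994 -> 443
Source: unknown | HTTPS traffic detected: 13.107.237.254:443 -> 192.168.2.16:49994 version: TLS 1.2
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49995
Source: unknown | Network traffic detected: HTTP traffic on port 49995 -> 443
Source: unknown | HTTPS traffic detected: 13.107.237.254:443 -> 192.168.2.16:49995 version: TLS 1.2
Source: unknown | Network traffic detected: HTTP traffic on port 49986 -> 443
Source: unknown | HTTPS traffic detected: 150.171.27.10:443 -> 192.168.2.16:49986 version: TLS 1.2
Source: unknown | Network traffic detected: HTTP traffic on port 49985 -> 443
Source: unknown | HTTPS traffic detected: 150.171.27.10:443 -> 192.168.2.16:49985 version: TLS 1.2
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49999
Source: unknown | Network traffic detected: HTTP traffic on port 49999 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49751
"""

PORT_RE = re.compile(r"HTTP traffic on port (\d+) -> (\d+)")
TLS_RE = re.compile(
    r"HTTPS traffic detected: (\d+\.\d+\.\d+\.\d+):(\d+) -> "
    r"(\d+\.\d+\.\d+\.\d+):(\d+) version: (TLS [\d.]+)"
)

# Windows' default dynamic (ephemeral) client port range.
EPHEMERAL_LOW, EPHEMERAL_HIGH = 49152, 65535


def _new_flow():
    return {"inbound": False, "outbound": False, "server": None, "client": None, "tls": None}


def correlate_flows(text, server_port=443):
    """Key every record on the sandbox host's ephemeral port and merge the
    per-direction port records with the TLS record for the same flow."""
    flows = {}
    for line in text.splitlines():
        m = PORT_RE.search(line)
        if m:
            src, dst = int(m.group(1)), int(m.group(2))
            if src == server_port and EPHEMERAL_LOW <= dst <= EPHEMERAL_HIGH:
                flows.setdefault(dst, _new_flow())["inbound"] = True    # server -> client
            elif dst == server_port and EPHEMERAL_LOW <= src <= EPHEMERAL_HIGH:
                flows.setdefault(src, _new_flow())["outbound"] = True   # client -> server
            continue
        m = TLS_RE.search(line)
        if m:
            server_ip, _server_port, client_ip, client_port, version = m.groups()
            rec = flows.setdefault(int(client_port), _new_flow())
            rec.update(server=server_ip, client=client_ip, tls=version)
    return flows


def flows_by_server(flows):
    """Server IP -> sorted client ports that completed a TLS handshake to it."""
    grouped = defaultdict(list)
    for port, rec in flows.items():
        if rec["server"]:
            grouped[rec["server"]].append(port)
    return {ip: sorted(ports) for ip, ports in grouped.items()}


def unattributed_flows(flows):
    """Client ports with port-443 activity but no TLS record: no peer address
    can be named for them from these lines alone."""
    return sorted(port for port, rec in flows.items() if rec["server"] is None)


if __name__ == "__main__":
    flows = correlate_flows(SAMPLE_NETWORK_LINES)
    for ip, ports in sorted(flows_by_server(flows).items()):
        print(f"{ip:16} {len(ports)} flow(s) on client ports {ports}")
    print("no TLS record for client ports:", unattributed_flows(flows))
```

Run against the full section, the same join shows which of the 150.171.27.10 and 13.107.237.254 flows are the ones with a recorded handshake; a client port that appears only as "443 -> port" has no recorded outbound side and no peer, so it should not be reported as a contacted host.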
Source: C:\Users\user\Downloads\ep_setup.exe | File created: C:\Windows\dxgi.dll
Source: C:\Users\user\Downloads\ep_setup.exe | File created: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\dxgi.dll
Source: classification engine | Classification label: mal64.evad.win@39/25@39/183
Source: C:\Users\user\Downloads\ep_setup.exe | File created: C:\Program Files\ExplorerPatcher
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6644:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8036:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8140:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1816:120:WilError_03
Source: C:\Windows\System32\rundll32.exe | File created: C:\Users\user\AppData\Local\Temp\eptE279.tmp
Source: C:\Users\user\Downloads\ep_setup.exe | Process created: C:\Windows\explorer.exe
Source: unknown | Process created: C:\Windows\explorer.exe
Source: C:\Users\user\Downloads\ep_setup.exe | Process created: C:\Windows\explorer.exe
Source: C:\Windows\System32\taskkill.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "explorer.exe")
Source: C:\Users\user\Downloads\ep_setup.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Downloads\ep_setup.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
Source: unknown | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://github.com/valinet/ExplorerPatcher
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 --field-trial-handle=1952,i,18433083930356474953,1962578405358936012,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 --field-trial-handle=1952,i,18433083930356474953,1962578405358936012,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5672 --field-trial-handle=1952,i,18433083930356474953,1962578405358936012,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Users\user\Downloads\ep_setup.exe "C:\Users\user\Downloads\ep_setup.exe"
Source: C:\Users\user\Downloads\ep_setup.exe | Process created: C:\Windows\System32\taskkill.exe "C:\Windows\system32\taskkill.exe" /f /im explorer.exe
Source: C:\Windows\System32\taskkill.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Downloads\ep_setup.exe | Process created: C:\Windows\System32\sc.exe "C:\Windows\system32\sc.exe" stop ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5672 --field-trial-handle=1952,i,18433083930356474953,1962578405358936012,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Users\user\Downloads\ep_setup.exe "C:\Users\user\Downloads\ep_setup.exe"
Source: C:\Users\user\Downloads\ep_setup.exe | Process created: C:\Windows\System32\taskkill.exe "C:\Windows\system32\taskkill.exe" /f /im explorer.exe
Source: C:\Users\user\Downloads\ep_setup.exe | Process created: C:\Windows\System32\sc.exe "C:\Windows\system32\sc.exe" start ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Downloads\ep_setup.exe | Process created: C:\Windows\System32\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\ExplorerPatcher\ep_weather_host.dll"
Source: C:\Users\user\Downloads\ep_setup.exe | Process created: C:\Windows\System32\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\ExplorerPatcher\ep_weather_host_stub.dll"
Source: C:\Users\user\Downloads\ep_setup.exe | Process created: C:\Windows\explorer.exe "C:\Windows\explorer.exe"
Source: unknown | Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe /NoUACCheck
Source: C:\Users\user\Downloads\ep_setup.exe | Process created: C:\Windows\System32\sc.exe "C:\Windows\system32\sc.exe" stop ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB
Source: C:\Users\user\Downloads\ep_setup.exe | Process created: C:\Windows\System32\sc.exe "C:\Windows\system32\sc.exe" start ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB
Source: C:\Users\user\Downloads\ep_setup.exe | Process created: C:\Windows\System32\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\ExplorerPatcher\ep_weather_host.dll"
Source: C:\Users\user\Downloads\ep_setup.exe | Process created: C:\Windows\System32\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\ExplorerPatcher\ep_weather_host_stub.dll"
Source: C:\Users\user\Downloads\ep_setup.exe | Process created: C:\Windows\explorer.exe "C:\Windows\explorer.exe"
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\rundll32.exe "C:\Windows\System32\rundll32.exe" "C:\Program Files\ExplorerPatcher\ep_gui.dll",ZZGUI
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\rundll32.exe "C:\Windows\System32\rundll32.exe" "C:\Program Files\ExplorerPatcher\ep_gui.dll",ZZGUI
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\System32\regsvr32.exe "C:\Windows\system32\regsvr32.exe" "C:\Program Files\ExplorerPatcher\ExplorerPatcher.amd64.dll"
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
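The file-creation and process-creation lines above record the installer's sequence: ep_setup.exe writes dxgi.dll into C:\Windows and into the StartMenuExperienceHost package folder (a dxgi.dll beside explorer.exe is loaded ahead of the System32 copy, which is how the patcher gets its code into that process, and why the report flags "Drops PE files to the windows directory"), kills explorer.exe with taskkill, stops and starts the ep_dwm service, registers its DLLs with regsvr32, and relaunches explorer.exe, which then runs ep_gui.dll through rundll32. The Python below is an added example, not part of the Joe Sandbox report or of ExplorerPatcher: it parses those two line types, rebuilds the parent/child tree and re-derives the signatures the sandbox raised as explicit rules over the command lines. The rule names and the "outside System32" criterion are this example's own; the sample is a selection copied from the lines above, one of them kept in the run-together spelling the extraction produced.

```python
import re
from dataclasses import dataclass

# Constructed sample: process-creation and file-creation lines copied from the
# report; the sc.exe line is left in the extraction-fused spelling on purpose.
SAMPLE_EVENT_LINES = r"""
Source: C:\Users\user\Downloads\ep_setup.exe | File created: C:\Windows\dxgi.dll
Source: C:\Users\user\Downloads\ep_setup.exe | File created: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\dxgi.dll
Source: C:\Users\user\Downloads\ep_setup.exe | File created: C:\Program Files\ExplorerPatcher
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Users\user\Downloads\ep_setup.exe "C:\Users\user\Downloads\ep_setup.exe"
Source: C:\Users\user\Downloads\ep_setup.exe | Process created: C:\Windows\System32\taskkill.exe "C:\Windows\system32\taskkill.exe" /f /im explorer.exe
Source: C:\Windows\System32\taskkill.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Downloads\ep_setup.exeProcess created: C:\Windows\System32\sc.exe "C:\Windows\system32\sc.exe" stop ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB
Source: C:\Users\user\Downloads\ep_setup.exe | Process created: C:\Windows\System32\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\ExplorerPatcher\ep_weather_host.dll"
Source: C:\Users\user\Downloads\ep_setup.exe | Process created: C:\Windows\explorer.exe "C:\Windows\explorer.exe"
Source: unknown | Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe /NoUACCheck
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\rundll32.exe "C:\Windows\System32\rundll32.exe" "C:\Program Files\ExplorerPatcher\ep_gui.dll",ZZGUI
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
"""

# The source column may be fused to the category ("...exeProcess created:") or
# separated by " | "; the non-greedy source group copes with both.
EVENT_RE = re.compile(r"^Source: (?P<src>.*?)(?: \| )?(?P<kind>Process created|File created): (?P<rest>.+)$")

WINDOWS_DIR = "c:\\windows\\"
SYSTEM_BINARY_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


@dataclass
class Event:
    source: str      # creating process (the report's "Source" column)
    kind: str        # "Process created" or "File created"
    image: str       # created process image, or the created file path
    cmdline: str     # command line; "" for file events


def parse_events(text):
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        src, kind, rest = m.group("src"), m.group("kind"), m.group("rest")
        if kind == "File created":
            events.append(Event(src, kind, rest, ""))
            continue
        if ' "' in rest:                      # image path, then a quoted command line
            image, cmd = rest.split(' "', 1)
            cmd = '"' + cmd
        else:                                 # "unknown unknown" or an unquoted command line
            image, _, cmd = rest.partition(" ")
        events.append(Event(src, kind, image, cmd))
    return events


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def under(path, prefix):
    return path.lower().startswith(prefix)


def quoted_dlls(cmdline):
    return re.findall(r'"([^"]+\.dll)"', cmdline, flags=re.IGNORECASE)


def evaluate(events):
    """(rule, event) pairs; each rule mirrors a signature listed in the report."""
    hits = []
    for ev in events:
        name, cmd = basename(ev.image), ev.cmdline.lower()
        if ev.kind == "File created":
            # "Drops PE files to the windows directory": a PE written under
            # C:\Windows by a process that does not itself live under C:\Windows.
            if under(ev.image, WINDOWS_DIR) and ev.image.lower().endswith((".dll", ".exe")) \
                    and not under(ev.source, WINDOWS_DIR):
                hits.append(("pe_dropped_in_windows_dir", ev))
            continue
        if name == "taskkill.exe" and "/im explorer.exe" in cmd:
            hits.append(("taskkill_explorer", ev))           # "Uses taskkill to terminate processes"
        if name == "explorer.exe" and "/nouaccheck" in cmd:
            hits.append(("explorer_nouaccheck", ev))         # "Sigma detected: Explorer NOUACCHECK Flag"
        if name == "conhost.exe" and basename(ev.source) == "explorer.exe":
            hits.append(("conhost_uncommon_parent", ev))     # "Conhost Spawned By Uncommon Parent Process"
        if name in ("regsvr32.exe", "rundll32.exe") and \
                any(not under(d, SYSTEM_BINARY_DIRS[0]) and not under(d, SYSTEM_BINARY_DIRS[1])
                    for d in quoted_dlls(ev.cmdline)):
            hits.append((name[:-4] + "_nonsystem_dll", ev))  # "Registers a DLL" / rundll32 export call
    return hits


def process_tree(events):
    """Parent basename -> child basenames, in report order."""
    tree = {}
    for ev in events:
        if ev.kind == "Process created":
            tree.setdefault(basename(ev.source), []).append(basename(ev.image))
    return tree


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENT_LINES)
    for parent, children in process_tree(evs).items():
        print(f"{parent} -> {', '.join(children)}")
    for rule, ev in evaluate(evs):
        print(f"[{rule}] {basename(ev.source)} :: {ev.image} {ev.cmdline}".rstrip())
```

The conhost.exe spawned by taskkill.exe and sc.exe is not flagged, since those are console programs; the same child under explorer.exe is what the report's Sigma rule objects to. The "/NoUACCheck" launch has source "unknown" in the report, so the rule keys on the command line rather than on the parent.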
Source: C:\Users\user\Downloads\ep_setup.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Downloads\ep_setup.exe | Directory created: C:\Program Files\ExplorerPatcher
Source: C:\Users\user\Downloads\ep_setup.exe | Directory created: C:\Program Files\ExplorerPatcher\ep_setup.exe
Source: C:\Users\user\Downloads\ep_setup.exe | Directory created: C:\Program Files\ExplorerPatcher\ExplorerPatcher.IA-32.dll
Source: C:\Users\user\Downloads\ep_setup.exe | Directory created: C:\Program Files\ExplorerPatcher\ExplorerPatcher.amd64.dll
Source: C:\Users\user\Downloads\ep_setup.exe | Directory created: C:\Program Files\ExplorerPatcher\ep_gui.dll
Source: C:\Users\user\Downloads\ep_setup.exe | Directory created: C:\Program Files\ExplorerPatcher\ep_dwm.exe
Source: C:\Users\user\Downloads\ep_setup.exe | Directory created: C:\Program Files\ExplorerPatcher\ep_weather_host.dll
Source: C:\Users\user\Downloads\ep_setup.exe | Directory created: C:\Program Files\ExplorerPatcher\ep_weather_host_stub.dll
Source: C:\Users\user\Downloads\ep_setup.exe | Directory created: C:\Program Files\ExplorerPatcher\WebView2Loader.dll
Source: C:\Users\user\Downloads\ep_setup.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D17F1E1A-5919-4427-8F89-A1A8503CA3EB}_ExplorerPatcher
Source: C:\Users\user\Downloads\ep_setup.exe | Process created: C:\Windows\System32\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\ExplorerPatcher\ep_weather_host.dll"
Source: C:\Users\user\Downloads\ep_setup.exe | File created: C:\Windows\dxgi.dll
Source: C:\Users\user\Downloads\ep_setup.exe | File created: C:\Program Files\ExplorerPatcher\ExplorerPatcher.IA-32.dll
Source: C:\Users\user\Downloads\ep_setup.exe | File created: C:\Program Files\ExplorerPatcher\ep_weather_host_stub.dll
Source: C:\Users\user\Downloads\ep_setup.exe | File created: C:\Program Files\ExplorerPatcher\ep_gui.dll
Source: C:\Users\user\Downloads\ep_setup.exe | File created: C:\Program Files\ExplorerPatcher\WebView2Loader.dll
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\Downloads\701b3574-c885-48a1-b323-248f4400d0fe.tmp
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\Downloads\Unconfirmed 363220.crdownload
Source: C:\Users\user\Downloads\ep_setup.exe | File created: C:\Program Files\ExplorerPatcher\ExplorerPatcher.amd64.dll
Source: C:\Users\user\Downloads\ep_setup.exe | File created: C:\Program Files\ExplorerPatcher\ep_weather_host.dll
Source: C:\Users\user\Downloads\ep_setup.exe | File created: C:\Program Files\ExplorerPatcher\ep_dwm.exe
Source: C:\Users\user\Downloads\ep_setup.exe | File created: C:\Windows\dxgi.dll
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk
Source: C:\Users\user\Downloads\ep_setup.exe | File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ExplorerPatcher
Source: C:\Users\user\Downloads\ep_setup.exe | File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ExplorerPatcher\Properties (ExplorerPatcher).lnk
Source: C:\Users\user\Downloads\ep_setup.exe | Process created: C:\Windows\System32\sc.exe "C:\Windows\system32\sc.exe" stop ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB
Source: C:\Users\user\Downloads\ep_setup.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\explorer.exe | System information queried: FirmwareTableInformation
Source: C:\Windows\explorer.exe | File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Downloads\ep_setup.exe | Dropped PE file which has not been started: C:\Program Files\ExplorerPatcher\ExplorerPatcher.IA-32.dll
Source: C:\Users\user\Downloads\ep_setup.exe | Dropped PE file which has not been started: C:\Program Files\ExplorerPatcher\ep_weather_host_stub.dll
Source: C:\Users\user\Downloads\ep_setup.exe | Dropped PE file which has not been started: C:\Program Files\ExplorerPatcher\ep_gui.dll
Source: C:\Users\user\Downloads\ep_setup.exe | Dropped PE file which has not been started: C:\Program Files\ExplorerPatcher\ExplorerPatcher.amd64.dll
Source: C:\Users\user\Downloads\ep_setup.exe | Dropped PE file which has not been started: C:\Program Files\ExplorerPatcher\ep_weather_host.dll
Source: C:\Users\user\Downloads\ep_setup.exe | Dropped PE file which has not been started: C:\Program Files\ExplorerPatcher\ep_dwm.exe
Source: C:\Windows\System32\taskkill.exe | Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe | Network Connect: 140.82.121.3 443
Source: C:\Windows\explorer.exe | Network Connect: 185.199.110.133 443
Source: C:\Users\user\Downloads\ep_setup.exe | Process created: C:\Windows\System32\taskkill.exe "C:\Windows\system32\taskkill.exe" /f /im explorer.exe
Source: C:\Users\user\Downloads\ep_setup.exe | Process created: C:\Windows\System32\sc.exe "C:\Windows\system32\sc.exe" stop ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB
Source: C:\Users\user\Downloads\ep_setup.exe | Process created: C:\Windows\System32\sc.exe "C:\Windows\system32\sc.exe" start ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB
Source: C:\Users\user\Downloads\ep_setup.exe | Process created: C:\Windows\System32\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\ExplorerPatcher\ep_weather_host.dll"
Source: C:\Users\user\Downloads\ep_setup.exe | Process created: C:\Windows\System32\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\ExplorerPatcher\ep_weather_host_stub.dll"
Source: C:\Users\user\Downloads\ep_setup.exe | Process created: C:\Windows\explorer.exe "C:\Windows\explorer.exe"
Source: C:\Users\user\Downloads\ep_setup.exe | Process created: C:\Windows\System32\taskkill.exe "C:\Windows\system32\taskkill.exe" /f /im explorer.exe
Source: C:\Users\user\Downloads\ep_setup.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Windows Management Instrumentation | 2 Windows Service | 2 Windows Service | 23 Masquerading | OS Credential Dumping | 21 Security Software Discovery | Remote Services | Data from Local System | 2 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 1 Service Execution | 1 Registry Run Keys / Startup Folder | 111 Process Injection | 1 Disable or Modify Tools | LSASS Memory | 11 Virtualization/Sandbox Evasion | Remote Desktop Protocol | Data from Removable Media | 1 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | 1 DLL Side-Loading | 1 Registry Run Keys / Startup Folder | 11 Virtualization/Sandbox Evasion | Security Account Manager | 1 File and Directory Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 1 DLL Side-Loading | 111 Process Injection | NTDS | 13 System Information Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 1 Extra Window Memory Injection | 1 Regsvr32 | LSA Secrets | Internet Connection Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Rundll32 | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Extra Window Memory Injection | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement

Source | Detection | Scanner | Label
https://github.com/valinet/ExplorerPatcher | 0% | Avira URL Cloud | safe
Source | Detection | Scanner | Label
C:\Users\user\Downloads\Unconfirmed 363220.crdownload | 21% | ReversingLabs | Win64.Hacktool.ExplorerPatcher
C:\Program Files\ExplorerPatcher\ExplorerPatcher.IA-32.dll | 0% | ReversingLabs |
C:\Program Files\ExplorerPatcher\ExplorerPatcher.amd64.dll | 0% | ReversingLabs |
C:\Program Files\ExplorerPatcher\WebView2Loader.dll | 0% | ReversingLabs |
C:\Program Files\ExplorerPatcher\ep_dwm.exe | 0% | ReversingLabs |
C:\Program Files\ExplorerPatcher\ep_gui.dll | 0% | ReversingLabs |
C:\Program Files\ExplorerPatcher\ep_weather_host.dll | 0% | ReversingLabs |
C:\Program Files\ExplorerPatcher\ep_weather_host_stub.dll | 4% | ReversingLabs |
C:\Windows\dxgi.dll | 0% | ReversingLabs |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
chrome.cloudflare-dns.com | 162.159.61.3 | true | false |  | unknown
a-9999.a-dc-msedge.net | 131.253.33.254 | true | false |  | unknown
avatars.githubusercontent.com | 185.199.111.133 | true | false |  | unknown
github.com | 140.82.121.4 | true | false |  | unknown
api.github.com | 140.82.121.5 | true | false |  | unknown
glb-db52c2cf8be544.github.com | 140.82.112.21 | true | false |  | unknown
camo.githubusercontent.com | 185.199.111.133 | true | false |  | unknown
ax-0001.ax-msedge.net | 150.171.27.10 | true | false |  | unknown
github.githubassets.com | 185.199.108.154 | true | false |  | unknown
s3-w.us-east-1.amazonaws.com | 52.216.245.140 | true | false |  | unknown
t-9999.fdv2-t-msedge.net | 13.107.237.254 | true | false |  | unknown
www.google.com | 142.250.74.196 | true | false |  | unknown
user-images.githubusercontent.com | 185.199.110.133 | true | true |  | unknown
objects.githubusercontent.com | 185.199.110.133 | true | true |  | unknown
github-cloud.s3.amazonaws.com | unknown | unknown | false |  | unknown
tse1.mm.bing.net | unknown | unknown | false |  | unknown
collector.github.com | unknown | unknown | false |  | unknown
api.msn.com | unknown | unknown | false |  | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
142.250.185.206 | unknown | United States | 15169 | GOOGLEUS | false
1.1.1.1 | unknown | Australia | 13335 | CLOUDFLARENETUS | false
185.199.109.154 | unknown | Netherlands | 54113 | FASTLYUS | false
140.82.121.3 | unknown | United States | 36459 | GITHUBUS | true
140.82.121.4 | github.com | United States | 36459 | GITHUBUS | false
140.82.121.5 | api.github.com | United States | 36459 | GITHUBUS | false
142.250.185.227 | unknown | United States | 15169 | GOOGLEUS | false
185.199.111.133 | avatars.githubusercontent.com | Netherlands | 54113 | FASTLYUS | false
64.233.167.84 | unknown | United States | 15169 | GOOGLEUS | false
239.255.255.250 | unknown | Reserved | unknown | unknown | false
20.150.79.68 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
185.199.108.133 | unknown | Netherlands | 54113 | FASTLYUS | false
140.82.112.21 | glb-db52c2cf8be544.github.com | United States | 36459 | GITHUBUS | false
185.199.108.154 | github.githubassets.com | Netherlands | 54113 | FASTLYUS | false
204.79.197.219 | unknown | United States | 8068 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
185.199.110.133 | user-images.githubusercontent.com | Netherlands | 54113 | FASTLYUS | true
142.250.186.74 | unknown | United States | 15169 | GOOGLEUS | false
204.79.197.203 | unknown | United States | 8068 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
142.250.74.196 | www.google.com | United States | 15169 | GOOGLEUS | false
                                      IP
                                      192.168.2.16
                                      Joe Sandbox version:41.0.0 Charoite
                                      Analysis ID:1515754
                                      Start date and time:2024-09-23 13:21:17 +02:00
                                      Joe Sandbox product:CloudBasic
                                      Overall analysis duration:
                                      Hypervisor based Inspection enabled:false
                                      Report type:full
                                      Cookbook file name:defaultwindowsinteractivecookbook.jbs
                                      Sample URL:https://github.com/valinet/ExplorerPatcher
                                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                      Number of analysed new started processes analysed:60
                                      Number of new started drivers analysed:0
                                      Number of existing processes analysed:0
                                      Number of existing drivers analysed:0
                                      Number of injected processes analysed:1
                                      Technologies:
                                      • EGA enabled
                                      Analysis Mode:stream
                                      Detection:MAL
                                      Classification:mal64.evad.win@39/25@39/183
                                      • Exclude process from analysis (whitelisted): svchost.exe
                                      • Excluded IPs from analysis (whitelisted): 142.250.185.227, 142.250.185.206, 64.233.167.84, 34.104.35.123
                                      • Excluded domains from analysis (whitelisted): fs.microsoft.com, clients2.google.com, accounts.google.com, edgedl.me.gvt1.com, slscr.update.microsoft.com, clientservices.googleapis.com, clients.l.google.com, fe3cr.delivery.mp.microsoft.com
                                      • Not all processes where analyzed, report is missing behavior information
                                      • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                      • Report size getting too big, too many NtCreateKey calls found.
                                      • Report size getting too big, too many NtEnumerateKey calls found.
                                      • Report size getting too big, too many NtEnumerateValueKey calls found.
                                      • Report size getting too big, too many NtOpenKey calls found.
                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                      • Report size getting too big, too many NtQueryValueKey calls found.
                                      • Report size getting too big, too many NtReadVirtualMemory calls found.
                                      • VT rate limit hit for: https://github.com/valinet/ExplorerPatcher
Input | Output
                                      URL: https://github.com/valinet/ExplorerPatcher/releases/tag/22621.3880.66.6_92fce8c Model: jbxai
                                      {
                                      "brand":["GitHub"],
                                      "contains_trigger_text":false,
                                      "prominent_button_name":"unknown",
                                      "text_input_field_labels":["unknown"],
                                      "pdf_icon_visible":false,
                                      "has_visible_captcha":false,
                                      "has_urgent_text":false,
                                      "has_visible_qrcode":false}
                                      Process:C:\Users\user\Downloads\ep_setup.exe
                                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):156160
                                      Entropy (8bit):6.375266888011147
                                      Encrypted:false
                                      SSDEEP:
                                      MD5:5D1F22A4A8CB76C337FEC809463092E1
                                      SHA1:B4F216C118FBF93C0B2FC9CFCD1D7BC981A2572F
                                      SHA-256:6AFD7333E956C125C9D4D3E6F88C2ED27CC41E0AA9A4E0656BA17B87C655A306
                                      SHA-512:B5FB3CFA44955DDA982AEF231C93F5F6D64CAE85325C616A54270B6E4E434CC3E3805AB8B5CD291310B3FE99137EFD5782D34EC3A0997A752FC4F2E75FF8304A
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Reputation:unknown
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........S...2..2..2...J..2...J...2...J..2....2....2....2...J..2..2..>2.....2.....2...;.2..2S.2.....2..Rich.2..................PE..L..._..f...........!...).z...........J....................................................@.............................x...h........P...0..............................p........................... ...@...............H............................text....x.......z.................. ..`.rdata...............~..............@..@.data........0......................@....rsrc....0...P...2..................@..@.reloc...............L..............@..B........................................................................................................................................................................................................................................................................................
                                      Process:C:\Users\user\Downloads\ep_setup.exe
                                      File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                      Category:dropped
                                      Size (bytes):716800
                                      Entropy (8bit):6.219577157189828
                                      Encrypted:false
                                      SSDEEP:
                                      MD5:57999FF1631929462DE24BA18F61AE1C
                                      SHA1:2AAAE073E752D32C6FD08DAC578C040924FE4B59
                                      SHA-256:B21C0ED7224784B642647A8EFAD45C634BF88646638823215818B25143FEE86E
                                      SHA-512:0AD42CBE76CA39353FBFBDD95411DF7ED830C960ACF5D1B943ECC424972FB326B2C69CCE680EFD9003D9650D0E791120A91AC8F2BE1AF09404F3D1EC6C4553E7
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Reputation:unknown
                                      Preview:MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$........y...............`.......`.......................`4.......Z..............................`.......`................................X.......0.............Rich....................PE..d......f.........." ...).....N......|........................................P............`......................................... V..H...hZ...........0.......I...........@.......|..p...............................@...............p............................text.............................. ..`.rdata..............................@..@.data...H...........................@....pdata...I.......J...f..............@..@.rsrc....0.......2..................@..@.reloc.......@......................@..B................................................................................................................................................................................................
                                      Process:C:\Users\user\Downloads\ep_setup.exe
                                      File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                      Category:dropped
                                      Size (bytes):165336
                                      Entropy (8bit):6.238659206665009
                                      Encrypted:false
                                      SSDEEP:
                                      MD5:C5F0C46E91F354C58ECEC864614157D7
                                      SHA1:CB6F85C0B716B4FC3810DEB3EB9053BEB07E803C
                                      SHA-256:465A7DDFB3A0DA4C3965DAF2AD6AC7548513F42329B58AEBC337311C10EA0A6F
                                      SHA-512:287756078AA08130907BD8601B957E9E006CEF9F5C6765DF25CFAA64DDD0FFF7D92FFA11F10A00A4028687F3220EFDA8C64008DBCF205BEDAE5DA296E3896E91
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Reputation:unknown
                                      Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d....sgf.........." .....\..........@F....................................................`A........................................Y...0.......(............P.......^...'..............T...................P...(....q..@...........h...........`....................text...][.......\.................. ..`.rdata..|....p.......`..............@..@.data...D....0......................@....pdata.......P......."..............@..@.gxfg...p....p.......8..............@..@.retplne.............J...................tls.................L..............@..._RDATA...............N..............@..@.rsrc................P..............@..@.reloc...............V..............@..B........................................................................................................................................................................................................................
                                      Process:C:\Users\user\Downloads\ep_setup.exe
                                      File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                      Category:dropped
                                      Size (bytes):118272
                                      Entropy (8bit):5.883056677379098
                                      Encrypted:false
                                      SSDEEP:
                                      MD5:85FFBD19F247F682DF7CB348429BF563
                                      SHA1:A3534A2C41B46EF253ABE52D4F00F98EEDE00020
                                      SHA-256:770379D1A2DFF974D3A0D1D282B2BFD69E1C25CC2BB161C4DFB9B208330FBCB3
                                      SHA-512:DD78C6D09CA5831D9E5E5146AF6F5537142EE4B5DFCC40AB34271B81FACBA1C1F285EAB84FCBB8180460408FF888588BAEB3DA95D385A167EF0828B37367E1B7
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Reputation:unknown
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........m.Lk..Lk..Lk......Ik.......k......Fk..\...Ek..\...\k..\...dk......Gk..Lk..4k......Mk......Mk..Lk..Mk......Mk..RichLk..........PE..d...r..f.........."....).............'.........@..........................................`....................................................x...............................h...0...p...............................@...............`............................text...`........................... ..`.rdata..Z...........................@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc..h...........................@..B................................................................................................................................................................................................................................................
                                      Process:C:\Users\user\Downloads\ep_setup.exe
                                      File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                      Category:dropped
                                      Size (bytes):721408
                                      Entropy (8bit):5.53410489167774
                                      Encrypted:false
                                      SSDEEP:
                                      MD5:C83153FFC63411AAF525CAA6C50C1FFC
                                      SHA1:76EE60BBEE697882FE5390D0F50A9F521F281BDA
                                      SHA-256:422D9784435C893B810DC8D02B8EAA713A030ECDDE0C29AE5A588C889CE6A7DF
                                      SHA-512:363F259AA9FF47FE9D8F65A308EB3732581ECB703B827A773DD2C9AAA61BD90F89BFD1F8B1A1C5CAA86F213799FC4487053182425676ABAAA3A301453C4E8A0D
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Reputation:unknown
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......?...{|..{|..{|..0...}|..0....|..r.=.y|..k...r|..k...k|..k...X|..0...t|..0...z|..0...f|..{|.._}..3...s|..3...z|..3.Q.z|..{|9.j|..3...z|..Rich{|..........PE..d......f.........." ...).....P......x........................................`............`.................................................<...,....P.......0...............P.........p...............................@............................................text... ........................... ..`.rdata..,...........................@..@.data...0#..........................@....pdata.......0......................@..@.rsrc........P......................@..@.reloc.......P......................@..B........................................................................................................................................................................................................................
                                      Process:C:\Users\user\Downloads\ep_setup.exe
                                      File Type:ASCII text, with very long lines (517), with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):638
                                      Entropy (8bit):5.357498172671854
                                      Encrypted:false
                                      SSDEEP:
                                      MD5:CF4976B00246696124FC79FF9BC0AC02
                                      SHA1:F20953367901D5DDE5E1628A3A47B99AA429E5C0
                                      SHA-256:A5AF453696261E24C897DE29E280B51A5951184E0B52DA51E79784FF3143EB88
                                      SHA-512:616F648923CAD00AC254700C9CACC3F4029001EE971D92C5A9DA0E3A087BB0CF0948E0C8E4587285E0D8726D1F049E2DEEE766A0B49240574FDBDB83A1E16712
                                      Malicious:false
                                      Reputation:unknown
                                      Preview:[ZoneTransfer]..ZoneId=3..ReferrerUrl=https://github.com/valinet/ExplorerPatcher/releases/tag/22621.3880.66.6_92fce8c..HostUrl=https://objects.githubusercontent.com/github-production-release-asset-2e65be/394318710/2bf7f74e-7088-4ad1-8d82-d2452160b9d3?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20240923%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240923T112203Z&X-Amz-Expires=300&X-Amz-Signature=285995b4358bffc3021b9d9d7c845054543e64d91a6f82f8e88165259d9bf243&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3Dep_setup.exe&response-content-type=application%2Foctet-stream..
                                      Process:C:\Users\user\Downloads\ep_setup.exe
                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                      Category:dropped
                                      Size (bytes):244224
                                      Entropy (8bit):5.982282823910593
                                      Encrypted:false
                                      SSDEEP:
                                      MD5:F2920695EA15CC80E479D79F536437F1
                                      SHA1:3B65E31BD40D371303FB8C82A712BC8E3CBDD451
                                      SHA-256:350535396C011ED00753F6CD2D30FA1D38FD0F48077B1F9D461CB3DF1B1CF39D
                                      SHA-512:16FBF89D7B14F1FE6F1A2BF80838BBB28B9DB9D79255EB194A0952097D63B29438B5D95B2E64B49293828E1932BF73F47780E90F06502EB32A9386E9A23DE407
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Reputation:unknown
                                      Process:C:\Users\user\Downloads\ep_setup.exe
                                      File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                      Category:dropped
                                      Size (bytes):111616
                                      Entropy (8bit):5.926324663614139
                                      Encrypted:false
                                      SSDEEP:
                                      MD5:AB6AA536FCAE0D915FC6856F66FF693C
                                      SHA1:9B20EB39735C80A2EC5974F477CDDDF72796D0FA
                                      SHA-256:0578867D07DF70F0080E5EB864F77C7356745347B1D9CDDD568F68E10FA8AA50
                                      SHA-512:E9BC6F57120F484C8E64A86F623E6B029E32F14BA49B70146AD6C16A84740C12A954F78B564F5619F55908AF200CA2FAC21E9E5DC35B6219A0FE7A6590B66524
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 4%
                                      Reputation:unknown
                                      Process:C:\Users\user\Downloads\ep_setup.exe
                                      File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Icon number=39, Archive, ctime=Thu Sep 8 02:06:01 2022, mtime=Mon Sep 23 10:22:14 2024, atime=Thu Sep 8 02:06:01 2022, length=71680, window=hide
                                      Category:modified
                                      Size (bytes):1960
                                      Entropy (8bit):3.297856564255495
                                      Encrypted:false
                                      SSDEEP:
                                      MD5:C316E942A8FF81FDC4B538BF3E6DA66D
                                      SHA1:E033AF1F15AB0C378E2B1E2B87BF7A1D7303FDEB
                                      SHA-256:59DA92533E97FD2B9D6786AEC0439411E43706F9192365D93F8690BF44C0EBD7
                                      SHA-512:D8A2F641CAC8DBC1D16EB3EA72E60A9577D149F487DB4226FCE39DC62F836E76BF6AF3754897838E829576CDD953578F204577B590421E9BE272CEBDD2BAA3A9
                                      Malicious:false
                                      Reputation:unknown
                                      Preview:L..................F.@.. .....S./............S./.......'...................E....P.O. .:i.....+00.../C:\...................V.1.....7Y.Z..Windows.@......OwH7Y.Z....3.........................W.i.n.d.o.w.s.....Z.1.....7Y.Z..System32..B......OwH7Y.Z..........................<...S.y.s.t.e.m.3.2.....f.2.....(U.. .rundll32.exe..J......(U..7Y.Z.........................b...r.u.n.d.l.l.3.2...e.x.e.......O...............-.......N............G.o.....C:\Windows\System32\rundll32.exe....E.x.p.l.o.r.e.r.P.a.t.c.h.e.r./.....\.....\.....\.....\.....\.....\.W.i.n.d.o.w.s.\.S.y.s.t.e.m.3.2.\.r.u.n.d.l.l.3.2...e.x.e...C.:.\.W.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2.3.".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.E.x.p.l.o.r.e.r.P.a.t.c.h.e.r.\.e.p._.g.u.i...d.l.l.".,.Z.Z.G.U.I...C.:.\.W.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.........%SystemRoot%\system32\shell32.dll.............................................................................................................................................
                                      Process:C:\Windows\explorer.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):115584
                                      Entropy (8bit):4.01683121140014
                                      Encrypted:false
                                      SSDEEP:
                                      MD5:BD0FF17B57308EF9CF0A82E91139BF54
                                      SHA1:6DB513BD16D232C26487B29B481A74E6C97C22E4
                                      SHA-256:5E039D8BCB97C671160C6E1F4E3F67B65F71C370E19FF9332AD72E08A3FB11FE
                                      SHA-512:FF7CB32C0C0B8560287458DECBAFF2EAA0A6BE805B637C799570CE4D586D7908D76D79DFE93B4872A6E922005B4DC1691B93B89E4407D5D6DCA4EA29769897CE
                                      Malicious:false
                                      Reputation:unknown
                                      Process:C:\Windows\explorer.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):115584
                                      Entropy (8bit):4.0169108405235505
                                      Encrypted:false
                                      SSDEEP:
                                      MD5:D5EDC11EFA2BA099E5E6AAC027ACD5A9
                                      SHA1:23ACB50D99C630AC52A39F4FC650BD320DB49650
                                      SHA-256:9C1A30D0BCFE75C41EF95E77CB9E8DDCBFF1F2A01EE413287A6C208605F41A75
                                      SHA-512:E1F0F9C5157C58160E17F9F595CFB93E6CCB42B2DD27002862231FE827560F93DEB7EAD4CDB66AA7955226A540509C05EC842C37EF32003F72B3987D54D2F0E3
                                      Malicious:false
                                      Reputation:unknown
                                      Process:C:\Windows\explorer.exe
                                      File Type:MSVC program database ver 7.00, 1024*18363 bytes
                                      Category:dropped
                                      Size (bytes):18803712
                                      Entropy (8bit):5.737102497890461
                                      Encrypted:false
                                      SSDEEP:
                                      MD5:C84AE6411BAC88E3A562ECC3F5F80A1B
                                      SHA1:22C2554E1143DF454DC48D055EB6F470603DBFB7
                                      SHA-256:766ADFB1144334B173FB47BA0CEFD7358F6B9D14FA656A92842849207A290A36
                                      SHA-512:7706D7BC50BF175267CF48CADA9C37132AED1F7FBC6E6C156A73391124C2E8E86E4D24348603655853A14195FE8DDD426A82CA773C49F15F076D302ADEE30737
                                      Malicious:false
                                      Reputation:unknown
                                      Process:C:\Windows\explorer.exe
                                      File Type:JSON data
                                      Category:dropped
                                      Size (bytes):750
                                      Entropy (8bit):5.153078874444219
                                      Encrypted:false
                                      SSDEEP:
                                      MD5:B77A5DD21BF1B5D7B2552209A3402011
                                      SHA1:E23366A5A7292E59AFE8391FD068942587E427EE
                                      SHA-256:B7E0B5BEE4B5FA4350575E781A5AD46CD227C468FCED0FFD6F2371D3915E0A13
                                      SHA-512:2FE16EE0983CE1750A12B139DEF264D35E00B59751C14C2BC3805435F48D98629005AE18BDE673F0F12E2F96A84D929D9E5C893BB452D2D83C57FFC42BD08ABD
                                      Malicious:false
                                      Reputation:unknown
                                      Preview:{"serviceContext":{"serviceActivityId":"26eb59b1-1406-47d6-84ef-b23612194bd6","responseCreationDateTime":"0001-01-01T00:00:00","debugId":"26eb59b1-1406-47d6-84ef-b23612194bd6|2024-09-23T11:22:23.7250644Z|fabric_msn|WUS2-A|News_460"},"expirationDateTime":"0001-01-01T00:00:00","showBadge":false,"settings":{"refreshIntervalMinutes":0,"feedEnabled":true,"evolvedNotificationLifecycleEnabled":false,"showBadgeOnRotationsForEvolvedNotificationLifecycle":false,"webView2Enabled":false,"webView2EnabledV1":false,"windowsSuppressClientRace":false,"flyoutV2EndpointEnabled":false,"showAnimation":false,"useTallerFlyoutSize":false,"useDynamicHeight":false,"useWiderFlyoutSize":false,"reclaimEnabled":false,"isPreviewDurationsEnabled":false},"isPartial":false}
                                      Process:C:\Windows\System32\rundll32.exe
                                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):14610
                                      Entropy (8bit):5.567900169683724
                                      Encrypted:false
                                      SSDEEP:
                                      MD5:2475D86131317EEC18455466D8A7796B
                                      SHA1:FAB7AF27A86C17884D6AD609B7AAD26ED3F6A261
                                      SHA-256:74A37BBD9556AF5E65E8CDE183768F9D692F08D8CC6FB237D2B60C236919698E
                                      SHA-512:218D6E5FB3A1C6785EA17EF182D56D3DC7A3511F9BE97AAE85C0F6867CDE8C77CFBCE1E406281C3091F2DCF6586D08E193FE0E087C22ED774B2D4FF97FDC27CC
                                      Malicious:false
                                      Reputation:unknown
                                      Preview:.Windows Registry Editor Version 5.00......;M Settings..;q....;T %R:1001%..[HKEY_CURRENT_USER\Software\ExplorerPatcher]..;y %R:1005% ....;ms-settings:taskbar..;y %R:1006% ....;shell:::{05d7b0f4-2121-4eff-bf6b-ed3f69b894d9}..;y %R:1007% ....;shell:::{05d7b0f4-2121-4eff-bf6b-ed3f69b894d9}\SystemIcons..[HKEY_CURRENT_USER\Software\ExplorerPatcher]..;c 4 %R:1008% *..;x 3 %R:1009%..;x 1 %R:1010%..;x 0 %R:1011%..;x 2 %R:1012%..;"Virtualized_{D17F1E1A-5919-4427-8F89-A1A8503CA3EB}_TaskbarPosition"=dword:00000003..;c 4 %R:1013%..;x 3 %R:1009%..;x 1 %R:1010%..;x 0 %R:1011%..;x 2 %R:1012%..;"Virtualized_{D17F1E1A-5919-4427-8F89-A1A8503CA3EB}_MMTaskbarPosition"=dword:00000003..[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Search]..;c 3 %R:1019%..;x 0 %R:1020%..;x 1 %R:1021%..;x 2 %R:1022%.."SearchboxTaskbarMode"=dword:00000001..[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]..;b %R:1023%.."ShowCortanaButton"=dword:00000000..[HKEY_CURRENT_USER\S
                                      Process:C:\Windows\explorer.exe
                                      File Type:MSVC program database ver 7.00, 4096*9067 bytes
                                      Category:dropped
                                      Size (bytes):37138432
                                      Entropy (8bit):5.6992441330393016
                                      Encrypted:false
                                      SSDEEP:
                                      MD5:6EC8937793ABCA33686E941850AC379C
                                      SHA1:C33459B6BBAB2E5D0051557E0AA6E35266145CA1
                                      SHA-256:05E269FF0DD07EBF0B82857327B060CD5AF27870B88219C9257510E0AF312B52
                                      SHA-512:6FF4CBBA814245A5E3269191BB63E7A82DC40D7D7F862C17F6651F28CDB640023143057CAB4E54DCA20C77C5C515EA0EAC05883CE50CD4F1FB84F2DFB2B7CF51
                                      Malicious:false
                                      Reputation:unknown
                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                      File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Mon Sep 23 10:21:51 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
                                      Category:dropped
                                      Size (bytes):2673
                                      Entropy (8bit):3.989917988351868
                                      Encrypted:false
                                      SSDEEP:
                                      MD5:DDFF5F9A44E340836010E8C5F4DF18C2
                                      SHA1:29062C89B1522C6286688E1E72E7704B3DFA6563
                                      SHA-256:474C0B58D3B5FD4D3FDFF014B1BEF01C2287BDCE8E4C1404684E1C0A411D91DD
                                      SHA-512:2E6640990F741FF246F3632855675016E9CA31A99C3B743B7A7A920F603599846CDE643CD70A0B973F787B9E616E62B50DED4D2976D5FAB0F12F3A477B7479A7
                                      Malicious:false
                                      Reputation:unknown
                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                      File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Mon Sep 23 10:21:51 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
                                      Category:dropped
                                      Size (bytes):2675
                                      Entropy (8bit):4.006943437553047
                                      Encrypted:false
                                      SSDEEP:
                                      MD5:15644393B69209994C1C5EC448638F97
                                      SHA1:C41375D590CB1DF34AED27F6C74C112690E4020E
                                      SHA-256:7BF686244ECA263445B682C57F8C9E8925EE12D0872EC398927F7286A92BE6F1
                                      SHA-512:E18CC423196D0D8C6F86C4C308AC6BEA9BC690AE7B7D784B21134874ACE5ECD99AD998E76996EEB38BFC72E61B702D1C39A78C9C7F062B07A77D1FFAD166AF32
                                      Malicious:false
                                      Reputation:unknown
                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                      File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Oct 6 08:05:01 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
                                      Category:dropped
                                      Size (bytes):2689
                                      Entropy (8bit):4.010550090847512
                                      Encrypted:false
                                      SSDEEP:
                                      MD5:A91FB67462B140C8AC94BF27042DE6C0
                                      SHA1:CC50A78F4ACD93F171C16A6FB45770E0AD79850D
                                      SHA-256:4C0935B5BD6D83914EA0FC7212002DD9095E5740B1FD0A9D7D54386ED03D6347
                                      SHA-512:2B65339C9A194F51F6F74D0EBAEFBEF267E03A51A9C881475999425AE4D29F56C32C907EEEE02D4A0AAB95EBEE9A5B9BD8AFDAA25FFD26FF0F8F80D806260F6C
                                      Malicious:false
                                      Reputation:unknown
                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                      File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Mon Sep 23 10:21:51 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
                                      Category:dropped
                                      Size (bytes):2677
                                      Entropy (8bit):4.005152522896564
                                      Encrypted:false
                                      SSDEEP:
                                      MD5:B6A2C6AA64235ACD10ABA2FD81D1E227
                                      SHA1:D3701193E313E256F1FC58163C23D40FF21EFD98
                                      SHA-256:2F26994653323E47FD1C08891430E49D7822DEA26B679A3C52BB701850D0D507
                                      SHA-512:58D42D805A1EC865A9EC22AA83E818B4E8AFCCC8D3E0ADE5CCE154D609B2AFE2F9DA6854C40376144B3C3661EDF3123366612800F74C4599942AF484DFD3ADF5
                                      Malicious:false
                                      Reputation:unknown
                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                      File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Mon Sep 23 10:21:51 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
                                      Category:dropped
                                      Size (bytes):2677
                                      Entropy (8bit):3.991264499147564
                                      Encrypted:false
                                      SSDEEP:
                                      MD5:F385C87E05B0BDB4CB003B25837A7004
                                      SHA1:DB7CA62BDF5F71353A5A6868F8C54F79C5BD2EDB
                                      SHA-256:E948F0806AA49CF969FCC42EBEF923B772761CF3EF797774A18D2A13F712CD50
                                      SHA-512:371BCD9B689EF8B6E99CF6D212B512F905CA0D131E0B6BFEAD73BCC7A1D6CB009E8CCD2D5B2C2EDEE3D76EC6069083A62EB536F6C7A76908176AAB4D610E021C
                                      Malicious:false
                                      Reputation:unknown
                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                      File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Mon Sep 23 10:21:50 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
                                      Category:dropped
                                      Size (bytes):2679
                                      Entropy (8bit):4.001932723009443
                                      Encrypted:false
                                      SSDEEP:
                                      MD5:614DEC9B8B89DB34B9775E5630AFAE91
                                      SHA1:82B991CAFB2D57BE5E1207CF7F408800D3C8984F
                                      SHA-256:07F46DDC7791B2B7E824C94A203829DBE3A4AB9144F7B3C071B2A8F9D453D18B
                                      SHA-512:3F95ACA385A020E6B8713196FDC08BB25B3BD9AE3BF1FD3108CBC0E7F4A2F7F74F4FFC9B46E751BE9B863261693622743DC3752A4CC3350A84F4D2A6409371F0
                                      Malicious:false
                                      Reputation:unknown
                                      Process:C:\Windows\explorer.exe
                                      File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 1280x1024, components 3
                                      Category:dropped
                                      Size (bytes):21107
                                      Entropy (8bit):2.3082705768019958
                                      Encrypted:false
                                      SSDEEP:
                                      MD5:CF7BB7C73EEBF9504B46C827ED064F60
                                      SHA1:AFF4E3C6F2A1F2B0673345870C85390E2E85390C
                                      SHA-256:F46620F73F2ABAFCB3622CE5B672314F18350E92B7BD6C765CAE5556A994550B
                                      SHA-512:AC6DE3341F3774EDDA4495AB79000D39AC9CBAC14426646E92D00858CA0041027A50B8AE39DEFEFF891AE32DD5FE70280419598A8BFAE139CA87B476068EE4D3
                                      Malicious:false
                                      Reputation:unknown
                                      Preview:......JFIF.............C....................................................................C............................................................................"............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.....(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(
                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                      File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                      Category:dropped
                                      Size (bytes):13780
                                      Entropy (8bit):5.929553744027108
                                      Encrypted:false
                                      SSDEEP:
                                      MD5:F6DA27232FF3B8217A606A0E63B1D1FA
                                      SHA1:EA84ACE3FEFB69A5A6574A302D2EDCCA1F6D975B
                                      SHA-256:41729FA8E0E5B2A6A50F66B069637A670E2934B6F0CF0641A1BCF3203CDBE4B8
                                      SHA-512:1BAA7CA7454F9E827D3AFEC190041418554463F382A2A4F74CADBD7269C10CFE1EA23C7B2115D795BC1A854055DB4AE383D86707AE7D2A08C30A72FEF151D480
                                      Malicious:true
                                      Reputation:unknown
                                      Preview:MZ......................@...............................................!..L.!22622.3880.66.6.57999ff163192946S mode....$........^uOY?..Y?..Y?...G..\?...G...?......_?..I...P?..I...I?..I...q?...G..V?...G..X?...G..L?..Y?...?......]?......X?..Y?..H?......X?..RichY?..................PE..d......f.........."....).P...\................@.........................................`..................................................K..........p...........................p(..p...........................0'..@............`...............................text...0O.......P.................. ..`.rdata.. ....`.......T..............@..@.data...T....`.......R..............@....pdata...............^..............@..@.rsrc...p............z..............@..@.reloc..............................@..B........................................................................................................................................................................................................................
                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                      File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                      Category:dropped
                                      Size (bytes):10525696
                                      Entropy (8bit):7.989219365061286
                                      Encrypted:false
                                      SSDEEP:
                                      MD5:45A5A443C01ABD7618EFEF4827241312
                                      SHA1:5390D36A371F0598B86301961D5FDB329E368E7A
                                      SHA-256:D7F98B8AF8A3BFE9D93CE31558A62E4D5D0CD425BC30BBC0D517901E5B82BF46
                                      SHA-512:0DF6330A020CE3B52320F087F56023DB069B56D4579B43A9827B8158BE430585B88FB43D98004EAE4E7A05F85086F5762DA17F51AF95FDB302669AE1C581F734
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 21%
                                      Reputation:unknown
                                      Preview:MZ......................@...............................................!..L.!22622.3880.66.6.57999ff163192946S mode....$........^uOY?..Y?..Y?...G..\?...G...?......_?..I...P?..I...I?..I...q?...G..V?...G..X?...G..L?..Y?...?......]?......X?..Y?..H?......X?..RichY?..................PE..d......f.........."....).P...\................@.........................................`..................................................K..........p...........................p(..p...........................0'..@............`...............................text...0O.......P.................. ..`.rdata.. ....`.......T..............@..@.data...T....`.......R..............@....pdata...............^..............@..@.rsrc...p............z..............@..@.reloc..............................@..B........................................................................................................................................................................................................................
                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                      File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                      Category:dropped
                                      Size (bytes):0
                                      Entropy (8bit):0.0
                                      Encrypted:false
                                      SSDEEP:
                                      MD5:45A5A443C01ABD7618EFEF4827241312
                                      SHA1:5390D36A371F0598B86301961D5FDB329E368E7A
                                      SHA-256:D7F98B8AF8A3BFE9D93CE31558A62E4D5D0CD425BC30BBC0D517901E5B82BF46
                                      SHA-512:0DF6330A020CE3B52320F087F56023DB069B56D4579B43A9827B8158BE430585B88FB43D98004EAE4E7A05F85086F5762DA17F51AF95FDB302669AE1C581F734
                                      Malicious:true
                                      Reputation:unknown
                                      Preview:MZ......................@...............................................!..L.!22622.3880.66.6.57999ff163192946S mode....$........^uOY?..Y?..Y?...G..\?...G...?......_?..I...P?..I...I?..I...q?...G..V?...G..X?...G..L?..Y?...?......]?......X?..Y?..H?......X?..RichY?..................PE..d......f.........."....).P...\................@.........................................`..................................................K..........p...........................p(..p...........................0'..@............`...............................text...0O.......P.................. ..`.rdata.. ....`.......T..............@..@.data...T....`.......R..............@....pdata...............^..............@..@.rsrc...p............z..............@..@.reloc..............................@..B........................................................................................................................................................................................................................
                                      Process:C:\Users\user\Downloads\ep_setup.exe
                                      File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                      Category:dropped
                                      Size (bytes):716800
                                      Entropy (8bit):6.219649477306373
                                      Encrypted:false
                                      SSDEEP:
                                      MD5:A3F150CEC06C4434460EF680417AF1AC
                                      SHA1:A32958417D97509BE368CC48BAB8D9A1C8A9050D
                                      SHA-256:F0D8FA3DB3127ABCDED89ABBF13F8D3C0071169618A0340570AA9B389034F176
                                      SHA-512:B7354B772DBC6C137D35ACA2E9094E013D05A624A1A71F4B169EDFB07E4212369EF9FD78F23D996EC2C2B3A1E4A4FD158B5E60E347A9CCBA35E07CBA97E64C80
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Reputation:unknown
                                      Preview:MZ......................@...................................0...........!..L.!22622.3880.66.6.57999ff163192946S mode....$........y...............`.......`.......................`4.......Z..............................`.......`................................X.......0.............Rich....................PE..d......f.........." ...).....N......|........................................P............`......................................... V..H...hZ...........0.......I...........@.......|..p...............................@...............p............................text.............................. ..`.rdata..............................@..@.data...H...........................@....pdata...I.......J...f..............@..@.rsrc....0.......2..................@..@.reloc.......@......................@..B................................................................................................................................................................................................
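The per-file fields above (File Type, Size (bytes), Entropy (8bit), MD5/SHA1/SHA-256/SHA-512) can be recomputed locally to confirm that a quarantined copy is the artifact the sandbox saw, and to catch entries that do not agree with themselves: the chrome.exe-dropped entry reporting Size (bytes):0 and Entropy (8bit):0.0 carries the same SHA-256 as the 10525696-byte entry before it, which cannot both describe one file, because a 0-byte file can only hash to the empty digest (SHA-256 E3B0C442...7852B855). The Python below is an added example, not part of the Joe Sandbox report or of the ExplorerPatcher project. It assumes that "Entropy (8bit)" is Shannon entropy in bits per byte, uses a constructed header-only PE32+ image as offline sample input (no code, not one of the dropped files), and copies only the Size/SHA-256 pairs from the two entries named above.

```python
import hashlib
import math
import struct
from collections import Counter

# SHA-256 of zero bytes: the only digest a genuinely 0-byte file can have.
EMPTY_SHA256 = "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855"

MACHINES = {0x8664: "x86-64", 0x14C: "Intel 80386", 0xAA64: "Aarch64"}  # libmagic-style names (assumed)
SUBSYSTEMS = {2: "GUI", 3: "console"}
IMAGE_FILE_DLL = 0x2000


def entropy8(data: bytes) -> float:
    """Shannon entropy in bits per byte, 0.0..8.0 (assumed to be what 'Entropy (8bit)' reports)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def digests(data: bytes) -> dict:
    """MD5/SHA1/SHA-256/SHA-512 in the report's upper-case hex form."""
    return {name: hashlib.new(name, data).hexdigest().upper()
            for name in ("md5", "sha1", "sha256", "sha512")}


def pe_file_type(data: bytes) -> str:
    """Rebuild the report's 'File Type' line from the DOS, COFF and optional headers."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "not a PE file (no MZ header)"
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    opt = e_lfanew + 4 + 20              # optional header follows the 20-byte COFF header
    if opt + 72 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return "not a PE file (no PE signature or truncated headers)"
    machine, _, _, _, _, _, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    magic = struct.unpack_from("<H", data, opt)[0]
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]   # same offset in PE32 and PE32+
    fmt = {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, f"PE(magic=0x{magic:X})")
    kind = "(DLL) " if chars & IMAGE_FILE_DLL else ""
    sub = SUBSYSTEMS.get(subsystem, f"subsystem {subsystem}")
    arch = MACHINES.get(machine, f"machine 0x{machine:X}")
    return f"{fmt} executable {kind}({sub}) {arch}, for MS Windows"


def summarize(data: bytes) -> dict:
    """The per-file fields the report prints, computed locally from the bytes."""
    out = {"File Type": pe_file_type(data), "Size (bytes)": len(data),
           "Entropy (8bit)": entropy8(data)}
    out.update({k.upper(): v for k, v in digests(data).items()})
    return out


def check_entry(size: int, sha256: str) -> str:
    """Cross-check two report fields: Size 0 is only consistent with the empty-file digest."""
    if size == 0 and sha256.upper() != EMPTY_SHA256:
        return "inconsistent: Size 0 but non-empty SHA-256 (fields sampled at different moments?)"
    return "consistent"


def build_sample_pe(is_dll: bool, subsystem: int) -> bytes:
    """Constructed, header-only PE32+ image used as offline sample input (not from the report)."""
    dos = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, 0x40)             # e_lfanew: PE signature right after DOS header
    chars = 0x0002 | 0x0020 | (IMAGE_FILE_DLL if is_dll else 0)   # EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, chars)  # AMD64, 240-byte optional header
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)               # PE32+ magic
    struct.pack_into("<H", opt, 68, subsystem)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


SAMPLE_DLL = build_sample_pe(True, 3)
SAMPLE_EXE = build_sample_pe(False, 2)

# Size/SHA-256 pairs copied from the two chrome.exe-dropped entries in the report above.
REPORT_ENTRIES = [
    (10525696, "D7F98B8AF8A3BFE9D93CE31558A62E4D5D0CD425BC30BBC0D517901E5B82BF46"),
    (0, "D7F98B8AF8A3BFE9D93CE31558A62E4D5D0CD425BC30BBC0D517901E5B82BF46"),
]

if __name__ == "__main__":
    for k, v in summarize(SAMPLE_DLL).items():
        print(f"{k}:{v}")
    for size, sha in REPORT_ENTRIES:
        print(size, sha[:16], check_entry(size, sha))
```

Against a real dropped file, `summarize(open(path, "rb").read())` yields the same field set as a report entry, so a hash mismatch means you are not holding the artifact the sandbox analysed. Entropy close to 8.0, as on the 10525696-byte file, is what compressed or encrypted content looks like; a small PE stub around 5.9 is ordinary code and data. The Size-0 entry fails `check_entry`, so treat its hash, not its size or entropy, as the field to pivot on.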
                                      No static file info