Windows Analysis Report
5390d36a371f0598b86301961d5fdb329e368e7a.exe

Overview

General Information

Sample name: 5390d36a371f0598b86301961d5fdb329e368e7a.exe
(renamed file extension from none to exe)
Original sample name: 5390d36a371f0598b86301961d5fdb329e368e7a
Analysis ID: 1520616
MD5: 0447e67da4fb72bdde31bd7ec2b62e04
SHA1: 7143740f5b7a35799398568b9606c4b1eeb9d591
SHA256: 12f30a0114c0d67881f10a66cf5b848afc3d858dea34c06836113e272bad0dc5
Errors
  • Corrupt sample or wrongly selected analyzer. Details: 36b1

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Contains functionality to automate explorer (e.g. start an application)
Extracts suspicious resources from PE file (packer detected)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to launch a program with higher privileges
Contains functionality to query CPU information (cpuid)
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Found potential string decryption / allocating functions
PE file contains executable resources (Code or Archives)
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info

Classification

Source: 5390d36a371f0598b86301961d5fdb329e368e7a.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: D:\a\ExplorerPatcher\ExplorerPatcher\build\Release\x64\ep_setup.pdb source: 5390d36a371f0598b86301961d5fdb329e368e7a.exe
Source: C:\Users\user\Desktop\5390d36a371f0598b86301961d5fdb329e368e7a.exe Code function: 0_2_0000000140003050 FindFirstFileW,lstrcmpW,lstrcmpW,DeleteFileW,FindNextFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 0_2_0000000140003050
Source: C:\Users\user\Desktop\5390d36a371f0598b86301961d5fdb329e368e7a.exe Code function: 0_2_00000001400031F0 SetProcessDpiAwarenessContext,CommandLineToArgvW,CreateDirectoryW,GetCurrentDirectoryW,GetModuleHandleW,GetProcAddress,GetCurrentProcess,GetModuleFileNameW,PathStripPathW,GetModuleFileNameW,LoadStringW,MessageBoxW,AllocateAndInitializeSid,CheckTokenMembership,GetLastError,FreeSid,RegGetValueW,LoadStringW,MessageBoxW,RegDeleteKeyValueW,CreateEventW,SHGetFolderPathW,CreateDirectoryW,GetLastError,FindWindowW,GetWindowThreadProcessId,OpenProcess,OpenProcessToken,CloseHandle,GetCurrentProcess,OpenProcessToken,SetLastError,GetTokenInformation,GetLastError,GetTokenInformation,SetLastError,GetTokenInformation,GetLastError,GetTokenInformation,EqualSid,CloseHandle,CloseHandle,SendMessageTimeoutW,CreateThread,WaitForSingleObject,CloseHandle,Sleep,GetSystemDirectoryW,ShellExecuteExW,WaitForSingleObject,CloseHandle,Sleep,CreateEventW,GetLastError,CloseHandle,GetLastError,GetSystemDirectoryW,ShellExecuteExW,WaitForSingleObject,GetExitCodeProcess,CloseHandle,FindWindowW,GetWindowThreadProcessId,OpenProcess,SendMessageW,TerminateProcess,CloseHandle,RegCreateKeyExW,RegSetValueExW,RegCloseKey,Sleep,SHGetFolderPathW,RegOpenKeyExW,RegCloseKey,SHGetFolderPathW,GetSystemDirectoryW,ShellExecuteExW,WaitForSingleObject,GetExitCodeProcess,SetLastError,CloseHandle,FindFirstFileW,FindClose,GetUserPreferredUILanguages,GetUserPreferredUILanguages,RegCreateKeyExW,RegSetValueExW,RegCloseKey,RegDeleteKeyW,GetWindowsDirectoryW,GetWindowsDirectoryW,GetSystemDirectoryW,CreateSymbolicLinkW,FindFirstFileW,FindClose,RemoveDirectoryW,FindFirstFileW,FindClose,RemoveDirectoryW,GetWindowsDirectoryW,GetSystemDirectoryW,SHGetFolderPathW,SHGetFolderPathW,ShellExecuteExW,WaitForSingleObject,GetExitCodeProcess,CloseHandle,SHGetFolderPathW,GetSystemDirectoryW,ShellExecuteExW,WaitForSingleObject,GetExitCodeProcess,SetLastError,CloseHandle,SHGetFolderPathW,GetSystemDirectoryW,ShellExecuteExW,WaitForSingleObject,GetExitCodeProcess,SetLastError,CloseHandle,RegCreateKeyExW,RegCloseKey,RegCreateKeyExW,RegCloseKey,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,RegCreateKeyExW,RegSetValueExW,RegCloseKey,LoadStringW,MessageBoxW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,LoadStringW,MessageBoxW,RegCreateKeyExW,RegSetValueExW,RegCloseKey,LoadStringW,MessageBoxW,GetWindowsDirectoryW,Sleep,ImpersonateLoggedOnUser,DuplicateTokenEx,RevertToSelf,CreateProcessWithTokenW,CloseHandle,CloseHandle,CloseHandle,ShellExecuteW,CloseHandle,GetLastError,LoadStringW,MessageBoxW,ExitWindowsEx,ShellExecuteExW,GetLastError,_invalid_parameter_noinfo, 0_2_00000001400031F0
Source: C:\Users\user\Desktop\5390d36a371f0598b86301961d5fdb329e368e7a.exe Code function: 0_2_000000014001D674 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose, 0_2_000000014001D674
Source: 5390d36a371f0598b86301961d5fdb329e368e7a.exe String found in binary or memory: http://www.winimage.com/zLibDll
Source: C:\Users\user\Desktop\5390d36a371f0598b86301961d5fdb329e368e7a.exe Code function: 0_2_00000001400031F0 SetProcessDpiAwarenessContext,CommandLineToArgvW,CreateDirectoryW,GetCurrentDirectoryW,GetModuleHandleW,GetProcAddress,GetCurrentProcess,GetModuleFileNameW,PathStripPathW,GetModuleFileNameW,LoadStringW,MessageBoxW,AllocateAndInitializeSid,CheckTokenMembership,GetLastError,FreeSid,RegGetValueW,LoadStringW,MessageBoxW,RegDeleteKeyValueW,CreateEventW,SHGetFolderPathW,CreateDirectoryW,GetLastError,FindWindowW,GetWindowThreadProcessId,OpenProcess,OpenProcessToken,CloseHandle,GetCurrentProcess,OpenProcessToken,SetLastError,GetTokenInformation,GetLastError,GetTokenInformation,SetLastError,GetTokenInformation,GetLastError,GetTokenInformation,EqualSid,CloseHandle,CloseHandle,SendMessageTimeoutW,CreateThread,WaitForSingleObject,CloseHandle,Sleep,GetSystemDirectoryW,ShellExecuteExW,WaitForSingleObject,CloseHandle,Sleep,CreateEventW,GetLastError,CloseHandle,GetLastError,GetSystemDirectoryW,ShellExecuteExW,WaitForSingleObject,GetExitCodeProcess,CloseHandle,FindWindowW,GetWindowThreadProcessId,OpenProcess,SendMessageW,TerminateProcess,CloseHandle,RegCreateKeyExW,RegSetValueExW,RegCloseKey,Sleep,SHGetFolderPathW,RegOpenKeyExW,RegCloseKey,SHGetFolderPathW,GetSystemDirectoryW,ShellExecuteExW,WaitForSingleObject,GetExitCodeProcess,SetLastError,CloseHandle,FindFirstFileW,FindClose,GetUserPreferredUILanguages,GetUserPreferredUILanguages,RegCreateKeyExW,RegSetValueExW,RegCloseKey,RegDeleteKeyW,GetWindowsDirectoryW,GetWindowsDirectoryW,GetSystemDirectoryW,CreateSymbolicLinkW,FindFirstFileW,FindClose,RemoveDirectoryW,FindFirstFileW,FindClose,RemoveDirectoryW,GetWindowsDirectoryW,GetSystemDirectoryW,SHGetFolderPathW,SHGetFolderPathW,ShellExecuteExW,WaitForSingleObject,GetExitCodeProcess,CloseHandle,SHGetFolderPathW,GetSystemDirectoryW,ShellExecuteExW,WaitForSingleObject,GetExitCodeProcess,SetLastError,CloseHandle,SHGetFolderPathW,GetSystemDirectoryW,ShellExecuteExW,WaitForSingleObject,GetExitCodeProcess,SetLastError,CloseHandle,RegCreateKeyExW,RegCloseKey,RegCreateKeyExW,RegCloseKey,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,RegCreateKeyExW,RegSetValueExW,RegCloseKey,LoadStringW,MessageBoxW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,LoadStringW,MessageBoxW,RegCreateKeyExW,RegSetValueExW,RegCloseKey,LoadStringW,MessageBoxW,GetWindowsDirectoryW,Sleep,ImpersonateLoggedOnUser,DuplicateTokenEx,RevertToSelf,CreateProcessWithTokenW,CloseHandle,CloseHandle,CloseHandle,ShellExecuteW,CloseHandle,GetLastError,LoadStringW,MessageBoxW,ExitWindowsEx,ShellExecuteExW,GetLastError,_invalid_parameter_noinfo, 0_2_00000001400031F0
Source: C:\Users\user\Desktop\5390d36a371f0598b86301961d5fdb329e368e7a.exe Code function: 0_2_000000014000F434 0_2_000000014000F434
Source: C:\Users\user\Desktop\5390d36a371f0598b86301961d5fdb329e368e7a.exe Code function: 0_2_000000014000F864 0_2_000000014000F864
Source: C:\Users\user\Desktop\5390d36a371f0598b86301961d5fdb329e368e7a.exe Code function: 0_2_0000000140012890 0_2_0000000140012890
Source: C:\Users\user\Desktop\5390d36a371f0598b86301961d5fdb329e368e7a.exe Code function: 0_2_000000014000FC90 0_2_000000014000FC90
Source: C:\Users\user\Desktop\5390d36a371f0598b86301961d5fdb329e368e7a.exe Code function: 0_2_00000001400248A8 0_2_00000001400248A8
Source: C:\Users\user\Desktop\5390d36a371f0598b86301961d5fdb329e368e7a.exe Code function: 0_2_00000001400060B0 0_2_00000001400060B0
Source: C:\Users\user\Desktop\5390d36a371f0598b86301961d5fdb329e368e7a.exe Code function: 0_2_00000001400190BC 0_2_00000001400190BC
Source: C:\Users\user\Desktop\5390d36a371f0598b86301961d5fdb329e368e7a.exe Code function: 0_2_0000000140005CC0 0_2_0000000140005CC0
Source: C:\Users\user\Desktop\5390d36a371f0598b86301961d5fdb329e368e7a.exe Code function: 0_2_00000001400028C0 0_2_00000001400028C0
Source: C:\Users\user\Desktop\5390d36a371f0598b86301961d5fdb329e368e7a.exe Code function: 0_2_0000000140021D04 0_2_0000000140021D04
Source: C:\Users\user\Desktop\5390d36a371f0598b86301961d5fdb329e368e7a.exe Code function: 0_2_000000014000F540 0_2_000000014000F540
Source: C:\Users\user\Desktop\5390d36a371f0598b86301961d5fdb329e368e7a.exe Code function: 0_2_0000000140010554 0_2_0000000140010554
Source: C:\Users\user\Desktop\5390d36a371f0598b86301961d5fdb329e368e7a.exe Code function: 0_2_0000000140012D54 0_2_0000000140012D54
Source: C:\Users\user\Desktop\5390d36a371f0598b86301961d5fdb329e368e7a.exe Code function: 0_2_000000014000F96C 0_2_000000014000F96C
Source: C:\Users\user\Desktop\5390d36a371f0598b86301961d5fdb329e368e7a.exe Code function: 0_2_0000000140010994 0_2_0000000140010994
Source: C:\Users\user\Desktop\5390d36a371f0598b86301961d5fdb329e368e7a.exe Code function: 0_2_00000001400185A8 0_2_00000001400185A8
Source: C:\Users\user\Desktop\5390d36a371f0598b86301961d5fdb329e368e7a.exe Code function: 0_2_000000014000B1B0 0_2_000000014000B1B0
Source: C:\Users\user\Desktop\5390d36a371f0598b86301961d5fdb329e368e7a.exe Code function: 0_2_00000001400131B8 0_2_00000001400131B8
Source: C:\Users\user\Desktop\5390d36a371f0598b86301961d5fdb329e368e7a.exe Code function: 0_2_0000000140010DD4 0_2_0000000140010DD4
Source: C:\Users\user\Desktop\5390d36a371f0598b86301961d5fdb329e368e7a.exe Code function: 0_2_00000001400031F0 0_2_00000001400031F0
Source: C:\Users\user\Desktop\5390d36a371f0598b86301961d5fdb329e368e7a.exe Code function: 0_2_000000014000960B 0_2_000000014000960B
Source: C:\Users\user\Desktop\5390d36a371f0598b86301961d5fdb329e368e7a.exe Code function: 0_2_000000014001FE30 0_2_000000014001FE30
Source: C:\Users\user\Desktop\5390d36a371f0598b86301961d5fdb329e368e7a.exe Code function: 0_2_0000000140018A3C 0_2_0000000140018A3C
Source: C:\Users\user\Desktop\5390d36a371f0598b86301961d5fdb329e368e7a.exe Code function: 0_2_000000014000F64C 0_2_000000014000F64C
Source: C:\Users\user\Desktop\5390d36a371f0598b86301961d5fdb329e368e7a.exe Code function: 0_2_000000014001D674 0_2_000000014001D674
Source: C:\Users\user\Desktop\5390d36a371f0598b86301961d5fdb329e368e7a.exe Code function: 0_2_000000014000FA78 0_2_000000014000FA78
Source: C:\Users\user\Desktop\5390d36a371f0598b86301961d5fdb329e368e7a.exe Code function: 0_2_00000001400202CC 0_2_00000001400202CC
Source: C:\Users\user\Desktop\5390d36a371f0598b86301961d5fdb329e368e7a.exe Code function: 0_2_00000001400022D0 0_2_00000001400022D0
Source: C:\Users\user\Desktop\5390d36a371f0598b86301961d5fdb329e368e7a.exe Code function: 0_2_0000000140001AF0 0_2_0000000140001AF0
Source: C:\Users\user\Desktop\5390d36a371f0598b86301961d5fdb329e368e7a.exe Code function: 0_2_000000014000F328 0_2_000000014000F328
Source: C:\Users\user\Desktop\5390d36a371f0598b86301961d5fdb329e368e7a.exe Code function: 0_2_0000000140001730 0_2_0000000140001730
Source: C:\Users\user\Desktop\5390d36a371f0598b86301961d5fdb329e368e7a.exe Code function: 0_2_000000014000F758 0_2_000000014000F758
Source: C:\Users\user\Desktop\5390d36a371f0598b86301961d5fdb329e368e7a.exe Code function: 0_2_0000000140010760 0_2_0000000140010760
Source: C:\Users\user\Desktop\5390d36a371f0598b86301961d5fdb329e368e7a.exe Code function: 0_2_0000000140006F60 0_2_0000000140006F60
Source: C:\Users\user\Desktop\5390d36a371f0598b86301961d5fdb329e368e7a.exe Code function: 0_2_000000014000FB84 0_2_000000014000FB84
Source: C:\Users\user\Desktop\5390d36a371f0598b86301961d5fdb329e368e7a.exe Code function: 0_2_00000001400223A0 0_2_00000001400223A0
Source: C:\Users\user\Desktop\5390d36a371f0598b86301961d5fdb329e368e7a.exe Code function: 0_2_0000000140010BA0 0_2_0000000140010BA0
Source: C:\Users\user\Desktop\5390d36a371f0598b86301961d5fdb329e368e7a.exe Code function: 0_2_00000001400097A4 0_2_00000001400097A4
Source: C:\Users\user\Desktop\5390d36a371f0598b86301961d5fdb329e368e7a.exe Code function: 0_2_0000000140017BC8 0_2_0000000140017BC8
Source: C:\Users\user\Desktop\5390d36a371f0598b86301961d5fdb329e368e7a.exe Code function: 0_2_0000000140009FDD 0_2_0000000140009FDD
Source: C:\Users\user\Desktop\5390d36a371f0598b86301961d5fdb329e368e7a.exe Code function: 0_2_0000000140010FE0 0_2_0000000140010FE0
Source: C:\Users\user\Desktop\5390d36a371f0598b86301961d5fdb329e368e7a.exe Code function: String function: 000000014001506C appears 49 times
Source: 5390d36a371f0598b86301961d5fdb329e368e7a.exe Static PE information: Resource name: RT_RCDATA type: Zip archive data, at least v2.0 to extract, compression method=deflate
Source: 5390d36a371f0598b86301961d5fdb329e368e7a.exe Binary or memory string: OriginalFilename vs 5390d36a371f0598b86301961d5fdb329e368e7a.exe
Source: 5390d36a371f0598b86301961d5fdb329e368e7a.exe Binary or memory string: OriginalFilenameep_setup.exe@ vs 5390d36a371f0598b86301961d5fdb329e368e7a.exe
Source: classification engine Classification label: mal48.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\5390d36a371f0598b86301961d5fdb329e368e7a.exe Code function: 0_2_00000001400031F0 SetProcessDpiAwarenessContext,CommandLineToArgvW,CreateDirectoryW,GetCurrentDirectoryW,GetModuleHandleW,GetProcAddress,GetCurrentProcess,GetModuleFileNameW,PathStripPathW,GetModuleFileNameW,LoadStringW,MessageBoxW,AllocateAndInitializeSid,CheckTokenMembership,GetLastError,FreeSid,RegGetValueW,LoadStringW,MessageBoxW,RegDeleteKeyValueW,CreateEventW,SHGetFolderPathW,CreateDirectoryW,GetLastError,FindWindowW,GetWindowThreadProcessId,OpenProcess,OpenProcessToken,CloseHandle,GetCurrentProcess,OpenProcessToken,SetLastError,GetTokenInformation,GetLastError,GetTokenInformation,SetLastError,GetTokenInformation,GetLastError,GetTokenInformation,EqualSid,CloseHandle,CloseHandle,SendMessageTimeoutW,CreateThread,WaitForSingleObject,CloseHandle,Sleep,GetSystemDirectoryW,ShellExecuteExW,WaitForSingleObject,CloseHandle,Sleep,CreateEventW,GetLastError,CloseHandle,GetLastError,GetSystemDirectoryW,ShellExecuteExW,WaitForSingleObject,GetExitCodeProcess,CloseHandle,FindWindowW,GetWindowThreadProcessId,OpenProcess,SendMessageW,TerminateProcess,CloseHandle,RegCreateKeyExW,RegSetValueExW,RegCloseKey,Sleep,SHGetFolderPathW,RegOpenKeyExW,RegCloseKey,SHGetFolderPathW,GetSystemDirectoryW,ShellExecuteExW,WaitForSingleObject,GetExitCodeProcess,SetLastError,CloseHandle,FindFirstFileW,FindClose,GetUserPreferredUILanguages,GetUserPreferredUILanguages,RegCreateKeyExW,RegSetValueExW,RegCloseKey,RegDeleteKeyW,GetWindowsDirectoryW,GetWindowsDirectoryW,GetSystemDirectoryW,CreateSymbolicLinkW,FindFirstFileW,FindClose,RemoveDirectoryW,FindFirstFileW,FindClose,RemoveDirectoryW,GetWindowsDirectoryW,GetSystemDirectoryW,SHGetFolderPathW,SHGetFolderPathW,ShellExecuteExW,WaitForSingleObject,GetExitCodeProcess,CloseHandle,SHGetFolderPathW,GetSystemDirectoryW,ShellExecuteExW,WaitForSingleObject,GetExitCodeProcess,SetLastError,CloseHandle,SHGetFolderPathW,GetSystemDirectoryW,ShellExecuteExW,WaitForSingleObject,GetExitCodeProcess,SetLastError,CloseHandle,RegCreateKeyExW,RegCloseKey,RegCreateKeyExW,RegCloseKey,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,RegCreateKeyExW,RegSetValueExW,RegCloseKey,LoadStringW,MessageBoxW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,LoadStringW,MessageBoxW,RegCreateKeyExW,RegSetValueExW,RegCloseKey,LoadStringW,MessageBoxW,GetWindowsDirectoryW,Sleep,ImpersonateLoggedOnUser,DuplicateTokenEx,RevertToSelf,CreateProcessWithTokenW,CloseHandle,CloseHandle,CloseHandle,ShellExecuteW,CloseHandle,GetLastError,LoadStringW,MessageBoxW,ExitWindowsEx,ShellExecuteExW,GetLastError,_invalid_parameter_noinfo, 0_2_00000001400031F0
Source: C:\Users\user\Desktop\5390d36a371f0598b86301961d5fdb329e368e7a.exe Code function: 0_2_0000000140001730 GetSystemDirectoryW,LoadLibraryExW,LoadStringW,SHGetFolderPathW,SHFileOperationW,CreateDirectoryW,GetSystemDirectoryW,CoInitialize,CoCreateInstance,PathRemoveFileSpecW,CoUninitialize, 0_2_0000000140001730
Source: C:\Users\user\Desktop\5390d36a371f0598b86301961d5fdb329e368e7a.exe Code function: 0_2_0000000140002020 FindResourceW,LoadResource,LockResource,SizeofResource, 0_2_0000000140002020
Source: 5390d36a371f0598b86301961d5fdb329e368e7a.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 5390d36a371f0598b86301961d5fdb329e368e7a.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: 5390d36a371f0598b86301961d5fdb329e368e7a.exe Static file information: File size 10525696 > 1048576
Source: 5390d36a371f0598b86301961d5fdb329e368e7a.exe Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x9d1a00
Source: 5390d36a371f0598b86301961d5fdb329e368e7a.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 5390d36a371f0598b86301961d5fdb329e368e7a.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 5390d36a371f0598b86301961d5fdb329e368e7a.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 5390d36a371f0598b86301961d5fdb329e368e7a.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 5390d36a371f0598b86301961d5fdb329e368e7a.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 5390d36a371f0598b86301961d5fdb329e368e7a.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: 5390d36a371f0598b86301961d5fdb329e368e7a.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: 5390d36a371f0598b86301961d5fdb329e368e7a.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: D:\a\ExplorerPatcher\ExplorerPatcher\build\Release\x64\ep_setup.pdb source: 5390d36a371f0598b86301961d5fdb329e368e7a.exe
Source: 5390d36a371f0598b86301961d5fdb329e368e7a.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 5390d36a371f0598b86301961d5fdb329e368e7a.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 5390d36a371f0598b86301961d5fdb329e368e7a.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 5390d36a371f0598b86301961d5fdb329e368e7a.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 5390d36a371f0598b86301961d5fdb329e368e7a.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Source: C:\Users\user\Desktop\5390d36a371f0598b86301961d5fdb329e368e7a.exe Code function: 0_2_0000000140001AF0 RegCreateKeyExW,RegSetValueExW,RegSetValueExW,RegSetValueExW,RegSetValueExW,RegSetValueExW,PathRemoveFileSpecW,LoadLibraryExW,FindResourceW,SizeofResource,LoadResource,LockResource,LocalAlloc,FreeResource,VerQueryValueW,LocalFree,RegSetValueExW,RegSetValueExW,RegSetValueExW,FreeLibrary,GetWindowsDirectoryW,RegSetValueExW,RegOpenKeyW,RegDeleteTreeW,RegCloseKey, \explorer.exe 0_2_0000000140001AF0
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\5390d36a371f0598b86301961d5fdb329e368e7a.exe Code function: 0_2_0000000140003050 FindFirstFileW,lstrcmpW,lstrcmpW,DeleteFileW,FindNextFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 0_2_0000000140003050
Source: C:\Users\user\Desktop\5390d36a371f0598b86301961d5fdb329e368e7a.exe Code function: 0_2_00000001400031F0 SetProcessDpiAwarenessContext,CommandLineToArgvW,CreateDirectoryW,GetCurrentDirectoryW,GetModuleHandleW,GetProcAddress,GetCurrentProcess,GetModuleFileNameW,PathStripPathW,GetModuleFileNameW,LoadStringW,MessageBoxW,AllocateAndInitializeSid,CheckTokenMembership,GetLastError,FreeSid,RegGetValueW,LoadStringW,MessageBoxW,RegDeleteKeyValueW,CreateEventW,SHGetFolderPathW,CreateDirectoryW,GetLastError,FindWindowW,GetWindowThreadProcessId,OpenProcess,OpenProcessToken,CloseHandle,GetCurrentProcess,OpenProcessToken,SetLastError,GetTokenInformation,GetLastError,GetTokenInformation,SetLastError,GetTokenInformation,GetLastError,GetTokenInformation,EqualSid,CloseHandle,CloseHandle,SendMessageTimeoutW,CreateThread,WaitForSingleObject,CloseHandle,Sleep,GetSystemDirectoryW,ShellExecuteExW,WaitForSingleObject,CloseHandle,Sleep,CreateEventW,GetLastError,CloseHandle,GetLastError,GetSystemDirectoryW,ShellExecuteExW,WaitForSingleObject,GetExitCodeProcess,CloseHandle,FindWindowW,GetWindowThreadProcessId,OpenProcess,SendMessageW,TerminateProcess,CloseHandle,RegCreateKeyExW,RegSetValueExW,RegCloseKey,Sleep,SHGetFolderPathW,RegOpenKeyExW,RegCloseKey,SHGetFolderPathW,GetSystemDirectoryW,ShellExecuteExW,WaitForSingleObject,GetExitCodeProcess,SetLastError,CloseHandle,FindFirstFileW,FindClose,GetUserPreferredUILanguages,GetUserPreferredUILanguages,RegCreateKeyExW,RegSetValueExW,RegCloseKey,RegDeleteKeyW,GetWindowsDirectoryW,GetWindowsDirectoryW,GetSystemDirectoryW,CreateSymbolicLinkW,FindFirstFileW,FindClose,RemoveDirectoryW,FindFirstFileW,FindClose,RemoveDirectoryW,GetWindowsDirectoryW,GetSystemDirectoryW,SHGetFolderPathW,SHGetFolderPathW,ShellExecuteExW,WaitForSingleObject,GetExitCodeProcess,CloseHandle,SHGetFolderPathW,GetSystemDirectoryW,ShellExecuteExW,WaitForSingleObject,GetExitCodeProcess,SetLastError,CloseHandle,SHGetFolderPathW,GetSystemDirectoryW,ShellExecuteExW,WaitForSingleObject,GetExitCodeProcess,SetLastError,CloseHandle,RegCreateKeyExW,RegCloseKey,RegCreateKeyExW,RegCloseKey,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,RegCreateKeyExW,RegSetValueExW,RegCloseKey,LoadStringW,MessageBoxW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,LoadStringW,MessageBoxW,RegCreateKeyExW,RegSetValueExW,RegCloseKey,LoadStringW,MessageBoxW,GetWindowsDirectoryW,Sleep,ImpersonateLoggedOnUser,DuplicateTokenEx,RevertToSelf,CreateProcessWithTokenW,CloseHandle,CloseHandle,CloseHandle,ShellExecuteW,CloseHandle,GetLastError,LoadStringW,MessageBoxW,ExitWindowsEx,ShellExecuteExW,GetLastError,_invalid_parameter_noinfo, 0_2_00000001400031F0
Source: C:\Users\user\Desktop\5390d36a371f0598b86301961d5fdb329e368e7a.exe Code function: 0_2_000000014001D674 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose, 0_2_000000014001D674
Source: C:\Users\user\Desktop\5390d36a371f0598b86301961d5fdb329e368e7a.exe Code function: 0_2_000000014001519C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_000000014001519C
Source: C:\Users\user\Desktop\5390d36a371f0598b86301961d5fdb329e368e7a.exe Code function: 0_2_000000014001F7B8 GetProcessHeap, 0_2_000000014001F7B8
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\5390d36a371f0598b86301961d5fdb329e368e7a.exe Code function: 0_2_0000000140009128 SetUnhandledExceptionFilter, 0_2_0000000140009128
Source: C:\Users\user\Desktop\5390d36a371f0598b86301961d5fdb329e368e7a.exe Code function: 0_2_000000014001519C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_000000014001519C
Source: C:\Users\user\Desktop\5390d36a371f0598b86301961d5fdb329e368e7a.exe Code function: 0_2_00000001400086E0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00000001400086E0
Source: C:\Users\user\Desktop\5390d36a371f0598b86301961d5fdb329e368e7a.exe Code function: 0_2_0000000140008F48 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0000000140008F48

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\5390d36a371f0598b86301961d5fdb329e368e7a.exe Code function: 0_2_00000001400031F0 SetProcessDpiAwarenessContext,CommandLineToArgvW,CreateDirectoryW,GetCurrentDirectoryW,GetModuleHandleW,GetProcAddress,GetCurrentProcess,GetModuleFileNameW,PathStripPathW,GetModuleFileNameW,LoadStringW,MessageBoxW,AllocateAndInitializeSid,CheckTokenMembership,GetLastError,FreeSid,RegGetValueW,LoadStringW,MessageBoxW,RegDeleteKeyValueW,CreateEventW,SHGetFolderPathW,CreateDirectoryW,GetLastError,FindWindowW,GetWindowThreadProcessId,OpenProcess,OpenProcessToken,CloseHandle,GetCurrentProcess,OpenProcessToken,SetLastError,GetTokenInformation,GetLastError,GetTokenInformation,SetLastError,GetTokenInformation,GetLastError,GetTokenInformation,EqualSid,CloseHandle,CloseHandle,SendMessageTimeoutW,CreateThread,WaitForSingleObject,CloseHandle,Sleep,GetSystemDirectoryW,ShellExecuteExW,WaitForSingleObject,CloseHandle,Sleep,CreateEventW,GetLastError,CloseHandle,GetLastError,GetSystemDirectoryW,ShellExecuteExW,WaitForSingleObject,GetExitCodeProcess,CloseHandle,FindWindowW,GetWindowThreadProcessId,OpenProcess,SendMessageW,TerminateProcess,CloseHandle,RegCreateKeyExW,RegSetValueExW,RegCloseKey,Sleep,SHGetFolderPathW,RegOpenKeyExW,RegCloseKey,SHGetFolderPathW,GetSystemDirectoryW,ShellExecuteExW,WaitForSingleObject,GetExitCodeProcess,SetLastError,CloseHandle,FindFirstFileW,FindClose,GetUserPreferredUILanguages,GetUserPreferredUILanguages,RegCreateKeyExW,RegSetValueExW,RegCloseKey,RegDeleteKeyW,GetWindowsDirectoryW,GetWindowsDirectoryW,GetSystemDirectoryW,CreateSymbolicLinkW,FindFirstFileW,FindClose,RemoveDirectoryW,FindFirstFileW,FindClose,RemoveDirectoryW,GetWindowsDirectoryW,GetSystemDirectoryW,SHGetFolderPathW,SHGetFolderPathW,ShellExecuteExW,WaitForSingleObject,GetExitCodeProcess,CloseHandle,SHGetFolderPathW,GetSystemDirectoryW,ShellExecuteExW,WaitForSingleObject,GetExitCodeProcess,SetLastError,CloseHandle,SHGetFolderPathW,GetSystemDirectoryW,ShellExecuteExW,WaitForSingleObject,GetExitCodeProcess,SetLastError,CloseHandle,RegCreateKeyExW,RegCloseKey,RegCreateKeyExW,RegCloseKey,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,RegCreateKeyExW,RegSetValueExW,RegCloseKey,LoadStringW,MessageBoxW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,LoadStringW,MessageBoxW,RegCreateKeyExW,RegSetValueExW,RegCloseKey,LoadStringW,MessageBoxW,GetWindowsDirectoryW,Sleep,ImpersonateLoggedOnUser,DuplicateTokenEx,RevertToSelf,CreateProcessWithTokenW,CloseHandle,CloseHandle,CloseHandle,ShellExecuteW,CloseHandle,GetLastError,LoadStringW,MessageBoxW,ExitWindowsEx,ShellExecuteExW,GetLastError,_invalid_parameter_noinfo, 0_2_00000001400031F0
Source: C:\Users\user\Desktop\5390d36a371f0598b86301961d5fdb329e368e7a.exe Code function: 0_2_00000001400010D0 GetSystemDirectoryW,GetSystemDirectoryW,SHGetFolderPathW,GetWindowsDirectoryW,GetSystemDirectoryW,ShellExecuteExW,WaitForSingleObject,GetExitCodeProcess,CloseHandle, 0_2_00000001400010D0
Source: C:\Users\user\Desktop\5390d36a371f0598b86301961d5fdb329e368e7a.exe Code function: 0_2_00000001400031F0 SetProcessDpiAwarenessContext,CommandLineToArgvW,CreateDirectoryW,GetCurrentDirectoryW,GetModuleHandleW,GetProcAddress,GetCurrentProcess,GetModuleFileNameW,PathStripPathW,GetModuleFileNameW,LoadStringW,MessageBoxW,AllocateAndInitializeSid,CheckTokenMembership,GetLastError,FreeSid,RegGetValueW,LoadStringW,MessageBoxW,RegDeleteKeyValueW,CreateEventW,SHGetFolderPathW,CreateDirectoryW,GetLastError,FindWindowW,GetWindowThreadProcessId,OpenProcess,OpenProcessToken,CloseHandle,GetCurrentProcess,OpenProcessToken,SetLastError,GetTokenInformation,GetLastError,GetTokenInformation,SetLastError,GetTokenInformation,GetLastError,GetTokenInformation,EqualSid,CloseHandle,CloseHandle,SendMessageTimeoutW,CreateThread,WaitForSingleObject,CloseHandle,Sleep,GetSystemDirectoryW,ShellExecuteExW,WaitForSingleObject,CloseHandle,Sleep,CreateEventW,GetLastError,CloseHandle,GetLastError,GetSystemDirectoryW,ShellExecuteExW,WaitForSingleObject,GetExitCodeProcess,CloseHandle,FindWindowW,GetWindowThreadProcessId,OpenProcess,SendMessageW,TerminateProcess,CloseHandle,RegCreateKeyExW,RegSetValueExW,RegCloseKey,Sleep,SHGetFolderPathW,RegOpenKeyExW,RegCloseKey,SHGetFolderPathW,GetSystemDirectoryW,ShellExecuteExW,WaitForSingleObject,GetExitCodeProcess,SetLastError,CloseHandle,FindFirstFileW,FindClose,GetUserPreferredUILanguages,GetUserPreferredUILanguages,RegCreateKeyExW,RegSetValueExW,RegCloseKey,RegDeleteKeyW,GetWindowsDirectoryW,GetWindowsDirectoryW,GetSystemDirectoryW,CreateSymbolicLinkW,FindFirstFileW,FindClose,RemoveDirectoryW,FindFirstFileW,FindClose,RemoveDirectoryW,GetWindowsDirectoryW,GetSystemDirectoryW,SHGetFolderPathW,SHGetFolderPathW,ShellExecuteExW,WaitForSingleObject,GetExitCodeProcess,CloseHandle,SHGetFolderPathW,GetSystemDirectoryW,ShellExecuteExW,WaitForSingleObject,GetExitCodeProcess,SetLastError,CloseHandle,SHGetFolderPathW,GetSystemDirectoryW,ShellExecuteExW,WaitForSingleObject,GetExitCodeProcess,SetLastError,CloseHandle,RegCreateKeyExW,RegCloseKey,RegCreateKeyExW,RegCloseKey,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,RegCreateKeyExW,RegSetValueExW,RegCloseKey,LoadStringW,MessageBoxW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,LoadStringW,MessageBoxW,RegCreateKeyExW,RegSetValueExW,RegCloseKey,LoadStringW,MessageBoxW,GetWindowsDirectoryW,Sleep,ImpersonateLoggedOnUser,DuplicateTokenEx,RevertToSelf,CreateProcessWithTokenW,CloseHandle,CloseHandle,CloseHandle,ShellExecuteW,CloseHandle,GetLastError,LoadStringW,MessageBoxW,ExitWindowsEx,ShellExecuteExW,GetLastError,_invalid_parameter_noinfo, 0_2_00000001400031F0
Source: 5390d36a371f0598b86301961d5fdb329e368e7a.exe Binary or memory string: Shell_TrayWnd
Source: 5390d36a371f0598b86301961d5fdb329e368e7a.exe Binary or memory string: runasExplorerPatcherntdll.dllRtlGetVersion\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersionUBRShell_TrayWnd\explorer.exeopenep_taskbar.0.dllep_taskbar.1.dllep_taskbar.2.dllep_taskbar.3.dllep_taskbar.4.dllep_taskbar.5.dll\ExplorerFrame.dll (ExplorerPatcher).lnk\shell32.dllSOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D17F1E1A-5919-4427-8F89-A1A8503CA3EB}_ExplorerPatcherUninstallStringDisplayNameVALINET Solutions SRLPublisherNoModifyNoRepair\ExplorerPatcher.amd64.dll%d.%d.%d.%dDisplayVersionVersionMajorVersionMinorDisplayIcon\ExplorerPatcher\cleanup_.tmp.preven-USmuipriep_taskbar.0.dllep_taskbar.2.dllep_taskbar.3.dllep_taskbar.4.dllep_taskbar.5.dll\*.../extractIsWow64Process2kernel32.dllx64ARM64/uninstall/uninstall_silentep_uninstall.exe/update_silentUndockingDisabledSOFTWARE\Microsoft\Windows\CurrentVersion\Shell\Update\PackagesGlobal\ep_setup_D17F1E1A-5919-4427-8F89-A1A8503CA3EB/f /im explorer.exeGlobal\ep_dwm_{D17F1E1A-5919-4427-8F89-A1A8503CA3EB}stop ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EBExplorerPatcher_GUI_{D17F1E1A-5919-4427-8F89-A1A8503CA3EB}Software\ExplorerPatcherOpenPropertiesAtNextStartep_setup.exeSOFTWARE\Classes\CLSID\{D17F1E1A-5919-4427-8F89-A1A8503CA3EB}\InProcServer32\ExplorerPatcher\ExplorerPatcher.amd64.dll"\regsvr32.exeExplorerPatcher.IA-32.dllExplorerPatcher.IA-32.dllExplorerPatcher.amd64.dllExplorerPatcher.amd64.dllep_gui.dllep_gui.dllep_dwm.exeep_dwm.exeep_weather_host.dllep_weather_host.dllep_weather_host_stub.dllep_weather_host_stub.dllWebView2Loader.dllWebView2Loader.dllar-SAbg-BGca-EScs-CZda-DKde-DEel-GRen-GBes-ESes-MXet-EEeu-ESfi-FIfr-CAfr-FRgl-EShe-ILhr-HRhu-HUid-IDit-ITja-JPko-KRlt-LTlv-LVnb-NOnl-NLpl-PLpt-BRpt-PTro-ROru-RUsk-SKsl-SIsr-Latn-RSsv-SEth-THtr-TRuk-UAvi-VNzh-CNzh-TWprisStartUIWindows.UI.ShellCommon.pripnidui/Windows.UI.ShellCommon/pnidui.dllpnidui/pnidui.dllSOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjects\{C2796011-81BA-4148-8FCA-C6643245113F}AutoStartdxgi.dll\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewywincorlib.dllep_startmenu.dllwincorlib_orig.dll\wincorlib.dll\wincorlib_orig.dllStartUI_.dllStartUI/StartUI.dllAppResolverLegacy.dllStartTileDataLegacy.dll\en-USStartTileDataLegacy.dll.mui\pris2Windows.UI.ShellCommon.en-US.pri\SystemApps\ShellExperienceHost_cw5n1h2txyewy\rundll32.exe "\ExplorerPatcher\ep_gui.dll",ZZGUI\ExplorerPatcher\ep_setup.exe" /uninstallstart ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EBdelete ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB\ExplorerPatcher\ep_weather_host.dll"\ExplorerPatcher\ep_weather_host_stub.dll"SOFTWARE\Policies\Microsoft\Windows\ExplorerSOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\cleanupSOFTWARE\Microsoft\Windows\CurrentVersion\RunOncecmd /c rmdir /s /q ""ExplorerPatcherCleanupIsUpdatePendingrbr+bwb1.3.1.1-motley unzip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll@
Source: C:\Users\user\Desktop\5390d36a371f0598b86301961d5fdb329e368e7a.exe Code function: 0_2_00000001400246F0 cpuid 0_2_00000001400246F0
Source: C:\Users\user\Desktop\5390d36a371f0598b86301961d5fdb329e368e7a.exe Code function: 0_2_0000000140008E2C GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_0000000140008E2C
No contacted IP infos