File name: EPRLastic13.exe

Full analysis: https://app.any.run/tasks/83b54029-0d00-429d-9914-91adc5a80a69
Verdict: Malicious activity
Analysis date: February 10, 2024, 10:20:03
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 6C56DF7DD16F2ABEB6DF9CF6823C029C
SHA1: 70C24E1626734C84E4F8E4CCC6DBBECD315B322D
SHA256: 03A7B7376CE6B93EF3D7F007DCA4261EEABD403F87C5995854E4886853A1367E
SSDEEP: 98304:2bUgd1g88da6dsbvVYJi7VERgagEfQCzLn7kfGQrx+qZ3idCts4M7hCjT/BmelF0:8VNA

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • EPRLastic13.exe (PID: 2472)
      • EPRLastic13.tmp (PID: 3864)
  • SUSPICIOUS

    • Reads the Windows owner or organization settings

      • EPRLastic13.tmp (PID: 3864)
    • Executable content was dropped or overwritten

      • EPRLastic13.exe (PID: 2472)
      • EPRLastic13.tmp (PID: 3864)
  • INFO

    • Checks supported languages

      • EPRLastic13.exe (PID: 2472)
      • EPRLastic13.tmp (PID: 3864)
      • EPRLastic.exe (PID: 3732)
    • Reads the computer name

      • EPRLastic13.tmp (PID: 3864)
    • Create files in a temporary directory

      • EPRLastic13.exe (PID: 2472)
      • EPRLastic13.tmp (PID: 3864)
    • Creates files or folders in the user directory

      • EPRLastic13.tmp (PID: 3864)
    • Creates a software uninstall entry

      • EPRLastic13.tmp (PID: 3864)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Inno Setup installer (51.8)
.exe | InstallShield setup (20.3)
.exe | Win32 EXE PECompact compressed (generic) (19.6)
.dll | Win32 Dynamic Link Library (generic) (3.1)
.exe | Win32 Executable (generic) (2.1)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2019:04:27 08:22:11+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 682496
InitializedDataSize: 37888
UninitializedDataSize: -
EntryPoint: 0xa7ed0
OSVersion: 6
ImageVersion: 6
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 1.3.0.3
ProductVersionNumber: 1.3.0.3
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName: PasswordLastic
FileDescription: Excel Password Recovery Lastic Setup
FileVersion: 1.3.0.3
LegalCopyright: Copyright © From 2011, PasswordLastic
OriginalFileName:
ProductName: Excel Password Recovery Lastic
ProductVersion: 1.3.0.3
No data.
All screenshots are available in the full report
Total processes: 39
Monitored processes: 3
Malicious processes: 2
Suspicious processes: 0

Behavior graph

start → eprlastic13.exe → eprlastic13.tmp → eprlastic.exe

Process information

PID: 2472
CMD: "C:\Users\admin\AppData\Local\Temp\EPRLastic13.exe"
Path: C:\Users\admin\AppData\Local\Temp\EPRLastic13.exe
Parent process: explorer.exe
User: admin
Company: PasswordLastic
Integrity Level: MEDIUM
Description: Excel Password Recovery Lastic Setup
Exit code: 0
Version: 1.3.0.3
Modules (images):
c:\users\admin\appdata\local\temp\eprlastic13.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

PID: 3732
CMD: "C:\Users\admin\AppData\Local\PasswordLastic\Excel Password Recovery Lastic\EPRLastic.exe"
Path: C:\Users\admin\AppData\Local\PasswordLastic\Excel Password Recovery Lastic\EPRLastic.exe
Parent process: EPRLastic13.tmp
User: admin
Company: PasswordLastic
Integrity Level: MEDIUM
Description: Excel Password Recovery Lastic
Exit code: 2
Version: 1, 3, 0, 3
Modules (images):
c:\users\admin\appdata\local\passwordlastic\excel password recovery lastic\eprlastic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll

PID: 3864
CMD: "C:\Users\admin\AppData\Local\Temp\is-JU4V9.tmp\EPRLastic13.tmp" /SL5="$E0170,2182815,721408,C:\Users\admin\AppData\Local\Temp\EPRLastic13.exe"
Path: C:\Users\admin\AppData\Local\Temp\is-JU4V9.tmp\EPRLastic13.tmp
Parent process: EPRLastic13.exe
User: admin
Integrity Level: MEDIUM
Description: Setup/Uninstall
Exit code: 3221225547
Version: 51.1052.0.0
Modules (images):
c:\users\admin\appdata\local\temp\is-ju4v9.tmp\eprlastic13.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\mpr.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
Total events: 3 041
Read events: 3 008
Write events: 27
Delete events: 6

Modification events

(PID) Process: (3864) EPRLastic13.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation: write
Name: Owner
Value: 180F0000B2FB43BC0A5CDA01

(PID) Process: (3864) EPRLastic13.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation: write
Name: SessionHash
Value: 9CFF3986F9757E462DD11998796C25E63FD6E26F7E1190D9825719B85A7780CA

(PID) Process: (3864) EPRLastic13.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation: write
Name: Sequence
Value: 1

(PID) Process: (3864) EPRLastic13.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation: write
Name: RegFiles0000
Value: C:\Users\admin\AppData\Local\PasswordLastic\Excel Password Recovery Lastic\EPRLastic.exe

(PID) Process: (3864) EPRLastic13.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation: write
Name: RegFilesHash
Value: 7766BA337671FD47271EF2E4E4DAC22DB085B08C2D36BC4992C621F64D586295

(PID) Process: (3864) EPRLastic13.tmp
Key: HKEY_CURRENT_USER\Software\PasswordLastic\Excel Password Recovery Lastic
Operation: write
Name: AffiliateID
Value: 0

(PID) Process: (3864) EPRLastic13.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Excel Password Recovery Lastic_is1
Operation: write
Name: Inno Setup: Setup Version
Value: 6.0.2 (u)

(PID) Process: (3864) EPRLastic13.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Excel Password Recovery Lastic_is1
Operation: write
Name: Inno Setup: App Path
Value: C:\Users\admin\AppData\Local\PasswordLastic\Excel Password Recovery Lastic

(PID) Process: (3864) EPRLastic13.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Excel Password Recovery Lastic_is1
Operation: write
Name: InstallLocation
Value: C:\Users\admin\AppData\Local\PasswordLastic\Excel Password Recovery Lastic\

(PID) Process: (3864) EPRLastic13.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Excel Password Recovery Lastic_is1
Operation: write
Name: Inno Setup: Icon Group
Value: Excel Password Recovery Lastic
Executable files: 8
Suspicious files: 4
Text files: 11
Unknown types: 0

Dropped files

PID | Process | Filename | Type
2472 | EPRLastic13.exe | C:\Users\admin\AppData\Local\Temp\is-JU4V9.tmp\EPRLastic13.tmp | executable
  MD5: 8E2D270339DCD0A68FBB2F02A65D45DD
  SHA256: 506176B3245DE84BB0B7A4DA4B8068B9DD289EB9A3A1757D4183C7C3F168C811
3864 | EPRLastic13.tmp | C:\Users\admin\AppData\Local\PasswordLastic\Excel Password Recovery Lastic\is-BAOSA.tmp | executable
  MD5: 499472A940A86F93DCCFE4C0E2F4D983
  SHA256: 93143B86D2481D803C28BE5BFC6ED5F1A87EDA79A0D687AC05ADF0FC307FFECE
3864 | EPRLastic13.tmp | C:\Users\admin\AppData\Local\PasswordLastic\Excel Password Recovery Lastic\is-9E7B6.tmp | text
  MD5: 09BFFDD60A47B022A6365E832E09931F
  SHA256: C3F4D6108A96AA8745547F2EC42D3A6F0ABA785D4C5180A89FD0033A441596B9
3864 | EPRLastic13.tmp | C:\Users\admin\AppData\Local\Temp\is-HK24N.tmp\Styles.cjstyles | executable
  MD5: F450D34876B007AC8548D6942E95FD0F
  SHA256: 315B3DDEDFD7012D85E211EEC1C9E157043781D1AE9C209E4774680ED6B83F92
3864 | EPRLastic13.tmp | C:\Users\admin\AppData\Local\Temp\is-HK24N.tmp\isskin.dll | executable
  MD5: 92C2E247392E0E02261DEA67E1BB1A5E
  SHA256: 25FDB94E386F8A41F10ABA00ED092A91B878339F8E256A7252B11169122B0A68
3864 | EPRLastic13.tmp | C:\Users\admin\AppData\Local\PasswordLastic\Excel Password Recovery Lastic\is-36JDP.tmp | executable
  MD5: 8D018E33A7FDC98B23E88804A76660CB
  SHA256: 4DCF0171CDA99134774533AD54BF239C1B99B0A71DBDE236FBDB1281C2265852
3864 | EPRLastic13.tmp | C:\Users\admin\AppData\Local\PasswordLastic\Excel Password Recovery Lastic\Languages\is-8MNKU.tmp | text
  MD5: 6EEA95D9F921C879EA4BB3C9BFB1D8CF
  SHA256: CB5406D7B7675B510B587A300ED5019C010E23626BA007B70E60725A69E412A0
3864 | EPRLastic13.tmp | C:\Users\admin\AppData\Local\PasswordLastic\Excel Password Recovery Lastic\Languages\English.lng | ini
  MD5: 6EEA95D9F921C879EA4BB3C9BFB1D8CF
  SHA256: CB5406D7B7675B510B587A300ED5019C010E23626BA007B70E60725A69E412A0
3864 | EPRLastic13.tmp | C:\Users\admin\AppData\Local\PasswordLastic\Excel Password Recovery Lastic\Languages\French.lng | text
  MD5: C6346EABC363626F9FF86C2212150607
  SHA256: 7019EC5520291AC6228EE83DFD5C22B353C0FC2470E4342864D8B573AA9808EA
3864 | EPRLastic13.tmp | C:\Users\admin\AppData\Local\PasswordLastic\Excel Password Recovery Lastic\License.txt | text
  MD5: 09BFFDD60A47B022A6365E832E09931F
  SHA256: C3F4D6108A96AA8745547F2EC42D3A6F0ABA785D4C5180A89FD0033A441596B9
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown

DNS requests

No data

Threats

No threats detected
No debug info