Malware analysis ep_setup.exe Malicious activity | ANY.RUN

Add for printing

File name:	ep_setup.exe
Full analysis:	https://app.any.run/tasks/e3e2e703-0237-472b-93f6-6058fe77fb34
Verdict:	Malicious activity
Analysis date:	August 27, 2024, 17:43:28
OS:	Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME:	application/x-dosexec
File info:	PE32+ executable (GUI) x86-64, for MS Windows
MD5:	0022AD8082B815BC30182E748FECF80C
SHA1:	88AF03747655D367A6221AF7507CE77780940CC1
SHA256:	1E19A17D39755F8094FD34398B41B8DE81534E662F0DAA17C5FB9496E3DB49F9
SSDEEP:	49152:O/edSvgdIbmKDgSmTaOAyRwdORHRj9yPtO7OBSmxk/gw69Ihu7JgoTe:OpTbmr3x0lCixWgNic+g

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 120 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 60 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Registers / Runs the DLL via REGSVR32.EXE
  - ep_setup.exe (PID: 4688)
SUSPICIOUS
- Drops the executable file immediately after the start
  - ep_setup.exe (PID: 3964)
  - ep_setup.exe (PID: 4688)
- Application launched itself
  - ep_setup.exe (PID: 3964)
- Reads security settings of Internet Explorer
  - ep_setup.exe (PID: 3964)
  - ep_setup.exe (PID: 4688)
  - StartMenuExperienceHost.exe (PID: 3032)
- Reads the date of Windows installation
  - ep_setup.exe (PID: 3964)
  - ep_setup.exe (PID: 4688)
  - StartMenuExperienceHost.exe (PID: 3032)
  - SearchApp.exe (PID: 5708)
- Starts SC.EXE for service management
  - ep_setup.exe (PID: 4688)
- The process creates files with name similar to system file names
  - ep_setup.exe (PID: 4688)
- Uses TASKKILL.EXE to kill process
  - ep_setup.exe (PID: 4688)
- Process drops legitimate windows executable
  - ep_setup.exe (PID: 4688)
- Executable content was dropped or overwritten
  - ep_setup.exe (PID: 4688)
- Creates a software uninstall entry
  - ep_setup.exe (PID: 4688)
- Creates/Modifies COM task schedule object
  - regsvr32.exe (PID: 6640)
  - regsvr32.exe (PID: 7132)
- The process executes via Task Scheduler
  - explorer.exe (PID: 1496)
INFO
- Reads the computer name
  - ep_setup.exe (PID: 3964)
  - ep_setup.exe (PID: 4688)
  - TextInputHost.exe (PID: 3448)
  - StartMenuExperienceHost.exe (PID: 3032)
  - SearchApp.exe (PID: 5708)
- Checks supported languages
  - ep_setup.exe (PID: 3964)
  - ep_setup.exe (PID: 4688)
  - TextInputHost.exe (PID: 3448)
  - StartMenuExperienceHost.exe (PID: 3032)
  - SearchApp.exe (PID: 5708)
- Process checks computer location settings
  - ep_setup.exe (PID: 3964)
  - ep_setup.exe (PID: 4688)
  - SearchApp.exe (PID: 5708)
  - StartMenuExperienceHost.exe (PID: 3032)
- Creates files in the program directory
  - ep_setup.exe (PID: 4688)
- Reads Microsoft Office registry keys
  - explorer.exe (PID: 1496)
- Reads security settings of Internet Explorer
  - explorer.exe (PID: 1496)
  - Taskmgr.exe (PID: 5140)
- Checks proxy server information
  - SearchApp.exe (PID: 5708)
  - explorer.exe (PID: 1496)
- Reads the machine GUID from the registry
  - SearchApp.exe (PID: 5708)
- Process checks Internet Explorer phishing filters
  - SearchApp.exe (PID: 5708)
- Reads the software policy settings
  - SearchApp.exe (PID: 5708)
  - explorer.exe (PID: 1496)
- Reads Environment values
  - SearchApp.exe (PID: 5708)
- Creates files or folders in the user directory
  - explorer.exe (PID: 1496)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win32 Executable (generic) (3.6)
.exe	\|	Generic Win/DOS Executable (1.6)
.exe	\|	DOS Executable Generic (1.5)

EXIF

EXE

MachineType:	AMD AMD64
TimeStamp:	2023:04:24 01:22:52+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32+
LinkerVersion:	14.29
CodeSize:	121856
InitializedDataSize:	1734144
UninitializedDataSize:	-
EntryPoint:	0x57b4
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI
FileVersionNumber:	22621.1555.55.2
ProductVersionNumber:	22621.1555.55.2
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows NT 32-bit
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
CompanyName:	VALINET Solutions SRL
FileDescription:	ExplorerPatcher Setup Program
FileVersion:	22621.1555.55.2
InternalName:	ep_setup.exe
LegalCopyright:	Copyright (C) 2006-2023 VALINET Solutions SRL. All rights reserved.
OriginalFileName:	ep_setup.exe
ProductName:	ExplorerPatcher
ProductVersion:	22621.1555.55.2

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

149

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

1496

"C:\WINDOWS\explorer.exe" /NoUACCheck

C:\Windows\explorer.exe

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Explorer

Version:

10.0.19041.3758 (WinBuild.160101.0800)

Modules

Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shcore.dll

2132

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

sc.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

2584

"C:\WINDOWS\system32\sc.exe" stop ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB

C:\Windows\System32\sc.exe

—

ep_setup.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Service Control Manager Configuration Tool

Exit code:

1060

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll

3032

"C:\WINDOWS\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

—

svchost.exe

User:

admin

Integrity Level:

MEDIUM

Modules

Images
c:\windows\systemapps\microsoft.windows.startmenuexperiencehost_cw5n1h2txyewy\startmenuexperiencehost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\wincorlib.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll

3448

"C:\WINDOWS\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXjd5de1g66v206tj52m9d0dtpppx4cgpn.mca

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Version:

123.26505.0.0

Modules

Images
c:\windows\systemapps\microsoftwindows.client.cbs_cw5n1h2txyewy\textinputhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\systemapps\microsoftwindows.client.cbs_cw5n1h2txyewy\vcruntime140_app.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll

3964

"C:\Users\admin\AppData\Local\Temp\ep_setup.exe"

C:\Users\admin\AppData\Local\Temp\ep_setup.exe

—

explorer.exe

User:

admin

Company:

VALINET Solutions SRL

Integrity Level:

MEDIUM

Description:

ExplorerPatcher Setup Program

Exit code:

Version:

22621.1555.55.2

Modules

Images
c:\users\admin\appdata\local\temp\ep_setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll

4556

C:\WINDOWS\System32\mobsync.exe -Embedding

C:\Windows\System32\mobsync.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Sync Center

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\mobsync.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

4688

"C:\Users\admin\AppData\Local\Temp\ep_setup.exe"

C:\Users\admin\AppData\Local\Temp\ep_setup.exe

ep_setup.exe

User:

admin

Company:

VALINET Solutions SRL

Integrity Level:

HIGH

Description:

ExplorerPatcher Setup Program

Exit code:

Version:

22621.1555.55.2

Modules

Images
c:\users\admin\appdata\local\temp\ep_setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll

5128

"C:\WINDOWS\system32\taskkill.exe" /f /im explorer.exe

C:\Windows\System32\taskkill.exe

—

ep_setup.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Terminates Processes

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

5140

"C:\WINDOWS\system32\taskmgr.exe" /4

C:\Windows\System32\Taskmgr.exe

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Task Manager

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\taskmgr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\combase.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\rpcrt4.dll

Add for printing

Total events

48 697

Read events

48 380

Write events

295

Delete events

Modification events


(PID) Process:	(3964) ep_setup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(3964) ep_setup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(3964) ep_setup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(3964) ep_setup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(4688) ep_setup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(4688) ep_setup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(4688) ep_setup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(4688) ep_setup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(4688) ep_setup.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D17F1E1A-5919-4427-8F89-A1A8503CA3EB}_ExplorerPatcher
Operation:	write	Name:	UninstallString
Value: "C:\Program Files\ExplorerPatcher\ep_setup.exe" /uninstall
(PID) Process:	(4688) ep_setup.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D17F1E1A-5919-4427-8F89-A1A8503CA3EB}_ExplorerPatcher
Operation:	write	Name:	DisplayName
Value: ExplorerPatcher

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
4688	ep_setup.exe	C:\Program Files\ExplorerPatcher\ExplorerPatcher.IA-32.dll		executable
		MD5:F1B698FA42028E794D189CE072205C78	SHA256:F28B706C8241B37173F11DE3F5B09398B3921B789AF33A336BF06BCC99CD26EC
4688	ep_setup.exe	C:\Windows\dxgi.dll		executable
		MD5:D8A404763E5404F86FE24939BC80D1F5	SHA256:B69FF6CA8CF2EB4969CB00CAF9FEC2D9CB9703C154BA29D05024772F51F187CC
4688	ep_setup.exe	C:\Program Files\ExplorerPatcher\ep_dwm.exe		executable
		MD5:36453DC19A7C960071B46DA3FE5EF70A	SHA256:9ABAC80123C5862CD6F72F7F17B2B496E8FD2A4ED9E970FA0D06AB0B19C08CCA
5708	SearchApp.exe	C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A		binary
		MD5:B43DBE12EFEB04D44B1C84E788C2BCDE	SHA256:92AA2D7A8CB2C5D58A41D11F26033B46DB81E5DE19A5B50AAB3A16617FBF5AD8
4688	ep_setup.exe	C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\dxgi.dll		executable
		MD5:D8A404763E5404F86FE24939BC80D1F5	SHA256:B69FF6CA8CF2EB4969CB00CAF9FEC2D9CB9703C154BA29D05024772F51F187CC
5708	SearchApp.exe	C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\5Y734AMR\65\4bnLx4S3ZRMpYV30k3R5vRy8JVg[1].js		s
		MD5:97540BC45CFB7C7C4D859A7E1CE839BA	SHA256:4AE944B4A382D05A8A5B657105ADD88DD8B8F59D6309567E179CA64DF19F6075
4688	ep_setup.exe	C:\Program Files\ExplorerPatcher\ep_weather_host.dll		executable
		MD5:A1E5C33B9BC07F96E8D85D3BB37C9D62	SHA256:B61E0A1117F8C43D1DDB6B29DD9EE0BF6923C8A5F119481C1A164DED8B15891F
5708	SearchApp.exe	C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbres		binary
		MD5:26BA3421CA281241765EDBBA5A003395	SHA256:91F419BC81B60C1AFD329EF7211CD29F50E2DC5E6628B541501EFD218285B271
5708	SearchApp.exe	C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\MetaData\26C212D9399727259664BDFCA073966E_F9F7D6A7ECE73106D2A8C63168CDA10D		binary
		MD5:C1FDF08B40CFFE9BD4C202A2BABCB789	SHA256:8C9567C6E91D0C3DA8148C8C1B58F10B89BD81CAD63C125249EA6B236E954B12
5708	SearchApp.exe	C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\5Y734AMR\65\4-xJy3tX6bM2BGl5zKioiEcQ1TU[1].css		text
		MD5:B8C89E50D1A8DF3954C30836B80AFA47	SHA256:F63656D5FE0A12D00F9FD662236FE996E18F036435781B1824F51C5B2BA935EC

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5708	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted
1060	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
6448	SIHClient.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
1496	explorer.exe	GET	302	204.79.197.219:80	http://msdl.microsoft.com/download/symbols/StartUI.pdb/0B81EEDEEB6FF49A7EC7F23C15C216771/StartUI.pdb	unknown	—	—	whitelisted
5708	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
1496	explorer.exe	GET	200	172.64.149.23:80	http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEFZnHQTqT5lMbxCBR1nSdZQ%3D	unknown	—	—	whitelisted
1496	explorer.exe	GET	200	104.18.38.233:80	http://ocsp.sectigo.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTPlNxcMEqnlIVyH5VuZ4lawhZX3QQU9oUKOxGG4QR9DqoLLNLuzGR7e64CEE4o94a2bBo7lCzSxA63QqU%3D	unknown	—	—	whitelisted
6448	SIHClient.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
1496	explorer.exe	GET	200	172.64.149.23:80	http://ocsp.usertrust.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBSr83eyJy3njhjVpn5bEpfc6MXawQQUOuEJhtTPGcKWdnRJdtzgNcZjY5oCEQDzZE5rbgBQI34JRr174fUd	unknown	—	—	whitelisted
1496	explorer.exe	GET	302	204.79.197.219:80	http://msdl.microsoft.com/download/symbols/twinui.pcshell.pdb/3F0945AE4BC25ECE16353588B05D30B61/twinui.pcshell.pdb	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
6880	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5708	SearchApp.exe	202.89.233.100:443	r.bing.com	Microsoft Mobile Alliance Internet Services Co., Ltd	CN	whitelisted
5708	SearchApp.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted
5708	SearchApp.exe	2.23.209.177:443	www.bing.com	Akamai International B.V.	GB	whitelisted
1496	explorer.exe	140.82.121.4:443	github.com	GITHUB	US	shared
1496	explorer.exe	172.64.149.23:80	ocsp.comodoca.com	CLOUDFLARENET	US	whitelisted
1496	explorer.exe	104.18.38.233:80	ocsp.comodoca.com	CLOUDFLARENET	—	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	20.73.194.208 4.231.128.59 51.104.136.2 40.127.240.158	whitelisted
google.com	142.250.184.206	whitelisted
r.bing.com	202.89.233.100 202.89.233.101	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
www.bing.com	2.23.209.177 2.23.209.140 2.23.209.150 2.23.209.189 2.23.209.133 2.23.209.130 2.23.209.149 2.23.209.179 2.23.209.182	whitelisted
github.com	140.82.121.4	shared
ocsp.comodoca.com	172.64.149.23 104.18.38.233	whitelisted
ocsp.usertrust.com	172.64.149.23 104.18.38.233	whitelisted
ocsp.sectigo.com	104.18.38.233 172.64.149.23	whitelisted
objects.githubusercontent.com	185.199.111.133 185.199.110.133 185.199.109.133 185.199.108.133	shared

Threats

No threats detected

Add for printing

No debug info

General Info

ep_setup.exe

0022AD8082B815BC30182E748FECF80C

88AF03747655D367A6221AF7507CE77780940CC1

1E19A17D39755F8094FD34398B41B8DE81534E662F0DAA17C5FB9496E3DB49F9

49152:O/edSvgdIbmKDgSmTaOAyRwdORHRj9yPtO7OBSmxk/gw69Ihu7JgoTe:OpTbmr3x0lCixWgNic+g

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Registers / Runs the DLL via REGSVR32.EXE

SUSPICIOUS

Drops the executable file immediately after the start

Application launched itself

Reads security settings of Internet Explorer

Reads the date of Windows installation

Starts SC.EXE for service management

The process creates files with name similar to system file names

Uses TASKKILL.EXE to kill process

Process drops legitimate windows executable

Executable content was dropped or overwritten

Creates a software uninstall entry

Creates/Modifies COM task schedule object

The process executes via Task Scheduler

INFO

Reads the computer name

Checks supported languages

Process checks computer location settings

Creates files in the program directory

Reads Microsoft Office registry keys

Reads security settings of Internet Explorer

Checks proxy server information

Reads the machine GUID from the registry

Process checks Internet Explorer phishing filters

Reads the software policy settings

Reads Environment values

Creates files or folders in the user directory

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings