File name:

epad.exe

Full analysis: https://app.any.run/tasks/03c527c8-e2d1-4588-835b-7c8bd65e4af1
Verdict: Malicious activity
Analysis date: March 20, 2024, 00:05:49
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

381E2EA63A1AEF1D644DCC7C4E380416

SHA1:

91DD7E40EE4F31E2DFA59AF6446EA7DEBF90F6C9

SHA256:

479AFADC9DA70051B93C6992B90F4D5C3DBE9D7CB63B8FAC945F196D3A366AC1

SSDEEP:

98304:dUI5tQA9WAEddugmOguU0K9oF6MvIeYcJ9LXAg4N38HZBArxyeALAICNTA7AdUws:cx+c4g

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • epad.exe (PID: 2908)
      • thinsetup.exe (PID: 2672)

    • Create files in the Startup directory

      • thinsetup.exe (PID: 2672)

  • SUSPICIOUS

    • Process drops legitimate windows executable

      • epad.exe (PID: 2908)
      • thinsetup.exe (PID: 2672)

    • Executable content was dropped or overwritten

      • epad.exe (PID: 2908)
      • thinsetup.exe (PID: 2672)

    • The process drops C-runtime libraries

      • epad.exe (PID: 2908)
      • thinsetup.exe (PID: 2672)

    • Creates a software uninstall entry

      • thinsetup.exe (PID: 2672)

    • Reads the Internet Settings

      • thinsetup.exe (PID: 2672)

  • INFO

    • Create files in a temporary directory

      • epad.exe (PID: 2908)

    • Checks supported languages

      • epad.exe (PID: 2908)
      • thinsetup.exe (PID: 2672)
      • splash.exe (PID: 956)

    • Reads the computer name

      • thinsetup.exe (PID: 2672)

    • Creates files in the program directory

      • thinsetup.exe (PID: 2672)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | InstallShield setup (30.7)
.exe | Win32 Executable MS Visual C++ (generic) (22.2)
.exe | Win64 Executable (generic) (19.7)
.exe | Winzip Win32 self-extracting archive (generic) (16.4)
.dll | Win32 Dynamic Link Library (generic) (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2009:11:02 20:24:15+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 8
CodeSize: 77824
InitializedDataSize: 40960
UninitializedDataSize: -
EntryPoint: 0xaf1e
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
43
Monitored processes
4
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start epad.exe thinsetup.exe splash.exe no specs epad.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
956C:\Users\admin\AppData\Local\Temp\WZSE0.TMP//splash.exeC:\Users\admin\AppData\Local\Temp\WZSE0.TMP\splash.exethinsetup.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\wzse0.tmp\splash.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\apphelp.dll
2672.\thinsetup.exeC:\Users\admin\AppData\Local\Temp\WZSE0.TMP\thinsetup.exe
epad.exe
User:
admin
Integrity Level:
HIGH
Description:
thinsetup MFC Application
Exit code:
0
Version:
1, 0, 0, 1
Modules
Images
c:\users\admin\appdata\local\temp\wzse0.tmp\thinsetup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msimg32.dll
2908"C:\Users\admin\AppData\Local\Temp\epad.exe" C:\Users\admin\AppData\Local\Temp\epad.exe
explorer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\epad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
3936"C:\Users\admin\AppData\Local\Temp\epad.exe" C:\Users\admin\AppData\Local\Temp\epad.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Modules
Images
c:\users\admin\appdata\local\temp\epad.exe
c:\windows\system32\ntdll.dll
Total events
1 064
Read events
1 061
Write events
3
Delete events
0

Modification events

(PID) Process:(2672) thinsetup.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ePad995
Operation:writeName:DisplayName
Value:
ePad995
(PID) Process:(2672) thinsetup.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ePad995
Operation:writeName:UninstallString
Value:
c:\ePad995\thinsetup.exe - uninstall
(PID) Process:(2672) thinsetup.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:writeName:GlobalAssocChangedCounter
Value:
116
Executable files
12
Suspicious files
3
Text files
20
Unknown types
0

Dropped files

PID
Process
Filename
Type
2908epad.exeC:\Users\admin\AppData\Local\Temp\WZSE0.TMP\masthead.gifimage
MD5:7DE69AFFECAE191D181078E7E479CC97
SHA256:4E8AC025806AC6E1567139C52312B859A69ABAEDEEA508E2C93161980555DDE1
2908epad.exeC:\Users\admin\AppData\Local\Temp\WZSE0.TMP\ep995.csstext
MD5:6CEFAFFF6FA9C049C9FC0BCE24AD2897
SHA256:8F9A0FB91CB5FC4B3D9670F3AE04BD4777FA3D5C67D17C52E712C1AAFB508827
2908epad.exeC:\Users\admin\AppData\Local\Temp\WZSE0.TMP\mfc100.dllexecutable
MD5:07BCCDCC337D393D7DB0B2F8FE200B3F
SHA256:BF38DDA13B938B49A4DF72B6477342373EE6E151BE12C25CB0C17662FCB4BCD4
2908epad.exeC:\Users\admin\AppData\Local\Temp\WZSE0.TMP\ePad995.exeexecutable
MD5:FCC1478C35C4D9018E7999159227A19F
SHA256:E698E5A5B30C42BCAA339C19D0D424908402671ED750BBBA41C389F2C5FC9676
2908epad.exeC:\Users\admin\AppData\Local\Temp\WZSE0.TMP\msvcp100.dllexecutable
MD5:03E9314004F504A14A61C3D364B62F66
SHA256:A3BA6421991241BEA9C8334B62C3088F8F131AB906C3CC52113945D05016A35F
2908epad.exeC:\Users\admin\AppData\Local\Temp\WZSE0.TMP\ePad995.jpgimage
MD5:BC41323E06DD6392F9762564623BB1CB
SHA256:F949839F4729A0AA42A358A4ACDE76DA031AFA37383FE5E48C929B1FF7BAD33B
2908epad.exeC:\Users\admin\AppData\Local\Temp\WZSE0.TMP\faq.gifimage
MD5:6F27D1F951DF2A0D8E6DFCE919F9D4F2
SHA256:367CC6FA3E23F48A164765FEA9FC4AFB779DF8258DC4F7F989644870548CA27C
2908epad.exeC:\Users\admin\AppData\Local\Temp\WZSE0.TMP\splash.exeexecutable
MD5:549D392D72B6EC9D52EA6BDB6BC5E9AD
SHA256:43B9435DAE3B46220F7309798AF30E9B5B88CF62C1CA5A41B237CA1928B21DE4
2908epad.exeC:\Users\admin\AppData\Local\Temp\WZSE0.TMP\msvcr100.dllexecutable
MD5:67EC459E42D3081DD8FD34356F7CAFC1
SHA256:1221A09484964A6F38AF5E34EE292B9AFEFCCB3DC6E55435FD3AAF7C235D9067
2908epad.exeC:\Users\admin\AppData\Local\Temp\WZSE0.TMP\readme.htmlhtml
MD5:A044BFEE458F2963E87404EEDEF9A147
SHA256:D514481156D482E36333F714F079D97BC9127FDA8AA6C20228588D2077F3C270
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
4
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted
224.0.0.252:5355
unknown
1080
svchost.exe
224.0.0.252:5355
unknown

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
epad.exe