File name:	ep_setup (2).exe
Full analysis:	https://app.any.run/tasks/caf59c06-e51f-431a-9202-5c83ca6dd793
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Malware Trends Tracker >>>
Analysis date:	June 04, 2024, 16:38:15
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	loader
Indicators:
MIME:	application/x-dosexec
File info:	PE32+ executable (GUI) x86-64, for MS Windows
MD5:	F52667D9C8AB6D500D66B7FB10EBA3F3
SHA1:	2AC1ED7B58D0BF8C0579FE0B108CD4A9458C6F39
SHA256:	7BEE15F947CA11D353FE45E4A732ED13D25FC8BE70D8B1FD73094DACDEC2939F
SSDEEP:	49152:2f7SGyYuMgjL/2Sk8sslITx3EwYPthCBSWhMUm2s2Ihu7JNYCLOUJPiSigSE:2RngjwlJilhUBBmcbYIlJm

.exe	\|	Win32 Executable (generic) (3.6)
.exe	\|	Generic Win/DOS Executable (1.6)
.exe	\|	DOS Executable Generic (1.5)

MachineType:	AMD AMD64
TimeStamp:	2024:04:25 16:37:35+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32+
LinkerVersion:	14.38
CodeSize:	112128
InitializedDataSize:	2467840
UninitializedDataSize:	-
EntryPoint:	0x5384
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI
FileVersionNumber:	22621.3527.65.1
ProductVersionNumber:	22621.3527.65.1
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows NT 32-bit
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
CompanyName:	VALINET Solutions SRL
FileDescription:	ExplorerPatcher Setup Program
FileVersion:	22621.3527.65.1
InternalName:	ep_setup.exe
LegalCopyright:	Copyright (C) 2006-2024 VALINET Solutions SRL. All rights reserved.
OriginalFileName:	ep_setup.exe
ProductName:	ExplorerPatcher
ProductVersion:	22621.3527.65.1


(PID) Process:	(3700) ep_setup (2).exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(3700) ep_setup (2).exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(3700) ep_setup (2).exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(3700) ep_setup (2).exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(4124) ep_setup (2).exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(4124) ep_setup (2).exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(4124) ep_setup (2).exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(4124) ep_setup (2).exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(4124) ep_setup (2).exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D17F1E1A-5919-4427-8F89-A1A8503CA3EB}_ExplorerPatcher
Operation:	write	Name:	UninstallString
Value: "C:\Program Files\ExplorerPatcher\ep_setup.exe" /uninstall
(PID) Process:	(4124) ep_setup (2).exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D17F1E1A-5919-4427-8F89-A1A8503CA3EB}_ExplorerPatcher
Operation:	write	Name:	DisplayName
Value: ExplorerPatcher

PID	Process	Filename		Type
5924	SearchApp.exe	C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133619927178754992.txt~RF1176c3.TMP		—
		MD5:—	SHA256:—
4124	ep_setup (2).exe	C:\Program Files\ExplorerPatcher\WebView2Loader.dll		executable
		MD5:C44BAED957B05B9327BD371DBF0DBE99	SHA256:AD8BB426A8E438493DB4D703242F373D9CB36D8C13E88B6647CD083716E09BEF
4124	ep_setup (2).exe	C:\Program Files\ExplorerPatcher\ExplorerPatcher.IA-32.dll		executable
		MD5:F3912DAB7614DD859716AAFDB0643E95	SHA256:BA563D68AF27E7A0AECBDBF80EEAEC2AE71F125F9046501E4A3736C00392757B
4124	ep_setup (2).exe	C:\Program Files\ExplorerPatcher\ep_dwm.exe		executable
		MD5:D7BDC273E17BCC8A4502CF4F1D64FD4C	SHA256:5A43160ED9928BD69951BDC4EA7B7C782502F58CEE2BAA53F45EF365F869472F
4124	ep_setup (2).exe	C:\Program Files\ExplorerPatcher\ep_weather_host_stub.dll		executable
		MD5:94C0C03F82099D3516D0BA58D23152C5	SHA256:C856A2B1284DDB138FF63C9945F13986762E5B782929152B40D6D532DF4732FC
5924	SearchApp.exe	C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133619927270632076.txt~RF1197d8.TMP		—
		MD5:—	SHA256:—
4124	ep_setup (2).exe	C:\Program Files\ExplorerPatcher\ep_gui.dll		executable
		MD5:031862839632F7162A1110B3A091F679	SHA256:02F930895B6FDDFE6D944EEA17C0B09334B1DDED2BE4479136B452B58F2786D6
4124	ep_setup (2).exe	C:\Program Files\ExplorerPatcher\ep_setup.exe		executable
		MD5:F52667D9C8AB6D500D66B7FB10EBA3F3	SHA256:7BEE15F947CA11D353FE45E4A732ED13D25FC8BE70D8B1FD73094DACDEC2939F
4124	ep_setup (2).exe	C:\Program Files\ExplorerPatcher\ExplorerPatcher.amd64.dll		executable
		MD5:0D9ED00606C3E1CB58D9D26EF1442935	SHA256:E9755A18EB431E8F54E6C09CBC2F1F68CF0D5AF7248A6822F7ABE08E662B62BC
4124	ep_setup (2).exe	C:\Program Files\ExplorerPatcher\ep_weather_host.dll		executable
		MD5:534BE5D2AF3509B043107260DD2B8C62	SHA256:ED544D67959C443334C1D2220CC0CE0F2B44D936724F8EFD0BA042A4979CD38C

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5140	MoUsoCoreWorker.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	unknown
5140	MoUsoCoreWorker.exe	GET	200	2.16.241.12:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	unknown
—	—	GET	302	140.82.121.4:443	https://github.com/valinet/ExplorerPatcher/releases/latest/download/ep_setup.exe	unknown	—	—	—
—	—	GET	302	140.82.121.4:443	https://github.com/valinet/ExplorerPatcher/releases/download/22621.3527.65.1_0976666/ep_setup.exe	unknown	—	—	—
4976	explorer.exe	GET	302	204.79.197.219:80	http://msdl.microsoft.com/download/symbols/twinui.pcshell.pdb/3F0945AE4BC25ECE16353588B05D30B61/twinui.pcshell.pdb	unknown	—	—	unknown
—	—	GET	—	20.150.70.36:443	https://vsblobprodscussu5shard53.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/2AC36C7E53D2079BF26A0424BD05EB5FAB5EDCD29D83BA3884994C921502F3D200.blob?sv=2019-07-07&sr=b&si=1&sig=ASgphQ9C84BT2s9inooo6sVsDv505phteDsuDdUMyM0%3D&spr=https&se=2024-06-05T17%3A10%3A03Z&rscl=x-e2eid-1ec47472-d4d2409b-8a6c1eaa-fc5f6e4c-session-37065b50-eafa40e3-9655c2ef-3242de57	unknown	—	—	—
—	—	GET	—	20.150.79.68:443	https://vsblobprodscussu5shard53.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/2AC36C7E53D2079BF26A0424BD05EB5FAB5EDCD29D83BA3884994C921502F3D200.blob?sv=2019-07-07&sr=b&si=1&sig=ASgphQ9C84BT2s9inooo6sVsDv505phteDsuDdUMyM0%3D&spr=https&se=2024-06-05T17%3A10%3A03Z&rscl=x-e2eid-1ec47472-d4d2409b-8a6c1eaa-fc5f6e4c-session-37065b50-eafa40e3-9655c2ef-3242de57	unknown	—	—	—
4976	explorer.exe	GET	302	204.79.197.219:80	http://msdl.microsoft.com/download/symbols/StartUI.pdb/0B81EEDEEB6FF49A7EC7F23C15C216771/StartUI.pdb	unknown	—	—	unknown
—	—	GET	200	93.186.134.217:443	https://r.bing.com/rb/6r/ortl,cc,nc/G6CsCraoYcD6qY8uGndwq5zbkCc.css?bu=CZEMtgqWDLYKmgy2CrYKtgq2Cg&or=w	unknown	—	428 Kb	—
—	—	POST	204	93.186.134.242:443	https://www.bing.com/threshold/xls.aspx	unknown	—	—	—

PID	Process	IP	Domain	ASN	CN	Reputation
5228	svchost.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	unknown
528	RUXIMICS.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	unknown
5140	MoUsoCoreWorker.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	unknown
5140	MoUsoCoreWorker.exe	2.16.241.12:80	crl.microsoft.com	Akamai International B.V.	DE	unknown
5140	MoUsoCoreWorker.exe	88.221.169.152:80	www.microsoft.com	AKAMAI-AS	DE	unknown
5456	svchost.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	unknown
4	System	192.168.100.255:137	—	—	—	unknown
4	System	192.168.100.255:138	—	—	—	unknown
5924	SearchApp.exe	2.23.209.149:443	www.bing.com	Akamai International B.V.	GB	unknown
4976	explorer.exe	140.82.121.3:443	github.com	GITHUB	US	unknown

Domain	IP	Reputation
crl.microsoft.com	2.16.241.12 2.16.241.19	whitelisted
settings-win.data.microsoft.com	20.73.194.208	whitelisted
www.microsoft.com	88.221.169.152	whitelisted
www.bing.com	2.23.209.149 2.23.209.140 2.23.209.179 2.23.209.185 2.23.209.176 2.23.209.189 2.23.209.133 2.23.209.182	whitelisted
github.com	140.82.121.3	shared
r.bing.com	2.23.209.140 2.23.209.185 2.23.209.189 2.23.209.182 2.23.209.176 2.23.209.149 2.23.209.179 2.23.209.133	whitelisted
msdl.microsoft.com	204.79.197.219	whitelisted
objects.githubusercontent.com	185.199.108.133 185.199.111.133 185.199.110.133 185.199.109.133	shared
vsblobprodscussu5shard53.blob.core.windows.net	20.150.70.36 20.150.38.228 20.150.79.68	unknown
vsblobprodscussu5shard3.blob.core.windows.net	20.150.70.36 20.150.79.68 20.150.38.228	unknown

PID	Process	Class	Message
—	—	Generic Protocol Command Decode	SURICATA HTTP Request abnormal Content-Encoding header
—	—	Generic Protocol Command Decode	SURICATA HTTP Request abnormal Content-Encoding header
—	—	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP
—	—	Misc activity	ET INFO EXE - Served Attached HTTP
—	—	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP
—	—	Misc activity	ET INFO EXE - Served Attached HTTP

General Info

ep_setup (2).exe

F52667D9C8AB6D500D66B7FB10EBA3F3

2AC1ED7B58D0BF8C0579FE0B108CD4A9458C6F39

7BEE15F947CA11D353FE45E4A732ED13D25FC8BE70D8B1FD73094DACDEC2939F

49152:2f7SGyYuMgjL/2Sk8sslITx3EwYPthCBSWhMUm2s2Ihu7JNYCLOUJPiSigSE:2RngjwlJilhUBBmcbYIlJm

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

Registers / Runs the DLL via REGSVR32.EXE

SUSPICIOUS

Reads security settings of Internet Explorer

Application launched itself

Reads the date of Windows installation

Process drops legitimate windows executable

Uses TASKKILL.EXE to kill process

Starts SC.EXE for service management

Creates/Modifies COM task schedule object

The process executes via Task Scheduler

Executable content was dropped or overwritten

The process creates files with name similar to system file names

Creates a software uninstall entry

Checks Windows Trust Settings

INFO

Checks supported languages

Reads the computer name

Process checks computer location settings

Creates files in the program directory

Reads Microsoft Office registry keys

Reads security settings of Internet Explorer

Checks proxy server information

Reads the machine GUID from the registry

Process checks Internet Explorer phishing filters

Reads the software policy settings

Reads Environment values

Creates files or folders in the user directory

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings