File name: EPM Patch v1.8.exe
Full analysis: https://app.any.run/tasks/35111a83-fea8-4610-8460-2c8914ab5f72
Verdict: Malicious activity
Analysis date: October 21, 2023, 20:52:59
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 9304423DA18F4DCE764D363B50DB1868
SHA1: 865F274A71289B26AA10A35B34CC031B36B5F796
SHA256: 8481AAE60BEB9F049F7E282A3C936B8027B6D6B233EFA8C9E22A2D46C8C4EF99
SSDEEP: 49152:4BuZrEUPKB9BhWDfAU5cAlq9fCgBVP3cl:mkLQ9BWd5cAlq9xXvy

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • EPM Patch v1.8.exe (PID: 1772)
      • EPM Patch v1.8.exe (PID: 1560)
      • EPM Patch v1.8.tmp (PID: 2352)
    • Application was dropped or rewritten from another process

      • EPML.exe (PID: 3524)
      • EPML.exe (PID: 2912)
  • SUSPICIOUS

    • Reads the Windows owner or organization settings

      • EPM Patch v1.8.tmp (PID: 2352)
    • Reads the Internet Settings

      • EPM Patch v1.8.tmp (PID: 2352)
    • Uses TASKKILL.EXE to kill process

      • EPM Patch v1.8.tmp (PID: 2352)
      • cmd.exe (PID: 3532)
    • Starts CMD.EXE for commands execution

      • EPM Patch v1.8.tmp (PID: 2352)
    • Executing commands from a ".bat" file

      • EPM Patch v1.8.tmp (PID: 2352)
    • Starts SC.EXE for service management

      • cmd.exe (PID: 3532)
    • Uses TIMEOUT.EXE to delay execution

      • cmd.exe (PID: 3532)
    • Uses ICACLS.EXE to modify access control lists

      • cmd.exe (PID: 3532)
    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 3532)
    • Uses ATTRIB.EXE to modify file attributes

      • cmd.exe (PID: 3532)
    • Process uses IPCONFIG to clear DNS cache

      • cmd.exe (PID: 3532)
  • INFO

    • Reads the machine GUID from the registry

      • wmpnscfg.exe (PID: 3684)
    • Checks supported languages

      • wmpnscfg.exe (PID: 3684)
      • EPM Patch v1.8.exe (PID: 1560)
      • EPM Patch v1.8.tmp (PID: 2396)
      • EPM Patch v1.8.exe (PID: 1772)
      • EPM Patch v1.8.tmp (PID: 2352)
      • EPML.exe (PID: 2912)
    • Reads the computer name

      • wmpnscfg.exe (PID: 3684)
      • EPM Patch v1.8.tmp (PID: 2396)
      • EPM Patch v1.8.tmp (PID: 2352)
    • Create files in a temporary directory

      • EPM Patch v1.8.exe (PID: 1560)
      • EPM Patch v1.8.exe (PID: 1772)
    • Application was dropped or rewritten from another process

      • EPM Patch v1.8.tmp (PID: 2352)
      • EPM Patch v1.8.tmp (PID: 2396)
    • Creates files in the program directory

      • EPM Patch v1.8.tmp (PID: 2352)
    • Manual execution by a user

      • EPML.exe (PID: 2912)
      • EPML.exe (PID: 3524)
No Malware configuration.

TRiD

.exe | Inno Setup installer (67.7)
.exe | Win32 EXE PECompact compressed (generic) (25.6)
.exe | Win32 Executable (generic) (2.7)
.exe | Win16/32 Executable Delphi generic (1.2)
.exe | Generic Win/DOS Executable (1.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:02:15 15:54:16+01:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 741888
InitializedDataSize: 110080
UninitializedDataSize: -
EntryPoint: 0xb5eec
OSVersion: 6.1
ImageVersion: 6
SubsystemVersion: 6.1
Subsystem: Windows GUI
FileVersionNumber: 1.8.0.0
ProductVersionNumber: 1.8.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName: yaschir
FileDescription: EPM Fixer
FileVersion: 1.8
LegalCopyright: by yaschir
OriginalFileName:
ProductName: EPM Fixer
ProductVersion: 1.8
No data.
All screenshots are available in the full report
Total processes: 163
Monitored processes: 110
Malicious processes: 7
Suspicious processes: 0

Behavior graph

The interactive process graph is only rendered in the full report. Processes shown in it, in graph order: epm patch v1.8.exe, epm patch v1.8.tmp, epm patch v1.8.exe, epm patch v1.8.tmp, then repeated instances of taskkill.exe and tskill.exe, followed by cmd.exe, fltmc.exe, sc.exe, timeout.exe, further taskkill.exe instances, reg.exe (many instances), icacls.exe, attrib.exe, find.exe (many instances), ipconfig.exe, epml.exe (two instances) and wmpnscfg.exe. Edges between the installer stages are labelled "drop and start" and "start"; all processes except the second epm patch v1.8.exe and the second epml.exe carry the graph's "no specs" label.

Process information

PID: 128
CMD: SC DELETE "EaseUS UPDATE SERVICE"
Path: C:\Windows\System32\sc.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: A tool to aid in developing services for WindowsNT
Exit code: 1060
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

PID: 148
CMD: TASKKILL /F /IM "EDownloaderNoUI.exe" /T
Path: C:\Windows\System32\taskkill.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Terminates Processes
Exit code: 128
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\windows\system32\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\user32.dll

PID: 240
CMD: TASKKILL /F /IM "Recommend.exe" /T
Path: C:\Windows\System32\taskkill.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Terminates Processes
Exit code: 128
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\windows\system32\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\version.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll

PID: 240
CMD: REG DELETE "HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION" /v "DRWUI.exe" /F
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Registry Console Tool
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\windows\system32\reg.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\gdi32.dll

PID: 292
CMD: FIND /C /I "v2api-uoss.easeus.com" C:\Windows\system32\drivers\etc\hosts
Path: C:\Windows\System32\find.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Find String (grep) Utility
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\windows\system32\find.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll

PID: 312
CMD: REG ADD "HKLM\SOFTWARE\EaseUS\EaseUS Partition Master\AutoUpdate" /reg:32 /F /v "StartChk" /t REG_DWORD /d "0"
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Registry Console Tool
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

PID: 760
CMD: REG DELETE "HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION" /reg:32 /F /v "EPMUI.exe"
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Registry Console Tool
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

PID: 876
CMD: REG DELETE "HKLM\SOFTWARE\EASEUS\EPM" /reg:32 /F /v "SNExpired"
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Registry Console Tool
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\windows\system32\ntdll.dll
c:\windows\system32\reg.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\ws2_32.dll

PID: 948
CMD: "C:\Windows\System32\tskill.exe" AliyunWrapExe
Path: C:\Windows\System32\tskill.exe
Parent process: EPM Patch v1.8.tmp
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Remote Desktop Services End Process Utility
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\windows\system32\tskill.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\winsta.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

PID: 948
CMD: TASKKILL /F /IM "AliyunWrapExe.exe" /T
Path: C:\Windows\System32\taskkill.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Terminates Processes
Exit code: 128
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\windows\system32\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
Total events: 3 134
Read events: 3 114
Write events: 11
Delete events: 9

Modification events

(PID) Process: (3684) wmpnscfg.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{513B1554-60BC-4A38-BAB0-9FB33B9589C3}\{D716EF08-228C-4F53-8F86-CD49D2FAE55F}
Operation: delete key
Name: (default)
Value:

(PID) Process: (3684) wmpnscfg.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{513B1554-60BC-4A38-BAB0-9FB33B9589C3}
Operation: delete key
Name: (default)
Value:

(PID) Process: (3684) wmpnscfg.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Health\{B44CBD19-CDBF-45A1-929D-29909BC8E041}
Operation: delete key
Name: (default)
Value:

(PID) Process: (2352) EPM Patch v1.8.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (2352) EPM Patch v1.8.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (2352) EPM Patch v1.8.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

(PID) Process: (2352) EPM Patch v1.8.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

(PID) Process: (2352) EPM Patch v1.8.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\EASEUS\EPM\Version
Operation: write
Name: StrVersion
Value: Technician

(PID) Process: (2352) EPM Patch v1.8.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\EASEUS\EPM\Version
Operation: write
Name: Flag
Value: 57

(PID) Process: (2352) EPM Patch v1.8.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\EASEUS\EPM\Version
Operation: write
Name: InstallVer
Value: 57
Executable files: 8
Suspicious files: 3
Text files: 3
Unknown types: 0

Dropped files

PID: 1772
Process: EPM Patch v1.8.exe
Filename: C:\Users\admin\AppData\Local\Temp\is-FFSVC.tmp\EPM Patch v1.8.tmp
Type: executable
MD5: 8037BAD8C7DE145806B4B4C1DE08C029
SHA256: F2EDCE26BAE88927D78714E7ED41810D3FFB258615B1D8356A1B634612B1EF09

PID: 2352
Process: EPM Patch v1.8.tmp
Filename: C:\Program Files\EaseUS\EaseUS Partition Master\bin\EPML.exe
Type: executable
MD5: CA77CC17ED5D4A9CE73821E44154E5EB
SHA256: 34AE620B4930FC1086DAB4676CEE936A378676850F4AB918100F0CC662548B53

PID: 2352
Process: EPM Patch v1.8.tmp
Filename: C:\Program Files\EaseUS\EaseUS Partition Master\bin\is-3RK4L.tmp
Type: executable
MD5: CA77CC17ED5D4A9CE73821E44154E5EB
SHA256: 34AE620B4930FC1086DAB4676CEE936A378676850F4AB918100F0CC662548B53

PID: 2352
Process: EPM Patch v1.8.tmp
Filename: C:\Program Files\EaseUS\EaseUS Partition Master\unins000.exe
Type: executable
MD5: 9479A19E2D3007BA3910CFA00BA0D392
SHA256: 05D2EF638582AD5154B30257F415BCC2EEE71B9E55621CF1BC19EA78C3E77CC9

PID: 2352
Process: EPM Patch v1.8.tmp
Filename: C:\Program Files\EaseUS\EaseUS Partition Master\EPM Fixer.bat
Type: text
MD5: 813A7BD7E6AC3DA79266D69CFAE48B2A
SHA256: 1960D95EEF5B9057A3F7902F2E4A5CA697EB2069C30337728059A03F3F77EE50

PID: 2352
Process: EPM Patch v1.8.tmp
Filename: C:\Program Files\EaseUS\EaseUS Partition Master\bin\is-OFL7R.tmp
Type: executable
MD5: C965834509CB559F6954975AA7B3A790
SHA256: 08F9C0C8D775E9804CC0E88AE9D18F0D3F6E4CE368BA055489CD2CFE91F9EBA4

PID: 2352
Process: EPM Patch v1.8.tmp
Filename: C:\Program Files\EaseUS\EaseUS Partition Master\bin\CRYPTSP.dll
Type: executable
MD5: C965834509CB559F6954975AA7B3A790
SHA256: 08F9C0C8D775E9804CC0E88AE9D18F0D3F6E4CE368BA055489CD2CFE91F9EBA4

PID: 2352
Process: EPM Patch v1.8.tmp
Filename: C:\Program Files\EaseUS\EaseUS Partition Master\is-QUD0R.tmp
Type: executable
MD5: 9479A19E2D3007BA3910CFA00BA0D392
SHA256: 05D2EF638582AD5154B30257F415BCC2EEE71B9E55621CF1BC19EA78C3E77CC9

PID: 2352
Process: EPM Patch v1.8.tmp
Filename: C:\Program Files\EaseUS\EaseUS Partition Master\is-1CO1V.tmp
Type: text
MD5: 813A7BD7E6AC3DA79266D69CFAE48B2A
SHA256: 1960D95EEF5B9057A3F7902F2E4A5CA697EB2069C30337728059A03F3F77EE50

PID: 3532
Process: cmd.exe
Filename: C:\Windows\System32\drivers\etc\hosts
Type: text
MD5: F28274FB6995741DD883E96BEB7E02CC
SHA256: B2CCFC0401921EDD2036E4B7B90DB99B08B5ED48188C9F3AF55A3D22E314E60D
HTTP(S) requests: 0
TCP/UDP connections: 3
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID: 4
Process: System
IP: 192.168.100.255:137
Reputation: whitelisted

PID: 2656
Process: svchost.exe
IP: 239.255.255.250:1900
Reputation: whitelisted

PID: 4
Process: System
IP: 192.168.100.255:138
Reputation: whitelisted

(No Domain, ASN or CN was recorded for any of the three connections.)

DNS requests

No data

Threats

No threats detected

Debug info

No debug info