File name: epxlorer.exe

Full analysis: https://app.any.run/tasks/ea338711-8bf4-49a1-b882-acacf01dee84
Verdict: Malicious activity
Analysis date: July 26, 2025, 12:32:56
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: phishing, telegram, evasion, ims-api, generic
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5: 75EA94B54420C39DCD3D8CE574BA9D34
SHA1: A7D2825E8C06D0E36F8A202E1EF60D04A5506005
SHA256: CD899279753D920BE99E6EBEAE756CC2E8EFA651AA29A724174942ADC52B262A
SSDEEP: 49152:LfOjxtxhjVwQA9CLzVLJ1Pctw699dwr2liG42mNNXblnBgHk5a4aut+a4ANqOwVt:SjxxVwQOC5JXy9d5liG4BRCRR7aYvxhE

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • epxlorer.exe (PID: 5300)
    • PHISHING has been detected (SURICATA)

      • svchost.exe (PID: 2200)
  • SUSPICIOUS

    • The process checks if it is being run in the virtual environment

      • epxlorer.exe (PID: 5300)
    • Checks for external IP

      • epxlorer.exe (PID: 5300)
      • svchost.exe (PID: 2200)
    • Possible usage of Discord/Telegram API has been detected (YARA)

      • epxlorer.exe (PID: 5300)
  • INFO

    • Checks supported languages

      • epxlorer.exe (PID: 5300)
    • Launching a file from a Registry key

      • epxlorer.exe (PID: 5300)
    • Reads the computer name

      • epxlorer.exe (PID: 5300)
    • Reads the machine GUID from the registry

      • epxlorer.exe (PID: 5300)
    • Disables trace logs

      • epxlorer.exe (PID: 5300)
    • Checks proxy server information

      • epxlorer.exe (PID: 5300)
    • Reads the software policy settings

      • epxlorer.exe (PID: 5300)
    • Creates files in the program directory

      • epxlorer.exe (PID: 5300)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

ims-api

(PID) Process: (5300) epxlorer.exe
Telegram-Tokens (1): 8169267144:AAFwkhmXh71SMVcvFLantjTlwlRbT9HdJdU
Telegram-Info-Links (token 8169267144:AAFwkhmXh71SMVcvFLantjTlwlRbT9HdJdU):
  • Get info about bot: https://api.telegram.org/bot8169267144:AAFwkhmXh71SMVcvFLantjTlwlRbT9HdJdU/getMe
  • Get incoming updates: https://api.telegram.org/bot8169267144:AAFwkhmXh71SMVcvFLantjTlwlRbT9HdJdU/getUpdates
  • Get webhook: https://api.telegram.org/bot8169267144:AAFwkhmXh71SMVcvFLantjTlwlRbT9HdJdU/getWebhookInfo
  • Delete webhook: https://api.telegram.org/bot8169267144:AAFwkhmXh71SMVcvFLantjTlwlRbT9HdJdU/deleteWebhook
  • Drop incoming updates: https://api.telegram.org/bot8169267144:AAFwkhmXh71SMVcvFLantjTlwlRbT9HdJdU/deleteWebhook?drop_pending_updates=true
Telegram-Requests:
  • Token: 8169267144:AAFwkhmXh71SMVcvFLantjTlwlRbT9HdJdU | End-Point: sendMe | Args:
  • Token: 8169267144:AAFwkhmXh71SMVcvFLantjTlwlRbT9HdJdU | End-Point: getU | Args:
  • Token: 8169267144:AAFwkhmXh71SMVcvFLantjTlwlRbT9HdJdU | End-Point: getUpd | Args:
  • Token: 8169267144:AAFwkhmXh71SMVcvFLantjTlwlRbT9HdJdU | End-Point: getMe | Args:
  • Token: 8169267144:AAFwkhmXh71SMVcvFLantjTlwlRbT9HdJdU | End-Point: getUpdates | Args:
  • Token: 8169267144:AAFwkhmXh71SMVcvFLantjTlwlRbT9HdJdU | End-Point: sendMessage | Args:
Telegram-Responses:
  ok: true
  result:
    message_id: 1121
    from:
      id: 8169267144
      is_bot: true
      first_name: Ghßï0llmhæúûnê
      username: Vwoxkancjodoanxhsiaamkshendbot
    chat:
      id: 7474460026
      first_name: RS Press
      username: pineapple_press
      type: private
    date: 1753533184
    text: Started on: PC: DESKTOP-JGLLJLD User: admin IP: 45.86.203.52
    entities:
      offset: 48
      length: 12
      type: url
  ok: true
  result:
    id: 8169267144
    is_bot: true
    first_name: Ghßï0llmhæúûnê
    username: Vwoxkancjodoanxhsiaamkshendbot
    can_join_groups: true
    can_read_all_group_messages: false
    supports_inline_queries: false
    can_connect_to_business: false
    has_main_web_app: false
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (63.1)
.exe | Win64 Executable (generic) (23.8)
.dll | Win32 Dynamic Link Library (generic) (5.6)
.exe | Win32 Executable (generic) (3.8)
.exe | Generic Win/DOS Executable (1.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2092:02:04 03:05:20+00:00
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 48
CodeSize: 1108992
InitializedDataSize: 2048
UninitializedDataSize: -
EntryPoint: 0x110a3e
OSVersion: 4
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: -
CompanyName: -
FileDescription: Locker
FileVersion: 1.0.0.0
InternalName: Locker.exe
LegalCopyright: Copyright © 2025
LegalTrademarks: -
OriginalFileName: Locker.exe
ProductName: Locker
ProductVersion: 1.0.0.0
AssemblyVersion: 1.0.0.0
No data.
Screenshots
All screenshots are available in the full report
Total processes: 136
Monitored processes: 3
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Graph nodes: start, epxlorer.exe (#PHISHING), svchost.exe, slui.exe (no specs)

Process information

PID: 2200
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
  • c:\windows\system32\svchost.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\bcrypt.dll
  • c:\windows\system32\ucrtbase.dll
  • c:\windows\system32\combase.dll
  • c:\windows\system32\kernel.appcore.dll
PID: 5300
CMD: "C:\Users\admin\AppData\Local\Temp\epxlorer.exe"
Path: C:\Users\admin\AppData\Local\Temp\epxlorer.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description: Locker
Version: 1.0.0.0
Modules (Images):
  • c:\users\admin\appdata\local\temp\epxlorer.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\mscoree.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
PID: 7116
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
  • c:\windows\system32\slui.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\bcrypt.dll
  • c:\windows\system32\user32.dll
Total events: 1 409
Read events: 1 394
Write events: 15
Delete events: 0

Modification events

(PID) Process: (5300) epxlorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: melok
Value: "C:\Users\admin\AppData\Local\Temp\epxlorer.exe"

(PID) Process: (5300) epxlorer.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\epxlorer_RASAPI32
Operation: write
Name: EnableFileTracing
Value: 0

(PID) Process: (5300) epxlorer.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\epxlorer_RASAPI32
Operation: write
Name: EnableAutoFileTracing
Value: 0

(PID) Process: (5300) epxlorer.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\epxlorer_RASAPI32
Operation: write
Name: EnableConsoleTracing
Value: 0

(PID) Process: (5300) epxlorer.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\epxlorer_RASAPI32
Operation: write
Name: FileTracingMask
Value:

(PID) Process: (5300) epxlorer.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\epxlorer_RASAPI32
Operation: write
Name: ConsoleTracingMask
Value:

(PID) Process: (5300) epxlorer.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\epxlorer_RASAPI32
Operation: write
Name: MaxFileSize
Value: 1048576

(PID) Process: (5300) epxlorer.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\epxlorer_RASAPI32
Operation: write
Name: FileDirectory
Value: %windir%\tracing

(PID) Process: (5300) epxlorer.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\epxlorer_RASMANCS
Operation: write
Name: EnableFileTracing
Value: 0

(PID) Process: (5300) epxlorer.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\epxlorer_RASMANCS
Operation: write
Name: EnableAutoFileTracing
Value: 0
Executable files: 0
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

No data
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 5
TCP/UDP connections: 27
DNS requests: 17
Threats: 9

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2460 | svchost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.216.77.8:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
4580 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | - | - | whitelisted
4580 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | - | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
5944 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1268 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
892 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5300 | epxlorer.exe | 104.21.1.247:443 | api-telegram-org.ctf.do | CLOUDFLARENET | - | unknown
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
5300 | epxlorer.exe | 34.160.111.145:443 | ifconfig.me | GOOGLE | US | shared
2460 | svchost.exe | 40.126.32.138:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2460 | svchost.exe | 2.17.190.73:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 4.231.128.59
whitelisted
google.com
  • 142.250.185.206
whitelisted
api-telegram-org.ctf.do
  • 104.21.1.247
  • 172.67.128.105
unknown
ifconfig.me
  • 34.160.111.145
shared
login.live.com
  • 40.126.32.138
  • 40.126.32.76
  • 20.190.160.66
  • 40.126.32.140
  • 20.190.160.2
  • 40.126.32.136
  • 20.190.160.132
  • 20.190.160.128
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
crl.microsoft.com
  • 23.216.77.8
  • 23.216.77.28
  • 23.216.77.22
  • 23.216.77.15
  • 23.216.77.19
  • 23.216.77.30
  • 23.216.77.35
  • 23.216.77.36
  • 23.216.77.13
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
slscr.update.microsoft.com
  • 172.202.163.200
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.95.31.18
whitelisted

Threats

PID | Process | Class | Message
- | - | Possible Social Engineering Attempted | PHISHING [ANY.RUN] Fake Telegram domain pattern identified M2
- | - | Device Retrieving External IP Address Detected | INFO [ANY.RUN] External IP Lookup Domain (ifconfig .me)
- | - | Misc activity | ET INFO External IP Lookup Domain (ifconfig .me) in DNS Lookup
- | - | Misc activity | ET INFO Observed External IP Lookup Domain (ifconfig .me) in TLS SNI
- | - | Device Retrieving External IP Address Detected | ET INFO External IP Lookup SSL/TLS Certificate (ifconfig .me)
- | - | Device Retrieving External IP Address Detected | SUSPICIOUS [ANY.RUN] An IP address was received from the server as a result of an HTTP request
- | - | Device Retrieving External IP Address Detected | ET INFO External IP Lookup Domain (ifconfig .me)
- | - | Misc activity | SUSPICIOUS [ANY.RUN] Sent Host Name in HTTP POST Body
- | - | Unknown Traffic | ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
No debug info