File name: EPlanLicenseManager.exe

Full analysis: https://app.any.run/tasks/c1ce9e48-668e-4b00-9406-237c2187f2ab
Verdict: Malicious activity
Analysis date: August 27, 2024, 21:43:20
OS: Windows 10 Professional (build: 19045, 64 bit)
MIME: application/x-dosexec
File info: PE32 executable (console) Intel 80386, for MS Windows
MD5: 86F54580357B4D9D87177D3AAAE1B959
SHA1: 661B318B8A8E8121532976E9E28DC7660A3CBB40
SHA256: EAAEADC99545C88B1190D1A684EAD9A0682CB5B622246395B40B1040AB9A5657
SSDEEP: 98304:Is01N1EyERHmz1V1uHTLhKnalWL9qvZCjP8G2fHae4a5:BsaXaVM
ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Modifies hosts file to block updates

      • EPlanLicenseManager.exe (PID: 7132)
  • SUSPICIOUS

    • Drops the executable file immediately after the start

      • EPlanLicenseManager.exe (PID: 7132)
    • Adds/modifies Windows certificates

      • EPlanLicenseManager.exe (PID: 7132)
  • INFO

    • Checks supported languages

      • EPlanLicenseManager.exe (PID: 7132)
    • Reads the computer name

      • EPlanLicenseManager.exe (PID: 7132)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2021:03:19 22:23:24+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.28
CodeSize: 1753088
InitializedDataSize: 591872
UninitializedDataSize: -
EntryPoint: 0x1a8658
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows command line
All screenshots are available in the full report
Total processes: 126
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Nodes: start -> eplanlicensemanager.exe; conhost.exe (no specs); eplanlicensemanager.exe (no specs). Per-process details follow.

Process information

PID: 6796
CMD: "C:\Users\admin\AppData\Local\Temp\EPlanLicenseManager.exe"
Path: C:\Users\admin\AppData\Local\Temp\EPlanLicenseManager.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED). This first, medium-integrity launch never got past the loader (only ntdll is mapped): the executable demands elevation, so explorer.exe re-launched it through the UAC prompt as PID 7132 below.
Modules (images):
  c:\users\admin\appdata\local\temp\eplanlicensemanager.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll

PID: 6808
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: EPlanLicenseManager.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  c:\windows\system32\conhost.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\msvcp_win.dll
  c:\windows\system32\ucrtbase.dll
  c:\windows\system32\shcore.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\combase.dll
  c:\windows\system32\rpcrt4.dll

PID: 7132
CMD: "C:\Users\admin\AppData\Local\Temp\EPlanLicenseManager.exe"
Path: C:\Users\admin\AppData\Local\Temp\EPlanLicenseManager.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH (the elevated re-launch; every signature in this report is attributed to this instance, and it is what spawned conhost.exe 6808)
Indicators: Modifies hosts file to block updates; Drops the executable file immediately after the start; Adds/modifies Windows certificates
Modules (images):
  c:\users\admin\appdata\local\temp\eplanlicensemanager.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\user32.dll
Total events: 1 849 (read: 1 847, write: 1, delete: 1)

Modification events

(PID) Process: (7132) EPlanLicenseManager.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates
Operation: delete
Name: 1F06C90B9C923BEF67259FC52C5EC00FB0C2C8E5
Value: (none)

(PID) Process: (7132) EPlanLicenseManager.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\1F06C90B9C923BEF67259FC52C5EC00FB0C2C8E5
Operation: write
Name: Blob
Value:
0300000001000000140000001F06C90B9C923BEF67259FC52C5EC00FB0C2C8E520000000010000002C0400003082042830820310A0030201020214377740A2B2944F006B01E93ED34C432B068323B1300D06092A864886F70D01010B0500305F3117301506035504030C0E2A2E6570756C73652E636C6F75643121301F06035504030C182A2E70726F642E73656E74696E656C636C6F75642E636F6D3121301F060355040B0C18446F6D61696E20436F6E74726F6C2056616C696461746564301E170D3231303330353133303231325A170D3431303232383133303231325A305F3117301506035504030C0E2A2E6570756C73652E636C6F75643121301F06035504030C182A2E70726F642E73656E74696E656C636C6F75642E636F6D3121301F060355040B0C18446F6D61696E20436F6E74726F6C2056616C69646174656430820122300D06092A864886F70D01010105000382010F003082010A0282010100A9CC8579B7479C0421D02536C700C4B0760F539871305331FBC55406DB734992DACA18F719E1CD49DBBE89E56014942B674779CE5D1544C4F1EA14A107754D4BDFF0235AB9586D4D88135E5BBA9B306E0BB5796034496C02723DCBD1A827298EC45B234D54A7A43917E83F9C580152AABF138983F43AB9DA0ABBB81CA90B5B5975157F8AE0DC76BF3159DD32A448460B89DF8076044D6C5955267BF6AB6247EB3BB59D913827218F24B3A48CEEB27EE9E42C9BE5620104F2407ADB6272DA0F44CC0B38A9385428750C078878D8759DD2DAEC76979469BDEC79B8938DC50D1065F32598A1F34330E70B5E60376FEB9EF52FFFA59EBD42C89EC8BD0B41609E595D0203010001A381DB3081D8301D0603551D0E041604144C0077C5E3ED003856C464DD3D423A72F7FFC42F301F0603551D230418301680144C0077C5E3ED003856C464DD3D423A72F7FFC42F300E0603551D0F0101FF0404030205A0301D0603551D250416301406082B0601050507030106082B06010505070302300C0603551D130101FF0402300030590603551D1104523050820E2A2E6570756C73652E636C6F7564820C6570756C73652E636C6F756482182A2E70726F642E73656E74696E656C636C6F75642E636F6D821670726F642E73656E74696E656C636C6F75642E636F6D300D06092A864886F70D01010B050003820101008D23DF0639378AE0D237F4BFE9C89C518E10D26213473AE9380FFE2E2E5BBB8B63BB01370563BA1FBA5CD2242ADF1959D6AE39DCB10A5F583C09DE6D5FACE0BBD4A61C72C2AA11FAE8FF322FF078A5251394268B4C6263CA9E6B1796F0816608D822FC8C48F69B2F334F8E72D23BDA7E019F57446482F3523AC85D3C75EC1B363EDAC36776C3553329CCD641AA1943E0AF913866A970447D1300F54467AC9D33FF6B56BFB7E644169450C10432CB6167B0FB2CCC9A730C4BB05294B4403A3B293CBD7208A3460696E17E92A64E87374A9F4C0F12230D6FB03B1903E75BE10801F265D18AE72999F25E04F658D9E8F10A53585A1D83DB585D24BD442C92F7F460

The key is the machine-wide Trusted Root store (ROOT under HKLM), so whatever certificate this Blob carries is trusted by every user and service on the host that relies on the system store. The Blob is Windows' serialized certificate context: a list of (property id, reserved, length, data) records, where property 3 is the SHA-1 thumbprint that also names the registry key and property 32 is the DER-encoded certificate itself.
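To see what was actually trusted, the Blob has to be decoded. The following is an added example written for this page, not ANY.RUN's code or anything from the sample: a stdlib-only Python decoder that walks the CERT_*_PROP_ID property list (the constants 3 and 32 are the wincrypt.h values CERT_SHA1_HASH_PROP_ID and CERT_CERT_PROP_ID), checks that the stored thumbprint really is the SHA-1 of the DER, and pulls the issuer, subject, validity, subjectAltName, subject key identifier and authority key identifier out of the certificate. The DER walker is deliberately minimal (single-byte tags, no validation) and the input is the Blob value recorded in this report, split across lines only for readability.

```python
"""Decode a Windows SystemCertificates 'Blob' registry value and summarise the certificate inside it."""
import hashlib
import struct
from datetime import datetime

# The Blob value exactly as recorded in the modification event of this report (line breaks added).
BLOB_HEX = """
0300000001000000140000001F06C90B9C923BEF67259FC52C5EC00FB0C2C8E520000000010000002C040000
3082042830820310A0030201020214377740A2B2944F006B01E93ED34C432B068323B1300D06092A864886F70D01010B0500
305F3117301506035504030C0E2A2E6570756C73652E636C6F75643121301F06035504030C182A2E70726F642E73656E74696E656C636C6F75642E636F6D
3121301F060355040B0C18446F6D61696E20436F6E74726F6C2056616C696461746564
301E170D3231303330353133303231325A170D3431303232383133303231325A305F3117301506035504030C0E2A2E6570756C73652E636C6F7564
3121301F06035504030C182A2E70726F642E73656E74696E656C636C6F75642E636F6D3121301F060355040B0C18
446F6D61696E20436F6E74726F6C2056616C69646174656430820122300D06092A864886F70D01010105000382010F003082010A0282010100
A9CC8579B7479C0421D02536C700C4B0760F539871305331FBC55406DB734992DACA18F719E1CD49DBBE89E56014942B674779CE5D1544C4F1EA14A107754D4B
DFF0235AB9586D4D88135E5BBA9B306E0BB5796034496C02723DCBD1A827298EC45B234D54A7A43917E83F9C580152AABF138983F43AB9DA0ABBB81CA90B5B59
75157F8AE0DC76BF3159DD32A448460B89DF8076044D6C5955267BF6AB6247EB3BB59D913827218F24B3A48CEEB27EE9E42C9BE5620104F2407ADB6272DA0F44
CC0B38A9385428750C078878D8759DD2DAEC76979469BDEC79B8938DC50D1065F32598A1F34330E70B5E60376FEB9EF52FFFA59EBD42C89EC8BD0B41609E595D
0203010001A381DB3081D8301D0603551D0E041604144C0077C5E3ED003856C464DD3D423A72F7FFC42F301F0603551D23041830168014
4C0077C5E3ED003856C464DD3D423A72F7FFC42F300E0603551D0F0101FF0404030205A0
301D0603551D250416301406082B0601050507030106082B06010505070302300C0603551D130101FF04023000
30590603551D1104523050820E2A2E6570756C73652E636C6F7564820C6570756C73652E636C6F7564
82182A2E70726F642E73656E74696E656C636C6F75642E636F6D821670726F642E73656E74696E656C636C6F75642E636F6D
300D06092A864886F70D01010B05000382010100
8D23DF0639378AE0D237F4BFE9C89C518E10D26213473AE9380FFE2E2E5BBB8B63BB01370563BA1FBA5CD2242ADF1959D6AE39DCB10A5F583C09DE6D5FACE0BB
D4A61C72C2AA11FAE8FF322FF078A5251394268B4C6263CA9E6B1796F0816608D822FC8C48F69B2F334F8E72D23BDA7E019F57446482F3523AC85D3C75EC1B36
3EDAC36776C3553329CCD641AA1943E0AF913866A970447D1300F54467AC9D33FF6B56BFB7E644169450C10432CB6167B0FB2CCC9A730C4BB05294B4403A3B29
3CBD7208A3460696E17E92A64E87374A9F4C0F12230D6FB03B1903E75BE10801F265D18AE72999F25E04F658D9E8F10A53585A1D83DB585D24BD442C92F7F460
"""

CERT_SHA1_HASH_PROP_ID, CERT_CERT_PROP_ID = 3, 32          # CERT_*_PROP_ID constants from wincrypt.h
OIDS = {b"\x55\x04\x03": "CN", b"\x55\x04\x0b": "OU",       # DER-encoded OID bodies this triage needs
        b"\x55\x1d\x0e": "SKI", b"\x55\x1d\x11": "SAN", b"\x55\x1d\x23": "AKI"}

def cert_props(blob):
    # Property list: repeated (u32 prop_id, u32 reserved = 1, u32 length, data) records.
    props, pos = {}, 0
    while pos < len(blob):
        pid, _, ln = struct.unpack_from("<III", blob, pos)
        props[pid] = blob[pos + 12:pos + 12 + ln]
        pos += 12 + ln
    return props

def der_tlv(buf, pos):
    """DER element at pos -> (tag, value_start, value_end); single-byte tags only."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                             # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + ln

def der_children(buf, start, end):
    out, pos = [], start                                      # all sibling elements in [start, end)
    while pos < end:
        out.append(der_tlv(buf, pos))
        pos = out[-1][2]
    return out

def name_str(buf, start, end):
    """X.501 Name (SEQUENCE OF SET OF SEQUENCE {OID, value}) -> 'CN=..., OU=...'."""
    parts = []
    for _, ss, se in der_children(buf, start, end):
        for _, as_, ae in der_children(buf, ss, se):
            (_, os_, oe), (_, xs, xe) = der_children(buf, as_, ae)
            parts.append(f"{OIDS.get(buf[os_:oe], buf[os_:oe].hex())}={buf[xs:xe].decode()}")
    return ", ".join(parts)

def describe_blob(blob_hex):
    blob = bytes.fromhex("".join(blob_hex.split()))
    props = cert_props(blob)
    der = props[CERT_CERT_PROP_ID]
    _, cert_start, _ = der_tlv(der, 0)                        # Certificate
    _, tbs_start, tbs_end = der_tlv(der, cert_start)          # tbsCertificate
    fields = der_children(der, tbs_start, tbs_end)
    if fields[0][0] == 0xA0:                                  # explicit [0] version (absent in v1 certs)
        fields = fields[1:]
    (_, sn_s, sn_e), _, issuer, validity, subject, _ = fields[:6]
    not_before, not_after = (datetime.strptime(der[s:e].decode(), "%y%m%d%H%M%SZ")
                             for _, s, e in der_children(der, validity[1], validity[2]))
    info = {"thumbprint": props[CERT_SHA1_HASH_PROP_ID].hex().upper(),
            "sha1_matches": hashlib.sha1(der).digest() == props[CERT_SHA1_HASH_PROP_ID],
            "serial": der[sn_s:sn_e].hex().upper(),
            "issuer": name_str(der, *issuer[1:]), "subject": name_str(der, *subject[1:]),
            "not_before": not_before.isoformat(), "not_after": not_after.isoformat(),
            "san": [], "ski": None, "aki": None}
    exts = next(f for f in fields[6:] if f[0] == 0xA3)          # [3] EXPLICIT Extensions
    _, ext_start, ext_end = der_tlv(der, exts[1])               # Extensions ::= SEQUENCE OF Extension
    for _, xs, xe in der_children(der, ext_start, ext_end):
        kids = der_children(der, xs, xe)                        # OID, [critical BOOLEAN], OCTET STRING
        kind = OIDS.get(der[kids[0][1]:kids[0][2]])
        _, vs, ve = der_tlv(der, kids[-1][1])                   # the DER wrapped inside extnValue
        if kind == "SAN":                                       # GeneralNames; tag [2] = dNSName
            info["san"] = [der[s:e].decode() for t, s, e in der_children(der, vs, ve) if t == 0x82]
        elif kind == "SKI":
            info["ski"] = der[vs:ve].hex().upper()
        elif kind == "AKI":                                     # [0] keyIdentifier
            info["aki"] = next(der[s:e].hex().upper() for t, s, e in der_children(der, vs, ve) if t == 0x80)
    info["self_signed"] = info["issuer"] == info["subject"] and info["ski"] == info["aki"]
    return info
```

Run against the value above, `describe_blob(BLOB_HEX)` reports a self-signed certificate (issuer equals subject, SKI equals AKI) with subject CN=*.epulse.cloud, CN=*.prod.sentinelcloud.com, OU=Domain Control Validated, SANs *.epulse.cloud, epulse.cloud, *.prod.sentinelcloud.com and prod.sentinelcloud.com, valid from 2021-03-05 to 2041-02-28, and a stored thumbprint that matches the SHA-1 of the DER. Its basicConstraints extension (the `300C0603551D130101FF04023000` run in the hex) is CA:FALSE, which does not matter here: a self-signed certificate dropped into the machine ROOT store is a trust anchor, so a server that holds the matching private key and presents this certificate for any of those names is accepted by Windows clients that use the system store. The two non-whitelisted DNS lookups later in this report, eplan.prod.sentinelcloud.com and licensingservice.epulse.cloud, fall under exactly those wildcards.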
Dropped files by type: executable 0, suspicious 0, text 1, unknown 0

Dropped files

PID 7132, EPlanLicenseManager.exe
  File: C:\Windows\System32\drivers\etc\hosts (text)
  MD5: 90EBB1F8B872679702CA066291177F1E
  SHA256: A99758F513AA1D7A9B56E1CAE6A451F273FB4EA2B6DE8298450BA090CA372594

The report records the rewritten hosts file only by hash; its contents are not shown, so which names were overridden, and whether they were sinkholed to a loopback address or redirected elsewhere, cannot be read from this page. "Modifies hosts file to block updates" is the sandbox's signature name for the write, not a statement about the entries.
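What an analyst does with a recovered hosts file is the same regardless of what this particular one contained: list the active overrides, separate sinkholes (loopback or 0.0.0.0) from redirects to another host, and check each overridden name against the certificate that the same process just made trusted, since a redirect plus a trusted certificate for the redirected name is a working local interception of TLS. The following is an added example, not code from the report or the sample. HOSTS_SAMPLE is constructed for illustration (the real file's contents are not on this page); INSTALLED_ROOT_SANS are the subjectAltName entries decoded from the Blob value above.

```python
"""Triage a Windows hosts file and cross-check overrides against a newly trusted certificate's SANs."""
import ipaddress

# Constructed sample: the stock Windows hosts file (comments only) plus four active lines.
# This is NOT the file from the sandbox run, whose contents the report does not show.
HOSTS_SAMPLE = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#	127.0.0.1       localhost
#	::1             localhost
127.0.0.1    licensingservice.epulse.cloud      # sinkhole: traffic never leaves the host
192.168.1.20 eplan.prod.sentinelcloud.com       # redirect: some other machine answers
0.0.0.0      settings-win.data.microsoft.com
::1          localhost
"""

# subjectAltName of the certificate PID 7132 wrote to the machine ROOT store (decoded from the Blob above).
INSTALLED_ROOT_SANS = ["*.epulse.cloud", "epulse.cloud",
                       "*.prod.sentinelcloud.com", "prod.sentinelcloud.com"]

def parse_hosts(text):
    """Return [(ip, [names...])] for every active line; '#' starts a comment anywhere on a line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        entries.append((ip, names))
    return entries

def san_matches(host, san):
    """RFC 6125 style: a leading '*' covers exactly one leftmost label, never the bare domain."""
    host, san = host.lower().rstrip("."), san.lower()
    if san.startswith("*."):
        return host.count(".") == san.count(".") and host.endswith(san[1:])
    return host == san

def hosts_findings(text, sans=INSTALLED_ROOT_SANS):
    """Classify each override as 'sinkhole' (loopback / unspecified target) or 'redirect' (any other
    address) and flag names the newly trusted certificate is valid for."""
    findings = []
    for ip, names in parse_hosts(text):
        addr = ipaddress.ip_address(ip)
        for name in names:
            if name.lower() == "localhost" and addr.is_loopback:
                continue                                    # stock entry, not an override
            kind = "sinkhole" if addr.is_loopback or addr.is_unspecified else "redirect"
            findings.append({"host": name, "ip": ip, "kind": kind,
                             "cert_covers_name": any(san_matches(name, s) for s in sans)})
    return findings

if __name__ == "__main__":
    for f in hosts_findings(HOSTS_SAMPLE):
        print(f"{f['kind']:9} {f['ip']:14} {f['host']}  cert_covers_name={f['cert_covers_name']}")
```

On the constructed sample the two licensing names come back as covered by the installed certificate (one sinkholed, one redirected) and the Microsoft telemetry name as a plain sinkhole. The wildcard rule is the part worth keeping: `*.epulse.cloud` covers `licensingservice.epulse.cloud` but not `epulse.cloud` itself and not a two-label prefix, which is why the certificate above carries both the bare domains and the wildcards.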
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 3
TCP/UDP connections: 20
DNS requests: 15
Threats: 0

HTTP requests

PID  | Process      | Method | HTTP code | IP                | URL | Type | Reputation
1436 | svchost.exe  | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
2868 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
2868 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted

(The CN and Size columns were empty in the report.) All three requests are OCSP and CRL fetches by Windows components; none is attributed to EPlanLicenseManager.exe.

Connections

PID  | Process             | IP                   | Domain                          | ASN                         | CN | Reputation
2400 | svchost.exe         | 51.124.78.146:443    | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4    | System              | 192.168.100.255:138  |                                 |                             |    | whitelisted
7128 | RUXIMICS.exe        | 51.124.78.146:443    | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2120 | MoUsoCoreWorker.exe | 51.124.78.146:443    | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2400 | svchost.exe         | 4.231.128.59:443     | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3260 | svchost.exe         | 40.113.103.199:443   | client.wns.windows.com          | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2120 | MoUsoCoreWorker.exe | 4.231.128.59:443     | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1436 | svchost.exe         | 20.190.159.68:443    | login.live.com                  | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1436 | svchost.exe         | 192.229.221.95:80    | ocsp.digicert.com               | EDGECAST                    | US | whitelisted
2868 | SIHClient.exe       | 13.85.23.86:443      | slscr.update.microsoft.com      | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

The summary counts 20 connections; the report lists these 10, all from Windows components. No connection is attributed to PID 6796, 7132 or 6808 (the sample and its console host).

DNS requests

Domain                          | IP(s)                                                                                                   | Reputation
settings-win.data.microsoft.com | 51.124.78.146, 4.231.128.59                                                                             | whitelisted
google.com                      | 142.250.185.238                                                                                         | whitelisted
eplan.prod.sentinelcloud.com    | 34.36.140.227                                                                                           | unknown
licensingservice.epulse.cloud   | 13.107.246.60                                                                                           | unknown
client.wns.windows.com          | 40.113.103.199                                                                                          | whitelisted
login.live.com                  | 20.190.159.68, 20.190.159.2, 20.190.159.71, 20.190.159.73, 40.126.31.69, 20.190.159.64, 40.126.31.73, 40.126.31.67 | whitelisted
ocsp.digicert.com               | 192.229.221.95                                                                                          | whitelisted
slscr.update.microsoft.com      | 13.85.23.86                                                                                             | whitelisted
www.microsoft.com               | 184.30.21.171                                                                                           | whitelisted
fe3cr.delivery.mp.microsoft.com | 13.85.23.206                                                                                            | whitelisted

The DNS table does not attribute lookups to a PID. The two "unknown" names, eplan.prod.sentinelcloud.com and licensingservice.epulse.cloud, are the only ones that are not routine Windows traffic, and both are covered by the wildcard names (*.prod.sentinelcloud.com, *.epulse.cloud) in the certificate the sample added to the ROOT store. In this run they resolved to public addresses and no connection to them appears in the connections table.

Threats

No threats detected
No debug info