File verdict·Decided by the MT AI Engine

Our call

Suspicious

Item: ep_setup.exe
Rating: 2.5
Author: MalwareTips File Scanner

ExplorerPatcher installer flagged as PUA riskware due to patching behaviour and low-tier detections.

explorerpatcher

Trust score45Caution

MT AI confidence · 78%

ep_setup.exe

11.6 MB

f689c068d61e7339ef…0c11a84ae8

Antivirus engines

4 of 75 flagged

Code signing

Unsigned

Age

First seen 16 days ago

MT AI Engine · our arbiter

The verdict, reasoned out.

Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.

78%Confidence

High

Reasoning

Only a single tier-1 engine (GData) reports riskware with an explicit PUA flag; the remaining detections are low-trust. Behavioural artefacts match the documented operation of ExplorerPatcher rather than malware. No malicious children, sandbox verdicts, or contacted hosts exist. The combination of unsigned status, offensive MITRE techniques, and installer hint places the sample in the PUA category rather than clean or malicious.

Key signals · 4

Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.

GData tier1 detection Win64.Riskware.ExplorerPatcher.B with adwarePua flag
popularThreatLabel pua.explorerpatcher and 6 offensiveTechniques (T1055, T1547.001)
common_new prevalence (136 submitters) with hasMaliciousChild=false
unsigned with triggeredHeuristics MalwareTips.Synth.ProcessInjection

Points in its favour

Only 1 tier-1 malicious detection with explicit PUA label
Common_new prevalence across 136 submitters
No malicious sandbox or child verdicts

Points against

Unsigned binary
Process injection into explorer.exe
Low-trust engine detections

What to do

Block or allow based on policy; the file is a known PUA rather than malware.

Threat family attribution

explorerpatcher corroborated by 2 sources

VT (75 engines)
explorerpatcher
MT AI Engine
explorerpatcher

Runtime behaviour

What this file did when executed

This file was detonated in 1 sandbox and its runtime behaviour was observed.

MITRE ATT&CK

Adversary techniques mapped to the MITRE ATT&CK framework.

T1010T1012T1027T1027.002T1033T1036T1047T1055T1057T1059T1070.004T1071T1082T1083T1112T1129T1134T1134.001T1202T1497.001T1518T1529T1539T1546.015+5 more

Spawned processes

$(unnamed)

C:\Windows\system32\services.exe

$(unnamed)

"C:\Users\<USER>\Desktop\ep_setup.exe"

$(unnamed)

"C:\Windows\system32\taskkill.exe" /f /im explorer.exe

$(unnamed)

"C:\Windows\system32\cmd.exe" /c ""C:\Windows\system32\sc.exe" stop ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB & "C:\Windows\system32\sc.exe" delete ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB & "

$(unnamed)

"C:\Windows\system32\sc.exe" stop ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB

$(unnamed)

"C:\Windows\system32\sc.exe" delete ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB

$(unnamed)

"C:\Windows\system32\sc.exe" stop ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB

$(unnamed)

"C:\Windows\system32\sc.exe" start ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB

+7 more processes captured.

Filesystem & mutexes

Files written15

C:\Program Files\ExplorerPatcher\ep_setup.exe
C:\Program Files\ExplorerPatcher\ExplorerPatcher.IA-32.dll
C:\Program Files\ExplorerPatcher\ExplorerPatcher.amd64.dll
C:\Program Files\ExplorerPatcher\ep_gui.dll
C:\Program Files\ExplorerPatcher\ep_dwm_svc.exe

+10 more

Dropped payload

Files this sample writes at runtime

This file drops 10 children at runtime. None are currently flagged malicious in our cache.

10 unseen

097dfaea778000b9e102…8737ccNever scanned
never seen before
d75b29ad314d6af52c2f…0996c0Never scanned
never seen before
ae8e7f0c0d935a698def…857a6bNever scanned
never seen before
b5ff17b52dbce8fcbbde…dd77a8Never scanned
never seen before
6320d4893083d4112b55…d78a32Never scanned
never seen before
6796c85256c35d8ebf1f…ad5fa8Never scanned
never seen before
ae26d6ef7c8f6b533585…61ba45Never scanned
never seen before
fe677e93e6ebcb4b0268…ec197cNever scanned
never seen before
97a47364127595870353…cab70fNever scanned
never seen before
b8c8fcb5a8d288eaa20f…d89351Never scanned
never seen before

No researcher-database hits

External threat-intel sources were not collected for this scan.

Signature matches

YARA + heuristic rules that fired

A researcher-curated or high-severity heuristic rule matched this sample. These rules target specific malware families and are near-definitive.

1 synthesis

MITRE ATT&CK profile

Defense evasion× 1

MalwareTips synthesis rules

Our heuristics on VT data + sandbox behaviour

ProcessInjection
T1055
high
MITRE T1055 (Process Injection) observed — CreateRemoteThread / APC / reflective-DLL injection. The payload is being smuggled into a legitimate process to bypass AV hooks.
Evidence
"C:\Windows\system32\taskkill.exe" /f /im explorer.exe

Antivirus engine breakdown

4 detections across 75 engines

4 malicious0 suspicious71 clean

Tier-117 engines

1flag

Top commercial AVs (low FP rate)

Tier-238 engines

0flag

Mainstream engines with mixed FP rates

Low-trust20 engines

3flag

Heuristic / generic-AI engines (high FP rate)

APEX

malicious

Malicious

DeepInstinct

malicious

MALICIOUS

GData

malicious

Win64.Riskware.ExplorerPatcher.B

Trapmine

malicious

malicious.moderate.ml.score

Hash f689c068d61e… cross-referenced against 75 AV engines via our AV network.

PE forensics

Section entropy & packers

Section-level entropy and packer detection from the PE header. Nothing suspicious here — entropy is within the normal range for unpacked code.

Unpacked

Section entropy7 sections

.text

6.47

.rdata

5.62

.data

1.97

.pdata

5.24

.fptable

0.00

.rsrc

7.99

.reloc

5.01

0.0Packed threshold 7.28.0

Prevalence

How often this file shows up in the wild

Lots of people are uploading this but it's recent — typical of newly-released legitimate software. Low prior for malware.

Common & new

Unique uploaders

136

Hundreds of people have uploaded this — common.

Total submissions

151

Includes repeat uploads by the same source.

First seen by VT

15d ago

May 19, 2026

Prevalence quadrant

Rare · New

Targeted malware lives here

here

Common · New

Just-released software

Rare · Old

Niche or internal tooling

Common · Old

Trusted legitimate binaries

File identity

Forensic fingerprint

File biography

First seen (VT)

5/19/2026, 3:17:59 AM

First seen (MalwareBazaar)

—

Last analysis (VT)

5/26/2026, 8:09:06 AM

Scanned here

5/26/2026, 8:40:14 AM

File name: ep_setup.exe
Size: 11.57 MB
MIME type: (unknown)
Detected type: Win32 EXE
SHA-256: f689c068d61e7339efc6eba266d9674b41c5ef96dff0cc90ab0ff80c11a84ae8
MD5: f4a34ca503c245db745e74636c307273
SHA-1: 6aca0ee445be70085dc626a90d12796d164dfafa
PE imphash: 60043cdc8ec75b3db9d74a95586b1bb7
First seen (VT): 5/19/2026, 3:17:59 AM
Last analysis (VT): 5/26/2026, 8:09:06 AM
First scan (MalwareTips): 5/26/2026, 8:40:14 AM
Last scan (MalwareTips): 5/26/2026, 8:40:14 AM

Behavior tags

detect-debug-environmentcalls-wmi64bitspeexe

Community classification

Reviews & malware reports(0)

Tell the community what you saw. Tag the sample — Trojan, Adware, False Positive — and share what the file did on your system. Your report helps confirm or dispute the AV verdict.

Loading…

Loading reports…

Scanned by

harlan4096Staff

Scan another

Check a different file

URL instead?

Check if a link is safe

Files are processed in a streaming pass-through — MalwareTips never stores the binary on its servers. Only the scan result (hash, detections, verdict) is retained so the next person who scans the same file gets an instant answer. If you ran this file on your computer and are worried, scan your system with an up-to-date antivirus and change critical passwords from a different device.