| File name: | EDRW v13 Activator v2.1 - De!.exe |
| Full analysis: | https://app.any.run/tasks/351dc47a-7c7c-473f-920f-257aa66772f9 |
| Verdict: | Malicious activity |
| Analysis date: | June 14, 2024, 11:23:55 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5: | 284182F0388FE891ED6B6A1DA5B4196E |
| SHA1: | EE4FFEA0EB3CEEF561C7B02FBCC11F14A8775027 |
| SHA256: | 10BADD3B49C88AC87CE720C47CCD79F0DB4F8125D63B52D328E554FB549C44A8 |
| SSDEEP: | 24576:E3ub5cDzp/Ook9bVHIKAuTVijaUH2AcQNoMJ+CeWwIpA1JeuoSOBRcSrBIMmCpCy:q57cQKauDOTcSrqMmpnF8OMJLjelXlC |
MALICIOUS
Drops the executable file immediately after the start
- EDRW v13 Activator v2.1 - De!.exe (PID: 4092)
SUSPICIOUS
Searches for installed software
- EDRW v13 Activator v2.1 - De!.exe (PID: 4092)
INFO
Checks supported languages
- EDRW v13 Activator v2.1 - De!.exe (PID: 4092)
Reads the computer name
- EDRW v13 Activator v2.1 - De!.exe (PID: 4092)
Reads the machine GUID from the registry
- EDRW v13 Activator v2.1 - De!.exe (PID: 4092)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win32 EXE PECompact compressed (generic) (63.7) |
|---|---|---|
| .scr | | | Windows screen saver (20) |
| .exe | | | Win32 Executable (generic) (6.9) |
| .exe | | | Win16/32 Executable Delphi generic (3.1) |
| .exe | | | Generic Win/DOS Executable (3) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2020:04:22 21:21:05+00:00 |
| ImageFileCharacteristics: | No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi |
| PEType: | PE32 |
| LinkerVersion: | 2.25 |
| CodeSize: | 2288128 |
| InitializedDataSize: | 1416704 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x2305f4 |
| OSVersion: | 5 |
| ImageVersion: | - |
| SubsystemVersion: | 5 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 2.0.0.0 |
| ProductVersionNumber: | 1.0.0.0 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | English (U.S.) |
| CharacterSet: | Windows, Latin1 |
| FileVersion: | 2.0.0.0 |
| ProductVersion: | 1.0.0.0 |
| ProgramID: | com.embarcadero.EaseUS_DRW |
| FileDescription: | EaseUS_DRW |
| ProductName: | EaseUS_DRW |
Total processes
37
Monitored processes
2
Malicious processes
1
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 3988 | "C:\Users\admin\AppData\Local\Temp\EDRW v13 Activator v2.1 - De!.exe" | C:\Users\admin\AppData\Local\Temp\EDRW v13 Activator v2.1 - De!.exe | — | explorer.exe | |||||||||||
User: admin Integrity Level: MEDIUM Description: EaseUS_DRW Exit code: 3221226540 Version: 2.0.0.0 Modules
| |||||||||||||||
| 4092 | "C:\Users\admin\AppData\Local\Temp\EDRW v13 Activator v2.1 - De!.exe" | C:\Users\admin\AppData\Local\Temp\EDRW v13 Activator v2.1 - De!.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: HIGH Description: EaseUS_DRW Exit code: 0 Version: 2.0.0.0 Modules
| |||||||||||||||
Total events
5 049
Read events
5 019
Write events
29
Delete events
1
Modification events
| (PID) Process: | (4092) EDRW v13 Activator v2.1 - De!.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU |
| Operation: | write | Name: | NodeSlots |
Value: 0202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202 | |||
| (PID) Process: | (4092) EDRW v13 Activator v2.1 - De!.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU |
| Operation: | write | Name: | MRUListEx |
Value: 02000000010000000700000006000000000000000B0000000C0000000D0000000A0000000900000008000000030000000500000004000000FFFFFFFF | |||
| (PID) Process: | (4092) EDRW v13 Activator v2.1 - De!.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\50\ComDlg |
| Operation: | write | Name: | TV_FolderType |
Value: {FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9} | |||
| (PID) Process: | (4092) EDRW v13 Activator v2.1 - De!.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\50\ComDlg |
| Operation: | write | Name: | TV_TopViewID |
Value: {82BA0782-5B7A-4569-B5D7-EC83085F08CC} | |||
| (PID) Process: | (4092) EDRW v13 Activator v2.1 - De!.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\50\ComDlg |
| Operation: | write | Name: | TV_TopViewVersion |
Value: 0 | |||
| (PID) Process: | (4092) EDRW v13 Activator v2.1 - De!.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (4092) EDRW v13 Activator v2.1 - De!.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU |
| Operation: | write | Name: | 3 |
Value: 45004400520057002000760031003300200041006300740069007600610074006F0072002000760032002E00310020002D0020004400650021002E00650078006500000014001F4225481E03947BC34DB131E946B44C8DD5740000001A00EEBBFE23000010007DB10D7BD29C934A973346CC89022E7C00002A0000000000EFBE000000200000000000000000000000000000000000000000000000000100000020002A0000001900EFBE7E47B3FBE4C93B4BA2BAD3F5D3CD46F98207BA827A5B6945B5D7EC83085F08CC20000000 | |||
| (PID) Process: | (4092) EDRW v13 Activator v2.1 - De!.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU |
| Operation: | write | Name: | MRUListEx |
Value: 03000000000000000200000001000000FFFFFFFF | |||
| (PID) Process: | (4092) EDRW v13 Activator v2.1 - De!.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU\* |
| Operation: | write | Name: | 13 |
Value: 14001F4225481E03947BC34DB131E946B44C8DD5740000001A00EEBBFE23000010007DB10D7BD29C934A973346CC89022E7C00002A0000000000EFBE000000200000000000000000000000000000000000000000000000000100000020002A0000001900EFBE7E47B3FBE4C93B4BA2BAD3F5D3CD46F98207BA827A5B6945B5D7EC83085F08CC20000000 | |||
| (PID) Process: | (4092) EDRW v13 Activator v2.1 - De!.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU\* |
| Operation: | write | Name: | MRUListEx |
Value: 0D0000000C0000000B0000000A00000009000000080000000700000006000000050000000400000003000000020000000100000000000000FFFFFFFF | |||
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0
Dropped files
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
4
DNS requests
0
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
1088 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |