| File name: | EaseUS Data Recovery Wizard Technician 10.2.0 + Keygen [SadeemPC].zip_ |
| Full analysis: | https://app.any.run/tasks/84b1a09c-e783-4692-9445-af4eba11b371 |
| Verdict: | Malicious activity |
| Analysis date: | November 02, 2023, 15:17:03 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/zip |
| File info: | Zip archive data, at least v1.0 to extract |
| MD5: | 475C989840C1690C3080C8A1B272D9BB |
| SHA1: | 865B5322CAD1FDA923D3CB1D7725B3162E0A2E6E |
| SHA256: | 261B6813FEB72410EDE16BDB7BBF17EE45D58A3EC3FFC618B8EB6D72403099DF |
| SSDEEP: | 196608:8buu3lFfwxxoMVv4/OVszYZMrPoS9vUYh23:8bfuxJVvmOV6YZSPoSB+ |
MALICIOUS
Drops the executable file immediately after the start
- drw_trial.exe (PID: 1660)
- drw_trial.tmp (PID: 1356)
SUSPICIOUS
Reads the Windows owner or organization settings
- drw_trial.tmp (PID: 1356)
Process drops legitimate windows executable
- drw_trial.tmp (PID: 1356)
Reads the Internet Settings
- drw_trial.tmp (PID: 1356)
- DRWUI.exe (PID: 3468)
The process drops C-runtime libraries
- drw_trial.tmp (PID: 1356)
Checks Windows Trust Settings
- DRWUI.exe (PID: 3468)
Reads security settings of Internet Explorer
- DRWUI.exe (PID: 3468)
Reads settings of System Certificates
- DRWUI.exe (PID: 3468)
INFO
Manual execution by a user
- drw_trial.exe (PID: 1760)
- notepad.exe (PID: 916)
- drw_trial.exe (PID: 1660)
- msedge.exe (PID: 3816)
- wmpnscfg.exe (PID: 3432)
Create files in a temporary directory
- drw_trial.exe (PID: 1660)
- drw_trial.tmp (PID: 1356)
- DRWUI.exe (PID: 3468)
Drops the executable file immediately after the start
- WinRAR.exe (PID: 3496)
Checks supported languages
- drw_trial.exe (PID: 1660)
- wmpnscfg.exe (PID: 3428)
- drw_trial.tmp (PID: 1356)
- DRW.exe (PID: 3504)
- wmpnscfg.exe (PID: 3432)
- DRWUI.exe (PID: 3468)
Reads the machine GUID from the registry
- wmpnscfg.exe (PID: 3428)
- wmpnscfg.exe (PID: 3432)
- DRWUI.exe (PID: 3468)
Reads the computer name
- wmpnscfg.exe (PID: 3428)
- wmpnscfg.exe (PID: 3432)
- drw_trial.tmp (PID: 1356)
- DRWUI.exe (PID: 3468)
Application launched itself
- msedge.exe (PID: 3816)
- msedge.exe (PID: 2336)
Creates files in the program directory
- DRW.exe (PID: 3504)
- drw_trial.tmp (PID: 1356)
- DRWUI.exe (PID: 3468)
Reads Environment values
- drw_trial.tmp (PID: 1356)
Reads product name
- drw_trial.tmp (PID: 1356)
Checks proxy server information
- DRWUI.exe (PID: 3468)
Creates files or folders in the user directory
- DRWUI.exe (PID: 3468)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .zip | | | ZIP compressed archive (100) |
|---|
EXIF
ZIP
| ZipRequiredVersion: | 10 |
|---|---|
| ZipBitFlag: | - |
| ZipCompression: | None |
| ZipModifyDate: | 2016:05:07 06:17:38 |
| ZipCRC: | 0x00000000 |
| ZipCompressedSize: | - |
| ZipUncompressedSize: | - |
| ZipFileName: | EaseUS Data Recovery Wizard Technician 10.2.0 + Keygen [SadeemPC]/ |
Total processes
80
Monitored processes
35
Malicious processes
3
Suspicious processes
1
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 788 | "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3784 --field-trial-handle=1232,i,13012188020154554902,14310800165523951185,131072 /prefetch:8 | C:\Program Files\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Edge Exit code: 0 Version: 109.0.1518.115 Modules
| |||||||||||||||
| 908 | "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3936 --field-trial-handle=1232,i,13012188020154554902,14310800165523951185,131072 /prefetch:8 | C:\Program Files\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 109.0.1518.115 Modules
| |||||||||||||||
| 916 | "C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\EaseUS Data Recovery Wizard Technician 10.2.0 + Keygen [SadeemPC]\Instructions Important !!!.txt | C:\Windows\System32\notepad.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Notepad Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1356 | "C:\Users\admin\AppData\Local\Temp\is-THJTF.tmp\drw_trial.tmp" /SL5="$C016E,15032751,546816,C:\Users\admin\Desktop\EaseUS Data Recovery Wizard Technician 10.2.0 + Keygen [SadeemPC]\drw_trial.exe" | C:\Users\admin\AppData\Local\Temp\is-THJTF.tmp\drw_trial.tmp | drw_trial.exe | ||||||||||||
User: admin Integrity Level: HIGH Description: Setup/Uninstall Exit code: 0 Version: 51.1052.0.0 Modules
| |||||||||||||||
| 1436 | "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3960 --field-trial-handle=1232,i,13012188020154554902,14310800165523951185,131072 /prefetch:8 | C:\Program Files\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Edge Exit code: 0 Version: 109.0.1518.115 Modules
| |||||||||||||||
| 1660 | "C:\Users\admin\Desktop\EaseUS Data Recovery Wizard Technician 10.2.0 + Keygen [SadeemPC]\drw_trial.exe" | C:\Users\admin\Desktop\EaseUS Data Recovery Wizard Technician 10.2.0 + Keygen [SadeemPC]\drw_trial.exe | explorer.exe | ||||||||||||
User: admin Company: EaseUS Integrity Level: HIGH Description: EaseUS Data Recovery Wizard Setup Exit code: 0 Version: Modules
| |||||||||||||||
| 1760 | "C:\Users\admin\Desktop\EaseUS Data Recovery Wizard Technician 10.2.0 + Keygen [SadeemPC]\drw_trial.exe" | C:\Users\admin\Desktop\EaseUS Data Recovery Wizard Technician 10.2.0 + Keygen [SadeemPC]\drw_trial.exe | — | explorer.exe | |||||||||||
User: admin Company: EaseUS Integrity Level: MEDIUM Description: EaseUS Data Recovery Wizard Setup Exit code: 3221226540 Version: Modules
| |||||||||||||||
| 1760 | "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3960 --field-trial-handle=1232,i,13012188020154554902,14310800165523951185,131072 /prefetch:8 | C:\Program Files\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 109.0.1518.115 Modules
| |||||||||||||||
| 1836 | "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=109.0.5414.149 "--annotation=exe=C:\Program Files\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win32 "--annotation=prod=Microsoft Edge" --annotation=ver=109.0.1518.115 --initial-client-data=0xc8,0xcc,0xd0,0x9c,0xd8,0x6b3ef598,0x6b3ef5a8,0x6b3ef5b4 | C:\Program Files\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft Edge Exit code: 0 Version: 109.0.1518.115 Modules
| |||||||||||||||
| 1876 | "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1280 --field-trial-handle=1304,i,4970991793702394869,16392631602837651690,131072 /prefetch:2 | C:\Program Files\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 109.0.1518.115 Modules
| |||||||||||||||
Total events
10 660
Read events
10 553
Write events
94
Delete events
13
Modification events
| (PID) Process: | (3428) wmpnscfg.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{D765F926-B10B-4535-A09E-4A0BBE9CEFB4}\{857FCC3A-0138-40AB-8F87-FDA324CC6E41} |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (3428) wmpnscfg.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{D765F926-B10B-4535-A09E-4A0BBE9CEFB4} |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (3428) wmpnscfg.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Health\{CF6B7DA6-DD6D-4944-A393-9639369FCADE} |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (3496) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\17A\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (3496) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip | |||
| (PID) Process: | (3496) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip | |||
| (PID) Process: | (3496) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\Desktop\phacker.zip | |||
| (PID) Process: | (3496) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (3496) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (3496) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
Executable files
73
Suspicious files
129
Text files
261
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 1356 | drw_trial.tmp | C:\Users\admin\AppData\Local\Temp\is-5Q614.tmp\uexper.dll | executable | |
MD5:0E85B4A828FA22549257DCE22FAFA188 | SHA256:B9D660117E18836E9103A2AB8EC3B58A95606F5B7E246F29434F60598254EC29 | |||
| 1356 | drw_trial.tmp | C:\Users\admin\AppData\Local\Temp\is-5Q614.tmp\libcurl.dll | executable | |
MD5:1D5225E761C9F4A2A881CC8DE0BD627C | SHA256:9A274288B17D64A402789B4114CB49BC7346BCC2202EC6F3E3D828B82C6EED16 | |||
| 1356 | drw_trial.tmp | C:\Program Files\EaseUS\EaseUS Data Recovery Wizard\Chinese.data | text | |
MD5:37EBF8D3A1664B98A4CA85F07DE4BAB9 | SHA256:A09A2C30E6243D048D965D2E7A9CBAC9467B0DDA14A19DE14F8B89B1A52126F0 | |||
| 1356 | drw_trial.tmp | C:\Program Files\EaseUS\EaseUS Data Recovery Wizard\is-FQFS1.tmp | executable | |
MD5:353F79C20F61B1C268534F1EB2ED5832 | SHA256:BBAD9B631F5685535FCF72D419956B2A2D2921E50096D8FB631B505098F82278 | |||
| 3496 | WinRAR.exe | C:\Users\admin\Desktop\EaseUS Data Recovery Wizard Technician 10.2.0 + Keygen [SadeemPC]\Keygen\Config.dat | text | |
MD5:59D74C96DCC39E6870A7EC7E71CDCFD6 | SHA256:145E34D9466828CE4D8AE0321C5C6E30CF59947E7142915FCD1518C6007AAA26 | |||
| 1356 | drw_trial.tmp | C:\Users\admin\AppData\Local\Temp\is-5Q614.tmp\BrowseWarning.bmp | image | |
MD5:391C6EBB2E18F854160F892C413EFE31 | SHA256:636B1E54AE1BFB4AC14BD44014A299DFA2A585FD1AB4E8E586E1EB406FEF1C3C | |||
| 3496 | WinRAR.exe | C:\Users\admin\Desktop\EaseUS Data Recovery Wizard Technician 10.2.0 + Keygen [SadeemPC]\Keygen\offline.cmd | text | |
MD5:AF2BB7F7964824CDF443003F92706CAF | SHA256:D1657193CB0AE89B381B7F76CA6CA84D66E9EA62A99394DE2C6B3CA96FD8F68C | |||
| 1356 | drw_trial.tmp | C:\Program Files\EaseUS\EaseUS Data Recovery Wizard\is-J38RP.tmp | text | |
MD5:37EBF8D3A1664B98A4CA85F07DE4BAB9 | SHA256:A09A2C30E6243D048D965D2E7A9CBAC9467B0DDA14A19DE14F8B89B1A52126F0 | |||
| 1356 | drw_trial.tmp | C:\Program Files\EaseUS\EaseUS Data Recovery Wizard\unins000.exe | executable | |
MD5:353F79C20F61B1C268534F1EB2ED5832 | SHA256:BBAD9B631F5685535FCF72D419956B2A2D2921E50096D8FB631B505098F82278 | |||
| 1356 | drw_trial.tmp | C:\Program Files\EaseUS\EaseUS Data Recovery Wizard\is-HET74.tmp | text | |
MD5:BA5360AAABF2A4DF9DB5AA138A8CA851 | SHA256:EB61985DDB34775F851494E0B49FB5F9A3585F0432829CE5E8EA1CD3FCF7173E | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
48
DNS requests
77
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
3468 | DRWUI.exe | GET | 301 | 104.18.18.71:80 | http://www.easeus.com/update/drw_eng/drw.ini?time=133434119930460000 | unknown | — | — | unknown |
2844 | msedge.exe | GET | 301 | 104.18.18.71:80 | http://www.easeus.com/thankyou/install-data-recovery-wizard-trial.htm | unknown | — | — | unknown |
1356 | drw_trial.tmp | POST | 200 | 163.171.156.15:80 | http://track.easeus.com/product/index.php/?a=statistics&p_type=m_drw_infos | unknown | — | — | unknown |
3468 | DRWUI.exe | GET | 200 | 172.217.16.195:80 | http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D | unknown | binary | 1.41 Kb | unknown |
3468 | DRWUI.exe | GET | 200 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?7e218a66623cea9e | unknown | compressed | 4.66 Kb | unknown |
3468 | DRWUI.exe | GET | 200 | 172.217.16.195:80 | http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIDvFCjJ1PwkYAi7fE%3D | unknown | binary | 724 b | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
2588 | svchost.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
1356 | drw_trial.tmp | 163.171.156.15:80 | track.easeus.com | QUANTILNETWORKS | DE | unknown |
2844 | msedge.exe | 13.107.42.16:443 | config.edge.skype.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
3816 | msedge.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
2844 | msedge.exe | 104.18.18.71:80 | www.easeus.com | CLOUDFLARENET | — | unknown |
2844 | msedge.exe | 13.107.21.239:443 | edge.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown |
2844 | msedge.exe | 20.103.180.120:443 | nav-edge.smartscreen.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
track.easeus.com |
| unknown |
www.easeus.com |
| whitelisted |
config.edge.skype.com |
| whitelisted |
edge.microsoft.com |
| whitelisted |
nav-edge.smartscreen.microsoft.com |
| whitelisted |
data-edge.smartscreen.microsoft.com |
| whitelisted |
ctldl.windowsupdate.com |
| whitelisted |
ocsp.pki.goog |
| whitelisted |
update.easeus.com |
| whitelisted |
www.googletagmanager.com |
| whitelisted |
Threats
Process | Message |
|---|---|
drw_trial.tmp | 2023-11-02 15:19:49:953[UE] --Info. SetValue. id=0x2 (2), val=1, inst=038CE858
|
drw_trial.tmp | 2023-11-02 15:19:49:953[UE] --Info. top num =0
|
drw_trial.tmp | 2023-11-02 15:19:49:953[UE] --Info. join=1
|
drw_trial.tmp | 2023-11-02 15:19:49:953[UE] --Info. url=http://track.easeus.com/product/index.php/?a=statistics&p_type=m_drw_infos
|
drw_trial.tmp | 2023-11-02 15:19:49:953[UE] --Info. InstallSpy. inst=038CE858
|
drw_trial.tmp | 2023-11-02 15:19:49:953[UE] --Info. try send=1
|
drw_trial.tmp | 2023-11-02 15:19:49:953[UE] --Info. send data=uid=3EB4B8A5-6EAD-41A5-B1AD-42D4AA5C221B&ue=1&codeinstall=1&processors=4&memory=3071&ipaddress=ip-test&os=Windows 7 Professional, Service Pack 1&timezone=GMT-00:00(GMT Standard Time)&install_version=DRW 10.2 Trial
|
drw_trial.tmp | 2023-11-02 15:19:49:953[UE] --Info. log level=3
|
drw_trial.tmp | 2023-11-02 15:19:49:953[UE] --Info. SetText. id=0x5101 (20737), text=DRW 10.2 Trial, inst=038CE858
|
drw_trial.tmp | 2023-11-02 15:19:49:953[UE] --Info. SetText. id=0x3 (3), text=1, inst=038CE858
|