Malware analysis epm_free_installer.17145678618828b292.exe Malicious activity

Add for printing

File name:	epm_free_installer.17145678618828b292.exe
Full analysis:	https://app.any.run/tasks/db464b07-e00a-45cd-9d82-e06fba21e119
Verdict:	Malicious activity
Analysis date:	May 01, 2024, 13:01:15
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5:	D33BDE2AC7340BC96E5920A7307E363B
SHA1:	4E1C33B945A1453636287739CCD6D21BC660AD6B
SHA256:	3F18740138451CBB4116270120B4F7EEAC62F80923F5CDF6614D42977CE074E2
SSDEEP:	98304:nnCTzRnymY2wmc0OLwFRdXfSV7JHIuh6xR+vSUQiRLQFr+Uf33vOYnb8iise+Eak:eoRd

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.0.9600.19596 KB4534251
Adobe Acrobat Reader DC (20.013.20064)
Adobe Acrobat Reader DC (20.013.20064)
Adobe Flash Player 32 ActiveX (32.0.0.453)
Adobe Flash Player 32 ActiveX (32.0.0.453)
Adobe Flash Player 32 NPAPI (32.0.0.453)
Adobe Flash Player 32 NPAPI (32.0.0.453)
Adobe Flash Player 32 PPAPI (32.0.0.453)
Adobe Flash Player 32 PPAPI (32.0.0.453)
Adobe Refresh Manager (1.8.0)
Adobe Refresh Manager (1.8.0)
CCleaner (6.14)
CCleaner (6.14)
FileZilla 3.65.0 (3.65.0)
FileZilla 3.65.0 (3.65.0)
Google Chrome (109.0.5414.120)
Google Chrome (109.0.5414.120)
Google Update Helper (1.3.36.31)
Google Update Helper (1.3.36.31)
Java 8 Update 271 (8.0.2710.9)
Java 8 Update 271 (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Java Auto Updater (2.8.271.9)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft Edge (109.0.1518.115)
Microsoft Edge (109.0.1518.115)
Microsoft Edge Update (1.3.175.29)
Microsoft Edge Update (1.3.175.29)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x86 en-US) (115.0.2)
Mozilla Firefox (x86 en-US) (115.0.2)
Mozilla Maintenance Service (115.0.2)
Mozilla Maintenance Service (115.0.2)
Notepad++ (32-bit x86) (7.9.1)
Notepad++ (32-bit x86) (7.9.1)
PowerShell 7-x86 (7.2.11.0)
PowerShell 7-x86 (7.2.11.0)
Skype version 8.110 (8.110)
Skype version 8.110 (8.110)
Update for Microsoft .NET Framework 4.8 (KB4503575) (1)
Update for Microsoft .NET Framework 4.8 (KB4503575) (1)
VLC media player (3.0.11)
VLC media player (3.0.11)
WinRAR 5.91 (32-bit) (5.91.0)
WinRAR 5.91 (32-bit) (5.91.0)

Add for printing

MALICIOUS
- Drops the executable file immediately after the start
  - epm_free_installer.17145678618828b292.exe (PID: 4084)
  - epm_free_support_16.5.exe (PID: 2020)
  - DrvSetup.exe (PID: 3448)
  - EnsUtils.exe (PID: 3684)
  - epm_free_support_16.5.tmp (PID: 2624)
- Actions looks like stealing of personal data
  - epm_free_support_16.5.tmp (PID: 2624)
- Creates a writable file in the system directory
  - epm_free_support_16.5.tmp (PID: 2624)
  - DrvSetup.exe (PID: 3448)
  - msdtc.exe (PID: 2804)
- Starts NET.EXE for service management
  - cmd.exe (PID: 2712)
  - net.exe (PID: 2412)
  - net.exe (PID: 2396)
  - net.exe (PID: 920)
- Registers / Runs the DLL via REGSVR32.EXE
  - cmd.exe (PID: 2712)
SUSPICIOUS
- Executable content was dropped or overwritten
  - epm_free_installer.17145678618828b292.exe (PID: 4084)
  - epm_free_support_16.5.exe (PID: 2020)
  - epm_free_support_16.5.tmp (PID: 2624)
  - DrvSetup.exe (PID: 3448)
  - EnsUtils.exe (PID: 3684)
- Reads the Internet Settings
  - AliyunWrapExe.Exe (PID: 748)
  - WMIC.exe (PID: 1652)
  - AliyunWrapExe.Exe (PID: 3576)
  - epm_free_support_16.5.tmp (PID: 2624)
  - AliyunWrapExe.Exe (PID: 1292)
- Reads security settings of Internet Explorer
  - AliyunWrapExe.Exe (PID: 748)
  - AliyunWrapExe.Exe (PID: 3576)
  - ensserver.exe (PID: 3516)
  - epm_free_support_16.5.tmp (PID: 2624)
  - AliyunWrapExe.Exe (PID: 3928)
  - AliyunWrapExe.Exe (PID: 1292)
- Uses WMIC.EXE to obtain computer system information
  - EDownloader.exe (PID: 1020)
- Process drops legitimate windows executable
  - epm_free_support_16.5.tmp (PID: 2624)
  - EnsUtils.exe (PID: 3684)
- Creates files in the driver directory
  - epm_free_support_16.5.tmp (PID: 2624)
  - DrvSetup.exe (PID: 3448)
- Process checks presence of unattended files
  - epm_free_support_16.5.tmp (PID: 2624)
- The process drops C-runtime libraries
  - epm_free_support_16.5.tmp (PID: 2624)
  - EnsUtils.exe (PID: 3684)
- Drops a system driver (possible attempt to evade defenses)
  - epm_free_support_16.5.tmp (PID: 2624)
  - DrvSetup.exe (PID: 3448)
- Drops 7-zip archiver for unpacking
  - epm_free_support_16.5.tmp (PID: 2624)
- Changes Internet Explorer settings (feature browser emulation)
  - epm_free_support_16.5.tmp (PID: 2624)
  - EUinApp.exe (PID: 1116)
- Reads the Windows owner or organization settings
  - epm_free_support_16.5.tmp (PID: 2624)
- Executing commands from ".cmd" file
  - epm_free_support_16.5.tmp (PID: 2624)
- Starts CMD.EXE for commands execution
  - epm_free_support_16.5.tmp (PID: 2624)
- Uses REG/REGEDIT.EXE to modify registry
  - cmd.exe (PID: 2712)
- The process executes VB scripts
  - cmd.exe (PID: 2712)
- Executes as Windows Service
  - dllhost.exe (PID: 2740)
  - msdtc.exe (PID: 2804)
  - VSSVC.exe (PID: 3000)
  - ensserver.exe (PID: 3516)
- Uses WMI to retrieve WMI-managed resources (SCRIPT)
  - cscript.exe (PID: 2956)
- Executes WMI query (SCRIPT)
  - cscript.exe (PID: 2956)
- Creates or modifies Windows services
  - DrvSetup.exe (PID: 3448)
  - setupepmdrv.exe (PID: 3492)
- Checks Windows Trust Settings
  - ensserver.exe (PID: 3516)
INFO
- Create files in a temporary directory
  - EDownloader.exe (PID: 1020)
  - epm_free_installer.17145678618828b292.exe (PID: 4084)
  - InfoForSetup.exe (PID: 1116)
  - epm_free_support_16.5.exe (PID: 2020)
  - AliyunWrapExe.Exe (PID: 748)
  - epm_free_support_16.5.tmp (PID: 2624)
- Checks supported languages
  - InfoForSetup.exe (PID: 2108)
  - epm_free_installer.17145678618828b292.exe (PID: 4084)
  - EDownloader.exe (PID: 1020)
  - InfoForSetup.exe (PID: 1116)
  - AliyunWrapExe.Exe (PID: 748)
  - InfoForSetup.exe (PID: 1132)
  - wmpnscfg.exe (PID: 524)
  - InfoForSetup.exe (PID: 2060)
  - InfoForSetup.exe (PID: 2524)
  - InfoForSetup.exe (PID: 2512)
  - epm_free_support_16.5.exe (PID: 2020)
  - InfoForSetup.exe (PID: 1580)
  - InfoForSetup.exe (PID: 1368)
  - InfoForSetup.exe (PID: 2336)
  - epm_free_support_16.5.tmp (PID: 2624)
  - DrvSetup.exe (PID: 3448)
  - setupepmdrv.exe (PID: 3492)
  - AliyunWrapExe.Exe (PID: 3576)
  - EnsUtils.exe (PID: 3684)
  - InfoForSetup.exe (PID: 3804)
  - SetupUE.exe (PID: 3920)
  - ensserver.exe (PID: 3516)
  - AliyunWrapExe.Exe (PID: 3928)
  - InfoForSetup.exe (PID: 3972)
  - AliyunWrapExe.Exe (PID: 1292)
  - EUinApp.exe (PID: 1116)
  - InfoForSetup.exe (PID: 1756)
  - InfoForSetup.exe (PID: 1768)
- Reads the computer name
  - EDownloader.exe (PID: 1020)
  - epm_free_installer.17145678618828b292.exe (PID: 4084)
  - AliyunWrapExe.Exe (PID: 748)
  - wmpnscfg.exe (PID: 524)
  - epm_free_support_16.5.tmp (PID: 2624)
  - DrvSetup.exe (PID: 3448)
  - setupepmdrv.exe (PID: 3492)
  - AliyunWrapExe.Exe (PID: 3576)
  - EnsUtils.exe (PID: 3684)
  - ensserver.exe (PID: 3516)
  - AliyunWrapExe.Exe (PID: 3928)
  - AliyunWrapExe.Exe (PID: 1292)
- Checks proxy server information
  - AliyunWrapExe.Exe (PID: 748)
  - AliyunWrapExe.Exe (PID: 3576)
  - ensserver.exe (PID: 3516)
  - AliyunWrapExe.Exe (PID: 3928)
  - AliyunWrapExe.Exe (PID: 1292)
- Reads the machine GUID from the registry
  - AliyunWrapExe.Exe (PID: 748)
  - AliyunWrapExe.Exe (PID: 3576)
  - EnsUtils.exe (PID: 3684)
  - ensserver.exe (PID: 3516)
  - AliyunWrapExe.Exe (PID: 3928)
  - AliyunWrapExe.Exe (PID: 1292)
- Creates files or folders in the user directory
  - AliyunWrapExe.Exe (PID: 748)
  - epm_free_support_16.5.tmp (PID: 2624)
- Manual execution by a user
  - wmpnscfg.exe (PID: 524)
- Creates files in the program directory
  - epm_free_support_16.5.tmp (PID: 2624)
  - DrvSetup.exe (PID: 3448)
  - EnsUtils.exe (PID: 3684)
  - ensserver.exe (PID: 3516)
- Checks transactions between databases Windows and Oracle
  - dllhost.exe (PID: 2740)
  - msdtc.exe (PID: 2804)
  - cscript.exe (PID: 952)
  - cscript.exe (PID: 2956)
- Reads security settings of Internet Explorer
  - cscript.exe (PID: 952)
  - cscript.exe (PID: 2956)
- Creates a software uninstall entry
  - epm_free_support_16.5.tmp (PID: 2624)
- Application launched itself
  - msedge.exe (PID: 864)
- Reads the software policy settings
  - ensserver.exe (PID: 3516)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win32 Executable MS Visual C++ (generic) (67.4)
.dll	\|	Win32 Dynamic Link Library (generic) (14.2)
.exe	\|	Win32 Executable (generic) (9.7)
.exe	\|	Generic Win/DOS Executable (4.3)
.exe	\|	DOS Executable Generic (4.3)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2018:01:30 03:57:48+00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, 32-bit
PEType:	PE32
LinkerVersion:	6
CodeSize:	26624
InitializedDataSize:	186368
UninitializedDataSize:	2048
EntryPoint:	0x338f
OSVersion:	4
ImageVersion:	6
SubsystemVersion:	4
Subsystem:	Windows GUI

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

524

"C:\Program Files\Windows Media Player\wmpnscfg.exe"

C:\Program Files\Windows Media Player\wmpnscfg.exe

—

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Media Player Network Sharing Service Configuration Application

Exit code:

Version:

12.0.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

748

C:\Users\admin\AppData\Local\Temp\downloader_easeus\2.2.0\5free\aliyun\AliyunWrapExe.Exe

InfoForSetup.exe

User:

admin

Integrity Level:

HIGH

Modules

Images
c:\users\admin\appdata\local\temp\downloader_easeus\2.2.0\5free\aliyun\aliyunwrapexe.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\appdata\local\temp\downloader_easeus\2.2.0\5free\aliyun\aliyunwrap.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ws2_32.dll

864

"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.easeus.com/thankyou/install-partition-master-free.htm

C:\Program Files\Microsoft\Edge\Application\msedge.exe

—

epm_free_support_16.5.tmp

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Microsoft Edge

Version:

109.0.1518.115

Modules

Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

920

net stop swprv

C:\Windows\System32\net.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Net Command

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\net.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\netutils.dll
c:\windows\system32\browcli.dll

924

C:\Windows\system32\net1 stop swprv

C:\Windows\System32\net1.exe

—

net.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Net Command

Exit code:

Version:

6.1.7601.17514 (win7sp1_rtm.101119-1850)

Modules

Images
c:\windows\system32\net1.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\dsrole.dll
c:\windows\system32\netutils.dll

952

cscript "C:\Program Files\EaseUS\EaseUS Partition Master\DC\bin\\register_app.vbs" -unregister "EPMVssEaseusProvider"

C:\Windows\System32\cscript.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Microsoft ® Console Based Script Host

Exit code:

Version:

5.8.7600.16385

Modules

Images
c:\windows\system32\cscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll

1020

"C:\Users\admin\AppData\Local\Temp\downloader_easeus\2.2.0\5free\EDownloader.exe" EXEDIR=C:\Users\admin\AppData\Local\Temp ||| EXENAME=epm_free_installer.17145678618828b292.exe ||| DOWNLOAD_VERSION=free ||| PRODUCT_VERSION=2.2.0 ||| INSTALL_TYPE=0

C:\Users\admin\AppData\Local\Temp\downloader_easeus\2.2.0\5free\EDownloader.exe

epm_free_installer.17145678618828b292.exe

User:

admin

Integrity Level:

HIGH

Modules

Images
c:\users\admin\appdata\local\temp\downloader_easeus\2.2.0\5free\edownloader.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll

1116

/SendInfo Window "Web_Installer" Activity "Result_Run_Installer" Attribute "{\"Country\":\"United States\",\"Pageid\":\"17145678618828b292\",\"Timezone\":\"GMT-00:00\"}"

C:\Users\admin\AppData\Local\Temp\downloader_easeus\2.2.0\5free\aliyun\InfoForSetup.exe

—

EDownloader.exe

User:

admin

Integrity Level:

HIGH

Exit code:

Modules

Images
c:\users\admin\appdata\local\temp\downloader_easeus\2.2.0\5free\aliyun\infoforsetup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll

1116

"C:\Program Files\EaseUS\EaseUS Partition Master\bin\EUinApp.exe" Main.exe

C:\Program Files\EaseUS\EaseUS Partition Master\bin\EUinApp.exe

—

epm_free_support_16.5.tmp

User:

admin

Integrity Level:

HIGH

Exit code:

Modules

Images
c:\program files\easeus\easeus partition master\bin\euinapp.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll

1132

/SendInfo Window "Downloading" Activity "Info_Start_Download_Program" Attribute "{\"Downloadfrom\":\"https://d1.easeus.com/epm/free/epm_free_support_16.5.exe\",\"Pageid\":\"17145678618828b292\",\"Testid\":\"\",\"Version\":\"Free\",\"Versionnumber\":\"18.5\"}"

C:\Users\admin\AppData\Local\Temp\downloader_easeus\2.2.0\5free\aliyun\InfoForSetup.exe

—

EDownloader.exe

User:

admin

Integrity Level:

HIGH

Exit code:

Modules

Images
c:\users\admin\appdata\local\temp\downloader_easeus\2.2.0\5free\aliyun\infoforsetup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll

Add for printing

Total events

15 450

Read events

15 180

Write events

208

Delete events

Modification events


(PID) Process:	(748) AliyunWrapExe.Exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(748) AliyunWrapExe.Exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(748) AliyunWrapExe.Exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(748) AliyunWrapExe.Exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(748) AliyunWrapExe.Exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:	write	Name:	ProxyEnable
Value: 0
(PID) Process:	(748) AliyunWrapExe.Exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:	delete value	Name:	ProxyServer
Value:
(PID) Process:	(748) AliyunWrapExe.Exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:	delete value	Name:	ProxyOverride
Value:
(PID) Process:	(748) AliyunWrapExe.Exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:	delete value	Name:	AutoConfigURL
Value:
(PID) Process:	(748) AliyunWrapExe.Exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:	delete value	Name:	AutoDetect
Value:
(PID) Process:	(748) AliyunWrapExe.Exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:	write	Name:	SavedLegacySettings
Value: 460000005D010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A8016B000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Add for printing

Executable files

1 260

Suspicious files

194

Text files

2 212

Unknown types

Dropped files

PID	Process	Filename		Type
4084	epm_free_installer.17145678618828b292.exe	C:\Users\admin\AppData\Local\Temp\downloader_easeus\2.2.0\5free\skin.zip		compressed
		MD5:85D86B4A38D993082B1F6C5DCD4AAF39	SHA256:6047DE478C219AD42EA91D461D81886966C653DA9DB1F28107880FA991075732
4084	epm_free_installer.17145678618828b292.exe	C:\Users\admin\AppData\Local\Temp\downloader_easeus\2.2.0\5free\Dutch.ini		text
		MD5:32E8AB5BD9243CA333C007DD5274FC6E	SHA256:9E6F6A6FE0CA269D68F3B0D9C4116AA6914291A783959CD6E8A2D5A6ED22C6DF
4084	epm_free_installer.17145678618828b292.exe	C:\Users\admin\AppData\Local\Temp\downloader_easeus\2.2.0\5free\ChineseTrad.ini		text
		MD5:EE9F9E88AAD4014304D5557962D07B48	SHA256:0F66AA4B69A8988C63AD09977762734283519D696F100278C42D1B974C6AC69F
4084	epm_free_installer.17145678618828b292.exe	C:\Users\admin\AppData\Local\Temp\downloader_easeus\2.2.0\5free\InitConfigure_epms.ini		ini
		MD5:398367EFD0613214E3AE77B113EA9D2B	SHA256:C44D56BFD888832B610677426C78211D2811FE3F74FBB4E3E5846DC54EA85B8D
4084	epm_free_installer.17145678618828b292.exe	C:\Users\admin\AppData\Local\Temp\downloader_easeus\2.2.0\5free\Portuguese.ini		text
		MD5:AA06C1D742B5304534848D4DB958259F	SHA256:EF8E757D203FD029F899459FF6AC28F4F269681F4FD1B9C00ADDBAF01CCC6DE2
4084	epm_free_installer.17145678618828b292.exe	C:\Users\admin\AppData\Local\Temp\downloader_easeus\2.2.0\5free\French.ini		text
		MD5:25EA7511C5F3C88EBE6F329B6BEBB69F	SHA256:92E4741A9C9ED34FD1760CFB236437ED60A724FD36485D721E64FA28FC0175AA
4084	epm_free_installer.17145678618828b292.exe	C:\Users\admin\AppData\Local\Temp\downloader_easeus\2.2.0\5free\Italian.ini		text
		MD5:D8228001A210BD49D45087AAEA8D187F	SHA256:D359DA5D3A4C0AE6EE0A17EC799365B38F4788C7F56BD4A23FF7254419940182
4084	epm_free_installer.17145678618828b292.exe	C:\Users\admin\AppData\Local\Temp\downloader_easeus\2.2.0\5free\InitConfigure.ini		ini
		MD5:D5A1BDAA9A7D406CD36FEBC0A49DEF1F	SHA256:18DB7EF980A52A9B43CAD34AB2BB854CFE66444740ABF807C8EFF7091A2328D9
4084	epm_free_installer.17145678618828b292.exe	C:\Users\admin\AppData\Local\Temp\downloader_easeus\2.2.0\5free\German.ini		text
		MD5:BEFDB0294BB4D7ECF66BC8FA82185364	SHA256:BD3DF746CE443B93733933C73C3D3C44E0D2CE6D22AED536F83B92A304AB1EB3
4084	epm_free_installer.17145678618828b292.exe	C:\Users\admin\AppData\Local\Temp\downloader_easeus\2.2.0\5free\LanguageTransfor.ini		text
		MD5:8EBF0F0B4966FEB8915100E42FA05EF8	SHA256:E84AAAA5938F1DC9B7E420F791AF443A8B876A9205D8EAF6ED0749CD09A0E840

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
748	AliyunWrapExe.Exe	GET	200	163.171.128.150:80	http://track.easeus.com/product/index.php?c=main&a=getstatus&pid=19	unknown	—	—	unknown
748	AliyunWrapExe.Exe	POST	200	47.252.97.9:80	http://easeusinfo.us-east-1.log.aliyuncs.com/logstores/logstore_epm_downloader/shards/lb	unknown	—	—	unknown
1020	EDownloader.exe	POST	200	18.172.112.123:80	http://download.easeus.com/api2/index.php/Apicp/Drwdl202004/index/	unknown	—	—	unknown
748	AliyunWrapExe.Exe	POST	200	47.252.97.9:80	http://easeusinfo.us-east-1.log.aliyuncs.com/logstores/logstore_epm_downloader/shards/lb	unknown	—	—	unknown
—	—	POST	200	47.252.97.9:80	http://easeusinfo.us-east-1.log.aliyuncs.com/logstores/logstore_epm_downloader/shards/lb	unknown	—	—	unknown
748	AliyunWrapExe.Exe	POST	200	47.252.97.9:80	http://easeusinfo.us-east-1.log.aliyuncs.com/logstores/logstore_epm_downloader/shards/lb	unknown	—	—	unknown
748	AliyunWrapExe.Exe	POST	200	47.252.97.9:80	http://easeusinfo.us-east-1.log.aliyuncs.com/logstores/logstore_epm_downloader/shards/lb	unknown	—	—	unknown
748	AliyunWrapExe.Exe	POST	200	47.252.97.11:80	http://easeusinfo.us-east-1.log.aliyuncs.com/logstores/logstore_epm_downloader/shards/lb	unknown	—	—	unknown
748	AliyunWrapExe.Exe	POST	200	47.252.97.11:80	http://easeusinfo.us-east-1.log.aliyuncs.com/logstores/logstore_epm_downloader/shards/lb	unknown	—	—	unknown
748	AliyunWrapExe.Exe	POST	200	47.252.97.11:80	http://easeusinfo.us-east-1.log.aliyuncs.com/logstores/logstore_epm_downloader/shards/lb	unknown	—	—	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
1020	EDownloader.exe	18.172.112.123:80	download.easeus.com	—	US	unknown
748	AliyunWrapExe.Exe	163.171.128.150:80	track.easeus.com	QUANTILNETWORKS	DE	unknown
4	System	192.168.100.255:138	—	—	—	whitelisted
748	AliyunWrapExe.Exe	47.252.97.9:80	easeusinfo.us-east-1.log.aliyuncs.com	Alibaba US Technology Co., Ltd.	US	unknown
4	System	192.168.100.255:137	—	—	—	whitelisted
1020	EDownloader.exe	18.66.112.111:443	d1.easeus.com	AMAZON-02	US	unknown
748	AliyunWrapExe.Exe	47.252.97.11:80	easeusinfo.us-east-1.log.aliyuncs.com	Alibaba US Technology Co., Ltd.	US	unknown
3576	AliyunWrapExe.Exe	163.171.128.150:80	track.easeus.com	QUANTILNETWORKS	DE	unknown
3928	AliyunWrapExe.Exe	163.171.128.150:80	track.easeus.com	QUANTILNETWORKS	DE	unknown
1292	AliyunWrapExe.Exe	163.171.128.150:80	track.easeus.com	QUANTILNETWORKS	DE	unknown

DNS requests

Domain	IP	Reputation
download.easeus.com	18.172.112.123 18.172.112.32 18.172.112.26 18.172.112.107	unknown
track.easeus.com	163.171.128.150 163.171.156.15	unknown
easeusinfo.us-east-1.log.aliyuncs.com	47.252.97.9 47.252.97.11 47.252.97.14 47.252.97.15 47.252.97.10 47.252.97.8 47.252.97.13 47.252.97.12 47.252.97.212	unknown
d1.easeus.com	18.66.112.111 18.66.112.125 18.66.112.6 18.66.112.38	unknown
update.easeus.com	—	unknown

Threats

No threats detected

Add for printing

Process	Message
EDownloader.exe	[928]-14:01:27:087 ParseCmdLine param=EXEDIR=C:\Users\admin\AppData\Local\Temp \|\|\| EXENAME=epm_free_installer.17145678618828b292.exe \|\|\| DOWNLOAD_VERSION=free \|\|\| PRODUCT_VERSION=2.2.0 \|\|\| INSTALL_TYPE=0
EDownloader.exe	[928]-14:01:27:087 CTools::loadIni configPath=C:\Users\admin\AppData\Local\Temp\downloader_easeus\2.2.0\5free\InitConfigure.ini
EDownloader.exe	[1872]-14:01:27:946 Json parse Data Start
EDownloader.exe	[1872]-14:01:27:946 PostData Start download url=http://download.easeus.com/api2/index.php/Apicp/Drwdl202004/index/?exeNumber=17145678618828b292&lang=English&pcVersion=home&pid=5&tid=1&version=free
EDownloader.exe	[1872]-14:01:27:946 Json url: http://download.easeus.com/api2/index.php/Apicp/Drwdl202004/index/?exeNumber=17145678618828b292&lang=English&pcVersion=home&pid=5&tid=1&version=free
EDownloader.exe	[1872]-14:01:37:274 Json parse Data end(code=0)
EDownloader.exe	[1872]-14:01:37:274 PostData end
EDownloader.exe	[1872]-14:01:37:274 StartPost Error parse tuijian
EDownloader.exe	[1872]-14:01:37:274 Json response: {"check":1,"msg":"\u6210\u529f","data":{"pid":"5","download":"https:\/\/d1.easeus.com\/epm\/free\/epm18.5_free.exe","download2":"https:\/\/d2.easeus.com\/epm\/free\/epm18.5_free.exe","download3":"https:\/\/d3.easeus.com\/epm\/free\/epm18.5_free.exe","version":"free","curNum":"18.5","testid":"","url":["https:\/\/d1.easeus.com\/epm\/free\/epm_free_support_16.5.exe"],"md5":"052A86B300616D09DCB41BE5CA52A517","tj_download":"test","referNumber":"1000000","killSwitch":"true","WriteLogSwitch":"false","configid":""},"time":1714568489}
EDownloader.exe	[928]-14:01:37:290 CHttpHelper::GetDownloadInfo 56 download info code:0

General Info

epm_free_installer.17145678618828b292.exe

D33BDE2AC7340BC96E5920A7307E363B

4E1C33B945A1453636287739CCD6D21BC660AD6B

3F18740138451CBB4116270120B4F7EEAC62F80923F5CDF6614D42977CE074E2

98304:nnCTzRnymY2wmc0OLwFRdXfSV7JHIuh6xR+vSUQiRLQFr+Uf33vOYnb8iise+Eak:eoRd

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

Actions looks like stealing of personal data

Creates a writable file in the system directory

Starts NET.EXE for service management

Registers / Runs the DLL via REGSVR32.EXE

SUSPICIOUS

Executable content was dropped or overwritten

Reads the Internet Settings

Reads security settings of Internet Explorer

Uses WMIC.EXE to obtain computer system information

Process drops legitimate windows executable

Creates files in the driver directory

Process checks presence of unattended files

The process drops C-runtime libraries

Drops a system driver (possible attempt to evade defenses)

Drops 7-zip archiver for unpacking

Changes Internet Explorer settings (feature browser emulation)

Reads the Windows owner or organization settings

Executing commands from ".cmd" file

Starts CMD.EXE for commands execution

Uses REG/REGEDIT.EXE to modify registry

The process executes VB scripts

Executes as Windows Service

Uses WMI to retrieve WMI-managed resources (SCRIPT)

Executes WMI query (SCRIPT)

Creates or modifies Windows services

Checks Windows Trust Settings

INFO

Create files in a temporary directory

Checks supported languages

Reads the computer name

Checks proxy server information

Reads the machine GUID from the registry

Creates files or folders in the user directory

Manual execution by a user

Creates files in the program directory

Checks transactions between databases Windows and Oracle

Reads security settings of Internet Explorer

Creates a software uninstall entry

Application launched itself

Reads the software policy settings

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules