File name:

epm_free

Full analysis: https://app.any.run/tasks/f4d94a63-59f3-44a6-8cb7-f57820207750
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Malware Trends Tracker     >>>
Analysis date: August 22, 2024, 09:16:30
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
stealer
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5:

91A21C1D08884E53CD6DDC5CB930FC49

SHA1:

1AD3CC1E99573B145BC956417C26249B2041AADA

SHA256:

4D1514934696D4E78DB5769F4D4652DDA9E025549A511669F2C1DE104F360F55

SSDEEP:

98304:WxN5Qq0/EGx7RJKSdUDeJitM44SVN/i5vsyPGVzj4i6xQPNqjR6RLZX33vLGE8KF:gbe+z/

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Actions looks like stealing of personal data

      • epm_free_support_16.5.tmp (PID: 3484)
      • EUCloneServer.exe (PID: 3016)

    • Starts NET.EXE for service management

      • net.exe (PID: 4064)
      • cmd.exe (PID: 3132)
      • net.exe (PID: 1588)
      • net.exe (PID: 2836)

    • Registers / Runs the DLL via REGSVR32.EXE

      • cmd.exe (PID: 3132)

  • SUSPICIOUS

    • Drops the executable file immediately after the start

      • epm_free.exe (PID: 3028)
      • epm_free_support_16.5.exe (PID: 940)
      • epm_free_support_16.5.tmp (PID: 3484)
      • EnsUtils.exe (PID: 3244)
      • DrvSetup.exe (PID: 1944)

    • Executable content was dropped or overwritten

      • epm_free.exe (PID: 3028)
      • epm_free_support_16.5.exe (PID: 940)
      • epm_free_support_16.5.tmp (PID: 3484)
      • DrvSetup.exe (PID: 1944)
      • EnsUtils.exe (PID: 3244)

    • Reads security settings of Internet Explorer

      • AliyunWrapExe.exe (PID: 3436)
      • AliyunWrapExe.exe (PID: 3752)
      • epm_free_support_16.5.tmp (PID: 3484)
      • ensserver.exe (PID: 3468)
      • AliyunWrapExe.exe (PID: 3424)
      • AliyunWrapExe.exe (PID: 2364)
      • EDownloader.exe (PID: 3136)

    • Reads the Internet Settings

      • AliyunWrapExe.exe (PID: 3436)
      • WMIC.exe (PID: 3756)
      • AliyunWrapExe.exe (PID: 3752)
      • epm_free_support_16.5.tmp (PID: 3484)
      • EDownloader.exe (PID: 3136)
      • AliyunWrapExe.exe (PID: 2364)

    • Uses WMIC.EXE to obtain computer system information

      • EDownloader.exe (PID: 3136)

    • Process drops legitimate windows executable

      • epm_free_support_16.5.tmp (PID: 3484)
      • EnsUtils.exe (PID: 3244)

    • The process drops C-runtime libraries

      • epm_free_support_16.5.tmp (PID: 3484)
      • EnsUtils.exe (PID: 3244)

    • Drops a system driver (possible attempt to evade defenses)

      • epm_free_support_16.5.tmp (PID: 3484)
      • DrvSetup.exe (PID: 1944)

    • Drops 7-zip archiver for unpacking

      • epm_free_support_16.5.tmp (PID: 3484)

    • Creates files in the driver directory

      • epm_free_support_16.5.tmp (PID: 3484)
      • DrvSetup.exe (PID: 1944)

    • Process checks presence of unattended files

      • epm_free_support_16.5.tmp (PID: 3484)

    • Changes Internet Explorer settings (feature browser emulation)

      • epm_free_support_16.5.tmp (PID: 3484)
      • EUinApp.exe (PID: 2220)

    • Executing commands from ".cmd" file

      • epm_free_support_16.5.tmp (PID: 3484)

    • Starts CMD.EXE for commands execution

      • epm_free_support_16.5.tmp (PID: 3484)

    • Reads the Windows owner or organization settings

      • epm_free_support_16.5.tmp (PID: 3484)

    • The process executes VB scripts

      • cmd.exe (PID: 3132)

    • Executes as Windows Service

      • dllhost.exe (PID: 184)
      • msdtc.exe (PID: 1168)
      • VSSVC.exe (PID: 4020)
      • ensserver.exe (PID: 3468)
      • vds.exe (PID: 932)

    • Uses WMI to retrieve WMI-managed resources (SCRIPT)

      • cscript.exe (PID: 2644)

    • Executes WMI query (SCRIPT)

      • cscript.exe (PID: 2644)

    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 3132)

    • Creates or modifies Windows services

      • DrvSetup.exe (PID: 1944)
      • setupepmdrv.exe (PID: 2560)

    • Checks Windows Trust Settings

      • ensserver.exe (PID: 3468)

    • Searches for installed software

      • EDownloader.exe (PID: 3136)

    • Creates file in the systems drive root

      • EUCloneServer.exe (PID: 3016)

    • Detected use of alternative data streams (AltDS)

      • EUCloneServer.exe (PID: 3016)

    • There is functionality for taking screenshot (YARA)

      • Main.exe (PID: 2916)

  • INFO

    • Checks supported languages

      • InfoForSetup.exe (PID: 3620)
      • epm_free.exe (PID: 3028)
      • AliyunWrapExe.exe (PID: 3436)
      • InfoForSetup.exe (PID: 3440)
      • EDownloader.exe (PID: 3136)
      • wmpnscfg.exe (PID: 3284)
      • InfoForSetup.exe (PID: 3228)
      • InfoForSetup.exe (PID: 3728)
      • InfoForSetup.exe (PID: 3024)
      • InfoForSetup.exe (PID: 3196)
      • InfoForSetup.exe (PID: 3192)
      • InfoForSetup.exe (PID: 400)
      • epm_free_support_16.5.exe (PID: 940)
      • epm_free_support_16.5.tmp (PID: 3484)
      • InfoForSetup.exe (PID: 1836)
      • DrvSetup.exe (PID: 1944)
      • setupepmdrv.exe (PID: 2560)
      • EnsUtils.exe (PID: 3244)
      • AliyunWrapExe.exe (PID: 3752)
      • ensserver.exe (PID: 3468)
      • AliyunWrapExe.exe (PID: 2364)
      • EUinApp.exe (PID: 2220)
      • SetupUE.exe (PID: 1524)
      • InfoForSetup.exe (PID: 1260)
      • AliyunWrapExe.exe (PID: 3424)
      • InfoForSetup.exe (PID: 3380)
      • InfoForSetup.exe (PID: 3164)
      • InfoForSetup.exe (PID: 3616)
      • epm0.exe (PID: 3552)
      • InfoForSetup.exe (PID: 2164)
      • wpn-grant.exe (PID: 1840)
      • EUCloneServer.exe (PID: 3016)
      • EuDownload.exe (PID: 3996)
      • EuDownload.exe (PID: 3360)
      • Main.exe (PID: 2916)
      • EuDownload.exe (PID: 3748)
      • EuDownload.exe (PID: 4036)
      • EuDownload.exe (PID: 3928)
      • wpn.exe (PID: 1524)

    • Reads the computer name

      • epm_free.exe (PID: 3028)
      • EDownloader.exe (PID: 3136)
      • AliyunWrapExe.exe (PID: 3436)
      • InfoForSetup.exe (PID: 3620)
      • wmpnscfg.exe (PID: 3284)
      • epm_free_support_16.5.tmp (PID: 3484)
      • DrvSetup.exe (PID: 1944)
      • setupepmdrv.exe (PID: 2560)
      • EnsUtils.exe (PID: 3244)
      • AliyunWrapExe.exe (PID: 3752)
      • ensserver.exe (PID: 3468)
      • AliyunWrapExe.exe (PID: 3424)
      • AliyunWrapExe.exe (PID: 2364)
      • wpn-grant.exe (PID: 1840)
      • Main.exe (PID: 2916)
      • EuDownload.exe (PID: 3996)
      • EuDownload.exe (PID: 3360)
      • EuDownload.exe (PID: 3748)
      • EuDownload.exe (PID: 4036)
      • EuDownload.exe (PID: 3928)
      • EUCloneServer.exe (PID: 3016)
      • wpn.exe (PID: 1524)

    • Create files in a temporary directory

      • epm_free.exe (PID: 3028)
      • InfoForSetup.exe (PID: 3440)
      • EDownloader.exe (PID: 3136)
      • AliyunWrapExe.exe (PID: 3436)
      • epm_free_support_16.5.exe (PID: 940)
      • epm_free_support_16.5.tmp (PID: 3484)
      • Main.exe (PID: 2916)
      • EuDownload.exe (PID: 3360)
      • EuDownload.exe (PID: 3748)

    • Checks proxy server information

      • AliyunWrapExe.exe (PID: 3436)
      • AliyunWrapExe.exe (PID: 3752)
      • ensserver.exe (PID: 3468)
      • AliyunWrapExe.exe (PID: 3424)
      • AliyunWrapExe.exe (PID: 2364)

    • Reads the machine GUID from the registry

      • AliyunWrapExe.exe (PID: 3436)
      • AliyunWrapExe.exe (PID: 3752)
      • EnsUtils.exe (PID: 3244)
      • ensserver.exe (PID: 3468)
      • AliyunWrapExe.exe (PID: 3424)
      • AliyunWrapExe.exe (PID: 2364)
      • wpn-grant.exe (PID: 1840)
      • EuDownload.exe (PID: 3360)
      • Main.exe (PID: 2916)
      • EUCloneServer.exe (PID: 3016)
      • EuDownload.exe (PID: 4036)
      • EuDownload.exe (PID: 3748)
      • EuDownload.exe (PID: 3996)
      • wpn.exe (PID: 1524)
      • EuDownload.exe (PID: 3928)

    • Manual execution by a user

      • wmpnscfg.exe (PID: 3284)
      • msedge.exe (PID: 3732)

    • Creates files or folders in the user directory

      • AliyunWrapExe.exe (PID: 3436)
      • epm_free_support_16.5.tmp (PID: 3484)
      • AliyunWrapExe.exe (PID: 3752)
      • AliyunWrapExe.exe (PID: 2364)

    • Creates files in the program directory

      • epm_free_support_16.5.tmp (PID: 3484)
      • DrvSetup.exe (PID: 1944)
      • EnsUtils.exe (PID: 3244)
      • ensserver.exe (PID: 3468)
      • AliyunWrapExe.exe (PID: 3752)
      • AliyunWrapExe.exe (PID: 3424)
      • AliyunWrapExe.exe (PID: 2364)
      • EUCloneServer.exe (PID: 3016)
      • Main.exe (PID: 2916)
      • EuDownload.exe (PID: 3996)
      • EuDownload.exe (PID: 4036)
      • EuDownload.exe (PID: 3928)

    • Creates a software uninstall entry

      • epm_free_support_16.5.tmp (PID: 3484)

    • Checks transactions between databases Windows and Oracle

      • dllhost.exe (PID: 184)
      • msdtc.exe (PID: 1168)
      • cscript.exe (PID: 2588)
      • cscript.exe (PID: 2644)

    • Reads security settings of Internet Explorer

      • cscript.exe (PID: 2644)
      • cscript.exe (PID: 2588)

    • Application launched itself

      • msedge.exe (PID: 3776)
      • msedge.exe (PID: 3732)

    • Reads the software policy settings

      • ensserver.exe (PID: 3468)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2018:01:30 03:57:48+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 26624
InitializedDataSize: 186368
UninitializedDataSize: 2048
EntryPoint: 0x338f
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
138
Monitored processes
81
Malicious processes
10
Suspicious processes
1

Behavior graph

Click at the process to see the details
start epm_free.exe edownloader.exe infoforsetup.exe no specs infoforsetup.exe no specs aliyunwrapexe.exe wmpnscfg.exe no specs infoforsetup.exe no specs infoforsetup.exe no specs wmic.exe no specs infoforsetup.exe no specs infoforsetup.exe no specs infoforsetup.exe no specs infoforsetup.exe no specs infoforsetup.exe no specs epm_free_support_16.5.exe epm_free_support_16.5.tmp cmd.exe no specs net.exe no specs net1.exe no specs net.exe no specs net1.exe no specs net1.exe no specs net.exe no specs reg.exe no specs cscript.exe no specs dllhost.exe no specs msdtc.exe no specs regsvr32.exe no specs vssvc.exe no specs cscript.exe no specs rundll32.exe no specs rundll32.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs drvsetup.exe setupepmdrv.exe no specs ensutils.exe aliyunwrapexe.exe ensserver.exe setupue.exe no specs infoforsetup.exe no specs aliyunwrapexe.exe infoforsetup.exe no specs msedge.exe no specs euinapp.exe no specs msedge.exe no specs aliyunwrapexe.exe infoforsetup.exe no specs infoforsetup.exe no specs epm0.exe no specs infoforsetup.exe no specs THREAT main.exe wpn-grant.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs eudownload.exe eudownload.exe eucloneserver.exe msedge.exe no specs msedge.exe no specs eudownload.exe vdsldr.exe no specs vds.exe no specs eudownload.exe msedge.exe no specs eudownload.exe msedge.exe no specs wpn.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs epm_free.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
184C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}C:\Windows\System32\dllhost.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
COM Surrogate
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
400 /SendInfo Window "Installing" Activity "Info_Start_Install_Program"C:\Users\admin\AppData\Local\Temp\downloader_easeus\2.2.0\5free\aliyun\InfoForSetup.exeEDownloader.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\downloader_easeus\2.2.0\5free\aliyun\infoforsetup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
932C:\Windows\System32\vds.exeC:\Windows\System32\vds.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Virtual Disk Service
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\atl.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\oleaut32.dll
940 /verysilent /norestart /log Installer /DIR="C:\Program Files\EaseUS\EaseUS Partition Master" /LANG=English agreeImprove=true GUID=S-1-5-21-1302019708-1500728564-335382590-1000 xurlID=999999 C:\Users\admin\Downloads\epm_free_support_16.5.exe
EDownloader.exe
User:
admin
Company:
EaseUS
Integrity Level:
HIGH
Description:
EaseUS Partition Master Setup
Exit code:
0
Version:
16.5
Modules
Images
c:\users\admin\downloads\epm_free_support_16.5.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
972RunDll32 catsrvut.dll,QueryUserDll "C:\Program Files\EaseUS\EaseUS Partition Master\DC\bin\VssEaseusProvider.dll" Global\{B64966D2-0284-44FF-AD80-70B7A2B23102}C:\Windows\System32\rundll32.exedllhost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll
1080reg.exe add HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application\EPMVssEaseusProvider /f /v CustomSource /t REG_DWORD /d 1C:\Windows\System32\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
1168C:\Windows\System32\msdtc.exeC:\Windows\System32\msdtc.exeservices.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Distributed Transaction Coordinator Service
Version:
2001.12.8530.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\msdtc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
1180C:\Windows\system32\net1 stop swprvC:\Windows\System32\net1.exenet.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Net Command
Exit code:
2
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\net1.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\dsrole.dll
c:\windows\system32\netutils.dll
1260"C:\Program Files\EaseUS\EaseUS Partition Master\bin\InfoForSetup.exe" /EnableC:\Program Files\EaseUS\EaseUS Partition Master\bin\InfoForSetup.exeSetupUE.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\program files\easeus\easeus partition master\bin\infoforsetup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
1460"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1584 --field-trial-handle=1300,i,3495300727990845737,7247963076983181163,131072 /prefetch:3C:\Program Files\Microsoft\Edge\Application\msedge.exe
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
Total events
30 115
Read events
29 770
Write events
277
Delete events
68

Modification events

(PID) Process:(3436) AliyunWrapExe.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(3436) AliyunWrapExe.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(3436) AliyunWrapExe.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(3436) AliyunWrapExe.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(3436) AliyunWrapExe.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:writeName:ProxyEnable
Value:
0
(PID) Process:(3436) AliyunWrapExe.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:delete valueName:ProxyServer
Value:
(PID) Process:(3436) AliyunWrapExe.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:delete valueName:ProxyOverride
Value:
(PID) Process:(3436) AliyunWrapExe.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:delete valueName:AutoConfigURL
Value:
(PID) Process:(3436) AliyunWrapExe.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:delete valueName:AutoDetect
Value:
(PID) Process:(3436) AliyunWrapExe.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:writeName:SavedLegacySettings
Value:
460000005D010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A8016B000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Executable files
1 282
Suspicious files
300
Text files
2 248
Unknown types
5

Dropped files

PID
Process
Filename
Type
3028epm_free.exeC:\Users\admin\AppData\Local\Temp\downloader_easeus\2.2.0\5free\ChineseTrad.initext
MD5:802704E820D35785E4CFBE3DD78AE935
SHA256:DADBC522D6B9C5F9CD25EF32DE2368B6AD35D7E386279B97B9D86BE31B0E7C7A
3028epm_free.exeC:\Users\admin\AppData\Local\Temp\downloader_easeus\2.2.0\5free\Japanese.initext
MD5:1AE5200C2D4E9B39B3390755AEE79E65
SHA256:4B205FFA191985B93FCE1FDBD964B80459C15C8583AB9B6B4CC8DA8F8F383E65
3028epm_free.exeC:\Users\admin\AppData\Local\Temp\downloader_easeus\2.2.0\5free\Italian.initext
MD5:667C44ABE698BE2B1FC254CB211AD0A5
SHA256:E92FFB7D792D8FE01571A40A545FAA038F746C7EE6F8F8A5AD82E8E9989EFEDC
3028epm_free.exeC:\Users\admin\AppData\Local\Temp\downloader_easeus\2.2.0\5free\French.initext
MD5:15F2A9EA32A78D325B9E46DD973399A9
SHA256:A3E0781372CE985A66DBC516C3C4B4CCBB2524FFC7A9EB5F446DF614AFB94E34
3028epm_free.exeC:\Users\admin\AppData\Local\Temp\downloader_easeus\2.2.0\5free\Danish.initext
MD5:8422BC72E08EE3CD45DEC0BF0E127304
SHA256:CA835674050651563B0236F8F8E52C80A912B025948BBB8EC53338337E3531A0
3028epm_free.exeC:\Users\admin\AppData\Local\Temp\downloader_easeus\2.2.0\5free\German.initext
MD5:8D6F85CB9F0F086CE034A1537485483B
SHA256:2210C166999E5766F2D6BBC1F4817A141549D413E5185BD496AEA37031F9F3C0
3028epm_free.exeC:\Users\admin\AppData\Local\Temp\downloader_easeus\2.2.0\5free\Arabic.initext
MD5:CBA453F3F4672B54B745DA028B8BF7FA
SHA256:391B8404A5EE90BA3B2C8D4A727B2C9A48A2C9979B895DAB3FE34FF38AF971EB
3028epm_free.exeC:\Users\admin\AppData\Local\Temp\downloader_easeus\2.2.0\5free\Dutch.initext
MD5:A6CB84F6C5670D142C6AD5F5F4CEC586
SHA256:231B7ED6577D842CA2D44D5A3496B9E6B66255F026F82FC594E7723F4DBD861F
3028epm_free.exeC:\Users\admin\AppData\Local\Temp\downloader_easeus\2.2.0\5free\skin.zipcompressed
MD5:3D595BDC32A372ECCEFE8BE0FB1930F3
SHA256:89802C1A5BAC14FAECCB0D29539A7FC17E1354148EFA2CAB5861B5DE1F8DEF4B
3028epm_free.exeC:\Users\admin\AppData\Local\Temp\downloader_easeus\2.2.0\5free\EDownloader.exeexecutable
MD5:75C6AA0EA529A99BE1AA7A6CE1D40EB7
SHA256:2FAE081440A24194DAE7AEAB20612CFF53F6C94E6C0D09EAD3BA2CBA70A87E46
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
36
TCP/UDP connections
107
DNS requests
60
Threats
25

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3436
AliyunWrapExe.exe
GET
200
163.171.128.241:80
http://track.easeus.com/product/index.php?c=main&a=getstatus&pid=19
unknown
malicious
1372
svchost.exe
GET
304
199.232.214.172:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?33775f6043c93e33
unknown
whitelisted
3136
EDownloader.exe
POST
200
18.172.112.26:80
http://download.easeus.com/api2/index.php/Apicp/Drwdl202004/index/
unknown
unknown
3436
AliyunWrapExe.exe
POST
200
47.252.97.8:80
http://easeusinfo.us-east-1.log.aliyuncs.com/logstores/logstore_epm_downloader/shards/lb
unknown
unknown
3436
AliyunWrapExe.exe
POST
200
47.252.97.8:80
http://easeusinfo.us-east-1.log.aliyuncs.com/logstores/logstore_epm_downloader/shards/lb
unknown
unknown
3436
AliyunWrapExe.exe
POST
200
47.252.97.8:80
http://easeusinfo.us-east-1.log.aliyuncs.com/logstores/logstore_epm_downloader/shards/lb
unknown
unknown
3436
AliyunWrapExe.exe
POST
200
47.252.97.8:80
http://easeusinfo.us-east-1.log.aliyuncs.com/logstores/logstore_epm_downloader/shards/lb
unknown
unknown
1372
svchost.exe
GET
200
2.16.241.12:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1372
svchost.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
1060
svchost.exe
GET
304
199.232.210.172:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?60bcd71e49d094b3
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
239.255.255.250:3702
whitelisted
224.0.0.252:5355
whitelisted
4
System
192.168.100.255:137
whitelisted
1060
svchost.exe
224.0.0.252:5355
whitelisted
1372
svchost.exe
20.73.194.208:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
3436
AliyunWrapExe.exe
163.171.128.241:80
track.easeus.com
QUANTILNETWORKS
DE
unknown
3136
EDownloader.exe
18.172.112.26:80
download.easeus.com
US
unknown
3436
AliyunWrapExe.exe
47.252.97.8:80
easeusinfo.us-east-1.log.aliyuncs.com
Alibaba US Technology Co., Ltd.
US
unknown
1372
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.185.110
whitelisted
download.easeus.com
  • 18.172.112.26
  • 18.172.112.32
  • 18.172.112.123
  • 18.172.112.107
unknown
track.easeus.com
  • 163.171.128.241
  • 163.171.128.150
  • 163.171.156.15
unknown
easeusinfo.us-east-1.log.aliyuncs.com
  • 47.252.97.8
  • 47.252.97.212
  • 47.252.97.14
  • 47.252.97.13
  • 47.252.97.11
  • 47.252.97.9
  • 47.252.97.10
  • 47.252.97.12
  • 47.252.97.15
unknown
settings-win.data.microsoft.com
  • 4.231.128.59
whitelisted
ctldl.windowsupdate.com
  • 199.232.214.172
  • 199.232.210.172
whitelisted
crl.microsoft.com
  • 2.16.241.12
  • 2.16.241.19
whitelisted
www.microsoft.com
  • 88.221.169.152
whitelisted
d1.easeus.com
  • 18.66.112.125
  • 18.66.112.38
  • 18.66.112.6
  • 18.66.112.111
unknown
update.easeus.com
  • 3.160.150.116
  • 3.160.150.120
  • 3.160.150.20
  • 3.160.150.50
whitelisted

Threats

PID
Process
Class
Message
3436
AliyunWrapExe.exe
Generic Protocol Command Decode
SURICATA HTTP Request unrecognized authorization method
3436
AliyunWrapExe.exe
Generic Protocol Command Decode
SURICATA HTTP Request unrecognized authorization method
1060
svchost.exe
Misc activity
ET INFO DNS Query to Alibaba Cloud CDN Domain (aliyuncs .com)
3436
AliyunWrapExe.exe
Generic Protocol Command Decode
SURICATA HTTP Request unrecognized authorization method
3436
AliyunWrapExe.exe
Generic Protocol Command Decode
SURICATA HTTP Request unrecognized authorization method
3436
AliyunWrapExe.exe
Generic Protocol Command Decode
SURICATA HTTP Request unrecognized authorization method
1060
svchost.exe
Misc activity
ET INFO DNS Query to Alibaba Cloud CDN Domain (aliyuncs .com)
3436
AliyunWrapExe.exe
Generic Protocol Command Decode
SURICATA HTTP Request unrecognized authorization method
3436
AliyunWrapExe.exe
Generic Protocol Command Decode
SURICATA HTTP Request unrecognized authorization method
3436
AliyunWrapExe.exe
Generic Protocol Command Decode
SURICATA HTTP Request unrecognized authorization method
Process
Message
EDownloader.exe
[3564]-10:16:36:838 ParseCmdLine param=EXEDIR=C:\Users\admin\Downloads ||| EXENAME=epm_free.exe ||| DOWNLOAD_VERSION=free ||| PRODUCT_VERSION=2.2.0 ||| INSTALL_TYPE=0
EDownloader.exe
[3564]-10:16:36:838 CTools::loadIni configPath=C:\Users\admin\AppData\Local\Temp\downloader_easeus\2.2.0\5free\InitConfigure.ini
EDownloader.exe
[1892]-10:16:37:291 Json parse Data Start
EDownloader.exe
[1892]-10:16:37:291 Json url: http://download.easeus.com/api2/index.php/Apicp/Drwdl202004/index/?exeNumber=999999&lang=English&pcVersion=home&pid=5&tid=1&version=free
EDownloader.exe
[1892]-10:16:37:291 PostData Start download url=http://download.easeus.com/api2/index.php/Apicp/Drwdl202004/index/?exeNumber=999999&lang=English&pcVersion=home&pid=5&tid=1&version=free
EDownloader.exe
[1892]-10:16:38:619 PostData end
EDownloader.exe
[1892]-10:16:38:619 Json response: {"check":1,"msg":"\u6210\u529f","data":{"pid":"5","download":"https:\/\/d1.easeus.com\/epm\/free\/epm1904_free_ob_A.exe","download2":"https:\/\/d2.easeus.com\/epm\/free\/epm1904_free_ob_A.exe","download3":"https:\/\/d3.easeus.com\/epm\/free\/epm1904_free_ob_A.exe","version":"free","curNum":"18.8","testid":"","url":["https:\/\/d1.easeus.com\/epm\/free\/epm_free_support_16.5.exe"],"md5":"C020EE4093FA2F651B328D2F71EA7A9D","tj_download":"test","referNumber":"1000000","killSwitch":"true","WriteLogSwitch":"false","configid":""},"time":1724318198}
EDownloader.exe
[1892]-10:16:38:619 StartPost Error parse tuijian
EDownloader.exe
[1892]-10:16:38:619 Json parse Data end(code=0)
EDownloader.exe
[3564]-10:16:38:619 CHttpHelper::GetDownloadInfo 56 download info code:0
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
epm_free