File name:

epm_free

Full analysis: https://app.any.run/tasks/f4d94a63-59f3-44a6-8cb7-f57820207750
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Malware Trends Tracker     >>>
Analysis date: August 22, 2024, 09:16:30
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
stealer
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5:

91A21C1D08884E53CD6DDC5CB930FC49

SHA1:

1AD3CC1E99573B145BC956417C26249B2041AADA

SHA256:

4D1514934696D4E78DB5769F4D4652DDA9E025549A511669F2C1DE104F360F55

SSDEEP:

98304:WxN5Qq0/EGx7RJKSdUDeJitM44SVN/i5vsyPGVzj4i6xQPNqjR6RLZX33vLGE8KF:gbe+z/

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Actions looks like stealing of personal data

      • epm_free_support_16.5.tmp (PID: 3484)
      • EUCloneServer.exe (PID: 3016)

    • Starts NET.EXE for service management

      • cmd.exe (PID: 3132)
      • net.exe (PID: 1588)
      • net.exe (PID: 2836)
      • net.exe (PID: 4064)

    • Registers / Runs the DLL via REGSVR32.EXE

      • cmd.exe (PID: 3132)

  • SUSPICIOUS

    • Drops the executable file immediately after the start

      • epm_free.exe (PID: 3028)
      • epm_free_support_16.5.exe (PID: 940)
      • epm_free_support_16.5.tmp (PID: 3484)
      • DrvSetup.exe (PID: 1944)
      • EnsUtils.exe (PID: 3244)

    • Executable content was dropped or overwritten

      • epm_free.exe (PID: 3028)
      • epm_free_support_16.5.tmp (PID: 3484)
      • epm_free_support_16.5.exe (PID: 940)
      • DrvSetup.exe (PID: 1944)
      • EnsUtils.exe (PID: 3244)

    • Reads the Internet Settings

      • AliyunWrapExe.exe (PID: 3436)
      • WMIC.exe (PID: 3756)
      • AliyunWrapExe.exe (PID: 3752)
      • epm_free_support_16.5.tmp (PID: 3484)
      • AliyunWrapExe.exe (PID: 2364)
      • EDownloader.exe (PID: 3136)

    • Reads security settings of Internet Explorer

      • AliyunWrapExe.exe (PID: 3436)
      • AliyunWrapExe.exe (PID: 3752)
      • ensserver.exe (PID: 3468)
      • AliyunWrapExe.exe (PID: 3424)
      • epm_free_support_16.5.tmp (PID: 3484)
      • EDownloader.exe (PID: 3136)
      • AliyunWrapExe.exe (PID: 2364)

    • Uses WMIC.EXE to obtain computer system information

      • EDownloader.exe (PID: 3136)

    • Drops a system driver (possible attempt to evade defenses)

      • epm_free_support_16.5.tmp (PID: 3484)
      • DrvSetup.exe (PID: 1944)

    • Creates files in the driver directory

      • epm_free_support_16.5.tmp (PID: 3484)
      • DrvSetup.exe (PID: 1944)

    • Process drops legitimate windows executable

      • epm_free_support_16.5.tmp (PID: 3484)
      • EnsUtils.exe (PID: 3244)

    • Reads the Windows owner or organization settings

      • epm_free_support_16.5.tmp (PID: 3484)

    • Executing commands from ".cmd" file

      • epm_free_support_16.5.tmp (PID: 3484)

    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 3132)

    • Drops 7-zip archiver for unpacking

      • epm_free_support_16.5.tmp (PID: 3484)

    • Process checks presence of unattended files

      • epm_free_support_16.5.tmp (PID: 3484)

    • Changes Internet Explorer settings (feature browser emulation)

      • epm_free_support_16.5.tmp (PID: 3484)
      • EUinApp.exe (PID: 2220)

    • Starts CMD.EXE for commands execution

      • epm_free_support_16.5.tmp (PID: 3484)

    • Executes as Windows Service

      • VSSVC.exe (PID: 4020)
      • dllhost.exe (PID: 184)
      • msdtc.exe (PID: 1168)
      • ensserver.exe (PID: 3468)
      • vds.exe (PID: 932)

    • Uses WMI to retrieve WMI-managed resources (SCRIPT)

      • cscript.exe (PID: 2644)

    • The process drops C-runtime libraries

      • epm_free_support_16.5.tmp (PID: 3484)
      • EnsUtils.exe (PID: 3244)

    • The process executes VB scripts

      • cmd.exe (PID: 3132)

    • Executes WMI query (SCRIPT)

      • cscript.exe (PID: 2644)

    • Creates or modifies Windows services

      • setupepmdrv.exe (PID: 2560)
      • DrvSetup.exe (PID: 1944)

    • Checks Windows Trust Settings

      • ensserver.exe (PID: 3468)

    • Searches for installed software

      • EDownloader.exe (PID: 3136)

    • There is functionality for taking screenshot (YARA)

      • Main.exe (PID: 2916)

    • Detected use of alternative data streams (AltDS)

      • EUCloneServer.exe (PID: 3016)

    • Creates file in the systems drive root

      • EUCloneServer.exe (PID: 3016)

  • INFO

    • Reads the computer name

      • epm_free.exe (PID: 3028)
      • EDownloader.exe (PID: 3136)
      • InfoForSetup.exe (PID: 3620)
      • AliyunWrapExe.exe (PID: 3436)
      • wmpnscfg.exe (PID: 3284)
      • epm_free_support_16.5.tmp (PID: 3484)
      • DrvSetup.exe (PID: 1944)
      • setupepmdrv.exe (PID: 2560)
      • EnsUtils.exe (PID: 3244)
      • AliyunWrapExe.exe (PID: 3752)
      • ensserver.exe (PID: 3468)
      • AliyunWrapExe.exe (PID: 3424)
      • AliyunWrapExe.exe (PID: 2364)
      • wpn-grant.exe (PID: 1840)
      • Main.exe (PID: 2916)
      • EuDownload.exe (PID: 3360)
      • EuDownload.exe (PID: 3996)
      • EuDownload.exe (PID: 3748)
      • EuDownload.exe (PID: 4036)
      • EuDownload.exe (PID: 3928)
      • EUCloneServer.exe (PID: 3016)
      • wpn.exe (PID: 1524)

    • Checks supported languages

      • epm_free.exe (PID: 3028)
      • EDownloader.exe (PID: 3136)
      • InfoForSetup.exe (PID: 3620)
      • AliyunWrapExe.exe (PID: 3436)
      • InfoForSetup.exe (PID: 3440)
      • InfoForSetup.exe (PID: 3228)
      • wmpnscfg.exe (PID: 3284)
      • InfoForSetup.exe (PID: 3196)
      • InfoForSetup.exe (PID: 1836)
      • InfoForSetup.exe (PID: 3728)
      • InfoForSetup.exe (PID: 3024)
      • InfoForSetup.exe (PID: 3192)
      • InfoForSetup.exe (PID: 400)
      • epm_free_support_16.5.exe (PID: 940)
      • epm_free_support_16.5.tmp (PID: 3484)
      • DrvSetup.exe (PID: 1944)
      • EnsUtils.exe (PID: 3244)
      • AliyunWrapExe.exe (PID: 3752)
      • setupepmdrv.exe (PID: 2560)
      • ensserver.exe (PID: 3468)
      • SetupUE.exe (PID: 1524)
      • AliyunWrapExe.exe (PID: 3424)
      • InfoForSetup.exe (PID: 1260)
      • InfoForSetup.exe (PID: 3380)
      • EUinApp.exe (PID: 2220)
      • AliyunWrapExe.exe (PID: 2364)
      • InfoForSetup.exe (PID: 3164)
      • wpn-grant.exe (PID: 1840)
      • InfoForSetup.exe (PID: 2164)
      • InfoForSetup.exe (PID: 3616)
      • epm0.exe (PID: 3552)
      • EuDownload.exe (PID: 3996)
      • EuDownload.exe (PID: 3360)
      • Main.exe (PID: 2916)
      • EUCloneServer.exe (PID: 3016)
      • EuDownload.exe (PID: 4036)
      • EuDownload.exe (PID: 3748)
      • EuDownload.exe (PID: 3928)
      • wpn.exe (PID: 1524)

    • Create files in a temporary directory

      • epm_free.exe (PID: 3028)
      • InfoForSetup.exe (PID: 3440)
      • EDownloader.exe (PID: 3136)
      • AliyunWrapExe.exe (PID: 3436)
      • epm_free_support_16.5.exe (PID: 940)
      • epm_free_support_16.5.tmp (PID: 3484)
      • Main.exe (PID: 2916)
      • EuDownload.exe (PID: 3360)
      • EuDownload.exe (PID: 3748)

    • Checks proxy server information

      • AliyunWrapExe.exe (PID: 3436)
      • AliyunWrapExe.exe (PID: 3752)
      • ensserver.exe (PID: 3468)
      • AliyunWrapExe.exe (PID: 3424)
      • AliyunWrapExe.exe (PID: 2364)

    • Reads the machine GUID from the registry

      • AliyunWrapExe.exe (PID: 3436)
      • AliyunWrapExe.exe (PID: 3752)
      • EnsUtils.exe (PID: 3244)
      • ensserver.exe (PID: 3468)
      • AliyunWrapExe.exe (PID: 3424)
      • wpn-grant.exe (PID: 1840)
      • AliyunWrapExe.exe (PID: 2364)
      • EuDownload.exe (PID: 3360)
      • EuDownload.exe (PID: 3996)
      • EuDownload.exe (PID: 3748)
      • EUCloneServer.exe (PID: 3016)
      • EuDownload.exe (PID: 4036)
      • Main.exe (PID: 2916)
      • wpn.exe (PID: 1524)
      • EuDownload.exe (PID: 3928)

    • Manual execution by a user

      • wmpnscfg.exe (PID: 3284)
      • msedge.exe (PID: 3732)

    • Creates files or folders in the user directory

      • AliyunWrapExe.exe (PID: 3436)
      • epm_free_support_16.5.tmp (PID: 3484)
      • AliyunWrapExe.exe (PID: 3752)
      • AliyunWrapExe.exe (PID: 2364)

    • Creates files in the program directory

      • epm_free_support_16.5.tmp (PID: 3484)
      • DrvSetup.exe (PID: 1944)
      • EnsUtils.exe (PID: 3244)
      • ensserver.exe (PID: 3468)
      • AliyunWrapExe.exe (PID: 3752)
      • Main.exe (PID: 2916)
      • EuDownload.exe (PID: 3996)
      • AliyunWrapExe.exe (PID: 3424)
      • EUCloneServer.exe (PID: 3016)
      • EuDownload.exe (PID: 3928)
      • EuDownload.exe (PID: 4036)
      • AliyunWrapExe.exe (PID: 2364)

    • Reads security settings of Internet Explorer

      • cscript.exe (PID: 2588)
      • cscript.exe (PID: 2644)

    • Creates a software uninstall entry

      • epm_free_support_16.5.tmp (PID: 3484)

    • Checks transactions between databases Windows and Oracle

      • cscript.exe (PID: 2644)
      • dllhost.exe (PID: 184)
      • msdtc.exe (PID: 1168)
      • cscript.exe (PID: 2588)

    • Reads the software policy settings

      • ensserver.exe (PID: 3468)

    • Application launched itself

      • msedge.exe (PID: 3776)
      • msedge.exe (PID: 3732)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2018:01:30 03:57:48+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 26624
InitializedDataSize: 186368
UninitializedDataSize: 2048
EntryPoint: 0x338f
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
138
Monitored processes
81
Malicious processes
10
Suspicious processes
1

Behavior graph

Click at the process to see the details
start epm_free.exe edownloader.exe infoforsetup.exe no specs infoforsetup.exe no specs aliyunwrapexe.exe wmpnscfg.exe no specs infoforsetup.exe no specs infoforsetup.exe no specs wmic.exe no specs infoforsetup.exe no specs infoforsetup.exe no specs infoforsetup.exe no specs infoforsetup.exe no specs infoforsetup.exe no specs epm_free_support_16.5.exe epm_free_support_16.5.tmp cmd.exe no specs net.exe no specs net1.exe no specs net.exe no specs net1.exe no specs net1.exe no specs net.exe no specs reg.exe no specs cscript.exe no specs dllhost.exe no specs msdtc.exe no specs regsvr32.exe no specs vssvc.exe no specs cscript.exe no specs rundll32.exe no specs rundll32.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs drvsetup.exe setupepmdrv.exe no specs ensutils.exe aliyunwrapexe.exe ensserver.exe setupue.exe no specs infoforsetup.exe no specs aliyunwrapexe.exe infoforsetup.exe no specs msedge.exe no specs euinapp.exe no specs msedge.exe no specs aliyunwrapexe.exe infoforsetup.exe no specs infoforsetup.exe no specs epm0.exe no specs infoforsetup.exe no specs THREAT main.exe wpn-grant.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs eudownload.exe eudownload.exe eucloneserver.exe msedge.exe no specs msedge.exe no specs eudownload.exe vdsldr.exe no specs vds.exe no specs eudownload.exe msedge.exe no specs eudownload.exe msedge.exe no specs wpn.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs epm_free.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
184C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}C:\Windows\System32\dllhost.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
COM Surrogate
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
400 /SendInfo Window "Installing" Activity "Info_Start_Install_Program"C:\Users\admin\AppData\Local\Temp\downloader_easeus\2.2.0\5free\aliyun\InfoForSetup.exeEDownloader.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\downloader_easeus\2.2.0\5free\aliyun\infoforsetup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
932C:\Windows\System32\vds.exeC:\Windows\System32\vds.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Virtual Disk Service
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\atl.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\oleaut32.dll
940 /verysilent /norestart /log Installer /DIR="C:\Program Files\EaseUS\EaseUS Partition Master" /LANG=English agreeImprove=true GUID=S-1-5-21-1302019708-1500728564-335382590-1000 xurlID=999999 C:\Users\admin\Downloads\epm_free_support_16.5.exe
EDownloader.exe
User:
admin
Company:
EaseUS
Integrity Level:
HIGH
Description:
EaseUS Partition Master Setup
Exit code:
0
Version:
16.5
Modules
Images
c:\users\admin\downloads\epm_free_support_16.5.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
972RunDll32 catsrvut.dll,QueryUserDll "C:\Program Files\EaseUS\EaseUS Partition Master\DC\bin\VssEaseusProvider.dll" Global\{B64966D2-0284-44FF-AD80-70B7A2B23102}C:\Windows\System32\rundll32.exedllhost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll
1080reg.exe add HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application\EPMVssEaseusProvider /f /v CustomSource /t REG_DWORD /d 1C:\Windows\System32\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
1168C:\Windows\System32\msdtc.exeC:\Windows\System32\msdtc.exeservices.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Distributed Transaction Coordinator Service
Version:
2001.12.8530.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\msdtc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
1180C:\Windows\system32\net1 stop swprvC:\Windows\System32\net1.exenet.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Net Command
Exit code:
2
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\net1.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\dsrole.dll
c:\windows\system32\netutils.dll
1260"C:\Program Files\EaseUS\EaseUS Partition Master\bin\InfoForSetup.exe" /EnableC:\Program Files\EaseUS\EaseUS Partition Master\bin\InfoForSetup.exeSetupUE.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\program files\easeus\easeus partition master\bin\infoforsetup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
1460"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1584 --field-trial-handle=1300,i,3495300727990845737,7247963076983181163,131072 /prefetch:3C:\Program Files\Microsoft\Edge\Application\msedge.exe
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
Total events
30 115
Read events
29 770
Write events
277
Delete events
68

Modification events

(PID) Process:(3436) AliyunWrapExe.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(3436) AliyunWrapExe.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(3436) AliyunWrapExe.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(3436) AliyunWrapExe.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(3436) AliyunWrapExe.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:writeName:ProxyEnable
Value:
0
(PID) Process:(3436) AliyunWrapExe.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:delete valueName:ProxyServer
Value:
(PID) Process:(3436) AliyunWrapExe.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:delete valueName:ProxyOverride
Value:
(PID) Process:(3436) AliyunWrapExe.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:delete valueName:AutoConfigURL
Value:
(PID) Process:(3436) AliyunWrapExe.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:delete valueName:AutoDetect
Value:
(PID) Process:(3436) AliyunWrapExe.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:writeName:SavedLegacySettings
Value:
460000005D010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A8016B000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Executable files
1 282
Suspicious files
300
Text files
2 248
Unknown types
5

Dropped files

PID
Process
Filename
Type
3028epm_free.exeC:\Users\admin\AppData\Local\Temp\downloader_easeus\2.2.0\5free\French.initext
MD5:15F2A9EA32A78D325B9E46DD973399A9
SHA256:A3E0781372CE985A66DBC516C3C4B4CCBB2524FFC7A9EB5F446DF614AFB94E34
3028epm_free.exeC:\Users\admin\AppData\Local\Temp\downloader_easeus\2.2.0\5free\Italian.initext
MD5:667C44ABE698BE2B1FC254CB211AD0A5
SHA256:E92FFB7D792D8FE01571A40A545FAA038F746C7EE6F8F8A5AD82E8E9989EFEDC
3028epm_free.exeC:\Users\admin\AppData\Local\Temp\downloader_easeus\2.2.0\5free\InitConfigure.initext
MD5:0DF699B43B77ADF78A2B817FE02A40CD
SHA256:471A797282CB28BC85F7DC870E5C38307E651844A9F45C4A70DC8BA91919B09A
3028epm_free.exeC:\Users\admin\AppData\Local\Temp\downloader_easeus\2.2.0\5free\Korean.initext
MD5:C31EC7D64ED0D7B5D596765D597D9F60
SHA256:E60A751965B230B154FF5B8F6D52E83FFB5443228DFFD55A11DE63936F840EDB
3028epm_free.exeC:\Users\admin\AppData\Local\Temp\downloader_easeus\2.2.0\5free\Danish.initext
MD5:8422BC72E08EE3CD45DEC0BF0E127304
SHA256:CA835674050651563B0236F8F8E52C80A912B025948BBB8EC53338337E3531A0
3028epm_free.exeC:\Users\admin\AppData\Local\Temp\downloader_easeus\2.2.0\5free\Dutch.initext
MD5:A6CB84F6C5670D142C6AD5F5F4CEC586
SHA256:231B7ED6577D842CA2D44D5A3496B9E6B66255F026F82FC594E7723F4DBD861F
3028epm_free.exeC:\Users\admin\AppData\Local\Temp\downloader_easeus\2.2.0\5free\German.initext
MD5:8D6F85CB9F0F086CE034A1537485483B
SHA256:2210C166999E5766F2D6BBC1F4817A141549D413E5185BD496AEA37031F9F3C0
3028epm_free.exeC:\Users\admin\AppData\Local\Temp\downloader_easeus\2.2.0\5free\Spanish.initext
MD5:FB707968F23F15491D2D8F169F173678
SHA256:F258B0964605A65312B6102B9B018BC6895FA2B192EB9D89C2C113BDB6DB6FEE
3028epm_free.exeC:\Users\admin\AppData\Local\Temp\downloader_easeus\2.2.0\5free\Polish.initext
MD5:29C977ED855B81F3DAAE700A6754256E
SHA256:9580D1997156ED7584056C53C74FAD54EA8C380856E246CC62C6BA216425D6E6
3028epm_free.exeC:\Users\admin\AppData\Local\Temp\downloader_easeus\2.2.0\5free\Portuguese.initext
MD5:45B07E60599222D8AFB336EA5EB283A9
SHA256:A7124D1911D413EFD111EE27B25307151BE3F52FCDD383A8B8B67F4796B22900
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
36
TCP/UDP connections
107
DNS requests
60
Threats
25

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3436
AliyunWrapExe.exe
GET
200
163.171.128.241:80
http://track.easeus.com/product/index.php?c=main&a=getstatus&pid=19
unknown
malicious
1372
svchost.exe
GET
304
199.232.214.172:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?33775f6043c93e33
unknown
whitelisted
3436
AliyunWrapExe.exe
POST
200
47.252.97.8:80
http://easeusinfo.us-east-1.log.aliyuncs.com/logstores/logstore_epm_downloader/shards/lb
unknown
unknown
3136
EDownloader.exe
POST
200
18.172.112.26:80
http://download.easeus.com/api2/index.php/Apicp/Drwdl202004/index/
unknown
unknown
3436
AliyunWrapExe.exe
POST
200
47.252.97.8:80
http://easeusinfo.us-east-1.log.aliyuncs.com/logstores/logstore_epm_downloader/shards/lb
unknown
unknown
3436
AliyunWrapExe.exe
POST
200
47.252.97.8:80
http://easeusinfo.us-east-1.log.aliyuncs.com/logstores/logstore_epm_downloader/shards/lb
unknown
unknown
3436
AliyunWrapExe.exe
POST
200
47.252.97.8:80
http://easeusinfo.us-east-1.log.aliyuncs.com/logstores/logstore_epm_downloader/shards/lb
unknown
unknown
3436
AliyunWrapExe.exe
POST
200
47.252.97.8:80
http://easeusinfo.us-east-1.log.aliyuncs.com/logstores/logstore_epm_downloader/shards/lb
unknown
unknown
1372
svchost.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
1372
svchost.exe
GET
200
2.16.241.12:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
239.255.255.250:3702
whitelisted
224.0.0.252:5355
whitelisted
4
System
192.168.100.255:137
whitelisted
1060
svchost.exe
224.0.0.252:5355
whitelisted
1372
svchost.exe
20.73.194.208:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
3436
AliyunWrapExe.exe
163.171.128.241:80
track.easeus.com
QUANTILNETWORKS
DE
unknown
3136
EDownloader.exe
18.172.112.26:80
download.easeus.com
US
unknown
3436
AliyunWrapExe.exe
47.252.97.8:80
easeusinfo.us-east-1.log.aliyuncs.com
Alibaba US Technology Co., Ltd.
US
unknown
1372
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.185.110
whitelisted
download.easeus.com
  • 18.172.112.26
  • 18.172.112.32
  • 18.172.112.123
  • 18.172.112.107
unknown
track.easeus.com
  • 163.171.128.241
  • 163.171.128.150
  • 163.171.156.15
unknown
easeusinfo.us-east-1.log.aliyuncs.com
  • 47.252.97.8
  • 47.252.97.212
  • 47.252.97.14
  • 47.252.97.13
  • 47.252.97.11
  • 47.252.97.9
  • 47.252.97.10
  • 47.252.97.12
  • 47.252.97.15
unknown
settings-win.data.microsoft.com
  • 4.231.128.59
whitelisted
ctldl.windowsupdate.com
  • 199.232.214.172
  • 199.232.210.172
whitelisted
crl.microsoft.com
  • 2.16.241.12
  • 2.16.241.19
whitelisted
www.microsoft.com
  • 88.221.169.152
whitelisted
d1.easeus.com
  • 18.66.112.125
  • 18.66.112.38
  • 18.66.112.6
  • 18.66.112.111
unknown
update.easeus.com
  • 3.160.150.116
  • 3.160.150.120
  • 3.160.150.20
  • 3.160.150.50
whitelisted

Threats

PID
Process
Class
Message
3436
AliyunWrapExe.exe
Generic Protocol Command Decode
SURICATA HTTP Request unrecognized authorization method
3436
AliyunWrapExe.exe
Generic Protocol Command Decode
SURICATA HTTP Request unrecognized authorization method
1060
svchost.exe
Misc activity
ET INFO DNS Query to Alibaba Cloud CDN Domain (aliyuncs .com)
3436
AliyunWrapExe.exe
Generic Protocol Command Decode
SURICATA HTTP Request unrecognized authorization method
3436
AliyunWrapExe.exe
Generic Protocol Command Decode
SURICATA HTTP Request unrecognized authorization method
3436
AliyunWrapExe.exe
Generic Protocol Command Decode
SURICATA HTTP Request unrecognized authorization method
1060
svchost.exe
Misc activity
ET INFO DNS Query to Alibaba Cloud CDN Domain (aliyuncs .com)
3436
AliyunWrapExe.exe
Generic Protocol Command Decode
SURICATA HTTP Request unrecognized authorization method
3436
AliyunWrapExe.exe
Generic Protocol Command Decode
SURICATA HTTP Request unrecognized authorization method
3436
AliyunWrapExe.exe
Generic Protocol Command Decode
SURICATA HTTP Request unrecognized authorization method
Process
Message
EDownloader.exe
[3564]-10:16:36:838 ParseCmdLine param=EXEDIR=C:\Users\admin\Downloads ||| EXENAME=epm_free.exe ||| DOWNLOAD_VERSION=free ||| PRODUCT_VERSION=2.2.0 ||| INSTALL_TYPE=0
EDownloader.exe
[3564]-10:16:36:838 CTools::loadIni configPath=C:\Users\admin\AppData\Local\Temp\downloader_easeus\2.2.0\5free\InitConfigure.ini
EDownloader.exe
[1892]-10:16:37:291 Json parse Data Start
EDownloader.exe
[1892]-10:16:37:291 Json url: http://download.easeus.com/api2/index.php/Apicp/Drwdl202004/index/?exeNumber=999999&lang=English&pcVersion=home&pid=5&tid=1&version=free
EDownloader.exe
[1892]-10:16:37:291 PostData Start download url=http://download.easeus.com/api2/index.php/Apicp/Drwdl202004/index/?exeNumber=999999&lang=English&pcVersion=home&pid=5&tid=1&version=free
EDownloader.exe
[1892]-10:16:38:619 PostData end
EDownloader.exe
[1892]-10:16:38:619 Json response: {"check":1,"msg":"\u6210\u529f","data":{"pid":"5","download":"https:\/\/d1.easeus.com\/epm\/free\/epm1904_free_ob_A.exe","download2":"https:\/\/d2.easeus.com\/epm\/free\/epm1904_free_ob_A.exe","download3":"https:\/\/d3.easeus.com\/epm\/free\/epm1904_free_ob_A.exe","version":"free","curNum":"18.8","testid":"","url":["https:\/\/d1.easeus.com\/epm\/free\/epm_free_support_16.5.exe"],"md5":"C020EE4093FA2F651B328D2F71EA7A9D","tj_download":"test","referNumber":"1000000","killSwitch":"true","WriteLogSwitch":"false","configid":""},"time":1724318198}
EDownloader.exe
[1892]-10:16:38:619 StartPost Error parse tuijian
EDownloader.exe
[1892]-10:16:38:619 Json parse Data end(code=0)
EDownloader.exe
[3564]-10:16:38:619 CHttpHelper::GetDownloadInfo 56 download info code:0
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
epm_free