File name: epm.exe

Full analysis: https://app.any.run/tasks/7fae0220-e5e1-4796-bf64-b78a3631fcb0
Verdict: Malicious activity
Analysis date: June 19, 2025, 00:03:24
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
inno
installer
delphi
auto-reg
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 8 sections
MD5: B4071CFDB17E9394159806F46007CD5E
SHA1: 1C3F2E425878CB1B5A0098A2E9758A488D7DBADD
SHA256: 5319BAA3A2A3AD5754B334D8B2ED4F163751F71432F3C7162A6D96109F703996
SSDEEP: 393216:TEmX0nP2seMTabXNMrgyfW2sVP4eH9uOW0uE:Tx8sN1yfyV1YZHE

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • epm.exe (PID: 6688)
      • setupempdrv03.exe (PID: 1028)
      • EpmNews.exe (PID: 472)
      • setupempdrvx64.exe (PID: 7092)
      • uexperice.exe (PID: 7004)
      • uexperice.exe (PID: 6012)
      • uexperice.exe (PID: 1644)
      • uexperice.exe (PID: 1760)
      • uexperice.exe (PID: 3564)
      • TrayTipConfig.exe (PID: 5616)
      • uexperice.exe (PID: 6688)
      • TrayTipConfig.exe (PID: 7048)
      • EpmNews.exe (PID: 2296)
      • TrayTipAgentE.exe (PID: 3556)
      • tb_free_installer.exe (PID: 2976)
      • EPMStartLoader.exe (PID: 5368)
      • EaseUSInstaller.exe (PID: 1336)
      • TrayTipAgentE.exe (PID: 2128)
      • 7za.exe (PID: 4560)
      • 7za.exe (PID: 6772)
      • epm0.exe (PID: 5620)
      • Main.exe (PID: 1200)
      • TrayTipConfig.exe (PID: 1712)
    • Changes the autorun value in the registry

      • epm.tmp (PID: 4544)
      • TrayTipAgentE.exe (PID: 3556)
  • SUSPICIOUS

    • Reads the Windows owner or organization settings

      • epm.tmp (PID: 4544)
    • Executable content was dropped or overwritten

      • epm.exe (PID: 4760)
      • epm.tmp (PID: 4544)
      • tb_free_installer.exe (PID: 2976)
    • Process drops legitimate windows executable

      • epm.tmp (PID: 4544)
    • There is functionality for taking screenshot (YARA)

      • epm.tmp (PID: 4544)
      • rundll32.exe (PID: 5556)
      • EpmNews.exe (PID: 472)
    • The process drops C-runtime libraries

      • epm.tmp (PID: 4544)
    • Drops a system driver (possible attempt to evade defenses)

      • epm.tmp (PID: 4544)
    • Drops 7-zip archiver for unpacking

      • epm.tmp (PID: 4544)
    • Creates files in the driver directory

      • epm.tmp (PID: 4544)
    • Reads security settings of Internet Explorer

      • epm.tmp (PID: 4544)
      • tb_free_installer.exe (PID: 2976)
      • EaseUSInstaller.exe (PID: 1336)
      • EPMStartLoader.exe (PID: 5368)
      • Main.exe (PID: 1200)
    • Reads Microsoft Outlook installation path

      • EaseUSInstaller.exe (PID: 1336)
    • Reads Internet Explorer settings

      • EaseUSInstaller.exe (PID: 1336)
    • Executes as Windows Service

      • vds.exe (PID: 2492)
    • Searches for installed software

      • Main.exe (PID: 1200)
  • INFO

    • Checks supported languages

      • epm.exe (PID: 4760)
      • epm.tmp (PID: 4544)
      • setupempdrv03.exe (PID: 1028)
      • setupempdrvx64.exe (PID: 7092)
      • uexperice.exe (PID: 6688)
      • uexperice.exe (PID: 6012)
      • uexperice.exe (PID: 1644)
      • uexperice.exe (PID: 1760)
      • uexperice.exe (PID: 7004)
      • uexperice.exe (PID: 3564)
      • TrayTipConfig.exe (PID: 5616)
      • TrayTipConfig.exe (PID: 7048)
      • TrayTipAgentE.exe (PID: 3556)
      • EpmNews.exe (PID: 2296)
      • tb_free_installer.exe (PID: 2976)
      • EaseUSInstaller.exe (PID: 1336)
      • EPMStartLoader.exe (PID: 5368)
      • TrayTipAgentE.exe (PID: 2128)
      • 7za.exe (PID: 4560)
      • 7za.exe (PID: 6772)
      • Main.exe (PID: 1200)
      • epm0.exe (PID: 5620)
      • TrayTipConfig.exe (PID: 1712)
      • EpmNews.exe (PID: 472)
    • Create files in a temporary directory

      • epm.exe (PID: 4760)
      • epm.tmp (PID: 4544)
      • rundll32.exe (PID: 5556)
      • tb_free_installer.exe (PID: 2976)
      • EPMStartLoader.exe (PID: 5368)
    • Reads the computer name

      • epm.tmp (PID: 4544)
      • setupempdrv03.exe (PID: 1028)
      • setupempdrvx64.exe (PID: 7092)
      • EpmNews.exe (PID: 472)
      • uexperice.exe (PID: 3564)
      • TrayTipAgentE.exe (PID: 3556)
      • EPMStartLoader.exe (PID: 5368)
      • tb_free_installer.exe (PID: 2976)
      • EaseUSInstaller.exe (PID: 1336)
      • TrayTipAgentE.exe (PID: 2128)
      • Main.exe (PID: 1200)
    • Detects InnoSetup installer (YARA)

      • epm.exe (PID: 4760)
      • epm.tmp (PID: 4544)
    • The sample compiled with english language support

      • epm.tmp (PID: 4544)
      • tb_free_installer.exe (PID: 2976)
    • Reads the machine GUID from the registry

      • epm.tmp (PID: 4544)
      • Main.exe (PID: 1200)
    • Compiled with Borland Delphi (YARA)

      • epm.exe (PID: 4760)
      • epm.tmp (PID: 4544)
    • Checks proxy server information

      • rundll32.exe (PID: 5556)
      • slui.exe (PID: 1356)
      • EaseUSInstaller.exe (PID: 1336)
      • Main.exe (PID: 1200)
    • Reads security settings of Internet Explorer

      • rundll32.exe (PID: 5556)
    • The sample compiled with chinese language support

      • epm.tmp (PID: 4544)
    • The sample compiled with russian language support

      • epm.tmp (PID: 4544)
    • Reads the software policy settings

      • slui.exe (PID: 1356)
      • Main.exe (PID: 1200)
    • Creates files or folders in the user directory

      • epm.tmp (PID: 4544)
      • Main.exe (PID: 1200)
    • Launching a file from a Registry key

      • epm.tmp (PID: 4544)
      • TrayTipAgentE.exe (PID: 3556)
    • Creates a software uninstall entry

      • epm.tmp (PID: 4544)
    • Creates files in the program directory

      • epm.tmp (PID: 4544)
      • uexperice.exe (PID: 6688)
      • uexperice.exe (PID: 3564)
      • TrayTipConfig.exe (PID: 5616)
      • TrayTipConfig.exe (PID: 7048)
      • TrayTipAgentE.exe (PID: 3556)
      • Main.exe (PID: 1200)
    • Manual execution by a user

      • EpmNews.exe (PID: 472)
      • TrayTipAgentE.exe (PID: 2128)
      • msedge.exe (PID: 5244)
    • Application launched itself

      • msedge.exe (PID: 6096)
      • msedge.exe (PID: 7032)
      • msedge.exe (PID: 6320)
      • msedge.exe (PID: 5244)
    • Process checks computer location settings

      • tb_free_installer.exe (PID: 2976)
      • Main.exe (PID: 1200)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (42.6)
.exe | Win16/32 Executable Delphi generic (19.5)
.exe | Generic Win/DOS Executable (18.9)
.exe | DOS Executable Generic (18.9)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2012:10:09 08:48:22+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 60416
InitializedDataSize: 52736
UninitializedDataSize: -
EntryPoint: 0xf3bc
OSVersion: 5
ImageVersion: 6
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 10.8.0.0
ProductVersionNumber: 10.8.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName: EaseUS
FileDescription: EaseUS Partition Master Setup
FileVersion: 10.8
LegalCopyright: Copyright (c) 2004-2015 CHENGDU YIWO Tech Development Co., Ltd (YIWO Tech Ltd, for short).
ProductName: EaseUS Partition Master
ProductVersion: 10.8
No data.
All screenshots are available in the full report
Total processes
184
Monitored processes
57
Malicious processes
8
Suspicious processes
17

Behavior graph

start epm.exe epm.tmp rundll32.exe no specs slui.exe setupempdrv03.exe no specs setupempdrvx64.exe no specs epmnews.exe no specs uexperice.exe no specs conhost.exe no specs uexperice.exe no specs conhost.exe no specs uexperice.exe no specs conhost.exe no specs uexperice.exe no specs conhost.exe no specs uexperice.exe no specs conhost.exe no specs uexperice.exe conhost.exe no specs traytipconfig.exe no specs conhost.exe no specs traytipconfig.exe no specs conhost.exe no specs traytipagente.exe epmnews.exe no specs msedge.exe no specs tb_free_installer.exe epmstartloader.exe msedge.exe no specs easeusinstaller.exe traytipagente.exe 7za.exe no specs conhost.exe no specs 7za.exe no specs conhost.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs epm0.exe no specs main.exe traytipconfig.exe no specs conhost.exe no specs msedge.exe no specs vdsldr.exe no specs vds.exe no specs msedge.exe no specs epm.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
PID:
472
CMD:
"C:\Program Files (x86)\EaseUS\EaseUS Partition Master 10.8\bin\EpmNews.exe"
Path:
C:\Program Files (x86)\EaseUS\EaseUS Partition Master 10.8\bin\EpmNews.exe
Parent process:
explorer.exe
User:
admin
Company:
CHENGDU YIWO Tech Development Co., Ltd
Integrity Level:
MEDIUM
Description:
EaseUS Partition Master Free Edition Application
Version:
10.8.0.0
Modules
Images
c:\program files (x86)\easeus\easeus partition master 10.8\bin\epmnews.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID:
1028
CMD:
"C:\WINDOWS\system32\setupempdrv03.exe"
Path:
C:\Windows\SysWOW64\setupempdrv03.exe
Parent process:
epm.tmp
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\windows\syswow64\setupempdrv03.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll
PID:
1068
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.142 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.92 --initial-client-data=0x2a8,0x2ac,0x2b0,0x2a0,0x2b8,0x7ffc44b8f208,0x7ffc44b8f214,0x7ffc44b8f220
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1200
CMD:
Main.exe
Path:
C:\Program Files (x86)\EaseUS\EaseUS Partition Master 10.8\bin\Main.exe
Parent process:
epm0.exe
User:
admin
Company:
CHENGDU YIWO Tech Development Co., Ltd
Integrity Level:
HIGH
Description:
EaseUS Partition Master Main Application
Version:
10, 8, 0, 0
Modules
Images
c:\program files (x86)\easeus\easeus partition master 10.8\bin\main.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID:
1216
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
7za.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1296
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.142 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.92 --initial-client-data=0x170,0x298,0x29c,0x290,0x2d4,0x7ffc44b8f208,0x7ffc44b8f214,0x7ffc44b8f220
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1336
CMD:
"C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\tb_free_installer\EaseUSInstaller.exe" -silent -lang=English
Path:
C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\tb_free_installer\EaseUSInstaller.exe
Parent process:
tb_free_installer.exe
User:
admin
Company:
CHENGDU YIWO Tech Development Co., Ltd
Integrity Level:
HIGH
Description:
EaseUS Installer
Version:
1.0.0.1
Modules
Images
c:\users\admin\appdata\local\temp\7zipsfx.000\tb_free_installer\easeusinstaller.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\psapi.dll
PID:
1356
CMD:
C:\WINDOWS\System32\slui.exe -Embedding
Path:
C:\Windows\System32\slui.exe
Parent process:
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID:
1644
CMD:
"C:\Program Files (x86)\EaseUS\EaseUS Partition Master 10.8\bin\uexperice.exe" -t 20485 "1033"
Path:
C:\Program Files (x86)\EaseUS\EaseUS Partition Master 10.8\bin\uexperice.exe
Parent process:
epm.tmp
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\program files (x86)\easeus\easeus partition master 10.8\bin\uexperice.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID:
1644
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --disable-quic --string-annotations --always-read-main-dll --field-trial-handle=2216,i,756742882717598982,3719584293487908407,262144 --variations-seed-version --mojo-platform-channel-handle=2536 /prefetch:3
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
16 455
Read events
16 380
Write events
74
Delete events
1

Modification events

Process: (4544) epm.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\EaseUS\EPM
Operation: write
Name: install_tmp
Value: 1

Process: (4544) epm.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\EaseUS\EPM
Operation: write
Name: EPMInstallPath
Value: C:\Program Files (x86)\EaseUS\EaseUS Partition Master 10.8\bin\

Process: (4544) epm.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\EaseUS\EaseUS Partition Master\AutoUpdate
Operation: write
Name: StartChk
Value: 1

Process: (4544) epm.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\EaseUS\EaseUS Partition Master\PopUp
Operation: write
Name: StartChk
Value: 1

Process: (4544) epm.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\EaseUS\EPM
Operation: write
Name: Language
Value: English

Process: (4544) epm.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: EaseUS EPM tray
Value: C:\Program Files (x86)\EaseUS\EaseUS Partition Master 10.8\bin\EpmNews.exe

Process: (4544) epm.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EaseUS Partition Master_is1
Operation: write
Name: Inno Setup: Setup Version
Value: 5.5.2 (u)

Process: (4544) epm.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EaseUS Partition Master_is1
Operation: write
Name: Inno Setup: App Path
Value: C:\Program Files (x86)\EaseUS\EaseUS Partition Master 10.8

Process: (4544) epm.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EaseUS Partition Master_is1
Operation: write
Name: InstallLocation
Value: C:\Program Files (x86)\EaseUS\EaseUS Partition Master 10.8\

Process: (4544) epm.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EaseUS Partition Master_is1
Operation: write
Name: Inno Setup: Icon Group
Value: EaseUS Partition Master 10.8
Executable files
384
Suspicious files
136
Text files
1 646
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 4544, Process: epm.tmp
Filename: C:\Users\admin\AppData\Local\Temp\is-DRQ7S.tmp\OCSetupHlp.dll
Type: executable
MD5: 580A87DE969139496CAE52A2967CA356
SHA256: ABF302B33A70FAC450A05A7554CE7E8696233647C27AD1C0B29C8F7C4BDCBCEE

PID: 4544, Process: epm.tmp
Filename: C:\Users\admin\AppData\Local\Temp\is-DRQ7S.tmp\free.rtf
Type: text
MD5: 08C33C5EC73DC6DE1BB6FE24214F0822
SHA256: B3A34BC82161CB55F970CB130E169592AE483C8BCD95AD9822E250567C6D4E62

PID: 4544, Process: epm.tmp
Filename: C:\Program Files (x86)\EaseUS\EaseUS Partition Master 10.8\unins000.exe
Type: executable
MD5: C76686DA5BFC7508E4ABA5636B224FDF
SHA256: EE8AD3BE358A6B960A0533AD4CE655819B8C73AC80AB2AAFDBAD35E87C3E4BEC

PID: 4544, Process: epm.tmp
Filename: C:\Users\admin\AppData\Local\Temp\is-DRQ7S.tmp\version_cmp_english.bmp
Type: image
MD5: EE24050E5058AC5206172FCF441F3C2B
SHA256: C97402CC3E818B824C0C0F1B1FAC9D3AAFF856C81EC76AA97C8D2C3C6DD0CA68

PID: 4760, Process: epm.exe
Filename: C:\Users\admin\AppData\Local\Temp\is-PGLOT.tmp\epm.tmp
Type: executable
MD5: C76686DA5BFC7508E4ABA5636B224FDF
SHA256: EE8AD3BE358A6B960A0533AD4CE655819B8C73AC80AB2AAFDBAD35E87C3E4BEC

PID: 4544, Process: epm.tmp
Filename: C:\Users\admin\AppData\Local\Temp\is-DRQ7S.tmp\_isetup\_setup64.tmp
Type: executable
MD5: C8871EFD8AF2CF4D9D42D1FF8FADBF89
SHA256: E4FC574A01B272C2D0AED0EC813F6D75212E2A15A5F5C417129DD65D69768F40

PID: 4544, Process: epm.tmp
Filename: C:\Program Files (x86)\EaseUS\EaseUS Partition Master 10.8\bin\license.rtf
Type: text
MD5: 08C33C5EC73DC6DE1BB6FE24214F0822
SHA256: B3A34BC82161CB55F970CB130E169592AE483C8BCD95AD9822E250567C6D4E62

PID: 4544, Process: epm.tmp
Filename: C:\Users\admin\AppData\Local\Temp\is-DRQ7S.tmp\_isetup\_shfoldr.dll
Type: executable
MD5: 92DC6EF532FBB4A5C3201469A5B5EB63
SHA256: 9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87

PID: 4544, Process: epm.tmp
Filename: C:\Program Files (x86)\EaseUS\EaseUS Partition Master 10.8\bin\is-JLLPS.tmp
Type: text
MD5: 08C33C5EC73DC6DE1BB6FE24214F0822
SHA256: B3A34BC82161CB55F970CB130E169592AE483C8BCD95AD9822E250567C6D4E62

PID: 4544, Process: epm.tmp
Filename: C:\Program Files (x86)\EaseUS\EaseUS Partition Master 10.8\bin\EuActiveOnline.dll
Type: executable
MD5: 84AEA4E5A03C3A7E1938A41026D1213C
SHA256: 2EC3733A5B4469CD8A829DC050820DD4844BB0876C750D6763E564873C7FDE03
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
91
TCP/UDP connections
101
DNS requests
63
Threats
4

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1268
svchost.exe
GET
200
23.48.23.166:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
304
4.245.163.56:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
unknown
POST
200
40.126.31.2:443
https://login.live.com/RST2.srf
unknown
xml
10.3 Kb
whitelisted
GET
200
4.245.163.56:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
compressed
23.9 Kb
whitelisted
2280
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
2280
SIHClient.exe
GET
200
23.48.23.166:80
http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl
unknown
whitelisted
2280
SIHClient.exe
GET
200
23.48.23.166:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
whitelisted
2280
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
2280
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
2280
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted
1268
svchost.exe
23.48.23.166:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5944
MoUsoCoreWorker.exe
23.48.23.166:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
23.48.23.166:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
1268
svchost.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
5944
MoUsoCoreWorker.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 216.58.206.46
whitelisted
crl.microsoft.com
  • 23.48.23.166
  • 23.48.23.176
  • 23.48.23.156
  • 23.48.23.147
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
settings-win.data.microsoft.com
  • 20.73.194.208
  • 51.104.136.2
whitelisted
login.live.com
  • 40.126.31.69
  • 20.190.159.130
  • 20.190.159.129
  • 20.190.159.75
  • 40.126.31.2
  • 40.126.31.67
  • 20.190.159.71
  • 40.126.31.3
whitelisted
client.wns.windows.com
  • 172.211.123.248
whitelisted
nexusrules.officeapps.live.com
  • 52.111.227.13
whitelisted
api.opencandy.com
whitelisted
slscr.update.microsoft.com
  • 4.245.163.56
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.95.31.18
whitelisted

Threats

PID
Process
Class
Message
1644
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
1644
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
1644
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
1644
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
Process
Message
uexperice.exe
2025-06-19 00:06:01:984[UE] --Info. try send=1
uexperice.exe
2025-06-19 00:06:01:984[UE] --Info. join=1
uexperice.exe
2025-06-19 00:06:01:984[UE] --Info. top num =3
uexperice.exe
2025-06-19 00:06:01:984[UE] --Info. log level=3
uexperice.exe
2025-06-19 00:06:01:999[UE] --Info. InstallSpy. inst=033F2CF8
uexperice.exe
2025-06-19 00:06:01:999[UE] --Info. SetText. id=0x5004 (20484), text=58, inst=033F2CF8
uexperice.exe
2025-06-19 00:06:01:999[UE] --Info. SetText. id=0x3 (3), text=1, inst=033F2CF8
uexperice.exe
2025-06-19 00:06:01:999[UE] --Info. SetText. id=0x5005 (20485), text=1033, inst=033F2CF8
uexperice.exe
2025-06-19 00:06:01:999[UE] --Info. regedit no CSDVersion
uexperice.exe
2025-06-19 00:06:01:999[UE] --Info. url=http://track.easeus.com/product/index.php/?a=statistics&p_type=m_epm_userinfos