File name:

TB_Free_Installer_20231215.681457.exe

Full analysis: https://app.any.run/tasks/ff4e668d-e329-4dc7-b9f9-1cfbe35a957f
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: December 15, 2023, 07:52:00
OS: Windows 11 Professional (build: 22000, 64 bit)
Tags:
loader
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5:

B9A625522B3DBDE8B3DAF4CDA02AA696

SHA1:

A9D8CF95D8BB989FFAE0F9B07FEA292CA16D7A93

SHA256:

7898ACFCC553E78206FA6EF705BF1F1EABE04F3A37F774B03EA57D11163D669E

SSDEEP:

98304:OKEaB1r/sNZEbLyUdNqR5+8cPeEqO0qAVLgctuCuswgGe25sTwaT0o+ssv6OqIPl:T

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • TB_Free_Installer_20231215.681457.exe (PID: 5512)
      • TB_free_easeus.exe (PID: 1972)
      • EDownloader.exe (PID: 3964)
      • DrvSetup.exe (PID: 3568)
      • TB_free_easeus.tmp (PID: 2528)
      • EnsUtils.exe (PID: 3396)
      • Agent.exe (PID: 3468)
    • Scans artifacts that could help determine the target

      • AliyunWrapExe.exe (PID: 2024)
      • AliyunWrapExe.exe (PID: 6056)
      • ensserver.exe (PID: 2132)
      • AliyunWrapExe.exe (PID: 3492)
      • AliyunWrapExe.exe (PID: 5172)
    • Creates a writable file in the system directory

      • TB_free_easeus.tmp (PID: 2528)
      • msdtc.exe (PID: 2176)
      • DrvSetup.exe (PID: 3568)
      • InfDefaultInstall.exe (PID: 4100)
      • AliyunWrapExe.exe (PID: 3492)
      • Agent.exe (PID: 3468)
    • Starts NET.EXE for service management

      • cmd.exe (PID: 208)
      • net.exe (PID: 2992)
      • net.exe (PID: 2872)
      • net.exe (PID: 3852)
    • Actions looks like stealing of personal data

      • TB_free_easeus.tmp (PID: 2528)
      • TrayProcess.exe (PID: 1336)
      • TBConsoleUI.exe (PID: 3888)
    • Registers / Runs the DLL via REGSVR32.EXE

      • cmd.exe (PID: 208)
  • SUSPICIOUS

    • Reads the Internet Settings

      • AliyunWrapExe.exe (PID: 2024)
      • EDownloader.exe (PID: 3964)
      • runonce.exe (PID: 952)
      • AliyunWrapExe.exe (PID: 6056)
      • TB_free_easeus.tmp (PID: 2528)
      • AliyunWrapExe.exe (PID: 5172)
    • Reads Microsoft Outlook installation path

      • EDownloader.exe (PID: 3964)
    • Reads Internet Explorer settings

      • EDownloader.exe (PID: 3964)
    • Process requests binary or script from the Internet

      • EDownloader.exe (PID: 3964)
    • Reads the Windows owner or organization settings

      • TB_free_easeus.tmp (PID: 2528)
    • Process drops legitimate windows executable

      • TB_free_easeus.tmp (PID: 2528)
      • EnsUtils.exe (PID: 3396)
    • Drops a system driver (possible attempt to evade defenses)

      • TB_free_easeus.tmp (PID: 2528)
      • DrvSetup.exe (PID: 3568)
      • InfDefaultInstall.exe (PID: 4100)
    • The process drops C-runtime libraries

      • TB_free_easeus.tmp (PID: 2528)
      • EnsUtils.exe (PID: 3396)
    • Drops 7-zip archiver for unpacking

      • TB_free_easeus.tmp (PID: 2528)
    • Process checks presence of unattended files

      • TB_free_easeus.tmp (PID: 2528)
    • Starts CMD.EXE for commands execution

      • TB_free_easeus.tmp (PID: 2528)
    • Executing commands from ".cmd" file

      • TB_free_easeus.tmp (PID: 2528)
    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 208)
    • The process executes VB scripts

      • cmd.exe (PID: 208)
    • Executes as Windows Service

      • dllhost.exe (PID: 4308)
      • msdtc.exe (PID: 2176)
      • VSSVC.exe (PID: 532)
      • ensserver.exe (PID: 2132)
      • Agent.exe (PID: 3468)
      • vds.exe (PID: 4364)
    • Creates files in the driver directory

      • TB_free_easeus.tmp (PID: 2528)
      • DrvSetup.exe (PID: 3568)
    • Uses WMI to retrieve WMI-managed resources (SCRIPT)

      • cscript.exe (PID: 4976)
    • Executes WMI query (SCRIPT)

      • cscript.exe (PID: 4976)
    • Uses TASKKILL.EXE to kill process

      • DrvSetup.exe (PID: 3568)
    • Searches for installed software

      • TB_free_easeus.tmp (PID: 2528)
      • EDownloader.exe (PID: 3964)
    • Checks Windows Trust Settings

      • ensserver.exe (PID: 2132)
    • Reads the date of Windows installation

      • TB_free_easeus.tmp (PID: 2528)
      • EDownloader.exe (PID: 3964)
    • Uses WMIC.EXE to obtain operating system information

      • SetupUE.exe (PID: 6104)
      • TBConsoleUI.exe (PID: 3888)
    • Accesses operating system name via WMI (SCRIPT)

      • WMIC.exe (PID: 1864)
      • WMIC.exe (PID: 3440)
    • The process checks if it is being run in the virtual environment

      • Agent.exe (PID: 3468)
    • Detected use of alternative data streams (AltDS)

      • Agent.exe (PID: 3468)
  • INFO

    • Checks supported languages

      • TB_Free_Installer_20231215.681457.exe (PID: 5512)
      • InfoForSetup.exe (PID: 2508)
      • EDownloader.exe (PID: 3964)
      • InfoForSetup.exe (PID: 2872)
      • AliyunWrapExe.exe (PID: 2024)
      • InfoForSetup.exe (PID: 3444)
      • InfoForSetup.exe (PID: 1812)
      • InfoForSetup.exe (PID: 2004)
      • InfoForSetup.exe (PID: 1144)
      • TB_free_easeus.exe (PID: 1972)
      • InfoForSetup.exe (PID: 1556)
      • TB_free_easeus.tmp (PID: 2528)
      • DrvSetup.exe (PID: 3568)
      • EnsUtils.exe (PID: 3396)
      • AliyunWrapExe.exe (PID: 6056)
      • AppSetup.exe (PID: 1688)
      • ensserver.exe (PID: 2132)
      • AliyunWrapExe.exe (PID: 3492)
      • Agent.exe (PID: 604)
      • SetupSendData2Downloader.exe (PID: 4988)
      • Agent.exe (PID: 3468)
      • EUinApp.exe (PID: 3632)
      • InfoForSetup.exe (PID: 4428)
      • SetupUE.exe (PID: 6104)
      • TrayProcess.exe (PID: 1336)
      • InfoForSetup.exe (PID: 2964)
      • InfoForSetup.exe (PID: 3856)
      • InfoForSetup.exe (PID: 4464)
      • wpn-grant.exe (PID: 6036)
      • TodoBackupService.exe (PID: 5140)
      • InfoForSetup.exe (PID: 3276)
      • AliyunWrapExe.exe (PID: 5172)
      • Loader.exe (PID: 4060)
      • EuDownload.exe (PID: 4020)
      • EuDownload.exe (PID: 4872)
      • EuDownload.exe (PID: 1408)
      • TBConsoleUI.exe (PID: 3888)
    • Reads the computer name

      • EDownloader.exe (PID: 3964)
      • AliyunWrapExe.exe (PID: 2024)
      • TB_free_easeus.tmp (PID: 2528)
      • DrvSetup.exe (PID: 3568)
      • AppSetup.exe (PID: 1688)
      • EnsUtils.exe (PID: 3396)
      • AliyunWrapExe.exe (PID: 6056)
      • ensserver.exe (PID: 2132)
      • Agent.exe (PID: 3468)
      • Agent.exe (PID: 604)
      • AliyunWrapExe.exe (PID: 3492)
      • TrayProcess.exe (PID: 1336)
      • wpn-grant.exe (PID: 6036)
      • AliyunWrapExe.exe (PID: 5172)
      • TodoBackupService.exe (PID: 5140)
      • TBConsoleUI.exe (PID: 3888)
      • EuDownload.exe (PID: 1408)
      • EuDownload.exe (PID: 4872)
      • EuDownload.exe (PID: 4020)
    • Create files in a temporary directory

      • TB_Free_Installer_20231215.681457.exe (PID: 5512)
      • InfoForSetup.exe (PID: 2508)
      • EDownloader.exe (PID: 3964)
      • AliyunWrapExe.exe (PID: 2024)
      • TB_free_easeus.exe (PID: 1972)
      • TB_free_easeus.tmp (PID: 2528)
    • Dropped object may contain TOR URL's

      • TB_Free_Installer_20231215.681457.exe (PID: 5512)
    • Reads the machine GUID from the registry

      • EDownloader.exe (PID: 3964)
      • ensserver.exe (PID: 2132)
      • wpn-grant.exe (PID: 6036)
      • EuDownload.exe (PID: 4020)
      • EuDownload.exe (PID: 1408)
      • EuDownload.exe (PID: 4872)
    • Checks proxy server information

      • AliyunWrapExe.exe (PID: 2024)
      • EDownloader.exe (PID: 3964)
      • AliyunWrapExe.exe (PID: 6056)
      • AliyunWrapExe.exe (PID: 5172)
    • Creates files or folders in the user directory

      • AliyunWrapExe.exe (PID: 2024)
      • AliyunWrapExe.exe (PID: 6056)
      • AliyunWrapExe.exe (PID: 5172)
    • Reads security settings of Internet Explorer

      • cscript.exe (PID: 2712)
      • cscript.exe (PID: 4976)
    • Creates files in the program directory

      • TB_free_easeus.tmp (PID: 2528)
      • DrvSetup.exe (PID: 3568)
      • EnsUtils.exe (PID: 3396)
      • ensserver.exe (PID: 2132)
      • Agent.exe (PID: 604)
      • AliyunWrapExe.exe (PID: 6056)
      • AliyunWrapExe.exe (PID: 3492)
      • Agent.exe (PID: 3468)
      • AliyunWrapExe.exe (PID: 5172)
      • EuDownload.exe (PID: 4872)
      • EuDownload.exe (PID: 1408)
      • EuDownload.exe (PID: 4020)
    • Checks transactions between databases Windows and Oracle

      • msdtc.exe (PID: 2176)
      • cscript.exe (PID: 2712)
      • dllhost.exe (PID: 4308)
      • cscript.exe (PID: 4976)
    • Drops the executable file immediately after the start

      • InfDefaultInstall.exe (PID: 4100)
    • Creates files in the driver directory

      • InfDefaultInstall.exe (PID: 4100)
    • Reads the time zone

      • runonce.exe (PID: 952)
    • Creates a software uninstall entry

      • TB_free_easeus.tmp (PID: 2528)
    • Manual execution by a user

      • msedge.exe (PID: 5076)
    • Application launched itself

      • msedge.exe (PID: 5076)
      • msedge.exe (PID: 2972)
      • msedge.exe (PID: 6840)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2018:01:30 04:57:48+01:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 26624
InitializedDataSize: 186368
UninitializedDataSize: 2048
EntryPoint: 0x338f
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
All screenshots are available in the full report
Total processes
224
Monitored processes
111
Malicious processes
11
Suspicious processes
1

Behavior graph

start, tb_free_installer_20231215.681457.exe, edownloader.exe, infoforsetup.exe (no specs), infoforsetup.exe (no specs), aliyunwrapexe.exe, infoforsetup.exe (no specs), infoforsetup.exe (no specs), infoforsetup.exe (no specs), infoforsetup.exe (no specs), infoforsetup.exe (no specs), tb_free_easeus.exe (no specs), tb_free_easeus.tmp, cmd.exe (no specs), conhost.exe (no specs), net.exe (no specs), net1.exe (no specs), net.exe (no specs), net1.exe (no specs), net.exe (no specs), net1.exe (no specs), reg.exe (no specs), cscript.exe (no specs), dllhost.exe (no specs), msdtc.exe (no specs), regsvr32.exe (no specs), vssvc.exe (no specs), cscript.exe (no specs), rundll32.exe (no specs), rundll32.exe (no specs), reg.exe (no specs), reg.exe (no specs), reg.exe (no specs), reg.exe (no specs), drvsetup.exe (no specs), infdefaultinstall.exe (no specs), runonce.exe (no specs), grpconv.exe (no specs), taskkill.exe (no specs), conhost.exe (no specs), appsetup.exe (no specs), conhost.exe (no specs), ensutils.exe (no specs), conhost.exe (no specs), aliyunwrapexe.exe, ensserver.exe, aliyunwrapexe.exe, setupsenddata2downloader.exe (no specs), conhost.exe (no specs), agent.exe, conhost.exe (no specs), agent.exe, euinapp.exe (no specs), conhost.exe (no specs), trayprocess.exe, infoforsetup.exe (no specs), setupue.exe (no specs), infoforsetup.exe (no specs), infoforsetup.exe (no specs), wmic.exe (no specs), conhost.exe (no specs), wpn-grant.exe, conhost.exe (no specs), infoforsetup.exe (no specs), aliyunwrapexe.exe, vdsldr.exe (no specs), vds.exe (no specs), todobackupservice.exe, msedge.exe (no specs), infoforsetup.exe (no specs), loader.exe (no specs), msedge.exe (no specs), tbconsoleui.exe, wmic.exe (no specs), conhost.exe (no specs), msedge.exe (no specs), msedge.exe (no specs), msedge.exe, msedge.exe (no specs), eudownload.exe, eudownload.exe, eudownload.exe, conhost.exe (no specs), conhost.exe (no specs), conhost.exe (no specs), msedge.exe (no specs), msedge.exe, msedge.exe (no specs), msedge.exe (no specs), msedge.exe (no specs), msedge.exe (no specs), trayprocess.exe (no specs), eudownload.exe (no specs), conhost.exe (no specs), todobackupenumnetbyfd_0.exe (no specs), conhost.exe (no specs), msedge.exe (no specs), msedge.exe (no specs), msedge.exe (no specs), msedge.exe (no specs), msedge.exe (no specs), msedge.exe (no specs), msedge.exe (no specs), identity_helper.exe (no specs), identity_helper.exe (no specs), eudownload.exe (no specs), conhost.exe (no specs), msedge.exe (no specs), msedge.exe (no specs), wpn-grant.exe (no specs), conhost.exe (no specs), tb_free_installer_20231215.681457.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 208
CMD: "C:\Windows\system32\cmd.exe" /C ""C:\Program Files (x86)\EaseUS\Todo Backup\bin\x64\install-EaseUSprovider.cmd""
Path: C:\Windows\System32\cmd.exe
Parent process: TB_free_easeus.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
PID: 368
CMD: C:\Windows\system32\net1 stop swprv
Path: C:\Windows\System32\net1.exe
Parent process: net.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Net Command
Exit code:
2
Version:
10.0.22000.434 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\net1.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\netutils.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\samcli.dll
PID: 532
CMD: C:\Windows\system32\vssvc.exe
Path: C:\Windows\System32\VSSVC.exe
Parent process: services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Volume Shadow Copy Service
Exit code:
0
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\vssvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\vssapi.dll
c:\windows\system32\vsstrace.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
PID: 604
CMD: "C:\Program Files (x86)\EaseUS\Todo Backup\bin\Agent.exe" install
Path: C:\Program Files (x86)\EaseUS\Todo Backup\bin\Agent.exe
Parent process: TB_free_easeus.tmp
User:
admin
Company:
CHENGDU YIWO Tech Development Co., Ltd
Integrity Level:
HIGH
Description:
EaseUS Todo Backup Agent Application
Exit code:
1
Version:
5.8.0.0
Modules
Images
c:\program files (x86)\easeus\todo backup\bin\agent.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64base.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64con.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
PID: 632
CMD: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: SetupSendData2Downloader.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
PID: 952
CMD: "C:\Windows\system32\runonce.exe" -r
Path: C:\Windows\System32\runonce.exe
Parent process: InfDefaultInstall.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Run Once Wrapper
Exit code:
1
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\runonce.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
PID: 1116
CMD: reg.exe delete HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application\VssEaseusProvider /f
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
1
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ws2_32.dll
PID: 1128
CMD: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: EUinApp.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
PID: 1144
CMD: /SendInfo Window "Downloading" Activity "Result_Download_Program" Attribute "{\"Average_Networkspeed\":\"503.00KB\",\"Cdn\":\"https://d1.easeus.com/tb/free/TodoBackup16.0_free.exe\",\"Elapsedtime\":\"290\",\"Errorinfo\":\"0\",\"Result\":\"Success\"}"
Path: C:\Users\admin\AppData\Local\Temp\downloader_easeus\1.0.0\3free\aliyun\InfoForSetup.exe
Parent process: EDownloader.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\downloader_easeus\1.0.0\3free\aliyun\infoforsetup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64base.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64con.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
PID: 1336
CMD: "C:\Program Files (x86)\EaseUS\Todo Backup\bin\TrayProcess.exe" install
Path: C:\Program Files (x86)\EaseUS\Todo Backup\bin\TrayProcess.exe
Parent process: TB_free_easeus.tmp
User:
admin
Company:
CHENGDU YIWO Tech Development Co., Ltd
Integrity Level:
HIGH
Description:
EaseUS Todo Backup Application
Exit code:
0
Version:
16.0.0.0
Modules
Images
c:\program files (x86)\easeus\todo backup\bin\trayprocess.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64base.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64con.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
Total events
26 354
Read events
26 209
Write events
132
Delete events
13

Modification events

(PID) Process: (2024) AliyunWrapExe.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (2024) AliyunWrapExe.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (2024) AliyunWrapExe.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

(PID) Process: (2024) AliyunWrapExe.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

(PID) Process: (2024) AliyunWrapExe.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (2024) AliyunWrapExe.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (3964) EDownloader.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (3964) EDownloader.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (3964) EDownloader.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

(PID) Process: (3964) EDownloader.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0
Executable files
2 026
Suspicious files
280
Text files
3 636
Unknown types
21

Dropped files

PID | Process | Filename | Type

5512 | TB_Free_Installer_20231215.681457.exe | C:\Users\admin\AppData\Local\Temp\downloader_easeus\1.0.0\3free\Malay.ini | text
MD5: AA4398D7E7503A3EDDEF6A62CC6079BF
SHA256: 8848BF068AC126D90F8FD3A4A376F2F386414C8C64AB7430C19085DDB0EA835A

5512 | TB_Free_Installer_20231215.681457.exe | C:\Users\admin\AppData\Local\Temp\downloader_easeus\1.0.0\3free\French.ini | text
MD5: 5CF7184F2D6C19608D287EAE33B1D678
SHA256: 7AB67D4EB16F742235309A0A55EAFAC60B39A79D842C84A285A1D62061A9D7EB

5512 | TB_Free_Installer_20231215.681457.exe | C:\Users\admin\AppData\Local\Temp\downloader_easeus\1.0.0\3free\German.ini | text
MD5: 11847D6DED619EF00FE65D073DCA2395
SHA256: 432729DF19211765091F56578437A3564667572430B36DFF2BF48B28F15A0C06

5512 | TB_Free_Installer_20231215.681457.exe | C:\Users\admin\AppData\Local\Temp\downloader_easeus\1.0.0\3free\skin.zip | compressed
MD5: 6128C00BD164D955181B086094E5FC71
SHA256: 93F8192AF82712DF7EEEADBBC8DDCBDD4F8338AF96015E4ED11EF7FC9AB09696

5512 | TB_Free_Installer_20231215.681457.exe | C:\Users\admin\AppData\Local\Temp\downloader_easeus\1.0.0\3free\Italian.ini | text
MD5: 528492B1C61DD427C0030AF1E85021CB
SHA256: 2E31D7ACE9D3417EBA9BC93E44C645D5783C23F2C6570807BCC48E94ADE2C857

5512 | TB_Free_Installer_20231215.681457.exe | C:\Users\admin\AppData\Local\Temp\downloader_easeus\1.0.0\3free\ChineseTrad.ini | text
MD5: 83ED2F53BC9654D852DB7A304DCE10AB
SHA256: CC4D59587283D2F1190D00B56D1C5E100A4DAC71D540141C61975EAD907E8FD2

5512 | TB_Free_Installer_20231215.681457.exe | C:\Users\admin\AppData\Local\Temp\downloader_easeus\1.0.0\3free\Chinese.ini | text
MD5: 2C1109202C5BD64CFBD15440DBFB9E15
SHA256: 503DED4C87EC70CF80920CD35985A34A7F7DF4280E8ACD2915BB105140057AA4

5512 | TB_Free_Installer_20231215.681457.exe | C:\Users\admin\AppData\Local\Temp\downloader_easeus\1.0.0\3free\EDownloader.exe | executable
MD5: 53832E0D7970B48218429C20777D3965
SHA256: 472B7D98B11719A38A097B64D24B4703FB12D9F70DA71C5087AE9F84911AC106

3964 | EDownloader.exe | C:\Users\admin\AppData\Local\Temp\TB_free_easeus.exe.temp |
MD5:
SHA256:

3964 | EDownloader.exe | C:\Users\admin\AppData\Local\Temp\TB_free_easeus.exe |
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
101
TCP/UDP connections
117
DNS requests
45
Threats
18

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2024 | AliyunWrapExe.exe | GET | 200 | 163.171.156.15:80 | http://track.easeus.com/product/index.php?c=main&a=getstatus&pid=0 | unknown | binary | 21 b | unknown
2024 | AliyunWrapExe.exe | POST | 200 | 47.252.97.212:80 | http://easeusinfo.us-east-1.log.aliyuncs.com/logstores/logstore_tbp_downloader/shards/lb | unknown | | | unknown
3964 | EDownloader.exe | POST | 200 | 143.204.98.38:80 | http://download.easeus.com/api2/index.php/Apicp/Drwdl202004/index/ | unknown | binary | 489 b | unknown
2024 | AliyunWrapExe.exe | POST | 200 | 47.252.97.212:80 | http://easeusinfo.us-east-1.log.aliyuncs.com/logstores/logstore_tbp_downloader/shards/lb | unknown | | | unknown
880 | svchost.exe | GET | 200 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?ba8520f5c7f95796 | unknown | compressed | 4.66 Kb | unknown
2024 | AliyunWrapExe.exe | POST | 200 | 47.252.97.212:80 | http://easeusinfo.us-east-1.log.aliyuncs.com/logstores/logstore_tbp_downloader/shards/lb | unknown | | | unknown
2024 | AliyunWrapExe.exe | POST | 200 | 47.252.97.212:80 | http://easeusinfo.us-east-1.log.aliyuncs.com/logstores/logstore_tbp_downloader/shards/lb | unknown | | | unknown
1396 | svchost.exe | GET | 200 | 104.124.11.219:80 | http://www.msftconnecttest.com/connecttest.txt | unknown | text | 22 b | unknown
3964 | EDownloader.exe | GET | | 18.66.112.6:443 | https://d1.easeus.com/tb/free/TodoBackup16.0_free.exe | unknown | | |
3964 | EDownloader.exe | GET | | 18.66.112.125:443 | https://d1.easeus.com/tb/free/TodoBackup16.0_free.exe | unknown | | |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4560 | svchost.exe | 239.255.255.250:1900 | | | | whitelisted
2024 | AliyunWrapExe.exe | 163.171.156.15:80 | track.easeus.com | QUANTILNETWORKS | DE | unknown
3964 | EDownloader.exe | 143.204.98.38:80 | download.easeus.com | AMAZON-02 | US | unknown
1396 | svchost.exe | 104.124.11.185:80 | | Akamai International B.V. | DE | unknown
5848 | OfficeC2RClient.exe | 52.109.32.97:443 | | MICROSOFT-CORP-MSN-AS-BLOCK | GB | unknown
2024 | AliyunWrapExe.exe | 47.252.97.212:80 | easeusinfo.us-east-1.log.aliyuncs.com | Alibaba US Technology Co., Ltd. | US | unknown
880 | svchost.exe | 20.190.159.75:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
880 | svchost.exe | 93.184.221.240:80 | ctldl.windowsupdate.com | EDGECAST | GB | whitelisted
3964 | EDownloader.exe | 18.66.112.38:443 | d1.easeus.com | AMAZON-02 | US | unknown
2852 | svchost.exe | 20.189.173.2:443 | v20.events.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown

DNS requests

Domain
IP
Reputation
download.easeus.com
  • 143.204.98.38
  • 143.204.98.43
  • 143.204.98.3
  • 143.204.98.21
unknown
track.easeus.com
  • 163.171.156.15
unknown
easeusinfo.us-east-1.log.aliyuncs.com
  • 47.252.97.212
  • 47.252.97.15
  • 47.252.97.14
  • 47.252.97.13
  • 47.252.97.12
  • 47.252.97.11
  • 47.252.97.10
  • 47.252.97.9
  • 47.252.97.8
unknown
login.live.com
  • 20.190.159.75
  • 40.126.31.73
  • 20.190.159.68
  • 20.190.159.4
  • 20.190.159.73
  • 40.126.31.71
  • 40.126.31.67
  • 20.190.159.2
  • 40.126.32.140
  • 40.126.32.74
  • 40.126.32.134
  • 20.190.160.14
  • 40.126.32.138
  • 40.126.32.68
  • 40.126.32.133
  • 40.126.32.76
  • 20.190.160.22
  • 20.190.160.17
  • 20.190.160.20
whitelisted
ctldl.windowsupdate.com
  • 93.184.221.240
whitelisted
d1.easeus.com
  • 18.66.112.38
  • 18.66.112.111
  • 18.66.112.6
  • 18.66.112.125
unknown
v20.events.data.microsoft.com
  • 20.189.173.2
whitelisted
ecs.office.com
  • 52.113.194.132
whitelisted
mrodevicemgr.officeapps.live.com
  • 52.109.89.117
whitelisted
fs.microsoft.com
  • 23.211.8.90
whitelisted

Threats

PID | Process | Class | Message
2024 | AliyunWrapExe.exe | Generic Protocol Command Decode | SURICATA HTTP Request unrecognized authorization method
2024 | AliyunWrapExe.exe | Generic Protocol Command Decode | SURICATA HTTP Request unrecognized authorization method
2024 | AliyunWrapExe.exe | Generic Protocol Command Decode | SURICATA HTTP Request unrecognized authorization method
2024 | AliyunWrapExe.exe | Generic Protocol Command Decode | SURICATA HTTP Request unrecognized authorization method
1396 | svchost.exe | Misc activity | ET INFO Microsoft Connection Test
2024 | AliyunWrapExe.exe | Generic Protocol Command Decode | SURICATA HTTP Request unrecognized authorization method
2024 | AliyunWrapExe.exe | Generic Protocol Command Decode | SURICATA HTTP Request unrecognized authorization method
2024 | AliyunWrapExe.exe | Generic Protocol Command Decode | SURICATA HTTP Request unrecognized authorization method
6056 | AliyunWrapExe.exe | Generic Protocol Command Decode | SURICATA HTTP Request unrecognized authorization method
6056 | AliyunWrapExe.exe | Generic Protocol Command Decode | SURICATA HTTP Request unrecognized authorization method
Debug output strings

Process | Message
Agent.exe | Ldq : Agent call CreateService is success!
Agent.exe | Init Log
Agent.exe | Ldq : Agent start install!
Agent.exe | Ldq : Agent call CreateService!
Agent.exe | Init Log
Agent.exe | Ldq : Agent entry ServiceMain!
Agent.exe | Ldq : Agent set service description!
Agent.exe | socket closed
Agent.exe | Failed to Load lib (Err=0x12529002) CheckTool
Agent.exe | Zy : Instance CheckTool!