File name:

TB_Free_Installer_20231215.681457.exe

Full analysis: https://app.any.run/tasks/ff4e668d-e329-4dc7-b9f9-1cfbe35a957f
Verdict: Malicious activity
Threats: loader

A loader is malicious software that infiltrates devices to deliver further payloads. It can profile the victim's system and install other threats such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links, relying on social engineering to trick users into downloading and running the executable, and loaders employ evasion and persistence tactics to avoid detection.

In this run the behaviour behind the tag is a staged install: the NSIS stub (PID 5512) unpacks a downloader into %TEMP%\downloader_easeus, EDownloader.exe (PID 3964) fetches https://d1.easeus.com/tb/free/TodoBackup16.0_free.exe and writes it to C:\Users\admin\AppData\Local\Temp\TB_free_easeus.exe, and that second installer drops the EaseUS Todo Backup binaries, runs a VSS provider install script and creates services. The Agent.exe and TrayProcess.exe records carry the company string "CHENGDU YIWO Tech Development Co., Ltd", and all non-Microsoft network traffic goes to easeus.com hosts and an Alibaba Cloud Log Service endpoint. The signatures below are generic behavioural heuristics; before treating the hashes as malicious indicators, verify the code-signing chain of the dropped files and the download URL against the vendor's distribution.

Analysis date: December 15, 2023, 07:52:00
OS: Windows 11 Professional (build: 22000, 64 bit)
Tags:
loader
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5:

B9A625522B3DBDE8B3DAF4CDA02AA696

SHA1:

A9D8CF95D8BB989FFAE0F9B07FEA292CA16D7A93

SHA256:

7898ACFCC553E78206FA6EF705BF1F1EABE04F3A37F774B03EA57D11163D669E

SSDEEP:

98304:OKEaB1r/sNZEbLyUdNqR5+8cPeEqO0qAVLgctuCuswgGe25sTwaT0o+ssv6OqIPl:T

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Scans artifacts that could help determine the target

      • AliyunWrapExe.exe (PID: 2024)
      • AliyunWrapExe.exe (PID: 6056)
      • AliyunWrapExe.exe (PID: 3492)
      • ensserver.exe (PID: 2132)
      • AliyunWrapExe.exe (PID: 5172)
    • Drops the executable file immediately after the start

      • TB_free_easeus.exe (PID: 1972)
      • TB_Free_Installer_20231215.681457.exe (PID: 5512)
      • EDownloader.exe (PID: 3964)
      • DrvSetup.exe (PID: 3568)
      • EnsUtils.exe (PID: 3396)
      • TB_free_easeus.tmp (PID: 2528)
      • Agent.exe (PID: 3468)
    • Actions looks like stealing of personal data

      • TB_free_easeus.tmp (PID: 2528)
      • TrayProcess.exe (PID: 1336)
      • TBConsoleUI.exe (PID: 3888)
    • Creates a writable file in the system directory

      • TB_free_easeus.tmp (PID: 2528)
      • msdtc.exe (PID: 2176)
      • DrvSetup.exe (PID: 3568)
      • InfDefaultInstall.exe (PID: 4100)
      • AliyunWrapExe.exe (PID: 3492)
      • Agent.exe (PID: 3468)
    • Starts NET.EXE for service management

      • cmd.exe (PID: 208)
      • net.exe (PID: 2872)
      • net.exe (PID: 3852)
      • net.exe (PID: 2992)
    • Registers / Runs the DLL via REGSVR32.EXE

      • cmd.exe (PID: 208)
  • SUSPICIOUS

    • Reads the Internet Settings

      • EDownloader.exe (PID: 3964)
      • AliyunWrapExe.exe (PID: 2024)
      • runonce.exe (PID: 952)
      • AliyunWrapExe.exe (PID: 6056)
      • TB_free_easeus.tmp (PID: 2528)
      • AliyunWrapExe.exe (PID: 5172)
    • Reads Microsoft Outlook installation path

      • EDownloader.exe (PID: 3964)
    • Reads Internet Explorer settings

      • EDownloader.exe (PID: 3964)
    • Process requests binary or script from the Internet

      • EDownloader.exe (PID: 3964)
    • Reads the Windows owner or organization settings

      • TB_free_easeus.tmp (PID: 2528)
    • Process drops legitimate windows executable

      • TB_free_easeus.tmp (PID: 2528)
      • EnsUtils.exe (PID: 3396)
    • The process drops C-runtime libraries

      • TB_free_easeus.tmp (PID: 2528)
      • EnsUtils.exe (PID: 3396)
    • Creates files in the driver directory

      • TB_free_easeus.tmp (PID: 2528)
      • DrvSetup.exe (PID: 3568)
    • Drops 7-zip archiver for unpacking

      • TB_free_easeus.tmp (PID: 2528)
    • Process checks presence of unattended files

      • TB_free_easeus.tmp (PID: 2528)
    • Drops a system driver (possible attempt to evade defenses)

      • TB_free_easeus.tmp (PID: 2528)
      • DrvSetup.exe (PID: 3568)
      • InfDefaultInstall.exe (PID: 4100)
    • Executing commands from ".cmd" file

      • TB_free_easeus.tmp (PID: 2528)
    • The process executes VB scripts

      • cmd.exe (PID: 208)
    • Starts CMD.EXE for commands execution

      • TB_free_easeus.tmp (PID: 2528)
    • Executes as Windows Service

      • dllhost.exe (PID: 4308)
      • msdtc.exe (PID: 2176)
      • VSSVC.exe (PID: 532)
      • ensserver.exe (PID: 2132)
      • Agent.exe (PID: 3468)
      • vds.exe (PID: 4364)
    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 208)
    • Executes WMI query (SCRIPT)

      • cscript.exe (PID: 4976)
    • Uses TASKKILL.EXE to kill process

      • DrvSetup.exe (PID: 3568)
    • Searches for installed software

      • TB_free_easeus.tmp (PID: 2528)
      • EDownloader.exe (PID: 3964)
    • Uses WMI to retrieve WMI-managed resources (SCRIPT)

      • cscript.exe (PID: 4976)
    • Checks Windows Trust Settings

      • ensserver.exe (PID: 2132)
    • Reads the date of Windows installation

      • TB_free_easeus.tmp (PID: 2528)
      • EDownloader.exe (PID: 3964)
    • Uses WMIC.EXE to obtain operating system information

      • SetupUE.exe (PID: 6104)
      • TBConsoleUI.exe (PID: 3888)
    • Accesses operating system name via WMI (SCRIPT)

      • WMIC.exe (PID: 1864)
      • WMIC.exe (PID: 3440)
    • The process checks if it is being run in the virtual environment

      • Agent.exe (PID: 3468)
    • Detected use of alternative data streams (AltDS)

      • Agent.exe (PID: 3468)
  • INFO

    • Dropped object may contain TOR URL's

      • TB_Free_Installer_20231215.681457.exe (PID: 5512)
    • Create files in a temporary directory

      • TB_Free_Installer_20231215.681457.exe (PID: 5512)
      • AliyunWrapExe.exe (PID: 2024)
      • InfoForSetup.exe (PID: 2508)
      • TB_free_easeus.exe (PID: 1972)
      • TB_free_easeus.tmp (PID: 2528)
      • EDownloader.exe (PID: 3964)
    • Reads the computer name

      • EDownloader.exe (PID: 3964)
      • AliyunWrapExe.exe (PID: 2024)
      • TB_free_easeus.tmp (PID: 2528)
      • DrvSetup.exe (PID: 3568)
      • EnsUtils.exe (PID: 3396)
      • AppSetup.exe (PID: 1688)
      • AliyunWrapExe.exe (PID: 6056)
      • ensserver.exe (PID: 2132)
      • AliyunWrapExe.exe (PID: 3492)
      • Agent.exe (PID: 604)
      • Agent.exe (PID: 3468)
      • wpn-grant.exe (PID: 6036)
      • AliyunWrapExe.exe (PID: 5172)
      • TrayProcess.exe (PID: 1336)
      • TodoBackupService.exe (PID: 5140)
      • TBConsoleUI.exe (PID: 3888)
      • EuDownload.exe (PID: 1408)
      • EuDownload.exe (PID: 4020)
      • EuDownload.exe (PID: 4872)
    • Checks supported languages

      • InfoForSetup.exe (PID: 2508)
      • EDownloader.exe (PID: 3964)
      • InfoForSetup.exe (PID: 3444)
      • InfoForSetup.exe (PID: 1144)
      • TB_Free_Installer_20231215.681457.exe (PID: 5512)
      • InfoForSetup.exe (PID: 1556)
      • InfoForSetup.exe (PID: 1812)
      • InfoForSetup.exe (PID: 2004)
      • TB_free_easeus.tmp (PID: 2528)
      • InfoForSetup.exe (PID: 2872)
      • AliyunWrapExe.exe (PID: 2024)
      • TB_free_easeus.exe (PID: 1972)
      • DrvSetup.exe (PID: 3568)
      • EnsUtils.exe (PID: 3396)
      • AppSetup.exe (PID: 1688)
      • AliyunWrapExe.exe (PID: 6056)
      • ensserver.exe (PID: 2132)
      • AliyunWrapExe.exe (PID: 3492)
      • SetupSendData2Downloader.exe (PID: 4988)
      • Agent.exe (PID: 604)
      • Agent.exe (PID: 3468)
      • EUinApp.exe (PID: 3632)
      • TrayProcess.exe (PID: 1336)
      • SetupUE.exe (PID: 6104)
      • InfoForSetup.exe (PID: 2964)
      • wpn-grant.exe (PID: 6036)
      • InfoForSetup.exe (PID: 4464)
      • InfoForSetup.exe (PID: 3856)
      • AliyunWrapExe.exe (PID: 5172)
      • TodoBackupService.exe (PID: 5140)
      • Loader.exe (PID: 4060)
      • InfoForSetup.exe (PID: 3276)
      • TBConsoleUI.exe (PID: 3888)
      • EuDownload.exe (PID: 4872)
      • EuDownload.exe (PID: 1408)
      • EuDownload.exe (PID: 4020)
      • InfoForSetup.exe (PID: 4428)
    • Creates files or folders in the user directory

      • AliyunWrapExe.exe (PID: 2024)
      • AliyunWrapExe.exe (PID: 6056)
      • AliyunWrapExe.exe (PID: 5172)
    • Checks proxy server information

      • EDownloader.exe (PID: 3964)
      • AliyunWrapExe.exe (PID: 2024)
      • AliyunWrapExe.exe (PID: 6056)
      • AliyunWrapExe.exe (PID: 5172)
    • Creates files in the program directory

      • TB_free_easeus.tmp (PID: 2528)
      • DrvSetup.exe (PID: 3568)
      • EnsUtils.exe (PID: 3396)
      • ensserver.exe (PID: 2132)
      • Agent.exe (PID: 604)
      • AliyunWrapExe.exe (PID: 6056)
      • AliyunWrapExe.exe (PID: 3492)
      • Agent.exe (PID: 3468)
      • AliyunWrapExe.exe (PID: 5172)
      • EuDownload.exe (PID: 4872)
      • EuDownload.exe (PID: 4020)
      • EuDownload.exe (PID: 1408)
    • Reads the machine GUID from the registry

      • EDownloader.exe (PID: 3964)
      • ensserver.exe (PID: 2132)
      • wpn-grant.exe (PID: 6036)
      • EuDownload.exe (PID: 1408)
      • EuDownload.exe (PID: 4872)
      • EuDownload.exe (PID: 4020)
    • Reads security settings of Internet Explorer

      • cscript.exe (PID: 2712)
      • cscript.exe (PID: 4976)
    • Checks transactions between databases Windows and Oracle

      • dllhost.exe (PID: 4308)
      • cscript.exe (PID: 2712)
      • cscript.exe (PID: 4976)
      • msdtc.exe (PID: 2176)
    • Creates files in the driver directory

      • InfDefaultInstall.exe (PID: 4100)
    • Drops the executable file immediately after the start

      • InfDefaultInstall.exe (PID: 4100)
    • Reads the time zone

      • runonce.exe (PID: 952)
    • Creates a software uninstall entry

      • TB_free_easeus.tmp (PID: 2528)
    • Manual execution by a user

      • msedge.exe (PID: 5076)
    • Application launched itself

      • msedge.exe (PID: 2972)
      • msedge.exe (PID: 5076)
      • msedge.exe (PID: 6840)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2018:01:30 04:57:48+01:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 26624
InitializedDataSize: 186368
UninitializedDataSize: 2048
EntryPoint: 0x338f
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
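A practitioner who retrieves a copy of this sample from another source wants to confirm it is the same file before spending time on it. The following added example (not part of the ANY.RUN report or of the EaseUS software) recomputes the hashes in the upper-case form used above and parses the COFF and PE32 optional header into the same fields the EXIF block shows. The timestamp is printed in UTC rather than the +01:00 local time exiftool used; the "NullsoftInst" marker is the string NSIS writes into its first header and that file-type detection looks for when it reports "Nullsoft Installer self-extracting archive". build_demo_image() is a constructed stub carrying this report's header values so the script runs offline; it is not the sample.

```python
"""Recompute the hashes and PE header fields this report lists so a sample
retrieved elsewhere can be matched against the page before it is analysed.
Added example; not part of the ANY.RUN report or the EaseUS installer."""
import hashlib
import struct
from datetime import datetime, timezone

# Subset of IMAGE_FILE_HEADER.Machine and Subsystem values, named as exiftool prints them.
MACHINE = {0x14C: "Intel 386 or later, and compatibles", 0x8664: "AMD AMD64", 0xAA64: "ARM64"}
SUBSYSTEM = {1: "Native", 2: "Windows GUI", 3: "Windows command line", 10: "EFI application"}
# IMAGE_FILE_* characteristic bits, in the order the report prints them.
CHARACTERISTICS = [(0x0001, "No relocs"), (0x0002, "Executable"), (0x0004, "No line numbers"),
                   (0x0008, "No symbols"), (0x0020, "Large address aware"), (0x0100, "32-bit"),
                   (0x0200, "No debug"), (0x2000, "DLL")]


def file_hashes(data: bytes) -> dict:
    """MD5/SHA1/SHA256 in the upper-case hex form the report uses."""
    return {n: hashlib.new(n, data).hexdigest().upper() for n in ("md5", "sha1", "sha256")}


def pe_header_fields(data: bytes) -> dict:
    """Parse the COFF header and PE32 optional header into the fields shown under EXIF."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, _nsect, stamp, _symtab, _nsyms, _optsize, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic != 0x10B:
        raise ValueError("only PE32 (0x10b) is handled; PE32+ has a different layout")
    (maj_link, min_link, code, init, uninit, entry, _bc, _bd, _ib, _sa, _fa,
     os_maj, os_min, img_maj, img_min, sub_maj, sub_min,
     _w32, _simg, _shdr, _csum, subsystem) = struct.unpack_from("<BBIIIIIIIIIHHHHHHIIIIH", data, opt + 2)
    return {
        "MachineType": MACHINE.get(machine, hex(machine)),
        "TimeStamp": datetime.fromtimestamp(stamp, timezone.utc).strftime("%Y:%m:%d %H:%M:%S UTC"),
        "ImageFileCharacteristics": ", ".join(n for bit, n in CHARACTERISTICS if chars & bit),
        "PEType": "PE32",
        "LinkerVersion": f"{maj_link}.{min_link}",
        "CodeSize": code, "InitializedDataSize": init, "UninitializedDataSize": uninit,
        "EntryPoint": hex(entry),
        "OSVersion": f"{os_maj}.{os_min}", "ImageVersion": f"{img_maj}.{img_min}",
        "SubsystemVersion": f"{sub_maj}.{sub_min}",
        "Subsystem": SUBSYSTEM.get(subsystem, str(subsystem)),
        # NSIS writes this marker into its first header; file-type detection keys on it.
        "NSIS": b"NullsoftInst" in data,
    }


def mismatches(observed: dict, expected: dict) -> list:
    """Keys whose observed value differs from what the report states (string-compared)."""
    return sorted(k for k, v in expected.items() if str(observed.get(k)) != str(v))


def build_demo_image() -> bytes:
    """Constructed PE32 stub carrying this report's header values. It is NOT the
    sample, only enough header for pe_header_fields() to read."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    # Machine 0x14c, 3 sections, 2018-01-30 03:57:48 UTC, 224-byte optional header, flags 0x010f.
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 1517284668, 0, 0, 224, 0x010F)
    opt = struct.pack("<HBBIIIIIIIIIHHHHHHIIIIHH",
                      0x10B, 6, 0, 26624, 186368, 2048, 0x338F, 0x1000, 0x8000, 0x400000,
                      0x1000, 0x200, 4, 0, 6, 0, 4, 0, 0, 0x30000, 0x400, 0, 2, 0).ljust(224, b"\0")
    return dos + b"PE\0\0" + coff + opt + b"\xef\xbe\xad\xdeNullsoftInst"


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_demo_image()
    print(file_hashes(blob))
    for k, v in pe_header_fields(blob).items():
        print(f"{k}: {v}")
```

Run it with the path of the retrieved file as the only argument and compare the output with the MD5/SHA1/SHA256 and EXIF blocks above; mismatches() gives the differing keys directly. A hash mismatch with matching header fields usually means a re-signed or re-packaged build of the same installer, which is worth noting before the sample is submitted anywhere else.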
All screenshots are available in the full report
Total processes
224
Monitored processes
111
Malicious processes
11
Suspicious processes
1

Behavior graph

Launch order from the graph ("no specs" marks processes that raised no signatures; ×N marks consecutive repeats):

tb_free_installer_20231215.681457.exe, edownloader.exe, infoforsetup.exe (no specs) ×2, aliyunwrapexe.exe, infoforsetup.exe (no specs) ×5, tb_free_easeus.exe (no specs), tb_free_easeus.tmp, cmd.exe (no specs), conhost.exe (no specs), [net.exe (no specs), net1.exe (no specs)] ×3, reg.exe (no specs), cscript.exe (no specs), dllhost.exe (no specs), msdtc.exe (no specs), regsvr32.exe (no specs), vssvc.exe (no specs), cscript.exe (no specs), rundll32.exe (no specs) ×2, reg.exe (no specs) ×4, drvsetup.exe (no specs), infdefaultinstall.exe (no specs), runonce.exe (no specs), grpconv.exe (no specs), taskkill.exe (no specs), conhost.exe (no specs), appsetup.exe (no specs), conhost.exe (no specs), ensutils.exe (no specs), conhost.exe (no specs), aliyunwrapexe.exe, ensserver.exe, aliyunwrapexe.exe, setupsenddata2downloader.exe (no specs), conhost.exe (no specs), agent.exe, conhost.exe (no specs), agent.exe, euinapp.exe (no specs), conhost.exe (no specs), trayprocess.exe, infoforsetup.exe (no specs), setupue.exe (no specs), infoforsetup.exe (no specs) ×2, wmic.exe (no specs), conhost.exe (no specs), wpn-grant.exe, conhost.exe (no specs), infoforsetup.exe (no specs), aliyunwrapexe.exe, vdsldr.exe (no specs), vds.exe (no specs), todobackupservice.exe, msedge.exe (no specs), infoforsetup.exe (no specs), loader.exe (no specs), msedge.exe (no specs), tbconsoleui.exe, wmic.exe (no specs), conhost.exe (no specs), msedge.exe (no specs) ×2, msedge.exe, msedge.exe (no specs), eudownload.exe ×3, conhost.exe (no specs) ×3, msedge.exe (no specs), msedge.exe, msedge.exe (no specs) ×5, trayprocess.exe (no specs), eudownload.exe (no specs), conhost.exe (no specs), todobackupenumnetbyfd_0.exe (no specs), conhost.exe (no specs), msedge.exe (no specs) ×7, identity_helper.exe (no specs) ×2, eudownload.exe (no specs), conhost.exe (no specs), msedge.exe (no specs) ×2, wpn-grant.exe (no specs), conhost.exe (no specs), tb_free_installer_20231215.681457.exe (no specs)

Process information

Each record gives the PID, command line, image path and parent process, followed by user, company, integrity level, description, exit code, version and the first loaded modules. Ten of the 111 monitored processes are listed here.
PID: 208
CMD: "C:\Windows\system32\cmd.exe" /C ""C:\Program Files (x86)\EaseUS\Todo Backup\bin\x64\install-EaseUSprovider.cmd""
Path: C:\Windows\System32\cmd.exe
Parent process: TB_free_easeus.tmp
Note: this script is the VSS provider installation step. Its net.exe children stop swprv (the Microsoft Software Shadow Copy Provider service) and the reg.exe child (PID 1116, below) force-deletes the VssEaseusProvider event-log source key; that reg.exe exited with code 1, which is consistent with the key not yet existing on a fresh guest. On a live host, `vssadmin list providers` shows whether a third-party provider ended up registered.
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
PID: 368
CMD: C:\Windows\system32\net1 stop swprv
Path: C:\Windows\System32\net1.exe
Parent process: net.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Net Command
Exit code:
2
Version:
10.0.22000.434 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\net1.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\netutils.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\samcli.dll
PID: 532
CMD: C:\Windows\system32\vssvc.exe
Path: C:\Windows\System32\VSSVC.exe
Parent process: services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Volume Shadow Copy Service
Exit code:
0
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\vssvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\vssapi.dll
c:\windows\system32\vsstrace.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
PID: 604
CMD: "C:\Program Files (x86)\EaseUS\Todo Backup\bin\Agent.exe" install
Path: C:\Program Files (x86)\EaseUS\Todo Backup\bin\Agent.exe
Parent process: TB_free_easeus.tmp
User:
admin
Company:
CHENGDU YIWO Tech Development Co., Ltd
Integrity Level:
HIGH
Description:
EaseUS Todo Backup Agent Application
Exit code:
1
Version:
5.8.0.0
Modules
Images
c:\program files (x86)\easeus\todo backup\bin\agent.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64base.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64con.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
PID: 632
CMD: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: SetupSendData2Downloader.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
PID: 952
CMD: "C:\Windows\system32\runonce.exe" -r
Path: C:\Windows\System32\runonce.exe
Parent process: InfDefaultInstall.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Run Once Wrapper
Exit code:
1
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\runonce.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
PID: 1116
CMD: reg.exe delete HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application\VssEaseusProvider /f
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
1
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ws2_32.dll
PID: 1128
CMD: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: EUinApp.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
PID: 1144
CMD: /SendInfo Window "Downloading" Activity "Result_Download_Program" Attribute "{\"Average_Networkspeed\":\"503.00KB\",\"Cdn\":\"https://d1.easeus.com/tb/free/TodoBackup16.0_free.exe\",\"Elapsedtime\":\"290\",\"Errorinfo\":\"0\",\"Result\":\"Success\"}"
Path: C:\Users\admin\AppData\Local\Temp\downloader_easeus\1.0.0\3free\aliyun\InfoForSetup.exe
Parent process: EDownloader.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\downloader_easeus\1.0.0\3free\aliyun\infoforsetup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64base.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64con.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
PID: 1336
CMD: "C:\Program Files (x86)\EaseUS\Todo Backup\bin\TrayProcess.exe" install
Path: C:\Program Files (x86)\EaseUS\Todo Backup\bin\TrayProcess.exe
Parent process: TB_free_easeus.tmp
User:
admin
Company:
CHENGDU YIWO Tech Development Co., Ltd
Integrity Level:
HIGH
Description:
EaseUS Todo Backup Application
Exit code:
0
Version:
16.0.0.0
Modules
Images
c:\program files (x86)\easeus\todo backup\bin\trayprocess.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64base.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64con.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
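The signatures "Starts NET.EXE for service management", "Uses REG/REGEDIT.EXE to modify registry" and "Registers / Runs the DLL via REGSVR32.EXE" all hang off the cmd.exe that TB_free_easeus.tmp spawned, and what makes them interesting is the ancestry, not the individual LOLBin. The following added example (not part of the ANY.RUN report or of the EaseUS software) encodes that as detection logic over a process table like the one above: it matches the command lines against a few rules and walks the parent chain to report whether the activity came from an installer stub. The report lists parent names rather than parent PIDs, so the parent PIDs in SAMPLE are assumed as noted in the comments, and net.exe's command line is assumed to mirror the net1.exe line the report does show.

```python
"""Walk a sandbox process table and flag service and registry tampering that is
launched from a temporary installer stub. Added example; not part of the ANY.RUN
report or the EaseUS installer."""
import re
from collections import namedtuple

Proc = namedtuple("Proc", "pid image cmdline parent_pid")

# Constructed from this report's process table. The report gives parent *names*,
# not PIDs, so the parent PIDs here are assumed: 2528 is TB_free_easeus.tmp and
# 1972 TB_free_easeus.exe (both from the signature list), 2872 is one of the three
# net.exe PIDs, and net.exe's command line is assumed to mirror net1's.
SAMPLE = [
    Proc(1972, "TB_free_easeus.exe", "TB_free_easeus.exe", 3964),
    Proc(2528, "TB_free_easeus.tmp", "TB_free_easeus.tmp", 1972),
    Proc(208, "cmd.exe",
         r'"C:\Windows\system32\cmd.exe" /C ""C:\Program Files (x86)\EaseUS\Todo Backup\bin\x64\install-EaseUSprovider.cmd""',
         2528),
    Proc(2872, "net.exe", "net stop swprv", 208),
    Proc(368, "net1.exe", r"C:\Windows\system32\net1 stop swprv", 2872),
    Proc(1116, "reg.exe",
         r"reg.exe delete HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application\VssEaseusProvider /f",
         208),
    Proc(632, "conhost.exe", r"\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1", 4988),
]

# (reason, image-name pattern, command-line pattern); matched case-insensitively.
RULES = [
    ("service control via net.exe", r"^net1?\.exe$", r"\b(stop|start|pause|continue)\s+\S+"),
    ("service or event-log key deleted with reg.exe", r"^reg\.exe$", r"\bdelete\b.*\\Services\\"),
    ("DLL registration via regsvr32", r"^regsvr32\.exe$", r"."),
    ("batch script run through cmd /c", r"^cmd\.exe$", r"/c\b.*\.(cmd|bat)\b"),
]


def ancestry(pid: int, by_pid: dict) -> list:
    """Image names of pid's ancestors, nearest first; stops at a parent the table lacks."""
    chain, seen = [], set()
    p = by_pid.get(pid)
    while p is not None and p.parent_pid in by_pid and p.parent_pid not in seen:
        seen.add(p.parent_pid)
        p = by_pid[p.parent_pid]
        chain.append(p.image)
    return chain


def from_installer_stub(chain: list) -> bool:
    """The .exe -> .tmp re-launch seen here (TB_free_easeus.exe -> TB_free_easeus.tmp)
    is the pattern Inno Setup installers use; treat any .tmp ancestor as installer context."""
    return any(img.lower().endswith(".tmp") for img in chain)


def flag(records: list) -> dict:
    """Map PID -> (reason, 'child <- parent <- ...' chain, launched-from-installer?)."""
    by_pid = {r.pid: r for r in records}
    hits = {}
    for r in records:
        for reason, img_re, cmd_re in RULES:
            if re.search(img_re, r.image, re.I) and re.search(cmd_re, r.cmdline, re.I):
                chain = ancestry(r.pid, by_pid)
                hits[r.pid] = (reason, " <- ".join([r.image] + chain), from_installer_stub(chain))
                break
    return hits


if __name__ == "__main__":
    for pid, (reason, chain, installer) in sorted(flag(SAMPLE).items()):
        print(f"{pid:>5}  {reason:<45} installer={installer}  {chain}")
```

The installer flag is what separates "a setup program registering its VSS provider" from "something stopping the shadow-copy provider out of nowhere": the same rule hits should be treated very differently when the chain ends at an interactive explorer.exe, a scheduled task, or a process running out of a browser download directory, so the chain string is worth carrying into whatever ticket or alert the hit feeds.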
Total events
26 354
Read events
26 209
Write events
132
Delete events
13

Modification events

Process | Operation | Key | Name = Value
(2024) AliyunWrapExe.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | ProxyBypass = 1
(2024) AliyunWrapExe.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | IntranetName = 1
(2024) AliyunWrapExe.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet = 1
(2024) AliyunWrapExe.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect = 0
(2024) AliyunWrapExe.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies | CachePrefix = Cookie:
(2024) AliyunWrapExe.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History | CachePrefix = Visited:
(3964) EDownloader.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | ProxyBypass = 1
(3964) EDownloader.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | IntranetName = 1
(3964) EDownloader.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet = 1
(3964) EDownloader.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect = 0

Only 10 of the 132 write events are shown, and all ten are the values WinINet initializes the first time a process uses it in a fresh profile (the ZoneMap ProxyBypass/IntranetName/UNCAsIntranet/AutoDetect values and the cache CachePrefix entries). They are what the "Reads the Internet Settings" and "Checks proxy server information" signatures react to and appear in reports of practically any program that downloads with WinINet; they are not a proxy or security-zone change made by the sample.
Executable files
2 026
Suspicious files
280
Text files
3 636
Unknown types
21

Dropped files

Ten of the dropped files are listed (PID and process, then filename with type, then hashes):

5512 TB_Free_Installer_20231215.681457.exe
  C:\Users\admin\AppData\Local\Temp\downloader_easeus\1.0.0\3free\Chinese.ini (text)
  MD5: 2C1109202C5BD64CFBD15440DBFB9E15  SHA256: 503DED4C87EC70CF80920CD35985A34A7F7DF4280E8ACD2915BB105140057AA4
5512 TB_Free_Installer_20231215.681457.exe
  C:\Users\admin\AppData\Local\Temp\downloader_easeus\1.0.0\3free\German.ini (text)
  MD5: 11847D6DED619EF00FE65D073DCA2395  SHA256: 432729DF19211765091F56578437A3564667572430B36DFF2BF48B28F15A0C06
5512 TB_Free_Installer_20231215.681457.exe
  C:\Users\admin\AppData\Local\Temp\downloader_easeus\1.0.0\3free\skin.zip (compressed)
  MD5: 6128C00BD164D955181B086094E5FC71  SHA256: 93F8192AF82712DF7EEEADBBC8DDCBDD4F8338AF96015E4ED11EF7FC9AB09696
5512 TB_Free_Installer_20231215.681457.exe
  C:\Users\admin\AppData\Local\Temp\downloader_easeus\1.0.0\3free\Thai.ini (text)
  MD5: BCC36966A90CAE79F672FBEE5837B7C6  SHA256: 1CED29046919352C215B50096D00FCB1D899072C309B7AFB807F3696E9459871
5512 TB_Free_Installer_20231215.681457.exe
  C:\Users\admin\AppData\Local\Temp\downloader_easeus\1.0.0\3free\ChineseTrad.ini (text)
  MD5: 83ED2F53BC9654D852DB7A304DCE10AB  SHA256: CC4D59587283D2F1190D00B56D1C5E100A4DAC71D540141C61975EAD907E8FD2
5512 TB_Free_Installer_20231215.681457.exe
  C:\Users\admin\AppData\Local\Temp\downloader_easeus\1.0.0\3free\aliyun\AliyunConfig.ini (text)
  MD5: 926917A04174D16BFC52C679B93C30DE  SHA256: 6227467C437F6DB349DE49ABFD16C547C94B277F6B75F598D84FEC5F7F7AB083
5512 TB_Free_Installer_20231215.681457.exe
  C:\Users\admin\AppData\Local\Temp\downloader_easeus\1.0.0\3free\LanguageTransfor.ini (text)
  MD5: 008516FB41014EEE340FF4B4AB030CBC  SHA256: 80193C8D307D982CF45FBF62F0EEE3B7EC5522DECA8A027155875D610C63657C
5512 TB_Free_Installer_20231215.681457.exe
  C:\Users\admin\AppData\Local\Temp\downloader_easeus\1.0.0\3free\aliyun\AliyunConfig_tmp.ini (text)
  MD5: A8D163D9B41A27BEC4AF06CE151D7B65  SHA256: F6C91DF5C03EDED837330E0CB2FFD170FE9003A726065190E56E922FA3824DC2
3964 EDownloader.exe
  C:\Users\admin\AppData\Local\Temp\TB_free_easeus.exe.temp
  MD5 / SHA256: not recorded in the report
3964 EDownloader.exe
  C:\Users\admin\AppData\Local\Temp\TB_free_easeus.exe
  MD5 / SHA256: not recorded in the report
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
101
TCP/UDP connections
117
DNS requests
45
Threats
18

HTTP requests

Ten of the 101 requests are listed. The CN and Reputation columns read "unknown" for every row and are omitted; "-" marks a field the report left empty.

PID | Process | Method | HTTP code | IP | URL | Type | Size
2024 | AliyunWrapExe.exe | GET | 200 | 163.171.156.15:80 | http://track.easeus.com/product/index.php?c=main&a=getstatus&pid=0 | binary | 21 b
880 | svchost.exe | GET | 200 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?ba8520f5c7f95796 | compressed | 4.66 Kb
2024 | AliyunWrapExe.exe | POST | 200 | 47.252.97.212:80 | http://easeusinfo.us-east-1.log.aliyuncs.com/logstores/logstore_tbp_downloader/shards/lb | - | -
2024 | AliyunWrapExe.exe | POST | 200 | 47.252.97.212:80 | http://easeusinfo.us-east-1.log.aliyuncs.com/logstores/logstore_tbp_downloader/shards/lb | - | -
3964 | EDownloader.exe | POST | 200 | 143.204.98.38:80 | http://download.easeus.com/api2/index.php/Apicp/Drwdl202004/index/ | binary | 489 b
2024 | AliyunWrapExe.exe | POST | 200 | 47.252.97.212:80 | http://easeusinfo.us-east-1.log.aliyuncs.com/logstores/logstore_tbp_downloader/shards/lb | - | -
3964 | EDownloader.exe | GET | - | 18.66.112.6:443 | https://d1.easeus.com/tb/free/TodoBackup16.0_free.exe | - | -
2024 | AliyunWrapExe.exe | POST | 200 | 47.252.97.212:80 | http://easeusinfo.us-east-1.log.aliyuncs.com/logstores/logstore_tbp_downloader/shards/lb | - | -
1396 | svchost.exe | GET | 200 | 104.124.11.219:80 | http://www.msftconnecttest.com/connecttest.txt | text | 22 b
3964 | EDownloader.exe | GET | - | 18.66.112.125:443 | https://d1.easeus.com/tb/free/TodoBackup16.0_free.exe | - | -

Connections

Ten of the 117 connections are listed; "-" marks a field the report left empty.

PID | Process | IP | Domain | ASN | CN | Reputation
4560 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
2024 | AliyunWrapExe.exe | 163.171.156.15:80 | track.easeus.com | QUANTILNETWORKS | DE | unknown
3964 | EDownloader.exe | 143.204.98.38:80 | download.easeus.com | AMAZON-02 | US | unknown
1396 | svchost.exe | 104.124.11.185:80 | - | Akamai International B.V. | DE | unknown
5848 | OfficeC2RClient.exe | 52.109.32.97:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | GB | unknown
2024 | AliyunWrapExe.exe | 47.252.97.212:80 | easeusinfo.us-east-1.log.aliyuncs.com | Alibaba US Technology Co., Ltd. | US | unknown
880 | svchost.exe | 20.190.159.75:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
880 | svchost.exe | 93.184.221.240:80 | ctldl.windowsupdate.com | EDGECAST | GB | whitelisted
3964 | EDownloader.exe | 18.66.112.38:443 | d1.easeus.com | AMAZON-02 | US | unknown
2852 | svchost.exe | 20.189.173.2:443 | v20.events.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown

Only the AliyunWrapExe.exe and EDownloader.exe rows are attributable to the sample. The svchost.exe and OfficeC2RClient.exe rows (SSDP multicast, the network connectivity probe, the disallowed-certificate CTL download, the Live login endpoint and Office/Windows telemetry) are the guest's own background traffic and should not go into an indicator list.

DNS requests

Domain
IP
Reputation
download.easeus.com
  • 143.204.98.38
  • 143.204.98.43
  • 143.204.98.3
  • 143.204.98.21
unknown
track.easeus.com
  • 163.171.156.15
unknown
easeusinfo.us-east-1.log.aliyuncs.com
  • 47.252.97.212
  • 47.252.97.15
  • 47.252.97.14
  • 47.252.97.13
  • 47.252.97.12
  • 47.252.97.11
  • 47.252.97.10
  • 47.252.97.9
  • 47.252.97.8
unknown
login.live.com
  • 20.190.159.75
  • 40.126.31.73
  • 20.190.159.68
  • 20.190.159.4
  • 20.190.159.73
  • 40.126.31.71
  • 40.126.31.67
  • 20.190.159.2
  • 40.126.32.140
  • 40.126.32.74
  • 40.126.32.134
  • 20.190.160.14
  • 40.126.32.138
  • 40.126.32.68
  • 40.126.32.133
  • 40.126.32.76
  • 20.190.160.22
  • 20.190.160.17
  • 20.190.160.20
whitelisted
ctldl.windowsupdate.com
  • 93.184.221.240
whitelisted
d1.easeus.com
  • 18.66.112.38
  • 18.66.112.111
  • 18.66.112.6
  • 18.66.112.125
unknown
v20.events.data.microsoft.com
  • 20.189.173.2
whitelisted
ecs.office.com
  • 52.113.194.132
whitelisted
mrodevicemgr.officeapps.live.com
  • 52.109.89.117
whitelisted
fs.microsoft.com
  • 23.211.8.90
whitelisted

Threats

Ten of the 18 alerts are listed:

PID | Process | Class | Message
2024 | AliyunWrapExe.exe | Generic Protocol Command Decode | SURICATA HTTP Request unrecognized authorization method (4 alerts)
1396 | svchost.exe | Misc activity | ET INFO Microsoft Connection Test
2024 | AliyunWrapExe.exe | Generic Protocol Command Decode | SURICATA HTTP Request unrecognized authorization method (3 alerts)
6056 | AliyunWrapExe.exe | Generic Protocol Command Decode | SURICATA HTTP Request unrecognized authorization method (2 alerts)

The decode alerts belong to AliyunWrapExe.exe's POSTs to easeusinfo.us-east-1.log.aliyuncs.com. The Alibaba Cloud Log Service API authenticates requests with an Authorization: LOG <AccessKeyId>:<Signature> header, a scheme Suricata's HTTP decoder does not recognize, so the alert records a non-standard header rather than a known-bad pattern. The ET INFO alert is the guest's own connectivity probe to www.msftconnecttest.com.
Debug output

Process | Message
Agent.exe | Ldq : Agent call CreateService is success!
Agent.exe | Init Log
Agent.exe | Ldq : Agent start install!
Agent.exe | Ldq : Agent call CreateService!
Agent.exe | Init Log
Agent.exe | Ldq : Agent entry ServiceMain!
Agent.exe | Ldq : Agent set service description!
Agent.exe | socket closed
Agent.exe | Failed to Load lib (Err=0x12529002) CheckTool
Agent.exe | Zy : Instance CheckTool!