download:

/bitwiper.php

Full analysis: https://app.any.run/tasks/6ce96b6b-c74f-4712-9acd-d12aadb9e350
Verdict: Malicious activity
Threats:

Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security.

Analysis date: May 22, 2025, 22:02:04
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
adware
gexin
installer
delphi
inno
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections
MD5:

1303A129181FC5A2BEA6BD104E81BEBA

SHA1:

340ACC315A177E29A01B1A640BADF718E85F73C2

SHA256:

A76183EA576D67C6874F7D6BA0E27F0E984BA5334999324FA9C943F0912B594C

SSDEEP:

98304:mxlAk8BUEbnb0moAFSIQU0LQzZh2uWaYq3hjOryKPnRCWICBTH92fxLvHW9NPbhT:UizvxFw

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • GEXIN has been detected (SURICATA)

      • AliyunWrapExe.exe (PID: 6048)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • bitwiper.php.exe (PID: 4776)
      • bw_free_easeus.exe (PID: 8064)
      • bw_free_easeus.tmp (PID: 8104)
    • Reads security settings of Internet Explorer

      • AliyunWrapExe.exe (PID: 6048)
      • AliyunWrapExe.exe (PID: 8152)
    • Access to an unwanted program domain was detected

      • AliyunWrapExe.exe (PID: 6048)
    • Reads the Windows owner or organization settings

      • bw_free_easeus.tmp (PID: 8104)
    • Process drops legitimate windows executable

      • bw_free_easeus.tmp (PID: 8104)
    • Drops 7-zip archiver for unpacking

      • bw_free_easeus.tmp (PID: 8104)
    • Drops a system driver (possible attempt to evade defenses)

      • bw_free_easeus.tmp (PID: 8104)
    • The process drops C-runtime libraries

      • bw_free_easeus.tmp (PID: 8104)
  • INFO

    • Creates files or folders in the user directory

      • AliyunWrapExe.exe (PID: 6048)
      • AliyunWrapExe.exe (PID: 8152)
    • Reads the computer name

      • EDownloader.exe (PID: 6972)
      • AliyunWrapExe.exe (PID: 6048)
      • bw_free_easeus.tmp (PID: 8104)
      • InfoForSetup.exe (PID: 8128)
      • AliyunWrapExe.exe (PID: 8152)
    • Checks supported languages

      • InfoForSetup.exe (PID: 1676)
      • InfoForSetup.exe (PID: 5428)
      • AliyunWrapExe.exe (PID: 6048)
      • InfoForSetup.exe (PID: 812)
      • bitwiper.php.exe (PID: 4776)
      • EDownloader.exe (PID: 6972)
      • InfoForSetup.exe (PID: 4224)
      • InfoForSetup.exe (PID: 5576)
      • InfoForSetup.exe (PID: 5512)
      • AliyunWrapExe.exe (PID: 8152)
      • InfoForSetup.exe (PID: 1052)
      • InfoForSetup.exe (PID: 8000)
      • bw_free_easeus.tmp (PID: 8104)
      • InfoForSetup.exe (PID: 8028)
      • bw_free_easeus.exe (PID: 8064)
      • InfoForSetup.exe (PID: 8128)
      • InfoForSetup.exe (PID: 7180)
    • Create files in a temporary directory

      • AliyunWrapExe.exe (PID: 6048)
      • EDownloader.exe (PID: 6972)
      • bitwiper.php.exe (PID: 4776)
      • bw_free_easeus.tmp (PID: 8104)
      • bw_free_easeus.exe (PID: 8064)
      • AliyunWrapExe.exe (PID: 8152)
    • Checks proxy server information

      • AliyunWrapExe.exe (PID: 6048)
      • AliyunWrapExe.exe (PID: 8152)
    • Manual execution by a user

      • firefox.exe (PID: 4696)
      • Taskmgr.exe (PID: 1128)
      • Taskmgr.exe (PID: 4896)
      • DataWiper.exe (PID: 8112)
      • Taskmgr.exe (PID: 7416)
      • Taskmgr.exe (PID: 7484)
      • DataWiper.exe (PID: 7188)
      • WinRAR.exe (PID: 1600)
    • Application launched itself

      • firefox.exe (PID: 4696)
      • firefox.exe (PID: 1180)
    • Reads the machine GUID from the registry

      • EDownloader.exe (PID: 6972)
    • The sample compiled with chinese language support

      • bw_free_easeus.tmp (PID: 8104)
    • The sample compiled with english language support

      • bw_free_easeus.tmp (PID: 8104)
      • WinRAR.exe (PID: 1600)
    • Detects InnoSetup installer (YARA)

      • bw_free_easeus.exe (PID: 8064)
      • bw_free_easeus.tmp (PID: 8104)
    • Compiled with Borland Delphi (YARA)

      • bw_free_easeus.tmp (PID: 8104)
      • bw_free_easeus.exe (PID: 8064)
    • Reads the software policy settings

      • slui.exe (PID: 4560)
    • Reads security settings of Internet Explorer

      • Taskmgr.exe (PID: 4896)
    • Creates files in the program directory

      • bw_free_easeus.tmp (PID: 8104)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 1600)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2018:01:30 03:57:48+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 26624
InitializedDataSize: 186368
UninitializedDataSize: 2048
EntryPoint: 0x338f
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes
179
Monitored processes
41
Malicious processes
4
Suspicious processes
2

Behavior graph

[Interactive process graph not reproduced. Processes shown in the graph, in graph order ("no specs" marks nodes without listed indicators):]
start, bitwiper.php.exe, edownloader.exe, infoforsetup.exe (no specs), infoforsetup.exe (no specs), #GEXIN aliyunwrapexe.exe, infoforsetup.exe (no specs), sppextcomobj.exe (no specs), slui.exe, infoforsetup.exe (no specs), infoforsetup.exe (no specs), infoforsetup.exe (no specs), infoforsetup.exe (no specs), firefox.exe (no specs), firefox.exe, firefox.exe (no specs), firefox.exe (no specs), firefox.exe (no specs), firefox.exe (no specs), firefox.exe (no specs), firefox.exe (no specs), firefox.exe (no specs), firefox.exe (no specs), infoforsetup.exe (no specs), infoforsetup.exe (no specs), bw_free_easeus.exe, bw_free_easeus.tmp, infoforsetup.exe (no specs), aliyunwrapexe.exe, infoforsetup.exe (no specs), rundll32.exe (no specs), slui.exe, taskmgr.exe (no specs), taskmgr.exe, winrar.exe, shellexperiencehost.exe (no specs), systemsettingsbroker.exe (no specs), taskmgr.exe (no specs), taskmgr.exe, datawiper.exe (no specs), datawiper.exe, bitwiper.php.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID:
684
CMD:
"C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
Path:
C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
Parent process:
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Shell Experience Host
Version:
10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\wincorlib.dll
PID:
812
CMD:
/SendInfo Window "Home_Installer" Activity "Result_Download_Configurefile" Attribute "{\"CDN\":\"http://download.easeus.com/api2/index.php/Apicp/Drwdl202004/index/\",\"Elapsed\":\"2\",\"Errorinfo\":\"0\",\"PostURL\":\"http://download.easeus.com/api2/index.php/Apicp/Drwdl202004/index/?exeNumber=&lang=English&pcVersion=home&pid=23&tid=1&version=free\",\"ResponseJson\":\"{\\"check\\":1,\\"msg\\":\\"\\u83b7\\u53d6\\u9ed8\\u8ba4\\u5305\\u914d\\u7f6e\\u6210\\u529f\\",\\"data\\":{\\"pid\\":\\"23\\",\\"version\\":\\"free\\",\\"tj_download\\":\\"test\\",\\"referNumber\\":\\"1000000\\",\\"killSwitch\\":\\"true\\",\\"WriteLogSwitch\\":\\"false\\",\\"curNum\\":\\"2.0.1\\",\\"testid\\":\\"1213\\",\\"configid\\":\\"\\",\\"md5\\":\\"7622AD02509AAC05DB21388C5161B5E8\\",\\"download\\":\\"https:\\/\\/d1.easeus.com\\/bitwiper\\/free\\/bw2.0.1_free.exe\\",\\"download2\\":\\"https:\\/\\/d2.easeus.com\\/bitwiper\\/free\\/bw2.0.1_free.exe\\",\\"download3\\":\\"https:\\/\\/d3.easeus.com\\/bitwiper\\/free\\/bw2.0.1_free.exe\\",\\"url\\":[]},\\"time\\":1747951333}\",\"Result\":\"Success\"}"
Path:
C:\Users\admin\AppData\Local\Temp\downloader_easeus\1.0.0\23free\aliyun\InfoForSetup.exe
Parent process:
EDownloader.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\downloader_easeus\1.0.0\23free\aliyun\infoforsetup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shell32.dll
PID:
856
CMD:
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2268 -childID 1 -isForBrowser -prefsHandle 2272 -prefMapHandle 2264 -prefsLen 31447 -prefMapSize 244583 -jsInitHandle 1284 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7536b4cf-1967-4c2e-af72-0f4425d61d35} 1180 "\\.\pipe\gecko-crash-server-pipe.1180" 1e4a9a42f50 tab
Path:
C:\Program Files\Mozilla Firefox\firefox.exe
Parent process:
firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
c:\windows\system32\vcruntime140_1.dll
c:\windows\system32\crypt32.dll
PID:
960
CMD:
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4344 -childID 2 -isForBrowser -prefsHandle 4336 -prefMapHandle 4332 -prefsLen 36588 -prefMapSize 244583 -jsInitHandle 1284 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ac12ebef-4a36-4390-8f66-44fe12ae4f59} 1180 "\\.\pipe\gecko-crash-server-pipe.1180" 1e4ac130a10 tab
Path:
C:\Program Files\Mozilla Firefox\firefox.exe
Parent process:
firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
PID:
1052
CMD:
/SendInfo Window "Home_Installer" Activity "Click_Install" Attribute "{\"Install_Path\":\"C:/Program Files (x86)/EaseUS/EaseUS BitWiper\",\"Language\":\"English\",\"Os\":\"Microsoft Windows 10\",\"Timezone\":\"GMT-00:00\",\"Version\":\"free\",\"Version_Num\":\"2.0.1\"}"
Path:
C:\Users\admin\AppData\Local\Temp\downloader_easeus\1.0.0\23free\aliyun\InfoForSetup.exe
Parent process:
EDownloader.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\downloader_easeus\1.0.0\23free\aliyun\infoforsetup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shell32.dll
PID:
1128
CMD:
"C:\WINDOWS\system32\taskmgr.exe" /4
Path:
C:\Windows\System32\Taskmgr.exe
Parent process:
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Task Manager
Exit code:
3221226540
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\taskmgr.exe
c:\windows\system32\ntdll.dll
PID:
1180
CMD:
"C:\Program Files\Mozilla Firefox\firefox.exe"
Path:
C:\Program Files\Mozilla Firefox\firefox.exe
Parent process:
firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
PID:
1600
CMD:
"C:\Program Files\WinRAR\WinRAR.exe" x -iext -ow -ver -- "C:\Users\admin\Downloads\EaseUS.BitWiper.Pro.2.1.0.rar" C:\Users\admin\Downloads\EaseUS.BitWiper.Pro.2.1.0\
Path:
C:\Program Files\WinRAR\WinRAR.exe
Parent process:
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID:
1676
CMD:
/Uid "S-1-5-21-1693682860-607145093-2874071422-1001"
Path:
C:\Users\admin\AppData\Local\Temp\downloader_easeus\1.0.0\23free\aliyun\InfoForSetup.exe
Parent process:
EDownloader.exe
User:
admin
Integrity Level:
HIGH
Exit code:
1
Modules
Images
c:\users\admin\appdata\local\temp\downloader_easeus\1.0.0\23free\aliyun\infoforsetup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shell32.dll
PID:
1852
CMD:
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2152 -parentBuildID 20240213221259 -prefsHandle 2060 -prefMapHandle 1280 -prefsLen 31031 -prefMapSize 244583 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ec31ce3b-c0d9-410f-8578-db6776af0e97} 1180 "\\.\pipe\gecko-crash-server-pipe.1180" 1e497e82f10 socket
Path:
C:\Program Files\Mozilla Firefox\firefox.exe
Parent process:
firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
Total events
22 845
Read events
22 819
Write events
24
Delete events
2

Modification events

PID: 6048 | Process: AliyunWrapExe.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write | Name: CachePrefix
Value:

PID: 6048 | Process: AliyunWrapExe.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write | Name: CachePrefix
Value: Cookie:

PID: 6048 | Process: AliyunWrapExe.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write | Name: CachePrefix
Value: Visited:

PID: 1180 | Process: firefox.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\DllPrefetchExperiment
Operation: write | Name: C:\Program Files\Mozilla Firefox\firefox.exe
Value: 0

PID: 8152 | Process: AliyunWrapExe.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write | Name: CachePrefix
Value:

PID: 8152 | Process: AliyunWrapExe.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write | Name: CachePrefix
Value: Cookie:

PID: 8152 | Process: AliyunWrapExe.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write | Name: CachePrefix
Value: Visited:

PID: 8104 | Process: bw_free_easeus.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\EaseUS\EDW
Operation: write | Name: install_tmp
Value: 1

PID: 4896 | Process: Taskmgr.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\TaskManager
Operation: delete value | Name: Preferences
Value:

PID: 4896 | Process: Taskmgr.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\TaskManager
Operation: write | Name: Preferences
Value:
Executable files
844
Suspicious files
920
Text files
2 651
Unknown types
0

Dropped files

PID | Process | Filename | Type

4776 | bitwiper.php.exe | C:\Users\admin\AppData\Local\Temp\downloader_easeus\1.0.0\23free\Korean.ini | text
MD5: 54A4072D5D8D32A7883669892890534B
SHA256: 61D1DBE65F36E0445D4B46DDB68E9060F6F845DB38AF63C0B330597CF23B142D

4776 | bitwiper.php.exe | C:\Users\admin\AppData\Local\Temp\downloader_easeus\1.0.0\23free\skin.zip | compressed
MD5: 227C3C6361DC3A39FF815CADF02DF037
SHA256: 3ACFF89DA13619A3C79A5DBFF18288EC0F4B5AF940EC9411CD5EAE2065922FAC

4776 | bitwiper.php.exe | C:\Users\admin\AppData\Local\Temp\downloader_easeus\1.0.0\23free\Italian.ini | text
MD5: 2C96B066DB6928169F0FF81105B73A2F
SHA256: BD66DF988A5EEAE11B447F600217B685D63910F72222E5A08205EA24364D09A5

4776 | bitwiper.php.exe | C:\Users\admin\AppData\Local\Temp\downloader_easeus\1.0.0\23free\EDownloader.exe | executable
MD5: 8863A01217199088AC8FEA52ECBD647F
SHA256: DEAE73F90A1F606A790F35476C5D867DF16ADFD58464DC83752B89AE71CFD1C9

4776 | bitwiper.php.exe | C:\Users\admin\AppData\Local\Temp\downloader_easeus\1.0.0\23free\Malaysian.ini | text
MD5: FD9AC78A1F8779CEEFCBA1F631B45184
SHA256: 31A2D2D5053E9D4EB28796A1937A5CD9D9372CAA1D921A3C4DEE6E3950C53AC4

4776 | bitwiper.php.exe | C:\Users\admin\AppData\Local\Temp\downloader_easeus\1.0.0\23free\InitConfigure.ini | text
MD5: 8EDA24FCCD639E323820D5CB0AE4612C
SHA256: 5D9DE254F23A846186BDA6810CF95FA8EE26D15ABF80370D0A402C4696068D9E

4776 | bitwiper.php.exe | C:\Users\admin\AppData\Local\Temp\downloader_easeus\1.0.0\23free\Polish.ini | text
MD5: 250681D5DBD6253B29727F931967A2F8
SHA256: 7E87FCC4DC4DD3F4FF029C0615CD19412918D6EAC4FE56CB674DAC9CDC2086AA

4776 | bitwiper.php.exe | C:\Users\admin\AppData\Local\Temp\downloader_easeus\1.0.0\23free\ChineseTrad.ini | text
MD5: B952CCBAD54724D36811CF73639117F1
SHA256: E6F5CA36A036EE77E9E9DC35067DC593F4FC8E5A942F5B45A40D52447C77D835

4776 | bitwiper.php.exe | C:\Users\admin\AppData\Local\Temp\downloader_easeus\1.0.0\23free\Arabic.ini | text
MD5: D7BED969A3FAFBCB0E508040FA5834D5
SHA256: C6C45CE706E4075233C9BC9FD622D2A6FC3150FF20DA8C8BF544CB4DEBA4A029

4776 | bitwiper.php.exe | C:\Users\admin\AppData\Local\Temp\downloader_easeus\1.0.0\23free\French.ini | text
MD5: E5984DBD18892137CE27F6F07C05D633
SHA256: 0E9EF5BC1C829C0E6C5866146553027B2ACE819813D93C1AC50570BBCDF73210
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
42
TCP/UDP connections
95
DNS requests
130
Threats
14

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5496
MoUsoCoreWorker.exe
GET
200
2.16.241.12:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5496
MoUsoCoreWorker.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
2104
svchost.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
6972
EDownloader.exe
POST
200
3.167.227.63:80
http://download.easeus.com/api2/index.php/Apicp/Drwdl202004/index/
unknown
unknown
6048
AliyunWrapExe.exe
GET
200
8.218.236.152:80
http://track.easeus.com/product/index.php?c=main&a=getstatus&pid=23
unknown
unknown
6048
AliyunWrapExe.exe
POST
200
47.252.97.212:80
http://easeusinfo.us-east-1.log.aliyuncs.com/logstores/logstore_bitwiper_installer_ip/shards/lb
unknown
unknown
6048
AliyunWrapExe.exe
POST
200
47.252.97.212:80
http://easeusinfo.us-east-1.log.aliyuncs.com/logstores/logstore_bitwiper_installer_ip/shards/lb
unknown
unknown
6544
svchost.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
6048
AliyunWrapExe.exe
POST
200
47.252.97.212:80
http://easeusinfo.us-east-1.log.aliyuncs.com/logstores/logstore_bitwiper_installer_ip/shards/lb
unknown
unknown
6048
AliyunWrapExe.exe
POST
200
47.252.97.212:80
http://easeusinfo.us-east-1.log.aliyuncs.com/logstores/logstore_bitwiper_installer_ip/shards/lb
unknown
unknown

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5496
MoUsoCoreWorker.exe
2.16.241.12:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5496
MoUsoCoreWorker.exe
2.23.246.101:80
www.microsoft.com
Ooredoo Q.S.C.
QA
whitelisted
2104
svchost.exe
2.23.246.101:80
www.microsoft.com
Ooredoo Q.S.C.
QA
whitelisted
6048
AliyunWrapExe.exe
8.218.236.152:80
track.easeus.com
Alibaba US Technology Co., Ltd.
HK
suspicious
6972
EDownloader.exe
3.167.227.63:80
download.easeus.com
US
unknown
6048
AliyunWrapExe.exe
47.252.97.212:80
easeusinfo.us-east-1.log.aliyuncs.com
Alibaba US Technology Co., Ltd.
US
unknown
3216
svchost.exe
172.211.123.250:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.185.206
whitelisted
settings-win.data.microsoft.com
  • 20.73.194.208
whitelisted
crl.microsoft.com
  • 2.16.241.12
  • 2.16.241.19
whitelisted
www.microsoft.com
  • 2.23.246.101
  • 184.30.21.171
whitelisted
download.easeus.com
  • 3.167.227.63
  • 3.167.227.3
  • 3.167.227.5
  • 3.167.227.34
unknown
track.easeus.com
  • 8.218.236.152
unknown
easeusinfo.us-east-1.log.aliyuncs.com
  • 47.252.97.212
  • 47.252.97.15
  • 47.252.97.11
  • 47.252.97.13
  • 47.252.97.12
  • 47.252.97.14
  • 47.252.97.9
  • 47.252.97.8
  • 47.252.97.10
unknown
client.wns.windows.com
  • 172.211.123.250
whitelisted
login.live.com
  • 20.190.159.130
  • 20.190.159.2
  • 40.126.31.1
  • 40.126.31.73
  • 20.190.159.68
  • 20.190.159.75
  • 40.126.31.130
  • 20.190.159.73
whitelisted
ocsp.digicert.com
  • 2.23.77.188
  • 2.17.190.73
whitelisted

Threats

PID
Process
Class
Message
6048
AliyunWrapExe.exe
Generic Protocol Command Decode
SURICATA HTTP Request unrecognized authorization method
2196
svchost.exe
Misc activity
ET INFO DNS Query to Alibaba Cloud CDN Domain (aliyuncs .com)
6048
AliyunWrapExe.exe
Possibly Unwanted Program Detected
ADWARE [ANY.RUN] Gexin Installer POST Request
6048
AliyunWrapExe.exe
Generic Protocol Command Decode
SURICATA HTTP Request unrecognized authorization method
6048
AliyunWrapExe.exe
Generic Protocol Command Decode
SURICATA HTTP Request unrecognized authorization method
6048
AliyunWrapExe.exe
Generic Protocol Command Decode
SURICATA HTTP Request unrecognized authorization method
6048
AliyunWrapExe.exe
Generic Protocol Command Decode
SURICATA HTTP Request unrecognized authorization method
6048
AliyunWrapExe.exe
Generic Protocol Command Decode
SURICATA HTTP Request unrecognized authorization method
6048
AliyunWrapExe.exe
Generic Protocol Command Decode
SURICATA HTTP Request unrecognized authorization method
2196
svchost.exe
Misc activity
ET INFO DNS Query to Alibaba Cloud CDN Domain (aliyuncs .com)
No debug info