analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

http://download.easeus.com/free/tb_free_12.0.exe

Full analysis: https://app.any.run/tasks/3f9040bd-971b-4353-8118-3928102336bf
Verdict: Malicious activity
Analysis date: February 22, 2020, 06:30:26
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
opendir
Indicators:
MD5:

415A4C78BE9938F0A15A85266DD5A5B5

SHA1:

5CD52CA984CC0BB0ED377007C67F48D86890477D

SHA256:

AA6B0CAFCD8F30A0689700AA70E338723566EE2A2B12EEC813E0E80501445C4E

SSDEEP:

3:N1KaKElTQJaLxLVLN:Ca5k0LrN

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    No suspicious indicators.

  • INFO

    • Changes internet zones settings

      • iexplore.exe (PID: 580)

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 580)
      • iexplore.exe (PID: 3580)

    • Modifies the phishing filter of IE

      • iexplore.exe (PID: 580)

    • Reads settings of System Certificates

      • iexplore.exe (PID: 580)

    • Changes settings of System certificates

      • iexplore.exe (PID: 580)

    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 580)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
41
Monitored processes
5
Malicious processes
0
Suspicious processes
0

Behavior graph

Click at the process to see the details
start iexplore.exe iexplore.exe tb_free_12.0.exe no specs tb_free_12.0.exe tb_free_12.0.tmp no specs

Process information

PID
CMD
Path
Indicators
Parent process
580"C:\Program Files\Internet Explorer\iexplore.exe" "http://download.easeus.com/free/tb_free_12.0.exe"C:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll
3580"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:580 CREDAT:267521 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll
2944"C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\tb_free_12.0.exe" C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\tb_free_12.0.exeiexplore.exe
User:
admin
Company:
CHENGDU YIWO Tech Development Co., Ltd
Integrity Level:
MEDIUM
Description:
EaseUS Todo Backup Free Setup
Exit code:
3221226540
Version:
12.0
Modules
Images
c:\users\admin\appdata\local\microsoft\windows\temporary internet files\content.ie5\b6qgx7lp\tb_free_12.0.exe
c:\systemroot\system32\ntdll.dll
676"C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\tb_free_12.0.exe" C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\tb_free_12.0.exe
iexplore.exe
User:
admin
Company:
CHENGDU YIWO Tech Development Co., Ltd
Integrity Level:
HIGH
Description:
EaseUS Todo Backup Free Setup
Version:
12.0
Modules
Images
c:\users\admin\appdata\local\microsoft\windows\temporary internet files\content.ie5\b6qgx7lp\tb_free_12.0.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
2812"C:\Users\admin\AppData\Local\Temp\is-F926D.tmp\tb_free_12.0.tmp" /SL5="$140224,96556787,677376,C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\tb_free_12.0.exe" C:\Users\admin\AppData\Local\Temp\is-F926D.tmp\tb_free_12.0.tmptb_free_12.0.exe
User:
admin
Integrity Level:
HIGH
Description:
Setup/Uninstall
Version:
51.1052.0.0
Total events
7 931
Read events
1 180
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
8
Text files
2
Unknown types
3

Dropped files

PID
Process
Filename
Type
3580iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\tb_free_12.0[1].exe
MD5:
SHA256:
3580iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\tb_free_12.0.exe.fr04acz.partial
MD5:
SHA256:
580iexplore.exeC:\Users\admin\AppData\Local\Temp\~DF79BE30761F49A490.TMP
MD5:
SHA256:
580iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\tb_free_12.0.exe.fr04acz.partial:Zone.Identifier
MD5:
SHA256:
580iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\tb_free_12.0.exe
MD5:
SHA256:
580iexplore.exeC:\Users\admin\AppData\Local\Temp\Cab4AB8.tmp
MD5:
SHA256:
580iexplore.exeC:\Users\admin\AppData\Local\Temp\Tar4AB9.tmp
MD5:
SHA256:
580iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver4AF9.tmp
MD5:
SHA256:
580iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{D7F4A199-553C-11EA-972D-5254004A04AF}.datbinary
MD5:00EA239EDBD7227E6B37D0919F760532
SHA256:B8B3F7456D6E992A5F984EAD6B81E6B27FE11CD446A90CD997F8CB6EC333443A
580iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203binary
MD5:BEE913AD48F9CE4FBD424BA5BFD857BD
SHA256:A7F14AFB3E84B3D13919F7DD3ED4DA681F6DF8C95ED5FD50EC0D2451BE01C55D
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
8
DNS requests
6
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3580
iexplore.exe
GET
200
205.185.216.10:80
http://download.easeus.com/free/tb_free_12.0.exe
US
92.7 Mb
malicious
580
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D
US
der
1.47 Kb
whitelisted
580
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D
US
der
1.47 Kb
whitelisted
580
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D
US
der
1.47 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
580
iexplore.exe
152.199.19.161:443
iecvlist.microsoft.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
3580
iexplore.exe
205.185.216.10:80
download.easeus.com
Highwinds Network Group, Inc.
US
whitelisted
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted

DNS requests

Domain
IP
Reputation
download.easeus.com
  • 205.185.216.10
  • 205.185.216.42
malicious
iecvlist.microsoft.com
  • 152.199.19.161
whitelisted
r20swj13mr.microsoft.com
  • 152.199.19.161
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted

Threats

PID
Process
Class
Message
3580
iexplore.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
3580
iexplore.exe
Misc activity
ET INFO EXE - Served Attached HTTP
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
http://download.easeus.com/free/tb_free_12.0.exe