File name:

EaseUS_Data_Recovery_Wizard_Free_v15.2.exe

Full analysis: https://app.any.run/tasks/87b9ec58-2c9d-4242-a49e-8f385e89613d
Verdict: Malicious activity
Threats:

Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security.

Analysis date: April 14, 2025, 10:16:48
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
adware
gexin
installer
delphi
inno
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections
MD5:

541B95C11851587236243AD9BFF10B09

SHA1:

F299CE92404338858943F37A1A6BD4CF9143D1D0

SHA256:

D9E5FDE02EBF547DDFA96651E6DAC9202E934AC3F4C69E1D28278233EBE28FF7

SSDEEP:

98304:KR6/myT4429xvf1rpEqBQKj6lA1nCdRmSHfiwGVve0f0RrD3jbhayKJa2rGoYO9C:ndL

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • GEXIN has been detected (SURICATA)

      • AliyunWrapExe.exe (PID: 7524)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • EaseUS_Data_Recovery_Wizard_Free_v15.2.exe (PID: 7324)
      • drw16.0.0.0_free.exe (PID: 7200)
      • drw16.0.0.0_free.tmp (PID: 7208)
    • Reads security settings of Internet Explorer

      • EDownloader.exe (PID: 7372)
      • AliyunWrapExe.exe (PID: 7524)
      • AliyunWrapExe.exe (PID: 5024)
    • Access to an unwanted program domain was detected

      • AliyunWrapExe.exe (PID: 7524)
    • Reads Internet Explorer settings

      • EDownloader.exe (PID: 7372)
    • Reads the Windows owner or organization settings

      • drw16.0.0.0_free.tmp (PID: 7208)
    • Reads Microsoft Outlook installation path

      • EDownloader.exe (PID: 7372)
    • Process drops legitimate windows executable

      • drw16.0.0.0_free.tmp (PID: 7208)
    • The process drops C-runtime libraries

      • drw16.0.0.0_free.tmp (PID: 7208)
  • INFO

    • Checks supported languages

      • EDownloader.exe (PID: 7372)
      • EaseUS_Data_Recovery_Wizard_Free_v15.2.exe (PID: 7324)
      • InfoForSetup.exe (PID: 7396)
      • InfoForSetup.exe (PID: 7504)
      • AliyunWrapExe.exe (PID: 7524)
      • InfoForSetup.exe (PID: 7788)
      • InfoForSetup.exe (PID: 7888)
      • InfoForSetup.exe (PID: 8148)
      • InfoForSetup.exe (PID: 6944)
      • drw16.0.0.0_free.tmp (PID: 7208)
      • AliyunWrapExe.exe (PID: 5024)
      • InfoForSetup.exe (PID: 7228)
      • InfoForSetup.exe (PID: 7900)
      • drw16.0.0.0_free.exe (PID: 7200)
      • InfoForSetup.exe (PID: 780)
      • InfoForSetup.exe (PID: 2800)
      • InfoForSetup.exe (PID: 3100)
    • Create files in a temporary directory

      • EaseUS_Data_Recovery_Wizard_Free_v15.2.exe (PID: 7324)
      • EDownloader.exe (PID: 7372)
      • InfoForSetup.exe (PID: 7504)
      • AliyunWrapExe.exe (PID: 7524)
      • drw16.0.0.0_free.exe (PID: 7200)
      • drw16.0.0.0_free.tmp (PID: 7208)
      • AliyunWrapExe.exe (PID: 5024)
    • Reads the computer name

      • EDownloader.exe (PID: 7372)
      • AliyunWrapExe.exe (PID: 7524)
      • drw16.0.0.0_free.tmp (PID: 7208)
      • AliyunWrapExe.exe (PID: 5024)
    • Checks proxy server information

      • AliyunWrapExe.exe (PID: 7524)
      • EDownloader.exe (PID: 7372)
      • AliyunWrapExe.exe (PID: 5024)
      • slui.exe (PID: 7416)
    • Creates files or folders in the user directory

      • AliyunWrapExe.exe (PID: 7524)
      • AliyunWrapExe.exe (PID: 5024)
      • drw16.0.0.0_free.tmp (PID: 7208)
    • Reads the machine GUID from the registry

      • EDownloader.exe (PID: 7372)
    • Creates files in the program directory

      • drw16.0.0.0_free.tmp (PID: 7208)
    • The sample compiled with english language support

      • drw16.0.0.0_free.tmp (PID: 7208)
    • The sample compiled with russian language support

      • drw16.0.0.0_free.tmp (PID: 7208)
    • Detects InnoSetup installer (YARA)

      • drw16.0.0.0_free.tmp (PID: 7208)
      • drw16.0.0.0_free.exe (PID: 7200)
    • Compiled with Borland Delphi (YARA)

      • drw16.0.0.0_free.exe (PID: 7200)
      • drw16.0.0.0_free.tmp (PID: 7208)
    • Reads the software policy settings

      • slui.exe (PID: 7460)
      • slui.exe (PID: 7416)
    • The sample compiled with chinese language support

      • drw16.0.0.0_free.tmp (PID: 7208)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2018:01:30 03:57:48+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 26624
InitializedDataSize: 186368
UninitializedDataSize: 2048
EntryPoint: 0x338f
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes
157
Monitored processes
21
Malicious processes
4
Suspicious processes
2

Behavior graph

Process tree (processes marked "no specs" produced no indicators; "#GEXIN" marks the process that triggered the GEXIN detection):

  • start
    • easeus_data_recovery_wizard_free_v15.2.exe
    • edownloader.exe
    • infoforsetup.exe (no specs)
    • sppextcomobj.exe (no specs)
    • slui.exe
    • infoforsetup.exe (no specs)
    • aliyunwrapexe.exe (#GEXIN)
    • infoforsetup.exe (no specs)
    • infoforsetup.exe (no specs)
    • infoforsetup.exe (no specs)
    • infoforsetup.exe (no specs)
    • infoforsetup.exe (no specs)
    • drw16.0.0.0_free.exe
    • drw16.0.0.0_free.tmp
    • infoforsetup.exe (no specs)
    • aliyunwrapexe.exe
    • infoforsetup.exe (no specs)
    • infoforsetup.exe (no specs)
    • infoforsetup.exe (no specs)
    • slui.exe
    • easeus_data_recovery_wizard_free_v15.2.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID:
780
CMD:
"C:\Users\admin\AppData\Local\Temp\is-NO8VU.tmp\InfoForSetup.exe" /SendInfo "Window" "Licenseagreement" "Activity" "Click_Accept"
Path:
C:\Users\admin\AppData\Local\Temp\is-NO8VU.tmp\InfoForSetup.exe
Parent process:
drw16.0.0.0_free.tmp
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\is-no8vu.tmp\infoforsetup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shell32.dll
PID:
2800
CMD:
"C:\Users\admin\AppData\Local\Temp\is-NO8VU.tmp\InfoForSetup.exe" /SendInfo "Window" "Selectdestinationlocation" "Activity" "Click_Confirm" "Attribute" "{\"Path\":\"C:/Program Files/EaseUS/EaseUS Data Recovery Wizard\"}"
Path:
C:\Users\admin\AppData\Local\Temp\is-NO8VU.tmp\InfoForSetup.exe
Parent process:
drw16.0.0.0_free.tmp
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\is-no8vu.tmp\infoforsetup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shell32.dll
PID:
3100
CMD:
"C:\Users\admin\AppData\Local\Temp\is-NO8VU.tmp\InfoForSetup.exe" /SendInfo "Window" "Selectadditionaltasks" "Activity" "Click_Install" "Attribute" "{\"Test_id\":\"FR1600-05291\",\"Version\":\"Free_free\",\"Num\":\"16.0.0.0\",\"Language\":\"en\"}"
Path:
C:\Users\admin\AppData\Local\Temp\is-NO8VU.tmp\InfoForSetup.exe
Parent process:
drw16.0.0.0_free.tmp
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\is-no8vu.tmp\infoforsetup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shell32.dll
PID:
5024
CMD:
C:\Users\admin\AppData\Local\Temp\is-NO8VU.tmp\AliyunWrapExe.Exe
Path:
C:\Users\admin\AppData\Local\Temp\is-NO8VU.tmp\AliyunWrapExe.exe
Parent process:
InfoForSetup.exe
User:
admin
Integrity Level:
HIGH
Modules
Images
c:\users\admin\appdata\local\temp\is-no8vu.tmp\aliyunwrapexe.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\rpcrt4.dll
PID:
6944
CMD:
/SendInfo Window "Installing" Activity "Info_Start_Install_Program"
Path:
C:\Users\admin\AppData\Local\Temp\downloader_easeus\1.0.0\2FreeC\aliyun\InfoForSetup.exe
Parent process:
EDownloader.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\downloader_easeus\1.0.0\2freec\aliyun\infoforsetup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shell32.dll
PID:
7200
CMD:
/verysilent /DIR="C:\Program Files\EaseUS\EaseUS Data Recovery Wizard" /LANG=en agreeImprove= GUID=S-1-5-21-1693682860-607145093-2874071422-1001 xurlID=2 TestID=FR1600-05291
Path:
C:\Users\admin\AppData\Local\Temp\drw16.0.0.0_free.exe
Parent process:
EDownloader.exe
User:
admin
Company:
EaseUS
Integrity Level:
HIGH
Description:
EaseUS Data Recovery Wizard Setup
Version:
16.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\drw16.0.0.0_free.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
PID:
7208
CMD:
"C:\Users\admin\AppData\Local\Temp\is-P8IU8.tmp\drw16.0.0.0_free.tmp" /SL5="$702AA,61659532,192512,C:\Users\admin\AppData\Local\Temp\drw16.0.0.0_free.exe" /verysilent /DIR="C:\Program Files\EaseUS\EaseUS Data Recovery Wizard" /LANG=en agreeImprove= GUID=S-1-5-21-1693682860-607145093-2874071422-1001 xurlID=2 TestID=FR1600-05291
Path:
C:\Users\admin\AppData\Local\Temp\is-P8IU8.tmp\drw16.0.0.0_free.tmp
Parent process:
drw16.0.0.0_free.exe
User:
admin
Integrity Level:
HIGH
Description:
Setup/Uninstall
Version:
51.1052.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-p8iu8.tmp\drw16.0.0.0_free.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
PID:
7228
CMD:
"C:\Users\admin\AppData\Local\Temp\is-NO8VU.tmp\InfoForSetup.exe" /SendInfo "Window" "Langsel" "Activity" "Click_Confirm" "Attribute" "{\"Language\":\"en\"}"
Path:
C:\Users\admin\AppData\Local\Temp\is-NO8VU.tmp\InfoForSetup.exe
Parent process:
drw16.0.0.0_free.tmp
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\is-no8vu.tmp\infoforsetup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shell32.dll
PID:
7236
CMD:
"C:\Users\admin\AppData\Local\Temp\EaseUS_Data_Recovery_Wizard_Free_v15.2.exe"
Path:
C:\Users\admin\AppData\Local\Temp\EaseUS_Data_Recovery_Wizard_Free_v15.2.exe
Parent process:
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Modules
Images
c:\users\admin\appdata\local\temp\easeus_data_recovery_wizard_free_v15.2.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID:
7324
CMD:
"C:\Users\admin\AppData\Local\Temp\EaseUS_Data_Recovery_Wizard_Free_v15.2.exe"
Path:
C:\Users\admin\AppData\Local\Temp\EaseUS_Data_Recovery_Wizard_Free_v15.2.exe
Parent process:
explorer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\easeus_data_recovery_wizard_free_v15.2.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
Total events
4 418
Read events
4 409
Write events
9
Delete events
0

Modification events

(PID) Process: (7524) AliyunWrapExe.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:
(PID) Process: (7524) AliyunWrapExe.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value:
Cookie:
(PID) Process: (7524) AliyunWrapExe.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value:
Visited:
(PID) Process: (7372) EDownloader.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:
(PID) Process: (7372) EDownloader.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value:
Cookie:
(PID) Process: (7372) EDownloader.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value:
Visited:
(PID) Process: (5024) AliyunWrapExe.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:
(PID) Process: (5024) AliyunWrapExe.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value:
Cookie:
(PID) Process: (5024) AliyunWrapExe.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value:
Visited:
Executable files
584
Suspicious files
113
Text files
4 069
Unknown types
0

Dropped files

PID | Process | Filename | Type
7324 | EaseUS_Data_Recovery_Wizard_Free_v15.2.exe | C:\Users\admin\AppData\Local\Temp\downloader_easeus\1.0.0\2FreeC\Arabic.ini | text
MD5: 034B2B7CEFB6DDD4D83622643278A956
SHA256: 691CDCDA47CD6C5334614D6F977E694DA7BC5FE05298A12E421B30C8FA2DFFCC
7324 | EaseUS_Data_Recovery_Wizard_Free_v15.2.exe | C:\Users\admin\AppData\Local\Temp\downloader_easeus\1.0.0\2FreeC\German.ini | text
MD5: 7D90B08BA1342A509FDDE3719B512311
SHA256: 469AAAC85ADB47037F804A63F055A9A8C7D5CD9492099502FE7BEEEFAC882E4A
7324 | EaseUS_Data_Recovery_Wizard_Free_v15.2.exe | C:\Users\admin\AppData\Local\Temp\downloader_easeus\1.0.0\2FreeC\ChineseTrad.ini | text
MD5: 669E6E4732F04C1E3827AEBF0E8A9609
SHA256: CFFA81FDF31CB2BD5E8B6AB2615455C781663A580AA100DA906B2FBF4192BFC5
7324 | EaseUS_Data_Recovery_Wizard_Free_v15.2.exe | C:\Users\admin\AppData\Local\Temp\downloader_easeus\1.0.0\2FreeC\Danish.ini | text
MD5: C9FBA9B8994227CA7A44FE8C23DAA4CC
SHA256: D4813AA54C5C36C4C1EF8021B463C624B543A651B448F0D3A552C9D1CD5F1F20
7324 | EaseUS_Data_Recovery_Wizard_Free_v15.2.exe | C:\Users\admin\AppData\Local\Temp\downloader_easeus\1.0.0\2FreeC\skin.zip | compressed
MD5: 72CCF92A559E407D68387B612386468C
SHA256: 74C521BAD09FCD8BB7782A3D028BFDB58D23D9A092387F13F428C7B601FE385D
7324 | EaseUS_Data_Recovery_Wizard_Free_v15.2.exe | C:\Users\admin\AppData\Local\Temp\downloader_easeus\1.0.0\2FreeC\Dutch.ini | text
MD5: 0FC061F6D883E8BF41216D8686E252E5
SHA256: 24BB88CC4046509351DBB9C6FD968794BD76ABB9533535C07D4BD0642D354D08
7324 | EaseUS_Data_Recovery_Wizard_Free_v15.2.exe | C:\Users\admin\AppData\Local\Temp\downloader_easeus\1.0.0\2FreeC\French.ini | text
MD5: 99FA7200487BD5C403887991FA763878
SHA256: 3221F618D0D01BAC7FCFC3F6F5B2A47523C2CDE39F4AA68D426B26C9AFBC5AD1
7324 | EaseUS_Data_Recovery_Wizard_Free_v15.2.exe | C:\Users\admin\AppData\Local\Temp\downloader_easeus\1.0.0\2FreeC\Italian.ini | text
MD5: DB6C872DC6F1B72A63C17C95CED3317D
SHA256: 8B10170EFD13107098361AAC7135D4986879B9F90198FC359CA03E94FC79A229
7324 | EaseUS_Data_Recovery_Wizard_Free_v15.2.exe | C:\Users\admin\AppData\Local\Temp\downloader_easeus\1.0.0\2FreeC\Indonesian.ini | text
MD5: BCA8911FE628126C07C32E3B8E059FCD
SHA256: 4B4BB629172DDE80AAD1373E87A35989521943CC3214F51ADA87DE94B2C1819A
7324 | EaseUS_Data_Recovery_Wizard_Free_v15.2.exe | C:\Users\admin\AppData\Local\Temp\downloader_easeus\1.0.0\2FreeC\Japanese.ini | text
MD5: C8ABAF56082F7DC95CBEF96ED45796D5
SHA256: 2E56CA201793AE96190C93D07B4E2FE3AC93100C8ECA7291957589BDDA3E55AA
HTTP(S) requests
17
TCP/UDP connections
39
DNS requests
18
Threats
12

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5496
MoUsoCoreWorker.exe
GET
200
2.16.164.49:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
7524
AliyunWrapExe.exe
GET
200
8.218.236.152:80
http://track.easeus.com/product/index.php?c=main&a=getstatus&pid=2
unknown
unknown
7372
EDownloader.exe
POST
200
18.239.18.43:80
http://download.easeus.com/api2/index.php/Apicp/Drwdl202004/index/
unknown
unknown
6544
svchost.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
7524
AliyunWrapExe.exe
POST
200
47.252.97.212:80
http://easeusinfo.us-east-1.log.aliyuncs.com/logstores/logstore_drw_ip/shards/lb
unknown
unknown
7524
AliyunWrapExe.exe
POST
200
47.252.97.212:80
http://easeusinfo.us-east-1.log.aliyuncs.com/logstores/logstore_drw_ip/shards/lb
unknown
unknown
7524
AliyunWrapExe.exe
POST
200
47.252.97.212:80
http://easeusinfo.us-east-1.log.aliyuncs.com/logstores/logstore_drw_ip/shards/lb
unknown
unknown
7524
AliyunWrapExe.exe
POST
200
47.252.97.212:80
http://easeusinfo.us-east-1.log.aliyuncs.com/logstores/logstore_drw_ip/shards/lb
unknown
unknown
5024
AliyunWrapExe.exe
GET
200
8.218.236.152:80
http://track.easeus.com/product/index.php?c=main&a=getstatus&pid=2
unknown
unknown
7524
AliyunWrapExe.exe
POST
200
47.252.97.212:80
http://easeusinfo.us-east-1.log.aliyuncs.com/logstores/logstore_drw_ip/shards/lb
unknown
unknown

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
20.73.194.208:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6404
RUXIMICS.exe
20.73.194.208:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5496
MoUsoCoreWorker.exe
2.16.164.49:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
7524
AliyunWrapExe.exe
8.218.236.152:80
track.easeus.com
Alibaba US Technology Co., Ltd.
HK
suspicious
7372
EDownloader.exe
18.239.18.43:80
download.easeus.com
US
unknown
7524
AliyunWrapExe.exe
47.252.97.212:80
easeusinfo.us-east-1.log.aliyuncs.com
Alibaba US Technology Co., Ltd.
US
unknown
3216
svchost.exe
172.211.123.248:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
6544
svchost.exe
20.190.160.67:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 216.58.206.78
whitelisted
crl.microsoft.com
  • 2.16.164.49
  • 2.16.164.72
  • 2.16.164.24
  • 2.16.164.51
  • 2.16.164.16
  • 2.16.164.17
  • 2.16.164.11
  • 2.16.164.10
  • 2.16.164.9
whitelisted
track.easeus.com
  • 8.218.236.152
unknown
download.easeus.com
  • 18.239.18.43
  • 18.239.18.78
  • 18.239.18.84
  • 18.239.18.56
unknown
easeusinfo.us-east-1.log.aliyuncs.com
  • 47.252.97.212
  • 47.252.97.15
  • 47.252.97.14
  • 47.252.97.12
  • 47.252.97.10
  • 47.252.97.11
  • 47.252.97.9
  • 47.252.97.13
  • 47.252.97.8
unknown
client.wns.windows.com
  • 172.211.123.248
  • 172.211.123.249
whitelisted
login.live.com
  • 20.190.160.67
  • 40.126.32.133
  • 40.126.32.140
  • 40.126.32.138
  • 40.126.32.136
  • 20.190.160.132
  • 20.190.160.14
  • 20.190.160.130
whitelisted
ocsp.digicert.com
  • 2.23.77.188
whitelisted
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
slscr.update.microsoft.com
  • 20.109.210.53
whitelisted

Threats

PID
Process
Class
Message
2196
svchost.exe
Misc activity
ET INFO DNS Query to Alibaba Cloud CDN Domain (aliyuncs .com)
7524
AliyunWrapExe.exe
Generic Protocol Command Decode
SURICATA HTTP Request unrecognized authorization method
7524
AliyunWrapExe.exe
Possibly Unwanted Program Detected
ADWARE [ANY.RUN] Gexin Installer POST Request
7524
AliyunWrapExe.exe
Generic Protocol Command Decode
SURICATA HTTP Request unrecognized authorization method
7524
AliyunWrapExe.exe
Generic Protocol Command Decode
SURICATA HTTP Request unrecognized authorization method
7524
AliyunWrapExe.exe
Generic Protocol Command Decode
SURICATA HTTP Request unrecognized authorization method
7524
AliyunWrapExe.exe
Generic Protocol Command Decode
SURICATA HTTP Request unrecognized authorization method
7524
AliyunWrapExe.exe
Generic Protocol Command Decode
SURICATA HTTP Request unrecognized authorization method
5024
AliyunWrapExe.exe
Generic Protocol Command Decode
SURICATA HTTP Request unrecognized authorization method
5024
AliyunWrapExe.exe
Generic Protocol Command Decode
SURICATA HTTP Request unrecognized authorization method
No debug info