| File name: | screen_recorder_install_20240304.1-778358.exe |
| Full analysis: | https://app.any.run/tasks/f134c39b-1cd7-42e6-821a-441dfb0fe497 |
| Verdict: | Malicious activity |
| Analysis date: | March 04, 2024, 11:19:54 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive |
| MD5: | 423B7C6C49A6A71C2E5DE8BB30D82A80 |
| SHA1: | A8068703372AE00821DF45D3D1E83528D5B75530 |
| SHA256: | FA303EADC3CCE05E0C0758C95D58E37BE1CE42218F2A34392CD68EEFF8FF487E |
| SSDEEP: | 49152:inCQjDd2I0hkYqGak5FNWl7hy20uoQk47nYRLkJsj1LKyjQXTkVCU3HgEIDILVGZ:inLD4HhkJU5FNOYuoQX7nYRusj1ecl3E |
MALICIOUS
Drops the executable file immediately after the start
- screen_recorder_install_20240304.1-778358.exe (PID: 2844)
- ere_free_easeus.exe (PID: 2832)
- ere_free_easeus.tmp (PID: 1644)
SUSPICIOUS
Executable content was dropped or overwritten
- screen_recorder_install_20240304.1-778358.exe (PID: 2844)
- ere_free_easeus.tmp (PID: 1644)
- ere_free_easeus.exe (PID: 2832)
Reads the Internet Settings
- AliyunWrapExe.Exe (PID: 2304)
- EDownloader.exe (PID: 2840)
Reads security settings of Internet Explorer
- AliyunWrapExe.Exe (PID: 2304)
- EDownloader.exe (PID: 2840)
Reads Internet Explorer settings
- EDownloader.exe (PID: 2840)
Reads Microsoft Outlook installation path
- EDownloader.exe (PID: 2840)
Reads the Windows owner or organization settings
- ere_free_easeus.tmp (PID: 1644)
Process drops legitimate windows executable
- ere_free_easeus.tmp (PID: 1644)
The process drops C-runtime libraries
- ere_free_easeus.tmp (PID: 1644)
INFO
Checks supported languages
- screen_recorder_install_20240304.1-778358.exe (PID: 2844)
- EDownloader.exe (PID: 2840)
- InfoForSetup.exe (PID: 3228)
- InfoForSetup.exe (PID: 3304)
- AliyunWrapExe.Exe (PID: 2304)
- InfoForSetup.exe (PID: 3092)
- InfoForSetup.exe (PID: 2896)
- InfoForSetup.exe (PID: 2892)
- InfoForSetup.exe (PID: 3068)
- InfoForSetup.exe (PID: 240)
- ere_free_easeus.exe (PID: 2832)
- ere_free_easeus.tmp (PID: 1644)
Reads the computer name
- screen_recorder_install_20240304.1-778358.exe (PID: 2844)
- EDownloader.exe (PID: 2840)
- AliyunWrapExe.Exe (PID: 2304)
- ere_free_easeus.tmp (PID: 1644)
Create files in a temporary directory
- screen_recorder_install_20240304.1-778358.exe (PID: 2844)
- EDownloader.exe (PID: 2840)
- InfoForSetup.exe (PID: 3304)
- AliyunWrapExe.Exe (PID: 2304)
- ere_free_easeus.exe (PID: 2832)
- ere_free_easeus.tmp (PID: 1644)
Checks proxy server information
- AliyunWrapExe.Exe (PID: 2304)
- EDownloader.exe (PID: 2840)
Reads the machine GUID from the registry
- AliyunWrapExe.Exe (PID: 2304)
- EDownloader.exe (PID: 2840)
Creates files or folders in the user directory
- AliyunWrapExe.Exe (PID: 2304)
Creates files in the program directory
- ere_free_easeus.tmp (PID: 1644)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win32 Executable MS Visual C++ (generic) (67.4) |
|---|---|---|
| .dll | | | Win32 Dynamic Link Library (generic) (14.2) |
| .exe | | | Win32 Executable (generic) (9.7) |
| .exe | | | Generic Win/DOS Executable (4.3) |
| .exe | | | DOS Executable Generic (4.3) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2018:01:30 03:57:48+00:00 |
| ImageFileCharacteristics: | No relocs, Executable, No line numbers, No symbols, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 6 |
| CodeSize: | 26624 |
| InitializedDataSize: | 186368 |
| UninitializedDataSize: | 2048 |
| EntryPoint: | 0x338f |
| OSVersion: | 4 |
| ImageVersion: | 6 |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
Total processes
52
Monitored processes
13
Malicious processes
4
Suspicious processes
1
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 240 | /SendInfo Window "Installing" Activity "Info_Start_Install_Program" | C:\Users\admin\AppData\Local\Temp\downloader_easeus\2.0.0\12free\aliyun\InfoForSetup.exe | — | EDownloader.exe | |||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
| 1644 | "C:\Users\admin\AppData\Local\Temp\is-0CMNR.tmp\ere_free_easeus.tmp" /SL5="$90292,74638634,830976,C:\Users\admin\AppData\Local\Temp\ere_free_easeus.exe" /verysilent /norestart /log Installer /DIR="C:\Program Files\EaseUS\RecExperts" /LANG=English GUID=S-1-5-21-1302019708-1500728564-335382590-1000 /Recommend=1-778358 | C:\Users\admin\AppData\Local\Temp\is-0CMNR.tmp\ere_free_easeus.tmp | ere_free_easeus.exe | ||||||||||||
User: admin Company: EaseUS Integrity Level: HIGH Description: Setup/Uninstall Exit code: 0 Version: 51.1052.0.0 Modules
| |||||||||||||||
| 2304 | C:\Users\admin\AppData\Local\Temp\downloader_easeus\2.0.0\12free\aliyun\AliyunWrapExe.Exe | C:\Users\admin\AppData\Local\Temp\downloader_easeus\2.0.0\12free\aliyun\AliyunWrapExe.Exe | InfoForSetup.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
| 2832 | /verysilent /norestart /log Installer /DIR="C:\Program Files\EaseUS\RecExperts" /LANG=English GUID=S-1-5-21-1302019708-1500728564-335382590-1000 /Recommend=1-778358 | C:\Users\admin\AppData\Local\Temp\ere_free_easeus.exe | EDownloader.exe | ||||||||||||
User: admin Company: EaseUS Integrity Level: HIGH Description: EaseUS RecExperts Setup Exit code: 0 Version: 3.8.1 Modules
| |||||||||||||||
| 2840 | "C:\Users\admin\AppData\Local\Temp\downloader_easeus\2.0.0\12free\EDownloader.exe" EXEDIR=C:\Users\admin\AppData\Local\Temp ||| EXENAME=screen_recorder_install_20240304.1-778358.exe ||| DOWNLOAD_VERSION=free ||| PRODUCT_VERSION=2.0.0 ||| INSTALL_TYPE=0 | C:\Users\admin\AppData\Local\Temp\downloader_easeus\2.0.0\12free\EDownloader.exe | screen_recorder_install_20240304.1-778358.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
| 2844 | "C:\Users\admin\AppData\Local\Temp\screen_recorder_install_20240304.1-778358.exe" | C:\Users\admin\AppData\Local\Temp\screen_recorder_install_20240304.1-778358.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
| 2892 | /SendInfo Window "Home_Installer" Activity "Click_Install" Attribute "{\"Country\":\"United States\",\"Install_Path\":\"C:/Program Files/EaseUS/RecExperts\",\"Language\":\"English\",\"Os\":\"Microsoft Windows 7\",\"Pageid\":\"1-778358\",\"Timezone\":\"GMT-00:00\",\"Version\":\"free\",\"Version_Num\":\"3.8.1\"}" | C:\Users\admin\AppData\Local\Temp\downloader_easeus\2.0.0\12free\aliyun\InfoForSetup.exe | — | EDownloader.exe | |||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
| 2896 | /SendInfo Window "Downloading" Activity "Info_Start_Download_Program" Attribute "{\"Downloadfrom\":\"https://d1.easeus.com/ere/free/screenrecorder3.8.1_free.exe\",\"Pageid\":\"1-778358\",\"Testid\":\"\",\"Version\":\"free\",\"Versionnumber\":\"3.8.1\"}" | C:\Users\admin\AppData\Local\Temp\downloader_easeus\2.0.0\12free\aliyun\InfoForSetup.exe | — | EDownloader.exe | |||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
| 3068 | /SendInfo Window "Downloading" Activity "Result_Download_Program" Attribute "{\"Average_Networkspeed\":\"1.68MB\",\"Cdn\":\"https://d1.easeus.com/ere/free/screenrecorder3.8.1_free.exe\",\"Elapsedtime\":\"43\",\"Errorinfo\":\"0\",\"Result\":\"Success\"}" | C:\Users\admin\AppData\Local\Temp\downloader_easeus\2.0.0\12free\aliyun\InfoForSetup.exe | — | EDownloader.exe | |||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
| 3092 | /SendInfo Window "Home_Installer" Activity "Result_Download_Configurefile" Attribute "{\"CDN\":\"http://download.easeus.com/api2/index.php/Apicp/Drwdl202004/index/\",\"Elapsed\":\"2\",\"Errorinfo\":\"0\",\"Result\":\"Success\"}" | C:\Users\admin\AppData\Local\Temp\downloader_easeus\2.0.0\12free\aliyun\InfoForSetup.exe | — | EDownloader.exe | |||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
Total events
7 579
Read events
7 523
Write events
47
Delete events
9
Modification events
| (PID) Process: | (2304) AliyunWrapExe.Exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
| (PID) Process: | (2304) AliyunWrapExe.Exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | IntranetName |
Value: 1 | |||
| (PID) Process: | (2304) AliyunWrapExe.Exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
| (PID) Process: | (2304) AliyunWrapExe.Exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 0 | |||
| (PID) Process: | (2304) AliyunWrapExe.Exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
| Operation: | write | Name: | ProxyEnable |
Value: 0 | |||
| (PID) Process: | (2304) AliyunWrapExe.Exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
| Operation: | delete value | Name: | ProxyServer |
Value: | |||
| (PID) Process: | (2304) AliyunWrapExe.Exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
| Operation: | delete value | Name: | ProxyOverride |
Value: | |||
| (PID) Process: | (2304) AliyunWrapExe.Exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
| Operation: | delete value | Name: | AutoConfigURL |
Value: | |||
| (PID) Process: | (2304) AliyunWrapExe.Exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
| Operation: | delete value | Name: | AutoDetect |
Value: | |||
| (PID) Process: | (2304) AliyunWrapExe.Exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections |
| Operation: | write | Name: | SavedLegacySettings |
Value: 460000005C010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A8016B000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
Executable files
358
Suspicious files
537
Text files
3 189
Unknown types
128
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2844 | screen_recorder_install_20240304.1-778358.exe | C:\Users\admin\AppData\Local\Temp\downloader_easeus\2.0.0\12free\EDownloader.exe | executable | |
MD5:4D915795D41F42E5059EC91DDF20A9DE | SHA256:1222423E82DB8893B227833F4D16F1C073057DF5B9BACBB3C4174E00A56261E7 | |||
| 2844 | screen_recorder_install_20240304.1-778358.exe | C:\Users\admin\AppData\Local\Temp\downloader_easeus\2.0.0\12free\skin.zip | compressed | |
MD5:2DC2BCA2AA7418A83D929530ACD475A4 | SHA256:8D5C06AC00C6F94120FE35D4117EBF432C7634EF5FDE6F69F3D440B93CA43761 | |||
| 2844 | screen_recorder_install_20240304.1-778358.exe | C:\Users\admin\AppData\Local\Temp\downloader_easeus\2.0.0\12free\Italian.ini | text | |
MD5:5BF7AC0E372CB1D9B9EBB97E3CEA6CC2 | SHA256:97610E6658C9BF465FCE1F518233BA2BB10123B60DC0C11757BEC298E3FE951F | |||
| 2844 | screen_recorder_install_20240304.1-778358.exe | C:\Users\admin\AppData\Local\Temp\downloader_easeus\2.0.0\12free\French.ini | text | |
MD5:85899BADB122578F572BE3E5663C06B7 | SHA256:DD0F3A544B17FA40F967C376B901F79660D943E2051F88F96A78198CEAAA3545 | |||
| 2840 | EDownloader.exe | C:\Users\admin\AppData\Local\Temp\ere_free_easeus.exe.temp | — | |
MD5:— | SHA256:— | |||
| 2840 | EDownloader.exe | C:\Users\admin\AppData\Local\Temp\ere_free_easeus.exe | — | |
MD5:— | SHA256:— | |||
| 2844 | screen_recorder_install_20240304.1-778358.exe | C:\Users\admin\AppData\Local\Temp\downloader_easeus\2.0.0\12free\ChineseTrad.ini | text | |
MD5:964707E0B877D24977B07355205B2A89 | SHA256:0F209A6FA2702C531265143B2933949324A0457C97EAB71EC0B87F7A57A76E20 | |||
| 2844 | screen_recorder_install_20240304.1-778358.exe | C:\Users\admin\AppData\Local\Temp\downloader_easeus\2.0.0\12free\Portuguese.ini | text | |
MD5:EF3BAB1B719B848274647CCD30C5F342 | SHA256:D5D2ECC6C004D1EB2E91F2990EFBD3F7EA3EF376739C00A45A9783C6BEF7B981 | |||
| 2844 | screen_recorder_install_20240304.1-778358.exe | C:\Users\admin\AppData\Local\Temp\downloader_easeus\2.0.0\12free\InitConfigure.ini | text | |
MD5:238B990363FF90929A290B11EF33799C | SHA256:D3B3D86B9A52FF94CBA826AA8BC4E4C4C6A04EE05DE6248D5E3A972550702D20 | |||
| 2844 | screen_recorder_install_20240304.1-778358.exe | C:\Users\admin\AppData\Local\Temp\downloader_easeus\2.0.0\12free\Korean.ini | text | |
MD5:038489E87CE495E95854F47D85630D5B | SHA256:36E4D8F30739A0BD453B9931394790E7C60188E45A9FC455C8C15A997DBB46CD | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
8
TCP/UDP connections
22
DNS requests
4
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
2304 | AliyunWrapExe.Exe | GET | 200 | 163.171.156.15:80 | http://track.easeus.com/product/index.php?c=main&a=getstatus&pid=12 | unknown | binary | 21 b | unknown |
2840 | EDownloader.exe | POST | 200 | 13.227.219.91:80 | http://download.easeus.com/api2/index.php/Apicp/Drwdl202004/index/ | unknown | binary | 506 b | unknown |
2304 | AliyunWrapExe.Exe | POST | 200 | 47.252.97.12:80 | http://easeusinfo.us-east-1.log.aliyuncs.com/logstores/logstore_ere_downloader/shards/lb | unknown | — | — | unknown |
2304 | AliyunWrapExe.Exe | POST | 200 | 47.252.97.12:80 | http://easeusinfo.us-east-1.log.aliyuncs.com/logstores/logstore_ere_downloader/shards/lb | unknown | — | — | unknown |
2304 | AliyunWrapExe.Exe | POST | 200 | 47.252.97.12:80 | http://easeusinfo.us-east-1.log.aliyuncs.com/logstores/logstore_ere_downloader/shards/lb | unknown | — | — | unknown |
2304 | AliyunWrapExe.Exe | POST | 200 | 47.252.97.12:80 | http://easeusinfo.us-east-1.log.aliyuncs.com/logstores/logstore_ere_downloader/shards/lb | unknown | — | — | unknown |
2304 | AliyunWrapExe.Exe | POST | — | 47.252.97.12:80 | http://easeusinfo.us-east-1.log.aliyuncs.com/logstores/logstore_ere_downloader/shards/lb | unknown | — | — | unknown |
2304 | AliyunWrapExe.Exe | POST | 200 | 47.252.97.12:80 | http://easeusinfo.us-east-1.log.aliyuncs.com/logstores/logstore_ere_downloader/shards/lb | unknown | — | — | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
2304 | AliyunWrapExe.Exe | 163.171.156.15:80 | track.easeus.com | QUANTILNETWORKS | DE | unknown |
2840 | EDownloader.exe | 13.227.219.91:80 | download.easeus.com | AMAZON-02 | US | unknown |
2304 | AliyunWrapExe.Exe | 47.252.97.12:80 | easeusinfo.us-east-1.log.aliyuncs.com | Alibaba US Technology Co., Ltd. | US | unknown |
2840 | EDownloader.exe | 18.66.112.125:443 | d1.easeus.com | AMAZON-02 | US | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
download.easeus.com |
| unknown |
track.easeus.com |
| unknown |
easeusinfo.us-east-1.log.aliyuncs.com |
| unknown |
d1.easeus.com |
| unknown |
Threats
Process | Message |
|---|---|
EDownloader.exe | [2752]-11:20:04:215 ParseCmdLine param=EXEDIR=C:\Users\admin\AppData\Local\Temp ||| EXENAME=screen_recorder_install_20240304.1-778358.exe ||| DOWNLOAD_VERSION=free ||| PRODUCT_VERSION=2.0.0 ||| INSTALL_TYPE=0
|
EDownloader.exe | [2752]-11:20:04:246 Install recomand return=259
|
EDownloader.exe | [2752]-11:20:04:855 Install recomand return=259
|
EDownloader.exe | [2444]-11:20:04:918 PostData Start download url=http://download.easeus.com/api2/index.php/Apicp/Drwdl202004/index/ param=exeNumber=1-778358&lang=English&pcVersion=home&pid=12&tid=1&version=free
|
EDownloader.exe | [2444]-11:20:06:246 PostData end
|
EDownloader.exe | [2444]-11:20:06:246 Json parse Data Start
|
EDownloader.exe | [2444]-11:20:06:246 Json parse Data end
|
EDownloader.exe | [2752]-11:20:06:246 CHttpHelper::GetDownloadInfo 45 download info code:0
|
EDownloader.exe | [2752]-11:20:06:246 download parm : exeNumber=1-778358&lang=English&pcVersion=home&pid=12&tid=1&version=free
|
EDownloader.exe | [2752]-11:20:06:262 Install recomand return=259
|