11e329f394675a2cf12b6c20ccd696ba555838872e4ec93797186683fe68588e

Analysis

max time kernel
219s
max time network
220s
platform
windows10-2004_x64
resource
win10v2004-20220812-de
resource tags

arch:x64arch:x86image:win10v2004-20220812-delocale:de-deos:windows10-2004-x64systemwindows
submitted
03-11-2022 16:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TB_Free_Installer_20220922.5363.exe
Size

1.3MB
MD5

d76c47211551f7c1f1427b4bad8e6aa9
SHA1

507c01d8cb2a3f71079b4b5110b533f9f6285ac7
SHA256

e680301ef8cbba2694f9826dd6cb4b7363e41040f2bd0af6014369f76751b32b
SHA512

04505ce953e9403a7c79699d3427e57d6237e2875920eb325cfa6bdf6264a095fc3ae7c38aed85bae803b19582e1ed43c0c8425055d543c81c077b5e5ae399b3
SSDEEP

24576:ZOr6qSJAHsD7KkT4kAC1PhCa9KRMdJYIHnsCmgFhKuYdKU6M6+q:m/u1A2ZCLMdJYnCTn8dYME

Score

8^/10

discovery persistence

Malware Config

Signatures

Downloads MZ/PE file

Drops file in Drivers directory 7 IoCs

Processes:

drvsetup.exe

description	ioc	process
File created	C:\Windows\system32\drivers\EuFdMount.sys	drvsetup.exe
File created	C:\Windows\system32\drivers\EUBKMON.sys	drvsetup.exe
File opened for modification	C:\Windows\system32\drivers\EUBKMON.sys	drvsetup.exe
File created	C:\Windows\system32\drivers\.sys	drvsetup.exe
File created	C:\Windows\system32\drivers\eubakup.sys	drvsetup.exe
File created	C:\Windows\system32\drivers\eudskacs.sys	drvsetup.exe
File created	C:\Windows\system32\drivers\EuFdDisk.sys	drvsetup.exe

Executes dropped EXE 35 IoCs

Processes:

EDownloader.exeInfoForSetup.exeInfoForSetup.exeAliyunWrapExe.ExeInfoForSetup.exeInfoForSetup.exeInfoForSetup.exeInfoForSetup.exeInfoForSetup.exeInfoForSetup.exeTB_Free_easeus.exeTB_Free_easeus.tmpdrvsetup.exeAppSetup.exeEnsUtils.exeAliyunWrapExe.Exeensserver.exeSetupSendData2Downloader.exeAgent.exeAliyunWrapExe.ExeAgent.exeEUinApp.exeTrayProcess.exewpn-grant.exeInfoForSetup.exesvchost.exeInfoForSetup.exeInfoForSetup.exeInfoForSetup.exeAliyunWrapExe.Exewpn.exeTodoBackupService.exemsedge.exeLoader.exeTodoBackupEnumNetByFD_0.exe

pid	process
2448	EDownloader.exe
300	InfoForSetup.exe
2884	InfoForSetup.exe
5012	AliyunWrapExe.Exe
3508	InfoForSetup.exe
5036	InfoForSetup.exe
4620	InfoForSetup.exe
4508	InfoForSetup.exe
1176	InfoForSetup.exe
4636	InfoForSetup.exe
4116	TB_Free_easeus.exe
4860	TB_Free_easeus.tmp
4828	drvsetup.exe
4008	AppSetup.exe
4512	EnsUtils.exe
4324	AliyunWrapExe.Exe
3648	ensserver.exe
3920	SetupSendData2Downloader.exe
4712	Agent.exe
3200	AliyunWrapExe.Exe
1604	Agent.exe
1540	EUinApp.exe
896	TrayProcess.exe
2148	wpn-grant.exe
3036	InfoForSetup.exe
5068	svchost.exe
2968	InfoForSetup.exe
2904	InfoForSetup.exe
720	InfoForSetup.exe
2208	AliyunWrapExe.Exe
2820	wpn.exe
5104	TodoBackupService.exe
704	msedge.exe
2688	Loader.exe
5460	TodoBackupEnumNetByFD_0.exe

Registers COM server for autorun 1 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

RunDll32.exeAppSetup.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FCA7DE15-8A25-40FB-B23C-1C55DF71FF0E}\InprocServer32\ = "C:\\Program Files (x86)\\EaseUS\\Todo Backup\\bin\\x64\\VssEaseusProvider.dll"	RunDll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{45203D3B-3D73-4497-8AFE-D29950AC6C55}\InprocServer32	AppSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{45203D3B-3D73-4497-8AFE-D29950AC6C55}\InprocServer32\ = "C:\\Program Files (x86)\\EaseUS\\Todo Backup\\bin\\x64\\ImageSh.dll"	AppSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D67B84AA-3232-46D3-8B30-0AC87FDF65FD}\InprocServer32\ = "C:\\Program Files (x86)\\EaseUS\\Todo Backup\\bin\\x64\\VssEaseusProvider.dll"	RunDll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FCA7DE15-8A25-40FB-B23C-1C55DF71FF0E}\InprocServer32	RunDll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C1051DD2-472F-4B24-B47A-06769096CE34}\InprocServer32\ = "C:\\Program Files (x86)\\EaseUS\\Todo Backup\\bin\\x64\\ImageSh.dll"	AppSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C1051DD2-472F-4B24-B47A-06769096CE34}\InprocServer32\ThreadingModel = "Apartment"	AppSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{45203D3B-3D73-4497-8AFE-D29950AC6C55}\InprocServer32\ThreadingModel = "Apartment"	AppSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D67B84AA-3232-46D3-8B30-0AC87FDF65FD}\InprocServer32	RunDll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C1051DD2-472F-4B24-B47A-06769096CE34}\InprocServer32	AppSetup.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TB_Free_easeus.tmp

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	TB_Free_easeus.tmp

Loads dropped DLL 64 IoCs

Processes:

InfoForSetup.exeInfoForSetup.exeAliyunWrapExe.ExeInfoForSetup.exeInfoForSetup.exeInfoForSetup.exeInfoForSetup.exeInfoForSetup.exeInfoForSetup.exeTB_Free_easeus.tmpregsvr32.exeRunDll32.exeRunDll32.exeAppSetup.exeEnsUtils.exeAliyunWrapExe.Exeensserver.exeAliyunWrapExe.ExeAgent.exeAgent.exeTrayProcess.exe

pid	process
300	InfoForSetup.exe
2884	InfoForSetup.exe
5012	AliyunWrapExe.Exe
3508	InfoForSetup.exe
5036	InfoForSetup.exe
4620	InfoForSetup.exe
4508	InfoForSetup.exe
1176	InfoForSetup.exe
4636	InfoForSetup.exe
4860	TB_Free_easeus.tmp
4860	TB_Free_easeus.tmp
4860	TB_Free_easeus.tmp
4860	TB_Free_easeus.tmp
4680	regsvr32.exe
4736	RunDll32.exe
4896	RunDll32.exe
4008	AppSetup.exe
4512	EnsUtils.exe
4512	EnsUtils.exe
4512	EnsUtils.exe
4512	EnsUtils.exe
4324	AliyunWrapExe.Exe
3648	ensserver.exe
3648	ensserver.exe
3648	ensserver.exe
3648	ensserver.exe
3648	ensserver.exe
3648	ensserver.exe
3648	ensserver.exe
3648	ensserver.exe
3648	ensserver.exe
3648	ensserver.exe
3648	ensserver.exe
3648	ensserver.exe
3200	AliyunWrapExe.Exe
4712	Agent.exe
1604	Agent.exe
1604	Agent.exe
1604	Agent.exe
1604	Agent.exe
1604	Agent.exe
1604	Agent.exe
1604	Agent.exe
1604	Agent.exe
1604	Agent.exe
1604	Agent.exe
1604	Agent.exe
1604	Agent.exe
1604	Agent.exe
1604	Agent.exe
896	TrayProcess.exe
896	TrayProcess.exe
896	TrayProcess.exe
896	TrayProcess.exe
896	TrayProcess.exe
896	TrayProcess.exe
896	TrayProcess.exe
896	TrayProcess.exe
896	TrayProcess.exe
896	TrayProcess.exe
896	TrayProcess.exe
896	TrayProcess.exe
896	TrayProcess.exe
896	TrayProcess.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

TB_Free_easeus.tmpmsedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	TB_Free_easeus.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TrayProcess = "\"C:\\Program Files (x86)\\EaseUS\\Todo Backup\\bin\\TrayProcess.exe\" autorun"	TB_Free_easeus.tmp
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 17 IoCs

Processes:

ensserver.exeAliyunWrapExe.ExeAgent.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27	ensserver.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9FF67FB3141440EED32363089565AE60_D9DB4FD99E4009ED1384A9FB5C596390	ensserver.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	ensserver.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	ensserver.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\ens[1].ini	ensserver.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\index[1].htm	AliyunWrapExe.Exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	ensserver.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	AliyunWrapExe.Exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	ensserver.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9FF67FB3141440EED32363089565AE60_D9DB4FD99E4009ED1384A9FB5C596390	ensserver.exe
File opened for modification	C:\Windows\SysWOW64\EUTB.TODJ	Agent.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	ensserver.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	ensserver.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27	ensserver.exe
File opened for modification	C:\Windows\SysWOW64\Eaolog.log	Agent.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	ensserver.exe

Drops file in Program Files directory 64 IoCs

Processes:

TB_Free_easeus.tmp

description	ioc	process
File created	C:\Program Files (x86)\EaseUS\Todo Backup\bin\ens\is-LL313.tmp	TB_Free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\Todo Backup\res\is-6N0M9.tmp	TB_Free_easeus.tmp
File opened for modification	C:\Program Files (x86)\EaseUS\Todo Backup\bin\BuiltInUserMgr.exe	TB_Free_easeus.tmp
File opened for modification	C:\Program Files (x86)\EaseUS\Todo Backup\bin\FatResizeMove.dll	TB_Free_easeus.tmp
File opened for modification	C:\Program Files (x86)\EaseUS\Todo Backup\bin\TodoBackupService.exe	TB_Free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\Todo Backup\drv\is-CVD04.tmp	TB_Free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\Todo Backup\bin\is-T01C7.tmp	TB_Free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\Todo Backup\bin\is-PUHJ6.tmp	TB_Free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\Todo Backup\res\iconView\is-TKRT6.tmp	TB_Free_easeus.tmp
File opened for modification	C:\Program Files (x86)\EaseUS\Todo Backup\bin\imageformats\qsvg.dll	TB_Free_easeus.tmp
File opened for modification	C:\Program Files (x86)\EaseUS\Todo Backup\bin\InstallBoot.exe	TB_Free_easeus.tmp
File opened for modification	C:\Program Files (x86)\EaseUS\Todo Backup\bin\python27.dll	TB_Free_easeus.tmp
File opened for modification	C:\Program Files (x86)\EaseUS\Todo Backup\BUILDPE\EaseUS-x64\tb\bin\msvcr120.dll	TB_Free_easeus.tmp
File opened for modification	C:\Program Files (x86)\EaseUS\Todo Backup\BUILDPE\EaseUS-x64\tb\bin\aws-cpp-sdk-core.dll	TB_Free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\Todo Backup\bin\is-1SFP9.tmp	TB_Free_easeus.tmp
File opened for modification	C:\Program Files (x86)\EaseUS\Todo Backup\BUILDPE\EaseUS-x64\tb\bin\mfc90u.dll	TB_Free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\Todo Backup\res\iconView\is-LS82A.tmp	TB_Free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\Todo Backup\res\is-HSLLC.tmp	TB_Free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\Todo Backup\res\iconView\is-EKAA3.tmp	TB_Free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\Todo Backup\res\taskCard\is-7A5L8.tmp	TB_Free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\Todo Backup\res\icon\is-KRM0Q.tmp	TB_Free_easeus.tmp
File opened for modification	C:\Program Files (x86)\EaseUS\Todo Backup\bin\Wakeup.dll	TB_Free_easeus.tmp
File opened for modification	C:\Program Files (x86)\EaseUS\Todo Backup\BUILDPE\EaseUS-x64\tb\bin\RapidNTFS.dll	TB_Free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\Todo Backup\bin\is-TEIL2.tmp	TB_Free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\Todo Backup\bin\is-ES78J.tmp	TB_Free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\Todo Backup\BUILDPE\EaseUS-x64\tb\bin\is-7QJ0K.tmp	TB_Free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\Todo Backup\res\icon\is-M3030.tmp	TB_Free_easeus.tmp
File opened for modification	C:\Program Files (x86)\EaseUS\Todo Backup\bin\api-ms-win-core-file-l2-1-0.dll	TB_Free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\Todo Backup\bin\is-88UMA.tmp	TB_Free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\Todo Backup\res\iconView\is-MER0G.tmp	TB_Free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\Todo Backup\res\loading\is-U2B21.tmp	TB_Free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\Todo Backup\res\taskCard\is-D5HSL.tmp	TB_Free_easeus.tmp
File opened for modification	C:\Program Files (x86)\EaseUS\Todo Backup\BUILDPE\EaseUS-x64\tb\bin\api-ms-win-core-string-l1-1-0.dll	TB_Free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\Todo Backup\InnerBuy\res\is-L1U2M.tmp	TB_Free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\Todo Backup\res\icon\is-P6LOT.tmp	TB_Free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\Todo Backup\res\icon\is-25RUG.tmp	TB_Free_easeus.tmp
File opened for modification	C:\Program Files (x86)\EaseUS\Todo Backup\BUILDPE\EaseUS-x64\tb\bin\libGuiTheme.dll	TB_Free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\Todo Backup\bin\is-K1PFG.tmp	TB_Free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\Todo Backup\res\iconView\is-OCJLP.tmp	TB_Free_easeus.tmp
File opened for modification	C:\Program Files (x86)\EaseUS\Todo Backup\bin\msvcr90.dll	TB_Free_easeus.tmp
File opened for modification	C:\Program Files (x86)\EaseUS\Todo Backup\BUILDPE\EaseUS-x64\tb\bin\CloudOperator.dll	TB_Free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\Todo Backup\bin\is-9148V.tmp	TB_Free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\Todo Backup\bin\is-LGSLJ.tmp	TB_Free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\Todo Backup\res\backup_option\is-PPSQ1.tmp	TB_Free_easeus.tmp
File opened for modification	C:\Program Files (x86)\EaseUS\Todo Backup\bin\DLLs\tcl85.dll	TB_Free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\Todo Backup\multi\res_ko_KR\bin\is-R8I7I.tmp	TB_Free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\Todo Backup\res\iconView\is-M5J7K.tmp	TB_Free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\Todo Backup\bin\is-R34JA.tmp	TB_Free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\Todo Backup\BUILDPE\EaseUS-x64\tb\bin\is-45KR5.tmp	TB_Free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\Todo Backup\res\icon\is-RBQV2.tmp	TB_Free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\Todo Backup\res\icon\is-7D527.tmp	TB_Free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\Todo Backup\res\icon\is-CM4BE.tmp	TB_Free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\Todo Backup\res\scene\is-PP3E3.tmp	TB_Free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\Todo Backup\bin\ens\is-ISS4S.tmp	TB_Free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\Todo Backup\BUILDPE\EaseUS-x64\tb\bin\is-SNPAB.tmp	TB_Free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\Todo Backup\BUILDPE\EaseUS-x64\tb\bin\is-PT42T.tmp	TB_Free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\Todo Backup\res\icon\is-FBLGU.tmp	TB_Free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\Todo Backup\res\iconView\is-NVKBF.tmp	TB_Free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\Todo Backup\res\loading\is-6O0NK.tmp	TB_Free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\Todo Backup\bin\grub4dos\is-2O765.tmp	TB_Free_easeus.tmp
File opened for modification	C:\Program Files (x86)\EaseUS\Todo Backup\bin\NasDevice.dll	TB_Free_easeus.tmp
File opened for modification	C:\Program Files (x86)\EaseUS\Todo Backup\BUILDPE\EaseUS-x64\tb\bin\TbService.exe	TB_Free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\Todo Backup\BUILDPE\EaseUS-x64\tb\bin\printsupport\is-OF6GL.tmp	TB_Free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\Todo Backup\res\icon\is-0UCGE.tmp	TB_Free_easeus.tmp

Drops file in Windows directory 5 IoCs

Processes:

dllhost.exemsdtc.exe

description	ioc	process
File created	C:\Windows\Registration\_RegDBWrt.clb	dllhost.exe
File opened for modification	C:\Windows\Registration\_RegDBWrt.clb	dllhost.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{FE5438F5-4855-4FFB-BC43-5D3ECA66EAF1}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{FE5438F5-4855-4FFB-BC43-5D3ECA66EAF1}.crmlog	dllhost.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vds.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

TB_Free_easeus.tmpEUinApp.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION	TB_Free_easeus.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\TBConsoleUI.exe = "9999"	TB_Free_easeus.tmp
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	EUinApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\TBConsoleUI.exe = "11000"	EUinApp.exe

Modifies data under HKEY_USERS 17 IoCs

Processes:

ensserver.exeAliyunWrapExe.Exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	ensserver.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	AliyunWrapExe.Exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	ensserver.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	ensserver.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	ensserver.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	AliyunWrapExe.Exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	AliyunWrapExe.Exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	AliyunWrapExe.Exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	ensserver.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	AliyunWrapExe.Exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	AliyunWrapExe.Exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	AliyunWrapExe.Exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	ensserver.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	ensserver.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	ensserver.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	AliyunWrapExe.Exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	ensserver.exe

Modifies registry class 64 IoCs

Processes:

TB_Free_easeus.tmpAppSetup.exeRunDll32.exedllhost.exemsedge.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.pbd\ = "pbd.file"	TB_Free_easeus.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ImageSh.RightMenu\ = "RightMenu Class"	AppSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4386DFF4-9CE5-4FB3-9D77-F3036B94F4FE}\TypeLib\Version = "1.0"	AppSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F88CC4B5-6EEC-4A00-94E4-EA48EE7E1EF4}\1.0\FLAGS	RunDll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F88CC4B5-6EEC-4A00-94E4-EA48EE7E1EF4}\1.0\0	RunDll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D67B84AA-3232-46D3-8B30-0AC87FDF65FD}\ProgID\ = "VssEaseusProvider.VSS_OBJECT_PROP_Arr.1"	RunDll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\CLBVersion = "7"	dllhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{45203D3B-3D73-4497-8AFE-D29950AC6C55}\ = "RightMenu Class"	AppSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\SimpleShlExt	AppSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{45203D3B-3D73-4497-8AFE-D29950AC6C55}\ProgID	AppSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{45203D3B-3D73-4497-8AFE-D29950AC6C55}\TypeLib\ = "{B0A5F209-51D9-4ad8-8E0A-C27BA301497E}"	AppSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VssEaseusProvider.VSS_OBJECT_PROP_Array\ = "VSS_OBJECT_PROP_Array Class"	RunDll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C1051DD2-472F-4B24-B47A-06769096CE34}\Shell\Open\ddeexec\ifexec	AppSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\pbd.file\Shell\Open\ddeexec\topic\ = "AppProperties"	AppSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\AppID	RunDll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VssEaseusProvider.VSS_OBJECT_PROP_Array\CLSID\ = "{D67B84AA-3232-46D3-8B30-0AC87FDF65FD}"	RunDll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C1051DD2-472F-4B24-B47A-06769096CE34}\ = "EaseUS ShellFolder!"	AppSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C1051DD2-472F-4B24-B47A-06769096CE34}\Implemented Categories	AppSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B0A5F209-51D9-4AD8-8E0A-C27BA301497E}\1.0\HELPDIR	AppSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C1051DD2-472F-4B24-B47A-06769096CE34}\Shell\Open\ddeexec\topic\ = "AppProperties"	AppSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\SimpleShlExt\ = "{45203D3B-3D73-4497-8AFE-D29950AC6C55}"	AppSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D67B84AA-3232-46D3-8B30-0AC87FDF65FD}\InprocServer32\ = "C:\\Program Files (x86)\\EaseUS\\Todo Backup\\bin\\x64\\VssEaseusProvider.dll"	RunDll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FCA7DE15-8A25-40FB-B23C-1C55DF71FF0E}\VersionIndependentProgID	RunDll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VssEaseusProvider.EaseusSoftwareProvi.1\CLSID\ = "{FCA7DE15-8A25-40FB-B23C-1C55DF71FF0E}"	RunDll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VssEaseusProvider.EaseusSoftwareProvide\ = "EaseusSoftwareProvider Class"	RunDll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\CLBVersion = "6"	dllhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C1051DD2-472F-4B24-B47A-06769096CE34}\Shell	AppSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B0A5F209-51D9-4AD8-8E0A-C27BA301497E}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\EaseUS\\Todo Backup\\bin\\x64"	AppSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4386DFF4-9CE5-4FB3-9D77-F3036B94F4FE}\ = "IContextMenuImpl"	AppSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F88CC4B5-6EEC-4A00-94E4-EA48EE7E1EF4}\1.0\ = "VssEaseusProvider 1.0 Type Library"	RunDll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VssEaseusProvider.VSS_OBJECT_PROP_Arr.1	RunDll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\CLBVersion = "4"	dllhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C1051DD2-472F-4B24-B47A-06769096CE34}\InprocServer32\ = "C:\\Program Files (x86)\\EaseUS\\Todo Backup\\bin\\x64\\ImageSh.dll"	AppSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C1051DD2-472F-4B24-B47A-06769096CE34}\Shell\Open\ddeexec\ = "[ViewFolder(\"%l\", %I, %S)]"	AppSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ImageSh.RightMenu\CurVer\ = "ImageSh.RightMenu.1"	AppSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FCA7DE15-8A25-40FB-B23C-1C55DF71FF0E}\InprocServer32\ = "C:\\Program Files (x86)\\EaseUS\\Todo Backup\\bin\\x64\\VssEaseusProvider.dll"	RunDll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FCA7DE15-8A25-40FB-B23C-1C55DF71FF0E}\TypeLib\ = "{F88CC4B5-6EEC-4A00-94E4-EA48EE7E1EF4}"	RunDll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VssEaseusProvider.EaseusSoftwareProvide	RunDll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C1051DD2-472F-4B24-B47A-06769096CE34}\ShellFolder	AppSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\pbd.file\Shell\Open\command	AppSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ImageSh.RightMenu.1	AppSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4386DFF4-9CE5-4FB3-9D77-F3036B94F4FE}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	AppSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F88CC4B5-6EEC-4A00-94E4-EA48EE7E1EF4}	RunDll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F88CC4B5-6EEC-4A00-94E4-EA48EE7E1EF4}\1.0\HELPDIR	RunDll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D67B84AA-3232-46D3-8B30-0AC87FDF65FD}\TypeLib	RunDll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\pbd.file\Shell\Open\ddeexec\ifexec\ = "[]"	AppSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B0A5F209-51D9-4AD8-8E0A-C27BA301497E}	AppSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B0A5F209-51D9-4AD8-8E0A-C27BA301497E}\1.0\0	AppSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B0A5F209-51D9-4AD8-8E0A-C27BA301497E}\1.0\0\win64\ = "C:\\Program Files (x86)\\EaseUS\\Todo Backup\\bin\\x64\\ImageSh.dll"	AppSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\pbd.file\DefaultIcon\ = "C:\\Program Files (x86)\\EaseUS\\Todo Backup\\res\\PBD-icon.ico,0"	TB_Free_easeus.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\CLBVersion = "3"	dllhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VssEaseusProvider.VSS_OBJECT_PROP_Arr.1\ = "VSS_OBJECT_PROP_Array Class"	RunDll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VssEaseusProvider.VSS_OBJECT_PROP_Array\CLSID	RunDll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C1051DD2-472F-4B24-B47A-06769096CE34}\Shell\Open\ddeexec\application	AppSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\pbd.file\CLSID\ = "{C1051DD2-472F-4B24-B47A-06769096CE34}"	AppSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B0A5F209-51D9-4AD8-8E0A-C27BA301497E}\1.0\ = "ImageSh 1.0 Type Library"	AppSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VssEaseusProvider.VSS_OBJECT_PROP_Arr.1\CLSID	RunDll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C1051DD2-472F-4B24-B47A-06769096CE34}\Shell\Open\command\ = "explorer /idlist,%I,%L"	AppSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\pbd.file\CLSID	AppSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\pbd.file\Shell\Open\ddeexec\ = "[ViewFolder(\"%l\", %I, %S)]"	AppSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\pbd.file\Shell\Open\ddeexec\application\ = "Folders"	AppSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{45203D3B-3D73-4497-8AFE-D29950AC6C55}\TypeLib	AppSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F88CC4B5-6EEC-4A00-94E4-EA48EE7E1EF4}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\EaseUS\\Todo Backup\\bin\\x64"	RunDll32.exe

Modifies registry key 1 TTPs 5 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exereg.exereg.exe

pid process

2644 reg.exe
3092 reg.exe
1904 reg.exe
4104 reg.exe
4076 reg.exe
Runs net.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

TrayProcess.exe

pid process

896 TrayProcess.exe

pid	process
2644	reg.exe
3092	reg.exe
1904	reg.exe
4104	reg.exe
4076	reg.exe

pid	process
896	TrayProcess.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

TB_Free_easeus.tmp

pid	process
4860	TB_Free_easeus.tmp
4860	TB_Free_easeus.tmp
4860	TB_Free_easeus.tmp
4860	TB_Free_easeus.tmp
4860	TB_Free_easeus.tmp
4860	TB_Free_easeus.tmp
4860	TB_Free_easeus.tmp
4860	TB_Free_easeus.tmp
4860	TB_Free_easeus.tmp
4860	TB_Free_easeus.tmp
4860	TB_Free_easeus.tmp
4860	TB_Free_easeus.tmp
4860	TB_Free_easeus.tmp
4860	TB_Free_easeus.tmp
4860	TB_Free_easeus.tmp
4860	TB_Free_easeus.tmp
4860	TB_Free_easeus.tmp
4860	TB_Free_easeus.tmp
4860	TB_Free_easeus.tmp
4860	TB_Free_easeus.tmp
4860	TB_Free_easeus.tmp
4860	TB_Free_easeus.tmp
4860	TB_Free_easeus.tmp
4860	TB_Free_easeus.tmp
4860	TB_Free_easeus.tmp
4860	TB_Free_easeus.tmp
4860	TB_Free_easeus.tmp
4860	TB_Free_easeus.tmp
4860	TB_Free_easeus.tmp
4860	TB_Free_easeus.tmp
4860	TB_Free_easeus.tmp
4860	TB_Free_easeus.tmp
4860	TB_Free_easeus.tmp
4860	TB_Free_easeus.tmp
4860	TB_Free_easeus.tmp
4860	TB_Free_easeus.tmp
4860	TB_Free_easeus.tmp
4860	TB_Free_easeus.tmp
4860	TB_Free_easeus.tmp
4860	TB_Free_easeus.tmp
4860	TB_Free_easeus.tmp
4860	TB_Free_easeus.tmp
4860	TB_Free_easeus.tmp
4860	TB_Free_easeus.tmp
4860	TB_Free_easeus.tmp
4860	TB_Free_easeus.tmp
4860	TB_Free_easeus.tmp
4860	TB_Free_easeus.tmp
4860	TB_Free_easeus.tmp
4860	TB_Free_easeus.tmp
4860	TB_Free_easeus.tmp
4860	TB_Free_easeus.tmp
4860	TB_Free_easeus.tmp
4860	TB_Free_easeus.tmp
4860	TB_Free_easeus.tmp
4860	TB_Free_easeus.tmp
4860	TB_Free_easeus.tmp
4860	TB_Free_easeus.tmp
4860	TB_Free_easeus.tmp
4860	TB_Free_easeus.tmp
4860	TB_Free_easeus.tmp
4860	TB_Free_easeus.tmp
4860	TB_Free_easeus.tmp
4860	TB_Free_easeus.tmp

Suspicious behavior: LoadsDriver 4 IoCs

Processes:

drvsetup.exe

pid process

4828 drvsetup.exe
4828 drvsetup.exe
4828 drvsetup.exe
636
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

msedge.exe

pid process

4048 msedge.exe
4048 msedge.exe
4048 msedge.exe
4048 msedge.exe
4048 msedge.exe
4048 msedge.exe

pid	process
4828	drvsetup.exe
4828	drvsetup.exe
4828	drvsetup.exe
636

pid	process
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

TB_Free_easeus.tmp

description	pid	process
Token: SeDebugPrivilege	4860	TB_Free_easeus.tmp
Token: SeDebugPrivilege	4860	TB_Free_easeus.tmp
Token: SeDebugPrivilege	4860	TB_Free_easeus.tmp
Token: SeDebugPrivilege	4860	TB_Free_easeus.tmp
Token: SeDebugPrivilege	4860	TB_Free_easeus.tmp
Token: SeDebugPrivilege	4860	TB_Free_easeus.tmp
Token: SeDebugPrivilege	4860	TB_Free_easeus.tmp
Token: SeDebugPrivilege	4860	TB_Free_easeus.tmp
Token: SeDebugPrivilege	4860	TB_Free_easeus.tmp
Token: SeDebugPrivilege	4860	TB_Free_easeus.tmp
Token: SeDebugPrivilege	4860	TB_Free_easeus.tmp
Token: SeDebugPrivilege	4860	TB_Free_easeus.tmp
Token: SeDebugPrivilege	4860	TB_Free_easeus.tmp
Token: SeDebugPrivilege	4860	TB_Free_easeus.tmp
Token: SeDebugPrivilege	4860	TB_Free_easeus.tmp
Token: SeDebugPrivilege	4860	TB_Free_easeus.tmp
Token: SeDebugPrivilege	4860	TB_Free_easeus.tmp
Token: SeDebugPrivilege	4860	TB_Free_easeus.tmp
Token: SeDebugPrivilege	4860	TB_Free_easeus.tmp
Token: SeDebugPrivilege	4860	TB_Free_easeus.tmp
Token: SeDebugPrivilege	4860	TB_Free_easeus.tmp
Token: SeDebugPrivilege	4860	TB_Free_easeus.tmp
Token: SeDebugPrivilege	4860	TB_Free_easeus.tmp
Token: SeDebugPrivilege	4860	TB_Free_easeus.tmp
Token: SeDebugPrivilege	4860	TB_Free_easeus.tmp
Token: SeDebugPrivilege	4860	TB_Free_easeus.tmp
Token: SeDebugPrivilege	4860	TB_Free_easeus.tmp
Token: SeDebugPrivilege	4860	TB_Free_easeus.tmp
Token: SeDebugPrivilege	4860	TB_Free_easeus.tmp
Token: SeDebugPrivilege	4860	TB_Free_easeus.tmp
Token: SeDebugPrivilege	4860	TB_Free_easeus.tmp
Token: SeDebugPrivilege	4860	TB_Free_easeus.tmp
Token: SeDebugPrivilege	4860	TB_Free_easeus.tmp
Token: SeDebugPrivilege	4860	TB_Free_easeus.tmp
Token: SeDebugPrivilege	4860	TB_Free_easeus.tmp
Token: SeDebugPrivilege	4860	TB_Free_easeus.tmp
Token: SeDebugPrivilege	4860	TB_Free_easeus.tmp
Token: SeDebugPrivilege	4860	TB_Free_easeus.tmp
Token: SeDebugPrivilege	4860	TB_Free_easeus.tmp
Token: SeDebugPrivilege	4860	TB_Free_easeus.tmp
Token: SeDebugPrivilege	4860	TB_Free_easeus.tmp
Token: SeDebugPrivilege	4860	TB_Free_easeus.tmp
Token: SeDebugPrivilege	4860	TB_Free_easeus.tmp
Token: SeDebugPrivilege	4860	TB_Free_easeus.tmp
Token: SeDebugPrivilege	4860	TB_Free_easeus.tmp
Token: SeDebugPrivilege	4860	TB_Free_easeus.tmp
Token: SeDebugPrivilege	4860	TB_Free_easeus.tmp
Token: SeDebugPrivilege	4860	TB_Free_easeus.tmp
Token: SeDebugPrivilege	4860	TB_Free_easeus.tmp
Token: SeDebugPrivilege	4860	TB_Free_easeus.tmp
Token: SeDebugPrivilege	4860	TB_Free_easeus.tmp
Token: SeDebugPrivilege	4860	TB_Free_easeus.tmp
Token: SeDebugPrivilege	4860	TB_Free_easeus.tmp
Token: SeDebugPrivilege	4860	TB_Free_easeus.tmp
Token: SeDebugPrivilege	4860	TB_Free_easeus.tmp
Token: SeDebugPrivilege	4860	TB_Free_easeus.tmp
Token: SeDebugPrivilege	4860	TB_Free_easeus.tmp
Token: SeDebugPrivilege	4860	TB_Free_easeus.tmp
Token: SeDebugPrivilege	4860	TB_Free_easeus.tmp
Token: SeDebugPrivilege	4860	TB_Free_easeus.tmp
Token: SeDebugPrivilege	4860	TB_Free_easeus.tmp
Token: SeDebugPrivilege	4860	TB_Free_easeus.tmp
Token: SeDebugPrivilege	4860	TB_Free_easeus.tmp
Token: SeDebugPrivilege	4860	TB_Free_easeus.tmp

Suspicious use of FindShellTrayWindow 11 IoCs

Processes:

TB_Free_easeus.tmpmsedge.exeTrayProcess.exe

pid	process
4860	TB_Free_easeus.tmp
4048	msedge.exe
4048	msedge.exe
4048	msedge.exe
896	TrayProcess.exe
896	TrayProcess.exe
896	TrayProcess.exe
896	TrayProcess.exe
896	TrayProcess.exe
896	TrayProcess.exe
4048	msedge.exe

Suspicious use of SendNotifyMessage 6 IoCs

Processes:

TrayProcess.exe

pid process

896 TrayProcess.exe
896 TrayProcess.exe
896 TrayProcess.exe
896 TrayProcess.exe
896 TrayProcess.exe
896 TrayProcess.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

EDownloader.exeTrayProcess.exe

pid process

2448 EDownloader.exe
2448 EDownloader.exe
896 TrayProcess.exe

pid	process
896	TrayProcess.exe
896	TrayProcess.exe
896	TrayProcess.exe
896	TrayProcess.exe
896	TrayProcess.exe
896	TrayProcess.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

TB_Free_Installer_20220922.5363.exeEDownloader.exeInfoForSetup.exeTB_Free_easeus.exeTB_Free_easeus.tmpcmd.exenet.exenet.exenet.exedllhost.exe

description	pid	process	target process
PID 4048 wrote to memory of 2448	4048	TB_Free_Installer_20220922.5363.exe	EDownloader.exe
PID 4048 wrote to memory of 2448	4048	TB_Free_Installer_20220922.5363.exe	EDownloader.exe
PID 4048 wrote to memory of 2448	4048	TB_Free_Installer_20220922.5363.exe	EDownloader.exe
PID 2448 wrote to memory of 300	2448	EDownloader.exe	InfoForSetup.exe
PID 2448 wrote to memory of 300	2448	EDownloader.exe	InfoForSetup.exe
PID 2448 wrote to memory of 300	2448	EDownloader.exe	InfoForSetup.exe
PID 2448 wrote to memory of 2884	2448	EDownloader.exe	InfoForSetup.exe
PID 2448 wrote to memory of 2884	2448	EDownloader.exe	InfoForSetup.exe
PID 2448 wrote to memory of 2884	2448	EDownloader.exe	InfoForSetup.exe
PID 2884 wrote to memory of 5012	2884	InfoForSetup.exe	AliyunWrapExe.Exe
PID 2884 wrote to memory of 5012	2884	InfoForSetup.exe	AliyunWrapExe.Exe
PID 2884 wrote to memory of 5012	2884	InfoForSetup.exe	AliyunWrapExe.Exe
PID 2448 wrote to memory of 3508	2448	EDownloader.exe	InfoForSetup.exe
PID 2448 wrote to memory of 3508	2448	EDownloader.exe	InfoForSetup.exe
PID 2448 wrote to memory of 3508	2448	EDownloader.exe	InfoForSetup.exe
PID 2448 wrote to memory of 5036	2448	EDownloader.exe	InfoForSetup.exe
PID 2448 wrote to memory of 5036	2448	EDownloader.exe	InfoForSetup.exe
PID 2448 wrote to memory of 5036	2448	EDownloader.exe	InfoForSetup.exe
PID 2448 wrote to memory of 4620	2448	EDownloader.exe	InfoForSetup.exe
PID 2448 wrote to memory of 4620	2448	EDownloader.exe	InfoForSetup.exe
PID 2448 wrote to memory of 4620	2448	EDownloader.exe	InfoForSetup.exe
PID 2448 wrote to memory of 4508	2448	EDownloader.exe	InfoForSetup.exe
PID 2448 wrote to memory of 4508	2448	EDownloader.exe	InfoForSetup.exe
PID 2448 wrote to memory of 4508	2448	EDownloader.exe	InfoForSetup.exe
PID 2448 wrote to memory of 1176	2448	EDownloader.exe	InfoForSetup.exe
PID 2448 wrote to memory of 1176	2448	EDownloader.exe	InfoForSetup.exe
PID 2448 wrote to memory of 1176	2448	EDownloader.exe	InfoForSetup.exe
PID 2448 wrote to memory of 4636	2448	EDownloader.exe	InfoForSetup.exe
PID 2448 wrote to memory of 4636	2448	EDownloader.exe	InfoForSetup.exe
PID 2448 wrote to memory of 4636	2448	EDownloader.exe	InfoForSetup.exe
PID 2448 wrote to memory of 4116	2448	EDownloader.exe	TB_Free_easeus.exe
PID 2448 wrote to memory of 4116	2448	EDownloader.exe	TB_Free_easeus.exe
PID 2448 wrote to memory of 4116	2448	EDownloader.exe	TB_Free_easeus.exe
PID 4116 wrote to memory of 4860	4116	TB_Free_easeus.exe	TB_Free_easeus.tmp
PID 4116 wrote to memory of 4860	4116	TB_Free_easeus.exe	TB_Free_easeus.tmp
PID 4116 wrote to memory of 4860	4116	TB_Free_easeus.exe	TB_Free_easeus.tmp
PID 4860 wrote to memory of 1288	4860	TB_Free_easeus.tmp	cmd.exe
PID 4860 wrote to memory of 1288	4860	TB_Free_easeus.tmp	cmd.exe
PID 1288 wrote to memory of 2324	1288	cmd.exe	net.exe
PID 1288 wrote to memory of 2324	1288	cmd.exe	net.exe
PID 2324 wrote to memory of 872	2324	net.exe	net1.exe
PID 2324 wrote to memory of 872	2324	net.exe	net1.exe
PID 1288 wrote to memory of 1572	1288	cmd.exe	net.exe
PID 1288 wrote to memory of 1572	1288	cmd.exe	net.exe
PID 1572 wrote to memory of 1412	1572	net.exe	net1.exe
PID 1572 wrote to memory of 1412	1572	net.exe	net1.exe
PID 1288 wrote to memory of 620	1288	cmd.exe	net.exe
PID 1288 wrote to memory of 620	1288	cmd.exe	net.exe
PID 620 wrote to memory of 448	620	net.exe	net1.exe
PID 620 wrote to memory of 448	620	net.exe	net1.exe
PID 1288 wrote to memory of 2644	1288	cmd.exe	reg.exe
PID 1288 wrote to memory of 2644	1288	cmd.exe	reg.exe
PID 1288 wrote to memory of 1236	1288	cmd.exe	cscript.exe
PID 1288 wrote to memory of 1236	1288	cmd.exe	cscript.exe
PID 1288 wrote to memory of 4680	1288	cmd.exe	regsvr32.exe
PID 1288 wrote to memory of 4680	1288	cmd.exe	regsvr32.exe
PID 1288 wrote to memory of 5056	1288	cmd.exe	cscript.exe
PID 1288 wrote to memory of 5056	1288	cmd.exe	cscript.exe
PID 984 wrote to memory of 4736	984	dllhost.exe	RunDll32.exe
PID 984 wrote to memory of 4736	984	dllhost.exe	RunDll32.exe
PID 984 wrote to memory of 4896	984	dllhost.exe	RunDll32.exe
PID 984 wrote to memory of 4896	984	dllhost.exe	RunDll32.exe
PID 1288 wrote to memory of 3092	1288	cmd.exe	reg.exe
PID 1288 wrote to memory of 3092	1288	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\TB_Free_Installer_20220922.5363.exe
"C:\Users\Admin\AppData\Local\Temp\TB_Free_Installer_20220922.5363.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4048

C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\3Free\EDownloader.exe
"C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\3Free\EDownloader.exe" EXEDIR=C:\Users\Admin\AppData\Local\Temp ||| EXENAME=TB_Free_Installer_20220922.5363.exe ||| DOWNLOAD_VERSION=Free ||| PRODUCT_VERSION=1.0.0 ||| INSTALL_TYPE=0
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2448

C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\3Free\aliyun\InfoForSetup.exe
/Uid "S-1-5-21-2629973501-4017243118-3254762364-1000"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:300

C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\3Free\aliyun\InfoForSetup.exe
/SendInfo Window "Web_Installer" Activity "Result_Run_Installer" Attribute "{\"Country\":\"Germany\",\"Timezone\":\"GMT-00:00\"}"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2884

C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\3Free\aliyun\AliyunWrapExe.Exe
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\3Free\aliyun\AliyunWrapExe.Exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5012

C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\3Free\aliyun\InfoForSetup.exe
/SendInfo Window "Home_Installer" Activity "Result_Download_Configurefile" Attribute "{\"CDN\":\"http://download.easeus.com/api2/index.php/Apicp/Drwdl202004/index/\",\"Elapsed\":\"0\",\"Errorinfo\":\"0\",\"PostURL\":\"http://download.easeus.com/api2/index.php/Apicp/Drwdl202004/index/?exeNumber=5363&lang=German&pcVersion=home&pid=3&tid=1&version=Free\",\"ResponseJson\":\"{\\"check\\":1,\\"msg\\":\\"\\u6210\\u529f\\",\\"data\\":{\\"pid\\":\\"3\\",\\"version\\":\\"Free\\",\\"tj_download\\":\\"test\\",\\"referNumber\\":\\"1000000\\",\\"killSwitch\\":\\"true\\",\\"WriteLogSwitch\\":\\"false\\",\\"curNum\\":\\"2022\\",\\"testid\\":\\"100000\\",\\"configid\\":\\"\\",\\"md5\\":\\"25e05426bec38a85ddf2006e41e02564\\",\\"download\\":\\"https:\\/\\/download2.easeus.com\\/free\\/TodoBackup_2022_free_2207.exe\\",\\"download2\\":\\"https:\\/\\/download.easeus.com\\/free\\/TodoBackup_2022_free_2207.exe\\",\\"download3\\":\\"https:\\/\\/download3.easeus.com\\/free\\/TodoBackup_2022_free_2207.exe\\",\\"url\\":[]},\\"time\\":1667493917}\",\"Result\":\"Success\"}"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3508

C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\3Free\aliyun\InfoForSetup.exe
/SendInfo Window "Home_Installer" Activity "Click_Install" Attribute "{\"Install_Path\":\"C:/Program Files (x86)/EaseUS/Todo Backup\",\"Language\":\"German\",\"Os\":\"Microsoft Windows 10\",\"Timezone\":\"GMT-00:00\",\"Version\":\"Free\",\"Version_Num\":\"2022\"}"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5036

C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\3Free\aliyun\InfoForSetup.exe
/SendInfo Window "Version_Compare" Activity "Click_Free"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4620

C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\3Free\aliyun\InfoForSetup.exe
/SendInfo Window "Downloading" Activity "Info_Start_Download_Program" Attribute "{\"Pageid\":\"5363\",\"Version\":\"Free\"}"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4508

C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\3Free\aliyun\InfoForSetup.exe
/SendInfo Window "Downloading" Activity "Result_Download_Program" Attribute "{\"Average_Networkspeed\":\"11.24MB\",\"Cdn\":\"https://download2.easeus.com/free/TodoBackup_2022_free_2207.exe\",\"Elapsedtime\":\"12\",\"Errorinfo\":\"0\",\"Result\":\"Success\"}"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1176

C:\Users\Admin\AppData\Local\Temp\TB_Free_easeus.exe
/verysilent /DIR="C:\Program Files (x86)\EaseUS\Todo Backup" /IMAGEPATH="C:\My Backups" /LANG=German agreeImprove=true GUID=S-1-5-21-2629973501-4017243118-3254762364-1000 xurlID=5363
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4116

C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\3Free\aliyun\InfoForSetup.exe
/SendInfo Window "Installing" Activity "Info_Start_Install_Program"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4636

C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\3Free\aliyun\InfoForSetup.exe
/SendInfo Window "Install_Finish" Activity "Result_Install_Program" Attribute "{\"Elapsedtime\":\"31\",\"Result\":\"result_success\"}"
3⤵
- Executes dropped EXE
PID:2904

C:\Program Files (x86)\EaseUS\Todo Backup\bin\Loader.exe
"C:\Program Files (x86)\EaseUS\Todo Backup\bin\Loader.exe"
3⤵
- Executes dropped EXE
PID:2688

C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\3Free\aliyun\InfoForSetup.exe
/SendInfo Window "Install_Finish" Activity "Click_Startnow"
3⤵
PID:704

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.easeus.de/installation-erfolgreich/todo-backup-free.html
3⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
PID:4048

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,8744263630362273835,13552984470905939626,131072 --lang=de --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
4⤵
- Executes dropped EXE
PID:704

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,8744263630362273835,13552984470905939626,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
4⤵
PID:4092

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,8744263630362273835,13552984470905939626,131072 --lang=de --service-sandbox-type=utility --mojo-platform-channel-handle=2724 /prefetch:8
4⤵
PID:2448

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,8744263630362273835,13552984470905939626,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3780 /prefetch:1
4⤵
PID:5224

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,8744263630362273835,13552984470905939626,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3836 /prefetch:1
4⤵
PID:5240

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2116,8744263630362273835,13552984470905939626,131072 --lang=de --service-sandbox-type=service --mojo-platform-channel-handle=5156 /prefetch:8
4⤵
PID:5520

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,8744263630362273835,13552984470905939626,131072 --disable-gpu-compositing --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5212 /prefetch:1
4⤵
PID:5608

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,8744263630362273835,13552984470905939626,131072 --disable-gpu-compositing --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4480 /prefetch:1
4⤵
PID:5808

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2116,8744263630362273835,13552984470905939626,131072 --lang=de --service-sandbox-type=service --mojo-platform-channel-handle=5924 /prefetch:8
4⤵
PID:5896

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,8744263630362273835,13552984470905939626,131072 --disable-gpu-compositing --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6016 /prefetch:1
4⤵
PID:6036

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,8744263630362273835,13552984470905939626,131072 --disable-gpu-compositing --lang=de --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5956 /prefetch:1
4⤵
PID:6052

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,8744263630362273835,13552984470905939626,131072 --lang=de --service-sandbox-type=none --mojo-platform-channel-handle=6280 /prefetch:8
4⤵
PID:5420

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
4⤵
PID:5256

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0xe8,0x22c,0x7ff64ac65460,0x7ff64ac65470,0x7ff64ac65480
5⤵
PID:5580

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,8744263630362273835,13552984470905939626,131072 --lang=de --service-sandbox-type=none --mojo-platform-channel-handle=6280 /prefetch:8
4⤵
PID:4216

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa92f346f8,0x7ffa92f34708,0x7ffa92f34718
2⤵
PID:4380

C:\Users\Admin\AppData\Local\Temp\is-DPN9V.tmp\TB_Free_easeus.tmp
"C:\Users\Admin\AppData\Local\Temp\is-DPN9V.tmp\TB_Free_easeus.tmp" /SL5="$50044,140774561,171008,C:\Users\Admin\AppData\Local\Temp\TB_Free_easeus.exe" /verysilent /DIR="C:\Program Files (x86)\EaseUS\Todo Backup" /IMAGEPATH="C:\My Backups" /LANG=German agreeImprove=true GUID=S-1-5-21-2629973501-4017243118-3254762364-1000 xurlID=5363
1⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4860

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""C:\Program Files (x86)\EaseUS\Todo Backup\bin\x64\install-EaseUSprovider.cmd""
2⤵
- Suspicious use of WriteProcessMemory
PID:1288

C:\Windows\system32\net.exe
net stop vds /Y
3⤵
- Suspicious use of WriteProcessMemory
PID:2324

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop vds /Y
4⤵
PID:872

C:\Windows\system32\net.exe
net stop vss /Y
3⤵
- Suspicious use of WriteProcessMemory
PID:1572

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop vss /Y
4⤵
PID:1412

C:\Windows\system32\reg.exe
reg.exe delete HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application\VssEaseusProvider /f
3⤵
- Modifies registry key
PID:2644

C:\Windows\system32\net.exe
net stop swprv
3⤵
- Suspicious use of WriteProcessMemory
PID:620

C:\Windows\system32\cscript.exe
cscript "C:\Program Files (x86)\EaseUS\Todo Backup\bin\x64\\register_app.vbs" -unregister "VssEaseusProvider"
3⤵
PID:1236

C:\Windows\system32\regsvr32.exe
regsvr32 /s /u "C:\Program Files (x86)\EaseUS\Todo Backup\bin\x64\\VssEaseusProvider.dll"
3⤵
- Loads dropped DLL
PID:4680

C:\Windows\system32\cscript.exe
cscript "C:\Program Files (x86)\EaseUS\Todo Backup\bin\x64\register_app.vbs" -register "VssEaseusProvider" "C:\Program Files (x86)\EaseUS\Todo Backup\bin\x64\VssEaseusProvider.dll" "VSS Easeus Provider"
3⤵
PID:5056

C:\Windows\system32\reg.exe
reg.exe add HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application\VssEaseusProvider /f
3⤵
- Modifies registry key
PID:3092

C:\Windows\system32\reg.exe
reg.exe add HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application\VssEaseusProvider /f /v CustomSource /t REG_DWORD /d 1
3⤵
- Modifies registry key
PID:1904

C:\Windows\system32\reg.exe
reg.exe add HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application\VssEaseusProvider /f /v EventMessageFile /t REG_EXPAND_SZ /d "C:\Program Files (x86)\EaseUS\Todo Backup\bin\x64\VssEaseusProvider.dll"
3⤵
- Modifies registry key
PID:4104

C:\Windows\system32\reg.exe
reg.exe add HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application\VssEaseusProvider /f /v TypesSupported /t REG_DWORD /d 7
3⤵
- Modifies registry key
PID:4076

C:\Program Files (x86)\EaseUS\Todo Backup\bin\x64\drvsetup.exe
"C:\Program Files (x86)\EaseUS\Todo Backup\bin\x64\drvsetup.exe" "C:\Program Files (x86)\EaseUS\Todo Backup\drv" -install
2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious behavior: LoadsDriver
PID:4828

C:\Program Files (x86)\EaseUS\Todo Backup\bin\x64\AppSetup.exe
"C:\Program Files (x86)\EaseUS\Todo Backup\bin\x64\AppSetup.exe" Install
2⤵
- Executes dropped EXE
- Registers COM server for autorun
- Loads dropped DLL
- Modifies registry class
PID:4008

C:\Program Files (x86)\EaseUS\Todo Backup\bin\ens\EnsUtils.exe
"C:\Program Files (x86)\EaseUS\Todo Backup\bin\ens\EnsUtils.exe" -install "C:\Program Files (x86)\EaseUS\Todo Backup\bin\ens" "BU-TBP-FREE-WIN" "1" "C:\Program Files (x86)\EaseUS\Todo Backup\bin\Loader.exe" 14.3
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4512

C:\Program Files (x86)\EaseUS\Todo Backup\bin\ens\AliyunWrapExe.Exe
"C:\Program Files (x86)\EaseUS\Todo Backup\bin\ens\AliyunWrapExe.Exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4324

C:\Program Files (x86)\EaseUS\Todo Backup\bin\SetupSendData2Downloader.exe
"C:\Program Files (x86)\EaseUS\Todo Backup\bin\SetupSendData2Downloader.exe" TB_Installer https://www.easeus.de/installation-erfolgreich/todo-backup-free.html
2⤵
- Executes dropped EXE
PID:3920

C:\Program Files (x86)\EaseUS\Todo Backup\bin\Agent.exe
"C:\Program Files (x86)\EaseUS\Todo Backup\bin\Agent.exe" install
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4712

C:\Program Files (x86)\EaseUS\Todo Backup\bin\EUinApp.exe
"C:\Program Files (x86)\EaseUS\Todo Backup\bin\EUinApp.exe" TBConsoleUI.exe
2⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
PID:1540

C:\Program Files (x86)\EaseUS\Todo Backup\bin\TrayProcess.exe
"C:\Program Files (x86)\EaseUS\Todo Backup\bin\TrayProcess.exe" install
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:896

C:\Program Files (x86)\EaseUS\Todo Backup\bin\InfoForSetup.exe
"C:\Program Files (x86)\EaseUS\Todo Backup\bin\InfoForSetup.exe" /Uid S-1-5-21-2629973501-4017243118-3254762364-1000
2⤵
- Executes dropped EXE
PID:3036

C:\Program Files (x86)\EaseUS\Todo Backup\bin\SetupUE.exe
"C:\Program Files (x86)\EaseUS\Todo Backup\bin\SetupUE.exe" /Enable "{\"Language\":\"German\",\"Version\":\"TodoBackup_Free_2207\",\"Version_Num\":\"14.3\",\"UE\":\"On\"}"
2⤵
PID:5068

C:\Program Files (x86)\EaseUS\Todo Backup\bin\InfoForSetup.exe
"C:\Program Files (x86)\EaseUS\Todo Backup\bin\InfoForSetup.exe" /Enable
3⤵
- Executes dropped EXE
PID:2968

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic os get caption
3⤵
PID:4996

C:\Program Files (x86)\EaseUS\Todo Backup\bin\InfoForSetup.exe
"C:\Program Files (x86)\EaseUS\Todo Backup\bin\InfoForSetup.exe" /SendInfo "Window" "Install" "Activity" "Info_Userinfo" "Attribute" "{\"Language\":\"German\",\"Version\":\"TodoBackup_Free_2207\",\"Version_Num\":\"14.3\",\"UE\":\"On\",\"Country\":\"Germany\",\"Timezone\":\"GMT-00:00\",\"OS\":\"Microsoft Windows 10 Pro 64-bit (10.0.19041.1.256)\"}"
3⤵
- Executes dropped EXE
PID:720

C:\Program Files (x86)\EaseUS\Todo Backup\bin\AliyunWrapExe.Exe
"C:\Program Files (x86)\EaseUS\Todo Backup\bin\AliyunWrapExe.Exe"
4⤵
- Executes dropped EXE
PID:2208

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop swprv
1⤵
PID:448

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:984

C:\Windows\system32\RunDll32.exe
RunDll32 catsrvut.dll,QueryUserDll "C:\Program Files (x86)\EaseUS\Todo Backup\bin\x64\VssEaseusProvider.dll" Global\{EF2DF3D5-3DDA-4FE6-8802-65DA87BBCABD}
2⤵
- Loads dropped DLL
PID:4736

C:\Windows\system32\RunDll32.exe
RunDll32 catsrvut.dll,QueryUserDll "C:\Program Files (x86)\EaseUS\Todo Backup\bin\x64\VssEaseusProvider.dll" Global\{D601A4AC-F1F3-4D00-8448-A61EA8FA996C}
2⤵
- Registers COM server for autorun
- Loads dropped DLL
- Modifies registry class
PID:4896

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
PID:2928

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2028

C:\Program Files (x86)\EaseUS\ENS\ensserver.exe
"C:\Program Files (x86)\EaseUS\ENS\ensserver.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3648

C:\Program Files (x86)\EaseUS\ENS\AliyunWrapExe.Exe
"C:\Program Files (x86)\EaseUS\ENS\AliyunWrapExe.Exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3200

C:\Program Files (x86)\EaseUS\ENS\wpn-grant.exe
"C:\Program Files (x86)\EaseUS\ENS\wpn-grant.exe" -R -c .wpn.js
2⤵
- Executes dropped EXE
PID:2148

C:\Program Files (x86)\EaseUS\ENS\wpn.exe
"C:\Program Files (x86)\EaseUS\ENS\wpn.exe" -c .wpn.js -v -v -v -n test -S -e 364419530012 -K AAAAVNkYvRw:APA91bGpIYNsqC55ZWIoPrfoBz8eR8Dy9FllMFx1ZmgQitIPTlTSxX739tWae4obYfNuBYfJKVnVs1HSFM__JUwwB-4KWIyTZt1vElIWFL4l3n6NcAuhCHCH-ZYDE45CTH10dG-QB7HK
2⤵
- Executes dropped EXE
PID:2820

C:\Program Files (x86)\EaseUS\Todo Backup\bin\Agent.exe
"C:\Program Files (x86)\EaseUS\Todo Backup\bin\Agent.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1604

C:\Program Files (x86)\EaseUS\Todo Backup\bin\TodoBackupService.exe
"C:\Program Files (x86)\EaseUS\Todo Backup\bin\TodoBackupService.exe"
2⤵
- Executes dropped EXE
PID:5104

C:\Program Files (x86)\EaseUS\Todo Backup\bin\TodoBackupEnumNetByFD_0.exe
"C:\Program Files (x86)\EaseUS\Todo Backup\bin\TodoBackupEnumNetByFD_0.exe"
2⤵
- Executes dropped EXE
PID:5460

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:5040

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:4724

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
- Executes dropped EXE
PID:5068

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3060

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost
1⤵
PID:5996

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\EaseUS\Todo Backup\bin\x64\DrvSetup.exe

Filesize
159KB

MD5
975869901bfde99b777165f231f50bd9

SHA1
6edfb68927427af43a73671011fbd2e513f4a5e3

SHA256
afa9bdf49d23e5352476f2d61916d2b1c2666af92974c18857f402359efcfe14

SHA512
312930bd0b6aadcbfc6b109b674bfa29a76cf51f40282a673efb7a6980db0bcb50f0d58b3cefe2fdccb97bd1381913fdb444465b5b9ac0bec64a809dcfea685e

Download Submit
C:\Program Files (x86)\EaseUS\Todo Backup\bin\x64\VssEaseusProvider.dll

Filesize
57KB

MD5
0f5654997d589aedbbea6104268cd85d

SHA1
21dacfec1812aebbe3584a6ee37965e32c4f0e81

SHA256
f6e91e3b66addbe15c4d1caac16a8c806b5a6db79f0318d924fc3871743e982d

SHA512
1ee966072c37a7cfda71248532635addf963759618740c04376d7437051c817300cb3efce45b3befde821c73d6ea347f3da4d3d5fdaa3782abefdb5211f64623

Download Submit
C:\Program Files (x86)\EaseUS\Todo Backup\bin\x64\VssEaseusProvider.dll

Filesize
57KB

MD5
0f5654997d589aedbbea6104268cd85d

SHA1
21dacfec1812aebbe3584a6ee37965e32c4f0e81

SHA256
f6e91e3b66addbe15c4d1caac16a8c806b5a6db79f0318d924fc3871743e982d

SHA512
1ee966072c37a7cfda71248532635addf963759618740c04376d7437051c817300cb3efce45b3befde821c73d6ea347f3da4d3d5fdaa3782abefdb5211f64623

Download Submit
C:\Program Files (x86)\EaseUS\Todo Backup\bin\x64\VssEaseusProvider.dll

Filesize
57KB

MD5
0f5654997d589aedbbea6104268cd85d

SHA1
21dacfec1812aebbe3584a6ee37965e32c4f0e81

SHA256
f6e91e3b66addbe15c4d1caac16a8c806b5a6db79f0318d924fc3871743e982d

SHA512
1ee966072c37a7cfda71248532635addf963759618740c04376d7437051c817300cb3efce45b3befde821c73d6ea347f3da4d3d5fdaa3782abefdb5211f64623

Download Submit
C:\Program Files (x86)\EaseUS\Todo Backup\bin\x64\VssEaseusProvider.dll

Filesize
57KB

MD5
0f5654997d589aedbbea6104268cd85d

SHA1
21dacfec1812aebbe3584a6ee37965e32c4f0e81

SHA256
f6e91e3b66addbe15c4d1caac16a8c806b5a6db79f0318d924fc3871743e982d

SHA512
1ee966072c37a7cfda71248532635addf963759618740c04376d7437051c817300cb3efce45b3befde821c73d6ea347f3da4d3d5fdaa3782abefdb5211f64623

Download Submit
C:\Program Files (x86)\EaseUS\Todo Backup\bin\x64\drvsetup.exe

Filesize
159KB

MD5
975869901bfde99b777165f231f50bd9

SHA1
6edfb68927427af43a73671011fbd2e513f4a5e3

SHA256
afa9bdf49d23e5352476f2d61916d2b1c2666af92974c18857f402359efcfe14

SHA512
312930bd0b6aadcbfc6b109b674bfa29a76cf51f40282a673efb7a6980db0bcb50f0d58b3cefe2fdccb97bd1381913fdb444465b5b9ac0bec64a809dcfea685e

Download Submit
C:\Program Files (x86)\EaseUS\Todo Backup\bin\x64\install-EaseUSprovider.cmd

Filesize
1KB

MD5
0a3d52f1a9ae473fa34f63a329b9ba4d

SHA1
cbcd0c3f0f09adaa8b358bee3eb39a7f3413384f

SHA256
1304f06bd1152413f1884d8d3943c71990786f2866637608b5af4efdf1f7e525

SHA512
3241d8988d74f1cbd741cce1e71f5ffa77dfe48d8ee75f3a61a16fd96e6f5f74ac5216c7b7d972bdbcd968b15ef632556d30f59071bec6c3d59d1019422531b3

Download Submit
C:\Program Files (x86)\EaseUS\Todo Backup\bin\x64\register_app.vbs

Filesize
12KB

MD5
f8522e8f3a35f684b4c67735d7b29f42

SHA1
d06e1a6d3a50ebed02e0d73db7e27356c3ccc1a5

SHA256
d9ad6a19df842e72502e7109de42ea47cdf2389e7b6c628f465a42fb6db04e73

SHA512
73cbc3b1b6bf62f5e7aeca794d5af6c375179b8c6d92ec42cab6ddde4bde6f9beefa2ffee5cab1ee1095a44121f81da6dbdf9e6a96f301523a8214156cd00d01

Download Submit
C:\Program Files (x86)\EaseUS\Todo Backup\bin\x64\uninstall-EaseUSprovider.cmd

Filesize
1KB

MD5
7334c2ac5c9a813ae7411641e51ef8c3

SHA1
fbb3568355ceeb2f3fda2a9d2fa2c80ca3c70508

SHA256
7d803d9872cb3de1337c67041cdb9a1056c5c6c28f8a9eeba631eb0572ab43f0

SHA512
6536f6c0912a4d03a6d89466252f936fc895d5e0c239e9b85315619d061f88816cf7652b444b6063a6023a6a327effabba85d472d4cd86b67f1ffac324bb2412

Download Submit
C:\Program Files (x86)\EaseUS\Todo Backup\drv\EUBKMON.sys

Filesize
54KB

MD5
13e03547b5a9059dfdcefb1c90be379b

SHA1
52a01540f10e55b6fcdb15e51f2d667c3ac8469f

SHA256
368a7aa6da76d3959f38a95c7c823cb9b1ae5004f10505243897b13b34944025

SHA512
2d8dc3371907973d4503e34fa9df61ee8b0cdb62c1631583bcde84c2dd9d26a1c51188e43289dabdc6bbb16bd2d6ffe054a60cc86624e1a5719b60e80a95ca3c

Download Submit
C:\Program Files (x86)\EaseUS\Todo Backup\drv\eubakup.sys

Filesize
74KB

MD5
2a7e4b4198a151f0649d4f4c748c53f2

SHA1
b42053731f94eb1093a7a5501217e44c0876517f

SHA256
9527cf04e1fc37118a4b1b84ae47f3cae69e4449a640cd4d92b6a4ea84985d8d

SHA512
079dd28a610837d9b7c7b26adcf9bd7eef5aa8f21a60c9302a01ef74022eb26986e963a32d9f9818d3c627f1f963d588abcd645d8c2c0a076f58cbf24d607e8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\TB_Free_easeus.exe

Filesize
134.9MB

MD5
25e05426bec38a85ddf2006e41e02564

SHA1
8eb2dbe994bb5709050682de9b1423217f5c8f4b

SHA256
291b20ced2e4f8cbb0f9712cabfa0c7b1e86fc45ed2ccbcfd96bbaca199b904d

SHA512
a27320a0d03811e789218654e3a4b8bb4ce5c0f2d93c7ff395392d73cbbb32ec20e80358b132eb6afcada3c233548784ad0870d9fa2d705aff26204605806bc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\TB_Free_easeus.exe

Filesize
134.9MB

MD5
25e05426bec38a85ddf2006e41e02564

SHA1
8eb2dbe994bb5709050682de9b1423217f5c8f4b

SHA256
291b20ced2e4f8cbb0f9712cabfa0c7b1e86fc45ed2ccbcfd96bbaca199b904d

SHA512
a27320a0d03811e789218654e3a4b8bb4ce5c0f2d93c7ff395392d73cbbb32ec20e80358b132eb6afcada3c233548784ad0870d9fa2d705aff26204605806bc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\3Free\EDownloader.exe

Filesize
1.2MB

MD5
5726bbd1935cb8a105f3a955894be0e0

SHA1
10c27ce58304997cc2cdede5218803204cfe3e31

SHA256
874da0b886f41905b7417977789f9947e3c02342061b5bde42bf28914663313f

SHA512
0bb3f82b2d9974f0d2836c724c7e2b1f75bca3cf1efcc683c3e43933456c20d9cf730c8d6e86065c4b78177a98bde03d96a1ed93122603a7fb84b5e247b50376

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\3Free\EDownloader.exe

Filesize
1.2MB

MD5
5726bbd1935cb8a105f3a955894be0e0

SHA1
10c27ce58304997cc2cdede5218803204cfe3e31

SHA256
874da0b886f41905b7417977789f9947e3c02342061b5bde42bf28914663313f

SHA512
0bb3f82b2d9974f0d2836c724c7e2b1f75bca3cf1efcc683c3e43933456c20d9cf730c8d6e86065c4b78177a98bde03d96a1ed93122603a7fb84b5e247b50376

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\3Free\German.ini

Filesize
4KB

MD5
11847d6ded619ef00fe65d073dca2395

SHA1
8584a41c8e07c5990b192f4028a4c6b4883a53d6

SHA256
432729df19211765091f56578437a3564667572430b36dff2bf48b28f15a0c06

SHA512
459c6cdc565d350a9158eb3f18636e390754be9408294af92a51a7380170bf4de31b17c768a17e7bf5c23e05066ec8ace9a25daaabb6c7f2adf47c942e4a133a

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\3Free\InitConfigure.ini

Filesize
5KB

MD5
a85f9acc64df19c2295a51eabe505ac5

SHA1
98df21d469964503e5484c588ca14b4be99a7e76

SHA256
211a2504c0cfe8e28bc32de9fc6065150e1d94b24573a96b43684cb0a1a6d258

SHA512
e10eb26f6167e1cb8299482f00f76bd3ac4f38d35197403f9a644789292bdcd6268710d7a3db0fc0b71e79598ad8af28d457fc94af205a280cce10bb07af715d

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\3Free\LanguageTransfor.ini

Filesize
261B

MD5
008516fb41014eee340ff4b4ab030cbc

SHA1
199b8bd1af5436f4cb7e86f590525121d43243ec

SHA256
80193c8d307d982cf45fbf62f0eee3b7ec5522deca8a027155875d610c63657c

SHA512
8033c2be1721b13a4785f817eaee76f4c39387751611d09641792935906dcf52bd6accded96bd12abcf2be067e3b8a7cccab5124ab709c41b120ef0440043c33

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\3Free\aliyun\AliyunConfig.ini

Filesize
1KB

MD5
926917a04174d16bfc52c679b93c30de

SHA1
48fb823cfae19800c85d3779615195758b68967d

SHA256
6227467c437f6db349de49abfd16c547c94b277f6b75f598d84fec5f7f7ab083

SHA512
a06bf7baa639df23dfb2fb153619dad136f210ef2ea600a5536d0bb70cf22d5327cc70766106f6577fd3a8e72ffbb969f07fb3eecbbfc300b58c0d74f53ad719

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\3Free\aliyun\AliyunConfig.ini

Filesize
1KB

MD5
bafb3e0fa40bbfea4af3f6514bff33b2

SHA1
9f27237df4f36ae50fc2a893b587ffabdc887f0a

SHA256
d552704274e88ea5fe3e054c72007727fceac885a838ec81af40b3e05fdfd82c

SHA512
2f5550f02bc99a4b3c77d229da5e6fec132f8afcd0f6067291cd6afd5e22a73e0046e894c23500a817da87a5b16655f65bf5fb4bf8553186790df69440c4a344

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\3Free\aliyun\AliyunWrap.DLL

Filesize
481KB

MD5
5725291441b2842592f14c3039450e1d

SHA1
4c3694fad2435dd58b7aa15233cded5f4eaa8146

SHA256
37bda4cb9b4bac24306a189e03437202488fc0e6bd4c460479df7e4c4ccab295

SHA512
853528cea71fa0570dfe4b9ab5c23960a1f083338808a1ecb6111627abb82f994af9f7bec43e05b9499f2587f060baca763409269c5f56b18d067b89ca9a727e

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\3Free\aliyun\AliyunWrap.dll

Filesize
481KB

MD5
5725291441b2842592f14c3039450e1d

SHA1
4c3694fad2435dd58b7aa15233cded5f4eaa8146

SHA256
37bda4cb9b4bac24306a189e03437202488fc0e6bd4c460479df7e4c4ccab295

SHA512
853528cea71fa0570dfe4b9ab5c23960a1f083338808a1ecb6111627abb82f994af9f7bec43e05b9499f2587f060baca763409269c5f56b18d067b89ca9a727e

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\3Free\aliyun\AliyunWrap.dll

Filesize
481KB

MD5
5725291441b2842592f14c3039450e1d

SHA1
4c3694fad2435dd58b7aa15233cded5f4eaa8146

SHA256
37bda4cb9b4bac24306a189e03437202488fc0e6bd4c460479df7e4c4ccab295

SHA512
853528cea71fa0570dfe4b9ab5c23960a1f083338808a1ecb6111627abb82f994af9f7bec43e05b9499f2587f060baca763409269c5f56b18d067b89ca9a727e

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\3Free\aliyun\AliyunWrap.dll

Filesize
481KB

MD5
5725291441b2842592f14c3039450e1d

SHA1
4c3694fad2435dd58b7aa15233cded5f4eaa8146

SHA256
37bda4cb9b4bac24306a189e03437202488fc0e6bd4c460479df7e4c4ccab295

SHA512
853528cea71fa0570dfe4b9ab5c23960a1f083338808a1ecb6111627abb82f994af9f7bec43e05b9499f2587f060baca763409269c5f56b18d067b89ca9a727e

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\3Free\aliyun\AliyunWrap.dll

Filesize
481KB

MD5
5725291441b2842592f14c3039450e1d

SHA1
4c3694fad2435dd58b7aa15233cded5f4eaa8146

SHA256
37bda4cb9b4bac24306a189e03437202488fc0e6bd4c460479df7e4c4ccab295

SHA512
853528cea71fa0570dfe4b9ab5c23960a1f083338808a1ecb6111627abb82f994af9f7bec43e05b9499f2587f060baca763409269c5f56b18d067b89ca9a727e

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\3Free\aliyun\AliyunWrap.dll

Filesize
481KB

MD5
5725291441b2842592f14c3039450e1d

SHA1
4c3694fad2435dd58b7aa15233cded5f4eaa8146

SHA256
37bda4cb9b4bac24306a189e03437202488fc0e6bd4c460479df7e4c4ccab295

SHA512
853528cea71fa0570dfe4b9ab5c23960a1f083338808a1ecb6111627abb82f994af9f7bec43e05b9499f2587f060baca763409269c5f56b18d067b89ca9a727e

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\3Free\aliyun\AliyunWrap.dll

Filesize
481KB

MD5
5725291441b2842592f14c3039450e1d

SHA1
4c3694fad2435dd58b7aa15233cded5f4eaa8146

SHA256
37bda4cb9b4bac24306a189e03437202488fc0e6bd4c460479df7e4c4ccab295

SHA512
853528cea71fa0570dfe4b9ab5c23960a1f083338808a1ecb6111627abb82f994af9f7bec43e05b9499f2587f060baca763409269c5f56b18d067b89ca9a727e

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\3Free\aliyun\AliyunWrap.dll

Filesize
481KB

MD5
5725291441b2842592f14c3039450e1d

SHA1
4c3694fad2435dd58b7aa15233cded5f4eaa8146

SHA256
37bda4cb9b4bac24306a189e03437202488fc0e6bd4c460479df7e4c4ccab295

SHA512
853528cea71fa0570dfe4b9ab5c23960a1f083338808a1ecb6111627abb82f994af9f7bec43e05b9499f2587f060baca763409269c5f56b18d067b89ca9a727e

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\3Free\aliyun\AliyunWrap.dll

Filesize
481KB

MD5
5725291441b2842592f14c3039450e1d

SHA1
4c3694fad2435dd58b7aa15233cded5f4eaa8146

SHA256
37bda4cb9b4bac24306a189e03437202488fc0e6bd4c460479df7e4c4ccab295

SHA512
853528cea71fa0570dfe4b9ab5c23960a1f083338808a1ecb6111627abb82f994af9f7bec43e05b9499f2587f060baca763409269c5f56b18d067b89ca9a727e

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\3Free\aliyun\AliyunWrap.dll

Filesize
481KB

MD5
5725291441b2842592f14c3039450e1d

SHA1
4c3694fad2435dd58b7aa15233cded5f4eaa8146

SHA256
37bda4cb9b4bac24306a189e03437202488fc0e6bd4c460479df7e4c4ccab295

SHA512
853528cea71fa0570dfe4b9ab5c23960a1f083338808a1ecb6111627abb82f994af9f7bec43e05b9499f2587f060baca763409269c5f56b18d067b89ca9a727e

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\3Free\aliyun\AliyunWrapExe.Exe

Filesize
106KB

MD5
674413dbbc708d32d53b386254eedb54

SHA1
281ef9b78e8a80dac4b4efe9d8d76ee4eeedc79c

SHA256
72371235cb364ab3891597f40a3f50bd64660a808979bd28bcf1c0e7154aa949

SHA512
34cd6e982c98d7d4cb763c9bbb20942a507fabc189f3fedd30433d2b79739189a3efbe81f4db465f9e401e3f01939bc8148b178679a0780fe1b000259fd947fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\3Free\aliyun\AliyunWrapExe.exe

Filesize
106KB

MD5
674413dbbc708d32d53b386254eedb54

SHA1
281ef9b78e8a80dac4b4efe9d8d76ee4eeedc79c

SHA256
72371235cb364ab3891597f40a3f50bd64660a808979bd28bcf1c0e7154aa949

SHA512
34cd6e982c98d7d4cb763c9bbb20942a507fabc189f3fedd30433d2b79739189a3efbe81f4db465f9e401e3f01939bc8148b178679a0780fe1b000259fd947fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\3Free\aliyun\DataFile.ini

Filesize
518B

MD5
c4c504b478afbb3981ec55758adf9716

SHA1
9e4136fcdfe94560405b7af31f71d18c8cafaeee

SHA256
9be71b1e5bcfe48c23df3713c97a58d29c29e2428746af104c393787b22e035b

SHA512
d82b6c2353f100eabba9db6d4ba2686158799e8c6748e95da3feab5e8b4940487a1b443f1111c28e34b6845a909101a6fa1602b12397b028017b407f6c6f382d

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\3Free\aliyun\DataFile.ini

Filesize
2KB

MD5
0aa019df7ac61a3e79f5d209cc19189d

SHA1
94d2e2e2d635b8102c6a529b275388f50afd9677

SHA256
5d67da517a3af94fdb1796bbbeeb680eca07056575f33d1fac0a48ab9c1f5644

SHA512
88fd7d1874bf2f7deb1bb50ab09b71c01be57d67187da1593ed8760120b5cd074dc5ea4b3ce15f7e0d242c5e46872d541c13ab3b398924ae681ce2b6188a6c11

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\3Free\aliyun\DataFile.ini

Filesize
3KB

MD5
090a59ab8f2240151124cabc8f699048

SHA1
b99b3f35d37e197020ef1394e8a50a5dbf642247

SHA256
1ba9196510e2fe8100ed9459ec9304ac7815b271d7a201c7640c7b78573a1c31

SHA512
876b90bc22c56c5448be386e32420e185aa6db189ada764bdb4d603f8de94e352725ceac5d07925d92a4ba54a1bc8f0ab432bcc2e1a49871bdb99ccb95d8d693

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\3Free\aliyun\DataFile.ini

Filesize
360B

MD5
15084f330a87c2e2c34a15646c385cc5

SHA1
14ce34aab50a80ab3c9a0d98238be4fc1427ce9e

SHA256
5871ed8eec0d65e9cd326af903b8f6b33db3866ce23c345534732803a4df66ae

SHA512
60d8ada773e0419b67846fa634525923d9041b00d7420112c63ee6b2ec22c05d0b35fb2183dcfa0d2410ee588fb2f27361174a62b3e0636b5fd33f3ae2f4e471

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\3Free\aliyun\DataFile.ini

Filesize
360B

MD5
15084f330a87c2e2c34a15646c385cc5

SHA1
14ce34aab50a80ab3c9a0d98238be4fc1427ce9e

SHA256
5871ed8eec0d65e9cd326af903b8f6b33db3866ce23c345534732803a4df66ae

SHA512
60d8ada773e0419b67846fa634525923d9041b00d7420112c63ee6b2ec22c05d0b35fb2183dcfa0d2410ee588fb2f27361174a62b3e0636b5fd33f3ae2f4e471

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\3Free\aliyun\DataFile.ini

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\3Free\aliyun\DataFile.ini

Filesize
752B

MD5
de1d643d677b6b9d419908d015c6a14a

SHA1
8e889d66e8296a5ed4e482ece2c101bf673b7452

SHA256
1bce25a62f4d1b3030d3249d985e9ff5002b078303fff88456ce69bcb5c34b7a

SHA512
1b64b5855da65ebc4916cfa555ec10d587d2c99e1d86a6ff8ab6b55e76942f111b6b66ee6902fa0dd7470345067da546fe04354e2a5ffbec7878884c1d3c0576

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\3Free\aliyun\DataFile.ini

Filesize
752B

MD5
de1d643d677b6b9d419908d015c6a14a

SHA1
8e889d66e8296a5ed4e482ece2c101bf673b7452

SHA256
1bce25a62f4d1b3030d3249d985e9ff5002b078303fff88456ce69bcb5c34b7a

SHA512
1b64b5855da65ebc4916cfa555ec10d587d2c99e1d86a6ff8ab6b55e76942f111b6b66ee6902fa0dd7470345067da546fe04354e2a5ffbec7878884c1d3c0576

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\3Free\aliyun\DataFile.ini

Filesize
382B

MD5
dfe45235f90596bb5ac63ad3e029543e

SHA1
7bc24dccb2dd625ad5c389267db00ef3c4ab0e66

SHA256
da01e41b360ef8c5598c012ae00b207fb20b209b3a2a7339f33ef1631c12d2ac

SHA512
8eb3acb82095501a65da66d231231723c57cc35a3b88f8540e0143e2e3f30d89d586e5121cf66d62e2238b10a129bf44addfdf468d269b542369f5d435721f9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\3Free\aliyun\DataFile.ini

Filesize
382B

MD5
dfe45235f90596bb5ac63ad3e029543e

SHA1
7bc24dccb2dd625ad5c389267db00ef3c4ab0e66

SHA256
da01e41b360ef8c5598c012ae00b207fb20b209b3a2a7339f33ef1631c12d2ac

SHA512
8eb3acb82095501a65da66d231231723c57cc35a3b88f8540e0143e2e3f30d89d586e5121cf66d62e2238b10a129bf44addfdf468d269b542369f5d435721f9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\3Free\aliyun\InfoForSetup.exe

Filesize
65KB

MD5
63c4d4021b71947a29db6c5e99678d4a

SHA1
4d24026a82d98240221077dd72f3cc169c0597e5

SHA256
33c5f40b242955b96710a9e54a109b083d014e9d061ce5ac2875aba20c0acab7

SHA512
5cf5c481126fdb422614251dc4ed4052e36fc779226c5a233637f40f55d774d130b66342df47479e368b64f65b2a3eda6f62140e9413eb8540723043ac0f693b

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\3Free\aliyun\InfoForSetup.exe

Filesize
65KB

MD5
63c4d4021b71947a29db6c5e99678d4a

SHA1
4d24026a82d98240221077dd72f3cc169c0597e5

SHA256
33c5f40b242955b96710a9e54a109b083d014e9d061ce5ac2875aba20c0acab7

SHA512
5cf5c481126fdb422614251dc4ed4052e36fc779226c5a233637f40f55d774d130b66342df47479e368b64f65b2a3eda6f62140e9413eb8540723043ac0f693b

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\3Free\aliyun\InfoForSetup.exe

Filesize
65KB

MD5
63c4d4021b71947a29db6c5e99678d4a

SHA1
4d24026a82d98240221077dd72f3cc169c0597e5

SHA256
33c5f40b242955b96710a9e54a109b083d014e9d061ce5ac2875aba20c0acab7

SHA512
5cf5c481126fdb422614251dc4ed4052e36fc779226c5a233637f40f55d774d130b66342df47479e368b64f65b2a3eda6f62140e9413eb8540723043ac0f693b

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\3Free\aliyun\InfoForSetup.exe

Filesize
65KB

MD5
63c4d4021b71947a29db6c5e99678d4a

SHA1
4d24026a82d98240221077dd72f3cc169c0597e5

SHA256
33c5f40b242955b96710a9e54a109b083d014e9d061ce5ac2875aba20c0acab7

SHA512
5cf5c481126fdb422614251dc4ed4052e36fc779226c5a233637f40f55d774d130b66342df47479e368b64f65b2a3eda6f62140e9413eb8540723043ac0f693b

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\3Free\aliyun\InfoForSetup.exe

Filesize
65KB

MD5
63c4d4021b71947a29db6c5e99678d4a

SHA1
4d24026a82d98240221077dd72f3cc169c0597e5

SHA256
33c5f40b242955b96710a9e54a109b083d014e9d061ce5ac2875aba20c0acab7

SHA512
5cf5c481126fdb422614251dc4ed4052e36fc779226c5a233637f40f55d774d130b66342df47479e368b64f65b2a3eda6f62140e9413eb8540723043ac0f693b

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\3Free\aliyun\InfoForSetup.exe

Filesize
65KB

MD5
63c4d4021b71947a29db6c5e99678d4a

SHA1
4d24026a82d98240221077dd72f3cc169c0597e5

SHA256
33c5f40b242955b96710a9e54a109b083d014e9d061ce5ac2875aba20c0acab7

SHA512
5cf5c481126fdb422614251dc4ed4052e36fc779226c5a233637f40f55d774d130b66342df47479e368b64f65b2a3eda6f62140e9413eb8540723043ac0f693b

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\3Free\aliyun\InfoForSetup.exe

Filesize
65KB

MD5
63c4d4021b71947a29db6c5e99678d4a

SHA1
4d24026a82d98240221077dd72f3cc169c0597e5

SHA256
33c5f40b242955b96710a9e54a109b083d014e9d061ce5ac2875aba20c0acab7

SHA512
5cf5c481126fdb422614251dc4ed4052e36fc779226c5a233637f40f55d774d130b66342df47479e368b64f65b2a3eda6f62140e9413eb8540723043ac0f693b

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\3Free\aliyun\InfoForSetup.exe

Filesize
65KB

MD5
63c4d4021b71947a29db6c5e99678d4a

SHA1
4d24026a82d98240221077dd72f3cc169c0597e5

SHA256
33c5f40b242955b96710a9e54a109b083d014e9d061ce5ac2875aba20c0acab7

SHA512
5cf5c481126fdb422614251dc4ed4052e36fc779226c5a233637f40f55d774d130b66342df47479e368b64f65b2a3eda6f62140e9413eb8540723043ac0f693b

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\3Free\aliyun\InfoForSetup.exe

Filesize
65KB

MD5
63c4d4021b71947a29db6c5e99678d4a

SHA1
4d24026a82d98240221077dd72f3cc169c0597e5

SHA256
33c5f40b242955b96710a9e54a109b083d014e9d061ce5ac2875aba20c0acab7

SHA512
5cf5c481126fdb422614251dc4ed4052e36fc779226c5a233637f40f55d774d130b66342df47479e368b64f65b2a3eda6f62140e9413eb8540723043ac0f693b

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\3Free\downloader.ico

Filesize
61KB

MD5
894ba3dde651d465dba83d1d1ea8c47f

SHA1
37b4d2077e76509ab57c278fee11b91ce1b85d56

SHA256
7c027c7444f9c584f9a382b3b20d1357e4b91b4018d9c723e6cf170b35ca08bb

SHA512
ccccbd75fb8f06924b7f6ba79d6f26825565248d1be19e8b358347200607d586481afaf06ba7575bab42840f288157118175daa299d192fab1a706ec0d55382e

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\3Free\skin.zip

Filesize
263KB

MD5
34edebb901521c0846afa3161eee0e3a

SHA1
b5a64e5156210a0c48d8344af66f96375e6bcdc4

SHA256
6dac590f0af6f01144450ca7bebd72daabe80357b690bbe89027c0f0ef50b762

SHA512
6d53a87f0d1e48fb4b8c1dcb80bfc8ce6ea11277f0daa69d99680bffe2c8548248ed069edfce6455edfddab3f607b3ff2df83f0a427b42ae9c710dd30a3e4e9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-DPN9V.tmp\TB_Free_easeus.tmp

Filesize
1.2MB

MD5
5ad4c56594b1b8bfae7f3690ad4dd5e5

SHA1
1d08f1e466d1bb88a8089d9e7639e5642a435dc3

SHA256
c99ae918fd53eb16fd35a287a50cb2f7c90261a36bc43cbb6208709b041e5afa

SHA512
e4b3e57ed24ee2d7ded7aaea780d9e55a3a3509cd4bf1b245eab174e1aaa8d6caf7f65488762d16ff8a6ab7ff2a5c3cc12c139dbd9c6d3a9f1bd398184c3f972

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-DPN9V.tmp\TB_Free_easeus.tmp

Filesize
1.2MB

MD5
5ad4c56594b1b8bfae7f3690ad4dd5e5

SHA1
1d08f1e466d1bb88a8089d9e7639e5642a435dc3

SHA256
c99ae918fd53eb16fd35a287a50cb2f7c90261a36bc43cbb6208709b041e5afa

SHA512
e4b3e57ed24ee2d7ded7aaea780d9e55a3a3509cd4bf1b245eab174e1aaa8d6caf7f65488762d16ff8a6ab7ff2a5c3cc12c139dbd9c6d3a9f1bd398184c3f972

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-N6T6N.tmp\EaseUSToolDll.dll

Filesize
176KB

MD5
0fa76102cbf2851dd6d800fd2128b27d

SHA1
1afb5e7fa59d1278d8e6a51ad313a4d91808f6c6

SHA256
2c7cc5b60004ee1b8d7149258075d57c6f94cf975e389dc75c4e7b9f26d7f275

SHA512
bf638f79be74491bd88af89b1b0a576b5c72601fd40bcb4ce80e8d60ec83643f22461afeedda1f34e786aa90ee649215a92231cd750b7a91fe2a873c553065e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-N6T6N.tmp\EuActiveOnline.dll

Filesize
709KB

MD5
267e481409cc30ce00dd2b2005691f25

SHA1
40392ba911435f932d16fa7c35a84d4905a4cf86

SHA256
cdcc8601a11538e7f899e331e34a6776d87ba5ff7d0a3ac1aeb0ec4fe7f679f8

SHA512
f3a4cdc6d1bcde4c12d56a9ffaeba01c26a319f9b59791aa5ca11ece38ed883d3ef8848ea6c4d6423b05de267e13a43a4f9277d05f98000ba49af317a82a8f48

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-N6T6N.tmp\EuDriverMgr.dll

Filesize
44KB

MD5
6e297a777803b40950840962941fa6c4

SHA1
0c6ee5e17bd7783b0db57a63caafbec23996da61

SHA256
bdd52a12dbe5ed2e0412a13bf87aa4662d677309cf35acba028ef1d397cc722a

SHA512
8983bec16143bb5a988e35565808cc4a02f004e7a57b1b63a0a847b44b2b5c1f6aa3e7d777c37ca2d092e1ac0994c57499f29c38c7eb70b7c1fb5207126d85e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-N6T6N.tmp\TBFirewall.dll

Filesize
92KB

MD5
d7aec9e6d2995b87c2877eb103e2af1b

SHA1
da6d1d9ef1ff5fe28a2ffd14e6fe0fa774b205e9

SHA256
ad4b43517f56c014c0cd5e669cc53ca3c335cfe3102a041f9a0f332878492600

SHA512
9d770be88b40f599ed350ed7865b18009ce5506470fef29f989490cb835509a8948e7ddbd8f09549ed6c201c39a9bfff117d8e544fd469a6c3de74ba3bda017c

Download Submit
C:\Windows\Registration\R000000000002.clb

Filesize
22KB

MD5
f22f5d49ca2bc42dbf8fb6b479dba4e4

SHA1
21e3c39c11839efb4527864e48cef06172e2b88e

SHA256
e9e25ef1220a9e7d3051f3ba3cc3b1aee74c8e5cb6df9cd41c654c07f5957456

SHA512
a73a5ef870bac925a93177daeec5f06575ea6780736f6832605621562fac107817af7b876ccf382861e30dcfa2aa6c456329d37dab38061bf8c9df947845c3a8

Download Submit
C:\Windows\Registration\R000000000003.clb

Filesize
22KB

MD5
cefea338bbd283cecacfdb835d7a0bb4

SHA1
7c6d046e0d3c15a054faa81e146514ec6673fdad

SHA256
c271f79f5458aa28821c9d96780b495fe3aafa4020adbcd2383e1ab46b33720b

SHA512
43c5e1d34ab520a43dac9393ec4b72cacba3c1f30cbcdd4b327809ec100a3e6726adb6bdefcfa64785d81a6e67f8134d79ae69fcf78aa3c214476d06dd687dcf

Download Submit
C:\Windows\Registration\R000000000004.clb

Filesize
23KB

MD5
c97e9e0f2d2d4baeb2d73d4067e98ca0

SHA1
437c7cf39498a99bf1861eb9c29f6855d8f85b40

SHA256
d5df761687bc47b82b563b8a0e2a9ed2bd24c6a81ae297d5a0c91251386eb055

SHA512
579da4d2937ee3b9985f039e58e6ba90a01fde4ebc0bc98a1c03dea4b8c732d1c276578570d99eec50a9c343ec19eb4d343074b6055c40385fe798b17791e0b9

Download Submit
C:\Windows\Registration\R000000000005.clb

Filesize
23KB

MD5
1887342960e0007b940f7c527c398aed

SHA1
bdb1ef2de43934c9b997399211e7b3ce21a4c7e1

SHA256
eeca065dce7d27e3398517468e8b401ba33dcfb9e32b473e481fd8d1c642dee5

SHA512
7865042888fe44d565370404a0089857d3e48ad6e53bd77ab4815662939203bc465f29f5ced340531f93a3a0a27e4546945d7e8c445a9f5e3d0046422d47071d

Download Submit
C:\Windows\Registration\R000000000006.clb

Filesize
23KB

MD5
4b97dc1b764a56adf62c1b9f59f8ebec

SHA1
801652b412e93d5014049208e1b1c15c46b92da0

SHA256
286ff98da27601de2b1d0b1ac7c068e66594be9bf2932fff68f1b9b18f03b70e

SHA512
dc759a0512bed9d1ba33647aaa8d12d1330e4c1c5959f149c35333465e39d86f9b4685bd5eba7e2618ab039a0d8a3365971282630ab588f370ffa63e9b5dbe11

Download Submit
memory/300-138-0x0000000000000000-mapping.dmp

Download
memory/448-203-0x0000000000000000-mapping.dmp

Download
memory/620-202-0x0000000000000000-mapping.dmp

Download
memory/704-254-0x0000000000000000-mapping.dmp

Download
memory/704-259-0x0000000000000000-mapping.dmp

Download
memory/720-248-0x0000000000000000-mapping.dmp

Download
memory/872-199-0x0000000000000000-mapping.dmp

Download
memory/896-241-0x0000000005C80000-0x0000000005C92000-memory.dmp

Filesize
72KB

Download
memory/896-239-0x00000000018F0000-0x0000000001900000-memory.dmp

Filesize
64KB

Download
memory/896-240-0x00000000039A0000-0x0000000003A7A000-memory.dmp

Filesize
872KB

Download
memory/896-237-0x0000000000000000-mapping.dmp

Download
memory/1176-172-0x0000000000000000-mapping.dmp

Download
memory/1236-205-0x0000000000000000-mapping.dmp

Download
memory/1288-195-0x0000000000000000-mapping.dmp

Download
memory/1412-201-0x0000000000000000-mapping.dmp

Download
memory/1540-236-0x0000000000000000-mapping.dmp

Download
memory/1572-200-0x0000000000000000-mapping.dmp

Download
memory/1604-235-0x0000000000D00000-0x0000000000D12000-memory.dmp

Filesize
72KB

Download
memory/1904-221-0x0000000000000000-mapping.dmp

Download
memory/2148-238-0x0000000000000000-mapping.dmp

Download
memory/2208-249-0x0000000000000000-mapping.dmp

Download
memory/2324-198-0x0000000000000000-mapping.dmp

Download
memory/2448-261-0x0000000000000000-mapping.dmp

Download
memory/2448-132-0x0000000000000000-mapping.dmp

Download
memory/2644-204-0x0000000000000000-mapping.dmp

Download
memory/2688-255-0x0000000000000000-mapping.dmp

Download
memory/2820-250-0x0000000000000000-mapping.dmp

Download
memory/2884-145-0x0000000000000000-mapping.dmp

Download
memory/2904-247-0x0000000000000000-mapping.dmp

Download
memory/2968-244-0x0000000000000000-mapping.dmp

Download
memory/3036-242-0x0000000000000000-mapping.dmp

Download
memory/3092-220-0x0000000000000000-mapping.dmp

Download
memory/3200-233-0x0000000000000000-mapping.dmp

Download
memory/3508-154-0x0000000000000000-mapping.dmp

Download
memory/3920-232-0x0000000000000000-mapping.dmp

Download
memory/4008-229-0x0000000000000000-mapping.dmp

Download
memory/4048-253-0x0000000000000000-mapping.dmp

Download
memory/4076-223-0x0000000000000000-mapping.dmp

Download
memory/4092-258-0x0000000000000000-mapping.dmp

Download
memory/4104-222-0x0000000000000000-mapping.dmp

Download
memory/4116-184-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4116-246-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4116-193-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4116-182-0x0000000000000000-mapping.dmp

Download
memory/4324-231-0x0000000000000000-mapping.dmp

Download
memory/4380-256-0x0000000000000000-mapping.dmp

Download
memory/4508-165-0x0000000000000000-mapping.dmp

Download
memory/4512-230-0x0000000000000000-mapping.dmp

Download
memory/4620-163-0x0000000000000000-mapping.dmp

Download
memory/4636-177-0x0000000000000000-mapping.dmp

Download
memory/4680-207-0x0000000000000000-mapping.dmp

Download
memory/4712-234-0x0000000000000000-mapping.dmp

Download
memory/4736-213-0x0000000000000000-mapping.dmp

Download
memory/4828-224-0x0000000000000000-mapping.dmp

Download
memory/4860-187-0x0000000000000000-mapping.dmp

Download
memory/4896-215-0x0000000000000000-mapping.dmp

Download
memory/4996-245-0x0000000000000000-mapping.dmp

Download
memory/5012-150-0x0000000000000000-mapping.dmp

Download
memory/5036-159-0x0000000000000000-mapping.dmp

Download
memory/5056-210-0x0000000000000000-mapping.dmp

Download
memory/5068-243-0x0000000000000000-mapping.dmp

Download
memory/5104-252-0x0000000002F70000-0x0000000002F82000-memory.dmp

Filesize
72KB

Download
memory/5104-251-0x0000000000000000-mapping.dmp

Download
memory/5224-263-0x0000000000000000-mapping.dmp

Download
memory/5240-265-0x0000000000000000-mapping.dmp

Download
memory/5460-278-0x0000000000000000-mapping.dmp

Download
memory/5520-267-0x0000000000000000-mapping.dmp

Download
memory/5608-269-0x0000000000000000-mapping.dmp

Download
memory/5808-271-0x0000000000000000-mapping.dmp

Download
memory/5896-273-0x0000000000000000-mapping.dmp

Download
memory/6036-275-0x0000000000000000-mapping.dmp

Download
memory/6052-277-0x0000000000000000-mapping.dmp

Download