aacaf8cdd33492631621ef0d6d741dacb65fecfdb1e18da648c2474f76a4a427

Analysis

max time kernel
154s
max time network
165s
platform
windows10-2004_x64
resource
win10v2004-20220812-de
resource tags

arch:x64arch:x86image:win10v2004-20220812-delocale:de-deos:windows10-2004-x64systemwindows
submitted
03-11-2022 16:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TB_Free_Installer_20221103.100000.exe
Size

1.3MB
MD5

d76c47211551f7c1f1427b4bad8e6aa9
SHA1

507c01d8cb2a3f71079b4b5110b533f9f6285ac7
SHA256

e680301ef8cbba2694f9826dd6cb4b7363e41040f2bd0af6014369f76751b32b
SHA512

04505ce953e9403a7c79699d3427e57d6237e2875920eb325cfa6bdf6264a095fc3ae7c38aed85bae803b19582e1ed43c0c8425055d543c81c077b5e5ae399b3
SSDEEP

24576:ZOr6qSJAHsD7KkT4kAC1PhCa9KRMdJYIHnsCmgFhKuYdKU6M6+q:m/u1A2ZCLMdJYnCTn8dYME

Score

8^/10

discovery persistence

Malware Config

Signatures

Downloads MZ/PE file

Drops file in Drivers directory 7 IoCs

Processes:

drvsetup.exe

description	ioc	process
File created	C:\Windows\system32\drivers\EuFdDisk.sys	drvsetup.exe
File created	C:\Windows\system32\drivers\EuFdMount.sys	drvsetup.exe
File created	C:\Windows\system32\drivers\EUBKMON.sys	drvsetup.exe
File opened for modification	C:\Windows\system32\drivers\EUBKMON.sys	drvsetup.exe
File created	C:\Windows\system32\drivers\.sys	drvsetup.exe
File created	C:\Windows\system32\drivers\eubakup.sys	drvsetup.exe
File created	C:\Windows\system32\drivers\eudskacs.sys	drvsetup.exe

Executes dropped EXE 35 IoCs

Processes:

EDownloader.exeInfoForSetup.exeInfoForSetup.exeAliyunWrapExe.ExeInfoForSetup.exeInfoForSetup.exeInfoForSetup.exeInfoForSetup.exeInfoForSetup.exeInfoForSetup.exeTB_Free_easeus.exeTB_Free_easeus.tmpdrvsetup.exeAppSetup.exeEnsUtils.exeAliyunWrapExe.Exeensserver.exeSetupSendData2Downloader.exeAgent.exeAliyunWrapExe.ExeAgent.exeEUinApp.exeTrayProcess.exewpn-grant.exeInfoForSetup.exeSetupUE.exeInfoForSetup.exeInfoForSetup.exeInfoForSetup.exeAliyunWrapExe.Exewpn.exeTodoBackupService.exeTodoBackupEnumNetByFD_0.exeInfoForSetup.exeLoader.exe

pid	process
1188	EDownloader.exe
3412	InfoForSetup.exe
3360	InfoForSetup.exe
4960	AliyunWrapExe.Exe
4504	InfoForSetup.exe
2384	InfoForSetup.exe
3384	InfoForSetup.exe
224	InfoForSetup.exe
3588	InfoForSetup.exe
2932	InfoForSetup.exe
1708	TB_Free_easeus.exe
2528	TB_Free_easeus.tmp
3516	drvsetup.exe
4836	AppSetup.exe
3952	EnsUtils.exe
3368	AliyunWrapExe.Exe
4176	ensserver.exe
4472	SetupSendData2Downloader.exe
4436	Agent.exe
4340	AliyunWrapExe.Exe
4844	Agent.exe
3772	EUinApp.exe
332	TrayProcess.exe
1616	wpn-grant.exe
1856	InfoForSetup.exe
2644	SetupUE.exe
5032	InfoForSetup.exe
4568	InfoForSetup.exe
112	InfoForSetup.exe
1384	AliyunWrapExe.Exe
1344	wpn.exe
1580	TodoBackupService.exe
4072	TodoBackupEnumNetByFD_0.exe
3116	InfoForSetup.exe
3720	Loader.exe

Registers COM server for autorun 1 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

RunDll32.exeAppSetup.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D67B84AA-3232-46D3-8B30-0AC87FDF65FD}\InprocServer32\ = "C:\\Program Files (x86)\\EaseUS\\Todo Backup\\bin\\x64\\VssEaseusProvider.dll"	RunDll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C1051DD2-472F-4B24-B47A-06769096CE34}\InprocServer32	AppSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C1051DD2-472F-4B24-B47A-06769096CE34}\InprocServer32\ = "C:\\Program Files (x86)\\EaseUS\\Todo Backup\\bin\\x64\\ImageSh.dll"	AppSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{45203D3B-3D73-4497-8AFE-D29950AC6C55}\InprocServer32\ = "C:\\Program Files (x86)\\EaseUS\\Todo Backup\\bin\\x64\\ImageSh.dll"	AppSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{45203D3B-3D73-4497-8AFE-D29950AC6C55}\InprocServer32\ThreadingModel = "Apartment"	AppSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D67B84AA-3232-46D3-8B30-0AC87FDF65FD}\InprocServer32	RunDll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FCA7DE15-8A25-40FB-B23C-1C55DF71FF0E}\InprocServer32\ = "C:\\Program Files (x86)\\EaseUS\\Todo Backup\\bin\\x64\\VssEaseusProvider.dll"	RunDll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C1051DD2-472F-4B24-B47A-06769096CE34}\InprocServer32\ThreadingModel = "Apartment"	AppSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{45203D3B-3D73-4497-8AFE-D29950AC6C55}\InprocServer32	AppSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FCA7DE15-8A25-40FB-B23C-1C55DF71FF0E}\InprocServer32	RunDll32.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TB_Free_easeus.tmpEDownloader.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	TB_Free_easeus.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	EDownloader.exe

Loads dropped DLL 64 IoCs

Processes:

InfoForSetup.exeInfoForSetup.exeAliyunWrapExe.ExeInfoForSetup.exeInfoForSetup.exeInfoForSetup.exeInfoForSetup.exeInfoForSetup.exeInfoForSetup.exeTB_Free_easeus.tmpregsvr32.exeRunDll32.exeRunDll32.exeAppSetup.exeEnsUtils.exeAliyunWrapExe.Exeensserver.exeAliyunWrapExe.ExeAgent.exeAgent.exeTrayProcess.exe

pid	process
3412	InfoForSetup.exe
3360	InfoForSetup.exe
4960	AliyunWrapExe.Exe
4504	InfoForSetup.exe
2384	InfoForSetup.exe
3384	InfoForSetup.exe
224	InfoForSetup.exe
3588	InfoForSetup.exe
2932	InfoForSetup.exe
2528	TB_Free_easeus.tmp
2528	TB_Free_easeus.tmp
2528	TB_Free_easeus.tmp
2528	TB_Free_easeus.tmp
1800	regsvr32.exe
3956	RunDll32.exe
4468	RunDll32.exe
4836	AppSetup.exe
3952	EnsUtils.exe
3952	EnsUtils.exe
3952	EnsUtils.exe
3952	EnsUtils.exe
3368	AliyunWrapExe.Exe
4176	ensserver.exe
4176	ensserver.exe
4176	ensserver.exe
4176	ensserver.exe
4176	ensserver.exe
4176	ensserver.exe
4176	ensserver.exe
4176	ensserver.exe
4176	ensserver.exe
4176	ensserver.exe
4340	AliyunWrapExe.Exe
4436	Agent.exe
4844	Agent.exe
4844	Agent.exe
4844	Agent.exe
4844	Agent.exe
4844	Agent.exe
4844	Agent.exe
4844	Agent.exe
4844	Agent.exe
4844	Agent.exe
4844	Agent.exe
4844	Agent.exe
4844	Agent.exe
4844	Agent.exe
4844	Agent.exe
332	TrayProcess.exe
332	TrayProcess.exe
332	TrayProcess.exe
332	TrayProcess.exe
332	TrayProcess.exe
332	TrayProcess.exe
332	TrayProcess.exe
332	TrayProcess.exe
332	TrayProcess.exe
332	TrayProcess.exe
332	TrayProcess.exe
332	TrayProcess.exe
332	TrayProcess.exe
332	TrayProcess.exe
332	TrayProcess.exe
332	TrayProcess.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

TB_Free_easeus.tmpmsedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	TB_Free_easeus.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TrayProcess = "\"C:\\Program Files (x86)\\EaseUS\\Todo Backup\\bin\\TrayProcess.exe\" autorun"	TB_Free_easeus.tmp
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 17 IoCs

Processes:

ensserver.exeAgent.exeAliyunWrapExe.Exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	ensserver.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	ensserver.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27	ensserver.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	ensserver.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9FF67FB3141440EED32363089565AE60_D9DB4FD99E4009ED1384A9FB5C596390	ensserver.exe
File opened for modification	C:\Windows\SysWOW64\Eaolog.log	Agent.exe
File opened for modification	C:\Windows\SysWOW64\EUTB.TODJ	Agent.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	ensserver.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\ens[1].ini	ensserver.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	ensserver.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\index[1].htm	AliyunWrapExe.Exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	ensserver.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	ensserver.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	ensserver.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27	ensserver.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9FF67FB3141440EED32363089565AE60_D9DB4FD99E4009ED1384A9FB5C596390	ensserver.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe

Drops file in Program Files directory 64 IoCs

Processes:

TB_Free_easeus.tmpEnsUtils.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\EaseUS\Todo Backup\bin\bearer\qgenericbearer.dll	TB_Free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\Todo Backup\bin\is-PD633.tmp	TB_Free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\Todo Backup\bin\DriversPack\lsi\2k8-R2\is-SE5KA.tmp	TB_Free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\Todo Backup\bin\ens\is-VVMRK.tmp	TB_Free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\Todo Backup\BUILDPE\EaseUS-x64\tb\bin\is-2BTQL.tmp	TB_Free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\Todo Backup\res\iconView\is-OCEJJ.tmp	TB_Free_easeus.tmp
File opened for modification	C:\Program Files (x86)\EaseUS\Todo Backup\bin\ens\DataFile.ini	EnsUtils.exe
File created	C:\Program Files (x86)\EaseUS\Todo Backup\res\iconView\is-EPADA.tmp	TB_Free_easeus.tmp
File opened for modification	C:\Program Files (x86)\EaseUS\Todo Backup\BUILDPE\EaseUS-x64\tb\bin\WinChkdsk.exe	TB_Free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\Todo Backup\bin\is-CEAUC.tmp	TB_Free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\Todo Backup\BUILDPE\EaseUS-x64\tb\bin\is-R5Q0I.tmp	TB_Free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\Todo Backup\multi\res_poland\bin\is-HTIPA.tmp	TB_Free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\Todo Backup\res\icon\is-1FOTS.tmp	TB_Free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\Todo Backup\res\iconView\is-8VB27.tmp	TB_Free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\Todo Backup\res\iconView\is-88KEC.tmp	TB_Free_easeus.tmp
File opened for modification	C:\Program Files (x86)\EaseUS\Todo Backup\bin\libxml2.dll	TB_Free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\Todo Backup\bin\is-UTPT7.tmp	TB_Free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\Todo Backup\bin\DLLs\is-NHOFL.tmp	TB_Free_easeus.tmp
File opened for modification	C:\Program Files (x86)\EaseUS\Todo Backup\bin\euLog.dll	TB_Free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\Todo Backup\BUILDPE\EaseUS-x64\tb\bin\is-AH4HQ.tmp	TB_Free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\Todo Backup\res\is-DGDS5.tmp	TB_Free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\Todo Backup\res\is-SCRTV.tmp	TB_Free_easeus.tmp
File opened for modification	C:\Program Files (x86)\EaseUS\Todo Backup\bin\uexperice.exe	TB_Free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\Todo Backup\BUILDPE\x64\Windows\system32\en-US\is-9LDPK.tmp	TB_Free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\Todo Backup\BUILDPE\EaseUS-x64\tb\bin\is-6JE7S.tmp	TB_Free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\Todo Backup\res\icon\is-RVPQ3.tmp	TB_Free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\Todo Backup\res\taskCard\is-JIF4M.tmp	TB_Free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\Todo Backup\BUILDPE\EaseUS-x64\tb\bin\is-T9QMF.tmp	TB_Free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\Todo Backup\res\is-G8LSB.tmp	TB_Free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\Todo Backup\res\is-A1970.tmp	TB_Free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\Todo Backup\bin\DriversPack\sas\2k8-x86\is-IR7VG.tmp	TB_Free_easeus.tmp
File opened for modification	C:\Program Files (x86)\EaseUS\Todo Backup\BUILDPE\EaseUS-x64\tb\bin\opengl32sw.dll	TB_Free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\Todo Backup\bin\is-PBNTH.tmp	TB_Free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\Todo Backup\BUILDPE\EaseUS-x64\tb\bin\is-91NDF.tmp	TB_Free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\Todo Backup\BUILDPE\EaseUS-x64\tb\bin\is-1H7BQ.tmp	TB_Free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\Todo Backup\res\is-H9K4Q.tmp	TB_Free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\Todo Backup\res\is-5LC2Q.tmp	TB_Free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\Todo Backup\res\is-R656A.tmp	TB_Free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\Todo Backup\res\iconView\is-C35RN.tmp	TB_Free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\Todo Backup\res\taskCard\is-NCCE9.tmp	TB_Free_easeus.tmp
File opened for modification	C:\Program Files (x86)\EaseUS\Todo Backup\bin\CorrectMbr.dll	TB_Free_easeus.tmp
File opened for modification	C:\Program Files (x86)\EaseUS\Todo Backup\bin\mfcm90.dll	TB_Free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\Todo Backup\bin\is-EHRLF.tmp	TB_Free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\Todo Backup\res\is-GA5T3.tmp	TB_Free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\Todo Backup\res\iconView\is-APJFJ.tmp	TB_Free_easeus.tmp
File opened for modification	C:\Program Files (x86)\EaseUS\Todo Backup\bin\ens\AliyunConfig.ini	EnsUtils.exe
File opened for modification	C:\Program Files (x86)\EaseUS\Todo Backup\bin\NtfsSupport.dll	TB_Free_easeus.tmp
File opened for modification	C:\Program Files (x86)\EaseUS\Todo Backup\bin\Qt5QmlModels.dll	TB_Free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\Todo Backup\bin\DriversPack\sas\2k3-x86\is-EIVUJ.tmp	TB_Free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\Todo Backup\res\is-0J738.tmp	TB_Free_easeus.tmp
File opened for modification	C:\Program Files (x86)\EaseUS\Todo Backup\BUILDPE\EaseUS-x64\tb\bin\msvcr120.dll	TB_Free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\Todo Backup\BUILDPE\EaseUS-x64\tb\bin\is-3F1G0.tmp	TB_Free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\Todo Backup\res\is-B8B6O.tmp	TB_Free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\Todo Backup\res\is-FVCQT.tmp	TB_Free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\Todo Backup\res\icon\is-IP2IM.tmp	TB_Free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\Todo Backup\res\icon\is-F8BRM.tmp	TB_Free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\Todo Backup\res\is-TP1GM.tmp	TB_Free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\Todo Backup\res\is-RAD22.tmp	TB_Free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\Todo Backup\res\iconView\is-QDJQF.tmp	TB_Free_easeus.tmp
File opened for modification	C:\Program Files (x86)\EaseUS\Todo Backup\BUILDPE\EaseUS-x64\tb\bin\mfc90kor.dll	TB_Free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\Todo Backup\bin\is-6GPFN.tmp	TB_Free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\Todo Backup\bin\is-30QSC.tmp	TB_Free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\Todo Backup\BUILDPE\EaseUS-x64\tb\bin\is-RAV1D.tmp	TB_Free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\Todo Backup\res\is-EB5L4.tmp	TB_Free_easeus.tmp

Drops file in Windows directory 5 IoCs

Processes:

msdtc.exedllhost.exe

description	ioc	process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File created	C:\Windows\Registration\_RegDBWrt.clb	dllhost.exe
File opened for modification	C:\Windows\Registration\_RegDBWrt.clb	dllhost.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{4D6AC144-B5D1-45F7-B585-86C1B2D49ECE}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{4D6AC144-B5D1-45F7-B585-86C1B2D49ECE}.crmlog	dllhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vds.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

EUinApp.exeTB_Free_easeus.tmp

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	EUinApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\TBConsoleUI.exe = "11000"	EUinApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION	TB_Free_easeus.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\TBConsoleUI.exe = "9999"	TB_Free_easeus.tmp

Modifies data under HKEY_USERS 17 IoCs

Processes:

AliyunWrapExe.Exeensserver.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	AliyunWrapExe.Exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	ensserver.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	AliyunWrapExe.Exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	AliyunWrapExe.Exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	ensserver.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	ensserver.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	ensserver.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	AliyunWrapExe.Exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	ensserver.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	AliyunWrapExe.Exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	AliyunWrapExe.Exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	AliyunWrapExe.Exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	ensserver.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	ensserver.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	ensserver.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	ensserver.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	AliyunWrapExe.Exe

Modifies registry class 64 IoCs

Processes:

RunDll32.exeAppSetup.exedllhost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VssEaseusProvider.EaseusSoftwareProvi.1\CLSID	RunDll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{45203D3B-3D73-4497-8AFE-D29950AC6C55}\TypeLib\ = "{B0A5F209-51D9-4ad8-8E0A-C27BA301497E}"	AppSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\SimpleShlExt\ = "{45203D3B-3D73-4497-8AFE-D29950AC6C55}"	AppSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4386DFF4-9CE5-4FB3-9D77-F3036B94F4FE}\TypeLib	AppSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4386DFF4-9CE5-4FB3-9D77-F3036B94F4FE}\TypeLib\Version = "1.0"	AppSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{45203D3B-3D73-4497-8AFE-D29950AC6C55}\InprocServer32	AppSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B0A5F209-51D9-4AD8-8E0A-C27BA301497E}\1.0\ = "ImageSh 1.0 Type Library"	AppSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F88CC4B5-6EEC-4A00-94E4-EA48EE7E1EF4}\1.0\ = "VssEaseusProvider 1.0 Type Library"	RunDll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FCA7DE15-8A25-40FB-B23C-1C55DF71FF0E}\InprocServer32\ = "C:\\Program Files (x86)\\EaseUS\\Todo Backup\\bin\\x64\\VssEaseusProvider.dll"	RunDll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VssEaseusProvider.EaseusSoftwareProvide	RunDll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VssEaseusProvider.EaseusSoftwareProvide\CLSID\ = "{FCA7DE15-8A25-40FB-B23C-1C55DF71FF0E}"	RunDll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ImageSh.RightMenu\CurVer\ = "ImageSh.RightMenu.1"	AppSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{45203D3B-3D73-4497-8AFE-D29950AC6C55}\VersionIndependentProgID\ = "ImageSh.RightMenu"	AppSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B0A5F209-51D9-4AD8-8E0A-C27BA301497E}\1.0\0	AppSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D67B84AA-3232-46D3-8B30-0AC87FDF65FD}\ProgID\ = "VssEaseusProvider.VSS_OBJECT_PROP_Arr.1"	RunDll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VssEaseusProvider.VSS_OBJECT_PROP_Array\CurVer\ = "VssEaseusProvider.VSS_OBJECT_PROP_Arr.1"	RunDll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C1051DD2-472F-4B24-B47A-06769096CE34}\Shell\Open\ddeexec	AppSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\pbd.file\Shell\Open\ddeexec	AppSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\pbd.file\Shell\Open\ddeexec\topic	AppSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B0A5F209-51D9-4AD8-8E0A-C27BA301497E}	AppSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B0A5F209-51D9-4AD8-8E0A-C27BA301497E}\1.0\HELPDIR	AppSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4386DFF4-9CE5-4FB3-9D77-F3036B94F4FE}	AppSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FCA7DE15-8A25-40FB-B23C-1C55DF71FF0E}\ProgID\ = "VssEaseusProvider.EaseusSoftwareProvi.1"	RunDll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FCA7DE15-8A25-40FB-B23C-1C55DF71FF0E}\TypeLib	RunDll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VssEaseusProvider.VSS_OBJECT_PROP_Array\CurVer	RunDll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C1051DD2-472F-4B24-B47A-06769096CE34}\Shell\Open\ddeexec\topic\ = "AppProperties"	AppSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ImageSh.RightMenu.1\ = "RightMenu Class"	AppSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{45203D3B-3D73-4497-8AFE-D29950AC6C55}\TypeLib	AppSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4386DFF4-9CE5-4FB3-9D77-F3036B94F4FE}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	AppSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F88CC4B5-6EEC-4A00-94E4-EA48EE7E1EF4}\1.0\HELPDIR	RunDll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VssEaseusProvider.EaseusSoftwareProvide\CurVer\ = "VssEaseusProvider.EaseusSoftwareProvi.1"	RunDll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VssEaseusProvider.VSS_OBJECT_PROP_Array\CLSID\ = "{D67B84AA-3232-46D3-8B30-0AC87FDF65FD}"	RunDll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C1051DD2-472F-4B24-B47A-06769096CE34}\InfoTip = "EaseUS ShellFolder namespace extension"	AppSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C1051DD2-472F-4B24-B47A-06769096CE34}\Shell\Open\ = "Open(&O)"	AppSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B0A5F209-51D9-4AD8-8E0A-C27BA301497E}\1.0\FLAGS\ = "0"	AppSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4386DFF4-9CE5-4FB3-9D77-F3036B94F4FE}\TypeLib\ = "{B0A5F209-51D9-4AD8-8E0A-C27BA301497E}"	AppSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F88CC4B5-6EEC-4A00-94E4-EA48EE7E1EF4}	RunDll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F88CC4B5-6EEC-4A00-94E4-EA48EE7E1EF4}\1.0\0\win64\ = "C:\\Program Files (x86)\\EaseUS\\Todo Backup\\bin\\x64\\VssEaseusProvider.dll"	RunDll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VssEaseusProvider.VSS_OBJECT_PROP_Arr.1	RunDll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\CLBVersion = "5"	dllhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C1051DD2-472F-4B24-B47A-06769096CE34}\Shell\Open\command	AppSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ImageSh.RightMenu	AppSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\pbd.file\Shell\Open\command	AppSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4386DFF4-9CE5-4FB3-9D77-F3036B94F4FE}\ = "IContextMenuImpl"	AppSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4386DFF4-9CE5-4FB3-9D77-F3036B94F4FE}\ = "IContextMenuImpl"	AppSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\VssEaseusProvider.DLL	RunDll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\pbd.file\Shell\Open\command\ = "explorer /idlist,%I,%L"	AppSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{45203D3B-3D73-4497-8AFE-D29950AC6C55}\InprocServer32\ = "C:\\Program Files (x86)\\EaseUS\\Todo Backup\\bin\\x64\\ImageSh.dll"	AppSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C1051DD2-472F-4B24-B47A-06769096CE34}\InprocServer32\ = "C:\\Program Files (x86)\\EaseUS\\Todo Backup\\bin\\x64\\ImageSh.dll"	AppSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C1051DD2-472F-4B24-B47A-06769096CE34}\ShellFolder	AppSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C1051DD2-472F-4B24-B47A-06769096CE34}\Shell\Open\ddeexec\topic	AppSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\pbd.file\Shell\Open\ddeexec\application\ = "Folders"	AppSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B0A5F209-51D9-4AD8-8E0A-C27BA301497E}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\EaseUS\\Todo Backup\\bin\\x64"	AppSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ImageSh.RightMenu\CurVer	AppSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F88CC4B5-6EEC-4A00-94E4-EA48EE7E1EF4}\1.0\0	RunDll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\AppID	RunDll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C1051DD2-472F-4B24-B47A-06769096CE34}\ = "EaseUS ShellFolder!"	AppSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C1051DD2-472F-4B24-B47A-06769096CE34}\Shell	AppSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C1051DD2-472F-4B24-B47A-06769096CE34}\Shell\Open\ddeexec\ = "[ViewFolder(\"%l\", %I, %S)]"	AppSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\pbd.file\Shell\Open\ddeexec\ifexec	AppSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F88CC4B5-6EEC-4A00-94E4-EA48EE7E1EF4}\1.0	RunDll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FCA7DE15-8A25-40FB-B23C-1C55DF71FF0E}\VersionIndependentProgID	RunDll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\CLBVersion = "4"	dllhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\pbd.file\Shell\Open\ddeexec\NoActivateHandler	AppSetup.exe

Modifies registry key 1 TTPs 5 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exereg.exereg.exe

pid process

4152 reg.exe
3384 reg.exe
224 reg.exe
112 reg.exe
4876 reg.exe
Runs net.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

TrayProcess.exe

pid process

332 TrayProcess.exe

pid	process
4152	reg.exe
3384	reg.exe
224	reg.exe
112	reg.exe
4876	reg.exe

pid	process
332	TrayProcess.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

TB_Free_easeus.tmp

pid	process
2528	TB_Free_easeus.tmp
2528	TB_Free_easeus.tmp
2528	TB_Free_easeus.tmp
2528	TB_Free_easeus.tmp
2528	TB_Free_easeus.tmp
2528	TB_Free_easeus.tmp
2528	TB_Free_easeus.tmp
2528	TB_Free_easeus.tmp
2528	TB_Free_easeus.tmp
2528	TB_Free_easeus.tmp
2528	TB_Free_easeus.tmp
2528	TB_Free_easeus.tmp
2528	TB_Free_easeus.tmp
2528	TB_Free_easeus.tmp
2528	TB_Free_easeus.tmp
2528	TB_Free_easeus.tmp
2528	TB_Free_easeus.tmp
2528	TB_Free_easeus.tmp
2528	TB_Free_easeus.tmp
2528	TB_Free_easeus.tmp
2528	TB_Free_easeus.tmp
2528	TB_Free_easeus.tmp
2528	TB_Free_easeus.tmp
2528	TB_Free_easeus.tmp
2528	TB_Free_easeus.tmp
2528	TB_Free_easeus.tmp
2528	TB_Free_easeus.tmp
2528	TB_Free_easeus.tmp
2528	TB_Free_easeus.tmp
2528	TB_Free_easeus.tmp
2528	TB_Free_easeus.tmp
2528	TB_Free_easeus.tmp
2528	TB_Free_easeus.tmp
2528	TB_Free_easeus.tmp
2528	TB_Free_easeus.tmp
2528	TB_Free_easeus.tmp
2528	TB_Free_easeus.tmp
2528	TB_Free_easeus.tmp
2528	TB_Free_easeus.tmp
2528	TB_Free_easeus.tmp
2528	TB_Free_easeus.tmp
2528	TB_Free_easeus.tmp
2528	TB_Free_easeus.tmp
2528	TB_Free_easeus.tmp
2528	TB_Free_easeus.tmp
2528	TB_Free_easeus.tmp
2528	TB_Free_easeus.tmp
2528	TB_Free_easeus.tmp
2528	TB_Free_easeus.tmp
2528	TB_Free_easeus.tmp
2528	TB_Free_easeus.tmp
2528	TB_Free_easeus.tmp
2528	TB_Free_easeus.tmp
2528	TB_Free_easeus.tmp
2528	TB_Free_easeus.tmp
2528	TB_Free_easeus.tmp
2528	TB_Free_easeus.tmp
2528	TB_Free_easeus.tmp
2528	TB_Free_easeus.tmp
2528	TB_Free_easeus.tmp
2528	TB_Free_easeus.tmp
2528	TB_Free_easeus.tmp
2528	TB_Free_easeus.tmp
2528	TB_Free_easeus.tmp

Suspicious behavior: LoadsDriver 4 IoCs

Processes:

drvsetup.exe

pid process

3516 drvsetup.exe
3516 drvsetup.exe
3516 drvsetup.exe
656
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

msedge.exe

pid process

1892 msedge.exe
1892 msedge.exe
1892 msedge.exe
1892 msedge.exe
1892 msedge.exe
1892 msedge.exe

pid	process
3516	drvsetup.exe
3516	drvsetup.exe
3516	drvsetup.exe
656

pid	process
1892	msedge.exe
1892	msedge.exe
1892	msedge.exe
1892	msedge.exe
1892	msedge.exe
1892	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

TB_Free_easeus.tmp

description	pid	process
Token: SeDebugPrivilege	2528	TB_Free_easeus.tmp
Token: SeDebugPrivilege	2528	TB_Free_easeus.tmp
Token: SeDebugPrivilege	2528	TB_Free_easeus.tmp
Token: SeDebugPrivilege	2528	TB_Free_easeus.tmp
Token: SeDebugPrivilege	2528	TB_Free_easeus.tmp
Token: SeDebugPrivilege	2528	TB_Free_easeus.tmp
Token: SeDebugPrivilege	2528	TB_Free_easeus.tmp
Token: SeDebugPrivilege	2528	TB_Free_easeus.tmp
Token: SeDebugPrivilege	2528	TB_Free_easeus.tmp
Token: SeDebugPrivilege	2528	TB_Free_easeus.tmp
Token: SeDebugPrivilege	2528	TB_Free_easeus.tmp
Token: SeDebugPrivilege	2528	TB_Free_easeus.tmp
Token: SeDebugPrivilege	2528	TB_Free_easeus.tmp
Token: SeDebugPrivilege	2528	TB_Free_easeus.tmp
Token: SeDebugPrivilege	2528	TB_Free_easeus.tmp
Token: SeDebugPrivilege	2528	TB_Free_easeus.tmp
Token: SeDebugPrivilege	2528	TB_Free_easeus.tmp
Token: SeDebugPrivilege	2528	TB_Free_easeus.tmp
Token: SeDebugPrivilege	2528	TB_Free_easeus.tmp
Token: SeDebugPrivilege	2528	TB_Free_easeus.tmp
Token: SeDebugPrivilege	2528	TB_Free_easeus.tmp
Token: SeDebugPrivilege	2528	TB_Free_easeus.tmp
Token: SeDebugPrivilege	2528	TB_Free_easeus.tmp
Token: SeDebugPrivilege	2528	TB_Free_easeus.tmp
Token: SeDebugPrivilege	2528	TB_Free_easeus.tmp
Token: SeDebugPrivilege	2528	TB_Free_easeus.tmp
Token: SeDebugPrivilege	2528	TB_Free_easeus.tmp
Token: SeDebugPrivilege	2528	TB_Free_easeus.tmp
Token: SeDebugPrivilege	2528	TB_Free_easeus.tmp
Token: SeDebugPrivilege	2528	TB_Free_easeus.tmp
Token: SeDebugPrivilege	2528	TB_Free_easeus.tmp
Token: SeDebugPrivilege	2528	TB_Free_easeus.tmp
Token: SeDebugPrivilege	2528	TB_Free_easeus.tmp
Token: SeDebugPrivilege	2528	TB_Free_easeus.tmp
Token: SeDebugPrivilege	2528	TB_Free_easeus.tmp
Token: SeDebugPrivilege	2528	TB_Free_easeus.tmp
Token: SeDebugPrivilege	2528	TB_Free_easeus.tmp
Token: SeDebugPrivilege	2528	TB_Free_easeus.tmp
Token: SeDebugPrivilege	2528	TB_Free_easeus.tmp
Token: SeDebugPrivilege	2528	TB_Free_easeus.tmp
Token: SeDebugPrivilege	2528	TB_Free_easeus.tmp
Token: SeDebugPrivilege	2528	TB_Free_easeus.tmp
Token: SeDebugPrivilege	2528	TB_Free_easeus.tmp
Token: SeDebugPrivilege	2528	TB_Free_easeus.tmp
Token: SeDebugPrivilege	2528	TB_Free_easeus.tmp
Token: SeDebugPrivilege	2528	TB_Free_easeus.tmp
Token: SeDebugPrivilege	2528	TB_Free_easeus.tmp
Token: SeDebugPrivilege	2528	TB_Free_easeus.tmp
Token: SeDebugPrivilege	2528	TB_Free_easeus.tmp
Token: SeDebugPrivilege	2528	TB_Free_easeus.tmp
Token: SeDebugPrivilege	2528	TB_Free_easeus.tmp
Token: SeDebugPrivilege	2528	TB_Free_easeus.tmp
Token: SeDebugPrivilege	2528	TB_Free_easeus.tmp
Token: SeDebugPrivilege	2528	TB_Free_easeus.tmp
Token: SeDebugPrivilege	2528	TB_Free_easeus.tmp
Token: SeDebugPrivilege	2528	TB_Free_easeus.tmp
Token: SeDebugPrivilege	2528	TB_Free_easeus.tmp
Token: SeDebugPrivilege	2528	TB_Free_easeus.tmp
Token: SeDebugPrivilege	2528	TB_Free_easeus.tmp
Token: SeDebugPrivilege	2528	TB_Free_easeus.tmp
Token: SeDebugPrivilege	2528	TB_Free_easeus.tmp
Token: SeDebugPrivilege	2528	TB_Free_easeus.tmp
Token: SeDebugPrivilege	2528	TB_Free_easeus.tmp
Token: SeDebugPrivilege	2528	TB_Free_easeus.tmp

Suspicious use of FindShellTrayWindow 11 IoCs

Processes:

TB_Free_easeus.tmpTrayProcess.exemsedge.exe

pid	process
2528	TB_Free_easeus.tmp
332	TrayProcess.exe
332	TrayProcess.exe
332	TrayProcess.exe
332	TrayProcess.exe
332	TrayProcess.exe
332	TrayProcess.exe
1892	msedge.exe
1892	msedge.exe
1892	msedge.exe
1892	msedge.exe

Suspicious use of SendNotifyMessage 6 IoCs

Processes:

TrayProcess.exe

pid process

332 TrayProcess.exe
332 TrayProcess.exe
332 TrayProcess.exe
332 TrayProcess.exe
332 TrayProcess.exe
332 TrayProcess.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

EDownloader.exeTrayProcess.exe

pid process

1188 EDownloader.exe
1188 EDownloader.exe
332 TrayProcess.exe

pid	process
332	TrayProcess.exe
332	TrayProcess.exe
332	TrayProcess.exe
332	TrayProcess.exe
332	TrayProcess.exe
332	TrayProcess.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

TB_Free_Installer_20221103.100000.exeEDownloader.exeInfoForSetup.exeTB_Free_easeus.exeTB_Free_easeus.tmpcmd.exenet.exenet.exenet.exedllhost.exe

description	pid	process	target process
PID 4448 wrote to memory of 1188	4448	TB_Free_Installer_20221103.100000.exe	EDownloader.exe
PID 4448 wrote to memory of 1188	4448	TB_Free_Installer_20221103.100000.exe	EDownloader.exe
PID 4448 wrote to memory of 1188	4448	TB_Free_Installer_20221103.100000.exe	EDownloader.exe
PID 1188 wrote to memory of 3412	1188	EDownloader.exe	InfoForSetup.exe
PID 1188 wrote to memory of 3412	1188	EDownloader.exe	InfoForSetup.exe
PID 1188 wrote to memory of 3412	1188	EDownloader.exe	InfoForSetup.exe
PID 1188 wrote to memory of 3360	1188	EDownloader.exe	InfoForSetup.exe
PID 1188 wrote to memory of 3360	1188	EDownloader.exe	InfoForSetup.exe
PID 1188 wrote to memory of 3360	1188	EDownloader.exe	InfoForSetup.exe
PID 3360 wrote to memory of 4960	3360	InfoForSetup.exe	AliyunWrapExe.Exe
PID 3360 wrote to memory of 4960	3360	InfoForSetup.exe	AliyunWrapExe.Exe
PID 3360 wrote to memory of 4960	3360	InfoForSetup.exe	AliyunWrapExe.Exe
PID 1188 wrote to memory of 4504	1188	EDownloader.exe	InfoForSetup.exe
PID 1188 wrote to memory of 4504	1188	EDownloader.exe	InfoForSetup.exe
PID 1188 wrote to memory of 4504	1188	EDownloader.exe	InfoForSetup.exe
PID 1188 wrote to memory of 2384	1188	EDownloader.exe	InfoForSetup.exe
PID 1188 wrote to memory of 2384	1188	EDownloader.exe	InfoForSetup.exe
PID 1188 wrote to memory of 2384	1188	EDownloader.exe	InfoForSetup.exe
PID 1188 wrote to memory of 3384	1188	EDownloader.exe	InfoForSetup.exe
PID 1188 wrote to memory of 3384	1188	EDownloader.exe	InfoForSetup.exe
PID 1188 wrote to memory of 3384	1188	EDownloader.exe	InfoForSetup.exe
PID 1188 wrote to memory of 224	1188	EDownloader.exe	InfoForSetup.exe
PID 1188 wrote to memory of 224	1188	EDownloader.exe	InfoForSetup.exe
PID 1188 wrote to memory of 224	1188	EDownloader.exe	InfoForSetup.exe
PID 1188 wrote to memory of 3588	1188	EDownloader.exe	InfoForSetup.exe
PID 1188 wrote to memory of 3588	1188	EDownloader.exe	InfoForSetup.exe
PID 1188 wrote to memory of 3588	1188	EDownloader.exe	InfoForSetup.exe
PID 1188 wrote to memory of 2932	1188	EDownloader.exe	InfoForSetup.exe
PID 1188 wrote to memory of 2932	1188	EDownloader.exe	InfoForSetup.exe
PID 1188 wrote to memory of 2932	1188	EDownloader.exe	InfoForSetup.exe
PID 1188 wrote to memory of 1708	1188	EDownloader.exe	TB_Free_easeus.exe
PID 1188 wrote to memory of 1708	1188	EDownloader.exe	TB_Free_easeus.exe
PID 1188 wrote to memory of 1708	1188	EDownloader.exe	TB_Free_easeus.exe
PID 1708 wrote to memory of 2528	1708	TB_Free_easeus.exe	TB_Free_easeus.tmp
PID 1708 wrote to memory of 2528	1708	TB_Free_easeus.exe	TB_Free_easeus.tmp
PID 1708 wrote to memory of 2528	1708	TB_Free_easeus.exe	TB_Free_easeus.tmp
PID 2528 wrote to memory of 4816	2528	TB_Free_easeus.tmp	cmd.exe
PID 2528 wrote to memory of 4816	2528	TB_Free_easeus.tmp	cmd.exe
PID 4816 wrote to memory of 3640	4816	cmd.exe	net.exe
PID 4816 wrote to memory of 3640	4816	cmd.exe	net.exe
PID 3640 wrote to memory of 2664	3640	net.exe	net1.exe
PID 3640 wrote to memory of 2664	3640	net.exe	net1.exe
PID 4816 wrote to memory of 1376	4816	cmd.exe	net.exe
PID 4816 wrote to memory of 1376	4816	cmd.exe	net.exe
PID 1376 wrote to memory of 1616	1376	net.exe	net1.exe
PID 1376 wrote to memory of 1616	1376	net.exe	net1.exe
PID 4816 wrote to memory of 3872	4816	cmd.exe	net.exe
PID 4816 wrote to memory of 3872	4816	cmd.exe	net.exe
PID 3872 wrote to memory of 2640	3872	net.exe	net1.exe
PID 3872 wrote to memory of 2640	3872	net.exe	net1.exe
PID 4816 wrote to memory of 4152	4816	cmd.exe	reg.exe
PID 4816 wrote to memory of 4152	4816	cmd.exe	reg.exe
PID 4816 wrote to memory of 4616	4816	cmd.exe	cscript.exe
PID 4816 wrote to memory of 4616	4816	cmd.exe	cscript.exe
PID 4816 wrote to memory of 1800	4816	cmd.exe	regsvr32.exe
PID 4816 wrote to memory of 1800	4816	cmd.exe	regsvr32.exe
PID 4816 wrote to memory of 4504	4816	cmd.exe	cscript.exe
PID 4816 wrote to memory of 4504	4816	cmd.exe	cscript.exe
PID 2816 wrote to memory of 3956	2816	dllhost.exe	RunDll32.exe
PID 2816 wrote to memory of 3956	2816	dllhost.exe	RunDll32.exe
PID 2816 wrote to memory of 4468	2816	dllhost.exe	RunDll32.exe
PID 2816 wrote to memory of 4468	2816	dllhost.exe	RunDll32.exe
PID 4816 wrote to memory of 3384	4816	cmd.exe	reg.exe
PID 4816 wrote to memory of 3384	4816	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\TB_Free_Installer_20221103.100000.exe
"C:\Users\Admin\AppData\Local\Temp\TB_Free_Installer_20221103.100000.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4448

C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\3Free\EDownloader.exe
"C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\3Free\EDownloader.exe" EXEDIR=C:\Users\Admin\AppData\Local\Temp ||| EXENAME=TB_Free_Installer_20221103.100000.exe ||| DOWNLOAD_VERSION=Free ||| PRODUCT_VERSION=1.0.0 ||| INSTALL_TYPE=0
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1188

C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\3Free\aliyun\InfoForSetup.exe
/Uid "S-1-5-21-2295526160-1155304984-640977766-1000"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3412

C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\3Free\aliyun\InfoForSetup.exe
/SendInfo Window "Web_Installer" Activity "Result_Run_Installer" Attribute "{\"Country\":\"Germany\",\"Timezone\":\"GMT-00:00\"}"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3360

C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\3Free\aliyun\AliyunWrapExe.Exe
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\3Free\aliyun\AliyunWrapExe.Exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4960

C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\3Free\aliyun\InfoForSetup.exe
/SendInfo Window "Home_Installer" Activity "Result_Download_Configurefile" Attribute "{\"CDN\":\"http://download.easeus.com/api2/index.php/Apicp/Drwdl202004/index/\",\"Elapsed\":\"1\",\"Errorinfo\":\"0\",\"PostURL\":\"http://download.easeus.com/api2/index.php/Apicp/Drwdl202004/index/?exeNumber=100000&lang=German&pcVersion=home&pid=3&tid=1&version=Free\",\"ResponseJson\":\"{\\"check\\":1,\\"msg\\":\\"\\u6210\\u529f\\",\\"data\\":{\\"pid\\":\\"3\\",\\"version\\":\\"Free\\",\\"tj_download\\":\\"test\\",\\"referNumber\\":\\"1000000\\",\\"killSwitch\\":\\"true\\",\\"WriteLogSwitch\\":\\"false\\",\\"curNum\\":\\"2022\\",\\"testid\\":\\"100000\\",\\"configid\\":\\"\\",\\"md5\\":\\"25e05426bec38a85ddf2006e41e02564\\",\\"download\\":\\"https:\\/\\/download2.easeus.com\\/free\\/TodoBackup_2022_free_2207.exe\\",\\"download2\\":\\"https:\\/\\/download.easeus.com\\/free\\/TodoBackup_2022_free_2207.exe\\",\\"download3\\":\\"https:\\/\\/download3.easeus.com\\/free\\/TodoBackup_2022_free_2207.exe\\",\\"url\\":[]},\\"time\\":1667495146}\",\"Result\":\"Success\"}"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4504

C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\3Free\aliyun\InfoForSetup.exe
/SendInfo Window "Home_Installer" Activity "Click_Install" Attribute "{\"Install_Path\":\"C:/Program Files (x86)/EaseUS/Todo Backup\",\"Language\":\"German\",\"Os\":\"Microsoft Windows 10\",\"Timezone\":\"GMT-00:00\",\"Version\":\"Free\",\"Version_Num\":\"2022\"}"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2384

C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\3Free\aliyun\InfoForSetup.exe
/SendInfo Window "Version_Compare" Activity "Click_Free"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3384

C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\3Free\aliyun\InfoForSetup.exe
/SendInfo Window "Downloading" Activity "Info_Start_Download_Program" Attribute "{\"Pageid\":\"100000\",\"Version\":\"Free\"}"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:224

C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\3Free\aliyun\InfoForSetup.exe
/SendInfo Window "Downloading" Activity "Result_Download_Program" Attribute "{\"Average_Networkspeed\":\"11.24MB\",\"Cdn\":\"https://download2.easeus.com/free/TodoBackup_2022_free_2207.exe\",\"Elapsedtime\":\"12\",\"Errorinfo\":\"0\",\"Result\":\"Success\"}"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3588

C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\3Free\aliyun\InfoForSetup.exe
/SendInfo Window "Installing" Activity "Info_Start_Install_Program"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2932

C:\Users\Admin\AppData\Local\Temp\TB_Free_easeus.exe
/verysilent /DIR="C:\Program Files (x86)\EaseUS\Todo Backup" /IMAGEPATH="C:\My Backups" /LANG=German agreeImprove=true GUID=S-1-5-21-2295526160-1155304984-640977766-1000 xurlID=100000
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1708

C:\Users\Admin\AppData\Local\Temp\is-928U4.tmp\TB_Free_easeus.tmp
"C:\Users\Admin\AppData\Local\Temp\is-928U4.tmp\TB_Free_easeus.tmp" /SL5="$501C2,140774561,171008,C:\Users\Admin\AppData\Local\Temp\TB_Free_easeus.exe" /verysilent /DIR="C:\Program Files (x86)\EaseUS\Todo Backup" /IMAGEPATH="C:\My Backups" /LANG=German agreeImprove=true GUID=S-1-5-21-2295526160-1155304984-640977766-1000 xurlID=100000
4⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2528

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""C:\Program Files (x86)\EaseUS\Todo Backup\bin\x64\install-EaseUSprovider.cmd""
5⤵
- Suspicious use of WriteProcessMemory
PID:4816

C:\Windows\system32\net.exe
net stop vds /Y
6⤵
- Suspicious use of WriteProcessMemory
PID:3640

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop vds /Y
7⤵
PID:2664

C:\Windows\system32\net.exe
net stop vss /Y
6⤵
- Suspicious use of WriteProcessMemory
PID:1376

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop vss /Y
7⤵
PID:1616

C:\Windows\system32\net.exe
net stop swprv
6⤵
- Suspicious use of WriteProcessMemory
PID:3872

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop swprv
7⤵
PID:2640

C:\Windows\system32\reg.exe
reg.exe delete HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application\VssEaseusProvider /f
6⤵
- Modifies registry key
PID:4152

C:\Windows\system32\cscript.exe
cscript "C:\Program Files (x86)\EaseUS\Todo Backup\bin\x64\\register_app.vbs" -unregister "VssEaseusProvider"
6⤵
PID:4616

C:\Windows\system32\regsvr32.exe
regsvr32 /s /u "C:\Program Files (x86)\EaseUS\Todo Backup\bin\x64\\VssEaseusProvider.dll"
6⤵
- Loads dropped DLL
PID:1800

C:\Windows\system32\cscript.exe
cscript "C:\Program Files (x86)\EaseUS\Todo Backup\bin\x64\register_app.vbs" -register "VssEaseusProvider" "C:\Program Files (x86)\EaseUS\Todo Backup\bin\x64\VssEaseusProvider.dll" "VSS Easeus Provider"
6⤵
PID:4504

C:\Windows\system32\reg.exe
reg.exe add HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application\VssEaseusProvider /f
6⤵
- Modifies registry key
PID:3384

C:\Windows\system32\reg.exe
reg.exe add HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application\VssEaseusProvider /f /v CustomSource /t REG_DWORD /d 1
6⤵
- Modifies registry key
PID:224

C:\Windows\system32\reg.exe
reg.exe add HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application\VssEaseusProvider /f /v EventMessageFile /t REG_EXPAND_SZ /d "C:\Program Files (x86)\EaseUS\Todo Backup\bin\x64\VssEaseusProvider.dll"
6⤵
- Modifies registry key
PID:112

C:\Windows\system32\reg.exe
reg.exe add HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application\VssEaseusProvider /f /v TypesSupported /t REG_DWORD /d 7
6⤵
- Modifies registry key
PID:4876

C:\Program Files (x86)\EaseUS\Todo Backup\bin\x64\drvsetup.exe
"C:\Program Files (x86)\EaseUS\Todo Backup\bin\x64\drvsetup.exe" "C:\Program Files (x86)\EaseUS\Todo Backup\drv" -install
5⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious behavior: LoadsDriver
PID:3516

C:\Program Files (x86)\EaseUS\Todo Backup\bin\x64\AppSetup.exe
"C:\Program Files (x86)\EaseUS\Todo Backup\bin\x64\AppSetup.exe" Install
5⤵
- Executes dropped EXE
- Registers COM server for autorun
- Loads dropped DLL
- Modifies registry class
PID:4836

C:\Program Files (x86)\EaseUS\Todo Backup\bin\ens\EnsUtils.exe
"C:\Program Files (x86)\EaseUS\Todo Backup\bin\ens\EnsUtils.exe" -install "C:\Program Files (x86)\EaseUS\Todo Backup\bin\ens" "BU-TBP-FREE-WIN" "1" "C:\Program Files (x86)\EaseUS\Todo Backup\bin\Loader.exe" 14.3
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
PID:3952

C:\Program Files (x86)\EaseUS\Todo Backup\bin\ens\AliyunWrapExe.Exe
"C:\Program Files (x86)\EaseUS\Todo Backup\bin\ens\AliyunWrapExe.Exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3368

C:\Program Files (x86)\EaseUS\Todo Backup\bin\SetupSendData2Downloader.exe
"C:\Program Files (x86)\EaseUS\Todo Backup\bin\SetupSendData2Downloader.exe" TB_Installer https://www.easeus.de/installation-erfolgreich/todo-backup-free.html
5⤵
- Executes dropped EXE
PID:4472

C:\Program Files (x86)\EaseUS\Todo Backup\bin\Agent.exe
"C:\Program Files (x86)\EaseUS\Todo Backup\bin\Agent.exe" install
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4436

C:\Program Files (x86)\EaseUS\Todo Backup\bin\EUinApp.exe
"C:\Program Files (x86)\EaseUS\Todo Backup\bin\EUinApp.exe" TBConsoleUI.exe
5⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
PID:3772

C:\Program Files (x86)\EaseUS\Todo Backup\bin\TrayProcess.exe
"C:\Program Files (x86)\EaseUS\Todo Backup\bin\TrayProcess.exe" install
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:332

C:\Program Files (x86)\EaseUS\Todo Backup\bin\InfoForSetup.exe
"C:\Program Files (x86)\EaseUS\Todo Backup\bin\InfoForSetup.exe" /Uid S-1-5-21-2295526160-1155304984-640977766-1000
5⤵
- Executes dropped EXE
PID:1856

C:\Program Files (x86)\EaseUS\Todo Backup\bin\SetupUE.exe
"C:\Program Files (x86)\EaseUS\Todo Backup\bin\SetupUE.exe" /Enable "{\"Language\":\"German\",\"Version\":\"TodoBackup_Free_2207\",\"Version_Num\":\"14.3\",\"UE\":\"On\"}"
5⤵
- Executes dropped EXE
PID:2644

C:\Program Files (x86)\EaseUS\Todo Backup\bin\InfoForSetup.exe
"C:\Program Files (x86)\EaseUS\Todo Backup\bin\InfoForSetup.exe" /Enable
6⤵
- Executes dropped EXE
PID:5032

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic os get caption
6⤵
PID:3956

C:\Program Files (x86)\EaseUS\Todo Backup\bin\InfoForSetup.exe
"C:\Program Files (x86)\EaseUS\Todo Backup\bin\InfoForSetup.exe" /SendInfo "Window" "Install" "Activity" "Info_Userinfo" "Attribute" "{\"Language\":\"German\",\"Version\":\"TodoBackup_Free_2207\",\"Version_Num\":\"14.3\",\"UE\":\"On\",\"Country\":\"Germany\",\"Timezone\":\"GMT-00:00\",\"OS\":\"Microsoft Windows 10 Pro 64-bit (10.0.19041.1.256)\"}"
6⤵
- Executes dropped EXE
PID:112

C:\Program Files (x86)\EaseUS\Todo Backup\bin\AliyunWrapExe.Exe
"C:\Program Files (x86)\EaseUS\Todo Backup\bin\AliyunWrapExe.Exe"
7⤵
- Executes dropped EXE
PID:1384

C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\3Free\aliyun\InfoForSetup.exe
/SendInfo Window "Install_Finish" Activity "Result_Install_Program" Attribute "{\"Elapsedtime\":\"43\",\"Result\":\"result_success\"}"
3⤵
- Executes dropped EXE
PID:4568

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.easeus.de/installation-erfolgreich/todo-backup-free.html
3⤵
- Adds Run key to start application
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
PID:1892

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffdc81846f8,0x7ffdc8184708,0x7ffdc8184718
4⤵
PID:4956

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,13682285773815069791,10472169927488796451,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
4⤵
PID:4064

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,13682285773815069791,10472169927488796451,131072 --lang=de --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:3
4⤵
PID:408

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,13682285773815069791,10472169927488796451,131072 --lang=de --service-sandbox-type=utility --mojo-platform-channel-handle=2700 /prefetch:8
4⤵
PID:5156

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13682285773815069791,10472169927488796451,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:1
4⤵
PID:5340

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13682285773815069791,10472169927488796451,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:1
4⤵
PID:5360

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2156,13682285773815069791,10472169927488796451,131072 --lang=de --service-sandbox-type=service --mojo-platform-channel-handle=3984 /prefetch:8
4⤵
PID:5528

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13682285773815069791,10472169927488796451,131072 --disable-gpu-compositing --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4792 /prefetch:1
4⤵
PID:5664

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13682285773815069791,10472169927488796451,131072 --disable-gpu-compositing --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3708 /prefetch:1
4⤵
PID:5812

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2156,13682285773815069791,10472169927488796451,131072 --lang=de --service-sandbox-type=service --mojo-platform-channel-handle=5712 /prefetch:8
4⤵
PID:5996

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13682285773815069791,10472169927488796451,131072 --disable-gpu-compositing --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5720 /prefetch:1
4⤵
PID:6056

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13682285773815069791,10472169927488796451,131072 --disable-gpu-compositing --lang=de --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3712 /prefetch:1
4⤵
PID:6072

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,13682285773815069791,10472169927488796451,131072 --lang=de --service-sandbox-type=none --mojo-platform-channel-handle=6400 /prefetch:8
4⤵
PID:5356

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
4⤵
PID:5568

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff688ff5460,0x7ff688ff5470,0x7ff688ff5480
5⤵
PID:5608

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,13682285773815069791,10472169927488796451,131072 --lang=de --service-sandbox-type=none --mojo-platform-channel-handle=6400 /prefetch:8
4⤵
PID:904

C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\3Free\aliyun\InfoForSetup.exe
/SendInfo Window "Install_Finish" Activity "Click_Startnow"
3⤵
- Executes dropped EXE
PID:3116

C:\Program Files (x86)\EaseUS\Todo Backup\bin\Loader.exe
"C:\Program Files (x86)\EaseUS\Todo Backup\bin\Loader.exe"
3⤵
- Executes dropped EXE
PID:3720

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2816

C:\Windows\system32\RunDll32.exe
RunDll32 catsrvut.dll,QueryUserDll "C:\Program Files (x86)\EaseUS\Todo Backup\bin\x64\VssEaseusProvider.dll" Global\{7F41F033-FC4B-42F9-ACD8-353B1EEED56A}
2⤵
- Loads dropped DLL
PID:3956

C:\Windows\system32\RunDll32.exe
RunDll32 catsrvut.dll,QueryUserDll "C:\Program Files (x86)\EaseUS\Todo Backup\bin\x64\VssEaseusProvider.dll" Global\{AB9B5EA7-0415-4815-A55C-3F5B11762296}
2⤵
- Registers COM server for autorun
- Loads dropped DLL
- Modifies registry class
PID:4468

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
PID:456

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:5008

C:\Program Files (x86)\EaseUS\ENS\ensserver.exe
"C:\Program Files (x86)\EaseUS\ENS\ensserver.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4176

C:\Program Files (x86)\EaseUS\ENS\AliyunWrapExe.Exe
"C:\Program Files (x86)\EaseUS\ENS\AliyunWrapExe.Exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4340

C:\Program Files (x86)\EaseUS\ENS\wpn-grant.exe
"C:\Program Files (x86)\EaseUS\ENS\wpn-grant.exe" -R -c .wpn.js
2⤵
- Executes dropped EXE
PID:1616

C:\Program Files (x86)\EaseUS\ENS\wpn.exe
"C:\Program Files (x86)\EaseUS\ENS\wpn.exe" -c .wpn.js -v -v -v -n test -S -e 364419530012 -K AAAAVNkYvRw:APA91bGpIYNsqC55ZWIoPrfoBz8eR8Dy9FllMFx1ZmgQitIPTlTSxX739tWae4obYfNuBYfJKVnVs1HSFM__JUwwB-4KWIyTZt1vElIWFL4l3n6NcAuhCHCH-ZYDE45CTH10dG-QB7HK
2⤵
- Executes dropped EXE
PID:1344

C:\Program Files (x86)\EaseUS\Todo Backup\bin\Agent.exe
"C:\Program Files (x86)\EaseUS\Todo Backup\bin\Agent.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:4844

C:\Program Files (x86)\EaseUS\Todo Backup\bin\TodoBackupService.exe
"C:\Program Files (x86)\EaseUS\Todo Backup\bin\TodoBackupService.exe"
2⤵
- Executes dropped EXE
PID:1580

C:\Program Files (x86)\EaseUS\Todo Backup\bin\TodoBackupEnumNetByFD_0.exe
"C:\Program Files (x86)\EaseUS\Todo Backup\bin\TodoBackupEnumNetByFD_0.exe"
2⤵
- Executes dropped EXE
PID:4072

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:2312

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:3728

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost
1⤵
PID:888

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5228

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\EaseUS\Todo Backup\bin\x64\DrvSetup.exe
Filesize
159KB

MD5
975869901bfde99b777165f231f50bd9

SHA1
6edfb68927427af43a73671011fbd2e513f4a5e3

SHA256
afa9bdf49d23e5352476f2d61916d2b1c2666af92974c18857f402359efcfe14

SHA512
312930bd0b6aadcbfc6b109b674bfa29a76cf51f40282a673efb7a6980db0bcb50f0d58b3cefe2fdccb97bd1381913fdb444465b5b9ac0bec64a809dcfea685e

Download Submit
C:\Program Files (x86)\EaseUS\Todo Backup\bin\x64\VssEaseusProvider.dll
Filesize
57KB

MD5
0f5654997d589aedbbea6104268cd85d

SHA1
21dacfec1812aebbe3584a6ee37965e32c4f0e81

SHA256
f6e91e3b66addbe15c4d1caac16a8c806b5a6db79f0318d924fc3871743e982d

SHA512
1ee966072c37a7cfda71248532635addf963759618740c04376d7437051c817300cb3efce45b3befde821c73d6ea347f3da4d3d5fdaa3782abefdb5211f64623

Download Submit
C:\Program Files (x86)\EaseUS\Todo Backup\bin\x64\VssEaseusProvider.dll
Filesize
57KB

MD5
0f5654997d589aedbbea6104268cd85d

SHA1
21dacfec1812aebbe3584a6ee37965e32c4f0e81

SHA256
f6e91e3b66addbe15c4d1caac16a8c806b5a6db79f0318d924fc3871743e982d

SHA512
1ee966072c37a7cfda71248532635addf963759618740c04376d7437051c817300cb3efce45b3befde821c73d6ea347f3da4d3d5fdaa3782abefdb5211f64623

Download Submit
C:\Program Files (x86)\EaseUS\Todo Backup\bin\x64\VssEaseusProvider.dll
Filesize
57KB

MD5
0f5654997d589aedbbea6104268cd85d

SHA1
21dacfec1812aebbe3584a6ee37965e32c4f0e81

SHA256
f6e91e3b66addbe15c4d1caac16a8c806b5a6db79f0318d924fc3871743e982d

SHA512
1ee966072c37a7cfda71248532635addf963759618740c04376d7437051c817300cb3efce45b3befde821c73d6ea347f3da4d3d5fdaa3782abefdb5211f64623

Download Submit
C:\Program Files (x86)\EaseUS\Todo Backup\bin\x64\VssEaseusProvider.dll
Filesize
57KB

MD5
0f5654997d589aedbbea6104268cd85d

SHA1
21dacfec1812aebbe3584a6ee37965e32c4f0e81

SHA256
f6e91e3b66addbe15c4d1caac16a8c806b5a6db79f0318d924fc3871743e982d

SHA512
1ee966072c37a7cfda71248532635addf963759618740c04376d7437051c817300cb3efce45b3befde821c73d6ea347f3da4d3d5fdaa3782abefdb5211f64623

Download Submit
C:\Program Files (x86)\EaseUS\Todo Backup\bin\x64\drvsetup.exe
Filesize
159KB

MD5
975869901bfde99b777165f231f50bd9

SHA1
6edfb68927427af43a73671011fbd2e513f4a5e3

SHA256
afa9bdf49d23e5352476f2d61916d2b1c2666af92974c18857f402359efcfe14

SHA512
312930bd0b6aadcbfc6b109b674bfa29a76cf51f40282a673efb7a6980db0bcb50f0d58b3cefe2fdccb97bd1381913fdb444465b5b9ac0bec64a809dcfea685e

Download Submit
C:\Program Files (x86)\EaseUS\Todo Backup\bin\x64\install-EaseUSprovider.cmd
Filesize
1KB

MD5
0a3d52f1a9ae473fa34f63a329b9ba4d

SHA1
cbcd0c3f0f09adaa8b358bee3eb39a7f3413384f

SHA256
1304f06bd1152413f1884d8d3943c71990786f2866637608b5af4efdf1f7e525

SHA512
3241d8988d74f1cbd741cce1e71f5ffa77dfe48d8ee75f3a61a16fd96e6f5f74ac5216c7b7d972bdbcd968b15ef632556d30f59071bec6c3d59d1019422531b3

Download Submit
C:\Program Files (x86)\EaseUS\Todo Backup\bin\x64\register_app.vbs
Filesize
12KB

MD5
f8522e8f3a35f684b4c67735d7b29f42

SHA1
d06e1a6d3a50ebed02e0d73db7e27356c3ccc1a5

SHA256
d9ad6a19df842e72502e7109de42ea47cdf2389e7b6c628f465a42fb6db04e73

SHA512
73cbc3b1b6bf62f5e7aeca794d5af6c375179b8c6d92ec42cab6ddde4bde6f9beefa2ffee5cab1ee1095a44121f81da6dbdf9e6a96f301523a8214156cd00d01

Download Submit
C:\Program Files (x86)\EaseUS\Todo Backup\bin\x64\uninstall-EaseUSprovider.cmd
Filesize
1KB

MD5
7334c2ac5c9a813ae7411641e51ef8c3

SHA1
fbb3568355ceeb2f3fda2a9d2fa2c80ca3c70508

SHA256
7d803d9872cb3de1337c67041cdb9a1056c5c6c28f8a9eeba631eb0572ab43f0

SHA512
6536f6c0912a4d03a6d89466252f936fc895d5e0c239e9b85315619d061f88816cf7652b444b6063a6023a6a327effabba85d472d4cd86b67f1ffac324bb2412

Download Submit
C:\Program Files (x86)\EaseUS\Todo Backup\drv\EUBKMON.sys
Filesize
54KB

MD5
13e03547b5a9059dfdcefb1c90be379b

SHA1
52a01540f10e55b6fcdb15e51f2d667c3ac8469f

SHA256
368a7aa6da76d3959f38a95c7c823cb9b1ae5004f10505243897b13b34944025

SHA512
2d8dc3371907973d4503e34fa9df61ee8b0cdb62c1631583bcde84c2dd9d26a1c51188e43289dabdc6bbb16bd2d6ffe054a60cc86624e1a5719b60e80a95ca3c

Download Submit
C:\Program Files (x86)\EaseUS\Todo Backup\drv\eubakup.sys
Filesize
74KB

MD5
2a7e4b4198a151f0649d4f4c748c53f2

SHA1
b42053731f94eb1093a7a5501217e44c0876517f

SHA256
9527cf04e1fc37118a4b1b84ae47f3cae69e4449a640cd4d92b6a4ea84985d8d

SHA512
079dd28a610837d9b7c7b26adcf9bd7eef5aa8f21a60c9302a01ef74022eb26986e963a32d9f9818d3c627f1f963d588abcd645d8c2c0a076f58cbf24d607e8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\TB_Free_easeus.exe
Filesize
134.9MB

MD5
25e05426bec38a85ddf2006e41e02564

SHA1
8eb2dbe994bb5709050682de9b1423217f5c8f4b

SHA256
291b20ced2e4f8cbb0f9712cabfa0c7b1e86fc45ed2ccbcfd96bbaca199b904d

SHA512
a27320a0d03811e789218654e3a4b8bb4ce5c0f2d93c7ff395392d73cbbb32ec20e80358b132eb6afcada3c233548784ad0870d9fa2d705aff26204605806bc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\TB_Free_easeus.exe
Filesize
134.9MB

MD5
25e05426bec38a85ddf2006e41e02564

SHA1
8eb2dbe994bb5709050682de9b1423217f5c8f4b

SHA256
291b20ced2e4f8cbb0f9712cabfa0c7b1e86fc45ed2ccbcfd96bbaca199b904d

SHA512
a27320a0d03811e789218654e3a4b8bb4ce5c0f2d93c7ff395392d73cbbb32ec20e80358b132eb6afcada3c233548784ad0870d9fa2d705aff26204605806bc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\3Free\EDownloader.exe
Filesize
1.2MB

MD5
5726bbd1935cb8a105f3a955894be0e0

SHA1
10c27ce58304997cc2cdede5218803204cfe3e31

SHA256
874da0b886f41905b7417977789f9947e3c02342061b5bde42bf28914663313f

SHA512
0bb3f82b2d9974f0d2836c724c7e2b1f75bca3cf1efcc683c3e43933456c20d9cf730c8d6e86065c4b78177a98bde03d96a1ed93122603a7fb84b5e247b50376

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\3Free\EDownloader.exe
Filesize
1.2MB

MD5
5726bbd1935cb8a105f3a955894be0e0

SHA1
10c27ce58304997cc2cdede5218803204cfe3e31

SHA256
874da0b886f41905b7417977789f9947e3c02342061b5bde42bf28914663313f

SHA512
0bb3f82b2d9974f0d2836c724c7e2b1f75bca3cf1efcc683c3e43933456c20d9cf730c8d6e86065c4b78177a98bde03d96a1ed93122603a7fb84b5e247b50376

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\3Free\German.ini
Filesize
4KB

MD5
11847d6ded619ef00fe65d073dca2395

SHA1
8584a41c8e07c5990b192f4028a4c6b4883a53d6

SHA256
432729df19211765091f56578437a3564667572430b36dff2bf48b28f15a0c06

SHA512
459c6cdc565d350a9158eb3f18636e390754be9408294af92a51a7380170bf4de31b17c768a17e7bf5c23e05066ec8ace9a25daaabb6c7f2adf47c942e4a133a

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\3Free\InitConfigure.ini
Filesize
5KB

MD5
a85f9acc64df19c2295a51eabe505ac5

SHA1
98df21d469964503e5484c588ca14b4be99a7e76

SHA256
211a2504c0cfe8e28bc32de9fc6065150e1d94b24573a96b43684cb0a1a6d258

SHA512
e10eb26f6167e1cb8299482f00f76bd3ac4f38d35197403f9a644789292bdcd6268710d7a3db0fc0b71e79598ad8af28d457fc94af205a280cce10bb07af715d

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\3Free\LanguageTransfor.ini
Filesize
261B

MD5
008516fb41014eee340ff4b4ab030cbc

SHA1
199b8bd1af5436f4cb7e86f590525121d43243ec

SHA256
80193c8d307d982cf45fbf62f0eee3b7ec5522deca8a027155875d610c63657c

SHA512
8033c2be1721b13a4785f817eaee76f4c39387751611d09641792935906dcf52bd6accded96bd12abcf2be067e3b8a7cccab5124ab709c41b120ef0440043c33

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\3Free\aliyun\AliyunConfig.ini
Filesize
1KB

MD5
0290af5f90a455782c42e5a2d63b5d92

SHA1
dbdef2cf097cbd330a2e1f4709b6031de1cd98b2

SHA256
f0626e90a803bfb7553f8fb31dbc71287c045d033020b31e74a107b4996c1cdf

SHA512
6d3aa0fae969b61233dcd9c77f7b0f209ccdf5822aa18aeaf15b9b3b810e8eb89a761ea23322472e0216a8d1a90bddcabba13a5ef74d76e3af3488e362ddc00a

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\3Free\aliyun\AliyunConfig.ini
Filesize
1KB

MD5
0290af5f90a455782c42e5a2d63b5d92

SHA1
dbdef2cf097cbd330a2e1f4709b6031de1cd98b2

SHA256
f0626e90a803bfb7553f8fb31dbc71287c045d033020b31e74a107b4996c1cdf

SHA512
6d3aa0fae969b61233dcd9c77f7b0f209ccdf5822aa18aeaf15b9b3b810e8eb89a761ea23322472e0216a8d1a90bddcabba13a5ef74d76e3af3488e362ddc00a

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\3Free\aliyun\AliyunWrap.DLL
Filesize
481KB

MD5
5725291441b2842592f14c3039450e1d

SHA1
4c3694fad2435dd58b7aa15233cded5f4eaa8146

SHA256
37bda4cb9b4bac24306a189e03437202488fc0e6bd4c460479df7e4c4ccab295

SHA512
853528cea71fa0570dfe4b9ab5c23960a1f083338808a1ecb6111627abb82f994af9f7bec43e05b9499f2587f060baca763409269c5f56b18d067b89ca9a727e

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\3Free\aliyun\AliyunWrap.dll
Filesize
481KB

MD5
5725291441b2842592f14c3039450e1d

SHA1
4c3694fad2435dd58b7aa15233cded5f4eaa8146

SHA256
37bda4cb9b4bac24306a189e03437202488fc0e6bd4c460479df7e4c4ccab295

SHA512
853528cea71fa0570dfe4b9ab5c23960a1f083338808a1ecb6111627abb82f994af9f7bec43e05b9499f2587f060baca763409269c5f56b18d067b89ca9a727e

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\3Free\aliyun\AliyunWrap.dll
Filesize
481KB

MD5
5725291441b2842592f14c3039450e1d

SHA1
4c3694fad2435dd58b7aa15233cded5f4eaa8146

SHA256
37bda4cb9b4bac24306a189e03437202488fc0e6bd4c460479df7e4c4ccab295

SHA512
853528cea71fa0570dfe4b9ab5c23960a1f083338808a1ecb6111627abb82f994af9f7bec43e05b9499f2587f060baca763409269c5f56b18d067b89ca9a727e

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\3Free\aliyun\AliyunWrap.dll
Filesize
481KB

MD5
5725291441b2842592f14c3039450e1d

SHA1
4c3694fad2435dd58b7aa15233cded5f4eaa8146

SHA256
37bda4cb9b4bac24306a189e03437202488fc0e6bd4c460479df7e4c4ccab295

SHA512
853528cea71fa0570dfe4b9ab5c23960a1f083338808a1ecb6111627abb82f994af9f7bec43e05b9499f2587f060baca763409269c5f56b18d067b89ca9a727e

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\3Free\aliyun\AliyunWrap.dll
Filesize
481KB

MD5
5725291441b2842592f14c3039450e1d

SHA1
4c3694fad2435dd58b7aa15233cded5f4eaa8146

SHA256
37bda4cb9b4bac24306a189e03437202488fc0e6bd4c460479df7e4c4ccab295

SHA512
853528cea71fa0570dfe4b9ab5c23960a1f083338808a1ecb6111627abb82f994af9f7bec43e05b9499f2587f060baca763409269c5f56b18d067b89ca9a727e

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\3Free\aliyun\AliyunWrap.dll
Filesize
481KB

MD5
5725291441b2842592f14c3039450e1d

SHA1
4c3694fad2435dd58b7aa15233cded5f4eaa8146

SHA256
37bda4cb9b4bac24306a189e03437202488fc0e6bd4c460479df7e4c4ccab295

SHA512
853528cea71fa0570dfe4b9ab5c23960a1f083338808a1ecb6111627abb82f994af9f7bec43e05b9499f2587f060baca763409269c5f56b18d067b89ca9a727e

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\3Free\aliyun\AliyunWrap.dll
Filesize
481KB

MD5
5725291441b2842592f14c3039450e1d

SHA1
4c3694fad2435dd58b7aa15233cded5f4eaa8146

SHA256
37bda4cb9b4bac24306a189e03437202488fc0e6bd4c460479df7e4c4ccab295

SHA512
853528cea71fa0570dfe4b9ab5c23960a1f083338808a1ecb6111627abb82f994af9f7bec43e05b9499f2587f060baca763409269c5f56b18d067b89ca9a727e

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\3Free\aliyun\AliyunWrap.dll
Filesize
481KB

MD5
5725291441b2842592f14c3039450e1d

SHA1
4c3694fad2435dd58b7aa15233cded5f4eaa8146

SHA256
37bda4cb9b4bac24306a189e03437202488fc0e6bd4c460479df7e4c4ccab295

SHA512
853528cea71fa0570dfe4b9ab5c23960a1f083338808a1ecb6111627abb82f994af9f7bec43e05b9499f2587f060baca763409269c5f56b18d067b89ca9a727e

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\3Free\aliyun\AliyunWrap.dll
Filesize
481KB

MD5
5725291441b2842592f14c3039450e1d

SHA1
4c3694fad2435dd58b7aa15233cded5f4eaa8146

SHA256
37bda4cb9b4bac24306a189e03437202488fc0e6bd4c460479df7e4c4ccab295

SHA512
853528cea71fa0570dfe4b9ab5c23960a1f083338808a1ecb6111627abb82f994af9f7bec43e05b9499f2587f060baca763409269c5f56b18d067b89ca9a727e

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\3Free\aliyun\AliyunWrap.dll
Filesize
481KB

MD5
5725291441b2842592f14c3039450e1d

SHA1
4c3694fad2435dd58b7aa15233cded5f4eaa8146

SHA256
37bda4cb9b4bac24306a189e03437202488fc0e6bd4c460479df7e4c4ccab295

SHA512
853528cea71fa0570dfe4b9ab5c23960a1f083338808a1ecb6111627abb82f994af9f7bec43e05b9499f2587f060baca763409269c5f56b18d067b89ca9a727e

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\3Free\aliyun\AliyunWrapExe.Exe
Filesize
106KB

MD5
674413dbbc708d32d53b386254eedb54

SHA1
281ef9b78e8a80dac4b4efe9d8d76ee4eeedc79c

SHA256
72371235cb364ab3891597f40a3f50bd64660a808979bd28bcf1c0e7154aa949

SHA512
34cd6e982c98d7d4cb763c9bbb20942a507fabc189f3fedd30433d2b79739189a3efbe81f4db465f9e401e3f01939bc8148b178679a0780fe1b000259fd947fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\3Free\aliyun\AliyunWrapExe.exe
Filesize
106KB

MD5
674413dbbc708d32d53b386254eedb54

SHA1
281ef9b78e8a80dac4b4efe9d8d76ee4eeedc79c

SHA256
72371235cb364ab3891597f40a3f50bd64660a808979bd28bcf1c0e7154aa949

SHA512
34cd6e982c98d7d4cb763c9bbb20942a507fabc189f3fedd30433d2b79739189a3efbe81f4db465f9e401e3f01939bc8148b178679a0780fe1b000259fd947fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\3Free\aliyun\DataFile.ini
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\3Free\aliyun\DataFile.ini
Filesize
2KB

MD5
826553bdaa9db28ec9e2c487963402be

SHA1
3a00da0a0777e5c57af8d60b2d1ab72018f50a50

SHA256
7abc72032f97fbb9bbe6a844c8538a369fcad8b2809c69f38443a28eef77a956

SHA512
396f2a7158d0ca9da10948e822a19bb8a9827602fbc8e83fb0e4a6ef24106b1b1ae731aef82287b9c40ce9e02eee338ecd6bf2eec02b7073f3ef1efe63f5bd6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\3Free\aliyun\DataFile.ini
Filesize
3KB

MD5
ffbeae274aa030a6c98e9fe6df699f07

SHA1
7ec5ef08fe300364cc78d50983b92afbc31a5797

SHA256
5bc71941cb6f836a58f2eca763582768c703cc8b30a63dad71477d77fcd7c983

SHA512
5c6e0bc0ccfb0576d9408174fb5cc6ece97f21c5dd6e55c6198db36330be75a9874b3f44fe5fcf4eb39cdc8f0d2bf6749c5561de26beb8e2f2a5f4a1a8264dae

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\3Free\aliyun\DataFile.ini
Filesize
784B

MD5
61f0042ba92fe2ee13141dd5485c742f

SHA1
bb2e92bd253898fc46529f4d3263345ec948c5af

SHA256
0c6590842c60dece8c6b6d48094f2d08310d92b8212364de77aefa1182b4e43b

SHA512
6a19d1372340b69d95039c7a67776c501f37f39cefdef3c10c5a0ee5cb75fa3796e9456659fe6582e5106804dd75dcb736af1a273cb4ef237fe7a6c765ccfe33

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\3Free\aliyun\DataFile.ini
Filesize
784B

MD5
61f0042ba92fe2ee13141dd5485c742f

SHA1
bb2e92bd253898fc46529f4d3263345ec948c5af

SHA256
0c6590842c60dece8c6b6d48094f2d08310d92b8212364de77aefa1182b4e43b

SHA512
6a19d1372340b69d95039c7a67776c501f37f39cefdef3c10c5a0ee5cb75fa3796e9456659fe6582e5106804dd75dcb736af1a273cb4ef237fe7a6c765ccfe33

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\3Free\aliyun\DataFile.ini
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\3Free\aliyun\DataFile.ini
Filesize
752B

MD5
a6be5f8ccebd209e13ebbe54fb29eb25

SHA1
e6e821cf8b332a657ff02b25b2432eb0a4b614e4

SHA256
f092200ef7bd499080bffcb679126adf0e40df621e69508662ce7514ff5267b1

SHA512
34ca188e14cbde0da6dc87986b1a783366c0e630ae7849d9d509f2ad419052c799ffec7b17faa1f508e27c5d841e5e86bcba324b55a8916acd3105da3c35405c

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\3Free\aliyun\DataFile.ini
Filesize
752B

MD5
a6be5f8ccebd209e13ebbe54fb29eb25

SHA1
e6e821cf8b332a657ff02b25b2432eb0a4b614e4

SHA256
f092200ef7bd499080bffcb679126adf0e40df621e69508662ce7514ff5267b1

SHA512
34ca188e14cbde0da6dc87986b1a783366c0e630ae7849d9d509f2ad419052c799ffec7b17faa1f508e27c5d841e5e86bcba324b55a8916acd3105da3c35405c

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\3Free\aliyun\DataFile.ini
Filesize
382B

MD5
36c196ca1d3dfb0c3613495f469b9ab0

SHA1
802a4d42f475e38dce9204b583ad5fd1e213e2a2

SHA256
d84f81420f1f20bcea373529756e5bfcaa180d8b12af019086508abea6a42d36

SHA512
93f972609bf68fe168ac398812b5c0537ca0f789bab52d188e810442e0818d27af69b91cd942df4afbe492bc5480b1fb515697a6e2900bf9f1f658a4209b7ba5

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\3Free\aliyun\DataFile.ini
Filesize
382B

MD5
36c196ca1d3dfb0c3613495f469b9ab0

SHA1
802a4d42f475e38dce9204b583ad5fd1e213e2a2

SHA256
d84f81420f1f20bcea373529756e5bfcaa180d8b12af019086508abea6a42d36

SHA512
93f972609bf68fe168ac398812b5c0537ca0f789bab52d188e810442e0818d27af69b91cd942df4afbe492bc5480b1fb515697a6e2900bf9f1f658a4209b7ba5

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\3Free\aliyun\InfoForSetup.exe
Filesize
65KB

MD5
63c4d4021b71947a29db6c5e99678d4a

SHA1
4d24026a82d98240221077dd72f3cc169c0597e5

SHA256
33c5f40b242955b96710a9e54a109b083d014e9d061ce5ac2875aba20c0acab7

SHA512
5cf5c481126fdb422614251dc4ed4052e36fc779226c5a233637f40f55d774d130b66342df47479e368b64f65b2a3eda6f62140e9413eb8540723043ac0f693b

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\3Free\aliyun\InfoForSetup.exe
Filesize
65KB

MD5
63c4d4021b71947a29db6c5e99678d4a

SHA1
4d24026a82d98240221077dd72f3cc169c0597e5

SHA256
33c5f40b242955b96710a9e54a109b083d014e9d061ce5ac2875aba20c0acab7

SHA512
5cf5c481126fdb422614251dc4ed4052e36fc779226c5a233637f40f55d774d130b66342df47479e368b64f65b2a3eda6f62140e9413eb8540723043ac0f693b

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\3Free\aliyun\InfoForSetup.exe
Filesize
65KB

MD5
63c4d4021b71947a29db6c5e99678d4a

SHA1
4d24026a82d98240221077dd72f3cc169c0597e5

SHA256
33c5f40b242955b96710a9e54a109b083d014e9d061ce5ac2875aba20c0acab7

SHA512
5cf5c481126fdb422614251dc4ed4052e36fc779226c5a233637f40f55d774d130b66342df47479e368b64f65b2a3eda6f62140e9413eb8540723043ac0f693b

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\3Free\aliyun\InfoForSetup.exe
Filesize
65KB

MD5
63c4d4021b71947a29db6c5e99678d4a

SHA1
4d24026a82d98240221077dd72f3cc169c0597e5

SHA256
33c5f40b242955b96710a9e54a109b083d014e9d061ce5ac2875aba20c0acab7

SHA512
5cf5c481126fdb422614251dc4ed4052e36fc779226c5a233637f40f55d774d130b66342df47479e368b64f65b2a3eda6f62140e9413eb8540723043ac0f693b

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\3Free\aliyun\InfoForSetup.exe
Filesize
65KB

MD5
63c4d4021b71947a29db6c5e99678d4a

SHA1
4d24026a82d98240221077dd72f3cc169c0597e5

SHA256
33c5f40b242955b96710a9e54a109b083d014e9d061ce5ac2875aba20c0acab7

SHA512
5cf5c481126fdb422614251dc4ed4052e36fc779226c5a233637f40f55d774d130b66342df47479e368b64f65b2a3eda6f62140e9413eb8540723043ac0f693b

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\3Free\aliyun\InfoForSetup.exe
Filesize
65KB

MD5
63c4d4021b71947a29db6c5e99678d4a

SHA1
4d24026a82d98240221077dd72f3cc169c0597e5

SHA256
33c5f40b242955b96710a9e54a109b083d014e9d061ce5ac2875aba20c0acab7

SHA512
5cf5c481126fdb422614251dc4ed4052e36fc779226c5a233637f40f55d774d130b66342df47479e368b64f65b2a3eda6f62140e9413eb8540723043ac0f693b

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\3Free\aliyun\InfoForSetup.exe
Filesize
65KB

MD5
63c4d4021b71947a29db6c5e99678d4a

SHA1
4d24026a82d98240221077dd72f3cc169c0597e5

SHA256
33c5f40b242955b96710a9e54a109b083d014e9d061ce5ac2875aba20c0acab7

SHA512
5cf5c481126fdb422614251dc4ed4052e36fc779226c5a233637f40f55d774d130b66342df47479e368b64f65b2a3eda6f62140e9413eb8540723043ac0f693b

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\3Free\aliyun\InfoForSetup.exe
Filesize
65KB

MD5
63c4d4021b71947a29db6c5e99678d4a

SHA1
4d24026a82d98240221077dd72f3cc169c0597e5

SHA256
33c5f40b242955b96710a9e54a109b083d014e9d061ce5ac2875aba20c0acab7

SHA512
5cf5c481126fdb422614251dc4ed4052e36fc779226c5a233637f40f55d774d130b66342df47479e368b64f65b2a3eda6f62140e9413eb8540723043ac0f693b

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\3Free\aliyun\InfoForSetup.exe
Filesize
65KB

MD5
63c4d4021b71947a29db6c5e99678d4a

SHA1
4d24026a82d98240221077dd72f3cc169c0597e5

SHA256
33c5f40b242955b96710a9e54a109b083d014e9d061ce5ac2875aba20c0acab7

SHA512
5cf5c481126fdb422614251dc4ed4052e36fc779226c5a233637f40f55d774d130b66342df47479e368b64f65b2a3eda6f62140e9413eb8540723043ac0f693b

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\3Free\downloader.ico
Filesize
61KB

MD5
894ba3dde651d465dba83d1d1ea8c47f

SHA1
37b4d2077e76509ab57c278fee11b91ce1b85d56

SHA256
7c027c7444f9c584f9a382b3b20d1357e4b91b4018d9c723e6cf170b35ca08bb

SHA512
ccccbd75fb8f06924b7f6ba79d6f26825565248d1be19e8b358347200607d586481afaf06ba7575bab42840f288157118175daa299d192fab1a706ec0d55382e

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\1.0.0\3Free\skin.zip
Filesize
263KB

MD5
34edebb901521c0846afa3161eee0e3a

SHA1
b5a64e5156210a0c48d8344af66f96375e6bcdc4

SHA256
6dac590f0af6f01144450ca7bebd72daabe80357b690bbe89027c0f0ef50b762

SHA512
6d53a87f0d1e48fb4b8c1dcb80bfc8ce6ea11277f0daa69d99680bffe2c8548248ed069edfce6455edfddab3f607b3ff2df83f0a427b42ae9c710dd30a3e4e9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-928U4.tmp\TB_Free_easeus.tmp
Filesize
1.2MB

MD5
5ad4c56594b1b8bfae7f3690ad4dd5e5

SHA1
1d08f1e466d1bb88a8089d9e7639e5642a435dc3

SHA256
c99ae918fd53eb16fd35a287a50cb2f7c90261a36bc43cbb6208709b041e5afa

SHA512
e4b3e57ed24ee2d7ded7aaea780d9e55a3a3509cd4bf1b245eab174e1aaa8d6caf7f65488762d16ff8a6ab7ff2a5c3cc12c139dbd9c6d3a9f1bd398184c3f972

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-928U4.tmp\TB_Free_easeus.tmp
Filesize
1.2MB

MD5
5ad4c56594b1b8bfae7f3690ad4dd5e5

SHA1
1d08f1e466d1bb88a8089d9e7639e5642a435dc3

SHA256
c99ae918fd53eb16fd35a287a50cb2f7c90261a36bc43cbb6208709b041e5afa

SHA512
e4b3e57ed24ee2d7ded7aaea780d9e55a3a3509cd4bf1b245eab174e1aaa8d6caf7f65488762d16ff8a6ab7ff2a5c3cc12c139dbd9c6d3a9f1bd398184c3f972

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JSRFT.tmp\EaseUSToolDll.dll
Filesize
176KB

MD5
0fa76102cbf2851dd6d800fd2128b27d

SHA1
1afb5e7fa59d1278d8e6a51ad313a4d91808f6c6

SHA256
2c7cc5b60004ee1b8d7149258075d57c6f94cf975e389dc75c4e7b9f26d7f275

SHA512
bf638f79be74491bd88af89b1b0a576b5c72601fd40bcb4ce80e8d60ec83643f22461afeedda1f34e786aa90ee649215a92231cd750b7a91fe2a873c553065e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JSRFT.tmp\EuActiveOnline.dll
Filesize
709KB

MD5
267e481409cc30ce00dd2b2005691f25

SHA1
40392ba911435f932d16fa7c35a84d4905a4cf86

SHA256
cdcc8601a11538e7f899e331e34a6776d87ba5ff7d0a3ac1aeb0ec4fe7f679f8

SHA512
f3a4cdc6d1bcde4c12d56a9ffaeba01c26a319f9b59791aa5ca11ece38ed883d3ef8848ea6c4d6423b05de267e13a43a4f9277d05f98000ba49af317a82a8f48

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JSRFT.tmp\EuDriverMgr.dll
Filesize
44KB

MD5
6e297a777803b40950840962941fa6c4

SHA1
0c6ee5e17bd7783b0db57a63caafbec23996da61

SHA256
bdd52a12dbe5ed2e0412a13bf87aa4662d677309cf35acba028ef1d397cc722a

SHA512
8983bec16143bb5a988e35565808cc4a02f004e7a57b1b63a0a847b44b2b5c1f6aa3e7d777c37ca2d092e1ac0994c57499f29c38c7eb70b7c1fb5207126d85e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JSRFT.tmp\TBFirewall.dll
Filesize
92KB

MD5
d7aec9e6d2995b87c2877eb103e2af1b

SHA1
da6d1d9ef1ff5fe28a2ffd14e6fe0fa774b205e9

SHA256
ad4b43517f56c014c0cd5e669cc53ca3c335cfe3102a041f9a0f332878492600

SHA512
9d770be88b40f599ed350ed7865b18009ce5506470fef29f989490cb835509a8948e7ddbd8f09549ed6c201c39a9bfff117d8e544fd469a6c3de74ba3bda017c

Download Submit
C:\Windows\Registration\R000000000002.clb
Filesize
22KB

MD5
5635c38eff0e9e9a2110f767b5b02f4f

SHA1
1524151244b967114c3357ba1d689c2046e9b274

SHA256
50f7b780d3274bc6f4c2381023f3b94c4d04ee2d3df2e6358b5dbac36c4b7b24

SHA512
e345bd137d6ebd3d2ae81d73d458d2067cf94cbd33c2aa99a0fefbcd0175567bad9db2d684b0e7abf78c1684e34b493abe9596f953383e086237a2d31bdc2884

Download Submit
C:\Windows\Registration\R000000000003.clb
Filesize
22KB

MD5
8b9c78449cc936fd4eaff9613b1b3b73

SHA1
dc71f88df4f260dc94095487bd33cd6fd3d8e833

SHA256
17400cb7d98fd3193bcae9d50f788289d4707ff46aa7c5480071f484091d6e51

SHA512
882f837456d69e97d3c43f76117714476edc7d2afcfc019ee2706ee57785a4a2649d3aac2021c66143b234aeb0271e069ad499a9bc00f53ee4ed2bf0ac96f5cd

Download Submit
C:\Windows\Registration\R000000000004.clb
Filesize
23KB

MD5
bcb3d18023858258cd74a1c3081d6d8e

SHA1
58bb1be99afb2c06bf65c9820ee0325b6528ead8

SHA256
d7f04cba733042405a474b57179d690a9d25764aa5cc675a96490001615013ad

SHA512
e02076fa963be22bb7338516c85ee84be1291b625ad334975071e08729a068f9f294917cf77863772f89f860cb3259217b3a5a587def043dab5154a970ef6b7a

Download Submit
C:\Windows\Registration\R000000000005.clb
Filesize
23KB

MD5
9229f824750553bc42b08210e422af92

SHA1
3a4c8bb1f8168e6df2095a1050c871713337e875

SHA256
572c2db474b1088c84be5da494cc6b415394874242d85956ce61893e8a437ef2

SHA512
5e696df4fdcc227c924fe848bc6e30506c98d0559cfba31ceec19df7849d13e9e43d5f7c2c5a6ba47175e7fc18340c8f811f59456bcb559dd7d446637ab65576

Download Submit
C:\Windows\Registration\R000000000006.clb
Filesize
23KB

MD5
adc530af4f28ddf5e307dae8fcc56863

SHA1
fcb2bef5eff013a221b2a20c4b05e1834cc587ad

SHA256
2c828c6dc41689bdfdc1c17a14f18f47c9624f80c827144fca398ea03118f884

SHA512
819dea7a2b47cbf002cd4bafc2e9152def37c141ef4c31bec879e8e84647166efa2d7e77efa7a20a7b89bfef12c446ace7b60aec76f9ca76d6eabd8f8919f8d0

Download Submit
memory/112-222-0x0000000000000000-mapping.dmp

Download
memory/112-248-0x0000000000000000-mapping.dmp

Download
memory/224-221-0x0000000000000000-mapping.dmp

Download
memory/224-165-0x0000000000000000-mapping.dmp

Download
memory/332-239-0x00000000057A0000-0x000000000587A000-memory.dmp

Filesize
872KB

Download
memory/332-240-0x0000000005880000-0x0000000005892000-memory.dmp

Filesize
72KB

Download
memory/332-241-0x0000000002CB0000-0x0000000002CC0000-memory.dmp

Filesize
64KB

Download
memory/332-237-0x0000000000000000-mapping.dmp

Download
memory/408-260-0x0000000000000000-mapping.dmp

Download
memory/1188-132-0x0000000000000000-mapping.dmp

Download
memory/1344-250-0x0000000000000000-mapping.dmp

Download
memory/1376-200-0x0000000000000000-mapping.dmp

Download
memory/1384-249-0x0000000000000000-mapping.dmp

Download
memory/1580-252-0x00000000029E0000-0x00000000029F2000-memory.dmp

Filesize
72KB

Download
memory/1580-251-0x0000000000000000-mapping.dmp

Download
memory/1616-201-0x0000000000000000-mapping.dmp

Download
memory/1616-238-0x0000000000000000-mapping.dmp

Download
memory/1708-246-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1708-193-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1708-182-0x0000000000000000-mapping.dmp

Download
memory/1708-184-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1800-207-0x0000000000000000-mapping.dmp

Download
memory/1856-242-0x0000000000000000-mapping.dmp

Download
memory/1892-254-0x0000000000000000-mapping.dmp

Download
memory/2384-159-0x0000000000000000-mapping.dmp

Download
memory/2528-187-0x0000000000000000-mapping.dmp

Download
memory/2640-203-0x0000000000000000-mapping.dmp

Download
memory/2644-243-0x0000000000000000-mapping.dmp

Download
memory/2664-199-0x0000000000000000-mapping.dmp

Download
memory/2932-177-0x0000000000000000-mapping.dmp

Download
memory/3116-255-0x0000000000000000-mapping.dmp

Download
memory/3360-145-0x0000000000000000-mapping.dmp

Download
memory/3368-231-0x0000000000000000-mapping.dmp

Download
memory/3384-163-0x0000000000000000-mapping.dmp

Download
memory/3384-220-0x0000000000000000-mapping.dmp

Download
memory/3412-138-0x0000000000000000-mapping.dmp

Download
memory/3516-224-0x0000000000000000-mapping.dmp

Download
memory/3588-172-0x0000000000000000-mapping.dmp

Download
memory/3640-198-0x0000000000000000-mapping.dmp

Download
memory/3720-257-0x0000000000000000-mapping.dmp

Download
memory/3772-236-0x0000000000000000-mapping.dmp

Download
memory/3872-202-0x0000000000000000-mapping.dmp

Download
memory/3952-230-0x0000000000000000-mapping.dmp

Download
memory/3956-245-0x0000000000000000-mapping.dmp

Download
memory/3956-213-0x0000000000000000-mapping.dmp

Download
memory/4064-259-0x0000000000000000-mapping.dmp

Download
memory/4072-253-0x0000000000000000-mapping.dmp

Download
memory/4152-204-0x0000000000000000-mapping.dmp

Download
memory/4340-233-0x0000000000000000-mapping.dmp

Download
memory/4436-234-0x0000000000000000-mapping.dmp

Download
memory/4468-215-0x0000000000000000-mapping.dmp

Download
memory/4472-232-0x0000000000000000-mapping.dmp

Download
memory/4504-210-0x0000000000000000-mapping.dmp

Download
memory/4504-154-0x0000000000000000-mapping.dmp

Download
memory/4568-247-0x0000000000000000-mapping.dmp

Download
memory/4616-205-0x0000000000000000-mapping.dmp

Download
memory/4816-195-0x0000000000000000-mapping.dmp

Download
memory/4836-229-0x0000000000000000-mapping.dmp

Download
memory/4844-235-0x0000000001A70000-0x0000000001A82000-memory.dmp

Filesize
72KB

Download
memory/4876-223-0x0000000000000000-mapping.dmp

Download
memory/4956-256-0x0000000000000000-mapping.dmp

Download
memory/4960-150-0x0000000000000000-mapping.dmp

Download
memory/5032-244-0x0000000000000000-mapping.dmp

Download
memory/5156-262-0x0000000000000000-mapping.dmp

Download
memory/5340-264-0x0000000000000000-mapping.dmp

Download
memory/5360-266-0x0000000000000000-mapping.dmp

Download
memory/5528-268-0x0000000000000000-mapping.dmp

Download
memory/5664-270-0x0000000000000000-mapping.dmp

Download
memory/5812-272-0x0000000000000000-mapping.dmp

Download
memory/5996-274-0x0000000000000000-mapping.dmp

Download
memory/6056-276-0x0000000000000000-mapping.dmp

Download
memory/6072-278-0x0000000000000000-mapping.dmp

Download