risepro | fa303eadc3cce05e0c0758c95d58e37be1ce42218f2a34392cd68eeff8ff487e

Analysis

max time kernel
136s
max time network
136s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
24/06/2024, 22:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

screen_recorder_install_20240620.1-981596.exe
Size

1.3MB
MD5

423b7c6c49a6a71c2e5de8bb30d82a80
SHA1

a8068703372ae00821df45d3d1e83528d5b75530
SHA256

fa303eadc3cce05e0c0758c95d58e37be1ce42218f2a34392cd68eeff8ff487e
SHA512

d313f7546096291a67235fea8bda15521c3d31663680eb2ceeb6d61d77ca48ec089444f3681cb2de00dce3ea1255d82e55829f124f9df890e41378ea9641e031
SSDEEP

24576:lAAbeg/aRWe00Sc72z5ZexkXjoePAL6be7cpzUQP2zk+QLgumxo/hTjPppgepa/G:y00Sec5Z1oePUFsg+U2/hxpPa/NY

Score

10^/10

risepro discovery execution stealer

Malware Config

Signatures

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1104	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DRIVERS\UMDF\SET1536.tmp	DrvInst.exe
File created	C:\Windows\system32\DRIVERS\UMDF\SET1536.tmp	DrvInst.exe
File opened for modification	C:\Windows\system32\DRIVERS\UMDF\VirtualMonitor.dll	DrvInst.exe

Downloads MZ/PE file

Drops file in System32 directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\virtualmonitor.inf_amd64_neutral_2a6b16adf0f8c674\virtualmonitor.PNF	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{28ee0e8d-cbb8-40cc-e408-86696c9e2404}\SETD105.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{28ee0e8d-cbb8-40cc-e408-86696c9e2404}\VirtualMonitor.cat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{28ee0e8d-cbb8-40cc-e408-86696c9e2404}\SETD106.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{28ee0e8d-cbb8-40cc-e408-86696c9e2404}\VirtualMonitor.dll	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{28ee0e8d-cbb8-40cc-e408-86696c9e2404}\SETD105.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{28ee0e8d-cbb8-40cc-e408-86696c9e2404}\SETD107.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{28ee0e8d-cbb8-40cc-e408-86696c9e2404}\virtualmonitor.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infpub.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infpub.dat	devcon.exe
File opened for modification	C:\Windows\System32\DriverStore\infstrng.dat	devcon.exe
File opened for modification	C:\Windows\System32\DriverStore\infpub.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstrng.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{28ee0e8d-cbb8-40cc-e408-86696c9e2404}\SETD106.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{28ee0e8d-cbb8-40cc-e408-86696c9e2404}\SETD107.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\INFCACHE.0	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	devcon.exe
File opened for modification	C:\Windows\System32\DriverStore\infstrng.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstor.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\virtualmonitor.inf_amd64_neutral_2a6b16adf0f8c674\virtualmonitor.PNF	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{28ee0e8d-cbb8-40cc-e408-86696c9e2404}	DrvInst.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\EaseUS\RecExperts\res\is-O2M5B.tmp	ere_free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\RecExperts\res\normal\is-HR4KO.tmp	ere_free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\RecExperts\res\normal\is-UT327.tmp	ere_free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\RecExperts\res\player\is-5JA87.tmp	ere_free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\RecExperts\res\player\is-L1MCS.tmp	ere_free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\RecExperts\bin\QtQuick\Controls.2\is-UVV6R.tmp	ere_free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\RecExperts\bin\is-OJ7PJ.tmp	ere_free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\RecExperts\bin\QtQuick\Controls.2\is-BNOV1.tmp	ere_free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\RecExperts\bin\QtQuick\Controls.2\Universal\is-5LEIR.tmp	ere_free_easeus.tmp
File opened for modification	C:\Program Files (x86)\EaseUS\RecExperts\bin\DataFile.ini	InfoForSetup.exe
File created	C:\Program Files (x86)\EaseUS\RecExperts\res\is-DFQ5F.tmp	ere_free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\RecExperts\res\is-IB60D.tmp	ere_free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\RecExperts\res\is-E2P6N.tmp	ere_free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\RecExperts\res\player\is-CRG9G.tmp	ere_free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\RecExperts\res\player\is-9VQSL.tmp	ere_free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\RecExperts\bin\QtQuick\Controls.2\is-JPN0M.tmp	ere_free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\RecExperts\bin\QtQuick\Controls.2\Fusion\is-PR27V.tmp	ere_free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\RecExperts\bin\QtQuick\Controls.2\Material\is-J18F5.tmp	ere_free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\RecExperts\res\is-JQ90T.tmp	ere_free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\RecExperts\res\is-O1S10.tmp	ere_free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\RecExperts\res\player\is-CBQ5I.tmp	ere_free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\RecExperts\res\player\is-PTJ07.tmp	ere_free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\RecExperts\bin\QtQuick\Controls.2\Universal\is-LQF0J.tmp	ere_free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\RecExperts\bin\QtQuick\Extras\is-GEAN1.tmp	ere_free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\RecExperts\res\is-13HOV.tmp	ere_free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\RecExperts\res\player\is-LA8QL.tmp	ere_free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\RecExperts\bin\QtQuick\Dialogs\is-15QRP.tmp	ere_free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\RecExperts\res\is-OCHKM.tmp	ere_free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\RecExperts\res\multiple\qt\is-LEEF9.tmp	ere_free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\RecExperts\res\normal\is-ML7LB.tmp	ere_free_easeus.tmp
File opened for modification	C:\Program Files (x86)\EaseUS\RecExperts\bin\avfilter-7.dll	ere_free_easeus.tmp
File opened for modification	C:\Program Files (x86)\EaseUS\RecExperts\bin\EreDownload.exe	ere_free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\RecExperts\res\is-CG5C3.tmp	ere_free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\RecExperts\res\loading\is-MGR2B.tmp	ere_free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\RecExperts\res\multiple\qt\is-H5TFF.tmp	ere_free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\RecExperts\res\normal\Enhanced\is-BDA9B.tmp	ere_free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\RecExperts\res\normal\Navigation\is-R5AF5.tmp	ere_free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\RecExperts\bin\QtQuick\Controls\is-2GR2V.tmp	ere_free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\RecExperts\bin\QtQuick\Controls.2\is-KRJDB.tmp	ere_free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\RecExperts\res\is-CL4O1.tmp	ere_free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\RecExperts\res\normal\is-M2HPD.tmp	ere_free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\RecExperts\res\tray\is-PJLAN.tmp	ere_free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\RecExperts\bin\QtMultimedia\is-P6F6R.tmp	ere_free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\RecExperts\bin\QtQuick\Controls\is-4BH4M.tmp	ere_free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\RecExperts\bin\is-GSE82.tmp	ere_free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\RecExperts\bin\is-O9EKP.tmp	ere_free_easeus.tmp
File opened for modification	C:\Program Files (x86)\EaseUS\RecExperts\bin\Qt5WebChannel.dll	ere_free_easeus.tmp
File opened for modification	C:\Program Files (x86)\EaseUS\RecExperts\bin\mfc90u.dll	ere_free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\RecExperts\res\normal\Navigation\is-CQHPS.tmp	ere_free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\RecExperts\res\player\is-S3K0J.tmp	ere_free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\RecExperts\res\player\is-Q9M2V.tmp	ere_free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\RecExperts\res\player\is-JEVNF.tmp	ere_free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\RecExperts\bin\QtQuick\Controls\Styles\Desktop\is-84LS5.tmp	ere_free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\RecExperts\bin\QtQuick\Controls.2\Fusion\is-993P8.tmp	ere_free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\RecExperts\bin\QtQuick\Controls.2\Fusion\is-BF8N5.tmp	ere_free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\RecExperts\InnerBuy\res\images\is-I1PGM.tmp	ere_free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\RecExperts\res\is-5KAVC.tmp	ere_free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\RecExperts\res\is-M7B7J.tmp	ere_free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\RecExperts\res\multiple\qt\is-PGAJE.tmp	ere_free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\RecExperts\res\normal\RecordingSeting\is-U85M3.tmp	ere_free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\RecExperts\bin\QtQuick\Controls\Private\is-VIONI.tmp	ere_free_easeus.tmp
File opened for modification	C:\Program Files (x86)\EaseUS\RecExperts\bin\DataFile.ini	InfoForSetup.exe
File created	C:\Program Files (x86)\EaseUS\RecExperts\res\is-CTT3G.tmp	ere_free_easeus.tmp
File created	C:\Program Files (x86)\EaseUS\RecExperts\res\is-D2RA4.tmp	ere_free_easeus.tmp

Drops file in Windows directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.app.log	devcon.exe
File opened for modification	C:\Windows\INF\oem2.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File created	C:\Windows\INF\oem2.PNF	DrvInst.exe
File opened for modification	C:\Windows\setupact.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev2	DrvInst.exe
File opened for modification	C:\Windows\setupact.log	devcon.exe
File opened for modification	C:\Windows\setuperr.log	devcon.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	devcon.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\INF\oem2.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\setuperr.log	DrvInst.exe

Executes dropped EXE 47 IoCs

pid	Process
2580	EDownloader.exe
2972	InfoForSetup.exe
2700	InfoForSetup.exe
2760	AliyunWrapExe.Exe
1964	InfoForSetup.exe
2404	InfoForSetup.exe
2432	InfoForSetup.exe
2336	InfoForSetup.exe
1916	InfoForSetup.exe
780	ere_free_easeus.exe
540	ere_free_easeus.tmp
3024	EUinApp.exe
3004	TaskSchedulerWeb.exe
2504	VirtualMonitorClient.exe
2720	devcon.exe
828	SetupUE.exe
1800	InfoForSetup.exe
1528	InfoForSetup.exe
1760	InfoForSetup.exe
1316	RecExperts.exe
1752	InfoForSetup.exe
2064	AliyunWrapExe.Exe
2304	InfoForSetup.exe
1272	EreDownload.exe
1892	InfoForSetup.exe
1356	EuDownload.exe
284	InfoForSetup.exe
2112	InfoForSetup.exe
1640	FfmpegProbe.exe
1300	InfoForSetup.exe
5648	InfoForSetup.exe
5996	InfoForSetup.exe
6016	InfoForSetup.exe
6004	InfoForSetup.exe
1848	EreDownload.exe
2952	InfoForSetup.exe
3304	InfoForSetup.exe
3932	InfoForSetup.exe
4168	InfoForSetup.exe
2536	InfoForSetup.exe
4616	InfoForSetup.exe
4816	InfoForSetup.exe
2392	InfoForSetup.exe
1424	InfoForSetup.exe
5428	InfoForSetup.exe
5704	InfoForSetup.exe
5692	erepost.exe

Loads dropped DLL 64 IoCs

pid	Process
2240	screen_recorder_install_20240620.1-981596.exe
2580	EDownloader.exe
2972	InfoForSetup.exe
2580	EDownloader.exe
2700	InfoForSetup.exe
2700	InfoForSetup.exe
2760	AliyunWrapExe.Exe
2580	EDownloader.exe
1964	InfoForSetup.exe
2580	EDownloader.exe
2580	EDownloader.exe
2432	InfoForSetup.exe
2404	InfoForSetup.exe
2580	EDownloader.exe
2336	InfoForSetup.exe
2580	EDownloader.exe
1916	InfoForSetup.exe
2580	EDownloader.exe
780	ere_free_easeus.exe
540	ere_free_easeus.tmp
540	ere_free_easeus.tmp
540	ere_free_easeus.tmp
540	ere_free_easeus.tmp
3004	TaskSchedulerWeb.exe
3004	TaskSchedulerWeb.exe
3004	TaskSchedulerWeb.exe
3004	TaskSchedulerWeb.exe
3004	TaskSchedulerWeb.exe
3004	TaskSchedulerWeb.exe
3004	TaskSchedulerWeb.exe
3004	TaskSchedulerWeb.exe
3004	TaskSchedulerWeb.exe
3004	TaskSchedulerWeb.exe
3004	TaskSchedulerWeb.exe
3004	TaskSchedulerWeb.exe
3004	TaskSchedulerWeb.exe
3004	TaskSchedulerWeb.exe
3004	TaskSchedulerWeb.exe
3004	TaskSchedulerWeb.exe
3004	TaskSchedulerWeb.exe
3004	TaskSchedulerWeb.exe
3004	TaskSchedulerWeb.exe
3004	TaskSchedulerWeb.exe
3004	TaskSchedulerWeb.exe
540	ere_free_easeus.tmp
2504	VirtualMonitorClient.exe
2504	VirtualMonitorClient.exe
2504	VirtualMonitorClient.exe
2504	VirtualMonitorClient.exe
2504	VirtualMonitorClient.exe
2504	VirtualMonitorClient.exe
2504	VirtualMonitorClient.exe
2504	VirtualMonitorClient.exe
2504	VirtualMonitorClient.exe
2504	VirtualMonitorClient.exe
2504	VirtualMonitorClient.exe
2504	VirtualMonitorClient.exe
2504	VirtualMonitorClient.exe
2504	VirtualMonitorClient.exe
2504	VirtualMonitorClient.exe
2504	VirtualMonitorClient.exe
2504	VirtualMonitorClient.exe
2504	VirtualMonitorClient.exe
2504	VirtualMonitorClient.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 5 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	EDownloader.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	EUinApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	EUinApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl	EUinApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\RecExperts.exe = "11000"	EUinApp.exe

Modifies data under HKEY_USERS 46 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2660	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1316	RecExperts.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
540	ere_free_easeus.tmp
540	ere_free_easeus.tmp
1104	powershell.exe
1356	EuDownload.exe
1316	RecExperts.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1316	RecExperts.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1104	powershell.exe
Token: SeRestorePrivilege	2720	devcon.exe
Token: SeRestorePrivilege	2720	devcon.exe
Token: SeRestorePrivilege	2720	devcon.exe
Token: SeRestorePrivilege	2720	devcon.exe
Token: SeRestorePrivilege	2720	devcon.exe
Token: SeRestorePrivilege	2720	devcon.exe
Token: SeRestorePrivilege	2720	devcon.exe
Token: SeRestorePrivilege	2720	devcon.exe
Token: SeRestorePrivilege	2720	devcon.exe
Token: SeRestorePrivilege	2720	devcon.exe
Token: SeRestorePrivilege	2720	devcon.exe
Token: SeRestorePrivilege	2720	devcon.exe
Token: SeRestorePrivilege	2720	devcon.exe
Token: SeRestorePrivilege	2720	devcon.exe
Token: SeRestorePrivilege	2748	DrvInst.exe
Token: SeRestorePrivilege	2748	DrvInst.exe
Token: SeRestorePrivilege	2748	DrvInst.exe
Token: SeRestorePrivilege	2748	DrvInst.exe
Token: SeRestorePrivilege	2748	DrvInst.exe
Token: SeRestorePrivilege	2748	DrvInst.exe
Token: SeRestorePrivilege	2748	DrvInst.exe
Token: SeRestorePrivilege	2224	rundll32.exe
Token: SeRestorePrivilege	2224	rundll32.exe
Token: SeRestorePrivilege	2224	rundll32.exe
Token: SeRestorePrivilege	2224	rundll32.exe
Token: SeRestorePrivilege	2224	rundll32.exe
Token: SeRestorePrivilege	2224	rundll32.exe
Token: SeRestorePrivilege	2224	rundll32.exe
Token: SeRestorePrivilege	2748	DrvInst.exe
Token: SeRestorePrivilege	2748	DrvInst.exe
Token: SeRestorePrivilege	2748	DrvInst.exe
Token: SeRestorePrivilege	2748	DrvInst.exe
Token: SeRestorePrivilege	2748	DrvInst.exe
Token: SeRestorePrivilege	2748	DrvInst.exe
Token: SeRestorePrivilege	2748	DrvInst.exe
Token: SeBackupPrivilege	1660	vssvc.exe
Token: SeRestorePrivilege	1660	vssvc.exe
Token: SeAuditPrivilege	1660	vssvc.exe
Token: SeBackupPrivilege	2748	DrvInst.exe
Token: SeRestorePrivilege	2748	DrvInst.exe
Token: SeRestorePrivilege	1272	DrvInst.exe
Token: SeRestorePrivilege	1272	DrvInst.exe
Token: SeRestorePrivilege	1272	DrvInst.exe
Token: SeRestorePrivilege	1272	DrvInst.exe
Token: SeRestorePrivilege	1272	DrvInst.exe
Token: SeRestorePrivilege	1272	DrvInst.exe
Token: SeRestorePrivilege	1272	DrvInst.exe
Token: SeLoadDriverPrivilege	1272	DrvInst.exe
Token: SeLoadDriverPrivilege	1272	DrvInst.exe
Token: SeLoadDriverPrivilege	1272	DrvInst.exe
Token: SeRestorePrivilege	2720	devcon.exe
Token: SeLoadDriverPrivilege	2720	devcon.exe
Token: SeRestorePrivilege	2796	DrvInst.exe
Token: SeRestorePrivilege	2796	DrvInst.exe
Token: SeRestorePrivilege	2796	DrvInst.exe
Token: SeRestorePrivilege	2796	DrvInst.exe
Token: SeRestorePrivilege	2796	DrvInst.exe
Token: SeRestorePrivilege	2796	DrvInst.exe
Token: SeRestorePrivilege	2796	DrvInst.exe
Token: SeRestorePrivilege	2796	DrvInst.exe
Token: SeLoadDriverPrivilege	2796	DrvInst.exe
Token: SeLoadDriverPrivilege	2796	DrvInst.exe
Token: 33	1316	RecExperts.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
540	ere_free_easeus.tmp
1316	RecExperts.exe
1316	RecExperts.exe
1316	RecExperts.exe
1316	RecExperts.exe
1316	RecExperts.exe
1316	RecExperts.exe

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
1316	RecExperts.exe
1316	RecExperts.exe
1316	RecExperts.exe
1316	RecExperts.exe
1316	RecExperts.exe
1316	RecExperts.exe

Suspicious use of SetWindowsHookEx 32 IoCs

pid	Process
2580	EDownloader.exe
2580	EDownloader.exe
1316	RecExperts.exe
1316	RecExperts.exe
1316	RecExperts.exe
1316	RecExperts.exe
1316	RecExperts.exe
1316	RecExperts.exe
1316	RecExperts.exe
1316	RecExperts.exe
1316	RecExperts.exe
1316	RecExperts.exe
1316	RecExperts.exe
1316	RecExperts.exe
1316	RecExperts.exe
1316	RecExperts.exe
1316	RecExperts.exe
1316	RecExperts.exe
1316	RecExperts.exe
1316	RecExperts.exe
1316	RecExperts.exe
1316	RecExperts.exe
1316	RecExperts.exe
1316	RecExperts.exe
1316	RecExperts.exe
1316	RecExperts.exe
1316	RecExperts.exe
1316	RecExperts.exe
5692	erepost.exe
5692	erepost.exe
5692	erepost.exe
1316	RecExperts.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 2580	2240	screen_recorder_install_20240620.1-981596.exe	28
PID 2240 wrote to memory of 2580	2240	screen_recorder_install_20240620.1-981596.exe	28
PID 2240 wrote to memory of 2580	2240	screen_recorder_install_20240620.1-981596.exe	28
PID 2240 wrote to memory of 2580	2240	screen_recorder_install_20240620.1-981596.exe	28
PID 2580 wrote to memory of 2972	2580	EDownloader.exe	29
PID 2580 wrote to memory of 2972	2580	EDownloader.exe	29
PID 2580 wrote to memory of 2972	2580	EDownloader.exe	29
PID 2580 wrote to memory of 2972	2580	EDownloader.exe	29
PID 2580 wrote to memory of 2972	2580	EDownloader.exe	29
PID 2580 wrote to memory of 2972	2580	EDownloader.exe	29
PID 2580 wrote to memory of 2972	2580	EDownloader.exe	29
PID 2580 wrote to memory of 2700	2580	EDownloader.exe	30
PID 2580 wrote to memory of 2700	2580	EDownloader.exe	30
PID 2580 wrote to memory of 2700	2580	EDownloader.exe	30
PID 2580 wrote to memory of 2700	2580	EDownloader.exe	30
PID 2580 wrote to memory of 2700	2580	EDownloader.exe	30
PID 2580 wrote to memory of 2700	2580	EDownloader.exe	30
PID 2580 wrote to memory of 2700	2580	EDownloader.exe	30
PID 2700 wrote to memory of 2760	2700	InfoForSetup.exe	31
PID 2700 wrote to memory of 2760	2700	InfoForSetup.exe	31
PID 2700 wrote to memory of 2760	2700	InfoForSetup.exe	31
PID 2700 wrote to memory of 2760	2700	InfoForSetup.exe	31
PID 2580 wrote to memory of 1964	2580	EDownloader.exe	33
PID 2580 wrote to memory of 1964	2580	EDownloader.exe	33
PID 2580 wrote to memory of 1964	2580	EDownloader.exe	33
PID 2580 wrote to memory of 1964	2580	EDownloader.exe	33
PID 2580 wrote to memory of 1964	2580	EDownloader.exe	33
PID 2580 wrote to memory of 1964	2580	EDownloader.exe	33
PID 2580 wrote to memory of 1964	2580	EDownloader.exe	33
PID 2580 wrote to memory of 2404	2580	EDownloader.exe	34
PID 2580 wrote to memory of 2404	2580	EDownloader.exe	34
PID 2580 wrote to memory of 2404	2580	EDownloader.exe	34
PID 2580 wrote to memory of 2404	2580	EDownloader.exe	34
PID 2580 wrote to memory of 2404	2580	EDownloader.exe	34
PID 2580 wrote to memory of 2404	2580	EDownloader.exe	34
PID 2580 wrote to memory of 2404	2580	EDownloader.exe	34
PID 2580 wrote to memory of 2432	2580	EDownloader.exe	35
PID 2580 wrote to memory of 2432	2580	EDownloader.exe	35
PID 2580 wrote to memory of 2432	2580	EDownloader.exe	35
PID 2580 wrote to memory of 2432	2580	EDownloader.exe	35
PID 2580 wrote to memory of 2432	2580	EDownloader.exe	35
PID 2580 wrote to memory of 2432	2580	EDownloader.exe	35
PID 2580 wrote to memory of 2432	2580	EDownloader.exe	35
PID 2580 wrote to memory of 2336	2580	EDownloader.exe	36
PID 2580 wrote to memory of 2336	2580	EDownloader.exe	36
PID 2580 wrote to memory of 2336	2580	EDownloader.exe	36
PID 2580 wrote to memory of 2336	2580	EDownloader.exe	36
PID 2580 wrote to memory of 2336	2580	EDownloader.exe	36
PID 2580 wrote to memory of 2336	2580	EDownloader.exe	36
PID 2580 wrote to memory of 2336	2580	EDownloader.exe	36
PID 2580 wrote to memory of 1916	2580	EDownloader.exe	37
PID 2580 wrote to memory of 1916	2580	EDownloader.exe	37
PID 2580 wrote to memory of 1916	2580	EDownloader.exe	37
PID 2580 wrote to memory of 1916	2580	EDownloader.exe	37
PID 2580 wrote to memory of 1916	2580	EDownloader.exe	37
PID 2580 wrote to memory of 1916	2580	EDownloader.exe	37
PID 2580 wrote to memory of 1916	2580	EDownloader.exe	37
PID 2580 wrote to memory of 780	2580	EDownloader.exe	38
PID 2580 wrote to memory of 780	2580	EDownloader.exe	38
PID 2580 wrote to memory of 780	2580	EDownloader.exe	38
PID 2580 wrote to memory of 780	2580	EDownloader.exe	38
PID 2580 wrote to memory of 780	2580	EDownloader.exe	38
PID 2580 wrote to memory of 780	2580	EDownloader.exe	38
PID 2580 wrote to memory of 780	2580	EDownloader.exe	38

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\screen_recorder_install_20240620.1-981596.exe
"C:\Users\Admin\AppData\Local\Temp\screen_recorder_install_20240620.1-981596.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Users\Admin\AppData\Local\Temp\downloader_easeus\2.0.0\12free\EDownloader.exe
  "C:\Users\Admin\AppData\Local\Temp\downloader_easeus\2.0.0\12free\EDownloader.exe" EXEDIR=C:\Users\Admin\AppData\Local\Temp ||| EXENAME=screen_recorder_install_20240620.1-981596.exe ||| DOWNLOAD_VERSION=free ||| PRODUCT_VERSION=2.0.0 ||| INSTALL_TYPE=0
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2580
- - C:\Users\Admin\AppData\Local\Temp\downloader_easeus\2.0.0\12free\aliyun\InfoForSetup.exe
    /Uid "S-1-5-21-3691908287-3775019229-3534252667-1000"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2972
- - C:\Users\Admin\AppData\Local\Temp\downloader_easeus\2.0.0\12free\aliyun\InfoForSetup.exe
    /SendInfo Window "Web_Installer" Activity "Result_Run_Installer" Attribute "{\"Country\":\"United States\",\"Pageid\":\"1-981596\",\"Timezone\":\"GMT-00:00\"}"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2700
  - - C:\Users\Admin\AppData\Local\Temp\downloader_easeus\2.0.0\12free\aliyun\AliyunWrapExe.Exe
      C:\Users\Admin\AppData\Local\Temp\downloader_easeus\2.0.0\12free\aliyun\AliyunWrapExe.Exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2760
- - C:\Users\Admin\AppData\Local\Temp\downloader_easeus\2.0.0\12free\aliyun\InfoForSetup.exe
    /SendInfo Window "Home_Installer" Activity "Result_Download_Configurefile" Attribute "{\"CDN\":\"http://download.easeus.com/api2/index.php/Apicp/Drwdl202004/index/\",\"Elapsed\":\"3\",\"Errorinfo\":\"0\",\"Result\":\"Success\"}"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1964
- - C:\Users\Admin\AppData\Local\Temp\downloader_easeus\2.0.0\12free\aliyun\InfoForSetup.exe
    /SendInfo Window "Home_Installer" Activity "Click_Install" Attribute "{\"Country\":\"United States\",\"Install_Path\":\"C:/Program Files (x86)/EaseUS/RecExperts\",\"Language\":\"English\",\"Os\":\"Microsoft Windows 7\",\"Pageid\":\"1-981596\",\"Timezone\":\"GMT-00:00\",\"Version\":\"free\",\"Version_Num\":\"3.8.1\"}"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2404
- - C:\Users\Admin\AppData\Local\Temp\downloader_easeus\2.0.0\12free\aliyun\InfoForSetup.exe
    /SendInfo Window "Downloading" Activity "Info_Start_Download_Program" Attribute "{\"Downloadfrom\":\"https://d1.easeus.com/ere/free/screenrecorder3.8.1_free_A.exe\",\"Pageid\":\"1-981596\",\"Testid\":\"\",\"Version\":\"free\",\"Versionnumber\":\"3.8.1\"}"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2432
- - C:\Users\Admin\AppData\Local\Temp\downloader_easeus\2.0.0\12free\aliyun\InfoForSetup.exe
    /SendInfo Window "Downloading" Activity "Result_Download_Program" Attribute "{\"Average_Networkspeed\":\"10.31MB\",\"Cdn\":\"https://d1.easeus.com/ere/free/screenrecorder3.8.1_free_A.exe\",\"Elapsedtime\":\"7\",\"Errorinfo\":\"0\",\"Result\":\"Success\"}"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2336
- - C:\Users\Admin\AppData\Local\Temp\downloader_easeus\2.0.0\12free\aliyun\InfoForSetup.exe
    /SendInfo Window "Installing" Activity "Info_Start_Install_Program"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1916
- - C:\Users\Admin\AppData\Local\Temp\ere_free_easeus.exe
    /verysilent /norestart /log Installer /DIR="C:\Program Files (x86)\EaseUS\RecExperts" /LANG=English GUID=S-1-5-21-3691908287-3775019229-3534252667-1000 /Recommend=1-981596
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:780
  - - C:\Users\Admin\AppData\Local\Temp\is-2VKIG.tmp\ere_free_easeus.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-2VKIG.tmp\ere_free_easeus.tmp" /SL5="$201B4,74634738,830976,C:\Users\Admin\AppData\Local\Temp\ere_free_easeus.exe" /verysilent /norestart /log Installer /DIR="C:\Program Files (x86)\EaseUS\RecExperts" /LANG=English GUID=S-1-5-21-3691908287-3775019229-3534252667-1000 /Recommend=1-981596
      4⤵
      Drops file in Program Files directory
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      PID:540
    - - C:\Program Files (x86)\EaseUS\RecExperts\bin\EUinApp.exe
        
        "C:\Program Files (x86)\EaseUS\RecExperts\bin\EUinApp.exe" RecExperts.exe
        5⤵
        Executes dropped EXE
        Modifies Internet Explorer settings
        
        PID:3024
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files (x86)\EaseUS\RecExperts\bin\RecExperts.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1104
    - - C:\Program Files (x86)\EaseUS\RecExperts\bin\TaskSchedulerWeb.exe
        
        "C:\Program Files (x86)\EaseUS\RecExperts\bin\TaskSchedulerWeb.exe" install EaseUS_RecExperts_Web
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3004
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /sc once /tn EaseUS_RecExperts_Web /tr "\"C:\Program Files (x86)\EaseUS\RecExperts\bin\TaskSchedulerWeb.exe\"/skipuac" /sd 10/10/3099 /st 01:10 /rl HIGHEST /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2660
    - - C:\Program Files (x86)\EaseUS\RecExperts\bin\VirtualMonitorClient.exe
        
        "C:\Program Files (x86)\EaseUS\RecExperts\bin\VirtualMonitorClient.exe" install
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2504
      - C:\Program Files (x86)\EaseUS\RecExperts\bin\devcon.exe
        
        "C:\Program Files (x86)\EaseUS\RecExperts\bin\devcon.exe" install "C:\Program Files (x86)\EaseUS\RecExperts\bin\Driver\X64\VirtualMonitor.inf" "Root\VirtualMonitor"
        6⤵
        Drops file in System32 directory
        Drops file in Windows directory
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2720
    - - C:\Program Files (x86)\EaseUS\RecExperts\bin\SetupUE.exe
        
        "C:\Program Files (x86)\EaseUS\RecExperts\bin\SetupUE.exe" /Enable "{\"Language\":\"English\",\"Version\":\"ere_free_setup_3.8.1_20240418-1-981596\",\"Version_Num\":\"3.8.1\",\"Pageid\":\"1-981596\",\"UE\":\"On\"}"
        5⤵
        Executes dropped EXE
        
        PID:828
      - C:\Program Files (x86)\EaseUS\RecExperts\bin\InfoForSetup.exe
        
        "C:\Program Files (x86)\EaseUS\RecExperts\bin\InfoForSetup.exe" /Enable
        6⤵
        Executes dropped EXE
        
        PID:1800
      - C:\Program Files (x86)\EaseUS\RecExperts\bin\InfoForSetup.exe
        
        "C:\Program Files (x86)\EaseUS\RecExperts\bin\InfoForSetup.exe" /SendInfo "Window" "Install" "Activity" "Info_Userinfo" "Attribute" "{\"Language\":\"English\",\"Version\":\"ere_free_setup_3.8.1_20240418-1-981596\",\"Version_Num\":\"3.8.1\",\"Pageid\":\"1-981596\",\"UE\":\"On\",\"Country\":\"United States\",\"Timezone\":\"GMT-00:00\",\"OS\":\"Microsoft Windows 7 64-bit Service Pack 1 (6.1.7601.1.256)\",\"BuildNumber\":\"20240418\"}"
        6⤵
        Executes dropped EXE
        
        PID:1752
        
        C:\Program Files (x86)\EaseUS\RecExperts\bin\AliyunWrapExe.Exe
        
        "C:\Program Files (x86)\EaseUS\RecExperts\bin\AliyunWrapExe.Exe"
        7⤵
        Executes dropped EXE
        
        PID:2064
      - C:\Program Files (x86)\EaseUS\RecExperts\bin\InfoForSetup.exe
        
        "C:\Program Files (x86)\EaseUS\RecExperts\bin\InfoForSetup.exe" /SendInfo "Window" "Install" "Activity" "Info_Disk" "Attribute" "{\"Diskinfo\":{\"Disk0\":[\"DADY HARDDISK2.5+\", \"255.99GB\", \"GPT\"]}}"
        6⤵
        Executes dropped EXE
        
        PID:2304
      - C:\Program Files (x86)\EaseUS\RecExperts\bin\InfoForSetup.exe
        
        "C:\Program Files (x86)\EaseUS\RecExperts\bin\InfoForSetup.exe" /SendInfo "Window" "Install" "Activity" "Info_Device" "Attribute" "{\"Computer\":\"Desktop\",\"CPU\":\"Intel(R) Xeon(R) CPU E5-2689 0 @ 2.60GHz:[8]\",\"GPU\":\"\",\"RAM\":\"\",\"Manufacturer\":\"Supermicro\",\"Model\":\"X9SRE/X9SRE-3F/X9SRi/X9SRi-3F\",,\"OS\":\"Microsoft Windows 7 64-bit Service Pack 1 (6.1.7601.1.256)\",\"MainBoard\":\"\"}"
        6⤵
        Executes dropped EXE
        
        PID:2112
      - C:\Program Files (x86)\EaseUS\RecExperts\bin\FfmpegProbe.exe
        
        "C:\Program Files (x86)\EaseUS\RecExperts\bin\FfmpegProbe.exe"
        6⤵
        Executes dropped EXE
        
        PID:1640
      - C:\Program Files (x86)\EaseUS\RecExperts\bin\InfoForSetup.exe
        
        "C:\Program Files (x86)\EaseUS\RecExperts\bin\InfoForSetup.exe" /SendInfo "Window" "Install" "Activity" "Info_Detect" "Attribute" "{\"Result\":None\"}"
        6⤵
        Executes dropped EXE
        
        PID:1300
- - C:\Users\Admin\AppData\Local\Temp\downloader_easeus\2.0.0\12free\aliyun\InfoForSetup.exe
    /SendInfo Window "Install_Finish" Activity "Result_Install_Program" Attribute "{\"Country\":\"United States\",\"Elapsedtime\":\"29\",\"Language\":\"English\",\"Pageid\":\"1-981596\",\"Result\":\"result_success\"}"
    3⤵
    - Executes dropped EXE
    PID:1528
- - C:\Users\Admin\AppData\Local\Temp\downloader_easeus\2.0.0\12free\aliyun\InfoForSetup.exe
    /SendInfo Window "Install_Finish" Activity "Click_Startnow"
    3⤵
    - Executes dropped EXE
    PID:1760
- - C:\Program Files (x86)\EaseUS\RecExperts\bin\RecExperts.exe
    "C:\Program Files (x86)\EaseUS\RecExperts\bin\RecExperts.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:1316
  - - C:\Program Files (x86)\EaseUS\RecExperts\bin\EreDownload.exe
      "C:\Program Files (x86)\EaseUS\RecExperts\bin\EreDownload.exe" https://public.easeus.com/media/ere/ai/aiconfig.ini "C:/Program Files (x86)/EaseUS/RecExperts/bin/AiWebCfg_tmp.ini" 0 "" 1 1480
      4⤵
      Executes dropped EXE
      PID:1272
  - - C:\Program Files (x86)\EaseUS\RecExperts\bin\InfoForSetup.exe
      /SendInfo Window "OnlineVideo" Activity "Info_Browser" Attribute "{\"Browser\":\"Chrome\"}"
      4⤵
      Drops file in Program Files directory
      Executes dropped EXE
      PID:1892
  - - C:\Program Files (x86)\EaseUS\RecExperts\bin\EuDownload.exe
      "C:\Program Files (x86)\EaseUS\RecExperts\bin\EuDownload.exe" https://update.easeus.com/update/ere/innerbuy/ere_Free.ini "C:\Users\Admin\AppData\Local\Temp\euphtupdate.ini" 0 "" 1 2484
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1356
  - - C:\Program Files (x86)\EaseUS\RecExperts\bin\InfoForSetup.exe
      /SendInfo Window "Home" Activity "Info_Start" Attribute "{\"Version\":\"3.8.1\"}"
      4⤵
      Executes dropped EXE
      PID:284
  - - C:\Program Files (x86)\EaseUS\RecExperts\bin\InfoForSetup.exe
      /SendInfo Window "Home" Activity "Info_VersionExpired" Attribute "{\"LicenseNum\":\"\",\"VersionNum\":\"0.0.0\"}"
      4⤵
      Executes dropped EXE
      PID:5648
  - - C:\Program Files (x86)\EaseUS\RecExperts\bin\InfoForSetup.exe
      /SendInfo Window "Home" Activity "Info_Screen" Attribute "{\"Num\":1,\"screen1\":\"1280,720\"}"
      4⤵
      Executes dropped EXE
      PID:5996
  - - C:\Program Files (x86)\EaseUS\RecExperts\bin\InfoForSetup.exe
      /SendInfo Window "Home" Activity "Info_Camera"
      4⤵
      Executes dropped EXE
      PID:6004
  - - C:\Program Files (x86)\EaseUS\RecExperts\bin\InfoForSetup.exe
      /SendInfo Window "Home" Activity "Info_Microphone" Attribute "{\"Micinfo\":{\"Mic1\":\"Line In (High Definition Audio Device),Inner\"}}"
      4⤵
      Executes dropped EXE
      PID:6016
  - - C:\Program Files (x86)\EaseUS\RecExperts\bin\EreDownload.exe
      "C:\Program Files (x86)\EaseUS\RecExperts\bin\EreDownload.exe" https://update.easeus.com/update/ere/recexperts.ini "C:\Users\Admin\AppData\Local\Temp\ere2AE7.tmp" 0 "" 1 2092
      4⤵
      Executes dropped EXE
      PID:1848
  - - C:\Program Files (x86)\EaseUS\RecExperts\bin\InfoForSetup.exe
      /SendInfo Window "Home" Activity "Info_VersionExpired" Attribute "{\"LicenseNum\":\"\",\"VersionNum\":\"0.0.0\"}"
      4⤵
      Executes dropped EXE
      PID:2952
  - - C:\Program Files (x86)\EaseUS\RecExperts\bin\InfoForSetup.exe
      /SendInfo Window "Home" Activity "Info_Update" Attribute "{\"Update\":\"No\",\"VersionNum\":\"3.8.1\"}"
      4⤵
      Executes dropped EXE
      PID:3304
  - - C:\Program Files (x86)\EaseUS\RecExperts\bin\InfoForSetup.exe
      /SendInfo Window "Region" Activity "Click_Region"
      4⤵
      Executes dropped EXE
      PID:3932
  - - C:\Program Files (x86)\EaseUS\RecExperts\bin\InfoForSetup.exe
      /SendInfo Window "SystemSound" Source "Main" Activity "Click_Close"
      4⤵
      Executes dropped EXE
      PID:4168
  - - C:\Program Files (x86)\EaseUS\RecExperts\bin\InfoForSetup.exe
      /SendInfo Window "Home" Activity "Click_Audio"
      4⤵
      Drops file in Program Files directory
      Executes dropped EXE
      PID:2536
  - - C:\Program Files (x86)\EaseUS\RecExperts\bin\InfoForSetup.exe
      /SendInfo Window "Home" Activity "Click_Game"
      4⤵
      Executes dropped EXE
      PID:4616
  - - C:\Program Files (x86)\EaseUS\RecExperts\bin\InfoForSetup.exe
      /SendInfo Window "Player" Source "Recordings" Activity "Info_list" Attribute "{\"All\":0,\"Audio\":0,\"Picture\":0,\"Video\":0}"
      4⤵
      Executes dropped EXE
      PID:4816
  - - C:\Program Files (x86)\EaseUS\RecExperts\bin\InfoForSetup.exe
      /SendInfo Window "Player" Activity "Click_back"
      4⤵
      Executes dropped EXE
      PID:2392
  - - C:\Program Files (x86)\EaseUS\RecExperts\bin\InfoForSetup.exe
      /SendInfo Window "Home" Activity "Click_Close"
      4⤵
      Executes dropped EXE
      PID:1424
  - - C:\Program Files (x86)\EaseUS\RecExperts\bin\InfoForSetup.exe
      /SendInfo Window "Home" Activity "Click_OK" Attribute "{\"NoShow\":\"false\",\"Option\":\"Exit\"}"
      4⤵
      Executes dropped EXE
      PID:5428
  - - C:\Program Files (x86)\EaseUS\RecExperts\bin\erepost.exe
      "C:/Program Files (x86)/EaseUS/RecExperts/bin/erepost.exe" http://track.easeus.com/product/index.php/?a=statistics&p_type=m_easeus_user_rate "uid=S-1-5-21-3691908287-3775019229-3534252667-1000&version=free&number=3.8.1&rate=1&feedback=&product=easeus_recexperts"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:5692
  - - C:\Program Files (x86)\EaseUS\RecExperts\bin\InfoForSetup.exe
      /SendInfo Window "Home" Activity "Info_Exit"
      4⤵
      Executes dropped EXE
      PID:5704

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{6794af91-4025-3a7a-4288-b22886382e18}\virtualmonitor.inf" "9" "69225147b" "00000000000003A0" "WinSta0\Default" "0000000000000584" "208" "c:\program files (x86)\easeus\recexperts\bin\driver\x64"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2748
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 10 Global\{263ab4f8-8e77-1260-db4c-3452241b850a} Global\{10c4349b-5da6-5076-d2a8-aa3c4e46df4f} C:\Windows\System32\DriverStore\Temp\{28ee0e8d-cbb8-40cc-e408-86696c9e2404}\virtualmonitor.inf C:\Windows\System32\DriverStore\Temp\{28ee0e8d-cbb8-40cc-e408-86696c9e2404}\VirtualMonitor.cat
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2224

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1660

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot18" "" "" "6792c44eb" "0000000000000000" "00000000000003D4" "00000000000005D4"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1272

C:\Windows\system32\DrvInst.exe
DrvInst.exe "2" "211" "ROOT\DISPLAY\0000" "C:\Windows\INF\oem2.inf" "virtualmonitor.inf:Standard.NTamd64:MyDevice_Install:10.10.30.904:root\virtualmonitor" "69225147b" "00000000000003A0" "00000000000005B8" "00000000000005D4"
1⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\EaseUS\RecExperts\bin\DataFile.ini

Filesize
936B

MD5
a643b94864f228115789d9aad8598834

SHA1
f70b9f19d8db1ae9d666a01485d0fbac5ff79f87

SHA256
522e0f95f7f787e4c8b52856836fafba82ee8656ff6b7ad3f5b14cacba25a701

SHA512
e9b5c50a2d67adaa92604f1477dd92c604113ed75be68dee03bffb49988bd833a101d6759df32b6161334779a0227a2d1ee5689548d5a1a246971a020b338526

Download Submit
C:\Program Files (x86)\EaseUS\RecExperts\bin\DataFile.ini

Filesize
1KB

MD5
7c258640fa6fe180c4330e75d2e92efb

SHA1
56794355f1a4752c4211d7a2c424c8d93743c785

SHA256
0512285c6ede8f7efd975ec8b339f74cd8d72397d317ab61892494aeaa0dcf09

SHA512
a3e4f729ab28a8feed284a421e1836484081eb000e057da51e7f572f79874071ad078cf6b9014c11a64d5bcf68971b00f6c0e3f3548c13c801bd33f1674b2495

Download Submit
C:\Program Files (x86)\EaseUS\RecExperts\bin\DataFile.ini

Filesize
1KB

MD5
3d481801d93e36960e93fb7c4b6d9c7c

SHA1
8d467c91002e48398888c7272adf062349f301a3

SHA256
cd908ccdcc25364299d4a2101d4d93c867bd6ba4e60824c580e80619e01e90e5

SHA512
c15f6f944217170f60c2af6c4f92ec5a19e738e7856693fc6d14e9608d18eb5c72e4bed076a730ca289c0047b818b53ee0b7b67f9f4124dee148200ed512039f

Download Submit
C:\Program Files (x86)\EaseUS\RecExperts\bin\DataFile.ini

Filesize
2KB

MD5
9094179ac6021cd4ebb2fb5ce1f685d7

SHA1
692b0fd6fbfcb888e424aba5542986422e7c1392

SHA256
ab7955aa9d5533eda6c56c011089487426469d6fce1e51b29ccf2dbfda960dd1

SHA512
379de13e93309185ffb0579397e4c0b6f217bc38fd94a16bc8b47236a4744f1bea6a0c5042c72bcc69f2580049ae741bf6b70e3626eac6b97aac7d2904c5373b

Download Submit
C:\Program Files (x86)\EaseUS\RecExperts\bin\DataFile.ini

Filesize
2KB

MD5
9dc595984693ceac07801fbdc97fa45b

SHA1
a0716f738efadb5778942dba7682b12b588d2e47

SHA256
b83802377717f2ad71a38d3a6d948252b9ab392e6bc289c101e72e41be0047ae

SHA512
3afd13ff26c5287ad24cd46477f838026a9a380f72d8f67c38b1e46b0373581ed11682382f8781929aeaf66dab70cdd2e2a6c0eea1054103e488b532ba838c34

Download Submit
C:\Program Files (x86)\EaseUS\RecExperts\bin\DataFile.ini

Filesize
1KB

MD5
90ee824f37b4486b02bb13b6f4ac2a03

SHA1
2bd108313f7acd09ab8dc6ca150141d300372a1c

SHA256
d34725c1cbec05d8c24355266244257092f0ed67eab14d467d873747cd28cd6b

SHA512
1cd82dea9d73ef51841fb71a57356ad0f145b6b1fd3fa7497cb6236fa616213b5fb78b1c4ee8660a8249759820ee159b191166056b463084c915820c0510a2f8

Download Submit
C:\Program Files (x86)\EaseUS\RecExperts\bin\DataFile.ini

Filesize
1KB

MD5
046c5b734e650a55d7e2333a4f2cde0c

SHA1
92ee5a8491f5288202eb590e1ea36cd7ee1c2cd4

SHA256
7192da96788745a1f3d56d81313c521a5370468ae05666b0283623c90b5e4e54

SHA512
3f64c26e6e1a60a758eb65c80a4f0d325b45b3423f8e01341bbe2f3e5cb4ca82630ad76519895b54df5d85f6387838d60be89ad8f39f4d46880e80450243f2ca

Download Submit
C:\Program Files (x86)\EaseUS\RecExperts\bin\DataFile.ini

Filesize
1KB

MD5
6de72b4bae4aa2e0fac552e481591b29

SHA1
ba9f4c9c563ed5341706282db1419b6dd2aa1069

SHA256
c1bf2baaca2c306b250b165f93730f3d5e2f3779e75b2e5a0547c4ae9ca88022

SHA512
2792eeaeb9307ca89fcfedfdbe80d883deea440c379f18a8bda22aac620dfda198b0f7b2bb893a3a729c07d2e5c53ddd34245e4b91b402f9ae9a4417b5277fae

Download Submit
C:\Program Files (x86)\EaseUS\RecExperts\bin\DataFile.ini

Filesize
1KB

MD5
0a827b746af4188fe379305e5cddd856

SHA1
b833d60e8b6c2729e3ade32dbe15f2c6ea16ae6a

SHA256
5b2b440a8d6b60cd7e35f34e5c3b899aef4df17f9d940cf56fe1e50194723f75

SHA512
ece78681565db33eec4a6b3816380198712e3df285054f0d5f6d0e1bb7aa5310c00db4ff089b9523f0209419fe33a5ea576a58e90601c97b2564bdf31c34e5ff

Download Submit
C:\Program Files (x86)\EaseUS\RecExperts\bin\DataFile.ini

Filesize
1KB

MD5
00190e250d5d04dd9b7a648aee7f3b5e

SHA1
405cd74ced4cefcfde9d53e1ce6c96b13666bd59

SHA256
4b4b6c9d9b00a680f8772c3613b4ca22df2d08f39189238def565bfc40979751

SHA512
1a2beba4c6fe4565529fe85b18543ea79df8bc56bdf8a4b665e030d74f09b09853e33fbc57866df993faa5541e8fe0acbd669c7a8304e38d0d7f222101863f45

Download Submit
C:\Program Files (x86)\EaseUS\RecExperts\bin\DataFile.ini

Filesize
432B

MD5
1202e9f3cd6e4664572daa45ce7c65bf

SHA1
9ba3cbf828e1db2e44ccc495c86b79bf8a74d375

SHA256
e7ae0a4009dbec8c7f6327115fd24677a202ae2b1dcf014aefbc2a10c8a3a10b

SHA512
bb36ee1c7fca80a5f0e656bceec6ca4a20c19f75e15758ba4780315425b9d11dd675765462b3e35c6b4002ffb9805ef44af7b9ab0a2ebdbbafe8cc5a66f2408e

Download Submit
C:\Program Files (x86)\EaseUS\RecExperts\bin\DataFile.ini

Filesize
1KB

MD5
3a680b732c268eb99e01f0590d70528c

SHA1
b69c6c3e5b223dbf043efea445596a21a589389a

SHA256
d9e47c10a51bc217c5873949f6b174d2f3d9b19eea5a3bd906884f63b65d1664

SHA512
ebc8819ae7e6616d6444af5c97d8645da5d00d3d208678ddf86cbc79352d6ebdc9fd32faf30e3902d23212341d87916067750600bb6c868166111a66569c4a4a

Download Submit
C:\Program Files (x86)\EaseUS\RecExperts\bin\DataFile.ini

Filesize
1KB

MD5
24e0b29995b046d8236b0f758bc98cb4

SHA1
9d3226d9a360ac4499a7a2790b031a4d2c676624

SHA256
fa83fa7743a24b587405ef950806dae325f763a4075708f0ccdc193db59f59d4

SHA512
5e45e62c244036da7ede410fb07ff928a8db18c2d6a1bd5ade182802c794e5a18475c4c66cd43e0800c1c0df6a56dbc653b24ec3ea17536ef6f3ea04e45a4b37

Download Submit
C:\Program Files (x86)\EaseUS\RecExperts\bin\DataFile.ini

Filesize
1KB

MD5
4e6b9ae65360f08bfb3af16562e31889

SHA1
1d1bf3764e8f84d7a75e19d978b9ea240f34ebc4

SHA256
c97e0602e733d105f9396c761edde846214b76245becdb08ae6ae5a26d853edf

SHA512
a0fd42f4e3995eb207a95bd79911ae150622065167b029b0f700317b304063764c83944cdeef40d1cea43dc3ad6ae858f89383bf184fb92136433783ff72e1b7

Download Submit
C:\Program Files (x86)\EaseUS\RecExperts\bin\DataFile.ini

Filesize
788B

MD5
8132aac6d82853f26374570096e45963

SHA1
9a15b45d53fdf7efa6207e4c201f10e6e9ddb848

SHA256
46927e253a54895ab204db8bdab478c0ffcd3293bf5d28e3d54c4535deb579fc

SHA512
ef282d6f01b663cf187a9cd2b6d1be1a6d2cfa0393ba1717ca26f7d4c5963a75bc418c6c63d2acc548262c5b846bb81cb7ca1b1c89b3a56b0df8a291d0008cea

Download Submit
C:\Program Files (x86)\EaseUS\RecExperts\bin\DataFile.ini

Filesize
340B

MD5
ec5178ee352b8c0d6029fc2ac0f33518

SHA1
77943cd4d87505d7ba048d54a8a7871b58cb4c7a

SHA256
78c46a5f1ca2fd7d7d48305d18ef6623b30b9be338640c8604c38c4645a59c44

SHA512
c9c18e635071b81360827e53cd9ee936ea10855e9da1f6f91a947da6aaf21e3139df6d3269e00c869693a4eda717853aeda8d22cf09e31148654c304613fd0a8

Download Submit
C:\Program Files (x86)\EaseUS\RecExperts\bin\DataFile.ini

Filesize
738B

MD5
5e667196ff478781da0e053867f8db82

SHA1
9d43cb0064b589b1575876577c761430de0c45a7

SHA256
5cea719ee1779716ef6da490ad0568c2a30d4bcf34554b2ce909ec4bc268dc58

SHA512
7a5e0df57c9284175ecd47c9036ca1047f5baec1c8407eefaaf0b60c058e1fb441732126261ec6e7dffe8c10333c05c1ee6dc5b92040a8802cb8d8ee2c02bbb6

Download Submit
C:\Program Files (x86)\EaseUS\RecExperts\bin\DataFile.ini

Filesize
1KB

MD5
01817f340b9a9b6661259a5153c7a0b9

SHA1
7f02c0963c55f35a6326c263faf64df22810a51d

SHA256
76088d11b0c39f3019ef7416afc1f5fec303c0bf5f9343c20b88c1f8c8428a0b

SHA512
76e833375a550495b63add608ae25beb4ff619d5648194b5f07bbfa498a1667c5578545323829773b27119003cc80a5c9e0150008d3d258a8159baaa3bc438b7

Download Submit
C:\Program Files (x86)\EaseUS\RecExperts\bin\DataFile.ini

Filesize
864B

MD5
6ed35b9134d9db9b314b9195942f17ca

SHA1
feebc98f489b485284062b4705cd75889b263f37

SHA256
9dc00795a420b62d68ec7e9eb71ccd215044db1b3c366637a1be095d1907543c

SHA512
a8f1404740b706f7dfd97ba00561af9301bbb881988a4607b39434df271e38cf22b89df5c8a0bab4bc5f1edbab52c6acc1dd5e838a96cab89dd81361774e25ca

Download Submit
C:\Program Files (x86)\EaseUS\RecExperts\bin\DataFile.ini

Filesize
466B

MD5
466bb836dcc3568a14a68d8fd1d6e1fd

SHA1
5f97a8e809c903b0c8e133db047ef736eb5aec5b

SHA256
0c8514bf496ad4526102349c266274a77bb25f96c7fe3f6db5c78e26785b0b49

SHA512
9a1e55cacf1248af7067d39b8b6f5d41e2c64ab91f562240d12a4e16c33acebdad0c0e2de33e4694edd40b379bb3f9d8f5274a6e968a0fbb663a47df850b8215

Download Submit
C:\Program Files (x86)\EaseUS\RecExperts\bin\DataFile.ini

Filesize
346B

MD5
1dc05c1716ebcb26d5e420c46eb9c5a5

SHA1
803cf954b76c659abf3027a31bcb7a95f08972a9

SHA256
89058e553ccfc712d4a8940f43ba1edd620a23cebfa047a1f803e9281a450f8e

SHA512
ec61ee0228dbc3fa56d1e80dd346743c2ce4f2a0fbfc9d1e5bd4d5f4394fce5a249010b55683fde67a7ece3f7c2b07462b5087e7832e77518caab3c2d6d8d650

Download Submit
C:\Program Files (x86)\EaseUS\RecExperts\bin\DataFile.ini

Filesize
410B

MD5
b08bfb187cadc252745508c7480d165d

SHA1
c95a6f07a836829027efb65f45fc32aa568b8b13

SHA256
a125a87542d5d1649829bbbefbd9e3e79ee660dca94716c8bbbca845cfd938c1

SHA512
431ab93542a0949b444de6db2f98f254d90d18d05849ac308cccbcaef10126cb142e0bbc21c4e78fc2a0cb1b2eecd4071cefbd5eded77e8fae70c54447292e0e

Download Submit
C:\Program Files (x86)\EaseUS\RecExperts\bin\DataFile.ini

Filesize
340B

MD5
c945167bb75cd49a7d8136cc87c17b50

SHA1
5f75b23e70e78f979359c015949ad40bda7e8f92

SHA256
97753f0cd81c94c28ed4573bc27c52b0194f65f75460a2ea0a9bd6340f6d8286

SHA512
2d2efa7f6710a8d8a8f653bc9df41ae2cd8e71fc7aa369c7f00baeb6bf297ff45ad67de0b20235aff8ae49564ad768cd34847607275092a73d3437cd97c9d556

Download Submit
C:\Program Files (x86)\EaseUS\RecExperts\bin\DataFile.ini

Filesize
338B

MD5
306b8e2e451ceea532dbd867241477c3

SHA1
a1d9fb5fa3acb92ede89cba449059951dbb469bd

SHA256
c7f9907a90879c3efee8f18d8e9db57c4d51f706799b419a90bb536c1fe2cd78

SHA512
01fd7fa5e37478efe1188210fedcfdf8b27510f75695ae5c5fdca763d4c2c771460c88eccad00bda7fef1dde539e37dca3edadfa491a103ae489444cf5ccfe5e

Download Submit
C:\Program Files (x86)\EaseUS\RecExperts\bin\DataFile.ini

Filesize
544B

MD5
8cfb372acb0a0c63034bd94e6d7331d1

SHA1
81731ce6c68a077333f67e593b75724762cea8c6

SHA256
59a8efa24a2b767e6df5aa1b63e31997e11886427ee532f9922e13ce2924890e

SHA512
5345c09f160e19b82f3425ced8e0ecf3f4aaf4d213fd54748559ee8bb0e28e46d72e7cac005b2b3e34b264cd5b83536c46a287558545edad4f39b3a997b33f14

Download Submit
C:\Program Files (x86)\EaseUS\RecExperts\bin\DataFile.ini

Filesize
342B

MD5
00edce3824dcb44e1a5c60193087e5f6

SHA1
b67bf3339cdd59b00540098ae7938df75527b4f3

SHA256
26ac031e1f7cfae48a318f3fe598f2bb694912fef33fb8c57511584655ada576

SHA512
ff798b34f7faf03cef9a705f2cd555088261b22babbbdda4810a03255f6a42caf7a658b1885e5c4f54a383400aabf1f136c1e836b13b82ef9c779a3a821bea58

Download Submit
C:\Program Files (x86)\EaseUS\RecExperts\bin\DataFile.ini

Filesize
340B

MD5
b5ee86491c04f3d8a880f7caf8ff26ee

SHA1
dff6c63f550262b4f7afb93d14ee4d99c12f4935

SHA256
dba770973ded71b1de869c045e33ea3927a5ffd705c18bb2515f3ee50f576581

SHA512
7a46b6089833f63d0cce4b8e501f820205af6de592ef8d3c288c1c15b128afe0ef6d1ca3b6b56e948216f1b4a77c2252bcd46727155ec673d70d78767ac427d4

Download Submit
C:\Program Files (x86)\EaseUS\RecExperts\bin\DataFile.ini

Filesize
456B

MD5
f370f093f23adb91c48b0303193f351b

SHA1
e8b08d6f5108ce898414a897e364d98403998825

SHA256
bc8aba14c5de8a180e09bf19eb6f65b8c67b5a11de25f6220b20e18d1d7a4c5a

SHA512
60b761a1ace56f9bdccf07e8ee719d2837d695dda78f0e27063b9b0d4c6d9e3278dfb5dbafef2b742bcfa78945853d7843673be98c69726393c21eb1b0b9a5f3

Download Submit
C:\Program Files (x86)\EaseUS\RecExperts\bin\DataFile.ini

Filesize
336B

MD5
2dce6929aba2be1a8da3af74f6977e86

SHA1
c04496ecd5a7aaa5ec498d5ef8cb4f9e7fa3accb

SHA256
3c78336aa0b4adf7563d3f9784a075b4672791c47eac67c62bb53fa8b36d7219

SHA512
2076afe88775feec3ce5430e7cdec99ff44901c4df0db56131ed541bb8395f1bd16d03b514aacebbec41c1d698c615e511a334ad4c0317827fd205592b6c53bd

Download Submit
C:\Program Files (x86)\EaseUS\RecExperts\bin\VCRUNTIME140.dll

Filesize
85KB

MD5
cc5902b7b94f0e213e02225238723aed

SHA1
5fff49fc19f8f426ffd360fed3e1a59f0f70feb4

SHA256
dacddfb8c14e2532f6418a3f6460e4206dc578a5338c540e340bc208a4e0685f

SHA512
6f4aa64e3e0db7d9851a9863b578dd1f07d6cb5277f2cac870b402aeeddc7259ee110acc24b465280ccfc006057756a570395cab319844c751d5913ab0d98d1e

Download Submit
C:\Program Files (x86)\EaseUS\RecExperts\bin\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
23KB

MD5
f24259dabe9905bf00eef0374053937b

SHA1
b1949c85cfaeb2b2cdf99b51d3191e4e3bd0dd54

SHA256
f99a3f408880834ce3c762fb434cea98c87bc6df19b63d509d1093f2295bbc8e

SHA512
fc46db162ba62b46106c7b5c942e2ee186b126deebb8f2e48daf9892620d4b4acaa244fb4b65e1e6f02e06072a8b61d95e49e2ecbfa676cedc361735abb34f01

Download Submit
C:\Program Files (x86)\EaseUS\RecExperts\res\multiple\qt\is-V28OT.tmp

Filesize
16B

MD5
bcebcf42735c6849bdecbb77451021dd

SHA1
4884fd9af6890647b7af1aefa57f38cca49ad899

SHA256
9959b510b15d18937848ad13007e30459d2e993c67e564badbfc18f935695c85

SHA512
f951b511ffb1a6b94b1bcae9df26b41b2ff829560583d7c83e70279d1b5304bde299b3679d863cad6bb79d0beda524fc195b7f054ecf11d2090037526b451b78

Download Submit
C:\Program Files (x86)\EaseUS\RecExperts\res\player\is-RFFUD.tmp

Filesize
1KB

MD5
7c231287872d2ab29a58260119a2a36d

SHA1
2a6ed4cfcfc759ce0f964c4682d4a3d48b61c57d

SHA256
29ddf08c080f2b835fc6f76736a64cfc4ad47b0cb29108c07e67607878e947e6

SHA512
538b43adab363f7fd6456e9851eb8f3d9dc49ff4c9e2356b11d7009ca5c3aa9a71687f5264eb6e723a1215c5d5b56f0ad7d0c0d45727cc3e449a0ff423b37762

Download Submit
C:\Program Files (x86)\EaseUS\RecExperts\res\player\is-U9T0C.tmp

Filesize
1KB

MD5
87eaf40b28a2395f2d867318c7cd419e

SHA1
1cdfe0ada6eda864e8917e72ead6d5f5f901b4fa

SHA256
0ff1b597e0c6edb1a9c8f833d69dea12dc2c03d1f35d6dd8f0d2709e808da42d

SHA512
292059352f8fcc6fe5fc5e69cc1577f7276abd7540d58b791f644c03ade6f988ae9f94a14e82b030af42d4826bfcc9d2316543431d2e1499eb6b1248e82e4689

Download Submit
C:\Users\Admin\AppData\Local\EaseUS\EaseUS RecExperts\Operator.ini.lock

Filesize
63B

MD5
7d3f383f79811b71c6bbc2781da026e0

SHA1
f2c1a60ef7c9c5633ee2f62cc544a5f3b71e0587

SHA256
f15b660f03b9c68b1c3422ae41c95628c76abad2f57c9d6ae8681503a89063c5

SHA512
874f4ba25efdad571ae229e9f7a3054760ab5613c1d2c95a60d57350e5fc02cd24ccfbc650371ea29ced15c097a6a9fbc0bac6bfca20dd4e3215785b79696079

Download Submit
C:\Users\Admin\AppData\Local\EaseUS\EaseUS RecExperts\auto_stop

Filesize
120B

MD5
63b497cc091b6d34c01bcff81026deb0

SHA1
c1a2e49a13708b762524a8c0630933dd8febab37

SHA256
10e214eee623cdd207aee4b3b8e3d394d9a5939ddc8b9118385d7d6ebd9406cb

SHA512
11873d280250218534f3676b684e1cd3068bb159d8804f3cbd0ca7198cda2a6515251561bb5df9809d62acb58f92b5225b19de3c97a56e7537279c6ba5e05cdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\RecExperts.log

Filesize
4KB

MD5
09d3bad9ba16238c42c77c7fe03be5dd

SHA1
c0b1fa86bf45a6ca5af03171f47bfbd05c660939

SHA256
4c4d71ce1bdfbbf97899898191b6c135ccc221ab5cecebf88610702a2fa8d3f1

SHA512
d1409b5e13f4fdcdd91241c44730199abf7ae0581cae2c845fbc333aad773878493bd2de1fbf7201839253cf2fb1c244e148d9e80f2caf7aad640b064b1d5772

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\2.0.0\12free\EasyLog.log

Filesize
1KB

MD5
d72664d1a374f47964adb4c5cf62e548

SHA1
8d2a7f33d9f7aaaf1662304a5943305c223d7de1

SHA256
b38288d0ee9ca56bb8add22fde76daddbe60b37abb539fcab88722b61be92113

SHA512
a82e193493306742b000b9466e3c9e2ac27d91327cffffa53b9f148c857b39b45785544df9de4c834a983cf88746919377c376506c835fed61d6d84b55feb066

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\2.0.0\12free\EasyLog.log

Filesize
807B

MD5
19df4f5b598a1ea69374ae090e777ff6

SHA1
c1e0e7d34003accfa9204041f17a9afbe0c96584

SHA256
96435490abfab54758c102264e2711ebf6dfbed58cfcbd342d4ddfef5cb2daf7

SHA512
85a2dcdc28fdd4a8c610196297e68d737ce0105eaa364e52711bc262d66dffea881fb7cefcc74153c1263cda031f022ff31e395c2fed73fca701d0a4bd12ca21

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\2.0.0\12free\English.ini

Filesize
2KB

MD5
a393df1a25c1dbeda0f884c1a593fb29

SHA1
049bb3c63ed94c963a46d4533ae190e49a555cb6

SHA256
51eb72558b002d35cf8039f8c9c2ff843931e52322282000b9430320fb857165

SHA512
eb06935a28ace81a0c5fc314e4faaaafd0b4e9a9a8d2504b9e6653cc4d71d3147606c947ac555356043c49b7659d01b1be6d4620bb4774db5a8f50b41bbbb9f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\2.0.0\12free\InitConfigure.ini

Filesize
3KB

MD5
238b990363ff90929a290b11ef33799c

SHA1
108e52e67d44a03e5097e80307cb6a87f8bf20fd

SHA256
d3b3d86b9a52ff94cba826aa8bc4e4c4c6a04ee05de6248d5e3a972550702d20

SHA512
90fa1a7de81423f47e78953661feb6f7435267635c2daa8f958089e6af4f94e761e088eaad8d54210baeb660e5c2efeefc5bfec4debe024f044b2f45273ff7e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\2.0.0\12free\LanguageTransfor.ini

Filesize
305B

MD5
5b9180ca7b92eaf3fc02c35e78e66cbd

SHA1
14a854b2a08a1a4e0eb1f928f85c2e3fe9d18c05

SHA256
a4433bed3d227249d08d37b84c84a001e443586d5cd2cd63f3fede48d282bae8

SHA512
12dad07a3136f779774ab8ddab08c6dc2d78d184fe282719179a1be5f5c519e32f86065e8d5cca675345f25c121eba333604ea59de6aa60361d68f4a633db1aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\2.0.0\12free\aliyun\AliyunConfig.ini

Filesize
1KB

MD5
4025de521a99a48871f7eb68df8a403f

SHA1
0ae848fcfdbb80def4a00815ff747609b679f2bc

SHA256
6bfe091ec241e49dc83fb9b5b832b62325d8d7f9979a543c8ea380276e263c25

SHA512
32d8c4b9fb7b08deea8390e4a0970069077b0e7b284bab151a2b83546dfb49d3b9f2ac3a43a312ad7f785cc175db64b4ad05787456c337c71878a58bcdc8b293

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\2.0.0\12free\aliyun\AliyunWrap.DLL

Filesize
476KB

MD5
1ff4ff46834cba11482fb5d0f8c533ab

SHA1
6295fbebf55542839454c1a54c3e00355f020043

SHA256
bc2f1685f7157336027d370718dd2428c8a3883450a6191979d22745c3bca7fc

SHA512
659604861088c164d53d87bad6bbd24ef01c539d63322da541de29b9d14398c484396b16f627d2fb32b6d9b934e7a4b4a25bcfecadf9d13a7db4d9e97086c583

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\2.0.0\12free\aliyun\AliyunWrapExe.exe

Filesize
101KB

MD5
1b6da142052f6736f7a657149de75bee

SHA1
1affdaa5faaa6844e6f47e5827ff351975be6cd3

SHA256
015b2652280118c2c5016fec99fc542e32fd39ddfc9df513fe49677fc9bf6d42

SHA512
bf4eeff93839045d71115e7b7b79755b0b871ceca221a3eaedcccb19b9492672f04ee166192809ecdaa1575160bf2516fad5f5062520613dcc1f062577ae3555

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\2.0.0\12free\aliyun\DataFile.ini

Filesize
1KB

MD5
57b866eaf5a12befe6a05e728cbe142f

SHA1
785881052c7544417c7591d5fc0ba363cb30cd90

SHA256
ffeae168f037255d9812a4e0a645318a7b6b0980844f0e01528a75f40f59e202

SHA512
e10729215947a7bfd8742f0ed2906f9909bc51197fae05413a425e5774291d157c4ab1ddf711b38c82bf4fba52503fc7218aef394beddeafc29fa6f390d329f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\2.0.0\12free\aliyun\DataFile.ini

Filesize
848B

MD5
11fbd20722e82a976b9e0994980ee084

SHA1
9e0289c4b7dd9c542d920934962bbb965579002e

SHA256
d4e5670e46d84f97255e484ac14440f105f86f7b324f8ec7db2d3cb65ae7f256

SHA512
a1d28a1eea6c1bc2f8401e5deec908ecd3142affcc4f8626be3999b3556f2241b7599befff3a8acf878d65e152aa1aaf2c1bb331fa875cb20ab00558defde37b

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\2.0.0\12free\aliyun\DataFile.ini

Filesize
746B

MD5
45b7e3a640d76f53a966b48756195212

SHA1
feffbfff281b8d3f2d2798e9ccf8d0faafefeaa9

SHA256
df1658779936732ca2d6155f8caf4cab610cd29a440b13305866d41a5ef16515

SHA512
f97f48acbf3b4c26c6e9bdd5258169042a7939a2745de96e52788bbabce3047d582d0d8defe546c2cf5e5f99ba50e08b2b2396409f58080bcf37b81f19c0a0dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\2.0.0\12free\aliyun\DataFile.ini

Filesize
382B

MD5
5fd1406973123a294712d39beca48ffb

SHA1
2afd7fd108d3c5cae06a7ca0d36ebe5acfc624bc

SHA256
02e5d2041262e80394676dc2fb400c27f1029199fcfc381322f82645942df456

SHA512
1813497d8fa361979f7fea75921ad83ee59f2b39eb4a35aa19e128c4bdded5f056e38cc3c2589494114c238a610bafd6f30320f9fce5794620a1a9984ad660df

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\2.0.0\12free\aliyun\DataFile.ini

Filesize
570B

MD5
e19fdc072f97dba9c7c5f1f6bad2f639

SHA1
cc9e8ceb27f56a19f12899ebcbbb6ade9edfb9c0

SHA256
e296d40b7172320033fe28bba10f3636465bed94093514fffba3618e1e040b61

SHA512
badd20d31fc01b9780993ce8184a8413e0ea4ecfb74f9466caa6af0495fed3f30ffbdb0c22ced321596adcb9415eb1f74959237f66f08ed12d209cdb01ce74f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\2.0.0\12free\aliyun\DataFile.ini

Filesize
940B

MD5
63dbb929daeec44592a726c305ef9f0a

SHA1
b12cf4628880bcba04bf5918ded047c56acf8deb

SHA256
24b5d2e75b79f816c24b20444dd615e0da8d9340de64105ef14af68b2f9c3a71

SHA512
f7ee7d6ec714fae7e5ac6dd100e29df6cc69768ba14d5f806b006f5f495093582eed9c33d22fc7785c0700b09216cd18123c52791bea6fae537e1f9cf4a61432

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\2.0.0\12free\aliyun\DataFile.ini

Filesize
366B

MD5
4ed3d627319070570cf914f8a8e357e1

SHA1
f48560bf7443904ad24831ce37d5a84093d16376

SHA256
dc613d34a39c4112703ef64d504d47cff88b0e08b0d41b582fcf94a0792b6f60

SHA512
e2fe8b4ec8e475cf5f1cb6f41f0e4ff116210fe7e440727831828cfa224a709bbe7a2a8386357e0ab290a0b95f2ee93880e9223f598f64c8e8b4543afde5bad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\2.0.0\12free\aliyun\DataFile.ini

Filesize
88B

MD5
7f411750d07619f38537e7fd612b8b44

SHA1
cda241a1ce5141288582c8f0ac4850992b427bdc

SHA256
ae89726af2bd0c0218fbf63af20d4464f44dced5156364d817b6e73afc8e9f87

SHA512
35dad46325060004a66e01e10af6a3ebfd94b6751347b6ec64840c4ec03d81480fc324494ea39dded03bf2f1a1ce352b15ab518d14214c15567af17fb32f16b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\2.0.0\12free\aliyun\DataFile.ini

Filesize
700B

MD5
f79f6be73877440d1dbe65843bdc3e4e

SHA1
39768610f75b1cc30b2ede04709b687ece111e0e

SHA256
18d47490114c34e7cce7c1c29caf863846db44693ec0469ecee0552dd152b275

SHA512
58c3f552eb7219f83aaf86c6c484d954a2fff84b46dac7d2946c0d1a8fbea44a8cbda5c57991ad205069800e9c65fe660d8c589ba798b15ee91d991615dcc603

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\2.0.0\12free\aliyun\tempInfo.web

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\2.0.0\12free\downloader.ico

Filesize
53KB

MD5
a58460ed7a703471d57297fee1fb81ec

SHA1
c9e0f050dc4b30a832809e357173c0901f05954c

SHA256
6f77ea0cd32fd617bf7788432639fbdb1558a36dcbc944660bbed5e880ac0238

SHA512
96291808f017cfe3c68b0e1958f9898e63293033c828f41a437bc8695acd4b5ac3cd4eaaf4804387e1c15d132fda22d7d4bfa6ae7afc915430c8c768e764000f

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\2.0.0\12free\skin.zip

Filesize
287KB

MD5
2dc2bca2aa7418a83d929530acd475a4

SHA1
d5fc5e57905b96ab4550fbf354c7db450ba7e533

SHA256
8d5c06ac00c6f94120fe35d4117ebf432c7634ef5fde6f69f3d440b93ca43761

SHA512
ae3c7b0fd26835e876e7f1cd4c095db2282f8faa67220efb99a92b01cb493ec3297e7c36a23104b1713573125ba76ae1b57f0527b22c93d43f1fdb7c27664bc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\{6794af91-4025-3a7a-4288-b22886382e18}\VirtualMonitor.cat

Filesize
11KB

MD5
8ec7a6d7a036c9864f38d19dac34a716

SHA1
177340607712cfdaea6cc78910a8f57c102d003a

SHA256
ee8ff553c638b39a7e09894992240bf5c450585558ea3465e14002247a059aa9

SHA512
d6b15e60d2326b3732d6423b32dc965bce8368f522d80b6ccf301bb169c151a4753fe5e9287399b900060e63b3a64aafb4f9b22493205bfb2ff2994b195b0afd

Download Submit
C:\Users\Admin\AppData\Local\Temp\{6794af91-4025-3a7a-4288-b22886382e18}\VirtualMonitor.dll

Filesize
79KB

MD5
9743b14b12a8d2c64ab1e7a793270fac

SHA1
ae27b7e7113b485c5697135001b3bf3acf690ad4

SHA256
c8717114cd633648de7bba384d60bb4b8b3b2b4b54f62468a7ce37b325b1133f

SHA512
5085c5cc894fce7cc12bb0dba408bbfe4d7cb43ea3a14c635faa899fe46220e987397a95116836576aef4d9197da7ec7e6fbfc791f393731481b46315026b474

Download Submit
C:\Users\Admin\AppData\Local\Temp\{6794af91-4025-3a7a-4288-b22886382e18}\virtualmonitor.inf

Filesize
4KB

MD5
c3cb3364b24278ff0388d7448df33b95

SHA1
b2deb7e15123026b2b0a37a27a0ada7904aa5a03

SHA256
ccbeb6073e50eef751e44e9393f8206000b4b749326ab227102e2fe063ebd540

SHA512
df22f13e342d3733b7a47c7bc3b7c620a17319aa38373792b5b111ea5b0e9122ccc0068ac889f0c113185cc1db360d1446d5beb5c47d4d6d4f439a1496aa1cf9

Download Submit
C:\Windows\inf\oem2.PNF

Filesize
8KB

MD5
e62e87ecd9afed96ee48ebd8fdd93f4c

SHA1
bab169537f2aad5ffc90fb7bbf5a30a96223646c

SHA256
62d8f22177f2b45e89e4d537e67830ff79b756dbe0854da7495cef40b5853c6d

SHA512
fd376e00c98dbc1e0f8e20465e8547bafbc23b8f57fb26a4dce68b141400e7758b72470a9eef7cbe590c06d6b13c91a7fa6f012e84d85a0e702b31c38b9268e0

Download Submit
\Program Files (x86)\EaseUS\RecExperts\bin\EUinApp.exe

Filesize
34KB

MD5
e91cfe665eb49da5a9ec991ab2ad145b

SHA1
a9b078f6657d1b3becb9ff67b8b0b2b691bc050b

SHA256
807329f3e29992740d446885184439a04315d82145da50391979b26494d2aef7

SHA512
48d9508a3614539e1a6e33090002ff105c6e8b463f1123a2fae5cb12546f63b6238688785b88cc706bd6fc8f41d2042049918c988762dab4988d332a5724bfab

Download Submit
\Program Files (x86)\EaseUS\RecExperts\bin\RecExperts.exe

Filesize
8.3MB

MD5
5f97fa4cf89002fecf6f40d4851b057f

SHA1
a5c5d75870c94abd59170d252a0d197ad9254ea8

SHA256
ce4d3795fdb17c8f870701954b40067368260bb4cd167740b49a74b4750bb12a

SHA512
229ba642fc31380ae2af82b4cefd396a8758e815bbf630ef928df0462de4b9d1a09c211d5e6cdee2f712fc294b5cf422c3c4db5b6673deeb076fc2bf7cb4e49e

Download Submit
\Program Files (x86)\EaseUS\RecExperts\bin\TaskSchedulerWeb.exe

Filesize
32KB

MD5
a92b376f114ec3478c487fbda1a56879

SHA1
abdc23ab5e8c6e0d7236082b767e9fdf8fad28d6

SHA256
04574dab89f5975a9dc0c07fcc5e589eab57f092a76842ab892584e01bcff5d5

SHA512
4b004025f7a77cd3b82f96f87a6953992a03393bafd20624b6a5747c8208e0d4d69339ea3d94e40669e27523ffc7e3d065e34b26205f8cbc5bcf469e9f7e76f3

Download Submit
\Program Files (x86)\EaseUS\RecExperts\bin\msvcp140.dll

Filesize
446KB

MD5
b33902774ce0eded02b0cf1b54622736

SHA1
05c4ffb6b9b9ba8a56b7a3187b7d100ab20fe8d5

SHA256
8cabbd2ad374da8e58374c6915592d217966e7ea7e0d4038aa21a2d92a5a0612

SHA512
bb7b40d3907ec7d96ed2827067b9b727bf8cc660be21d8aa40267ed25c44bf06b54654af669c5a47dbb321b3d46275780c00fffbc15a7af0c5bee03bdc3d1988

Download Submit
\Users\Admin\AppData\Local\Temp\downloader_easeus\2.0.0\12free\EDownloader.exe

Filesize
1.2MB

MD5
4d915795d41f42e5059ec91ddf20a9de

SHA1
b326fd86cd6a0b6213b9535c79d82489246783c2

SHA256
1222423e82db8893b227833f4d16f1c073057df5b9bacbb3c4174e00a56261e7

SHA512
8e50684c2deac8efd2ec6211028055777317e5ff51f7c9e19d3cd2ad0d359bb2dd4c1163d5b63b2a079b97b2c27d56f9caa89750e8181b6c433fdcf69310025c

Download Submit
\Users\Admin\AppData\Local\Temp\downloader_easeus\2.0.0\12free\aliyun\InfoForSetup.exe

Filesize
60KB

MD5
af8a1f5caf9c8411d3eee07007450910

SHA1
5a3c2bd68f6e180920e94319f305f56defb995e0

SHA256
e23e375713ec4d7372dc3fababfaa612ecced4f207e7bd68ce5571a21499e2bd

SHA512
feddc353f9f8ce519f88fe8618c52b30eb6dd9a21391c295b95196183be010bbc03d3b605df72936804fc724b7075bc52af153c0ae477966bb7aac046a9da55e

Download Submit
\Users\Admin\AppData\Local\Temp\is-2VKIG.tmp\ere_free_easeus.tmp

Filesize
2.9MB

MD5
575ecf66ea071b6300c98117da29cd9c

SHA1
28a2d8717eb01daa5e3836cb6aa870e5da9b2ee5

SHA256
691b983be239a03b731209e70edee28e024e2ff941f9caad0316dd7405a00ac6

SHA512
094ebc8a3b7d91fa819c5223fc61693becb906f1e7b1f589bc90ff7258a1d0e5ecfe8c936ab99780f481d1c9a5ba5070d7dc4beb1d4376a5606e9eca722ad50e

Download Submit
memory/540-5455-0x0000000000400000-0x00000000006FA000-memory.dmp

Filesize
3.0MB

Download
memory/540-5397-0x0000000000400000-0x00000000006FA000-memory.dmp

Filesize
3.0MB

Download
memory/780-5459-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/780-5380-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/780-221-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/1316-6386-0x00000000062D0000-0x00000000062D1000-memory.dmp

Filesize
4KB

Download
memory/1316-6382-0x00000000062C0000-0x00000000062C1000-memory.dmp

Filesize
4KB

Download
memory/1316-9364-0x00000000008D0000-0x00000000008D2000-memory.dmp

Filesize
8KB

Download
memory/1316-8844-0x0000000009120000-0x000000000912A000-memory.dmp

Filesize
40KB

Download
memory/1316-8845-0x0000000009120000-0x000000000912A000-memory.dmp

Filesize
40KB

Download
memory/1316-8842-0x00000000008D0000-0x00000000008DA000-memory.dmp

Filesize
40KB

Download
memory/1316-6222-0x0000000009120000-0x000000000912A000-memory.dmp

Filesize
40KB

Download
memory/1316-6223-0x0000000009120000-0x000000000912A000-memory.dmp

Filesize
40KB

Download
memory/1316-6407-0x00000000062E0000-0x00000000062E1000-memory.dmp

Filesize
4KB

Download
memory/1316-6406-0x00000000062E0000-0x00000000062E1000-memory.dmp

Filesize
4KB

Download
memory/1316-6405-0x00000000062E0000-0x00000000062E1000-memory.dmp

Filesize
4KB

Download
memory/1316-6404-0x00000000062C0000-0x00000000062C1000-memory.dmp

Filesize
4KB

Download
memory/1316-6403-0x00000000062E0000-0x00000000062E1000-memory.dmp

Filesize
4KB

Download
memory/1316-6402-0x00000000062C0000-0x00000000062C1000-memory.dmp

Filesize
4KB

Download
memory/1316-6401-0x00000000062C0000-0x00000000062C1000-memory.dmp

Filesize
4KB

Download
memory/1316-6400-0x00000000062C0000-0x00000000062C1000-memory.dmp

Filesize
4KB

Download
memory/1316-6399-0x00000000062E0000-0x00000000062E1000-memory.dmp

Filesize
4KB

Download
memory/1316-6397-0x00000000062C0000-0x00000000062C1000-memory.dmp

Filesize
4KB

Download
memory/1316-6396-0x00000000062C0000-0x00000000062C1000-memory.dmp

Filesize
4KB

Download
memory/1316-6395-0x00000000062C0000-0x00000000062C1000-memory.dmp

Filesize
4KB

Download
memory/1316-6394-0x00000000062C0000-0x00000000062C1000-memory.dmp

Filesize
4KB

Download
memory/1316-6393-0x00000000062C0000-0x00000000062C1000-memory.dmp

Filesize
4KB

Download
memory/1316-6392-0x00000000062C0000-0x00000000062C1000-memory.dmp

Filesize
4KB

Download
memory/1316-6391-0x00000000062C0000-0x00000000062C1000-memory.dmp

Filesize
4KB

Download
memory/1316-6390-0x00000000062C0000-0x00000000062C1000-memory.dmp

Filesize
4KB

Download
memory/1316-6389-0x00000000062C0000-0x00000000062C1000-memory.dmp

Filesize
4KB

Download
memory/1316-6388-0x00000000062D0000-0x00000000062D1000-memory.dmp

Filesize
4KB

Download
memory/1316-6387-0x00000000062D0000-0x00000000062D1000-memory.dmp

Filesize
4KB

Download
memory/1316-8841-0x00000000008D0000-0x00000000008DA000-memory.dmp

Filesize
40KB

Download
memory/1316-6384-0x00000000062C0000-0x00000000062C1000-memory.dmp

Filesize
4KB

Download
memory/1316-6383-0x00000000062C0000-0x00000000062C1000-memory.dmp

Filesize
4KB

Download
memory/1316-5487-0x00000000008D0000-0x00000000008DA000-memory.dmp

Filesize
40KB

Download
memory/1316-6381-0x00000000062C0000-0x00000000062C1000-memory.dmp

Filesize
4KB

Download
memory/1316-6380-0x00000000062C0000-0x00000000062C1000-memory.dmp

Filesize
4KB

Download
memory/1316-6379-0x00000000062C0000-0x00000000062C1000-memory.dmp

Filesize
4KB

Download
memory/1316-6378-0x00000000062C0000-0x00000000062C1000-memory.dmp

Filesize
4KB

Download
memory/1316-6377-0x00000000062C0000-0x00000000062C1000-memory.dmp

Filesize
4KB

Download
memory/1316-5486-0x00000000008D0000-0x00000000008DA000-memory.dmp

Filesize
40KB

Download
memory/1316-5522-0x00000000042F0000-0x0000000004730000-memory.dmp

Filesize
4.2MB

Download
memory/1316-5524-0x0000000004730000-0x0000000004930000-memory.dmp

Filesize
2.0MB

Download
memory/1640-6231-0x0000000000130000-0x000000000013A000-memory.dmp

Filesize
40KB

Download
memory/1640-6224-0x0000000000130000-0x000000000013A000-memory.dmp

Filesize
40KB

Download
memory/1640-6230-0x0000000000130000-0x000000000013A000-memory.dmp

Filesize
40KB

Download
memory/1640-6296-0x00000000741E0000-0x000000007426F000-memory.dmp

Filesize
572KB

Download
memory/1640-6225-0x0000000000130000-0x000000000013A000-memory.dmp

Filesize
40KB

Download
memory/1640-6295-0x0000000074290000-0x0000000074584000-memory.dmp

Filesize
3.0MB

Download
memory/1640-6229-0x0000000000130000-0x000000000013A000-memory.dmp

Filesize
40KB

Download
memory/1640-6294-0x000000006D2D0000-0x0000000070518000-memory.dmp

Filesize
50.3MB

Download
memory/2504-5446-0x000000006B880000-0x000000006D31E000-memory.dmp

Filesize
26.6MB

Download
memory/2504-5405-0x000000006B850000-0x000000006B875000-memory.dmp

Filesize
148KB

Download
memory/2504-5448-0x000000006B6D0000-0x000000006B844000-memory.dmp

Filesize
1.5MB

Download
memory/2504-5443-0x000000006DFA0000-0x000000006E294000-memory.dmp

Filesize
3.0MB

Download
memory/2504-5445-0x000000006D330000-0x000000006DF06000-memory.dmp

Filesize
11.8MB

Download
memory/2504-5444-0x000000006DF10000-0x000000006DF9F000-memory.dmp

Filesize
572KB

Download
memory/2504-5400-0x000000006E3C0000-0x0000000071608000-memory.dmp

Filesize
50.3MB

Download
memory/2504-5442-0x000000006E3C0000-0x0000000071608000-memory.dmp

Filesize
50.3MB

Download
memory/2504-5406-0x000000006B6D0000-0x000000006B844000-memory.dmp

Filesize
1.5MB

Download
memory/2504-5401-0x000000006DFA0000-0x000000006E294000-memory.dmp

Filesize
3.0MB

Download
memory/2504-5402-0x000000006DF10000-0x000000006DF9F000-memory.dmp

Filesize
572KB

Download
memory/2504-5404-0x000000006B880000-0x000000006D31E000-memory.dmp

Filesize
26.6MB

Download
memory/2504-5403-0x000000006D330000-0x000000006DF06000-memory.dmp

Filesize
11.8MB

Download
memory/2504-5447-0x000000006B850000-0x000000006B875000-memory.dmp

Filesize
148KB

Download