skuld | 2abb6eefa29e46e8580cfb9f4eff67913423197ed103b694e4158e0e6ed2ba79

Analysis

max time kernel
142s
max time network
144s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28-11-2024 02:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

EzFN-Manager.exe
Size

11.3MB
MD5

4d909890fee721be5605f2b64bdf72fb
SHA1

82fb1d4769025e27cda5e399ddbfb57b21e7b559
SHA256

2abb6eefa29e46e8580cfb9f4eff67913423197ed103b694e4158e0e6ed2ba79
SHA512

43aa1089f736c181d330e2adb1d6622d4f60ca6aac36206bc79e34e1330c945c64d139e9a59600cd17571d595cd1ed4a3f88e05b55f7abd6784f0c4eb22fc5de
SSDEEP

196608:Sa1bPAaYyCtOPI1GIPxSYWnuOKVKxP19TjGe2g/CZqMlEkUb1zBzs:SnMPJIZSY2TKV29vGeTKZqMlEkUxzB

Score

10^/10

skuld xworm discovery execution persistence rat stealer trojan upx

Malware Config

Extracted

Family

skuld

https://discord.com/api/webhooks/1309150098055495793/k9e9xgOw-6_C2plzzrJuXKnk0n6rjOfFwyNN15kYdvJC528Av5hMa6QHDC_kqeEBzjsS

Extracted

Family

xworm

Version

5.0

ezfn57.serveo.net:4782

Mutex

UoXEvvukylvflHuQ

Attributes

Install_directory
%ProgramData%
install_file
WinRar.exe

aes.plain

Signatures

Detect Xworm Payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2884-33-0x0000000000400000-0x0000000000438000-memory.dmp	family_xworm
behavioral1/memory/2884-39-0x0000000000400000-0x0000000000438000-memory.dmp	family_xworm
behavioral1/memory/2884-38-0x0000000000400000-0x0000000000438000-memory.dmp	family_xworm
behavioral1/memory/2884-36-0x0000000000400000-0x0000000000438000-memory.dmp	family_xworm
behavioral1/memory/2884-31-0x0000000000400000-0x0000000000438000-memory.dmp	family_xworm

Skuld family
skuld
Skuld stealer
An info stealer written in Go lang.
stealer skuld
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
2280	powershell.exe
1616	powershell.exe
1460	powershell.exe
2028	powershell.exe
2820	powershell.exe
2820	powershell.exe

Drops startup file 2 IoCs

Processes:

WinRAR.exe

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinRar.lnk	WinRAR.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinRar.lnk	WinRAR.exe

Executes dropped EXE 7 IoCs

Processes:

WinRAR.exeMicrosoft Teams.exeWinRAR.exeWinRar.exeWinRar.exeWinRar.exeWinRar.exe

pid	Process
2060	WinRAR.exe
1248	Microsoft Teams.exe
2884	WinRAR.exe
2404	WinRar.exe
2736	WinRar.exe
2220	WinRar.exe
2068	WinRar.exe

Loads dropped DLL 10 IoCs

Processes:

EzFN-Manager.exeMsiExec.exeWinRAR.exemsiexec.exe

pid	Process
540	EzFN-Manager.exe
540	EzFN-Manager.exe
484	MsiExec.exe
2884	WinRAR.exe
2784	msiexec.exe
2784	msiexec.exe
1220
1220
1220
1220

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

WinRAR.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinRar = "C:\\ProgramData\\WinRar.exe"	WinRAR.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	Process
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
4	ip-api.com

Suspicious use of SetThreadContext 3 IoCs

Processes:

WinRAR.exeWinRar.exeWinRar.exe

description	pid	Process	procid_target
PID 2060 set thread context of 2884	2060	WinRAR.exe	36
PID 2404 set thread context of 2736	2404	WinRar.exe	57
PID 2220 set thread context of 2068	2220	WinRar.exe	60

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/files/0x0008000000016dd0-13.dat	upx
behavioral1/memory/540-18-0x000000001C3A0000-0x000000001CE05000-memory.dmp	upx
behavioral1/memory/1248-19-0x0000000000C40000-0x00000000016A5000-memory.dmp	upx
behavioral1/memory/1248-25-0x0000000000C40000-0x00000000016A5000-memory.dmp	upx

Drops file in Program Files directory 17 IoCs

Processes:

msiexec.exepowershell.exe

description	ioc	Process
File created	C:\Program Files\EZFN Launcher\_up_\public\season_images\Season7.webp	msiexec.exe
File created	C:\Program Files\EZFN Launcher\_up_\public\season_images\Season11.webp	msiexec.exe
File created	C:\Program Files\EZFN Launcher\_up_\public\season_images\Season5.webp	msiexec.exe
File created	C:\Program Files\EZFN Launcher\_up_\public\season_images\Season10.webp	msiexec.exe
File created	C:\Program Files\EZFN Launcher\Uninstall EZFN Launcher.lnk	msiexec.exe
File opened for modification	C:\Program Files\EZFN Launcher\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Program Files\EZFN Launcher\EZFN Launcher.exe	msiexec.exe
File created	C:\Program Files\EZFN Launcher\_up_\public\season_images\Season9.webp	msiexec.exe
File created	C:\Program Files\EZFN Launcher\_up_\public\season_images\Season8.webp	msiexec.exe
File created	C:\Program Files\EZFN Launcher\_up_\public\season_images\Season6.webp	msiexec.exe
File created	C:\Program Files\EZFN Launcher\_up_\public\season_images\Season3.webp	msiexec.exe
File created	C:\Program Files\EZFN Launcher\_up_\public\season_images\Season15.webp	msiexec.exe
File created	C:\Program Files\EZFN Launcher\_up_\public\default_skin.png	msiexec.exe
File created	C:\Program Files\EZFN Launcher\_up_\public\season_images\Season1.webp	msiexec.exe
File created	C:\Program Files\EZFN Launcher\_up_\public\certs\placeholder.txt	msiexec.exe
File created	C:\Program Files\EZFN Launcher\_up_\public\season_images\Season4.webp	msiexec.exe
File created	C:\Program Files\EZFN Launcher\_up_\public\season_images\Season2.webp	msiexec.exe

Drops file in Windows directory 12 IoCs

Processes:

msiexec.exeDrvInst.exe

description	ioc	Process
File created	C:\Windows\Installer\f7741a3.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\f7741a5.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f7741a3.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File created	C:\Windows\Installer\f7741a2.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f7741a2.msi	msiexec.exe
File created	C:\Windows\Installer\{0C27167A-56ED-4093-AFA9-38C1037E1ED3}\ProductIcon	msiexec.exe
File opened for modification	C:\Windows\Installer\{0C27167A-56ED-4093-AFA9-38C1037E1ED3}\ProductIcon	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSI429C.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

MsiExec.exepowershell.exepowershell.exeWinRar.exeWinRar.exeWinRAR.exeWinRAR.exepowershell.exepowershell.exeschtasks.exeWinRar.exeWinRar.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinRar.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinRar.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinRAR.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinRAR.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinRar.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinRar.exe

Modifies data under HKEY_USERS 46 IoCs

Processes:

DrvInst.exemsiexec.exe

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe

Modifies registry class 35 IoCs

Processes:

msiexec.exe

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\A76172C0DE653904FA9A831C30E7E13D	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\A76172C0DE653904FA9A831C30E7E13D\External	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A76172C0DE653904FA9A831C30E7E13D\PackageCode = "76FDA8E8A116A814189D1AA5C72D5D7D"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A76172C0DE653904FA9A831C30E7E13D\Language = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A76172C0DE653904FA9A831C30E7E13D\ProductIcon = "C:\\Windows\\Installer\\{0C27167A-56ED-4093-AFA9-38C1037E1ED3}\\ProductIcon"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A76172C0DE653904FA9A831C30E7E13D\SourceList\PackageName = "EZFN Launcher_1.2.7_x64_en-US (1).msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Features\A76172C0DE653904FA9A831C30E7E13D	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\A76172C0DE653904FA9A831C30E7E13D	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A76172C0DE653904FA9A831C30E7E13D\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A76172C0DE653904FA9A831C30E7E13D\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Roaming\\"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A76172C0DE653904FA9A831C30E7E13D\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\A76172C0DE653904FA9A831C30E7E13D\MainProgram	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A76172C0DE653904FA9A831C30E7E13D	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A76172C0DE653904FA9A831C30E7E13D\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A76172C0DE653904FA9A831C30E7E13D\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\148EDAE345EAC3E54B1170CBD502D298	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A76172C0DE653904FA9A831C30E7E13D\SourceList	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A76172C0DE653904FA9A831C30E7E13D	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A76172C0DE653904FA9A831C30E7E13D\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Roaming\\"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\148EDAE345EAC3E54B1170CBD502D298	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\A76172C0DE653904FA9A831C30E7E13D\Environment = "MainProgram"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A76172C0DE653904FA9A831C30E7E13D\ProductName = "EZFN Launcher"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A76172C0DE653904FA9A831C30E7E13D\AuthorizedLUAApp = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A76172C0DE653904FA9A831C30E7E13D\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A76172C0DE653904FA9A831C30E7E13D\SourceList\Media	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A76172C0DE653904FA9A831C30E7E13D\Version = "16908295"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A76172C0DE653904FA9A831C30E7E13D\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\A76172C0DE653904FA9A831C30E7E13D\ShortcutsFeature = "MainProgram"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A76172C0DE653904FA9A831C30E7E13D\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\148EDAE345EAC3E54B1170CBD502D298\A76172C0DE653904FA9A831C30E7E13D	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A76172C0DE653904FA9A831C30E7E13D\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Products\A76172C0DE653904FA9A831C30E7E13D\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Products\A76172C0DE653904FA9A831C30E7E13D	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A76172C0DE653904FA9A831C30E7E13D\SourceList\Media\1 = ";"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A76172C0DE653904FA9A831C30E7E13D\SourceList\Media	msiexec.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exe

pid	Process
1620	schtasks.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exemsiexec.exepowershell.exe

pid	Process
2028	powershell.exe
2280	powershell.exe
1616	powershell.exe
1460	powershell.exe
2784	msiexec.exe
2784	msiexec.exe
2820	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WinRAR.exemsiexec.exemsiexec.exeWinRAR.exe

description	pid	Process
Token: SeDebugPrivilege	2060	WinRAR.exe
Token: SeShutdownPrivilege	2756	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2756	msiexec.exe
Token: SeRestorePrivilege	2784	msiexec.exe
Token: SeTakeOwnershipPrivilege	2784	msiexec.exe
Token: SeSecurityPrivilege	2784	msiexec.exe
Token: SeCreateTokenPrivilege	2756	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2756	msiexec.exe
Token: SeLockMemoryPrivilege	2756	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2756	msiexec.exe
Token: SeMachineAccountPrivilege	2756	msiexec.exe
Token: SeTcbPrivilege	2756	msiexec.exe
Token: SeSecurityPrivilege	2756	msiexec.exe
Token: SeTakeOwnershipPrivilege	2756	msiexec.exe
Token: SeLoadDriverPrivilege	2756	msiexec.exe
Token: SeSystemProfilePrivilege	2756	msiexec.exe
Token: SeSystemtimePrivilege	2756	msiexec.exe
Token: SeProfSingleProcessPrivilege	2756	msiexec.exe
Token: SeIncBasePriorityPrivilege	2756	msiexec.exe
Token: SeCreatePagefilePrivilege	2756	msiexec.exe
Token: SeCreatePermanentPrivilege	2756	msiexec.exe
Token: SeBackupPrivilege	2756	msiexec.exe
Token: SeRestorePrivilege	2756	msiexec.exe
Token: SeShutdownPrivilege	2756	msiexec.exe
Token: SeDebugPrivilege	2756	msiexec.exe
Token: SeAuditPrivilege	2756	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2756	msiexec.exe
Token: SeChangeNotifyPrivilege	2756	msiexec.exe
Token: SeRemoteShutdownPrivilege	2756	msiexec.exe
Token: SeUndockPrivilege	2756	msiexec.exe
Token: SeSyncAgentPrivilege	2756	msiexec.exe
Token: SeEnableDelegationPrivilege	2756	msiexec.exe
Token: SeManageVolumePrivilege	2756	msiexec.exe
Token: SeImpersonatePrivilege	2756	msiexec.exe
Token: SeCreateGlobalPrivilege	2756	msiexec.exe
Token: SeDebugPrivilege	2884	WinRAR.exe
Token: SeCreateTokenPrivilege	2756	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2756	msiexec.exe
Token: SeLockMemoryPrivilege	2756	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2756	msiexec.exe
Token: SeMachineAccountPrivilege	2756	msiexec.exe
Token: SeTcbPrivilege	2756	msiexec.exe
Token: SeSecurityPrivilege	2756	msiexec.exe
Token: SeTakeOwnershipPrivilege	2756	msiexec.exe
Token: SeLoadDriverPrivilege	2756	msiexec.exe
Token: SeSystemProfilePrivilege	2756	msiexec.exe
Token: SeSystemtimePrivilege	2756	msiexec.exe
Token: SeProfSingleProcessPrivilege	2756	msiexec.exe
Token: SeIncBasePriorityPrivilege	2756	msiexec.exe
Token: SeCreatePagefilePrivilege	2756	msiexec.exe
Token: SeCreatePermanentPrivilege	2756	msiexec.exe
Token: SeBackupPrivilege	2756	msiexec.exe
Token: SeRestorePrivilege	2756	msiexec.exe
Token: SeShutdownPrivilege	2756	msiexec.exe
Token: SeDebugPrivilege	2756	msiexec.exe
Token: SeAuditPrivilege	2756	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2756	msiexec.exe
Token: SeChangeNotifyPrivilege	2756	msiexec.exe
Token: SeRemoteShutdownPrivilege	2756	msiexec.exe
Token: SeUndockPrivilege	2756	msiexec.exe
Token: SeSyncAgentPrivilege	2756	msiexec.exe
Token: SeEnableDelegationPrivilege	2756	msiexec.exe
Token: SeManageVolumePrivilege	2756	msiexec.exe
Token: SeImpersonatePrivilege	2756	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid	Process
2756	msiexec.exe
2756	msiexec.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

EzFN-Manager.exeWinRAR.exemsiexec.exeWinRAR.exetaskeng.exeWinRar.exe

description	pid	Process	procid_target
PID 540 wrote to memory of 2060	540	EzFN-Manager.exe	31
PID 540 wrote to memory of 2060	540	EzFN-Manager.exe	31
PID 540 wrote to memory of 2060	540	EzFN-Manager.exe	31
PID 540 wrote to memory of 2060	540	EzFN-Manager.exe	31
PID 540 wrote to memory of 1248	540	EzFN-Manager.exe	32
PID 540 wrote to memory of 1248	540	EzFN-Manager.exe	32
PID 540 wrote to memory of 1248	540	EzFN-Manager.exe	32
PID 540 wrote to memory of 2756	540	EzFN-Manager.exe	34
PID 540 wrote to memory of 2756	540	EzFN-Manager.exe	34
PID 540 wrote to memory of 2756	540	EzFN-Manager.exe	34
PID 540 wrote to memory of 2756	540	EzFN-Manager.exe	34
PID 540 wrote to memory of 2756	540	EzFN-Manager.exe	34
PID 2060 wrote to memory of 2884	2060	WinRAR.exe	36
PID 2060 wrote to memory of 2884	2060	WinRAR.exe	36
PID 2060 wrote to memory of 2884	2060	WinRAR.exe	36
PID 2060 wrote to memory of 2884	2060	WinRAR.exe	36
PID 2060 wrote to memory of 2884	2060	WinRAR.exe	36
PID 2060 wrote to memory of 2884	2060	WinRAR.exe	36
PID 2060 wrote to memory of 2884	2060	WinRAR.exe	36
PID 2060 wrote to memory of 2884	2060	WinRAR.exe	36
PID 2060 wrote to memory of 2884	2060	WinRAR.exe	36
PID 2784 wrote to memory of 484	2784	msiexec.exe	37
PID 2784 wrote to memory of 484	2784	msiexec.exe	37
PID 2784 wrote to memory of 484	2784	msiexec.exe	37
PID 2784 wrote to memory of 484	2784	msiexec.exe	37
PID 2784 wrote to memory of 484	2784	msiexec.exe	37
PID 2784 wrote to memory of 484	2784	msiexec.exe	37
PID 2784 wrote to memory of 484	2784	msiexec.exe	37
PID 2884 wrote to memory of 2028	2884	WinRAR.exe	39
PID 2884 wrote to memory of 2028	2884	WinRAR.exe	39
PID 2884 wrote to memory of 2028	2884	WinRAR.exe	39
PID 2884 wrote to memory of 2028	2884	WinRAR.exe	39
PID 2884 wrote to memory of 2280	2884	WinRAR.exe	41
PID 2884 wrote to memory of 2280	2884	WinRAR.exe	41
PID 2884 wrote to memory of 2280	2884	WinRAR.exe	41
PID 2884 wrote to memory of 2280	2884	WinRAR.exe	41
PID 2884 wrote to memory of 1616	2884	WinRAR.exe	43
PID 2884 wrote to memory of 1616	2884	WinRAR.exe	43
PID 2884 wrote to memory of 1616	2884	WinRAR.exe	43
PID 2884 wrote to memory of 1616	2884	WinRAR.exe	43
PID 2884 wrote to memory of 1460	2884	WinRAR.exe	45
PID 2884 wrote to memory of 1460	2884	WinRAR.exe	45
PID 2884 wrote to memory of 1460	2884	WinRAR.exe	45
PID 2884 wrote to memory of 1460	2884	WinRAR.exe	45
PID 2884 wrote to memory of 1620	2884	WinRAR.exe	49
PID 2884 wrote to memory of 1620	2884	WinRAR.exe	49
PID 2884 wrote to memory of 1620	2884	WinRAR.exe	49
PID 2884 wrote to memory of 1620	2884	WinRAR.exe	49
PID 2784 wrote to memory of 2820	2784	msiexec.exe	52
PID 2784 wrote to memory of 2820	2784	msiexec.exe	52
PID 2784 wrote to memory of 2820	2784	msiexec.exe	52
PID 1776 wrote to memory of 2404	1776	taskeng.exe	56
PID 1776 wrote to memory of 2404	1776	taskeng.exe	56
PID 1776 wrote to memory of 2404	1776	taskeng.exe	56
PID 1776 wrote to memory of 2404	1776	taskeng.exe	56
PID 2404 wrote to memory of 2736	2404	WinRar.exe	57
PID 2404 wrote to memory of 2736	2404	WinRar.exe	57
PID 2404 wrote to memory of 2736	2404	WinRar.exe	57
PID 2404 wrote to memory of 2736	2404	WinRar.exe	57
PID 2404 wrote to memory of 2736	2404	WinRar.exe	57
PID 2404 wrote to memory of 2736	2404	WinRar.exe	57
PID 2404 wrote to memory of 2736	2404	WinRar.exe	57
PID 2404 wrote to memory of 2736	2404	WinRar.exe	57
PID 2404 wrote to memory of 2736	2404	WinRar.exe	57

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\EzFN-Manager.exe
"C:\Users\Admin\AppData\Local\Temp\EzFN-Manager.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:540
- C:\Users\Admin\AppData\Roaming\WinRAR.exe
  "C:\Users\Admin\AppData\Roaming\WinRAR.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2060
- - C:\Users\Admin\AppData\Roaming\WinRAR.exe
    "C:\Users\Admin\AppData\Roaming\WinRAR.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2884
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\WinRAR.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2028
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WinRAR.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2280
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\WinRar.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1616
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WinRar.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1460
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WinRar" /tr "C:\ProgramData\WinRar.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:1620
- C:\Users\Admin\AppData\Roaming\Microsoft Teams.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft Teams.exe"
  2⤵
  - Executes dropped EXE
  PID:1248
- C:\Windows\System32\msiexec.exe
  "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\EZFN Launcher_1.2.7_x64_en-US (1).msi"
  2⤵
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2756

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2784
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 57B6AA9FFC5FB22927302712E9515620 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:484
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -windowstyle hidden try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 } catch {}; Invoke-WebRequest -Uri "https://go.microsoft.com/fwlink/p/?LinkId=2124703" -OutFile "$env:TEMP\MicrosoftEdgeWebview2Setup.exe" ; Start-Process -FilePath "$env:TEMP\MicrosoftEdgeWebview2Setup.exe" -ArgumentList ( '/install') -Wait
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  PID:2820

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2140

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005D0" "0000000000000510"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:1376

C:\Windows\system32\taskeng.exe
taskeng.exe {18D7F23E-AF95-4213-ADA4-C04F0C7FCC8C} S-1-5-21-1488793075-819845221-1497111674-1000:UPNECVIU\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1776
- C:\ProgramData\WinRar.exe
  C:\ProgramData\WinRar.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2404
- - C:\ProgramData\WinRar.exe
    "C:\ProgramData\WinRar.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2736
- C:\ProgramData\WinRar.exe
  C:\ProgramData\WinRar.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:2220
- - C:\ProgramData\WinRar.exe
    "C:\ProgramData\WinRar.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EZFN Launcher\EZFN Launcher.lnk

Filesize
2KB

MD5
f7bf25b6a66234643e5bb0ca966eee3b

SHA1
a86362e4b252c78a411a23313917fe1f2867dd1b

SHA256
d405c645ec1677a65243a9be98499711c6883c21be2b1f6a4204a5b4abb1a2f6

SHA512
270630ddecb9f32bf35b4be0184770306ba72e8ec2377362168d3eca93c09314f6201636784f547c628688e2d9024c1ec18022f9a946c69cde7960ea5656f113

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIA6C.tmp

Filesize
113KB

MD5
4fdd16752561cf585fed1506914d73e0

SHA1
f00023b9ae3c8ce5b7bb92f25011eaebe6f9d424

SHA256
aecd2d2fe766f6d439acc2bbf1346930ecc535012cf5ad7b3273d2875237b7e7

SHA512
3695e7eb1e35ec959243a91ab5b4454eb59aeef0f2699aa5de8e03de8fbb89f756a89130526da5c08815408cb700284a17936522ad2cad594c3e6e9d18a3f600

Download Submit
C:\Users\Admin\AppData\Roaming\EZFN Launcher_1.2.7_x64_en-US (1).msi

Filesize
7.5MB

MD5
1425a73d9d6db003b57bfc2134ea9d70

SHA1
d31866a0ccc44f2db6a17402f1219bf75e03b8e4

SHA256
b244361e1dac8d917be21d8e8453112c461f69ff3ec00e1844f6536379b8cd7f

SHA512
8c32528bf68329c497dfe4266355315e2a8f87a3a75b052738f04d7c1212a59374cdfdf6e63467bc80a9fb4f36f2134e738b5fe5aa738de1c9e736bd6bd18b6d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
83be3e1b79ad8f378b5b2fccee1fccf4

SHA1
06d8abccb3e0276592a07899690069d14c9f9199

SHA256
f28907f08544566b40da7a8596c5c9684bb7048d55ee78182dae64e12696663f

SHA512
84d4592a2f1a83be42bfc5e99c5c25f0c8bbcd1b676092e1119456117934348a9bae986e0b54136a8fbe49e79b3c0b6f6227394eae1bb8e71f0362cc9ddc611d

Download Submit
C:\Users\Admin\AppData\Roaming\WinRAR.exe

Filesize
379KB

MD5
a3c02411444ff8af6ed5d52ff10d21a6

SHA1
77d7160ebe781fae067b1dceae65912f501e213c

SHA256
4963d8ea74645cc1931e28c1e6a378bce443d0e719d54ba61a1e100a93cdba4f

SHA512
62b990f7f7efea5a63bdbddc59f916f63a7942fdc2d14c3321143f7a00bce56d7b67e1374a4403175f8cf7efa7d4cc59cf1b23982f3ac5bccb4726f04e3d1d8d

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Program Files\EZFN Launcher\EZFN Launcher.exe

Filesize
9.3MB

MD5
31e71c821bd9ee93c135711542481840

SHA1
4d937379cd0ef71657a125a8b1baea5bdf5b37bd

SHA256
49bf997c7c1b051828ac8f30467eb0e5e12fee50cebe34c9b2f8c938a2a6481d

SHA512
f591fe6c1bfeb1d24a86be87d45c926b0aad1b723a767186fd2ddff45b0af21075133a43e06e027340732bdc05220e3706e5610a8fc04be3d63d4696010a9883

Download Submit
\Users\Admin\AppData\Roaming\Microsoft Teams.exe

Filesize
3.3MB

MD5
ffa33049612a638a2f40c2a89722a6f4

SHA1
a453ea7f4c26dbe56d547988d8afe5fbf642e7df

SHA256
589e6cc7481b257d46466116096f4df95a41daaca908a661a528dd3b658e4ea2

SHA512
e7f05a846dd9cdf20f1330569974b4b2f677f34e74b32964836c6c38b6902c25109dea3259b64543a525a4af49bfb9011ad58365d6c597bc78f99f84aa79c927

Download Submit
memory/540-1-0x00000000010C0000-0x0000000001C0C000-memory.dmp

Filesize
11.3MB

Download
memory/540-18-0x000000001C3A0000-0x000000001CE05000-memory.dmp

Filesize
10.4MB

Download
memory/540-0-0x000007FEF5623000-0x000007FEF5624000-memory.dmp

Filesize
4KB

Download
memory/540-20-0x000000001C3A0000-0x000000001CE05000-memory.dmp

Filesize
10.4MB

Download
memory/1248-19-0x0000000000C40000-0x00000000016A5000-memory.dmp

Filesize
10.4MB

Download
memory/1248-25-0x0000000000C40000-0x00000000016A5000-memory.dmp

Filesize
10.4MB

Download
memory/2060-26-0x000000007412E000-0x000000007412F000-memory.dmp

Filesize
4KB

Download
memory/2060-8-0x000000007412E000-0x000000007412F000-memory.dmp

Filesize
4KB

Download
memory/2060-9-0x0000000001360000-0x00000000013C4000-memory.dmp

Filesize
400KB

Download
memory/2404-157-0x00000000013D0000-0x0000000001434000-memory.dmp

Filesize
400KB

Download
memory/2736-166-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2820-121-0x000000001B610000-0x000000001B8F2000-memory.dmp

Filesize
2.9MB

Download
memory/2820-122-0x0000000002790000-0x0000000002798000-memory.dmp

Filesize
32KB

Download
memory/2884-33-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2884-27-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2884-29-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2884-31-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2884-35-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2884-39-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2884-36-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2884-38-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download