Analysis
- max time kernel: 147s
- max time network: 149s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 28-11-2024 02:43

Static task: static1
Behavioral task: behavioral1
Sample: EzFN-Manager.exe
Resource: win7-20240903-en

General
- Target: EzFN-Manager.exe
- Size: 11.3MB
- MD5: 4d909890fee721be5605f2b64bdf72fb
- SHA1: 82fb1d4769025e27cda5e399ddbfb57b21e7b559
- SHA256: 2abb6eefa29e46e8580cfb9f4eff67913423197ed103b694e4158e0e6ed2ba79
- SHA512: 43aa1089f736c181d330e2adb1d6622d4f60ca6aac36206bc79e34e1330c945c64d139e9a59600cd17571d595cd1ed4a3f88e05b55f7abd6784f0c4eb22fc5de
- SSDEEP: 196608:Sa1bPAaYyCtOPI1GIPxSYWnuOKVKxP19TjGe2g/CZqMlEkUb1zBzs:SnMPJIZSY2TKV29vGeTKZqMlEkUxzB

Malware Config

Extracted: skuld
- Discord webhook URL: https://discord.com/api/webhooks/1309150098055495793/k9e9xgOw-6_C2plzzrJuXKnk0n6rjOfFwyNN15kYdvJC528Av5hMa6QHDC_kqeEBzjsS

Extracted: xworm
- version: 5.0
- C2: ezfn57.serveo.net:4782
- UoXEvvukylvflHuQ
- Install_directory: %ProgramData%
- install_file: WinRar.exe
Signatures

Detect Xworm Payload (8 IoCs)
Processes (resource, yara_rule):
- behavioral1/memory/2564-32-0x0000000000400000-0x0000000000438000-memory.dmp: family_xworm
- behavioral1/memory/2564-37-0x0000000000400000-0x0000000000438000-memory.dmp: family_xworm
- behavioral1/memory/2564-38-0x0000000000400000-0x0000000000438000-memory.dmp: family_xworm
- behavioral1/memory/2564-35-0x0000000000400000-0x0000000000438000-memory.dmp: family_xworm
- behavioral1/memory/2564-30-0x0000000000400000-0x0000000000438000-memory.dmp: family_xworm
- behavioral1/memory/1852-201-0x00000000000F0000-0x0000000000128000-memory.dmp: family_xworm
- behavioral1/memory/1852-198-0x00000000000F0000-0x0000000000128000-memory.dmp: family_xworm
- behavioral1/memory/1852-195-0x00000000000F0000-0x0000000000128000-memory.dmp: family_xworm

Skuld family

Xworm family
Command and Scripting Interpreter: PowerShell (1 TTPs, 6 IoCs)
Run Powershell and hide display window.
Processes (pid, process):
- 2948 powershell.exe
- 2948 powershell.exe
- 2080 powershell.exe
- 1692 powershell.exe
- 2580 powershell.exe
- 1628 powershell.exe
Drops startup file (2 IoCs)
Processes (description, ioc, process):
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinRar.lnk (WinRAR.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinRar.lnk (WinRAR.exe)
Executes dropped EXE (7 IoCs)
Processes (pid, process):
- 2900 WinRAR.exe
- 2412 Microsoft Teams.exe
- 2564 WinRAR.exe
- 1316 WinRar.exe
- 1964 WinRar.exe
- 2972 WinRar.exe
- 1852 WinRar.exe
Loads dropped DLL (10 IoCs)
Processes (pid, process):
- 2136 EzFN-Manager.exe
- 2136 EzFN-Manager.exe
- 2916 MsiExec.exe
- 2564 WinRAR.exe
- 2760 msiexec.exe
- 2760 msiexec.exe
- 1156
- 1156
- 1156
- 1156
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes (description, ioc, process):
- Set value (str): \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinRar = "C:\\ProgramData\\WinRar.exe" (WinRAR.exe)
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes (flow, ioc):
- 4 ip-api.com
Suspicious use of SetThreadContext (3 IoCs)
Processes (description, pid, process, procid_target):
- PID 2900 set thread context of 2564 (2900 WinRAR.exe, procid_target 36)
- PID 1316 set thread context of 1964 (1316 WinRar.exe, procid_target 57)
- PID 2972 set thread context of 1852 (2972 WinRar.exe, procid_target 60)
YARA rule match: upx
Processes (resource, yara_rule):
- behavioral1/files/0x00060000000186f2-11.dat: upx
- behavioral1/memory/2412-19-0x0000000001010000-0x0000000001A75000-memory.dmp: upx
- behavioral1/memory/2412-24-0x0000000001010000-0x0000000001A75000-memory.dmp: upx
Drops file in Program Files directory (17 IoCs)
Processes (description, ioc, process):
- File created: C:\Program Files\EZFN Launcher\_up_\public\season_images\Season9.webp (msiexec.exe)
- File created: C:\Program Files\EZFN Launcher\_up_\public\season_images\Season8.webp (msiexec.exe)
- File created: C:\Program Files\EZFN Launcher\_up_\public\season_images\Season10.webp (msiexec.exe)
- File opened for modification: C:\Program Files\EZFN Launcher\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk (powershell.exe)
- File created: C:\Program Files\EZFN Launcher\_up_\public\default_skin.png (msiexec.exe)
- File created: C:\Program Files\EZFN Launcher\_up_\public\season_images\Season1.webp (msiexec.exe)
- File created: C:\Program Files\EZFN Launcher\EZFN Launcher.exe (msiexec.exe)
- File created: C:\Program Files\EZFN Launcher\_up_\public\season_images\Season7.webp (msiexec.exe)
- File created: C:\Program Files\EZFN Launcher\_up_\public\season_images\Season4.webp (msiexec.exe)
- File created: C:\Program Files\EZFN Launcher\_up_\public\season_images\Season15.webp (msiexec.exe)
- File created: C:\Program Files\EZFN Launcher\_up_\public\season_images\Season6.webp (msiexec.exe)
- File created: C:\Program Files\EZFN Launcher\_up_\public\season_images\Season3.webp (msiexec.exe)
- File created: C:\Program Files\EZFN Launcher\_up_\public\season_images\Season11.webp (msiexec.exe)
- File created: C:\Program Files\EZFN Launcher\_up_\public\certs\placeholder.txt (msiexec.exe)
- File created: C:\Program Files\EZFN Launcher\_up_\public\season_images\Season2.webp (msiexec.exe)
- File created: C:\Program Files\EZFN Launcher\_up_\public\season_images\Season5.webp (msiexec.exe)
- File created: C:\Program Files\EZFN Launcher\Uninstall EZFN Launcher.lnk (msiexec.exe)
Drops file in Windows directory (12 IoCs)
Processes (description, ioc, process):
- File created: C:\Windows\Installer\f7741a2.msi (msiexec.exe)
- File opened for modification: C:\Windows\Installer\f7741a2.msi (msiexec.exe)
- File created: C:\Windows\Installer\f7741a3.ipi (msiexec.exe)
- File opened for modification: C:\Windows\Installer\ (msiexec.exe)
- File created: C:\Windows\Installer\{0C27167A-56ED-4093-AFA9-38C1037E1ED3}\ProductIcon (msiexec.exe)
- File opened for modification: C:\Windows\INF\setupapi.ev3 (DrvInst.exe)
- File opened for modification: C:\Windows\INF\setupapi.ev1 (DrvInst.exe)
- File opened for modification: C:\Windows\INF\setupapi.dev.log (DrvInst.exe)
- File opened for modification: C:\Windows\Installer\MSI424E.tmp (msiexec.exe)
- File opened for modification: C:\Windows\Installer\{0C27167A-56ED-4093-AFA9-38C1037E1ED3}\ProductIcon (msiexec.exe)
- File created: C:\Windows\Installer\f7741a5.msi (msiexec.exe)
- File opened for modification: C:\Windows\Installer\f7741a3.ipi (msiexec.exe)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery (1 TTPs, 12 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes (description, ioc, process):
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (WinRar.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (WinRar.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (WinRAR.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (powershell.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (powershell.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (powershell.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (schtasks.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (WinRar.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (WinRar.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (WinRAR.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (MsiExec.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (powershell.exe)
Modifies data under HKEY_USERS (46 IoCs)
Modifies registry class (35 IoCs)
Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses (7 IoCs)
Processes (pid, process):
- 1628 powershell.exe
- 2080 powershell.exe
- 1692 powershell.exe
- 2580 powershell.exe
- 2760 msiexec.exe
- 2760 msiexec.exe
- 2948 powershell.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes (pid, process):
- 2824 msiexec.exe
- 2824 msiexec.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes (indentation shows the parent/child tree)

C:\Users\Admin\AppData\Local\Temp\EzFN-Manager.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\EzFN-Manager.exe"
  PID: 2136
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\WinRAR.exe
      Command line: "C:\Users\Admin\AppData\Roaming\WinRAR.exe"
      PID: 2900
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Roaming\WinRAR.exe
          Command line: "C:\Users\Admin\AppData\Roaming\WinRAR.exe"
          PID: 2564
          - Drops startup file
          - Executes dropped EXE
          - Loads dropped DLL
          - Adds Run key to start application
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\WinRAR.exe'
              PID: 1628
              - Command and Scripting Interpreter: PowerShell
              - System Location Discovery: System Language Discovery
              - Suspicious behavior: EnumeratesProcesses

            C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WinRAR.exe'
              PID: 2080
              - Command and Scripting Interpreter: PowerShell
              - System Location Discovery: System Language Discovery
              - Suspicious behavior: EnumeratesProcesses

            C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\WinRar.exe'
              PID: 1692
              - Command and Scripting Interpreter: PowerShell
              - System Location Discovery: System Language Discovery
              - Suspicious behavior: EnumeratesProcesses

            C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WinRar.exe'
              PID: 2580
              - Command and Scripting Interpreter: PowerShell
              - System Location Discovery: System Language Discovery
              - Suspicious behavior: EnumeratesProcesses

            C:\Windows\SysWOW64\schtasks.exe
              Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WinRar" /tr "C:\ProgramData\WinRar.exe"
              PID: 1652
              - System Location Discovery: System Language Discovery
              - Scheduled Task/Job: Scheduled Task

    C:\Users\Admin\AppData\Roaming\Microsoft Teams.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft Teams.exe"
      PID: 2412
      - Executes dropped EXE

    C:\Windows\System32\msiexec.exe
      Command line: "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\EZFN Launcher_1.2.7_x64_en-US (1).msi"
      PID: 2824
      - Enumerates connected drives
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 2760
  - Loads dropped DLL
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\syswow64\MsiExec.exe
      Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 71A5FC12DEAA8E74CFDB8C5C5FF14D0E C
      PID: 2916
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell.exe -NoProfile -windowstyle hidden try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 } catch {}; Invoke-WebRequest -Uri "https://go.microsoft.com/fwlink/p/?LinkId=2124703" -OutFile "$env:TEMP\MicrosoftEdgeWebview2Setup.exe" ; Start-Process -FilePath "$env:TEMP\MicrosoftEdgeWebview2Setup.exe" -ArgumentList ( '/install') -Wait
      PID: 2948
      - Command and Scripting Interpreter: PowerShell
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 2828

C:\Windows\system32\DrvInst.exe
  Command line: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003B4" "0000000000000064"
  PID: 1904
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS

C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {C0922B12-DEF7-4941-BFDC-D476B29FE38B} S-1-5-21-4177215427-74451935-3209572229-1000:JSMURNPT\Admin:Interactive:[1]
  PID: 1588
  - Suspicious use of WriteProcessMemory

    C:\ProgramData\WinRar.exe
      Command line: C:\ProgramData\WinRar.exe
      PID: 1316
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

        C:\ProgramData\WinRar.exe
          Command line: "C:\ProgramData\WinRar.exe"
          PID: 1964
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery

    C:\ProgramData\WinRar.exe
      Command line: C:\ProgramData\WinRar.exe
      PID: 2972
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery

        C:\ProgramData\WinRar.exe
          Command line: "C:\ProgramData\WinRar.exe"
          PID: 1852
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter: 1
- PowerShell: 1
- Scheduled Task/Job: 1
- Scheduled Task: 1

Persistence
- Boot or Logon Autostart Execution: 1
- Registry Run Keys / Startup Folder: 1
- Scheduled Task/Job: 1
- Scheduled Task: 1

Privilege Escalation
- Boot or Logon Autostart Execution: 1
- Registry Run Keys / Startup Folder: 1
- Scheduled Task/Job: 1
- Scheduled Task: 1
Downloads