68bb2144b5a107bc159bb78a75647a929ef60fd9c3f646fd3eaf6477f016e9ec

Analysis

max time kernel
222s
max time network
226s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
22/10/2023, 17:20

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.684bb9a36fc5604f3c0543ede8220f90.exe
Size

182KB
MD5

684bb9a36fc5604f3c0543ede8220f90
SHA1

77edef216d162b3ed07b54154a605bfd3a58bed1
SHA256

68bb2144b5a107bc159bb78a75647a929ef60fd9c3f646fd3eaf6477f016e9ec
SHA512

df2c16309d1f21cf418a73fdd1b8ef6279819994b2cf5187c3d861c6b10efd926df35eab7f2e80566567431a2215ad59f3db814ce14fd760b5acabea01532255
SSDEEP

1536:heT7BVwxfvEFwjRs1PDXFi0VvBYv3kZtAV7ZBbP1yVGqV6zSVSGzsNEE:hmVwRKCULFlav+m7ZB5e3V6z1GzCh

Score

10^/10

dropper evasion persistence trojan upx

Malware Config

Signatures

Malware Backdoor - Berbew 64 IoCs

Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.

persistence dropper trojan

resource	yara_rule
behavioral2/memory/2680-0-0x0000000000400000-0x0000000000429000-memory.dmp	family_berbew
behavioral2/files/0x0009000000022df0-6.dat	family_berbew
behavioral2/files/0x0009000000022df0-7.dat	family_berbew
behavioral2/memory/2680-10-0x0000000000400000-0x0000000000429000-memory.dmp	family_berbew
behavioral2/files/0x0007000000022dfe-13.dat	family_berbew
behavioral2/memory/1728-14-0x0000000000400000-0x0000000000429000-memory.dmp	family_berbew
behavioral2/files/0x0007000000022dfe-15.dat	family_berbew
behavioral2/files/0x0007000000022dfe-12.dat	family_berbew
behavioral2/files/0x0009000000022df2-20.dat	family_berbew
behavioral2/memory/5048-21-0x0000000000400000-0x0000000000429000-memory.dmp	family_berbew
behavioral2/files/0x0009000000022df2-22.dat	family_berbew
behavioral2/files/0x0008000000022df7-28.dat	family_berbew
behavioral2/files/0x0008000000022df7-27.dat	family_berbew
behavioral2/memory/4280-32-0x0000000000400000-0x0000000000429000-memory.dmp	family_berbew
behavioral2/files/0x0009000000022df8-34.dat	family_berbew
behavioral2/files/0x0009000000022df8-35.dat	family_berbew
behavioral2/files/0x0009000000022dfa-40.dat	family_berbew
behavioral2/files/0x0009000000022dfa-41.dat	family_berbew
behavioral2/memory/4836-45-0x0000000000400000-0x0000000000429000-memory.dmp	family_berbew
behavioral2/files/0x000a000000022dfb-47.dat	family_berbew
behavioral2/files/0x000a000000022dfb-49.dat	family_berbew
behavioral2/files/0x0008000000022dff-52.dat	family_berbew
behavioral2/files/0x0008000000022dff-53.dat	family_berbew
behavioral2/files/0x0008000000022e00-62.dat	family_berbew
behavioral2/memory/1260-60-0x0000000000400000-0x0000000000429000-memory.dmp	family_berbew
behavioral2/files/0x0007000000022e02-63.dat	family_berbew
behavioral2/files/0x0007000000022e02-64.dat	family_berbew
behavioral2/files/0x0008000000022e00-65.dat	family_berbew
behavioral2/memory/4676-76-0x0000000000400000-0x0000000000429000-memory.dmp	family_berbew
behavioral2/files/0x0008000000022e03-77.dat	family_berbew
behavioral2/memory/4544-73-0x0000000000400000-0x0000000000429000-memory.dmp	family_berbew
behavioral2/files/0x0008000000022e04-78.dat	family_berbew
behavioral2/files/0x0008000000022e04-79.dat	family_berbew
behavioral2/memory/1568-81-0x0000000000400000-0x0000000000429000-memory.dmp	family_berbew
behavioral2/files/0x0008000000022e03-74.dat	family_berbew
behavioral2/memory/3448-85-0x0000000000400000-0x0000000000429000-memory.dmp	family_berbew
behavioral2/memory/3488-86-0x0000000000400000-0x0000000000429000-memory.dmp	family_berbew
behavioral2/memory/1284-87-0x0000000000400000-0x0000000000429000-memory.dmp	family_berbew
behavioral2/files/0x0007000000022e07-91.dat	family_berbew
behavioral2/files/0x0007000000022e07-92.dat	family_berbew
behavioral2/files/0x0007000000022e08-94.dat	family_berbew
behavioral2/files/0x0007000000022e08-95.dat	family_berbew
behavioral2/memory/2196-98-0x0000000000400000-0x0000000000429000-memory.dmp	family_berbew
behavioral2/files/0x0007000000022e0a-104.dat	family_berbew
behavioral2/files/0x0007000000022e0a-105.dat	family_berbew
behavioral2/files/0x0007000000022e0b-110.dat	family_berbew
behavioral2/files/0x0007000000022e0b-111.dat	family_berbew
behavioral2/memory/1568-114-0x0000000000400000-0x0000000000429000-memory.dmp	family_berbew
behavioral2/memory/2584-117-0x0000000000400000-0x0000000000429000-memory.dmp	family_berbew
behavioral2/files/0x0008000000022e06-123.dat	family_berbew
behavioral2/files/0x0007000000022e0d-125.dat	family_berbew
behavioral2/memory/3820-121-0x0000000000400000-0x0000000000429000-memory.dmp	family_berbew
behavioral2/memory/4708-124-0x0000000000400000-0x0000000000429000-memory.dmp	family_berbew
behavioral2/files/0x0008000000022e06-122.dat	family_berbew
behavioral2/memory/1628-120-0x0000000000400000-0x0000000000429000-memory.dmp	family_berbew
behavioral2/files/0x0007000000022e0d-119.dat	family_berbew
behavioral2/memory/2400-133-0x0000000000400000-0x0000000000429000-memory.dmp	family_berbew
behavioral2/memory/3820-134-0x0000000000400000-0x0000000000429000-memory.dmp	family_berbew
behavioral2/files/0x0008000000022e0e-136.dat	family_berbew
behavioral2/files/0x0008000000022e0e-137.dat	family_berbew
behavioral2/memory/3448-140-0x0000000000400000-0x0000000000429000-memory.dmp	family_berbew
behavioral2/files/0x0007000000022e10-141.dat	family_berbew
behavioral2/files/0x0007000000022e10-143.dat	family_berbew
behavioral2/memory/1808-142-0x0000000000400000-0x0000000000429000-memory.dmp	family_berbew

Modifies visibility of file extensions in Explorer 2 TTPs 57 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-568313063-1441237985-1542345083-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-568313063-1441237985-1542345083-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-568313063-1441237985-1542345083-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-568313063-1441237985-1542345083-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	NEAS.684bb9a36fc5604f3c0543ede8220f90.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-568313063-1441237985-1542345083-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-568313063-1441237985-1542345083-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-568313063-1441237985-1542345083-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-568313063-1441237985-1542345083-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-568313063-1441237985-1542345083-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-568313063-1441237985-1542345083-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-568313063-1441237985-1542345083-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-568313063-1441237985-1542345083-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-568313063-1441237985-1542345083-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-568313063-1441237985-1542345083-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-568313063-1441237985-1542345083-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-568313063-1441237985-1542345083-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-568313063-1441237985-1542345083-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-568313063-1441237985-1542345083-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-568313063-1441237985-1542345083-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-568313063-1441237985-1542345083-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-568313063-1441237985-1542345083-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-568313063-1441237985-1542345083-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-568313063-1441237985-1542345083-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-568313063-1441237985-1542345083-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-568313063-1441237985-1542345083-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-568313063-1441237985-1542345083-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-568313063-1441237985-1542345083-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-568313063-1441237985-1542345083-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-568313063-1441237985-1542345083-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-568313063-1441237985-1542345083-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-568313063-1441237985-1542345083-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-568313063-1441237985-1542345083-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-568313063-1441237985-1542345083-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-568313063-1441237985-1542345083-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-568313063-1441237985-1542345083-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-568313063-1441237985-1542345083-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-568313063-1441237985-1542345083-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-568313063-1441237985-1542345083-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-568313063-1441237985-1542345083-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-568313063-1441237985-1542345083-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-568313063-1441237985-1542345083-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-568313063-1441237985-1542345083-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-568313063-1441237985-1542345083-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-568313063-1441237985-1542345083-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-568313063-1441237985-1542345083-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-568313063-1441237985-1542345083-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-568313063-1441237985-1542345083-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-568313063-1441237985-1542345083-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-568313063-1441237985-1542345083-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-568313063-1441237985-1542345083-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-568313063-1441237985-1542345083-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-568313063-1441237985-1542345083-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-568313063-1441237985-1542345083-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-568313063-1441237985-1542345083-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-568313063-1441237985-1542345083-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-568313063-1441237985-1542345083-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-568313063-1441237985-1542345083-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Executes dropped EXE 64 IoCs

pid	Process
1728	data.exe
5048	backup.exe
3448	backup.exe
4280	backup.exe
3488	backup.exe
4836	backup.exe
1260	backup.exe
1284	backup.exe
4676	backup.exe
4544	backup.exe
2196	backup.exe
1568	backup.exe
2584	backup.exe
1628	backup.exe
3820	backup.exe
4708	backup.exe
1808	backup.exe
2400	backup.exe
1316	System Restore.exe
5056	backup.exe
388	backup.exe
2720	backup.exe
1044	backup.exe
1972	backup.exe
3816	backup.exe
4956	backup.exe
312	backup.exe
4192	backup.exe
2496	backup.exe
4972	backup.exe
1920	backup.exe
1992	backup.exe
1192	backup.exe
2800	backup.exe
1176	backup.exe
4816	backup.exe
1524	backup.exe
560	backup.exe
2380	data.exe
1088	backup.exe
3804	backup.exe
4276	backup.exe
4948	System Restore.exe
3144	backup.exe
380	backup.exe
400	backup.exe
4500	backup.exe
5084	backup.exe
4696	backup.exe
1352	backup.exe
1560	backup.exe
4304	data.exe
1788	backup.exe
4708	backup.exe
2460	backup.exe
3464	backup.exe
4896	backup.exe
2136	backup.exe
2396	backup.exe
4240	backup.exe
2548	backup.exe
2596	backup.exe
3056	update.exe
1184	backup.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2680-0-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral2/files/0x0009000000022df0-6.dat	upx
behavioral2/files/0x0009000000022df0-7.dat	upx
behavioral2/memory/2680-10-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral2/files/0x0007000000022dfe-13.dat	upx
behavioral2/memory/1728-14-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral2/files/0x0007000000022dfe-15.dat	upx
behavioral2/files/0x0007000000022dfe-12.dat	upx
behavioral2/files/0x0009000000022df2-20.dat	upx
behavioral2/memory/5048-21-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral2/files/0x0009000000022df2-22.dat	upx
behavioral2/files/0x0008000000022df7-28.dat	upx
behavioral2/files/0x0008000000022df7-27.dat	upx
behavioral2/memory/4280-32-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral2/files/0x0009000000022df8-34.dat	upx
behavioral2/files/0x0009000000022df8-35.dat	upx
behavioral2/files/0x0009000000022dfa-40.dat	upx
behavioral2/files/0x0009000000022dfa-41.dat	upx
behavioral2/memory/4836-45-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral2/files/0x000a000000022dfb-47.dat	upx
behavioral2/files/0x000a000000022dfb-49.dat	upx
behavioral2/files/0x0008000000022dff-52.dat	upx
behavioral2/files/0x0008000000022dff-53.dat	upx
behavioral2/files/0x0008000000022e00-62.dat	upx
behavioral2/memory/1260-60-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral2/files/0x0007000000022e02-63.dat	upx
behavioral2/files/0x0007000000022e02-64.dat	upx
behavioral2/files/0x0008000000022e00-65.dat	upx
behavioral2/memory/4676-76-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral2/files/0x0008000000022e03-77.dat	upx
behavioral2/memory/4544-73-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral2/files/0x0008000000022e04-78.dat	upx
behavioral2/files/0x0008000000022e04-79.dat	upx
behavioral2/memory/1568-81-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral2/files/0x0008000000022e03-74.dat	upx
behavioral2/memory/3448-85-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral2/memory/3488-86-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral2/memory/1284-87-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral2/files/0x0007000000022e07-91.dat	upx
behavioral2/files/0x0007000000022e07-92.dat	upx
behavioral2/files/0x0007000000022e08-94.dat	upx
behavioral2/files/0x0007000000022e08-95.dat	upx
behavioral2/memory/2196-98-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral2/files/0x0007000000022e0a-104.dat	upx
behavioral2/files/0x0007000000022e0a-105.dat	upx
behavioral2/files/0x0007000000022e0b-110.dat	upx
behavioral2/files/0x0007000000022e0b-111.dat	upx
behavioral2/memory/1568-114-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral2/memory/2584-117-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral2/files/0x0008000000022e06-123.dat	upx
behavioral2/files/0x0007000000022e0d-125.dat	upx
behavioral2/memory/3820-121-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral2/memory/4708-124-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral2/files/0x0008000000022e06-122.dat	upx
behavioral2/memory/1628-120-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral2/files/0x0007000000022e0d-119.dat	upx
behavioral2/memory/2400-133-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral2/memory/3820-134-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral2/files/0x0008000000022e0e-136.dat	upx
behavioral2/files/0x0008000000022e0e-137.dat	upx
behavioral2/memory/3448-140-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral2/files/0x0007000000022e10-141.dat	upx
behavioral2/files/0x0007000000022e10-143.dat	upx
behavioral2/memory/1808-142-0x0000000000400000-0x0000000000429000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\System\System Restore.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\de-DE\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\en-US\backup.exe	data.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\update.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe	data.exe
File opened for modification	C:\Program Files (x86)\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\Lang\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\update.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\CrashReports\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\DESIGNER\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\Update\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe	data.exe
File opened for modification	C:\Program Files\Java\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\backup.exe	backup.exe
File opened for modification	C:\Program Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\data.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\backup.exe	data.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\backup.exe	backup.exe
File opened for modification	C:\Windows\addins\backup.exe	backup.exe
File opened for modification	C:\Windows\appcompat\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\System Restore.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 58 IoCs

pid	Process
2680	NEAS.684bb9a36fc5604f3c0543ede8220f90.exe
1728	data.exe
5048	backup.exe
3448	backup.exe
4280	backup.exe
3488	backup.exe
4836	backup.exe
1260	backup.exe
1284	backup.exe
4544	backup.exe
4676	backup.exe
2196	backup.exe
1568	backup.exe
2584	backup.exe
1628	backup.exe
3820	backup.exe
4708	backup.exe
1808	backup.exe
2400	backup.exe
1316	System Restore.exe
5056	backup.exe
388	backup.exe
2720	backup.exe
1972	backup.exe
1044	backup.exe
3816	backup.exe
4956	backup.exe
4192	backup.exe
2496	backup.exe
1992	backup.exe
312	backup.exe
1920	backup.exe
1192	backup.exe
1176	backup.exe
4972	backup.exe
2800	backup.exe
4816	backup.exe
1524	backup.exe
560	backup.exe
2380	data.exe
1088	backup.exe
3804	backup.exe
4948	System Restore.exe
3144	backup.exe
380	backup.exe
400	backup.exe
4276	backup.exe
1560	backup.exe
4708	backup.exe
1788	backup.exe
4696	backup.exe
4500	backup.exe
4304	data.exe
5084	backup.exe
1352	backup.exe
2460	backup.exe
3464	backup.exe
2136	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2680 wrote to memory of 1728	2680	NEAS.684bb9a36fc5604f3c0543ede8220f90.exe	87
PID 2680 wrote to memory of 1728	2680	NEAS.684bb9a36fc5604f3c0543ede8220f90.exe	87
PID 2680 wrote to memory of 1728	2680	NEAS.684bb9a36fc5604f3c0543ede8220f90.exe	87
PID 2680 wrote to memory of 5048	2680	NEAS.684bb9a36fc5604f3c0543ede8220f90.exe	88
PID 2680 wrote to memory of 5048	2680	NEAS.684bb9a36fc5604f3c0543ede8220f90.exe	88
PID 2680 wrote to memory of 5048	2680	NEAS.684bb9a36fc5604f3c0543ede8220f90.exe	88
PID 2680 wrote to memory of 3448	2680	NEAS.684bb9a36fc5604f3c0543ede8220f90.exe	89
PID 2680 wrote to memory of 3448	2680	NEAS.684bb9a36fc5604f3c0543ede8220f90.exe	89
PID 2680 wrote to memory of 3448	2680	NEAS.684bb9a36fc5604f3c0543ede8220f90.exe	89
PID 2680 wrote to memory of 4280	2680	NEAS.684bb9a36fc5604f3c0543ede8220f90.exe	90
PID 2680 wrote to memory of 4280	2680	NEAS.684bb9a36fc5604f3c0543ede8220f90.exe	90
PID 2680 wrote to memory of 4280	2680	NEAS.684bb9a36fc5604f3c0543ede8220f90.exe	90
PID 2680 wrote to memory of 3488	2680	NEAS.684bb9a36fc5604f3c0543ede8220f90.exe	91
PID 2680 wrote to memory of 3488	2680	NEAS.684bb9a36fc5604f3c0543ede8220f90.exe	91
PID 2680 wrote to memory of 3488	2680	NEAS.684bb9a36fc5604f3c0543ede8220f90.exe	91
PID 2680 wrote to memory of 4836	2680	NEAS.684bb9a36fc5604f3c0543ede8220f90.exe	92
PID 2680 wrote to memory of 4836	2680	NEAS.684bb9a36fc5604f3c0543ede8220f90.exe	92
PID 2680 wrote to memory of 4836	2680	NEAS.684bb9a36fc5604f3c0543ede8220f90.exe	92
PID 2680 wrote to memory of 1260	2680	NEAS.684bb9a36fc5604f3c0543ede8220f90.exe	93
PID 2680 wrote to memory of 1260	2680	NEAS.684bb9a36fc5604f3c0543ede8220f90.exe	93
PID 2680 wrote to memory of 1260	2680	NEAS.684bb9a36fc5604f3c0543ede8220f90.exe	93
PID 1728 wrote to memory of 1284	1728	data.exe	94
PID 1728 wrote to memory of 1284	1728	data.exe	94
PID 1728 wrote to memory of 1284	1728	data.exe	94
PID 2680 wrote to memory of 4676	2680	NEAS.684bb9a36fc5604f3c0543ede8220f90.exe	95
PID 2680 wrote to memory of 4676	2680	NEAS.684bb9a36fc5604f3c0543ede8220f90.exe	95
PID 2680 wrote to memory of 4676	2680	NEAS.684bb9a36fc5604f3c0543ede8220f90.exe	95
PID 1284 wrote to memory of 4544	1284	backup.exe	96
PID 1284 wrote to memory of 4544	1284	backup.exe	96
PID 1284 wrote to memory of 4544	1284	backup.exe	96
PID 1284 wrote to memory of 2196	1284	backup.exe	98
PID 1284 wrote to memory of 2196	1284	backup.exe	98
PID 1284 wrote to memory of 2196	1284	backup.exe	98
PID 2680 wrote to memory of 1568	2680	NEAS.684bb9a36fc5604f3c0543ede8220f90.exe	97
PID 2680 wrote to memory of 1568	2680	NEAS.684bb9a36fc5604f3c0543ede8220f90.exe	97
PID 2680 wrote to memory of 1568	2680	NEAS.684bb9a36fc5604f3c0543ede8220f90.exe	97
PID 1284 wrote to memory of 2584	1284	backup.exe	99
PID 1284 wrote to memory of 2584	1284	backup.exe	99
PID 1284 wrote to memory of 2584	1284	backup.exe	99
PID 1568 wrote to memory of 1628	1568	backup.exe	100
PID 1568 wrote to memory of 1628	1568	backup.exe	100
PID 1568 wrote to memory of 1628	1568	backup.exe	100
PID 2584 wrote to memory of 3820	2584	backup.exe	101
PID 2584 wrote to memory of 3820	2584	backup.exe	101
PID 2584 wrote to memory of 3820	2584	backup.exe	101
PID 1628 wrote to memory of 4708	1628	backup.exe	102
PID 1628 wrote to memory of 4708	1628	backup.exe	102
PID 1628 wrote to memory of 4708	1628	backup.exe	102
PID 1284 wrote to memory of 1808	1284	backup.exe	104
PID 1284 wrote to memory of 1808	1284	backup.exe	104
PID 1284 wrote to memory of 1808	1284	backup.exe	104
PID 3820 wrote to memory of 2400	3820	backup.exe	103
PID 3820 wrote to memory of 2400	3820	backup.exe	103
PID 3820 wrote to memory of 2400	3820	backup.exe	103
PID 1808 wrote to memory of 1316	1808	backup.exe	106
PID 1808 wrote to memory of 1316	1808	backup.exe	106
PID 1808 wrote to memory of 1316	1808	backup.exe	106
PID 2584 wrote to memory of 5056	2584	backup.exe	107
PID 2584 wrote to memory of 5056	2584	backup.exe	107
PID 2584 wrote to memory of 5056	2584	backup.exe	107
PID 1316 wrote to memory of 388	1316	System Restore.exe	109
PID 1316 wrote to memory of 388	1316	System Restore.exe	109
PID 1316 wrote to memory of 388	1316	System Restore.exe	109
PID 5056 wrote to memory of 2720	5056	backup.exe	110

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.684bb9a36fc5604f3c0543ede8220f90.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.684bb9a36fc5604f3c0543ede8220f90.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2680
- C:\Users\Admin\AppData\Local\Temp\{7A9B1486-ACF7-475D-AFE2-E4002B78CED6}\data.exe
  C:\Users\Admin\AppData\Local\Temp\{7A9B1486-ACF7-475D-AFE2-E4002B78CED6}\data.exe C:\Users\Admin\AppData\Local\Temp\{7A9B1486-ACF7-475D-AFE2-E4002B78CED6}\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1728
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:1284
  - - C:\odt\backup.exe
      C:\odt\backup.exe C:\odt\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:4544
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2196
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2584
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3820
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2400
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:5056
      - C:\Program Files\Common Files\DESIGNER\backup.exe
        
        "C:\Program Files\Common Files\DESIGNER\backup.exe" C:\Program Files\Common Files\DESIGNER\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2720
      - C:\Program Files\Common Files\microsoft shared\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\backup.exe" C:\Program Files\Common Files\microsoft shared\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1972
        
        C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe" C:\Program Files\Common Files\microsoft shared\ClickToRun\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3816
        
        C:\Program Files\Common Files\microsoft shared\ink\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4192
        
        C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ar-SA\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1088
        
        C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\bg-BG\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4696
        
        C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\
        8⤵
        Executes dropped EXE
        
        PID:4240
        
        C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\da-DK\
        8⤵
        
        PID:3284
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1176
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4276
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\
        8⤵
        Executes dropped EXE
        
        PID:2548
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\
        8⤵
        
        PID:2252
        
        C:\Program Files\Common Files\microsoft shared\OFFICE16\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\OFFICE16\backup.exe" C:\Program Files\Common Files\microsoft shared\OFFICE16\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:400
        
        C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\backup.exe" C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\
        8⤵
        
        PID:2636
        
        C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\update.exe
        
        "C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\update.exe" C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\
        7⤵
        
        PID:3332
        
        C:\Program Files\Common Files\microsoft shared\Source Engine\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Source Engine\backup.exe" C:\Program Files\Common Files\microsoft shared\Source Engine\
        7⤵
        
        PID:3000
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1192
      - C:\Program Files\Common Files\System\System Restore.exe
        
        "C:\Program Files\Common Files\System\System Restore.exe" C:\Program Files\Common Files\System\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4948
        
        C:\Program Files\Common Files\System\ado\backup.exe
        
        "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        
        PID:1700
        
        C:\Program Files\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        
        PID:2948
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1992
      - C:\Program Files\Google\Chrome\backup.exe
        
        "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:380
        
        C:\Program Files\Google\Chrome\Application\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\backup.exe" C:\Program Files\Google\Chrome\Application\
        7⤵
        
        PID:3876
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3144
      - C:\Program Files\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files\Internet Explorer\de-DE\backup.exe" C:\Program Files\Internet Explorer\de-DE\
        6⤵
        
        PID:4208
      - C:\Program Files\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files\Internet Explorer\en-US\backup.exe" C:\Program Files\Internet Explorer\en-US\
        6⤵
        
        PID:692
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        
        PID:4772
    - - C:\Program Files\Microsoft Office\update.exe
        
        "C:\Program Files\Microsoft Office\update.exe" C:\Program Files\Microsoft Office\
        5⤵
        
        PID:4768
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1808
    - - C:\Program Files (x86)\Adobe\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\System Restore.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1316
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:388
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1044
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4956
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:312
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2460
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2800
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4500
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1560
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\
        8⤵
        Executes dropped EXE
        
        PID:2396
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\
        8⤵
        
        PID:4392
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1920
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1352
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\
        9⤵
        
        PID:4836
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\
        8⤵
        Executes dropped EXE
        
        PID:1184
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\
        8⤵
        
        PID:3644
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1524
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4708
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2496
      - C:\Program Files (x86)\Common Files\Adobe\data.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\data.exe" C:\Program Files (x86)\Common Files\Adobe\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2380
        
        C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3464
        
        C:\Program Files (x86)\Common Files\Adobe\ARM\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\ARM\backup.exe" C:\Program Files (x86)\Common Files\Adobe\ARM\
        7⤵
        
        PID:4892
      - C:\Program Files (x86)\Common Files\Java\backup.exe
        
        "C:\Program Files (x86)\Common Files\Java\backup.exe" C:\Program Files (x86)\Common Files\Java\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2136
        
        C:\Program Files (x86)\Common Files\Java\Java Update\backup.exe
        
        "C:\Program Files (x86)\Common Files\Java\Java Update\backup.exe" C:\Program Files (x86)\Common Files\Java\Java Update\
        7⤵
        
        PID:744
      - C:\Program Files (x86)\Common Files\Microsoft Shared\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\
        6⤵
        
        PID:1740
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4816
      - C:\Program Files (x86)\Google\CrashReports\backup.exe
        
        "C:\Program Files (x86)\Google\CrashReports\backup.exe" C:\Program Files (x86)\Google\CrashReports\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:5084
      - C:\Program Files (x86)\Google\Temp\backup.exe
        
        "C:\Program Files (x86)\Google\Temp\backup.exe" C:\Program Files (x86)\Google\Temp\
        6⤵
        Executes dropped EXE
        
        PID:2596
      - C:\Program Files (x86)\Google\Update\backup.exe
        
        "C:\Program Files (x86)\Google\Update\backup.exe" C:\Program Files (x86)\Google\Update\
        6⤵
        
        PID:1888
    - - C:\Program Files (x86)\Internet Explorer\data.exe
        
        "C:\Program Files (x86)\Internet Explorer\data.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4304
      - C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe" C:\Program Files (x86)\Internet Explorer\de-DE\
        6⤵
        
        PID:1000
      - C:\Program Files (x86)\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\en-US\backup.exe" C:\Program Files (x86)\Internet Explorer\en-US\
        6⤵
        
        PID:4916
    - - C:\Program Files (x86)\Microsoft\backup.exe
        
        "C:\Program Files (x86)\Microsoft\backup.exe" C:\Program Files (x86)\Microsoft\
        5⤵
        
        PID:3300
    - - C:\Program Files (x86)\Microsoft.NET\backup.exe
        
        "C:\Program Files (x86)\Microsoft.NET\backup.exe" C:\Program Files (x86)\Microsoft.NET\
        5⤵
        
        PID:4464
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:4972
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3804
      - C:\Users\Admin\3D Objects\update.exe
        
        "C:\Users\Admin\3D Objects\update.exe" C:\Users\Admin\3D Objects\
        6⤵
        Executes dropped EXE
        
        PID:3056
      - C:\Users\Admin\Contacts\backup.exe
        
        C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
        6⤵
        
        PID:1060
    - - C:\Users\Public\backup.exe
        
        C:\Users\Public\backup.exe C:\Users\Public\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        System policy modification
        
        PID:4896
      - C:\Users\Public\Documents\backup.exe
        
        C:\Users\Public\Documents\backup.exe C:\Users\Public\Documents\
        6⤵
        
        PID:4176
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:560
    - - C:\Windows\addins\backup.exe
        
        C:\Windows\addins\backup.exe C:\Windows\addins\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1788
    - - C:\Windows\appcompat\backup.exe
        
        C:\Windows\appcompat\backup.exe C:\Windows\appcompat\
        5⤵
        
        PID:3992
    - - C:\Windows\apppatch\System Restore.exe
        
        "C:\Windows\apppatch\System Restore.exe" C:\Windows\apppatch\
        5⤵
        
        PID:2000
- C:\Users\Admin\AppData\Local\Temp\1089149054\backup.exe
  C:\Users\Admin\AppData\Local\Temp\1089149054\backup.exe C:\Users\Admin\AppData\Local\Temp\1089149054\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:5048
- C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe C:\Users\Admin\AppData\Local\Temp\acrocef_low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3448
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:4280
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3488
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:4836
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1260
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:4676
- C:\Users\Admin\AppData\Local\Temp\OneNote\backup.exe
  C:\Users\Admin\AppData\Local\Temp\OneNote\backup.exe C:\Users\Admin\AppData\Local\Temp\OneNote\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1568
- - C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\backup.exe
    C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\backup.exe C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:1628
  - - C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\Exported\backup.exe
      C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\Exported\backup.exe C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\Exported\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:4708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\backup.exe

Filesize
182KB

MD5
fb1716b601d5bb0acf2f1b9cb6e754e1

SHA1
17abd5fa8c49095ec5138f09b6a1b0f6e9debf64

SHA256
f1ce90ab4100d18877bc447963b4742b4238632140f69eaf5189afdde53d30de

SHA512
7adaecfc682bd68c91d80228bcff2b1e2525c2da47bce8f73238695156c13be51131e5f4676c83abed625fb8e5bae07f5808419aa4bb7c70f97a355e466b8536

Download Submit
C:\PerfLogs\backup.exe

Filesize
182KB

MD5
fb1716b601d5bb0acf2f1b9cb6e754e1

SHA1
17abd5fa8c49095ec5138f09b6a1b0f6e9debf64

SHA256
f1ce90ab4100d18877bc447963b4742b4238632140f69eaf5189afdde53d30de

SHA512
7adaecfc682bd68c91d80228bcff2b1e2525c2da47bce8f73238695156c13be51131e5f4676c83abed625fb8e5bae07f5808419aa4bb7c70f97a355e466b8536

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe

Filesize
182KB

MD5
c1a1bd0bb8622a854578dc0e0319e801

SHA1
88aa1202c5c8652dd7d1fa2ee0abdfc4220366ff

SHA256
22e9497ad80cf0e607e78345e15335b29fc5402aee64b81eb957fe636b44e57e

SHA512
56b70a85658028355f04bb691082a688118f53936b44cce17adabd52a312a617706b2d9f7aa0d832e83765eeef2f485671af09d0764e80022696cabed0372fd9

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe

Filesize
182KB

MD5
c1a1bd0bb8622a854578dc0e0319e801

SHA1
88aa1202c5c8652dd7d1fa2ee0abdfc4220366ff

SHA256
22e9497ad80cf0e607e78345e15335b29fc5402aee64b81eb957fe636b44e57e

SHA512
56b70a85658028355f04bb691082a688118f53936b44cce17adabd52a312a617706b2d9f7aa0d832e83765eeef2f485671af09d0764e80022696cabed0372fd9

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe

Filesize
182KB

MD5
e48eb0d641f4d0e23a92c3131119dafe

SHA1
bc219a491c362514175787021f19b001e3ffb0d1

SHA256
5d3f0675625a625a8f6344d755a88cec8dc5ddf54c9500a9a7a47f0a110f2db5

SHA512
5005a794f8e36d043fad78e3129d4a7391c0829ff470f79f336c58bdb4c53923510d35edc45139a9e369a9ce41d600713a64be4f04724d2277422d4b3be464d1

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe

Filesize
182KB

MD5
e48eb0d641f4d0e23a92c3131119dafe

SHA1
bc219a491c362514175787021f19b001e3ffb0d1

SHA256
5d3f0675625a625a8f6344d755a88cec8dc5ddf54c9500a9a7a47f0a110f2db5

SHA512
5005a794f8e36d043fad78e3129d4a7391c0829ff470f79f336c58bdb4c53923510d35edc45139a9e369a9ce41d600713a64be4f04724d2277422d4b3be464d1

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe

Filesize
182KB

MD5
c1a1bd0bb8622a854578dc0e0319e801

SHA1
88aa1202c5c8652dd7d1fa2ee0abdfc4220366ff

SHA256
22e9497ad80cf0e607e78345e15335b29fc5402aee64b81eb957fe636b44e57e

SHA512
56b70a85658028355f04bb691082a688118f53936b44cce17adabd52a312a617706b2d9f7aa0d832e83765eeef2f485671af09d0764e80022696cabed0372fd9

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe

Filesize
182KB

MD5
c1a1bd0bb8622a854578dc0e0319e801

SHA1
88aa1202c5c8652dd7d1fa2ee0abdfc4220366ff

SHA256
22e9497ad80cf0e607e78345e15335b29fc5402aee64b81eb957fe636b44e57e

SHA512
56b70a85658028355f04bb691082a688118f53936b44cce17adabd52a312a617706b2d9f7aa0d832e83765eeef2f485671af09d0764e80022696cabed0372fd9

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe

Filesize
182KB

MD5
66b6a9e93d102b14b3ddca41289bd8c1

SHA1
bd3c6f19f49860e2d580c690fc054b8caec043ba

SHA256
150ab5feccc0cb5834b23633509263ee8b94c676015ec360a60a951d62b39dd6

SHA512
ed428679b6901a3054aae07b1b3d2788749f6833220d7d3d9f70dcae5bb610418d123ec29bc1de1061d1962c98bfd2cdc0238265a0be4b053e6a6bdfa8f74f09

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe

Filesize
182KB

MD5
66b6a9e93d102b14b3ddca41289bd8c1

SHA1
bd3c6f19f49860e2d580c690fc054b8caec043ba

SHA256
150ab5feccc0cb5834b23633509263ee8b94c676015ec360a60a951d62b39dd6

SHA512
ed428679b6901a3054aae07b1b3d2788749f6833220d7d3d9f70dcae5bb610418d123ec29bc1de1061d1962c98bfd2cdc0238265a0be4b053e6a6bdfa8f74f09

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe

Filesize
182KB

MD5
ad677cd631b7d14a16bf46b016fd1140

SHA1
d8623d012f53308a52068dd0c927d7302943b939

SHA256
5183dd7074d9efa0c7da91452d39f0059a79913cec205079ebf377b3c0ca672b

SHA512
c056193e35a4579aded4ef1e0c46f97e6d67e70b035eff9da519c26097a4b008e171ebe91f583c1edcf91507ad1db5f5469737a6bd2d0ba2ee87a128da9e3aff

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe

Filesize
182KB

MD5
ad677cd631b7d14a16bf46b016fd1140

SHA1
d8623d012f53308a52068dd0c927d7302943b939

SHA256
5183dd7074d9efa0c7da91452d39f0059a79913cec205079ebf377b3c0ca672b

SHA512
c056193e35a4579aded4ef1e0c46f97e6d67e70b035eff9da519c26097a4b008e171ebe91f583c1edcf91507ad1db5f5469737a6bd2d0ba2ee87a128da9e3aff

Download Submit
C:\Program Files (x86)\Adobe\System Restore.exe

Filesize
182KB

MD5
865454dade0301c3499632fc825fc9d1

SHA1
1124bc7d93c2613f6e89788a6eb233d55932e2c8

SHA256
7126b4f02a48d9deb4f3ff03df6292aa791c364753f701f30fd3ba252ef7443d

SHA512
8940b92833445b2ad9c057bd24e8100595797236e1f89c6803c53c8601a3ee3c021e2718ecc41dbde2bb43b1176b9f654e5bf50ff372ba54e3455f45c6d96c6a

Download Submit
C:\Program Files (x86)\Adobe\System Restore.exe

Filesize
182KB

MD5
865454dade0301c3499632fc825fc9d1

SHA1
1124bc7d93c2613f6e89788a6eb233d55932e2c8

SHA256
7126b4f02a48d9deb4f3ff03df6292aa791c364753f701f30fd3ba252ef7443d

SHA512
8940b92833445b2ad9c057bd24e8100595797236e1f89c6803c53c8601a3ee3c021e2718ecc41dbde2bb43b1176b9f654e5bf50ff372ba54e3455f45c6d96c6a

Download Submit
C:\Program Files (x86)\Common Files\backup.exe

Filesize
182KB

MD5
17ec50eb72a231d2cd047c9cad229084

SHA1
e2acbce5afbeaed23ef7c6b9367c1dc89ddf01ec

SHA256
8f31964f8ff8666b685c9adf926314d9a425b6a27b2d74ffff89ee06c47c6ef9

SHA512
93ee70867eaf007a159a4c057cc1c7e1c8f7fb0af9363230148c907dbdb757609588de9d1599573df1a75c847b1736fe43102ab44839ecaa70a2ce7471bee60d

Download Submit
C:\Program Files (x86)\Common Files\backup.exe

Filesize
182KB

MD5
17ec50eb72a231d2cd047c9cad229084

SHA1
e2acbce5afbeaed23ef7c6b9367c1dc89ddf01ec

SHA256
8f31964f8ff8666b685c9adf926314d9a425b6a27b2d74ffff89ee06c47c6ef9

SHA512
93ee70867eaf007a159a4c057cc1c7e1c8f7fb0af9363230148c907dbdb757609588de9d1599573df1a75c847b1736fe43102ab44839ecaa70a2ce7471bee60d

Download Submit
C:\Program Files (x86)\backup.exe

Filesize
182KB

MD5
ee30ae97e2feac53616fd2812b86a18f

SHA1
0b1e27ff9d55f9c65b67d48a9597f18644af4ec4

SHA256
fbe86a9c5a547201bb2c2560c5dc766b5b353e1c31385f49a8f96e7f554dfdad

SHA512
986331bc24306e48ac3f7a5e8e4e3c1411a5bb77082c0c680ac0a3025e237580c39a1ac403b16bc785dc41f67cfc57c2084aeb174e5f125eccf44399ad5b4c09

Download Submit
C:\Program Files (x86)\backup.exe

Filesize
182KB

MD5
ee30ae97e2feac53616fd2812b86a18f

SHA1
0b1e27ff9d55f9c65b67d48a9597f18644af4ec4

SHA256
fbe86a9c5a547201bb2c2560c5dc766b5b353e1c31385f49a8f96e7f554dfdad

SHA512
986331bc24306e48ac3f7a5e8e4e3c1411a5bb77082c0c680ac0a3025e237580c39a1ac403b16bc785dc41f67cfc57c2084aeb174e5f125eccf44399ad5b4c09

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
182KB

MD5
c504d8729e461403728d50eae2b8e2e5

SHA1
5a21583df44a9b9f7fb7db626c04eab640281033

SHA256
a755ee40c6b074a3a8a2f45e0c216d9bd9f3d91618172e695979aa36714778e5

SHA512
7299ca1afa95adab24ed7a3883a482970c138172697f24293d014f9bbfdef435b52e4dfed49a78b8aa7a6b8973f679cae353caed4e53b14b0635ce6cd1c53f74

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
182KB

MD5
c504d8729e461403728d50eae2b8e2e5

SHA1
5a21583df44a9b9f7fb7db626c04eab640281033

SHA256
a755ee40c6b074a3a8a2f45e0c216d9bd9f3d91618172e695979aa36714778e5

SHA512
7299ca1afa95adab24ed7a3883a482970c138172697f24293d014f9bbfdef435b52e4dfed49a78b8aa7a6b8973f679cae353caed4e53b14b0635ce6cd1c53f74

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
182KB

MD5
3ffde2bc82897bc2639428c608077fd6

SHA1
d6936e2deaf070d7d318870f7a024685faf6bb37

SHA256
d247ebade4e6a0f6e7136b240c6af9525592ed5a75441813c100a0f34f2bdb3a

SHA512
3809352e55fa7a14c5ec24edec64031dd81f146393ffb8a4341d88c81e4984d270ee241a84f319ac0b78a0a3bc37300c3be8ff186ac88beba924ef4de6ebd6bf

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
182KB

MD5
3ffde2bc82897bc2639428c608077fd6

SHA1
d6936e2deaf070d7d318870f7a024685faf6bb37

SHA256
d247ebade4e6a0f6e7136b240c6af9525592ed5a75441813c100a0f34f2bdb3a

SHA512
3809352e55fa7a14c5ec24edec64031dd81f146393ffb8a4341d88c81e4984d270ee241a84f319ac0b78a0a3bc37300c3be8ff186ac88beba924ef4de6ebd6bf

Download Submit
C:\Program Files\Common Files\DESIGNER\backup.exe

Filesize
182KB

MD5
de586d4c8abe16c71f60f1097e3e8da6

SHA1
bd5f42e03b8ba0bc6d44d607c83564162eb5b89e

SHA256
c6d941e52a718d5654ec4cf050efb2325eebb796f8f149da9de98eb32d7a0223

SHA512
ae07bdd22f94ca3c0452a1e567502d5b831ae7f618606c50dde7385d521825b1c9f6e5b85018b127a8f59b59fc3371a1c19e444fda9662da2306e327a2283d5b

Download Submit
C:\Program Files\Common Files\DESIGNER\backup.exe

Filesize
182KB

MD5
de586d4c8abe16c71f60f1097e3e8da6

SHA1
bd5f42e03b8ba0bc6d44d607c83564162eb5b89e

SHA256
c6d941e52a718d5654ec4cf050efb2325eebb796f8f149da9de98eb32d7a0223

SHA512
ae07bdd22f94ca3c0452a1e567502d5b831ae7f618606c50dde7385d521825b1c9f6e5b85018b127a8f59b59fc3371a1c19e444fda9662da2306e327a2283d5b

Download Submit
C:\Program Files\Common Files\Services\backup.exe

Filesize
182KB

MD5
c80965aa0f7da03e081d0036b78fd0d0

SHA1
6d957e3ea8ff83ecd0513eb65419797c057bc969

SHA256
9d6bb2d828909b5a9d3e4f07aecb9d4973a58bb34c8d7b5590f6268801599fa8

SHA512
fc79d216d3819fa73df52404bf7044664d566fb30dfb1108e273805e196b674991322405ac52ece964330e342f7be8655498a1a34ddc77af85f43875d31a8634

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
182KB

MD5
213d24e3beb8f88e66046679b0991765

SHA1
a521692c1a26b7520523038c00eedf88f859370e

SHA256
4e112b34b2748f7559d9855a94a9b178c887b0778df5b48376c725f3588612cb

SHA512
14f9345a7f7698026e6ce15d5d93641643dce15e7511f22f1d18f350fc87a10bb4af8edd34328bc904338243380c2732326b83349b825c20a9ab04f78e52b6c5

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
182KB

MD5
213d24e3beb8f88e66046679b0991765

SHA1
a521692c1a26b7520523038c00eedf88f859370e

SHA256
4e112b34b2748f7559d9855a94a9b178c887b0778df5b48376c725f3588612cb

SHA512
14f9345a7f7698026e6ce15d5d93641643dce15e7511f22f1d18f350fc87a10bb4af8edd34328bc904338243380c2732326b83349b825c20a9ab04f78e52b6c5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe

Filesize
182KB

MD5
30e411df08b25b540733cf4b10f5006f

SHA1
d1f7cef9647c52211c146f55b5502885aafabe31

SHA256
911af4ee00a014679917c5162fa3872d18f094bdee65694280ebd9f98221751a

SHA512
2cce8e5188b72a25e88ddad4e2499a68a0d9313bcd5ac942b35185d9a74f7679bba5c350a5f2e24bd85995a94f8c796762e59998fa997d0b0219f790658aaf78

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe

Filesize
182KB

MD5
30e411df08b25b540733cf4b10f5006f

SHA1
d1f7cef9647c52211c146f55b5502885aafabe31

SHA256
911af4ee00a014679917c5162fa3872d18f094bdee65694280ebd9f98221751a

SHA512
2cce8e5188b72a25e88ddad4e2499a68a0d9313bcd5ac942b35185d9a74f7679bba5c350a5f2e24bd85995a94f8c796762e59998fa997d0b0219f790658aaf78

Download Submit
C:\Program Files\Common Files\microsoft shared\backup.exe

Filesize
182KB

MD5
437fe23eda746bdbd6f49c4b514a2d33

SHA1
c986a482e764f8458827544e97f5818c51610ce6

SHA256
0b2a0d73cd70d0b34aaad29a8157fbb62c66430a11750bd17381820459a2d1fa

SHA512
c53e01e68eb201f0886256d17333972dc3177158296f1ab9d28eb961f679aa7d92ab134fb6d95b1836b52f04d10e37a0c0f62cc3c8b8ea5817f4ab5d9e0ed462

Download Submit
C:\Program Files\Common Files\microsoft shared\backup.exe

Filesize
182KB

MD5
437fe23eda746bdbd6f49c4b514a2d33

SHA1
c986a482e764f8458827544e97f5818c51610ce6

SHA256
0b2a0d73cd70d0b34aaad29a8157fbb62c66430a11750bd17381820459a2d1fa

SHA512
c53e01e68eb201f0886256d17333972dc3177158296f1ab9d28eb961f679aa7d92ab134fb6d95b1836b52f04d10e37a0c0f62cc3c8b8ea5817f4ab5d9e0ed462

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\backup.exe

Filesize
182KB

MD5
30e411df08b25b540733cf4b10f5006f

SHA1
d1f7cef9647c52211c146f55b5502885aafabe31

SHA256
911af4ee00a014679917c5162fa3872d18f094bdee65694280ebd9f98221751a

SHA512
2cce8e5188b72a25e88ddad4e2499a68a0d9313bcd5ac942b35185d9a74f7679bba5c350a5f2e24bd85995a94f8c796762e59998fa997d0b0219f790658aaf78

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\backup.exe

Filesize
182KB

MD5
30e411df08b25b540733cf4b10f5006f

SHA1
d1f7cef9647c52211c146f55b5502885aafabe31

SHA256
911af4ee00a014679917c5162fa3872d18f094bdee65694280ebd9f98221751a

SHA512
2cce8e5188b72a25e88ddad4e2499a68a0d9313bcd5ac942b35185d9a74f7679bba5c350a5f2e24bd85995a94f8c796762e59998fa997d0b0219f790658aaf78

Download Submit
C:\Program Files\Google\backup.exe

Filesize
182KB

MD5
e90501a08bd08bb0e2f74fcc38464b32

SHA1
c10e8f14afdcec80182475b2027b24c85b60bef7

SHA256
5eaad5723e9e3a0b86d53d0c149a9e17f66719ed27416c96e8656862e2bf98b9

SHA512
892a2059746a70b2b5de5eb7541ef2b4b1e65b71ea2ea8d32f0d368c3dd60f7cee0a21aafb5689131d5c3d51b5acf9145409534554cb4ba77a84820a054c2266

Download Submit
C:\Program Files\Google\backup.exe

Filesize
182KB

MD5
e90501a08bd08bb0e2f74fcc38464b32

SHA1
c10e8f14afdcec80182475b2027b24c85b60bef7

SHA256
5eaad5723e9e3a0b86d53d0c149a9e17f66719ed27416c96e8656862e2bf98b9

SHA512
892a2059746a70b2b5de5eb7541ef2b4b1e65b71ea2ea8d32f0d368c3dd60f7cee0a21aafb5689131d5c3d51b5acf9145409534554cb4ba77a84820a054c2266

Download Submit
C:\Program Files\backup.exe

Filesize
182KB

MD5
31cda73172870c4c878eb79f03a1052a

SHA1
a24ac965a3998bd4883dba3ee21ae9f391b9bd3f

SHA256
1dae189374b4ecdae99cb7b6ec51d388d6dca92f372f9175c5e1fc1aad893e20

SHA512
d24eeb0bd09120f6e979884207f99fd8534d9432d822ba3aa3e093787ae56c78a86e6d276b66ca2f9eabe6a478d0556d29e00b34875cb16f7db29ca6c699939e

Download Submit
C:\Program Files\backup.exe

Filesize
182KB

MD5
31cda73172870c4c878eb79f03a1052a

SHA1
a24ac965a3998bd4883dba3ee21ae9f391b9bd3f

SHA256
1dae189374b4ecdae99cb7b6ec51d388d6dca92f372f9175c5e1fc1aad893e20

SHA512
d24eeb0bd09120f6e979884207f99fd8534d9432d822ba3aa3e093787ae56c78a86e6d276b66ca2f9eabe6a478d0556d29e00b34875cb16f7db29ca6c699939e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1089149054\backup.exe

Filesize
182KB

MD5
63b11168682e566e70df352b452c3ed9

SHA1
860a62a7a91441739202966f40dc4c13b3334a23

SHA256
72a76cbf0ad207bd262c236b5a4dfe70b6b08dfc49b613286d26e3d65051f747

SHA512
bd31560930b41d5d9fc29b528edf38628d04a7e1149f7f8b85d97a31405a2da5ae49ebd65b87ea9fda0e14012db2b165c4536d62462b48a1b8be822ac88a206a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1089149054\backup.exe

Filesize
182KB

MD5
63b11168682e566e70df352b452c3ed9

SHA1
860a62a7a91441739202966f40dc4c13b3334a23

SHA256
72a76cbf0ad207bd262c236b5a4dfe70b6b08dfc49b613286d26e3d65051f747

SHA512
bd31560930b41d5d9fc29b528edf38628d04a7e1149f7f8b85d97a31405a2da5ae49ebd65b87ea9fda0e14012db2b165c4536d62462b48a1b8be822ac88a206a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1089149054\backup.exe

Filesize
182KB

MD5
63b11168682e566e70df352b452c3ed9

SHA1
860a62a7a91441739202966f40dc4c13b3334a23

SHA256
72a76cbf0ad207bd262c236b5a4dfe70b6b08dfc49b613286d26e3d65051f747

SHA512
bd31560930b41d5d9fc29b528edf38628d04a7e1149f7f8b85d97a31405a2da5ae49ebd65b87ea9fda0e14012db2b165c4536d62462b48a1b8be822ac88a206a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
182KB

MD5
63b11168682e566e70df352b452c3ed9

SHA1
860a62a7a91441739202966f40dc4c13b3334a23

SHA256
72a76cbf0ad207bd262c236b5a4dfe70b6b08dfc49b613286d26e3d65051f747

SHA512
bd31560930b41d5d9fc29b528edf38628d04a7e1149f7f8b85d97a31405a2da5ae49ebd65b87ea9fda0e14012db2b165c4536d62462b48a1b8be822ac88a206a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
182KB

MD5
63b11168682e566e70df352b452c3ed9

SHA1
860a62a7a91441739202966f40dc4c13b3334a23

SHA256
72a76cbf0ad207bd262c236b5a4dfe70b6b08dfc49b613286d26e3d65051f747

SHA512
bd31560930b41d5d9fc29b528edf38628d04a7e1149f7f8b85d97a31405a2da5ae49ebd65b87ea9fda0e14012db2b165c4536d62462b48a1b8be822ac88a206a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
182KB

MD5
1fb8ae61a7f99a53503d1086c31c4492

SHA1
40d7b109d7480d85e3bea7da519fcd80d8a61225

SHA256
203d4d093df07851da581f42cfa11008b4af0dd505a0181b472d450634da3030

SHA512
7de8fbf8ee0769a0d059b3629a05a45f8aab8d52ce8fe5e424c3290eb0b8eb759f1162c9de464138595fdb5bedc7a25aa31ccd354d95cdf09f2bc989e7edd490

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
182KB

MD5
1fb8ae61a7f99a53503d1086c31c4492

SHA1
40d7b109d7480d85e3bea7da519fcd80d8a61225

SHA256
203d4d093df07851da581f42cfa11008b4af0dd505a0181b472d450634da3030

SHA512
7de8fbf8ee0769a0d059b3629a05a45f8aab8d52ce8fe5e424c3290eb0b8eb759f1162c9de464138595fdb5bedc7a25aa31ccd354d95cdf09f2bc989e7edd490

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
182KB

MD5
1fb8ae61a7f99a53503d1086c31c4492

SHA1
40d7b109d7480d85e3bea7da519fcd80d8a61225

SHA256
203d4d093df07851da581f42cfa11008b4af0dd505a0181b472d450634da3030

SHA512
7de8fbf8ee0769a0d059b3629a05a45f8aab8d52ce8fe5e424c3290eb0b8eb759f1162c9de464138595fdb5bedc7a25aa31ccd354d95cdf09f2bc989e7edd490

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
182KB

MD5
1fb8ae61a7f99a53503d1086c31c4492

SHA1
40d7b109d7480d85e3bea7da519fcd80d8a61225

SHA256
203d4d093df07851da581f42cfa11008b4af0dd505a0181b472d450634da3030

SHA512
7de8fbf8ee0769a0d059b3629a05a45f8aab8d52ce8fe5e424c3290eb0b8eb759f1162c9de464138595fdb5bedc7a25aa31ccd354d95cdf09f2bc989e7edd490

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\Exported\backup.exe

Filesize
182KB

MD5
f22c1ac87e30baffb633bd808a645210

SHA1
eb5e793c669d846387aca550649f7b6ab298c825

SHA256
47d2b6c7485a3f5cec809084f3e71eb0367411d5db5dcdd43c4fee8f9e945a09

SHA512
ec852372021f2551b285aea1fe8b7ad0e6f3334d6331639a49847a29cddb1553a79d10da73a95df323894766e0c7969f58b3f0fcd04fbb02526cc3fcefa79633

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\Exported\backup.exe

Filesize
182KB

MD5
f22c1ac87e30baffb633bd808a645210

SHA1
eb5e793c669d846387aca550649f7b6ab298c825

SHA256
47d2b6c7485a3f5cec809084f3e71eb0367411d5db5dcdd43c4fee8f9e945a09

SHA512
ec852372021f2551b285aea1fe8b7ad0e6f3334d6331639a49847a29cddb1553a79d10da73a95df323894766e0c7969f58b3f0fcd04fbb02526cc3fcefa79633

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\backup.exe

Filesize
182KB

MD5
25370e92dfc2d1034cff0d55f2ce46a6

SHA1
0d82c2151ac2e50a6a077f106cce861fc0b9f64e

SHA256
53d1bb072544e27cc7e3b31d59d2e7729f37cfd3d86259b8cdf81368a92a1434

SHA512
6e52c40ac829e11610ec489a26a9f56c98934c8b4c7ebc5bdd6a273c0dbb89f241b51548a3768d93de4d8bcc9b0c97f9f7f716c95631871e57d35655c69d5999

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\backup.exe

Filesize
182KB

MD5
25370e92dfc2d1034cff0d55f2ce46a6

SHA1
0d82c2151ac2e50a6a077f106cce861fc0b9f64e

SHA256
53d1bb072544e27cc7e3b31d59d2e7729f37cfd3d86259b8cdf81368a92a1434

SHA512
6e52c40ac829e11610ec489a26a9f56c98934c8b4c7ebc5bdd6a273c0dbb89f241b51548a3768d93de4d8bcc9b0c97f9f7f716c95631871e57d35655c69d5999

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneNote\backup.exe

Filesize
182KB

MD5
1fb8ae61a7f99a53503d1086c31c4492

SHA1
40d7b109d7480d85e3bea7da519fcd80d8a61225

SHA256
203d4d093df07851da581f42cfa11008b4af0dd505a0181b472d450634da3030

SHA512
7de8fbf8ee0769a0d059b3629a05a45f8aab8d52ce8fe5e424c3290eb0b8eb759f1162c9de464138595fdb5bedc7a25aa31ccd354d95cdf09f2bc989e7edd490

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneNote\backup.exe

Filesize
182KB

MD5
1fb8ae61a7f99a53503d1086c31c4492

SHA1
40d7b109d7480d85e3bea7da519fcd80d8a61225

SHA256
203d4d093df07851da581f42cfa11008b4af0dd505a0181b472d450634da3030

SHA512
7de8fbf8ee0769a0d059b3629a05a45f8aab8d52ce8fe5e424c3290eb0b8eb759f1162c9de464138595fdb5bedc7a25aa31ccd354d95cdf09f2bc989e7edd490

Download Submit
C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe

Filesize
182KB

MD5
63b11168682e566e70df352b452c3ed9

SHA1
860a62a7a91441739202966f40dc4c13b3334a23

SHA256
72a76cbf0ad207bd262c236b5a4dfe70b6b08dfc49b613286d26e3d65051f747

SHA512
bd31560930b41d5d9fc29b528edf38628d04a7e1149f7f8b85d97a31405a2da5ae49ebd65b87ea9fda0e14012db2b165c4536d62462b48a1b8be822ac88a206a

Download Submit
C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe

Filesize
182KB

MD5
63b11168682e566e70df352b452c3ed9

SHA1
860a62a7a91441739202966f40dc4c13b3334a23

SHA256
72a76cbf0ad207bd262c236b5a4dfe70b6b08dfc49b613286d26e3d65051f747

SHA512
bd31560930b41d5d9fc29b528edf38628d04a7e1149f7f8b85d97a31405a2da5ae49ebd65b87ea9fda0e14012db2b165c4536d62462b48a1b8be822ac88a206a

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
182KB

MD5
63b11168682e566e70df352b452c3ed9

SHA1
860a62a7a91441739202966f40dc4c13b3334a23

SHA256
72a76cbf0ad207bd262c236b5a4dfe70b6b08dfc49b613286d26e3d65051f747

SHA512
bd31560930b41d5d9fc29b528edf38628d04a7e1149f7f8b85d97a31405a2da5ae49ebd65b87ea9fda0e14012db2b165c4536d62462b48a1b8be822ac88a206a

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
182KB

MD5
63b11168682e566e70df352b452c3ed9

SHA1
860a62a7a91441739202966f40dc4c13b3334a23

SHA256
72a76cbf0ad207bd262c236b5a4dfe70b6b08dfc49b613286d26e3d65051f747

SHA512
bd31560930b41d5d9fc29b528edf38628d04a7e1149f7f8b85d97a31405a2da5ae49ebd65b87ea9fda0e14012db2b165c4536d62462b48a1b8be822ac88a206a

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
182KB

MD5
1fb8ae61a7f99a53503d1086c31c4492

SHA1
40d7b109d7480d85e3bea7da519fcd80d8a61225

SHA256
203d4d093df07851da581f42cfa11008b4af0dd505a0181b472d450634da3030

SHA512
7de8fbf8ee0769a0d059b3629a05a45f8aab8d52ce8fe5e424c3290eb0b8eb759f1162c9de464138595fdb5bedc7a25aa31ccd354d95cdf09f2bc989e7edd490

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
182KB

MD5
1fb8ae61a7f99a53503d1086c31c4492

SHA1
40d7b109d7480d85e3bea7da519fcd80d8a61225

SHA256
203d4d093df07851da581f42cfa11008b4af0dd505a0181b472d450634da3030

SHA512
7de8fbf8ee0769a0d059b3629a05a45f8aab8d52ce8fe5e424c3290eb0b8eb759f1162c9de464138595fdb5bedc7a25aa31ccd354d95cdf09f2bc989e7edd490

Download Submit
C:\Users\Admin\AppData\Local\Temp\{7A9B1486-ACF7-475D-AFE2-E4002B78CED6}\data.exe

Filesize
182KB

MD5
50f0e1be98d979c7cf2aaada7e59b21a

SHA1
929f1a1f629667e497a90d1873ea1095c4e6f99a

SHA256
783362bd89e8c517d32eec48e81421ee526dce881e69d04a4aeca6a5ed39352e

SHA512
5cdaedcbb310c6a83dcd9751cff5af960eba3a35aaa93982c888c12f5b97850784570214e5257629a4007f57e8eaaad37ae260705481d3d43cdea8e5119d0163

Download Submit
C:\Users\Admin\AppData\Local\Temp\{7A9B1486-ACF7-475D-AFE2-E4002B78CED6}\data.exe

Filesize
182KB

MD5
50f0e1be98d979c7cf2aaada7e59b21a

SHA1
929f1a1f629667e497a90d1873ea1095c4e6f99a

SHA256
783362bd89e8c517d32eec48e81421ee526dce881e69d04a4aeca6a5ed39352e

SHA512
5cdaedcbb310c6a83dcd9751cff5af960eba3a35aaa93982c888c12f5b97850784570214e5257629a4007f57e8eaaad37ae260705481d3d43cdea8e5119d0163

Download Submit
C:\Users\backup.exe

Filesize
182KB

MD5
99e39aab9dec04ae8c0c17d2fcb8756b

SHA1
bfd7a028b2328965fa247e9f3285be0beab595ad

SHA256
058f320978e39523ddb345e64f355ba6b8ee46dbb20ece30ac5acb1e44d2ed36

SHA512
605dcc4f2ff25f3f4b907e9ededfa283dfa88dd2c1cb8ad6a0f3605034acf6617012541cd1296549cb305e8e3a30abec1425a46d5a2f36b11cb246ce355692d7

Download Submit
C:\backup.exe

Filesize
182KB

MD5
8df9759c262272c891c2974805642e32

SHA1
be845a7babc51813cd334ae92d9fc5bfcd533284

SHA256
01417429ef417a3f45adb1039e4225500a86e9756e13784eed7d129494ff9264

SHA512
0d9d35f6b5b4af5654c83edcd093cc22d4341fae5a712be437a0e805e42a971c6dc2de3f41ff4944b117cec9b5e02b2ffd6ead8dee61360002c344f8cef143f9

Download Submit
C:\backup.exe

Filesize
182KB

MD5
8df9759c262272c891c2974805642e32

SHA1
be845a7babc51813cd334ae92d9fc5bfcd533284

SHA256
01417429ef417a3f45adb1039e4225500a86e9756e13784eed7d129494ff9264

SHA512
0d9d35f6b5b4af5654c83edcd093cc22d4341fae5a712be437a0e805e42a971c6dc2de3f41ff4944b117cec9b5e02b2ffd6ead8dee61360002c344f8cef143f9

Download Submit
C:\odt\backup.exe

Filesize
182KB

MD5
fb1716b601d5bb0acf2f1b9cb6e754e1

SHA1
17abd5fa8c49095ec5138f09b6a1b0f6e9debf64

SHA256
f1ce90ab4100d18877bc447963b4742b4238632140f69eaf5189afdde53d30de

SHA512
7adaecfc682bd68c91d80228bcff2b1e2525c2da47bce8f73238695156c13be51131e5f4676c83abed625fb8e5bae07f5808419aa4bb7c70f97a355e466b8536

Download Submit
C:\odt\backup.exe

Filesize
182KB

MD5
fb1716b601d5bb0acf2f1b9cb6e754e1

SHA1
17abd5fa8c49095ec5138f09b6a1b0f6e9debf64

SHA256
f1ce90ab4100d18877bc447963b4742b4238632140f69eaf5189afdde53d30de

SHA512
7adaecfc682bd68c91d80228bcff2b1e2525c2da47bce8f73238695156c13be51131e5f4676c83abed625fb8e5bae07f5808419aa4bb7c70f97a355e466b8536

Download Submit
memory/312-376-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/388-198-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/388-348-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/560-292-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1044-175-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1088-294-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1088-343-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1176-312-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1192-263-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1260-60-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1284-87-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1284-349-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1316-203-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1316-193-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1524-359-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1560-368-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1568-114-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1568-81-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1628-120-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1728-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1788-377-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1808-142-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1920-250-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1972-212-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1992-347-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1992-261-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2136-388-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2196-98-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2380-293-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2400-133-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2460-375-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2496-236-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2584-117-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2680-10-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2680-0-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2680-382-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2720-163-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2800-354-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2800-319-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3448-85-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3448-140-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3488-86-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3488-139-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3804-295-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3816-187-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3820-121-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3820-134-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4192-226-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4276-373-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4280-32-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4500-369-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4544-73-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4676-76-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4696-374-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4708-124-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4708-372-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4836-45-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4896-385-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4948-296-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4956-223-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5048-21-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5056-197-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5056-346-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5084-365-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads