ff3299bfa4a48663ce6aa29d2770e7255c49f196d3bb944e00c4f625c0c95c79

Analysis

max time kernel
40s
max time network
124s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
01/11/2023, 14:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.f3c052df138dfd5b618c62f85091f640.exe
Size

378KB
MD5

f3c052df138dfd5b618c62f85091f640
SHA1

993f55cdc9b181254b4d11db218c28cbf60e8314
SHA256

ff3299bfa4a48663ce6aa29d2770e7255c49f196d3bb944e00c4f625c0c95c79
SHA512

974856d168e7a90f60c8681b2962f8956cd46e7b1753cafda83910af680f84b6815affe3b5b69a24a9b65a87ce92d62444bd92865b213d2038e509711bc4678f
SSDEEP

384:XqnuO1JCHYdHz4XpfHEI6/dDEPjaVC6fMbUyFm0tyXLBI89wvuAv1mwnA3Z3BXRN:Xqnum1F6/789ujYTyLylze70wi3BEmF

Score

10^/10

evasion upx

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	NEAS.f3c052df138dfd5b618c62f85091f640.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Executes dropped EXE 64 IoCs

pid	Process
1728	backup.exe
2644	backup.exe
2640	backup.exe
2504	backup.exe
2440	backup.exe
2000	backup.exe
3040	System Restore.exe
672	backup.exe
2844	backup.exe
2864	backup.exe
2188	backup.exe
748	backup.exe
2472	backup.exe
1224	backup.exe
2156	backup.exe
2056	backup.exe
1940	backup.exe
2264	backup.exe
1112	backup.exe
2276	data.exe
3020	backup.exe
2104	backup.exe
2992	backup.exe
2224	backup.exe
1704	backup.exe
2952	backup.exe
2728	backup.exe
2880	backup.exe
2108	backup.exe
2584	data.exe
2708	update.exe
2500	backup.exe
2480	backup.exe
2976	backup.exe
2792	backup.exe
2848	backup.exe
3052	backup.exe
2956	backup.exe
2844	backup.exe
1640	backup.exe
1524	backup.exe
1496	backup.exe
2008	backup.exe
1972	backup.exe
2004	System Restore.exe
876	backup.exe
1864	backup.exe
2264	backup.exe
308	backup.exe
532	backup.exe
1084	backup.exe
1512	backup.exe
900	backup.exe
2944	backup.exe
1772	backup.exe
2872	backup.exe
3020	backup.exe
1544	backup.exe
1604	backup.exe
1616	backup.exe
2624	backup.exe
2224	backup.exe
2352	backup.exe
2544	update.exe

Loads dropped DLL 64 IoCs

pid	Process
2576	NEAS.f3c052df138dfd5b618c62f85091f640.exe
2576	NEAS.f3c052df138dfd5b618c62f85091f640.exe
2576	NEAS.f3c052df138dfd5b618c62f85091f640.exe
2576	NEAS.f3c052df138dfd5b618c62f85091f640.exe
2576	NEAS.f3c052df138dfd5b618c62f85091f640.exe
2576	NEAS.f3c052df138dfd5b618c62f85091f640.exe
2576	NEAS.f3c052df138dfd5b618c62f85091f640.exe
2576	NEAS.f3c052df138dfd5b618c62f85091f640.exe
2576	NEAS.f3c052df138dfd5b618c62f85091f640.exe
2576	NEAS.f3c052df138dfd5b618c62f85091f640.exe
2576	NEAS.f3c052df138dfd5b618c62f85091f640.exe
2576	NEAS.f3c052df138dfd5b618c62f85091f640.exe
2576	NEAS.f3c052df138dfd5b618c62f85091f640.exe
2576	NEAS.f3c052df138dfd5b618c62f85091f640.exe
672	backup.exe
672	backup.exe
2844	backup.exe
2844	backup.exe
672	backup.exe
672	backup.exe
2188	backup.exe
2188	backup.exe
748	backup.exe
748	backup.exe
2188	backup.exe
2188	backup.exe
1224	backup.exe
1224	backup.exe
2156	backup.exe
2156	backup.exe
2156	backup.exe
2156	backup.exe
1940	backup.exe
1940	backup.exe
1940	backup.exe
1940	backup.exe
2188	backup.exe
2188	backup.exe
1224	backup.exe
672	backup.exe
1224	backup.exe
672	backup.exe
2156	backup.exe
2156	backup.exe
1940	backup.exe
1940	backup.exe
2104	backup.exe
2104	backup.exe
1224	backup.exe
1224	backup.exe
2188	backup.exe
2276	data.exe
2276	data.exe
1940	backup.exe
1940	backup.exe
1704	backup.exe
2992	backup.exe
1704	backup.exe
2992	backup.exe
2952	backup.exe
2952	backup.exe
2708	update.exe
2708	update.exe
2708	update.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2576-0-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral1/files/0x0035000000016fda-5.dat	upx
behavioral1/files/0x0035000000016fda-11.dat	upx
behavioral1/files/0x0035000000016fda-9.dat	upx
behavioral1/files/0x0035000000016fda-7.dat	upx
behavioral1/files/0x00060000000186cf-15.dat	upx
behavioral1/files/0x00060000000186cf-17.dat	upx
behavioral1/memory/2644-22-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral1/files/0x00060000000186cf-21.dat	upx
behavioral1/memory/2644-26-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral1/files/0x0008000000018b16-27.dat	upx
behavioral1/files/0x0008000000018b16-29.dat	upx
behavioral1/files/0x0008000000018b16-33.dat	upx
behavioral1/files/0x0008000000018b10-40.dat	upx
behavioral1/files/0x0008000000018b10-45.dat	upx
behavioral1/memory/2504-46-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral1/memory/2576-39-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral1/files/0x0008000000018b10-37.dat	upx
behavioral1/memory/2504-50-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral1/files/0x0033000000016fdf-51.dat	upx
behavioral1/files/0x0033000000016fdf-54.dat	upx
behavioral1/files/0x0033000000016fdf-59.dat	upx
behavioral1/memory/1728-58-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral1/memory/2440-63-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral1/files/0x0006000000018b9b-64.dat	upx
behavioral1/files/0x0006000000018b9b-66.dat	upx
behavioral1/files/0x0006000000018b9b-70.dat	upx
behavioral1/memory/2000-74-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral1/files/0x0006000000018bc0-75.dat	upx
behavioral1/files/0x0006000000018bc0-77.dat	upx
behavioral1/memory/2640-78-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral1/files/0x0006000000018bc0-83.dat	upx
behavioral1/memory/3040-86-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral1/files/0x0035000000016fda-88.dat	upx
behavioral1/files/0x0006000000018bc4-94.dat	upx
behavioral1/files/0x0006000000018bc4-99.dat	upx
behavioral1/files/0x0005000000019322-101.dat	upx
behavioral1/files/0x0005000000019322-103.dat	upx
behavioral1/files/0x0005000000019322-107.dat	upx
behavioral1/files/0x0005000000019322-112.dat	upx
behavioral1/files/0x0005000000019394-114.dat	upx
behavioral1/files/0x0005000000019394-116.dat	upx
behavioral1/files/0x0005000000019394-120.dat	upx
behavioral1/memory/2844-126-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral1/memory/2864-137-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral1/files/0x000600000001932c-138.dat	upx
behavioral1/files/0x000600000001932c-140.dat	upx
behavioral1/memory/672-145-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral1/files/0x000600000001932c-144.dat	upx
behavioral1/files/0x000600000001932c-148.dat	upx
behavioral1/files/0x0006000000019396-152.dat	upx
behavioral1/files/0x0006000000019396-150.dat	upx
behavioral1/files/0x0006000000019396-157.dat	upx
behavioral1/files/0x0006000000019396-160.dat	upx
behavioral1/files/0x0005000000019472-162.dat	upx
behavioral1/files/0x0005000000019472-164.dat	upx
behavioral1/files/0x0005000000019472-169.dat	upx
behavioral1/files/0x0006000000019480-177.dat	upx
behavioral1/files/0x0006000000019480-175.dat	upx
behavioral1/memory/748-174-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral1/memory/2472-173-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral1/files/0x0006000000019480-182.dat	upx
behavioral1/files/0x0006000000019480-185.dat	upx
behavioral1/files/0x0005000000019495-187.dat	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\DVD Maker\data.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\de-DE\backup.exe	data.exe
File opened for modification	C:\Program Files\DVD Maker\en-US\backup.exe	data.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\fr-FR\System Restore.exe	data.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Services\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\update.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\ja-JP\backup.exe	data.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\it-IT\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\System\ado\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\backup.exe	data.exe
File opened for modification	C:\Program Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\es-ES\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\System\ado\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\de-DE\data.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\Lang\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2576	NEAS.f3c052df138dfd5b618c62f85091f640.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2576	NEAS.f3c052df138dfd5b618c62f85091f640.exe
1728	backup.exe
2644	backup.exe
2640	backup.exe
2504	backup.exe
2440	backup.exe
2000	backup.exe
3040	System Restore.exe
672	backup.exe
2844	backup.exe
2864	backup.exe
2188	backup.exe
748	backup.exe
2472	backup.exe
1224	backup.exe
2156	backup.exe
2056	backup.exe
1940	backup.exe
2264	backup.exe
1112	backup.exe
2276	data.exe
3020	backup.exe
2104	backup.exe
2992	backup.exe
2224	backup.exe
1704	backup.exe
2952	backup.exe
2728	backup.exe
2108	backup.exe
2584	data.exe
2708	update.exe
2880	backup.exe
2500	backup.exe
2480	backup.exe
2976	backup.exe
2792	backup.exe
3052	backup.exe
2848	backup.exe
2956	backup.exe
2844	backup.exe
1496	backup.exe
1640	backup.exe
1524	backup.exe
2008	backup.exe
2004	System Restore.exe
1972	backup.exe
876	backup.exe
308	backup.exe
2264	backup.exe
1864	backup.exe
532	backup.exe
1084	backup.exe
900	backup.exe
1772	backup.exe
2872	backup.exe
2944	backup.exe
1544	backup.exe
1512	backup.exe
3020	backup.exe
1616	backup.exe
1604	backup.exe
2224	backup.exe
2624	backup.exe
2352	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2576 wrote to memory of 1728	2576	NEAS.f3c052df138dfd5b618c62f85091f640.exe	28
PID 2576 wrote to memory of 1728	2576	NEAS.f3c052df138dfd5b618c62f85091f640.exe	28
PID 2576 wrote to memory of 1728	2576	NEAS.f3c052df138dfd5b618c62f85091f640.exe	28
PID 2576 wrote to memory of 1728	2576	NEAS.f3c052df138dfd5b618c62f85091f640.exe	28
PID 2576 wrote to memory of 2644	2576	NEAS.f3c052df138dfd5b618c62f85091f640.exe	29
PID 2576 wrote to memory of 2644	2576	NEAS.f3c052df138dfd5b618c62f85091f640.exe	29
PID 2576 wrote to memory of 2644	2576	NEAS.f3c052df138dfd5b618c62f85091f640.exe	29
PID 2576 wrote to memory of 2644	2576	NEAS.f3c052df138dfd5b618c62f85091f640.exe	29
PID 2576 wrote to memory of 2640	2576	NEAS.f3c052df138dfd5b618c62f85091f640.exe	30
PID 2576 wrote to memory of 2640	2576	NEAS.f3c052df138dfd5b618c62f85091f640.exe	30
PID 2576 wrote to memory of 2640	2576	NEAS.f3c052df138dfd5b618c62f85091f640.exe	30
PID 2576 wrote to memory of 2640	2576	NEAS.f3c052df138dfd5b618c62f85091f640.exe	30
PID 2576 wrote to memory of 2504	2576	NEAS.f3c052df138dfd5b618c62f85091f640.exe	31
PID 2576 wrote to memory of 2504	2576	NEAS.f3c052df138dfd5b618c62f85091f640.exe	31
PID 2576 wrote to memory of 2504	2576	NEAS.f3c052df138dfd5b618c62f85091f640.exe	31
PID 2576 wrote to memory of 2504	2576	NEAS.f3c052df138dfd5b618c62f85091f640.exe	31
PID 2576 wrote to memory of 2440	2576	NEAS.f3c052df138dfd5b618c62f85091f640.exe	32
PID 2576 wrote to memory of 2440	2576	NEAS.f3c052df138dfd5b618c62f85091f640.exe	32
PID 2576 wrote to memory of 2440	2576	NEAS.f3c052df138dfd5b618c62f85091f640.exe	32
PID 2576 wrote to memory of 2440	2576	NEAS.f3c052df138dfd5b618c62f85091f640.exe	32
PID 2576 wrote to memory of 2000	2576	NEAS.f3c052df138dfd5b618c62f85091f640.exe	33
PID 2576 wrote to memory of 2000	2576	NEAS.f3c052df138dfd5b618c62f85091f640.exe	33
PID 2576 wrote to memory of 2000	2576	NEAS.f3c052df138dfd5b618c62f85091f640.exe	33
PID 2576 wrote to memory of 2000	2576	NEAS.f3c052df138dfd5b618c62f85091f640.exe	33
PID 2576 wrote to memory of 3040	2576	NEAS.f3c052df138dfd5b618c62f85091f640.exe	34
PID 2576 wrote to memory of 3040	2576	NEAS.f3c052df138dfd5b618c62f85091f640.exe	34
PID 2576 wrote to memory of 3040	2576	NEAS.f3c052df138dfd5b618c62f85091f640.exe	34
PID 2576 wrote to memory of 3040	2576	NEAS.f3c052df138dfd5b618c62f85091f640.exe	34
PID 1728 wrote to memory of 672	1728	backup.exe	35
PID 1728 wrote to memory of 672	1728	backup.exe	35
PID 1728 wrote to memory of 672	1728	backup.exe	35
PID 1728 wrote to memory of 672	1728	backup.exe	35
PID 672 wrote to memory of 2844	672	backup.exe	36
PID 672 wrote to memory of 2844	672	backup.exe	36
PID 672 wrote to memory of 2844	672	backup.exe	36
PID 672 wrote to memory of 2844	672	backup.exe	36
PID 2844 wrote to memory of 2864	2844	backup.exe	37
PID 2844 wrote to memory of 2864	2844	backup.exe	37
PID 2844 wrote to memory of 2864	2844	backup.exe	37
PID 2844 wrote to memory of 2864	2844	backup.exe	37
PID 672 wrote to memory of 2188	672	backup.exe	38
PID 672 wrote to memory of 2188	672	backup.exe	38
PID 672 wrote to memory of 2188	672	backup.exe	38
PID 672 wrote to memory of 2188	672	backup.exe	38
PID 2188 wrote to memory of 748	2188	backup.exe	39
PID 2188 wrote to memory of 748	2188	backup.exe	39
PID 2188 wrote to memory of 748	2188	backup.exe	39
PID 2188 wrote to memory of 748	2188	backup.exe	39
PID 748 wrote to memory of 2472	748	backup.exe	40
PID 748 wrote to memory of 2472	748	backup.exe	40
PID 748 wrote to memory of 2472	748	backup.exe	40
PID 748 wrote to memory of 2472	748	backup.exe	40
PID 2188 wrote to memory of 1224	2188	backup.exe	41
PID 2188 wrote to memory of 1224	2188	backup.exe	41
PID 2188 wrote to memory of 1224	2188	backup.exe	41
PID 2188 wrote to memory of 1224	2188	backup.exe	41
PID 1224 wrote to memory of 2156	1224	backup.exe	42
PID 1224 wrote to memory of 2156	1224	backup.exe	42
PID 1224 wrote to memory of 2156	1224	backup.exe	42
PID 1224 wrote to memory of 2156	1224	backup.exe	42
PID 2156 wrote to memory of 2056	2156	backup.exe	43
PID 2156 wrote to memory of 2056	2156	backup.exe	43
PID 2156 wrote to memory of 2056	2156	backup.exe	43
PID 2156 wrote to memory of 2056	2156	backup.exe	43

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	NEAS.f3c052df138dfd5b618c62f85091f640.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.f3c052df138dfd5b618c62f85091f640.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.f3c052df138dfd5b618c62f85091f640.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2576
- C:\Users\Admin\AppData\Local\Temp\1286746945\backup.exe
  C:\Users\Admin\AppData\Local\Temp\1286746945\backup.exe C:\Users\Admin\AppData\Local\Temp\1286746945\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1728
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:672
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2844
    - - C:\PerfLogs\Admin\backup.exe
        
        C:\PerfLogs\Admin\backup.exe C:\PerfLogs\Admin\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2864
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2188
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:748
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2472
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1224
      - C:\Program Files\Common Files\Microsoft Shared\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\backup.exe" C:\Program Files\Common Files\Microsoft Shared\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2156
        
        C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2056
        
        C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1940
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2264
        
        C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1112
        
        C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2224
        
        C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2880
        
        C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2792
        
        C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1524
        
        C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:308
        
        C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2944
        
        C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
        8⤵
        
        PID:772
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\
        8⤵
        
        PID:2676
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\
        8⤵
        
        PID:2444
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\
        8⤵
        
        PID:1292
        
        C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\
        8⤵
        
        PID:2352
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\
        8⤵
        
        PID:1964
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\
        8⤵
        
        PID:1676
        
        C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\
        8⤵
        
        PID:2652
        
        C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\
        8⤵
        
        PID:592
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2992
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\data.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2584
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2956
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1972
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1084
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1544
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2352
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:2656
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\
        8⤵
        
        PID:804
        
        C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
        7⤵
        
        PID:2952
        
        C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\
        7⤵
        
        PID:2308
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\
        7⤵
        
        PID:2276
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\
        7⤵
        
        PID:2808
        
        C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VC\
        7⤵
        
        PID:768
        
        C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VGX\
        7⤵
        
        PID:1612
        
        C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\
        7⤵
        
        PID:1648
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3020
      - C:\Program Files\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\backup.exe" C:\Program Files\Common Files\SpeechEngines\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1704
        
        C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files\Common Files\SpeechEngines\Microsoft\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:2108
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3052
        
        C:\Program Files\Common Files\System\ado\backup.exe
        
        "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1496
        
        C:\Program Files\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2264
        
        C:\Program Files\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:900
        
        C:\Program Files\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1616
        
        C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1636
        
        C:\Program Files\Common Files\System\ado\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\
        8⤵
        
        PID:832
        
        C:\Program Files\Common Files\System\ado\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\
        8⤵
        
        PID:2700
        
        C:\Program Files\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        
        PID:1644
        
        C:\Program Files\Common Files\System\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        
        PID:2856
        
        C:\Program Files\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
        7⤵
        
        PID:1480
        
        C:\Program Files\Common Files\System\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\fr-FR\backup.exe" C:\Program Files\Common Files\System\fr-FR\
        7⤵
        
        PID:2728
        
        C:\Program Files\Common Files\System\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\it-IT\backup.exe" C:\Program Files\Common Files\System\it-IT\
        7⤵
        
        PID:1904
        
        C:\Program Files\Common Files\System\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ja-JP\backup.exe" C:\Program Files\Common Files\System\ja-JP\
        7⤵
        
        PID:1344
        
        C:\Program Files\Common Files\System\msadc\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\backup.exe" C:\Program Files\Common Files\System\msadc\
        7⤵
        
        PID:1128
    - - C:\Program Files\DVD Maker\data.exe
        
        "C:\Program Files\DVD Maker\data.exe" C:\Program Files\DVD Maker\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2276
      - C:\Program Files\DVD Maker\de-DE\backup.exe
        
        "C:\Program Files\DVD Maker\de-DE\backup.exe" C:\Program Files\DVD Maker\de-DE\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2728
      - C:\Program Files\DVD Maker\en-US\backup.exe
        
        "C:\Program Files\DVD Maker\en-US\backup.exe" C:\Program Files\DVD Maker\en-US\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2480
      - C:\Program Files\DVD Maker\es-ES\backup.exe
        
        "C:\Program Files\DVD Maker\es-ES\backup.exe" C:\Program Files\DVD Maker\es-ES\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2844
      - C:\Program Files\DVD Maker\fr-FR\System Restore.exe
        
        "C:\Program Files\DVD Maker\fr-FR\System Restore.exe" C:\Program Files\DVD Maker\fr-FR\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2004
      - C:\Program Files\DVD Maker\it-IT\backup.exe
        
        "C:\Program Files\DVD Maker\it-IT\backup.exe" C:\Program Files\DVD Maker\it-IT\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:532
      - C:\Program Files\DVD Maker\ja-JP\backup.exe
        
        "C:\Program Files\DVD Maker\ja-JP\backup.exe" C:\Program Files\DVD Maker\ja-JP\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1512
      - C:\Program Files\DVD Maker\Shared\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\backup.exe" C:\Program Files\DVD Maker\Shared\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2224
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\
        7⤵
        
        PID:2840
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\
        8⤵
        
        PID:2312
    - - C:\Program Files\Google\update.exe
        
        "C:\Program Files\Google\update.exe" C:\Program Files\Google\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:2708
      - C:\Program Files\Google\Chrome\backup.exe
        
        "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:2976
        
        C:\Program Files\Google\Chrome\Application\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\backup.exe" C:\Program Files\Google\Chrome\Application\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2008
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1864
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1772
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1604
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\
        9⤵
        
        PID:2164
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\
        9⤵
        
        PID:2536
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\
        9⤵
        
        PID:896
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\
        9⤵
        
        PID:2640
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\
        9⤵
        
        PID:2664
        
        C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe" C:\Program Files\Google\Chrome\Application\SetupMetrics\
        8⤵
        
        PID:1096
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:2880
      - C:\Program Files\Internet Explorer\de-DE\data.exe
        
        "C:\Program Files\Internet Explorer\de-DE\data.exe" C:\Program Files\Internet Explorer\de-DE\
        6⤵
        
        PID:1396
      - C:\Program Files\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files\Internet Explorer\en-US\backup.exe" C:\Program Files\Internet Explorer\en-US\
        6⤵
        
        PID:2568
      - C:\Program Files\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files\Internet Explorer\es-ES\backup.exe" C:\Program Files\Internet Explorer\es-ES\
        6⤵
        
        PID:1088
      - C:\Program Files\Internet Explorer\fr-FR\backup.exe
        
        "C:\Program Files\Internet Explorer\fr-FR\backup.exe" C:\Program Files\Internet Explorer\fr-FR\
        6⤵
        
        PID:2528
      - C:\Program Files\Internet Explorer\images\backup.exe
        
        "C:\Program Files\Internet Explorer\images\backup.exe" C:\Program Files\Internet Explorer\images\
        6⤵
        
        PID:1132
      - C:\Program Files\Internet Explorer\it-IT\backup.exe
        
        "C:\Program Files\Internet Explorer\it-IT\backup.exe" C:\Program Files\Internet Explorer\it-IT\
        6⤵
        
        PID:1932
      - C:\Program Files\Internet Explorer\ja-JP\backup.exe
        
        "C:\Program Files\Internet Explorer\ja-JP\backup.exe" C:\Program Files\Internet Explorer\ja-JP\
        6⤵
        
        PID:2496
      - C:\Program Files\Internet Explorer\SIGNUP\backup.exe
        
        "C:\Program Files\Internet Explorer\SIGNUP\backup.exe" C:\Program Files\Internet Explorer\SIGNUP\
        6⤵
        
        PID:996
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        
        PID:2628
    - - C:\Program Files\Microsoft Games\backup.exe
        
        "C:\Program Files\Microsoft Games\backup.exe" C:\Program Files\Microsoft Games\
        5⤵
        
        PID:2272
    - - C:\Program Files\Microsoft Office\backup.exe
        
        "C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
        5⤵
        
        PID:2292
    - - C:\Program Files\Mozilla Firefox\backup.exe
        
        "C:\Program Files\Mozilla Firefox\backup.exe" C:\Program Files\Mozilla Firefox\
        5⤵
        
        PID:2504
    - - C:\Program Files\MSBuild\backup.exe
        
        "C:\Program Files\MSBuild\backup.exe" C:\Program Files\MSBuild\
        5⤵
        
        PID:1484
    - - C:\Program Files\Reference Assemblies\backup.exe
        
        "C:\Program Files\Reference Assemblies\backup.exe" C:\Program Files\Reference Assemblies\
        5⤵
        
        PID:1972
    - - C:\Program Files\VideoLAN\backup.exe
        
        "C:\Program Files\VideoLAN\backup.exe" C:\Program Files\VideoLAN\
        5⤵
        
        PID:1616
    - - C:\Program Files\Windows Defender\backup.exe
        
        "C:\Program Files\Windows Defender\backup.exe" C:\Program Files\Windows Defender\
        5⤵
        
        PID:808
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:2104
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:2952
      - C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2500
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2848
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1640
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:876
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2872
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2624
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\
        8⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1924
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\
        9⤵
        
        PID:524
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\
        8⤵
        
        PID:2512
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\
        8⤵
        
        PID:844
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\
        8⤵
        
        PID:320
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\
        8⤵
        
        PID:1920
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\
        8⤵
        
        PID:2764
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\
        8⤵
        
        PID:1348
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\
        7⤵
        
        PID:2032
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\
        8⤵
        
        PID:2056
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\
        8⤵
        
        PID:1608
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\
        8⤵
        
        PID:2168
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\
        8⤵
        
        PID:1124
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\
        8⤵
        
        PID:2476
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\System Restore.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\
        7⤵
        
        PID:2832
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        
        PID:2780
      - C:\Program Files (x86)\Common Files\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
        6⤵
        
        PID:1656
      - C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\
        6⤵
        
        PID:2572
      - C:\Program Files (x86)\Common Files\DESIGNER\backup.exe
        
        "C:\Program Files (x86)\Common Files\DESIGNER\backup.exe" C:\Program Files (x86)\Common Files\DESIGNER\
        6⤵
        
        PID:876
      - C:\Program Files (x86)\Common Files\microsoft shared\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\
        6⤵
        
        PID:2296
      - C:\Program Files (x86)\Common Files\Services\backup.exe
        
        "C:\Program Files (x86)\Common Files\Services\backup.exe" C:\Program Files (x86)\Common Files\Services\
        6⤵
        
        PID:1948
      - C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe" C:\Program Files (x86)\Common Files\SpeechEngines\
        6⤵
        
        PID:2140
      - C:\Program Files (x86)\Common Files\System\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\backup.exe" C:\Program Files (x86)\Common Files\System\
        6⤵
        
        PID:2768
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        
        PID:1880
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        
        PID:1224
    - - C:\Program Files (x86)\Microsoft Analysis Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\
        5⤵
        
        PID:3068
    - - C:\Program Files (x86)\Microsoft Office\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\backup.exe" C:\Program Files (x86)\Microsoft Office\
        5⤵
        
        PID:3040
    - - C:\Program Files (x86)\Microsoft SQL Server Compact Edition\System Restore.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\System Restore.exe" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\
        5⤵
        
        PID:2556
    - - C:\Program Files (x86)\Microsoft Sync Framework\backup.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\backup.exe" C:\Program Files (x86)\Microsoft Sync Framework\
        5⤵
        
        PID:2612
    - - C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe" C:\Program Files (x86)\Microsoft Synchronization Services\
        5⤵
        
        PID:1524
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:3020
    - - C:\Users\Admin\update.exe
        
        C:\Users\Admin\update.exe C:\Users\Admin\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        
        PID:2544
      - C:\Users\Admin\Contacts\backup.exe
        
        C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
        6⤵
        
        PID:2864
      - C:\Users\Admin\Desktop\backup.exe
        
        C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
        6⤵
        
        PID:1148
      - C:\Users\Admin\Documents\backup.exe
        
        C:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\
        6⤵
        
        PID:1692
      - C:\Users\Admin\Downloads\backup.exe
        
        C:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\
        6⤵
        
        PID:1944
      - C:\Users\Admin\Favorites\backup.exe
        
        C:\Users\Admin\Favorites\backup.exe C:\Users\Admin\Favorites\
        6⤵
        
        PID:2036
      - C:\Users\Admin\Links\backup.exe
        
        C:\Users\Admin\Links\backup.exe C:\Users\Admin\Links\
        6⤵
        
        PID:2284
      - C:\Users\Admin\Music\backup.exe
        
        C:\Users\Admin\Music\backup.exe C:\Users\Admin\Music\
        6⤵
        
        PID:1716
    - - C:\Users\Public\backup.exe
        
        C:\Users\Public\backup.exe C:\Users\Public\
        5⤵
        
        PID:2980
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      PID:2932
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2644
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2640
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2504
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2440
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2000
- C:\Users\Admin\AppData\Local\Temp\WPDNSE\System Restore.exe
  "C:\Users\Admin\AppData\Local\Temp\WPDNSE\System Restore.exe" C:\Users\Admin\AppData\Local\Temp\WPDNSE\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:3040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\backup.exe

Filesize
378KB

MD5
4574c57b978c3a356a6f41edbdcc1004

SHA1
f70c3f477f4ebd47a512d5ff57db25b47cc16346

SHA256
da7e942802dd48caf2069bbfcab27678bc698ae55336bbb40a24a5ce829cc7b4

SHA512
667b6e589bb8a895a0a90dc9bd43eb862687efaf95b350ba9735d61755ae32a9ef04d4886ebf4883a0abd6ba88b5580174f957ad6967ccec75751b7979e216e3

Download Submit
C:\PerfLogs\backup.exe

Filesize
378KB

MD5
1fcbe78e0d8b51d548fcf740b9557245

SHA1
1ce3f4f2fa09b2173525ba93b3806ae795fb540f

SHA256
b105107e40427aebc122da81a2c853cec80f1d7c17610821aa1b66dcd7498b7f

SHA512
1b05f473226d12238ee8b5bee5fe6ed1423dba14eb91812083187111dca8973385073398d84d161cd07c9e4586e86a38e308381e1ec3055fd0b081ab5cb9bb8b

Download Submit
C:\PerfLogs\backup.exe

Filesize
378KB

MD5
1fcbe78e0d8b51d548fcf740b9557245

SHA1
1ce3f4f2fa09b2173525ba93b3806ae795fb540f

SHA256
b105107e40427aebc122da81a2c853cec80f1d7c17610821aa1b66dcd7498b7f

SHA512
1b05f473226d12238ee8b5bee5fe6ed1423dba14eb91812083187111dca8973385073398d84d161cd07c9e4586e86a38e308381e1ec3055fd0b081ab5cb9bb8b

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
378KB

MD5
3bc817d1b4eefe5b5f98dec12749970e

SHA1
89e237604d0b8bcfb4779f1d6c0672e9b2ba7872

SHA256
2812cfafd6571941fef0056c9311dae36a0c0b09fdfe1dc8fd72013198ad3536

SHA512
08127436cac794814229d97a6a1d19e05c50a7d8a01cbfd06b0cc50f1fc0f07112c0683611c8a99c37338d12f328a717780cbc0e469114fa1ab2c6af9d31f7f0

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
378KB

MD5
12ad36834c0d921d5dc68f39f8275eca

SHA1
eae87bd778d7701b3d408c45e0c0951a8692c680

SHA256
4d9499b770699e46dd79cfb09a7b7b295ebd16e755482ea265612d3d4a6ce50d

SHA512
2ded1fb6cac08c40a013d03919cc6436ffccdf2257f62e1049a98b1621b8e2b6a9a7c9558fd9616fef90cc1acaea437202830224a67e1f9dcf34db0ffdd67802

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
378KB

MD5
12ad36834c0d921d5dc68f39f8275eca

SHA1
eae87bd778d7701b3d408c45e0c0951a8692c680

SHA256
4d9499b770699e46dd79cfb09a7b7b295ebd16e755482ea265612d3d4a6ce50d

SHA512
2ded1fb6cac08c40a013d03919cc6436ffccdf2257f62e1049a98b1621b8e2b6a9a7c9558fd9616fef90cc1acaea437202830224a67e1f9dcf34db0ffdd67802

Download Submit
C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
378KB

MD5
410e4b5c698cbd3e4d1ac3abe54cffae

SHA1
647f16ba7500b31d36f5850b4a52b90b8f0b4a40

SHA256
4870038cf704778d60e3ff15165b64773e1fa047d64a650a1207c4885c225fdb

SHA512
c0d820520c2d7b9c453527d75377327f8a4696833a5a42d67eac63dcc4cc9c9e720e9b4034c0968e1e0e1e98b13ec0878786fcf5dde300ddd119042d524595e3

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
378KB

MD5
cca153139b9c7ec4cab1333880cc1164

SHA1
b6ba745d651f9a8b00e143e100ebf87ea101b779

SHA256
f2dc9e0197614b457f499cbe592d4e828ebf0302f177d12be470ab6ec0b1efad

SHA512
35d4b7c016fb105c5bf2dd6f13c6843e368d2758fc349f12380f75d50cd52d9d4b02c695389f1ede0861c3ddbc937d2df017cfef47056a36171823f836a3daca

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
378KB

MD5
cca153139b9c7ec4cab1333880cc1164

SHA1
b6ba745d651f9a8b00e143e100ebf87ea101b779

SHA256
f2dc9e0197614b457f499cbe592d4e828ebf0302f177d12be470ab6ec0b1efad

SHA512
35d4b7c016fb105c5bf2dd6f13c6843e368d2758fc349f12380f75d50cd52d9d4b02c695389f1ede0861c3ddbc937d2df017cfef47056a36171823f836a3daca

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
378KB

MD5
38380ca1ddb8cf7c7de939b32ce6c769

SHA1
9336464afd0a7451474e0e3389bd766edc6951ac

SHA256
98459447a4db739b4e6add0533d9fd4734b16196eac150d299e8337f09c3bc5b

SHA512
d300b64476b1c93636f4e841d59e8642fc3a4f6ac766b139a7c23fb8652350e3ed2e0a5bfc9e5ef18a169920d8ba24dd258c2cf3235f2d312886bcbd507bbe71

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
378KB

MD5
410e4b5c698cbd3e4d1ac3abe54cffae

SHA1
647f16ba7500b31d36f5850b4a52b90b8f0b4a40

SHA256
4870038cf704778d60e3ff15165b64773e1fa047d64a650a1207c4885c225fdb

SHA512
c0d820520c2d7b9c453527d75377327f8a4696833a5a42d67eac63dcc4cc9c9e720e9b4034c0968e1e0e1e98b13ec0878786fcf5dde300ddd119042d524595e3

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
378KB

MD5
410e4b5c698cbd3e4d1ac3abe54cffae

SHA1
647f16ba7500b31d36f5850b4a52b90b8f0b4a40

SHA256
4870038cf704778d60e3ff15165b64773e1fa047d64a650a1207c4885c225fdb

SHA512
c0d820520c2d7b9c453527d75377327f8a4696833a5a42d67eac63dcc4cc9c9e720e9b4034c0968e1e0e1e98b13ec0878786fcf5dde300ddd119042d524595e3

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
378KB

MD5
38380ca1ddb8cf7c7de939b32ce6c769

SHA1
9336464afd0a7451474e0e3389bd766edc6951ac

SHA256
98459447a4db739b4e6add0533d9fd4734b16196eac150d299e8337f09c3bc5b

SHA512
d300b64476b1c93636f4e841d59e8642fc3a4f6ac766b139a7c23fb8652350e3ed2e0a5bfc9e5ef18a169920d8ba24dd258c2cf3235f2d312886bcbd507bbe71

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
378KB

MD5
12ad36834c0d921d5dc68f39f8275eca

SHA1
eae87bd778d7701b3d408c45e0c0951a8692c680

SHA256
4d9499b770699e46dd79cfb09a7b7b295ebd16e755482ea265612d3d4a6ce50d

SHA512
2ded1fb6cac08c40a013d03919cc6436ffccdf2257f62e1049a98b1621b8e2b6a9a7c9558fd9616fef90cc1acaea437202830224a67e1f9dcf34db0ffdd67802

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
378KB

MD5
12ad36834c0d921d5dc68f39f8275eca

SHA1
eae87bd778d7701b3d408c45e0c0951a8692c680

SHA256
4d9499b770699e46dd79cfb09a7b7b295ebd16e755482ea265612d3d4a6ce50d

SHA512
2ded1fb6cac08c40a013d03919cc6436ffccdf2257f62e1049a98b1621b8e2b6a9a7c9558fd9616fef90cc1acaea437202830224a67e1f9dcf34db0ffdd67802

Download Submit
C:\Program Files\backup.exe

Filesize
378KB

MD5
e2b7f9954dfcb6903d903c3474c50971

SHA1
23fc65b54aab4c7b06d36eddca80a12c99f7d7aa

SHA256
0c0935242f91564a034a98b0b32566d1eed0ae4f05125051f39d578fb15fbfef

SHA512
8604a39e3a0e3270a1752402183affd1ed09fcf16f1277420dc2ce3a732026f6d829127d9d6fd18f1d4c6005bb0e87c90c97b8549c1d029045ee9b5ee121db8b

Download Submit
C:\Program Files\backup.exe

Filesize
378KB

MD5
e2b7f9954dfcb6903d903c3474c50971

SHA1
23fc65b54aab4c7b06d36eddca80a12c99f7d7aa

SHA256
0c0935242f91564a034a98b0b32566d1eed0ae4f05125051f39d578fb15fbfef

SHA512
8604a39e3a0e3270a1752402183affd1ed09fcf16f1277420dc2ce3a732026f6d829127d9d6fd18f1d4c6005bb0e87c90c97b8549c1d029045ee9b5ee121db8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1286746945\backup.exe

Filesize
378KB

MD5
82071442ec603bc112bea749823fb073

SHA1
e08aa03948e072d9a12e961620a950ab76861a19

SHA256
90d8426e72cee4818572f15ee144d98c35287386cba0e75927fa65bc898da8c0

SHA512
8321f1aa1bd46c2e4d91f989803d68262d6e08212a3fbabd2ed56fba94ef02d3b3ab5c97ce21ee9c6fc16d2a24e9df726b1d7c0a540603bf1f11c5781ae8eb44

Download Submit
C:\Users\Admin\AppData\Local\Temp\1286746945\backup.exe

Filesize
378KB

MD5
82071442ec603bc112bea749823fb073

SHA1
e08aa03948e072d9a12e961620a950ab76861a19

SHA256
90d8426e72cee4818572f15ee144d98c35287386cba0e75927fa65bc898da8c0

SHA512
8321f1aa1bd46c2e4d91f989803d68262d6e08212a3fbabd2ed56fba94ef02d3b3ab5c97ce21ee9c6fc16d2a24e9df726b1d7c0a540603bf1f11c5781ae8eb44

Download Submit
C:\Users\Admin\AppData\Local\Temp\1286746945\backup.exe

Filesize
378KB

MD5
82071442ec603bc112bea749823fb073

SHA1
e08aa03948e072d9a12e961620a950ab76861a19

SHA256
90d8426e72cee4818572f15ee144d98c35287386cba0e75927fa65bc898da8c0

SHA512
8321f1aa1bd46c2e4d91f989803d68262d6e08212a3fbabd2ed56fba94ef02d3b3ab5c97ce21ee9c6fc16d2a24e9df726b1d7c0a540603bf1f11c5781ae8eb44

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
378KB

MD5
82071442ec603bc112bea749823fb073

SHA1
e08aa03948e072d9a12e961620a950ab76861a19

SHA256
90d8426e72cee4818572f15ee144d98c35287386cba0e75927fa65bc898da8c0

SHA512
8321f1aa1bd46c2e4d91f989803d68262d6e08212a3fbabd2ed56fba94ef02d3b3ab5c97ce21ee9c6fc16d2a24e9df726b1d7c0a540603bf1f11c5781ae8eb44

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
378KB

MD5
82071442ec603bc112bea749823fb073

SHA1
e08aa03948e072d9a12e961620a950ab76861a19

SHA256
90d8426e72cee4818572f15ee144d98c35287386cba0e75927fa65bc898da8c0

SHA512
8321f1aa1bd46c2e4d91f989803d68262d6e08212a3fbabd2ed56fba94ef02d3b3ab5c97ce21ee9c6fc16d2a24e9df726b1d7c0a540603bf1f11c5781ae8eb44

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
378KB

MD5
0810d0357d9f87c2e69151842c5a4554

SHA1
7fc44415244affc413d521bc73ff527e924502d8

SHA256
edad358e693b59b62440c2f0984475eeb12bd53fe3e8e66e14a49f37f1dd1238

SHA512
63f9e732f4c3313acfdbc461862f23c5e0c4b28cc9fa9b6f1248e943a16f071a3a8cd2f66caeb72b7d7f2f4e65b495cf9e5c50ba3c2330e559b58ffff55033ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPDNSE\System Restore.exe

Filesize
378KB

MD5
0810d0357d9f87c2e69151842c5a4554

SHA1
7fc44415244affc413d521bc73ff527e924502d8

SHA256
edad358e693b59b62440c2f0984475eeb12bd53fe3e8e66e14a49f37f1dd1238

SHA512
63f9e732f4c3313acfdbc461862f23c5e0c4b28cc9fa9b6f1248e943a16f071a3a8cd2f66caeb72b7d7f2f4e65b495cf9e5c50ba3c2330e559b58ffff55033ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
378KB

MD5
82071442ec603bc112bea749823fb073

SHA1
e08aa03948e072d9a12e961620a950ab76861a19

SHA256
90d8426e72cee4818572f15ee144d98c35287386cba0e75927fa65bc898da8c0

SHA512
8321f1aa1bd46c2e4d91f989803d68262d6e08212a3fbabd2ed56fba94ef02d3b3ab5c97ce21ee9c6fc16d2a24e9df726b1d7c0a540603bf1f11c5781ae8eb44

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
378KB

MD5
0810d0357d9f87c2e69151842c5a4554

SHA1
7fc44415244affc413d521bc73ff527e924502d8

SHA256
edad358e693b59b62440c2f0984475eeb12bd53fe3e8e66e14a49f37f1dd1238

SHA512
63f9e732f4c3313acfdbc461862f23c5e0c4b28cc9fa9b6f1248e943a16f071a3a8cd2f66caeb72b7d7f2f4e65b495cf9e5c50ba3c2330e559b58ffff55033ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.zip

Filesize
23KB

MD5
d10bce5593195f5a42ae454b0096ba93

SHA1
dee24b93f9baf16b7472775bb567f235dede3581

SHA256
0cc505cd0fadb45180932cae2e3007e9827b77ad7369474840688646a9f6dbfb

SHA512
3d6f29328059b6386f9f6b266c9d2c120aba72e04f55c0ad306d09e28260279a3659dbc6af96013f1418dee63bb54382991fbd9d094eabaf1677ad365cdc71a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.zip

Filesize
22B

MD5
76cdb2bad9582d23c1f6f4d868218d6c

SHA1
b04f3ee8f5e43fa3b162981b50bb72fe1acabb33

SHA256
8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85

SHA512
5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

Download Submit
C:\backup.exe

Filesize
378KB

MD5
bf1d7e35a86cd971010a556e77e55637

SHA1
b1001e0f4df379f47ebd60b99be31cd7618b283a

SHA256
779c491d90933d4cf91e2052ffbff69b4fe9a3f17ea2daa638a8ef85ae50ee2b

SHA512
43f08f5bf10f698b5233e2d236fbc05f57688abc83298759987dbf6252d81b70652899bd7f5fe68014e5721caf9070c8db13b8f09519f765bba16b74048a2d94

Download Submit
C:\backup.exe

Filesize
378KB

MD5
bf1d7e35a86cd971010a556e77e55637

SHA1
b1001e0f4df379f47ebd60b99be31cd7618b283a

SHA256
779c491d90933d4cf91e2052ffbff69b4fe9a3f17ea2daa638a8ef85ae50ee2b

SHA512
43f08f5bf10f698b5233e2d236fbc05f57688abc83298759987dbf6252d81b70652899bd7f5fe68014e5721caf9070c8db13b8f09519f765bba16b74048a2d94

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
378KB

MD5
4574c57b978c3a356a6f41edbdcc1004

SHA1
f70c3f477f4ebd47a512d5ff57db25b47cc16346

SHA256
da7e942802dd48caf2069bbfcab27678bc698ae55336bbb40a24a5ce829cc7b4

SHA512
667b6e589bb8a895a0a90dc9bd43eb862687efaf95b350ba9735d61755ae32a9ef04d4886ebf4883a0abd6ba88b5580174f957ad6967ccec75751b7979e216e3

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
378KB

MD5
4574c57b978c3a356a6f41edbdcc1004

SHA1
f70c3f477f4ebd47a512d5ff57db25b47cc16346

SHA256
da7e942802dd48caf2069bbfcab27678bc698ae55336bbb40a24a5ce829cc7b4

SHA512
667b6e589bb8a895a0a90dc9bd43eb862687efaf95b350ba9735d61755ae32a9ef04d4886ebf4883a0abd6ba88b5580174f957ad6967ccec75751b7979e216e3

Download Submit
\PerfLogs\backup.exe

Filesize
378KB

MD5
1fcbe78e0d8b51d548fcf740b9557245

SHA1
1ce3f4f2fa09b2173525ba93b3806ae795fb540f

SHA256
b105107e40427aebc122da81a2c853cec80f1d7c17610821aa1b66dcd7498b7f

SHA512
1b05f473226d12238ee8b5bee5fe6ed1423dba14eb91812083187111dca8973385073398d84d161cd07c9e4586e86a38e308381e1ec3055fd0b081ab5cb9bb8b

Download Submit
\PerfLogs\backup.exe

Filesize
378KB

MD5
1fcbe78e0d8b51d548fcf740b9557245

SHA1
1ce3f4f2fa09b2173525ba93b3806ae795fb540f

SHA256
b105107e40427aebc122da81a2c853cec80f1d7c17610821aa1b66dcd7498b7f

SHA512
1b05f473226d12238ee8b5bee5fe6ed1423dba14eb91812083187111dca8973385073398d84d161cd07c9e4586e86a38e308381e1ec3055fd0b081ab5cb9bb8b

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
378KB

MD5
3bc817d1b4eefe5b5f98dec12749970e

SHA1
89e237604d0b8bcfb4779f1d6c0672e9b2ba7872

SHA256
2812cfafd6571941fef0056c9311dae36a0c0b09fdfe1dc8fd72013198ad3536

SHA512
08127436cac794814229d97a6a1d19e05c50a7d8a01cbfd06b0cc50f1fc0f07112c0683611c8a99c37338d12f328a717780cbc0e469114fa1ab2c6af9d31f7f0

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
378KB

MD5
3bc817d1b4eefe5b5f98dec12749970e

SHA1
89e237604d0b8bcfb4779f1d6c0672e9b2ba7872

SHA256
2812cfafd6571941fef0056c9311dae36a0c0b09fdfe1dc8fd72013198ad3536

SHA512
08127436cac794814229d97a6a1d19e05c50a7d8a01cbfd06b0cc50f1fc0f07112c0683611c8a99c37338d12f328a717780cbc0e469114fa1ab2c6af9d31f7f0

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
378KB

MD5
12ad36834c0d921d5dc68f39f8275eca

SHA1
eae87bd778d7701b3d408c45e0c0951a8692c680

SHA256
4d9499b770699e46dd79cfb09a7b7b295ebd16e755482ea265612d3d4a6ce50d

SHA512
2ded1fb6cac08c40a013d03919cc6436ffccdf2257f62e1049a98b1621b8e2b6a9a7c9558fd9616fef90cc1acaea437202830224a67e1f9dcf34db0ffdd67802

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
378KB

MD5
12ad36834c0d921d5dc68f39f8275eca

SHA1
eae87bd778d7701b3d408c45e0c0951a8692c680

SHA256
4d9499b770699e46dd79cfb09a7b7b295ebd16e755482ea265612d3d4a6ce50d

SHA512
2ded1fb6cac08c40a013d03919cc6436ffccdf2257f62e1049a98b1621b8e2b6a9a7c9558fd9616fef90cc1acaea437202830224a67e1f9dcf34db0ffdd67802

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
378KB

MD5
410e4b5c698cbd3e4d1ac3abe54cffae

SHA1
647f16ba7500b31d36f5850b4a52b90b8f0b4a40

SHA256
4870038cf704778d60e3ff15165b64773e1fa047d64a650a1207c4885c225fdb

SHA512
c0d820520c2d7b9c453527d75377327f8a4696833a5a42d67eac63dcc4cc9c9e720e9b4034c0968e1e0e1e98b13ec0878786fcf5dde300ddd119042d524595e3

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
378KB

MD5
410e4b5c698cbd3e4d1ac3abe54cffae

SHA1
647f16ba7500b31d36f5850b4a52b90b8f0b4a40

SHA256
4870038cf704778d60e3ff15165b64773e1fa047d64a650a1207c4885c225fdb

SHA512
c0d820520c2d7b9c453527d75377327f8a4696833a5a42d67eac63dcc4cc9c9e720e9b4034c0968e1e0e1e98b13ec0878786fcf5dde300ddd119042d524595e3

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
378KB

MD5
cca153139b9c7ec4cab1333880cc1164

SHA1
b6ba745d651f9a8b00e143e100ebf87ea101b779

SHA256
f2dc9e0197614b457f499cbe592d4e828ebf0302f177d12be470ab6ec0b1efad

SHA512
35d4b7c016fb105c5bf2dd6f13c6843e368d2758fc349f12380f75d50cd52d9d4b02c695389f1ede0861c3ddbc937d2df017cfef47056a36171823f836a3daca

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
378KB

MD5
cca153139b9c7ec4cab1333880cc1164

SHA1
b6ba745d651f9a8b00e143e100ebf87ea101b779

SHA256
f2dc9e0197614b457f499cbe592d4e828ebf0302f177d12be470ab6ec0b1efad

SHA512
35d4b7c016fb105c5bf2dd6f13c6843e368d2758fc349f12380f75d50cd52d9d4b02c695389f1ede0861c3ddbc937d2df017cfef47056a36171823f836a3daca

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
378KB

MD5
38380ca1ddb8cf7c7de939b32ce6c769

SHA1
9336464afd0a7451474e0e3389bd766edc6951ac

SHA256
98459447a4db739b4e6add0533d9fd4734b16196eac150d299e8337f09c3bc5b

SHA512
d300b64476b1c93636f4e841d59e8642fc3a4f6ac766b139a7c23fb8652350e3ed2e0a5bfc9e5ef18a169920d8ba24dd258c2cf3235f2d312886bcbd507bbe71

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
378KB

MD5
38380ca1ddb8cf7c7de939b32ce6c769

SHA1
9336464afd0a7451474e0e3389bd766edc6951ac

SHA256
98459447a4db739b4e6add0533d9fd4734b16196eac150d299e8337f09c3bc5b

SHA512
d300b64476b1c93636f4e841d59e8642fc3a4f6ac766b139a7c23fb8652350e3ed2e0a5bfc9e5ef18a169920d8ba24dd258c2cf3235f2d312886bcbd507bbe71

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
378KB

MD5
410e4b5c698cbd3e4d1ac3abe54cffae

SHA1
647f16ba7500b31d36f5850b4a52b90b8f0b4a40

SHA256
4870038cf704778d60e3ff15165b64773e1fa047d64a650a1207c4885c225fdb

SHA512
c0d820520c2d7b9c453527d75377327f8a4696833a5a42d67eac63dcc4cc9c9e720e9b4034c0968e1e0e1e98b13ec0878786fcf5dde300ddd119042d524595e3

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
378KB

MD5
410e4b5c698cbd3e4d1ac3abe54cffae

SHA1
647f16ba7500b31d36f5850b4a52b90b8f0b4a40

SHA256
4870038cf704778d60e3ff15165b64773e1fa047d64a650a1207c4885c225fdb

SHA512
c0d820520c2d7b9c453527d75377327f8a4696833a5a42d67eac63dcc4cc9c9e720e9b4034c0968e1e0e1e98b13ec0878786fcf5dde300ddd119042d524595e3

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
378KB

MD5
38380ca1ddb8cf7c7de939b32ce6c769

SHA1
9336464afd0a7451474e0e3389bd766edc6951ac

SHA256
98459447a4db739b4e6add0533d9fd4734b16196eac150d299e8337f09c3bc5b

SHA512
d300b64476b1c93636f4e841d59e8642fc3a4f6ac766b139a7c23fb8652350e3ed2e0a5bfc9e5ef18a169920d8ba24dd258c2cf3235f2d312886bcbd507bbe71

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
378KB

MD5
38380ca1ddb8cf7c7de939b32ce6c769

SHA1
9336464afd0a7451474e0e3389bd766edc6951ac

SHA256
98459447a4db739b4e6add0533d9fd4734b16196eac150d299e8337f09c3bc5b

SHA512
d300b64476b1c93636f4e841d59e8642fc3a4f6ac766b139a7c23fb8652350e3ed2e0a5bfc9e5ef18a169920d8ba24dd258c2cf3235f2d312886bcbd507bbe71

Download Submit
\Program Files\Common Files\backup.exe

Filesize
378KB

MD5
12ad36834c0d921d5dc68f39f8275eca

SHA1
eae87bd778d7701b3d408c45e0c0951a8692c680

SHA256
4d9499b770699e46dd79cfb09a7b7b295ebd16e755482ea265612d3d4a6ce50d

SHA512
2ded1fb6cac08c40a013d03919cc6436ffccdf2257f62e1049a98b1621b8e2b6a9a7c9558fd9616fef90cc1acaea437202830224a67e1f9dcf34db0ffdd67802

Download Submit
\Program Files\Common Files\backup.exe

Filesize
378KB

MD5
12ad36834c0d921d5dc68f39f8275eca

SHA1
eae87bd778d7701b3d408c45e0c0951a8692c680

SHA256
4d9499b770699e46dd79cfb09a7b7b295ebd16e755482ea265612d3d4a6ce50d

SHA512
2ded1fb6cac08c40a013d03919cc6436ffccdf2257f62e1049a98b1621b8e2b6a9a7c9558fd9616fef90cc1acaea437202830224a67e1f9dcf34db0ffdd67802

Download Submit
\Program Files\DVD Maker\data.exe

Filesize
378KB

MD5
e52d3c12f9f7710f118eb08e88417d02

SHA1
7c8092925244b1e6ce4eae315e6572a216867d6c

SHA256
534024b385e17f3b2697c41a484bb5e3c14275527cd920b253af06fde62da590

SHA512
6aaaa9175002e4924bc57c6f19bc58138d55707637d28bb6c454dbf4451d717fadeb383502aac50e878084cfd4f09dc89d2747f5aeaa0b113583dcbbdad0c664

Download Submit
\Program Files\backup.exe

Filesize
378KB

MD5
e2b7f9954dfcb6903d903c3474c50971

SHA1
23fc65b54aab4c7b06d36eddca80a12c99f7d7aa

SHA256
0c0935242f91564a034a98b0b32566d1eed0ae4f05125051f39d578fb15fbfef

SHA512
8604a39e3a0e3270a1752402183affd1ed09fcf16f1277420dc2ce3a732026f6d829127d9d6fd18f1d4c6005bb0e87c90c97b8549c1d029045ee9b5ee121db8b

Download Submit
\Program Files\backup.exe

Filesize
378KB

MD5
e2b7f9954dfcb6903d903c3474c50971

SHA1
23fc65b54aab4c7b06d36eddca80a12c99f7d7aa

SHA256
0c0935242f91564a034a98b0b32566d1eed0ae4f05125051f39d578fb15fbfef

SHA512
8604a39e3a0e3270a1752402183affd1ed09fcf16f1277420dc2ce3a732026f6d829127d9d6fd18f1d4c6005bb0e87c90c97b8549c1d029045ee9b5ee121db8b

Download Submit
\Users\Admin\AppData\Local\Temp\1286746945\backup.exe

Filesize
378KB

MD5
82071442ec603bc112bea749823fb073

SHA1
e08aa03948e072d9a12e961620a950ab76861a19

SHA256
90d8426e72cee4818572f15ee144d98c35287386cba0e75927fa65bc898da8c0

SHA512
8321f1aa1bd46c2e4d91f989803d68262d6e08212a3fbabd2ed56fba94ef02d3b3ab5c97ce21ee9c6fc16d2a24e9df726b1d7c0a540603bf1f11c5781ae8eb44

Download Submit
\Users\Admin\AppData\Local\Temp\1286746945\backup.exe

Filesize
378KB

MD5
82071442ec603bc112bea749823fb073

SHA1
e08aa03948e072d9a12e961620a950ab76861a19

SHA256
90d8426e72cee4818572f15ee144d98c35287386cba0e75927fa65bc898da8c0

SHA512
8321f1aa1bd46c2e4d91f989803d68262d6e08212a3fbabd2ed56fba94ef02d3b3ab5c97ce21ee9c6fc16d2a24e9df726b1d7c0a540603bf1f11c5781ae8eb44

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
378KB

MD5
82071442ec603bc112bea749823fb073

SHA1
e08aa03948e072d9a12e961620a950ab76861a19

SHA256
90d8426e72cee4818572f15ee144d98c35287386cba0e75927fa65bc898da8c0

SHA512
8321f1aa1bd46c2e4d91f989803d68262d6e08212a3fbabd2ed56fba94ef02d3b3ab5c97ce21ee9c6fc16d2a24e9df726b1d7c0a540603bf1f11c5781ae8eb44

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
378KB

MD5
82071442ec603bc112bea749823fb073

SHA1
e08aa03948e072d9a12e961620a950ab76861a19

SHA256
90d8426e72cee4818572f15ee144d98c35287386cba0e75927fa65bc898da8c0

SHA512
8321f1aa1bd46c2e4d91f989803d68262d6e08212a3fbabd2ed56fba94ef02d3b3ab5c97ce21ee9c6fc16d2a24e9df726b1d7c0a540603bf1f11c5781ae8eb44

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
378KB

MD5
82071442ec603bc112bea749823fb073

SHA1
e08aa03948e072d9a12e961620a950ab76861a19

SHA256
90d8426e72cee4818572f15ee144d98c35287386cba0e75927fa65bc898da8c0

SHA512
8321f1aa1bd46c2e4d91f989803d68262d6e08212a3fbabd2ed56fba94ef02d3b3ab5c97ce21ee9c6fc16d2a24e9df726b1d7c0a540603bf1f11c5781ae8eb44

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
378KB

MD5
82071442ec603bc112bea749823fb073

SHA1
e08aa03948e072d9a12e961620a950ab76861a19

SHA256
90d8426e72cee4818572f15ee144d98c35287386cba0e75927fa65bc898da8c0

SHA512
8321f1aa1bd46c2e4d91f989803d68262d6e08212a3fbabd2ed56fba94ef02d3b3ab5c97ce21ee9c6fc16d2a24e9df726b1d7c0a540603bf1f11c5781ae8eb44

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
378KB

MD5
0810d0357d9f87c2e69151842c5a4554

SHA1
7fc44415244affc413d521bc73ff527e924502d8

SHA256
edad358e693b59b62440c2f0984475eeb12bd53fe3e8e66e14a49f37f1dd1238

SHA512
63f9e732f4c3313acfdbc461862f23c5e0c4b28cc9fa9b6f1248e943a16f071a3a8cd2f66caeb72b7d7f2f4e65b495cf9e5c50ba3c2330e559b58ffff55033ea

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
378KB

MD5
0810d0357d9f87c2e69151842c5a4554

SHA1
7fc44415244affc413d521bc73ff527e924502d8

SHA256
edad358e693b59b62440c2f0984475eeb12bd53fe3e8e66e14a49f37f1dd1238

SHA512
63f9e732f4c3313acfdbc461862f23c5e0c4b28cc9fa9b6f1248e943a16f071a3a8cd2f66caeb72b7d7f2f4e65b495cf9e5c50ba3c2330e559b58ffff55033ea

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\System Restore.exe

Filesize
378KB

MD5
0810d0357d9f87c2e69151842c5a4554

SHA1
7fc44415244affc413d521bc73ff527e924502d8

SHA256
edad358e693b59b62440c2f0984475eeb12bd53fe3e8e66e14a49f37f1dd1238

SHA512
63f9e732f4c3313acfdbc461862f23c5e0c4b28cc9fa9b6f1248e943a16f071a3a8cd2f66caeb72b7d7f2f4e65b495cf9e5c50ba3c2330e559b58ffff55033ea

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\System Restore.exe

Filesize
378KB

MD5
0810d0357d9f87c2e69151842c5a4554

SHA1
7fc44415244affc413d521bc73ff527e924502d8

SHA256
edad358e693b59b62440c2f0984475eeb12bd53fe3e8e66e14a49f37f1dd1238

SHA512
63f9e732f4c3313acfdbc461862f23c5e0c4b28cc9fa9b6f1248e943a16f071a3a8cd2f66caeb72b7d7f2f4e65b495cf9e5c50ba3c2330e559b58ffff55033ea

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
378KB

MD5
82071442ec603bc112bea749823fb073

SHA1
e08aa03948e072d9a12e961620a950ab76861a19

SHA256
90d8426e72cee4818572f15ee144d98c35287386cba0e75927fa65bc898da8c0

SHA512
8321f1aa1bd46c2e4d91f989803d68262d6e08212a3fbabd2ed56fba94ef02d3b3ab5c97ce21ee9c6fc16d2a24e9df726b1d7c0a540603bf1f11c5781ae8eb44

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
378KB

MD5
82071442ec603bc112bea749823fb073

SHA1
e08aa03948e072d9a12e961620a950ab76861a19

SHA256
90d8426e72cee4818572f15ee144d98c35287386cba0e75927fa65bc898da8c0

SHA512
8321f1aa1bd46c2e4d91f989803d68262d6e08212a3fbabd2ed56fba94ef02d3b3ab5c97ce21ee9c6fc16d2a24e9df726b1d7c0a540603bf1f11c5781ae8eb44

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
378KB

MD5
0810d0357d9f87c2e69151842c5a4554

SHA1
7fc44415244affc413d521bc73ff527e924502d8

SHA256
edad358e693b59b62440c2f0984475eeb12bd53fe3e8e66e14a49f37f1dd1238

SHA512
63f9e732f4c3313acfdbc461862f23c5e0c4b28cc9fa9b6f1248e943a16f071a3a8cd2f66caeb72b7d7f2f4e65b495cf9e5c50ba3c2330e559b58ffff55033ea

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
378KB

MD5
0810d0357d9f87c2e69151842c5a4554

SHA1
7fc44415244affc413d521bc73ff527e924502d8

SHA256
edad358e693b59b62440c2f0984475eeb12bd53fe3e8e66e14a49f37f1dd1238

SHA512
63f9e732f4c3313acfdbc461862f23c5e0c4b28cc9fa9b6f1248e943a16f071a3a8cd2f66caeb72b7d7f2f4e65b495cf9e5c50ba3c2330e559b58ffff55033ea

Download Submit
memory/308-589-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/532-590-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/672-294-0x0000000001D90000-0x0000000001DAB000-memory.dmp

Filesize
108KB

Download
memory/672-145-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/672-331-0x0000000001D90000-0x0000000001DAB000-memory.dmp

Filesize
108KB

Download
memory/748-174-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/748-168-0x00000000003D0000-0x00000000003EB000-memory.dmp

Filesize
108KB

Download
memory/876-591-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/900-642-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1084-636-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1112-265-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1112-303-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1224-293-0x0000000000260000-0x000000000027B000-memory.dmp

Filesize
108KB

Download
memory/1224-234-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1512-665-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1524-539-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1544-666-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1604-682-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1616-677-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1704-423-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1704-392-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1704-376-0x0000000000270000-0x000000000028B000-memory.dmp

Filesize
108KB

Download
memory/1728-95-0x0000000000420000-0x000000000043B000-memory.dmp

Filesize
108KB

Download
memory/1728-259-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1728-58-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1772-637-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1940-256-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1940-257-0x0000000000300000-0x000000000031B000-memory.dmp

Filesize
108KB

Download
memory/1940-231-0x0000000000300000-0x000000000031B000-memory.dmp

Filesize
108KB

Download
memory/1940-261-0x0000000000300000-0x000000000031B000-memory.dmp

Filesize
108KB

Download
memory/1940-233-0x0000000000300000-0x000000000031B000-memory.dmp

Filesize
108KB

Download
memory/1940-318-0x0000000000300000-0x000000000031B000-memory.dmp

Filesize
108KB

Download
memory/1940-354-0x0000000000300000-0x000000000031B000-memory.dmp

Filesize
108KB

Download
memory/2000-74-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2004-555-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2056-211-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2104-336-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2104-384-0x0000000000290000-0x00000000002AB000-memory.dmp

Filesize
108KB

Download
memory/2104-338-0x0000000000290000-0x00000000002AB000-memory.dmp

Filesize
108KB

Download
memory/2108-418-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2156-218-0x00000000002A0000-0x00000000002BB000-memory.dmp

Filesize
108KB

Download
memory/2156-316-0x00000000002A0000-0x00000000002BB000-memory.dmp

Filesize
108KB

Download
memory/2156-255-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2156-345-0x00000000002A0000-0x00000000002BB000-memory.dmp

Filesize
108KB

Download
memory/2156-206-0x00000000002A0000-0x00000000002BB000-memory.dmp

Filesize
108KB

Download
memory/2188-278-0x0000000000260000-0x000000000027B000-memory.dmp

Filesize
108KB

Download
memory/2188-156-0x0000000000260000-0x000000000027B000-memory.dmp

Filesize
108KB

Download
memory/2188-190-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2188-301-0x0000000000260000-0x000000000027B000-memory.dmp

Filesize
108KB

Download
memory/2188-194-0x0000000000260000-0x000000000027B000-memory.dmp

Filesize
108KB

Download
memory/2188-221-0x0000000000260000-0x000000000027B000-memory.dmp

Filesize
108KB

Download
memory/2224-356-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2224-355-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2264-578-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2264-238-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2276-302-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2276-357-0x00000000004A0000-0x00000000004BB000-memory.dmp

Filesize
108KB

Download
memory/2276-325-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2276-401-0x00000000004A0000-0x00000000004BB000-memory.dmp

Filesize
108KB

Download
memory/2352-690-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2440-63-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2472-173-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2480-449-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2500-436-0x0000000000570000-0x000000000058B000-memory.dmp

Filesize
108KB

Download
memory/2504-50-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2504-46-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2576-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2576-53-0x0000000000330000-0x000000000034B000-memory.dmp

Filesize
108KB

Download
memory/2576-123-0x0000000002620000-0x0000000002621000-memory.dmp

Filesize
4KB

Download
memory/2576-96-0x0000000000330000-0x000000000034B000-memory.dmp

Filesize
108KB

Download
memory/2576-44-0x0000000000330000-0x000000000034B000-memory.dmp

Filesize
108KB

Download
memory/2576-39-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2576-181-0x0000000002620000-0x0000000002621000-memory.dmp

Filesize
4KB

Download
memory/2576-82-0x0000000000330000-0x000000000034B000-memory.dmp

Filesize
108KB

Download
memory/2576-288-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2576-258-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2584-422-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2624-687-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2640-280-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2640-78-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2644-26-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2644-22-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2708-390-0x0000000000020000-0x000000000003B000-memory.dmp

Filesize
108KB

Download
memory/2708-391-0x0000000000020000-0x000000000003B000-memory.dmp

Filesize
108KB

Download
memory/2708-468-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2728-412-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2792-462-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2844-126-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2844-508-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2848-465-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2864-137-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2872-651-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2880-359-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2880-421-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2944-679-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2952-686-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2952-389-0x0000000000260000-0x000000000027B000-memory.dmp

Filesize
108KB

Download
memory/2952-388-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2956-505-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2976-434-0x0000000000020000-0x000000000003B000-memory.dmp

Filesize
108KB

Download
memory/2976-427-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2976-432-0x0000000000020000-0x000000000003B000-memory.dmp

Filesize
108KB

Download
memory/2992-372-0x00000000002A0000-0x00000000002BB000-memory.dmp

Filesize
108KB

Download
memory/2992-437-0x00000000002A0000-0x00000000002BB000-memory.dmp

Filesize
108KB

Download
memory/2992-365-0x00000000002A0000-0x00000000002BB000-memory.dmp

Filesize
108KB

Download
memory/2992-358-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2992-445-0x00000000002A0000-0x00000000002BB000-memory.dmp

Filesize
108KB

Download
memory/2992-450-0x00000000002A0000-0x00000000002BB000-memory.dmp

Filesize
108KB

Download
memory/2992-691-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3020-306-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3040-86-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads