2ba5c12a9b142f1228887f7ee358252ed8c29fce851cd39efa50df7bc4bbfae2

Analysis

max time kernel
29s
max time network
123s
platform
windows7_x64
resource
win7-20231025-en
resource tags

arch:x64arch:x86image:win7-20231025-enlocale:en-usos:windows7-x64system
submitted
02/11/2023, 07:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.37accee2b59715b6e9de70ee3029ad20.exe
Size

84KB
MD5

37accee2b59715b6e9de70ee3029ad20
SHA1

af5bfb3f010fa54fd0b449333e462e71a099c15f
SHA256

2ba5c12a9b142f1228887f7ee358252ed8c29fce851cd39efa50df7bc4bbfae2
SHA512

43f8eda08377d4ce472e51c2506f4cc23b6da453dff93157fed0f2f8c6721e4440b286e4cb18ec58139ad1f03433aebbc6c9a1897d6e2658e597a8bcc18c85b9
SSDEEP

768:/pQNwC3BESe4Vqth+0V5vKmyLylze70wi3BEmU:BeT7BVwxfvEFwjRU

Score

10^/10

evasion upx

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 36 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	NEAS.37accee2b59715b6e9de70ee3029ad20.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Executes dropped EXE 42 IoCs

pid	Process
2296	backup.exe
2156	backup.exe
2704	update.exe
1724	data.exe
2108	backup.exe
2676	backup.exe
2556	backup.exe
3036	backup.exe
3048	backup.exe
2840	backup.exe
2884	backup.exe
1200	System Restore.exe
1752	backup.exe
1888	backup.exe
1968	backup.exe
828	backup.exe
1080	backup.exe
1144	backup.exe
2364	backup.exe
1808	backup.exe
896	backup.exe
2952	backup.exe
1948	backup.exe
1952	backup.exe
1504	backup.exe
1996	backup.exe
1212	data.exe
2068	backup.exe
2648	backup.exe
2744	backup.exe
2688	backup.exe
2900	backup.exe
2680	backup.exe
2536	backup.exe
3004	backup.exe
2484	backup.exe
3052	backup.exe
1628	backup.exe
2728	backup.exe
3056	backup.exe
760	backup.exe
2880	backup.exe

Loads dropped DLL 64 IoCs

pid	Process
2340	NEAS.37accee2b59715b6e9de70ee3029ad20.exe
2340	NEAS.37accee2b59715b6e9de70ee3029ad20.exe
2340	NEAS.37accee2b59715b6e9de70ee3029ad20.exe
2340	NEAS.37accee2b59715b6e9de70ee3029ad20.exe
2340	NEAS.37accee2b59715b6e9de70ee3029ad20.exe
2704	update.exe
2704	update.exe
2704	update.exe
2340	NEAS.37accee2b59715b6e9de70ee3029ad20.exe
2340	NEAS.37accee2b59715b6e9de70ee3029ad20.exe
2340	NEAS.37accee2b59715b6e9de70ee3029ad20.exe
2340	NEAS.37accee2b59715b6e9de70ee3029ad20.exe
2340	NEAS.37accee2b59715b6e9de70ee3029ad20.exe
2340	NEAS.37accee2b59715b6e9de70ee3029ad20.exe
2340	NEAS.37accee2b59715b6e9de70ee3029ad20.exe
2340	NEAS.37accee2b59715b6e9de70ee3029ad20.exe
3036	backup.exe
3036	backup.exe
3048	backup.exe
3048	backup.exe
3036	backup.exe
3036	backup.exe
2884	backup.exe
2884	backup.exe
3036	backup.exe
3036	backup.exe
1752	backup.exe
1752	backup.exe
2884	backup.exe
2884	backup.exe
1888	backup.exe
1888	backup.exe
1968	backup.exe
1968	backup.exe
828	backup.exe
828	backup.exe
1080	backup.exe
1080	backup.exe
828	backup.exe
828	backup.exe
1808	backup.exe
1808	backup.exe
1080	backup.exe
1080	backup.exe
896	backup.exe
896	backup.exe
1808	backup.exe
1808	backup.exe
1808	backup.exe
1808	backup.exe
896	backup.exe
896	backup.exe
1808	backup.exe
1808	backup.exe
896	backup.exe
896	backup.exe
1808	backup.exe
1808	backup.exe
896	backup.exe
896	backup.exe
2744	backup.exe
2744	backup.exe
1808	backup.exe
1808	backup.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2340-0-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x001b000000015c5f-5.dat	upx
behavioral1/files/0x001b000000015c5f-9.dat	upx
behavioral1/files/0x001b000000015c5f-7.dat	upx
behavioral1/files/0x001b000000015c5f-12.dat	upx
behavioral1/memory/2296-13-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0007000000015cc9-17.dat	upx
behavioral1/files/0x0007000000015cc9-19.dat	upx
behavioral1/files/0x0007000000015cc9-24.dat	upx
behavioral1/memory/2156-28-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0009000000015e03-29.dat	upx
behavioral1/files/0x0009000000015e03-32.dat	upx
behavioral1/files/0x0009000000015e03-33.dat	upx
behavioral1/files/0x0009000000015e03-34.dat	upx
behavioral1/files/0x0009000000015e03-35.dat	upx
behavioral1/files/0x0009000000015e03-36.dat	upx
behavioral1/memory/2340-38-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/2296-50-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0008000000015dac-45.dat	upx
behavioral1/files/0x0008000000015dac-49.dat	upx
behavioral1/files/0x0008000000015dac-42.dat	upx
behavioral1/memory/1724-54-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0006000000016058-55.dat	upx
behavioral1/files/0x0006000000016058-57.dat	upx
behavioral1/files/0x0006000000016058-62.dat	upx
behavioral1/memory/2108-66-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/2704-73-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x001d000000015c68-69.dat	upx
behavioral1/files/0x001d000000015c68-74.dat	upx
behavioral1/files/0x001d000000015c68-67.dat	upx
behavioral1/memory/2676-78-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x000600000001625c-79.dat	upx
behavioral1/files/0x000600000001625c-81.dat	upx
behavioral1/files/0x000600000001625c-85.dat	upx
behavioral1/memory/2556-89-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x001b000000015c5f-90.dat	upx
behavioral1/files/0x00060000000162d5-97.dat	upx
behavioral1/files/0x00060000000162d5-101.dat	upx
behavioral1/files/0x0006000000016594-103.dat	upx
behavioral1/files/0x0006000000016594-105.dat	upx
behavioral1/files/0x0006000000016594-109.dat	upx
behavioral1/files/0x0006000000016594-112.dat	upx
behavioral1/files/0x00060000000167f0-114.dat	upx
behavioral1/files/0x00060000000167f0-116.dat	upx
behavioral1/files/0x00060000000167f0-121.dat	upx
behavioral1/files/0x0007000000016613-131.dat	upx
behavioral1/files/0x0007000000016613-129.dat	upx
behavioral1/files/0x0007000000016613-135.dat	upx
behavioral1/memory/2840-128-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/3048-127-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0007000000016613-138.dat	upx
behavioral1/files/0x0006000000016ba2-140.dat	upx
behavioral1/files/0x0006000000016ba2-142.dat	upx
behavioral1/files/0x0006000000016ba2-146.dat	upx
behavioral1/memory/2884-161-0x00000000002F0000-0x000000000030C000-memory.dmp	upx
behavioral1/memory/3036-162-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/2340-170-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/2884-172-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x000a000000012024-175.dat	upx
behavioral1/files/0x000a000000012024-182.dat	upx
behavioral1/files/0x000a000000012024-177.dat	upx
behavioral1/files/0x000a000000012024-185.dat	upx
behavioral1/files/0x0007000000016c1e-190.dat	upx
behavioral1/files/0x0006000000016c2f-196.dat	upx

Drops file in Program Files directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe	backup.exe
File opened for modification	C:\Program Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Services\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\data.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2340	NEAS.37accee2b59715b6e9de70ee3029ad20.exe

Suspicious use of SetWindowsHookEx 39 IoCs

pid	Process
2340	NEAS.37accee2b59715b6e9de70ee3029ad20.exe
2296	backup.exe
2156	backup.exe
2704	update.exe
1724	data.exe
2108	backup.exe
2676	backup.exe
2556	backup.exe
3036	backup.exe
3048	backup.exe
2840	backup.exe
2884	backup.exe
1752	backup.exe
1968	backup.exe
1888	backup.exe
828	backup.exe
1144	backup.exe
1080	backup.exe
2364	backup.exe
1808	backup.exe
896	backup.exe
2952	backup.exe
1952	backup.exe
1948	backup.exe
1504	backup.exe
1996	backup.exe
1212	data.exe
2068	backup.exe
2744	backup.exe
2648	backup.exe
2900	backup.exe
2688	backup.exe
2680	backup.exe
2536	backup.exe
3004	backup.exe
1628	backup.exe
3056	backup.exe
2484	backup.exe
3052	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2340 wrote to memory of 2296	2340	NEAS.37accee2b59715b6e9de70ee3029ad20.exe	28
PID 2340 wrote to memory of 2296	2340	NEAS.37accee2b59715b6e9de70ee3029ad20.exe	28
PID 2340 wrote to memory of 2296	2340	NEAS.37accee2b59715b6e9de70ee3029ad20.exe	28
PID 2340 wrote to memory of 2296	2340	NEAS.37accee2b59715b6e9de70ee3029ad20.exe	28
PID 2340 wrote to memory of 2156	2340	NEAS.37accee2b59715b6e9de70ee3029ad20.exe	29
PID 2340 wrote to memory of 2156	2340	NEAS.37accee2b59715b6e9de70ee3029ad20.exe	29
PID 2340 wrote to memory of 2156	2340	NEAS.37accee2b59715b6e9de70ee3029ad20.exe	29
PID 2340 wrote to memory of 2156	2340	NEAS.37accee2b59715b6e9de70ee3029ad20.exe	29
PID 2340 wrote to memory of 2704	2340	NEAS.37accee2b59715b6e9de70ee3029ad20.exe	30
PID 2340 wrote to memory of 2704	2340	NEAS.37accee2b59715b6e9de70ee3029ad20.exe	30
PID 2340 wrote to memory of 2704	2340	NEAS.37accee2b59715b6e9de70ee3029ad20.exe	30
PID 2340 wrote to memory of 2704	2340	NEAS.37accee2b59715b6e9de70ee3029ad20.exe	30
PID 2340 wrote to memory of 2704	2340	NEAS.37accee2b59715b6e9de70ee3029ad20.exe	30
PID 2340 wrote to memory of 2704	2340	NEAS.37accee2b59715b6e9de70ee3029ad20.exe	30
PID 2340 wrote to memory of 2704	2340	NEAS.37accee2b59715b6e9de70ee3029ad20.exe	30
PID 2340 wrote to memory of 1724	2340	NEAS.37accee2b59715b6e9de70ee3029ad20.exe	31
PID 2340 wrote to memory of 1724	2340	NEAS.37accee2b59715b6e9de70ee3029ad20.exe	31
PID 2340 wrote to memory of 1724	2340	NEAS.37accee2b59715b6e9de70ee3029ad20.exe	31
PID 2340 wrote to memory of 1724	2340	NEAS.37accee2b59715b6e9de70ee3029ad20.exe	31
PID 2340 wrote to memory of 2108	2340	NEAS.37accee2b59715b6e9de70ee3029ad20.exe	32
PID 2340 wrote to memory of 2108	2340	NEAS.37accee2b59715b6e9de70ee3029ad20.exe	32
PID 2340 wrote to memory of 2108	2340	NEAS.37accee2b59715b6e9de70ee3029ad20.exe	32
PID 2340 wrote to memory of 2108	2340	NEAS.37accee2b59715b6e9de70ee3029ad20.exe	32
PID 2340 wrote to memory of 2676	2340	NEAS.37accee2b59715b6e9de70ee3029ad20.exe	33
PID 2340 wrote to memory of 2676	2340	NEAS.37accee2b59715b6e9de70ee3029ad20.exe	33
PID 2340 wrote to memory of 2676	2340	NEAS.37accee2b59715b6e9de70ee3029ad20.exe	33
PID 2340 wrote to memory of 2676	2340	NEAS.37accee2b59715b6e9de70ee3029ad20.exe	33
PID 2340 wrote to memory of 2556	2340	NEAS.37accee2b59715b6e9de70ee3029ad20.exe	34
PID 2340 wrote to memory of 2556	2340	NEAS.37accee2b59715b6e9de70ee3029ad20.exe	34
PID 2340 wrote to memory of 2556	2340	NEAS.37accee2b59715b6e9de70ee3029ad20.exe	34
PID 2340 wrote to memory of 2556	2340	NEAS.37accee2b59715b6e9de70ee3029ad20.exe	34
PID 2296 wrote to memory of 3036	2296	backup.exe	35
PID 2296 wrote to memory of 3036	2296	backup.exe	35
PID 2296 wrote to memory of 3036	2296	backup.exe	35
PID 2296 wrote to memory of 3036	2296	backup.exe	35
PID 3036 wrote to memory of 3048	3036	backup.exe	36
PID 3036 wrote to memory of 3048	3036	backup.exe	36
PID 3036 wrote to memory of 3048	3036	backup.exe	36
PID 3036 wrote to memory of 3048	3036	backup.exe	36
PID 3048 wrote to memory of 2840	3048	backup.exe	37
PID 3048 wrote to memory of 2840	3048	backup.exe	37
PID 3048 wrote to memory of 2840	3048	backup.exe	37
PID 3048 wrote to memory of 2840	3048	backup.exe	37
PID 3036 wrote to memory of 2884	3036	backup.exe	38
PID 3036 wrote to memory of 2884	3036	backup.exe	38
PID 3036 wrote to memory of 2884	3036	backup.exe	38
PID 3036 wrote to memory of 2884	3036	backup.exe	38
PID 2884 wrote to memory of 1200	2884	backup.exe	39
PID 2884 wrote to memory of 1200	2884	backup.exe	39
PID 2884 wrote to memory of 1200	2884	backup.exe	39
PID 2884 wrote to memory of 1200	2884	backup.exe	39
PID 3036 wrote to memory of 1752	3036	backup.exe	40
PID 3036 wrote to memory of 1752	3036	backup.exe	40
PID 3036 wrote to memory of 1752	3036	backup.exe	40
PID 3036 wrote to memory of 1752	3036	backup.exe	40
PID 1752 wrote to memory of 1968	1752	backup.exe	41
PID 1752 wrote to memory of 1968	1752	backup.exe	41
PID 1752 wrote to memory of 1968	1752	backup.exe	41
PID 1752 wrote to memory of 1968	1752	backup.exe	41
PID 2884 wrote to memory of 1888	2884	backup.exe	42
PID 2884 wrote to memory of 1888	2884	backup.exe	42
PID 2884 wrote to memory of 1888	2884	backup.exe	42
PID 2884 wrote to memory of 1888	2884	backup.exe	42
PID 1888 wrote to memory of 828	1888	backup.exe	43

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	NEAS.37accee2b59715b6e9de70ee3029ad20.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	NEAS.37accee2b59715b6e9de70ee3029ad20.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.37accee2b59715b6e9de70ee3029ad20.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.37accee2b59715b6e9de70ee3029ad20.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2340
- C:\Users\Admin\AppData\Local\Temp\3388283127\backup.exe
  C:\Users\Admin\AppData\Local\Temp\3388283127\backup.exe C:\Users\Admin\AppData\Local\Temp\3388283127\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2296
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:3036
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:3048
    - - C:\PerfLogs\Admin\backup.exe
        
        C:\PerfLogs\Admin\backup.exe C:\PerfLogs\Admin\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2840
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2884
    - - C:\Program Files\7-Zip\System Restore.exe
        
        "C:\Program Files\7-Zip\System Restore.exe" C:\Program Files\7-Zip\
        5⤵
        Executes dropped EXE
        
        PID:1200
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1888
      - C:\Program Files\Common Files\Microsoft Shared\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\backup.exe" C:\Program Files\Common Files\Microsoft Shared\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:828
        
        C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1144
        
        C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1808
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2952
        
        C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1952
        
        C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1504
        
        C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1212
        
        C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2648
        
        C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2900
        
        C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2680
        
        C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2484
        
        C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
        8⤵
        
        PID:2352
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\
        8⤵
        
        PID:1648
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\
        8⤵
        
        PID:2892
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\
        8⤵
        
        PID:524
        
        C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\
        8⤵
        
        PID:908
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\
        8⤵
        
        PID:1996
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\
        8⤵
        
        PID:1932
        
        C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\
        8⤵
        
        PID:1948
        
        C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\
        8⤵
        
        PID:1164
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\
        8⤵
        
        PID:1928
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
        7⤵
        
        PID:1636
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\
        8⤵
        
        PID:1020
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\
        8⤵
        
        PID:2600
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\
        8⤵
        
        PID:756
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1628
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\
        8⤵
        
        PID:1616
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\
        8⤵
        
        PID:2920
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
        7⤵
        
        PID:2364
        
        C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
        7⤵
        
        PID:2724
        
        C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\
        7⤵
        
        PID:2852
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\
        7⤵
        
        PID:2096
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\
        7⤵
        
        PID:2972
        
        C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VC\
        7⤵
        
        PID:3020
        
        C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VGX\
        7⤵
        
        PID:2988
        
        C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\
        7⤵
        
        PID:924
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        Executes dropped EXE
        
        PID:1628
      - C:\Program Files\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\backup.exe" C:\Program Files\Common Files\SpeechEngines\
        6⤵
        
        PID:1524
        
        C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files\Common Files\SpeechEngines\Microsoft\
        7⤵
        
        PID:1764
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        
        PID:1064
    - - C:\Program Files\DVD Maker\backup.exe
        
        "C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\
        5⤵
        Executes dropped EXE
        
        PID:2728
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        
        PID:2336
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        
        PID:2040
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        
        PID:1644
    - - C:\Program Files\Microsoft Games\backup.exe
        
        "C:\Program Files\Microsoft Games\backup.exe" C:\Program Files\Microsoft Games\
        5⤵
        
        PID:1456
    - - C:\Program Files\Microsoft Office\backup.exe
        
        "C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
        5⤵
        
        PID:580
    - - C:\Program Files\Mozilla Firefox\backup.exe
        
        "C:\Program Files\Mozilla Firefox\backup.exe" C:\Program Files\Mozilla Firefox\
        5⤵
        
        PID:2516
    - - C:\Program Files\MSBuild\backup.exe
        
        "C:\Program Files\MSBuild\backup.exe" C:\Program Files\MSBuild\
        5⤵
        
        PID:2204
    - - C:\Program Files\Reference Assemblies\backup.exe
        
        "C:\Program Files\Reference Assemblies\backup.exe" C:\Program Files\Reference Assemblies\
        5⤵
        
        PID:2400
    - - C:\Program Files\VideoLAN\backup.exe
        
        "C:\Program Files\VideoLAN\backup.exe" C:\Program Files\VideoLAN\
        5⤵
        
        PID:848
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1752
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1968
      - C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1080
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2364
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:896
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1948
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1996
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2068
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2744
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2688
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2536
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3052
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\
        9⤵
        
        PID:1656
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\
        8⤵
        
        PID:2408
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\
        8⤵
        
        PID:1712
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\
        8⤵
        
        PID:2524
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\
        8⤵
        
        PID:1248
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\
        8⤵
        
        PID:1144
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\
        7⤵
        
        PID:2416
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\
        8⤵
        
        PID:1380
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\
        8⤵
        
        PID:932
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\
        7⤵
        
        PID:1392
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\
        8⤵
        
        PID:2548
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3056
      - C:\Program Files (x86)\Common Files\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
        6⤵
        Executes dropped EXE
        
        PID:2880
        
        C:\Program Files (x86)\Common Files\Adobe\Acrobat\update.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Acrobat\update.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\
        7⤵
        
        PID:2464
        
        C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\
        7⤵
        
        PID:2540
        
        C:\Program Files (x86)\Common Files\Adobe\Help\en_US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\
        8⤵
        
        PID:2996
        
        C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Updater6\
        7⤵
        
        PID:2816
      - C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\
        6⤵
        
        PID:1744
      - C:\Program Files (x86)\Common Files\DESIGNER\backup.exe
        
        "C:\Program Files (x86)\Common Files\DESIGNER\backup.exe" C:\Program Files (x86)\Common Files\DESIGNER\
        6⤵
        
        PID:2660
      - C:\Program Files (x86)\Common Files\microsoft shared\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\
        6⤵
        
        PID:2552
      - C:\Program Files (x86)\Common Files\Services\backup.exe
        
        "C:\Program Files (x86)\Common Files\Services\backup.exe" C:\Program Files (x86)\Common Files\Services\
        6⤵
        
        PID:1688
      - C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe" C:\Program Files (x86)\Common Files\SpeechEngines\
        6⤵
        
        PID:1120
      - C:\Program Files (x86)\Common Files\System\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\backup.exe" C:\Program Files (x86)\Common Files\System\
        6⤵
        
        PID:2288
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        
        PID:2000
      - C:\Program Files (x86)\Google\CrashReports\backup.exe
        
        "C:\Program Files (x86)\Google\CrashReports\backup.exe" C:\Program Files (x86)\Google\CrashReports\
        6⤵
        
        PID:532
      - C:\Program Files (x86)\Google\Temp\backup.exe
        
        "C:\Program Files (x86)\Google\Temp\backup.exe" C:\Program Files (x86)\Google\Temp\
        6⤵
        
        PID:2752
      - C:\Program Files (x86)\Google\Update\backup.exe
        
        "C:\Program Files (x86)\Google\Update\backup.exe" C:\Program Files (x86)\Google\Update\
        6⤵
        
        PID:1676
        
        C:\Program Files (x86)\Google\Update\1.3.36.151\backup.exe
        
        "C:\Program Files (x86)\Google\Update\1.3.36.151\backup.exe" C:\Program Files (x86)\Google\Update\1.3.36.151\
        7⤵
        
        PID:672
        
        C:\Program Files (x86)\Google\Update\Download\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Download\backup.exe" C:\Program Files (x86)\Google\Update\Download\
        7⤵
        
        PID:2136
        
        C:\Program Files (x86)\Google\Update\Install\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Install\backup.exe" C:\Program Files (x86)\Google\Update\Install\
        7⤵
        
        PID:2568
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        
        PID:1212
      - C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe" C:\Program Files (x86)\Internet Explorer\de-DE\
        6⤵
        
        PID:1148
      - C:\Program Files (x86)\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\en-US\backup.exe" C:\Program Files (x86)\Internet Explorer\en-US\
        6⤵
        
        PID:2736
      - C:\Program Files (x86)\Internet Explorer\es-ES\update.exe
        
        "C:\Program Files (x86)\Internet Explorer\es-ES\update.exe" C:\Program Files (x86)\Internet Explorer\es-ES\
        6⤵
        
        PID:2184
      - C:\Program Files (x86)\Internet Explorer\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\fr-FR\backup.exe" C:\Program Files (x86)\Internet Explorer\fr-FR\
        6⤵
        
        PID:2940
      - C:\Program Files (x86)\Internet Explorer\it-IT\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\it-IT\backup.exe" C:\Program Files (x86)\Internet Explorer\it-IT\
        6⤵
        
        PID:2640
      - C:\Program Files (x86)\Internet Explorer\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\ja-JP\backup.exe" C:\Program Files (x86)\Internet Explorer\ja-JP\
        6⤵
        
        PID:1588
    - - C:\Program Files (x86)\Microsoft Analysis Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\
        5⤵
        
        PID:2848
    - - C:\Program Files (x86)\Microsoft Office\System Restore.exe
        
        "C:\Program Files (x86)\Microsoft Office\System Restore.exe" C:\Program Files (x86)\Microsoft Office\
        5⤵
        
        PID:2248
    - - C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\
        5⤵
        
        PID:2212
    - - C:\Program Files (x86)\Microsoft Sync Framework\backup.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\backup.exe" C:\Program Files (x86)\Microsoft Sync Framework\
        5⤵
        
        PID:2672
    - - C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe" C:\Program Files (x86)\Microsoft Synchronization Services\
        5⤵
        
        PID:1692
    - - C:\Program Files (x86)\Microsoft Visual Studio 8\backup.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\backup.exe" C:\Program Files (x86)\Microsoft Visual Studio 8\
        5⤵
        
        PID:1784
    - - C:\Program Files (x86)\Microsoft.NET\backup.exe
        
        "C:\Program Files (x86)\Microsoft.NET\backup.exe" C:\Program Files (x86)\Microsoft.NET\
        5⤵
        
        PID:2560
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:3004
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        Executes dropped EXE
        
        PID:760
      - C:\Users\Admin\Contacts\backup.exe
        
        C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
        6⤵
        
        PID:2320
      - C:\Users\Admin\Desktop\backup.exe
        
        C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
        6⤵
        
        PID:1472
    - - C:\Users\Public\backup.exe
        
        C:\Users\Public\backup.exe C:\Users\Public\
        5⤵
        
        PID:604
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      PID:572
    - - C:\Windows\addins\backup.exe
        
        C:\Windows\addins\backup.exe C:\Windows\addins\
        5⤵
        
        PID:752
    - - C:\Windows\AppCompat\System Restore.exe
        
        "C:\Windows\AppCompat\System Restore.exe" C:\Windows\AppCompat\
        5⤵
        
        PID:2668
    - - C:\Windows\AppPatch\backup.exe
        
        C:\Windows\AppPatch\backup.exe C:\Windows\AppPatch\
        5⤵
        
        PID:3008
      - C:\Windows\AppPatch\AppPatch64\backup.exe
        
        C:\Windows\AppPatch\AppPatch64\backup.exe C:\Windows\AppPatch\AppPatch64\
        6⤵
        
        PID:2716
      - C:\Windows\AppPatch\Custom\backup.exe
        
        C:\Windows\AppPatch\Custom\backup.exe C:\Windows\AppPatch\Custom\
        6⤵
        
        PID:2208
      - C:\Windows\AppPatch\de-DE\backup.exe
        
        C:\Windows\AppPatch\de-DE\backup.exe C:\Windows\AppPatch\de-DE\
        6⤵
        
        PID:1292
      - C:\Windows\AppPatch\en-US\backup.exe
        
        C:\Windows\AppPatch\en-US\backup.exe C:\Windows\AppPatch\en-US\
        6⤵
        
        PID:1272
      - C:\Windows\AppPatch\es-ES\data.exe
        
        C:\Windows\AppPatch\es-ES\data.exe C:\Windows\AppPatch\es-ES\
        6⤵
        
        PID:2556
    - - C:\Windows\assembly\backup.exe
        
        C:\Windows\assembly\backup.exe C:\Windows\assembly\
        5⤵
        
        PID:2080
    - - C:\Windows\Branding\backup.exe
        
        C:\Windows\Branding\backup.exe C:\Windows\Branding\
        5⤵
        
        PID:2328
    - - C:\Windows\CSC\backup.exe
        
        C:\Windows\CSC\backup.exe C:\Windows\CSC\
        5⤵
        
        PID:2576
    - - C:\Windows\Cursors\backup.exe
        
        C:\Windows\Cursors\backup.exe C:\Windows\Cursors\
        5⤵
        
        PID:1980
    - - C:\Windows\debug\backup.exe
        
        C:\Windows\debug\backup.exe C:\Windows\debug\
        5⤵
        
        PID:1564
    - - C:\Windows\de-DE\backup.exe
        
        C:\Windows\de-DE\backup.exe C:\Windows\de-DE\
        5⤵
        
        PID:3068
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2156
- C:\Users\Admin\AppData\Local\Temp\Low\update.exe
  C:\Users\Admin\AppData\Local\Temp\Low\update.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:2704
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\data.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\data.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1724
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2108
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2676
- C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
  C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\backup.exe

Filesize
84KB

MD5
82eed75b5a68b11b50d65ebeed3f9fcf

SHA1
07e61044d93d997d47e3cc2e64ef3a14ef602129

SHA256
0654e3efb43ff03c208f63afe76b9d52d3cb541c1983fe578e0e5d7a28f87e33

SHA512
3a4b20ae1e24fb7c33d1fb0df295fec321b0690edd28d0a5a0474f0c2ef0fcd8c0c09982e51eb9f7ea49dc0393e3604cc95b6cc396fdae2f08f2214a84a63215

Download Submit
C:\PerfLogs\backup.exe

Filesize
84KB

MD5
6747aa7807cd0301eaaf0fa4ac4029df

SHA1
36f5f2f10dd20d0ccecc7e96aaf844479a0a1347

SHA256
6c186d2c6065a613b12d91d414273be89430f931ee69189e66c10cc37cfbcf25

SHA512
7e8ce931a1e5156553b952a672db704234f9b4592aad9ca15d7f5367001bc996facbc04c534ce4edb323e562e75d3faf34821e42cbbc91944e79397677ebe298

Download Submit
C:\PerfLogs\backup.exe

Filesize
84KB

MD5
6747aa7807cd0301eaaf0fa4ac4029df

SHA1
36f5f2f10dd20d0ccecc7e96aaf844479a0a1347

SHA256
6c186d2c6065a613b12d91d414273be89430f931ee69189e66c10cc37cfbcf25

SHA512
7e8ce931a1e5156553b952a672db704234f9b4592aad9ca15d7f5367001bc996facbc04c534ce4edb323e562e75d3faf34821e42cbbc91944e79397677ebe298

Download Submit
C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe

Filesize
84KB

MD5
7bb0db54f0c454f580e9702f1536bed9

SHA1
a06eed6453e12d572581253a72e13a9f7cc15670

SHA256
9c803b89e993e0a9829fba50ee0bf36b3abe8d558808e36577150ffa10d10c96

SHA512
248bdef80a8ef27f849f6689f2b4e030d09c04e1e70f543ae4d893bf84c0d101705591e41a425d56351239b0c641e5e157e4a6fd27abfcdba2d4a899c2fafb59

Download Submit
C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe

Filesize
84KB

MD5
7bb0db54f0c454f580e9702f1536bed9

SHA1
a06eed6453e12d572581253a72e13a9f7cc15670

SHA256
9c803b89e993e0a9829fba50ee0bf36b3abe8d558808e36577150ffa10d10c96

SHA512
248bdef80a8ef27f849f6689f2b4e030d09c04e1e70f543ae4d893bf84c0d101705591e41a425d56351239b0c641e5e157e4a6fd27abfcdba2d4a899c2fafb59

Download Submit
C:\Program Files (x86)\Adobe\backup.exe

Filesize
84KB

MD5
3908df2c57309bd22228a9e3a6a4dab8

SHA1
2b2391aa84a7c717488199747ecde4db840dcac3

SHA256
d1aea90406e9e1f9dd82dd25a023fc205730d98cb6ce77f0296f2b5e8bd58a1d

SHA512
97ecb0b876e541be976a06a722627bdf5b4c4da54b0ae80effb812060d2bf3e63983e5e04e985b2c9f622f9f39723c3af2e7d15515b1eaed9238118af01dba10

Download Submit
C:\Program Files (x86)\Adobe\backup.exe

Filesize
84KB

MD5
3908df2c57309bd22228a9e3a6a4dab8

SHA1
2b2391aa84a7c717488199747ecde4db840dcac3

SHA256
d1aea90406e9e1f9dd82dd25a023fc205730d98cb6ce77f0296f2b5e8bd58a1d

SHA512
97ecb0b876e541be976a06a722627bdf5b4c4da54b0ae80effb812060d2bf3e63983e5e04e985b2c9f622f9f39723c3af2e7d15515b1eaed9238118af01dba10

Download Submit
C:\Program Files (x86)\backup.exe

Filesize
84KB

MD5
7baae73124933e30f22f374dac7cfc0d

SHA1
0b7ae0c5714f5de4c6296b93d4e6c85020255838

SHA256
657ddc06cc512df557eb81896374ad5838b2a061086b4361c8272c9c123c17ed

SHA512
8cfde26002c560f671227d17df5ac0f74a2d1f372f8f3eb1285231cb089c152c60c5e189d17a8681070370226331d15acd6bd4827623fbfe875a8fc9ee86ddec

Download Submit
C:\Program Files (x86)\backup.exe

Filesize
84KB

MD5
7baae73124933e30f22f374dac7cfc0d

SHA1
0b7ae0c5714f5de4c6296b93d4e6c85020255838

SHA256
657ddc06cc512df557eb81896374ad5838b2a061086b4361c8272c9c123c17ed

SHA512
8cfde26002c560f671227d17df5ac0f74a2d1f372f8f3eb1285231cb089c152c60c5e189d17a8681070370226331d15acd6bd4827623fbfe875a8fc9ee86ddec

Download Submit
C:\Program Files\7-Zip\System Restore.exe

Filesize
84KB

MD5
76b734a276fdd081cf5d0cd95dddc1ee

SHA1
4f39bc63a8e60f54b0b0b80a66e70ab6e095af98

SHA256
eb21b5a1affacc933d55e41ace63b801f8315fdb8c603ec5dacabaed55d1edd5

SHA512
fb6eeeaea1e7bd10842538f40ea0de6f2bd33a2d419dd27724b61ba1f5d380a34f679a4fd4631fd83bf38a2897917362076b5595c8ee5fb4ddbb8fa6c1398e1a

Download Submit
C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
84KB

MD5
32b80bb367d5ae6971b2b49cb449c7da

SHA1
9028754f1a8a607e6bf3146cb6092409d3b993e9

SHA256
c4c457ede8ca5b290d3a3835a3e791dceb15f9240117dbd0724f83c4ccbad872

SHA512
b64c44ecdab58e40166ee61a2d65a0d567d0a007d81e5e9cff9aae939b5861a87bb991ae1de8b21fee3a390574ad55f517bf1e020620ec7c3c2b959377391096

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
84KB

MD5
b0cb7c4f4356ff53d415e5998faa3b64

SHA1
8eea9bdbbbc80071115b8ef0d2a45968c37b1a9f

SHA256
381c2110806a50b541a2190b6641e74a621b3ab1ce392430171c2aa16f787269

SHA512
6eb326ea6cdd2a53593d92551d065704b3b8531ee868a0352358d6c8cd19fe7ec6be7c74924ffd0783a392f4cf4c8920d7fa96385e5a1f25a98bc64cf3a2f693

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
84KB

MD5
b0cb7c4f4356ff53d415e5998faa3b64

SHA1
8eea9bdbbbc80071115b8ef0d2a45968c37b1a9f

SHA256
381c2110806a50b541a2190b6641e74a621b3ab1ce392430171c2aa16f787269

SHA512
6eb326ea6cdd2a53593d92551d065704b3b8531ee868a0352358d6c8cd19fe7ec6be7c74924ffd0783a392f4cf4c8920d7fa96385e5a1f25a98bc64cf3a2f693

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
84KB

MD5
460ec7ab0dfca486fc68fa5a147af6b0

SHA1
66c359e3bbdcad6f6cbcd13707a653f2193f72c7

SHA256
b0447134659912f8ab87bb689421e0f9e12d81912c4aef60674f2a50b744c090

SHA512
9fd6e4a6ee697c1dc2a8e28259f7c5a2d0a2b0eb8b8cf988810cc7bbf50063d3dbb9af46467ce4aca271836a500bcaff558a0175a4170c1bd364dd221ece20e9

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
84KB

MD5
460ec7ab0dfca486fc68fa5a147af6b0

SHA1
66c359e3bbdcad6f6cbcd13707a653f2193f72c7

SHA256
b0447134659912f8ab87bb689421e0f9e12d81912c4aef60674f2a50b744c090

SHA512
9fd6e4a6ee697c1dc2a8e28259f7c5a2d0a2b0eb8b8cf988810cc7bbf50063d3dbb9af46467ce4aca271836a500bcaff558a0175a4170c1bd364dd221ece20e9

Download Submit
C:\Program Files\backup.exe

Filesize
84KB

MD5
6747aa7807cd0301eaaf0fa4ac4029df

SHA1
36f5f2f10dd20d0ccecc7e96aaf844479a0a1347

SHA256
6c186d2c6065a613b12d91d414273be89430f931ee69189e66c10cc37cfbcf25

SHA512
7e8ce931a1e5156553b952a672db704234f9b4592aad9ca15d7f5367001bc996facbc04c534ce4edb323e562e75d3faf34821e42cbbc91944e79397677ebe298

Download Submit
C:\Program Files\backup.exe

Filesize
84KB

MD5
6747aa7807cd0301eaaf0fa4ac4029df

SHA1
36f5f2f10dd20d0ccecc7e96aaf844479a0a1347

SHA256
6c186d2c6065a613b12d91d414273be89430f931ee69189e66c10cc37cfbcf25

SHA512
7e8ce931a1e5156553b952a672db704234f9b4592aad9ca15d7f5367001bc996facbc04c534ce4edb323e562e75d3faf34821e42cbbc91944e79397677ebe298

Download Submit
C:\Users\Admin\AppData\Local\Temp\3388283127\backup.exe

Filesize
84KB

MD5
a8c371bf8ee801c5389e8db2b3cb00f2

SHA1
cc3038a13c3d32f9556902d1f968fffb7fb8e87b

SHA256
446c0b0720ad68e2a6c659276b94bf1742aafb3f8763bb2448cd76dbd646481b

SHA512
6fb8590c9b5fdb923e5ad678faffb73cae0eb2dc11a0440d660543168d2cb04015e9a548f3a224da965fe618bc080d2fda16c8fb3e1767cec1986d233bfc59dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\3388283127\backup.exe

Filesize
84KB

MD5
a8c371bf8ee801c5389e8db2b3cb00f2

SHA1
cc3038a13c3d32f9556902d1f968fffb7fb8e87b

SHA256
446c0b0720ad68e2a6c659276b94bf1742aafb3f8763bb2448cd76dbd646481b

SHA512
6fb8590c9b5fdb923e5ad678faffb73cae0eb2dc11a0440d660543168d2cb04015e9a548f3a224da965fe618bc080d2fda16c8fb3e1767cec1986d233bfc59dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\3388283127\backup.exe

Filesize
84KB

MD5
a8c371bf8ee801c5389e8db2b3cb00f2

SHA1
cc3038a13c3d32f9556902d1f968fffb7fb8e87b

SHA256
446c0b0720ad68e2a6c659276b94bf1742aafb3f8763bb2448cd76dbd646481b

SHA512
6fb8590c9b5fdb923e5ad678faffb73cae0eb2dc11a0440d660543168d2cb04015e9a548f3a224da965fe618bc080d2fda16c8fb3e1767cec1986d233bfc59dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\update.exe

Filesize
84KB

MD5
a8c371bf8ee801c5389e8db2b3cb00f2

SHA1
cc3038a13c3d32f9556902d1f968fffb7fb8e87b

SHA256
446c0b0720ad68e2a6c659276b94bf1742aafb3f8763bb2448cd76dbd646481b

SHA512
6fb8590c9b5fdb923e5ad678faffb73cae0eb2dc11a0440d660543168d2cb04015e9a548f3a224da965fe618bc080d2fda16c8fb3e1767cec1986d233bfc59dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\update.exe

Filesize
84KB

MD5
a8c371bf8ee801c5389e8db2b3cb00f2

SHA1
cc3038a13c3d32f9556902d1f968fffb7fb8e87b

SHA256
446c0b0720ad68e2a6c659276b94bf1742aafb3f8763bb2448cd76dbd646481b

SHA512
6fb8590c9b5fdb923e5ad678faffb73cae0eb2dc11a0440d660543168d2cb04015e9a548f3a224da965fe618bc080d2fda16c8fb3e1767cec1986d233bfc59dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\data.exe

Filesize
84KB

MD5
a8c371bf8ee801c5389e8db2b3cb00f2

SHA1
cc3038a13c3d32f9556902d1f968fffb7fb8e87b

SHA256
446c0b0720ad68e2a6c659276b94bf1742aafb3f8763bb2448cd76dbd646481b

SHA512
6fb8590c9b5fdb923e5ad678faffb73cae0eb2dc11a0440d660543168d2cb04015e9a548f3a224da965fe618bc080d2fda16c8fb3e1767cec1986d233bfc59dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
84KB

MD5
a8c371bf8ee801c5389e8db2b3cb00f2

SHA1
cc3038a13c3d32f9556902d1f968fffb7fb8e87b

SHA256
446c0b0720ad68e2a6c659276b94bf1742aafb3f8763bb2448cd76dbd646481b

SHA512
6fb8590c9b5fdb923e5ad678faffb73cae0eb2dc11a0440d660543168d2cb04015e9a548f3a224da965fe618bc080d2fda16c8fb3e1767cec1986d233bfc59dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
84KB

MD5
35075ee9af9c8c50c4ea88f66fbc46e4

SHA1
4f753e5f7899d7097ee1b10fc9d4ea3cdafa2a3e

SHA256
bf50a21469ede19fb1b7bc4822ae120bce1a9fe4570bade8428cb022fae71ad4

SHA512
c97865dbf04440546e139216e5ec5f0195fc584bd5b7027fb0599bc5051e5b578bc1bc3395f1ec3be3f16c819386bfbd07427001dfcc2982d608b1fec13b84d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
84KB

MD5
a8c371bf8ee801c5389e8db2b3cb00f2

SHA1
cc3038a13c3d32f9556902d1f968fffb7fb8e87b

SHA256
446c0b0720ad68e2a6c659276b94bf1742aafb3f8763bb2448cd76dbd646481b

SHA512
6fb8590c9b5fdb923e5ad678faffb73cae0eb2dc11a0440d660543168d2cb04015e9a548f3a224da965fe618bc080d2fda16c8fb3e1767cec1986d233bfc59dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
84KB

MD5
35075ee9af9c8c50c4ea88f66fbc46e4

SHA1
4f753e5f7899d7097ee1b10fc9d4ea3cdafa2a3e

SHA256
bf50a21469ede19fb1b7bc4822ae120bce1a9fe4570bade8428cb022fae71ad4

SHA512
c97865dbf04440546e139216e5ec5f0195fc584bd5b7027fb0599bc5051e5b578bc1bc3395f1ec3be3f16c819386bfbd07427001dfcc2982d608b1fec13b84d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.zip

Filesize
30KB

MD5
7db2c9572b261657ee5ae96c5a96069d

SHA1
94ee451277c7700405952a75245562831f1992e8

SHA256
a0bb556fadd6ed07894ab35fdd4ac885008ded081e52a7e5c67b104af0854410

SHA512
4e096c3dd9cd736d9b55c45293cb505c683a018604b82874a22fa22be70b02f47cebc3cc75d873204fa68eb98dee4e3405601b9c965b93a76f013de7b8a3ce14

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.zip

Filesize
22B

MD5
76cdb2bad9582d23c1f6f4d868218d6c

SHA1
b04f3ee8f5e43fa3b162981b50bb72fe1acabb33

SHA256
8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85

SHA512
5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

Download Submit
C:\backup.exe

Filesize
84KB

MD5
e96ba2f957b7ba74cc5f0849f3d4f6f2

SHA1
da56f2bb259afb024677c6e3a4e8b9e1f8b9e6d5

SHA256
74902eec1c455307e66f407254b9fa7d7cfc22a9ddc9b625076b8a75d81e6b1c

SHA512
7efff825569cfab7a9adf9062df517a77d45538da74386e2aa4099c18582be8d5e4b5a1c65f89a1ae1f0adec39883282281b79c642392022c9c358c0abe41137

Download Submit
C:\backup.exe

Filesize
84KB

MD5
e96ba2f957b7ba74cc5f0849f3d4f6f2

SHA1
da56f2bb259afb024677c6e3a4e8b9e1f8b9e6d5

SHA256
74902eec1c455307e66f407254b9fa7d7cfc22a9ddc9b625076b8a75d81e6b1c

SHA512
7efff825569cfab7a9adf9062df517a77d45538da74386e2aa4099c18582be8d5e4b5a1c65f89a1ae1f0adec39883282281b79c642392022c9c358c0abe41137

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
84KB

MD5
82eed75b5a68b11b50d65ebeed3f9fcf

SHA1
07e61044d93d997d47e3cc2e64ef3a14ef602129

SHA256
0654e3efb43ff03c208f63afe76b9d52d3cb541c1983fe578e0e5d7a28f87e33

SHA512
3a4b20ae1e24fb7c33d1fb0df295fec321b0690edd28d0a5a0474f0c2ef0fcd8c0c09982e51eb9f7ea49dc0393e3604cc95b6cc396fdae2f08f2214a84a63215

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
84KB

MD5
82eed75b5a68b11b50d65ebeed3f9fcf

SHA1
07e61044d93d997d47e3cc2e64ef3a14ef602129

SHA256
0654e3efb43ff03c208f63afe76b9d52d3cb541c1983fe578e0e5d7a28f87e33

SHA512
3a4b20ae1e24fb7c33d1fb0df295fec321b0690edd28d0a5a0474f0c2ef0fcd8c0c09982e51eb9f7ea49dc0393e3604cc95b6cc396fdae2f08f2214a84a63215

Download Submit
\PerfLogs\backup.exe

Filesize
84KB

MD5
6747aa7807cd0301eaaf0fa4ac4029df

SHA1
36f5f2f10dd20d0ccecc7e96aaf844479a0a1347

SHA256
6c186d2c6065a613b12d91d414273be89430f931ee69189e66c10cc37cfbcf25

SHA512
7e8ce931a1e5156553b952a672db704234f9b4592aad9ca15d7f5367001bc996facbc04c534ce4edb323e562e75d3faf34821e42cbbc91944e79397677ebe298

Download Submit
\PerfLogs\backup.exe

Filesize
84KB

MD5
6747aa7807cd0301eaaf0fa4ac4029df

SHA1
36f5f2f10dd20d0ccecc7e96aaf844479a0a1347

SHA256
6c186d2c6065a613b12d91d414273be89430f931ee69189e66c10cc37cfbcf25

SHA512
7e8ce931a1e5156553b952a672db704234f9b4592aad9ca15d7f5367001bc996facbc04c534ce4edb323e562e75d3faf34821e42cbbc91944e79397677ebe298

Download Submit
\Program Files (x86)\Adobe\Reader 9.0\backup.exe

Filesize
84KB

MD5
7bb0db54f0c454f580e9702f1536bed9

SHA1
a06eed6453e12d572581253a72e13a9f7cc15670

SHA256
9c803b89e993e0a9829fba50ee0bf36b3abe8d558808e36577150ffa10d10c96

SHA512
248bdef80a8ef27f849f6689f2b4e030d09c04e1e70f543ae4d893bf84c0d101705591e41a425d56351239b0c641e5e157e4a6fd27abfcdba2d4a899c2fafb59

Download Submit
\Program Files (x86)\Adobe\Reader 9.0\backup.exe

Filesize
84KB

MD5
7bb0db54f0c454f580e9702f1536bed9

SHA1
a06eed6453e12d572581253a72e13a9f7cc15670

SHA256
9c803b89e993e0a9829fba50ee0bf36b3abe8d558808e36577150ffa10d10c96

SHA512
248bdef80a8ef27f849f6689f2b4e030d09c04e1e70f543ae4d893bf84c0d101705591e41a425d56351239b0c641e5e157e4a6fd27abfcdba2d4a899c2fafb59

Download Submit
\Program Files (x86)\Adobe\backup.exe

Filesize
84KB

MD5
3908df2c57309bd22228a9e3a6a4dab8

SHA1
2b2391aa84a7c717488199747ecde4db840dcac3

SHA256
d1aea90406e9e1f9dd82dd25a023fc205730d98cb6ce77f0296f2b5e8bd58a1d

SHA512
97ecb0b876e541be976a06a722627bdf5b4c4da54b0ae80effb812060d2bf3e63983e5e04e985b2c9f622f9f39723c3af2e7d15515b1eaed9238118af01dba10

Download Submit
\Program Files (x86)\Adobe\backup.exe

Filesize
84KB

MD5
3908df2c57309bd22228a9e3a6a4dab8

SHA1
2b2391aa84a7c717488199747ecde4db840dcac3

SHA256
d1aea90406e9e1f9dd82dd25a023fc205730d98cb6ce77f0296f2b5e8bd58a1d

SHA512
97ecb0b876e541be976a06a722627bdf5b4c4da54b0ae80effb812060d2bf3e63983e5e04e985b2c9f622f9f39723c3af2e7d15515b1eaed9238118af01dba10

Download Submit
\Program Files (x86)\backup.exe

Filesize
84KB

MD5
7baae73124933e30f22f374dac7cfc0d

SHA1
0b7ae0c5714f5de4c6296b93d4e6c85020255838

SHA256
657ddc06cc512df557eb81896374ad5838b2a061086b4361c8272c9c123c17ed

SHA512
8cfde26002c560f671227d17df5ac0f74a2d1f372f8f3eb1285231cb089c152c60c5e189d17a8681070370226331d15acd6bd4827623fbfe875a8fc9ee86ddec

Download Submit
\Program Files (x86)\backup.exe

Filesize
84KB

MD5
7baae73124933e30f22f374dac7cfc0d

SHA1
0b7ae0c5714f5de4c6296b93d4e6c85020255838

SHA256
657ddc06cc512df557eb81896374ad5838b2a061086b4361c8272c9c123c17ed

SHA512
8cfde26002c560f671227d17df5ac0f74a2d1f372f8f3eb1285231cb089c152c60c5e189d17a8681070370226331d15acd6bd4827623fbfe875a8fc9ee86ddec

Download Submit
\Program Files\7-Zip\System Restore.exe

Filesize
84KB

MD5
76b734a276fdd081cf5d0cd95dddc1ee

SHA1
4f39bc63a8e60f54b0b0b80a66e70ab6e095af98

SHA256
eb21b5a1affacc933d55e41ace63b801f8315fdb8c603ec5dacabaed55d1edd5

SHA512
fb6eeeaea1e7bd10842538f40ea0de6f2bd33a2d419dd27724b61ba1f5d380a34f679a4fd4631fd83bf38a2897917362076b5595c8ee5fb4ddbb8fa6c1398e1a

Download Submit
\Program Files\7-Zip\System Restore.exe

Filesize
84KB

MD5
76b734a276fdd081cf5d0cd95dddc1ee

SHA1
4f39bc63a8e60f54b0b0b80a66e70ab6e095af98

SHA256
eb21b5a1affacc933d55e41ace63b801f8315fdb8c603ec5dacabaed55d1edd5

SHA512
fb6eeeaea1e7bd10842538f40ea0de6f2bd33a2d419dd27724b61ba1f5d380a34f679a4fd4631fd83bf38a2897917362076b5595c8ee5fb4ddbb8fa6c1398e1a

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
84KB

MD5
32b80bb367d5ae6971b2b49cb449c7da

SHA1
9028754f1a8a607e6bf3146cb6092409d3b993e9

SHA256
c4c457ede8ca5b290d3a3835a3e791dceb15f9240117dbd0724f83c4ccbad872

SHA512
b64c44ecdab58e40166ee61a2d65a0d567d0a007d81e5e9cff9aae939b5861a87bb991ae1de8b21fee3a390574ad55f517bf1e020620ec7c3c2b959377391096

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
84KB

MD5
32b80bb367d5ae6971b2b49cb449c7da

SHA1
9028754f1a8a607e6bf3146cb6092409d3b993e9

SHA256
c4c457ede8ca5b290d3a3835a3e791dceb15f9240117dbd0724f83c4ccbad872

SHA512
b64c44ecdab58e40166ee61a2d65a0d567d0a007d81e5e9cff9aae939b5861a87bb991ae1de8b21fee3a390574ad55f517bf1e020620ec7c3c2b959377391096

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
84KB

MD5
b0cb7c4f4356ff53d415e5998faa3b64

SHA1
8eea9bdbbbc80071115b8ef0d2a45968c37b1a9f

SHA256
381c2110806a50b541a2190b6641e74a621b3ab1ce392430171c2aa16f787269

SHA512
6eb326ea6cdd2a53593d92551d065704b3b8531ee868a0352358d6c8cd19fe7ec6be7c74924ffd0783a392f4cf4c8920d7fa96385e5a1f25a98bc64cf3a2f693

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
84KB

MD5
b0cb7c4f4356ff53d415e5998faa3b64

SHA1
8eea9bdbbbc80071115b8ef0d2a45968c37b1a9f

SHA256
381c2110806a50b541a2190b6641e74a621b3ab1ce392430171c2aa16f787269

SHA512
6eb326ea6cdd2a53593d92551d065704b3b8531ee868a0352358d6c8cd19fe7ec6be7c74924ffd0783a392f4cf4c8920d7fa96385e5a1f25a98bc64cf3a2f693

Download Submit
\Program Files\Common Files\backup.exe

Filesize
84KB

MD5
460ec7ab0dfca486fc68fa5a147af6b0

SHA1
66c359e3bbdcad6f6cbcd13707a653f2193f72c7

SHA256
b0447134659912f8ab87bb689421e0f9e12d81912c4aef60674f2a50b744c090

SHA512
9fd6e4a6ee697c1dc2a8e28259f7c5a2d0a2b0eb8b8cf988810cc7bbf50063d3dbb9af46467ce4aca271836a500bcaff558a0175a4170c1bd364dd221ece20e9

Download Submit
\Program Files\Common Files\backup.exe

Filesize
84KB

MD5
460ec7ab0dfca486fc68fa5a147af6b0

SHA1
66c359e3bbdcad6f6cbcd13707a653f2193f72c7

SHA256
b0447134659912f8ab87bb689421e0f9e12d81912c4aef60674f2a50b744c090

SHA512
9fd6e4a6ee697c1dc2a8e28259f7c5a2d0a2b0eb8b8cf988810cc7bbf50063d3dbb9af46467ce4aca271836a500bcaff558a0175a4170c1bd364dd221ece20e9

Download Submit
\Program Files\backup.exe

Filesize
84KB

MD5
6747aa7807cd0301eaaf0fa4ac4029df

SHA1
36f5f2f10dd20d0ccecc7e96aaf844479a0a1347

SHA256
6c186d2c6065a613b12d91d414273be89430f931ee69189e66c10cc37cfbcf25

SHA512
7e8ce931a1e5156553b952a672db704234f9b4592aad9ca15d7f5367001bc996facbc04c534ce4edb323e562e75d3faf34821e42cbbc91944e79397677ebe298

Download Submit
\Program Files\backup.exe

Filesize
84KB

MD5
6747aa7807cd0301eaaf0fa4ac4029df

SHA1
36f5f2f10dd20d0ccecc7e96aaf844479a0a1347

SHA256
6c186d2c6065a613b12d91d414273be89430f931ee69189e66c10cc37cfbcf25

SHA512
7e8ce931a1e5156553b952a672db704234f9b4592aad9ca15d7f5367001bc996facbc04c534ce4edb323e562e75d3faf34821e42cbbc91944e79397677ebe298

Download Submit
\Users\Admin\AppData\Local\Temp\3388283127\backup.exe

Filesize
84KB

MD5
a8c371bf8ee801c5389e8db2b3cb00f2

SHA1
cc3038a13c3d32f9556902d1f968fffb7fb8e87b

SHA256
446c0b0720ad68e2a6c659276b94bf1742aafb3f8763bb2448cd76dbd646481b

SHA512
6fb8590c9b5fdb923e5ad678faffb73cae0eb2dc11a0440d660543168d2cb04015e9a548f3a224da965fe618bc080d2fda16c8fb3e1767cec1986d233bfc59dc

Download Submit
\Users\Admin\AppData\Local\Temp\3388283127\backup.exe

Filesize
84KB

MD5
a8c371bf8ee801c5389e8db2b3cb00f2

SHA1
cc3038a13c3d32f9556902d1f968fffb7fb8e87b

SHA256
446c0b0720ad68e2a6c659276b94bf1742aafb3f8763bb2448cd76dbd646481b

SHA512
6fb8590c9b5fdb923e5ad678faffb73cae0eb2dc11a0440d660543168d2cb04015e9a548f3a224da965fe618bc080d2fda16c8fb3e1767cec1986d233bfc59dc

Download Submit
\Users\Admin\AppData\Local\Temp\Low\update.exe

Filesize
84KB

MD5
a8c371bf8ee801c5389e8db2b3cb00f2

SHA1
cc3038a13c3d32f9556902d1f968fffb7fb8e87b

SHA256
446c0b0720ad68e2a6c659276b94bf1742aafb3f8763bb2448cd76dbd646481b

SHA512
6fb8590c9b5fdb923e5ad678faffb73cae0eb2dc11a0440d660543168d2cb04015e9a548f3a224da965fe618bc080d2fda16c8fb3e1767cec1986d233bfc59dc

Download Submit
\Users\Admin\AppData\Local\Temp\Low\update.exe

Filesize
84KB

MD5
a8c371bf8ee801c5389e8db2b3cb00f2

SHA1
cc3038a13c3d32f9556902d1f968fffb7fb8e87b

SHA256
446c0b0720ad68e2a6c659276b94bf1742aafb3f8763bb2448cd76dbd646481b

SHA512
6fb8590c9b5fdb923e5ad678faffb73cae0eb2dc11a0440d660543168d2cb04015e9a548f3a224da965fe618bc080d2fda16c8fb3e1767cec1986d233bfc59dc

Download Submit
\Users\Admin\AppData\Local\Temp\Low\update.exe

Filesize
84KB

MD5
a8c371bf8ee801c5389e8db2b3cb00f2

SHA1
cc3038a13c3d32f9556902d1f968fffb7fb8e87b

SHA256
446c0b0720ad68e2a6c659276b94bf1742aafb3f8763bb2448cd76dbd646481b

SHA512
6fb8590c9b5fdb923e5ad678faffb73cae0eb2dc11a0440d660543168d2cb04015e9a548f3a224da965fe618bc080d2fda16c8fb3e1767cec1986d233bfc59dc

Download Submit
\Users\Admin\AppData\Local\Temp\Low\update.exe

Filesize
84KB

MD5
a8c371bf8ee801c5389e8db2b3cb00f2

SHA1
cc3038a13c3d32f9556902d1f968fffb7fb8e87b

SHA256
446c0b0720ad68e2a6c659276b94bf1742aafb3f8763bb2448cd76dbd646481b

SHA512
6fb8590c9b5fdb923e5ad678faffb73cae0eb2dc11a0440d660543168d2cb04015e9a548f3a224da965fe618bc080d2fda16c8fb3e1767cec1986d233bfc59dc

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\data.exe

Filesize
84KB

MD5
a8c371bf8ee801c5389e8db2b3cb00f2

SHA1
cc3038a13c3d32f9556902d1f968fffb7fb8e87b

SHA256
446c0b0720ad68e2a6c659276b94bf1742aafb3f8763bb2448cd76dbd646481b

SHA512
6fb8590c9b5fdb923e5ad678faffb73cae0eb2dc11a0440d660543168d2cb04015e9a548f3a224da965fe618bc080d2fda16c8fb3e1767cec1986d233bfc59dc

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\data.exe

Filesize
84KB

MD5
a8c371bf8ee801c5389e8db2b3cb00f2

SHA1
cc3038a13c3d32f9556902d1f968fffb7fb8e87b

SHA256
446c0b0720ad68e2a6c659276b94bf1742aafb3f8763bb2448cd76dbd646481b

SHA512
6fb8590c9b5fdb923e5ad678faffb73cae0eb2dc11a0440d660543168d2cb04015e9a548f3a224da965fe618bc080d2fda16c8fb3e1767cec1986d233bfc59dc

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
84KB

MD5
a8c371bf8ee801c5389e8db2b3cb00f2

SHA1
cc3038a13c3d32f9556902d1f968fffb7fb8e87b

SHA256
446c0b0720ad68e2a6c659276b94bf1742aafb3f8763bb2448cd76dbd646481b

SHA512
6fb8590c9b5fdb923e5ad678faffb73cae0eb2dc11a0440d660543168d2cb04015e9a548f3a224da965fe618bc080d2fda16c8fb3e1767cec1986d233bfc59dc

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
84KB

MD5
a8c371bf8ee801c5389e8db2b3cb00f2

SHA1
cc3038a13c3d32f9556902d1f968fffb7fb8e87b

SHA256
446c0b0720ad68e2a6c659276b94bf1742aafb3f8763bb2448cd76dbd646481b

SHA512
6fb8590c9b5fdb923e5ad678faffb73cae0eb2dc11a0440d660543168d2cb04015e9a548f3a224da965fe618bc080d2fda16c8fb3e1767cec1986d233bfc59dc

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
84KB

MD5
35075ee9af9c8c50c4ea88f66fbc46e4

SHA1
4f753e5f7899d7097ee1b10fc9d4ea3cdafa2a3e

SHA256
bf50a21469ede19fb1b7bc4822ae120bce1a9fe4570bade8428cb022fae71ad4

SHA512
c97865dbf04440546e139216e5ec5f0195fc584bd5b7027fb0599bc5051e5b578bc1bc3395f1ec3be3f16c819386bfbd07427001dfcc2982d608b1fec13b84d0

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
84KB

MD5
35075ee9af9c8c50c4ea88f66fbc46e4

SHA1
4f753e5f7899d7097ee1b10fc9d4ea3cdafa2a3e

SHA256
bf50a21469ede19fb1b7bc4822ae120bce1a9fe4570bade8428cb022fae71ad4

SHA512
c97865dbf04440546e139216e5ec5f0195fc584bd5b7027fb0599bc5051e5b578bc1bc3395f1ec3be3f16c819386bfbd07427001dfcc2982d608b1fec13b84d0

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
84KB

MD5
a8c371bf8ee801c5389e8db2b3cb00f2

SHA1
cc3038a13c3d32f9556902d1f968fffb7fb8e87b

SHA256
446c0b0720ad68e2a6c659276b94bf1742aafb3f8763bb2448cd76dbd646481b

SHA512
6fb8590c9b5fdb923e5ad678faffb73cae0eb2dc11a0440d660543168d2cb04015e9a548f3a224da965fe618bc080d2fda16c8fb3e1767cec1986d233bfc59dc

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
84KB

MD5
a8c371bf8ee801c5389e8db2b3cb00f2

SHA1
cc3038a13c3d32f9556902d1f968fffb7fb8e87b

SHA256
446c0b0720ad68e2a6c659276b94bf1742aafb3f8763bb2448cd76dbd646481b

SHA512
6fb8590c9b5fdb923e5ad678faffb73cae0eb2dc11a0440d660543168d2cb04015e9a548f3a224da965fe618bc080d2fda16c8fb3e1767cec1986d233bfc59dc

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
84KB

MD5
35075ee9af9c8c50c4ea88f66fbc46e4

SHA1
4f753e5f7899d7097ee1b10fc9d4ea3cdafa2a3e

SHA256
bf50a21469ede19fb1b7bc4822ae120bce1a9fe4570bade8428cb022fae71ad4

SHA512
c97865dbf04440546e139216e5ec5f0195fc584bd5b7027fb0599bc5051e5b578bc1bc3395f1ec3be3f16c819386bfbd07427001dfcc2982d608b1fec13b84d0

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
84KB

MD5
35075ee9af9c8c50c4ea88f66fbc46e4

SHA1
4f753e5f7899d7097ee1b10fc9d4ea3cdafa2a3e

SHA256
bf50a21469ede19fb1b7bc4822ae120bce1a9fe4570bade8428cb022fae71ad4

SHA512
c97865dbf04440546e139216e5ec5f0195fc584bd5b7027fb0599bc5051e5b578bc1bc3395f1ec3be3f16c819386bfbd07427001dfcc2982d608b1fec13b84d0

Download Submit
memory/828-300-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/828-311-0x00000000002A0000-0x00000000002BC000-memory.dmp

Filesize
112KB

Download
memory/828-241-0x00000000002A0000-0x00000000002BC000-memory.dmp

Filesize
112KB

Download
memory/828-321-0x00000000002A0000-0x00000000002BC000-memory.dmp

Filesize
112KB

Download
memory/828-262-0x00000000002A0000-0x00000000002BC000-memory.dmp

Filesize
112KB

Download
memory/828-230-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/896-342-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/896-339-0x0000000000300000-0x000000000031C000-memory.dmp

Filesize
112KB

Download
memory/1080-278-0x00000000003E0000-0x00000000003FC000-memory.dmp

Filesize
112KB

Download
memory/1080-293-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1144-250-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1212-345-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1504-330-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1724-54-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1752-254-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1752-265-0x00000000003E0000-0x00000000003FC000-memory.dmp

Filesize
112KB

Download
memory/1808-264-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1808-284-0x0000000000300000-0x000000000031C000-memory.dmp

Filesize
112KB

Download
memory/1808-325-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1808-331-0x0000000000300000-0x000000000031C000-memory.dmp

Filesize
112KB

Download
memory/1808-302-0x0000000000300000-0x000000000031C000-memory.dmp

Filesize
112KB

Download
memory/1808-299-0x0000000000300000-0x000000000031C000-memory.dmp

Filesize
112KB

Download
memory/1808-313-0x0000000000300000-0x000000000031C000-memory.dmp

Filesize
112KB

Download
memory/1888-220-0x0000000000370000-0x000000000038C000-memory.dmp

Filesize
112KB

Download
memory/1888-218-0x0000000000370000-0x000000000038C000-memory.dmp

Filesize
112KB

Download
memory/1888-280-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1948-316-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1952-305-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1968-282-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1996-340-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2108-66-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2156-28-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2296-13-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2296-96-0x0000000000270000-0x000000000028C000-memory.dmp

Filesize
112KB

Download
memory/2296-50-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2340-0-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2340-11-0x0000000000280000-0x000000000029C000-memory.dmp

Filesize
112KB

Download
memory/2340-23-0x0000000000280000-0x000000000029C000-memory.dmp

Filesize
112KB

Download
memory/2340-152-0x0000000001C30000-0x0000000001C31000-memory.dmp

Filesize
4KB

Download
memory/2340-38-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2340-44-0x0000000000280000-0x000000000029C000-memory.dmp

Filesize
112KB

Download
memory/2340-98-0x0000000000280000-0x000000000029C000-memory.dmp

Filesize
112KB

Download
memory/2340-61-0x0000000000280000-0x000000000029C000-memory.dmp

Filesize
112KB

Download
memory/2340-170-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2364-277-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2556-89-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2676-78-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2704-73-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2704-37-0x0000000000020000-0x000000000003C000-memory.dmp

Filesize
112KB

Download
memory/2704-244-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2840-128-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2884-173-0x00000000002F0000-0x000000000030C000-memory.dmp

Filesize
112KB

Download
memory/2884-202-0x00000000002F0000-0x000000000030C000-memory.dmp

Filesize
112KB

Download
memory/2884-147-0x00000000002F0000-0x000000000030C000-memory.dmp

Filesize
112KB

Download
memory/2884-161-0x00000000002F0000-0x000000000030C000-memory.dmp

Filesize
112KB

Download
memory/2884-181-0x00000000002F0000-0x000000000030C000-memory.dmp

Filesize
112KB

Download
memory/2884-203-0x00000000002F0000-0x000000000030C000-memory.dmp

Filesize
112KB

Download
memory/2884-172-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2884-269-0x00000000002F0000-0x000000000030C000-memory.dmp

Filesize
112KB

Download
memory/2952-297-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3036-162-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3036-171-0x0000000000270000-0x000000000028C000-memory.dmp

Filesize
112KB

Download
memory/3048-120-0x00000000002E0000-0x00000000002FC000-memory.dmp

Filesize
112KB

Download
memory/3048-127-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads