caf7a22bb51d5f123098330adffc4788af1dc27b56dfdcb614ae5300c51f510f

Analysis

max time kernel
41s
max time network
136s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
02/11/2023, 16:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.7f26d78dda2b4921b23c3bf20d778120.exe
Size

88KB
MD5

7f26d78dda2b4921b23c3bf20d778120
SHA1

4c16f162376df0ebf3ef9f41cc9e578766eb4e19
SHA256

caf7a22bb51d5f123098330adffc4788af1dc27b56dfdcb614ae5300c51f510f
SHA512

f2ece9fdd0df6b20a740846a6371af744ea6e4678e1b3bcce682932fc311bd789664743edb261ce09231e16bf5b3c1b48145717710ee1c5046035d721a5d7d26
SSDEEP

768:/pQNwC3BESe4Vqth+0V5vKmyLylze70wi3BEmZ:BeT7BVwxfvEFwjRZ

Score

10^/10

evasion upx

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 35 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	NEAS.7f26d78dda2b4921b23c3bf20d778120.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Executes dropped EXE 41 IoCs

pid	Process
2200	backup.exe
2252	backup.exe
2696	backup.exe
2592	backup.exe
2744	backup.exe
2652	backup.exe
2508	backup.exe
2148	backup.exe
2780	backup.exe
584	backup.exe
2860	backup.exe
1668	backup.exe
1732	backup.exe
2944	System Restore.exe
1748	backup.exe
1904	backup.exe
2320	backup.exe
772	backup.exe
1292	backup.exe
276	backup.exe
684	backup.exe
1604	backup.exe
816	backup.exe
1484	backup.exe
2924	backup.exe
1344	backup.exe
2216	backup.exe
1052	backup.exe
3044	backup.exe
2728	backup.exe
2604	backup.exe
2724	backup.exe
3004	backup.exe
2504	backup.exe
2532	backup.exe
1968	backup.exe
692	backup.exe
2168	backup.exe
1856	backup.exe
2400	backup.exe
1044	data.exe

Loads dropped DLL 64 IoCs

pid	Process
2088	NEAS.7f26d78dda2b4921b23c3bf20d778120.exe
2088	NEAS.7f26d78dda2b4921b23c3bf20d778120.exe
2088	NEAS.7f26d78dda2b4921b23c3bf20d778120.exe
2088	NEAS.7f26d78dda2b4921b23c3bf20d778120.exe
2088	NEAS.7f26d78dda2b4921b23c3bf20d778120.exe
2088	NEAS.7f26d78dda2b4921b23c3bf20d778120.exe
2088	NEAS.7f26d78dda2b4921b23c3bf20d778120.exe
2088	NEAS.7f26d78dda2b4921b23c3bf20d778120.exe
2088	NEAS.7f26d78dda2b4921b23c3bf20d778120.exe
2088	NEAS.7f26d78dda2b4921b23c3bf20d778120.exe
2088	NEAS.7f26d78dda2b4921b23c3bf20d778120.exe
2088	NEAS.7f26d78dda2b4921b23c3bf20d778120.exe
2088	NEAS.7f26d78dda2b4921b23c3bf20d778120.exe
2088	NEAS.7f26d78dda2b4921b23c3bf20d778120.exe
2148	backup.exe
2148	backup.exe
2780	backup.exe
2780	backup.exe
2148	backup.exe
2148	backup.exe
2860	backup.exe
2860	backup.exe
1668	backup.exe
1668	backup.exe
2860	backup.exe
2860	backup.exe
2860	backup.exe
2860	backup.exe
2148	backup.exe
2148	backup.exe
2944	System Restore.exe
2944	System Restore.exe
2860	backup.exe
2860	backup.exe
2148	backup.exe
2148	backup.exe
1748	backup.exe
1748	backup.exe
772	backup.exe
2320	backup.exe
772	backup.exe
2320	backup.exe
1904	backup.exe
1904	backup.exe
684	backup.exe
684	backup.exe
276	backup.exe
276	backup.exe
1748	backup.exe
1748	backup.exe
816	backup.exe
816	backup.exe
2924	backup.exe
2320	backup.exe
2320	backup.exe
2924	backup.exe
2944	System Restore.exe
2944	System Restore.exe
1484	backup.exe
1484	backup.exe
1748	backup.exe
1748	backup.exe
2860	backup.exe
2860	backup.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2088-0-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0008000000015c56-5.dat	upx
behavioral1/files/0x0008000000015c56-7.dat	upx
behavioral1/files/0x0008000000015c56-11.dat	upx
behavioral1/files/0x0008000000015c56-9.dat	upx
behavioral1/files/0x0007000000015c66-15.dat	upx
behavioral1/files/0x0007000000015c66-17.dat	upx
behavioral1/files/0x0007000000015c66-21.dat	upx
behavioral1/memory/2252-25-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0007000000015c88-26.dat	upx
behavioral1/files/0x0007000000015c88-28.dat	upx
behavioral1/files/0x0007000000015c88-32.dat	upx
behavioral1/memory/2696-34-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0008000000015c7d-38.dat	upx
behavioral1/files/0x0008000000015c7d-41.dat	upx
behavioral1/memory/2088-39-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0008000000015c7d-46.dat	upx
behavioral1/memory/2592-50-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/2200-53-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0008000000015e04-54.dat	upx
behavioral1/files/0x0008000000015e04-58.dat	upx
behavioral1/files/0x0008000000015e04-51.dat	upx
behavioral1/memory/2744-61-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0006000000015e34-63.dat	upx
behavioral1/files/0x0006000000015e34-65.dat	upx
behavioral1/files/0x0006000000015e34-69.dat	upx
behavioral1/memory/2652-73-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/2696-76-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0028000000015c09-77.dat	upx
behavioral1/files/0x0028000000015c09-81.dat	upx
behavioral1/files/0x0028000000015c09-74.dat	upx
behavioral1/files/0x0008000000015c56-84.dat	upx
behavioral1/memory/2508-86-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0006000000015ea7-91.dat	upx
behavioral1/files/0x0006000000015ea7-95.dat	upx
behavioral1/files/0x000600000001604e-97.dat	upx
behavioral1/files/0x000600000001604e-99.dat	upx
behavioral1/files/0x000600000001604e-104.dat	upx
behavioral1/memory/2088-103-0x0000000000380000-0x000000000039C000-memory.dmp	upx
behavioral1/files/0x000600000001604e-107.dat	upx
behavioral1/files/0x000600000001625a-109.dat	upx
behavioral1/files/0x000600000001625a-111.dat	upx
behavioral1/files/0x000600000001625a-115.dat	upx
behavioral1/memory/2780-118-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/584-119-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0007000000016057-121.dat	upx
behavioral1/files/0x0007000000016057-123.dat	upx
behavioral1/files/0x0007000000016057-128.dat	upx
behavioral1/files/0x0007000000016057-131.dat	upx
behavioral1/files/0x000600000001644c-133.dat	upx
behavioral1/memory/2148-135-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x000600000001644c-137.dat	upx
behavioral1/files/0x000600000001644c-141.dat	upx
behavioral1/files/0x000600000001644c-146.dat	upx
behavioral1/files/0x0006000000016611-148.dat	upx
behavioral1/files/0x0006000000016611-153.dat	upx
behavioral1/files/0x0006000000016611-157.dat	upx
behavioral1/memory/1732-171-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0007000000016adb-178.dat	upx
behavioral1/files/0x0007000000016adb-174.dat	upx
behavioral1/files/0x0007000000016adb-172.dat	upx
behavioral1/memory/1668-170-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/2860-182-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0006000000016ba2-197.dat	upx

Drops file in Program Files directory 28 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\7-Zip\Lang\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Services\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\backup.exe	backup.exe
File opened for modification	C:\Program Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\backup.exe	backup.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2088	NEAS.7f26d78dda2b4921b23c3bf20d778120.exe

Suspicious use of SetWindowsHookEx 39 IoCs

pid	Process
2088	NEAS.7f26d78dda2b4921b23c3bf20d778120.exe
2200	backup.exe
2252	backup.exe
2696	backup.exe
2592	backup.exe
2744	backup.exe
2652	backup.exe
2508	backup.exe
2148	backup.exe
2780	backup.exe
584	backup.exe
2860	backup.exe
1668	backup.exe
1732	backup.exe
2944	System Restore.exe
1748	backup.exe
1904	backup.exe
2320	backup.exe
772	backup.exe
276	backup.exe
1292	backup.exe
684	backup.exe
1604	backup.exe
816	backup.exe
2924	backup.exe
1484	backup.exe
1344	backup.exe
2216	backup.exe
3044	backup.exe
1052	backup.exe
2604	backup.exe
2728	backup.exe
2724	backup.exe
3004	backup.exe
2532	backup.exe
1968	backup.exe
2504	backup.exe
692	backup.exe
2400	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2088 wrote to memory of 2200	2088	NEAS.7f26d78dda2b4921b23c3bf20d778120.exe	28
PID 2088 wrote to memory of 2200	2088	NEAS.7f26d78dda2b4921b23c3bf20d778120.exe	28
PID 2088 wrote to memory of 2200	2088	NEAS.7f26d78dda2b4921b23c3bf20d778120.exe	28
PID 2088 wrote to memory of 2200	2088	NEAS.7f26d78dda2b4921b23c3bf20d778120.exe	28
PID 2088 wrote to memory of 2252	2088	NEAS.7f26d78dda2b4921b23c3bf20d778120.exe	29
PID 2088 wrote to memory of 2252	2088	NEAS.7f26d78dda2b4921b23c3bf20d778120.exe	29
PID 2088 wrote to memory of 2252	2088	NEAS.7f26d78dda2b4921b23c3bf20d778120.exe	29
PID 2088 wrote to memory of 2252	2088	NEAS.7f26d78dda2b4921b23c3bf20d778120.exe	29
PID 2088 wrote to memory of 2696	2088	NEAS.7f26d78dda2b4921b23c3bf20d778120.exe	30
PID 2088 wrote to memory of 2696	2088	NEAS.7f26d78dda2b4921b23c3bf20d778120.exe	30
PID 2088 wrote to memory of 2696	2088	NEAS.7f26d78dda2b4921b23c3bf20d778120.exe	30
PID 2088 wrote to memory of 2696	2088	NEAS.7f26d78dda2b4921b23c3bf20d778120.exe	30
PID 2088 wrote to memory of 2592	2088	NEAS.7f26d78dda2b4921b23c3bf20d778120.exe	31
PID 2088 wrote to memory of 2592	2088	NEAS.7f26d78dda2b4921b23c3bf20d778120.exe	31
PID 2088 wrote to memory of 2592	2088	NEAS.7f26d78dda2b4921b23c3bf20d778120.exe	31
PID 2088 wrote to memory of 2592	2088	NEAS.7f26d78dda2b4921b23c3bf20d778120.exe	31
PID 2088 wrote to memory of 2744	2088	NEAS.7f26d78dda2b4921b23c3bf20d778120.exe	32
PID 2088 wrote to memory of 2744	2088	NEAS.7f26d78dda2b4921b23c3bf20d778120.exe	32
PID 2088 wrote to memory of 2744	2088	NEAS.7f26d78dda2b4921b23c3bf20d778120.exe	32
PID 2088 wrote to memory of 2744	2088	NEAS.7f26d78dda2b4921b23c3bf20d778120.exe	32
PID 2088 wrote to memory of 2652	2088	NEAS.7f26d78dda2b4921b23c3bf20d778120.exe	33
PID 2088 wrote to memory of 2652	2088	NEAS.7f26d78dda2b4921b23c3bf20d778120.exe	33
PID 2088 wrote to memory of 2652	2088	NEAS.7f26d78dda2b4921b23c3bf20d778120.exe	33
PID 2088 wrote to memory of 2652	2088	NEAS.7f26d78dda2b4921b23c3bf20d778120.exe	33
PID 2088 wrote to memory of 2508	2088	NEAS.7f26d78dda2b4921b23c3bf20d778120.exe	34
PID 2088 wrote to memory of 2508	2088	NEAS.7f26d78dda2b4921b23c3bf20d778120.exe	34
PID 2088 wrote to memory of 2508	2088	NEAS.7f26d78dda2b4921b23c3bf20d778120.exe	34
PID 2088 wrote to memory of 2508	2088	NEAS.7f26d78dda2b4921b23c3bf20d778120.exe	34
PID 2200 wrote to memory of 2148	2200	backup.exe	35
PID 2200 wrote to memory of 2148	2200	backup.exe	35
PID 2200 wrote to memory of 2148	2200	backup.exe	35
PID 2200 wrote to memory of 2148	2200	backup.exe	35
PID 2148 wrote to memory of 2780	2148	backup.exe	36
PID 2148 wrote to memory of 2780	2148	backup.exe	36
PID 2148 wrote to memory of 2780	2148	backup.exe	36
PID 2148 wrote to memory of 2780	2148	backup.exe	36
PID 2780 wrote to memory of 584	2780	backup.exe	37
PID 2780 wrote to memory of 584	2780	backup.exe	37
PID 2780 wrote to memory of 584	2780	backup.exe	37
PID 2780 wrote to memory of 584	2780	backup.exe	37
PID 2148 wrote to memory of 2860	2148	backup.exe	38
PID 2148 wrote to memory of 2860	2148	backup.exe	38
PID 2148 wrote to memory of 2860	2148	backup.exe	38
PID 2148 wrote to memory of 2860	2148	backup.exe	38
PID 2860 wrote to memory of 1668	2860	backup.exe	39
PID 2860 wrote to memory of 1668	2860	backup.exe	39
PID 2860 wrote to memory of 1668	2860	backup.exe	39
PID 2860 wrote to memory of 1668	2860	backup.exe	39
PID 1668 wrote to memory of 1732	1668	backup.exe	40
PID 1668 wrote to memory of 1732	1668	backup.exe	40
PID 1668 wrote to memory of 1732	1668	backup.exe	40
PID 1668 wrote to memory of 1732	1668	backup.exe	40
PID 2860 wrote to memory of 2944	2860	backup.exe	41
PID 2860 wrote to memory of 2944	2860	backup.exe	41
PID 2860 wrote to memory of 2944	2860	backup.exe	41
PID 2860 wrote to memory of 2944	2860	backup.exe	41
PID 2860 wrote to memory of 1748	2860	backup.exe	43
PID 2860 wrote to memory of 1748	2860	backup.exe	43
PID 2860 wrote to memory of 1748	2860	backup.exe	43
PID 2860 wrote to memory of 1748	2860	backup.exe	43
PID 2148 wrote to memory of 1904	2148	backup.exe	42
PID 2148 wrote to memory of 1904	2148	backup.exe	42
PID 2148 wrote to memory of 1904	2148	backup.exe	42
PID 2148 wrote to memory of 1904	2148	backup.exe	42

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	NEAS.7f26d78dda2b4921b23c3bf20d778120.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	NEAS.7f26d78dda2b4921b23c3bf20d778120.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.7f26d78dda2b4921b23c3bf20d778120.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.7f26d78dda2b4921b23c3bf20d778120.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2088
- C:\Users\Admin\AppData\Local\Temp\3566806331\backup.exe
  C:\Users\Admin\AppData\Local\Temp\3566806331\backup.exe C:\Users\Admin\AppData\Local\Temp\3566806331\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2200
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2148
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2780
    - - C:\PerfLogs\Admin\backup.exe
        
        C:\PerfLogs\Admin\backup.exe C:\PerfLogs\Admin\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:584
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2860
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1668
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1732
    - - C:\Program Files\Common Files\System Restore.exe
        
        "C:\Program Files\Common Files\System Restore.exe" C:\Program Files\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2944
      - C:\Program Files\Common Files\Microsoft Shared\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\backup.exe" C:\Program Files\Common Files\Microsoft Shared\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2320
        
        C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1604
        
        C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1052
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
        8⤵
        Executes dropped EXE
        
        PID:1856
        
        C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
        8⤵
        
        PID:2856
        
        C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
        8⤵
        
        PID:2768
        
        C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
        8⤵
        
        PID:1188
        
        C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
        8⤵
        
        PID:2152
        
        C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
        8⤵
        
        PID:1660
        
        C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
        8⤵
        
        PID:1260
        
        C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
        8⤵
        
        PID:2336
        
        C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
        8⤵
        
        PID:2408
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
        7⤵
        
        PID:476
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\
        8⤵
        
        PID:1100
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
        7⤵
        
        PID:1340
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\
        8⤵
        
        PID:2332
        
        C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
        7⤵
        
        PID:2644
        
        C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\
        7⤵
        
        PID:2040
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\data.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\
        7⤵
        
        PID:2896
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\
        7⤵
        
        PID:1548
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2728
      - C:\Program Files\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\backup.exe" C:\Program Files\Common Files\SpeechEngines\
        6⤵
        Executes dropped EXE
        
        PID:2168
        
        C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files\Common Files\SpeechEngines\Microsoft\
        7⤵
        
        PID:2008
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        
        PID:2312
        
        C:\Program Files\Common Files\System\ado\backup.exe
        
        "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        
        PID:2640
        
        C:\Program Files\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        
        PID:2352
        
        C:\Program Files\Common Files\System\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        
        PID:1532
        
        C:\Program Files\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
        7⤵
        
        PID:2392
        
        C:\Program Files\Common Files\System\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\fr-FR\backup.exe" C:\Program Files\Common Files\System\fr-FR\
        7⤵
        
        PID:992
        
        C:\Program Files\Common Files\System\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\it-IT\backup.exe" C:\Program Files\Common Files\System\it-IT\
        7⤵
        
        PID:2380
    - - C:\Program Files\DVD Maker\backup.exe
        
        "C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1748
      - C:\Program Files\DVD Maker\de-DE\backup.exe
        
        "C:\Program Files\DVD Maker\de-DE\backup.exe" C:\Program Files\DVD Maker\de-DE\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1292
      - C:\Program Files\DVD Maker\en-US\backup.exe
        
        "C:\Program Files\DVD Maker\en-US\backup.exe" C:\Program Files\DVD Maker\en-US\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1344
      - C:\Program Files\DVD Maker\es-ES\backup.exe
        
        "C:\Program Files\DVD Maker\es-ES\backup.exe" C:\Program Files\DVD Maker\es-ES\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3004
      - C:\Program Files\DVD Maker\fr-FR\backup.exe
        
        "C:\Program Files\DVD Maker\fr-FR\backup.exe" C:\Program Files\DVD Maker\fr-FR\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2400
      - C:\Program Files\DVD Maker\it-IT\backup.exe
        
        "C:\Program Files\DVD Maker\it-IT\backup.exe" C:\Program Files\DVD Maker\it-IT\
        6⤵
        
        PID:1548
      - C:\Program Files\DVD Maker\ja-JP\backup.exe
        
        "C:\Program Files\DVD Maker\ja-JP\backup.exe" C:\Program Files\DVD Maker\ja-JP\
        6⤵
        
        PID:1524
      - C:\Program Files\DVD Maker\Shared\update.exe
        
        "C:\Program Files\DVD Maker\Shared\update.exe" C:\Program Files\DVD Maker\Shared\
        6⤵
        
        PID:1292
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\
        7⤵
        
        PID:2756
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\
        8⤵
        
        PID:1560
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\
        8⤵
        
        PID:1412
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\
        8⤵
        
        PID:1896
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Full\System Restore.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Full\System Restore.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Full\
        8⤵
        
        PID:1652
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\
        8⤵
        
        PID:544
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:772
      - C:\Program Files\Google\Chrome\backup.exe
        
        "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:684
        
        C:\Program Files\Google\Chrome\Application\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\backup.exe" C:\Program Files\Google\Chrome\Application\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2924
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3044
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2532
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\
        9⤵
        
        PID:1404
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\update.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\update.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\
        9⤵
        
        PID:2936
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\
        9⤵
        
        PID:2992
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\
        9⤵
        
        PID:1864
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\
        9⤵
        
        PID:2948
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\update.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\update.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\
        9⤵
        
        PID:2692
        
        C:\Program Files\Google\Chrome\Application\SetupMetrics\data.exe
        
        "C:\Program Files\Google\Chrome\Application\SetupMetrics\data.exe" C:\Program Files\Google\Chrome\Application\SetupMetrics\
        8⤵
        
        PID:2976
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2724
      - C:\Program Files\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files\Internet Explorer\de-DE\backup.exe" C:\Program Files\Internet Explorer\de-DE\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:692
      - C:\Program Files\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files\Internet Explorer\en-US\backup.exe" C:\Program Files\Internet Explorer\en-US\
        6⤵
        
        PID:2792
      - C:\Program Files\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files\Internet Explorer\es-ES\backup.exe" C:\Program Files\Internet Explorer\es-ES\
        6⤵
        
        PID:928
      - C:\Program Files\Internet Explorer\fr-FR\backup.exe
        
        "C:\Program Files\Internet Explorer\fr-FR\backup.exe" C:\Program Files\Internet Explorer\fr-FR\
        6⤵
        
        PID:2508
      - C:\Program Files\Internet Explorer\images\backup.exe
        
        "C:\Program Files\Internet Explorer\images\backup.exe" C:\Program Files\Internet Explorer\images\
        6⤵
        
        PID:2096
      - C:\Program Files\Internet Explorer\it-IT\backup.exe
        
        "C:\Program Files\Internet Explorer\it-IT\backup.exe" C:\Program Files\Internet Explorer\it-IT\
        6⤵
        
        PID:2008
      - C:\Program Files\Internet Explorer\ja-JP\backup.exe
        
        "C:\Program Files\Internet Explorer\ja-JP\backup.exe" C:\Program Files\Internet Explorer\ja-JP\
        6⤵
        
        PID:1620
      - C:\Program Files\Internet Explorer\SIGNUP\backup.exe
        
        "C:\Program Files\Internet Explorer\SIGNUP\backup.exe" C:\Program Files\Internet Explorer\SIGNUP\
        6⤵
        
        PID:1220
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        
        PID:528
    - - C:\Program Files\Microsoft Games\backup.exe
        
        "C:\Program Files\Microsoft Games\backup.exe" C:\Program Files\Microsoft Games\
        5⤵
        
        PID:2908
    - - C:\Program Files\Microsoft Office\backup.exe
        
        "C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
        5⤵
        
        PID:3000
    - - C:\Program Files\Mozilla Firefox\System Restore.exe
        
        "C:\Program Files\Mozilla Firefox\System Restore.exe" C:\Program Files\Mozilla Firefox\
        5⤵
        
        PID:1916
      - C:\Program Files\Mozilla Firefox\browser\backup.exe
        
        "C:\Program Files\Mozilla Firefox\browser\backup.exe" C:\Program Files\Mozilla Firefox\browser\
        6⤵
        
        PID:1704
      - C:\Program Files\Mozilla Firefox\defaults\backup.exe
        
        "C:\Program Files\Mozilla Firefox\defaults\backup.exe" C:\Program Files\Mozilla Firefox\defaults\
        6⤵
        
        PID:1748
    - - C:\Program Files\MSBuild\backup.exe
        
        "C:\Program Files\MSBuild\backup.exe" C:\Program Files\MSBuild\
        5⤵
        
        PID:2636
    - - C:\Program Files\Reference Assemblies\backup.exe
        
        "C:\Program Files\Reference Assemblies\backup.exe" C:\Program Files\Reference Assemblies\
        5⤵
        
        PID:2240
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:1904
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:816
      - C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2216
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1968
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\update.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\update.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\
        7⤵
        
        PID:832
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\data.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\data.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\
        8⤵
        
        PID:1868
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\data.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\data.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\
        8⤵
        
        PID:1628
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\
        8⤵
        
        PID:2340
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\
        8⤵
        
        PID:792
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\
        8⤵
        
        PID:2296
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\
        8⤵
        
        PID:1952
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\
        8⤵
        
        PID:1448
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\
        7⤵
        
        PID:2128
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\
        7⤵
        
        PID:2828
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\
        8⤵
        
        PID:2484
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        
        PID:2488
      - C:\Program Files (x86)\Common Files\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
        6⤵
        
        PID:2396
      - C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\
        6⤵
        
        PID:1088
      - C:\Program Files (x86)\Common Files\DESIGNER\backup.exe
        
        "C:\Program Files (x86)\Common Files\DESIGNER\backup.exe" C:\Program Files (x86)\Common Files\DESIGNER\
        6⤵
        
        PID:2876
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        
        PID:1336
      - C:\Program Files (x86)\Google\CrashReports\backup.exe
        
        "C:\Program Files (x86)\Google\CrashReports\backup.exe" C:\Program Files (x86)\Google\CrashReports\
        6⤵
        
        PID:700
      - C:\Program Files (x86)\Google\Temp\backup.exe
        
        "C:\Program Files (x86)\Google\Temp\backup.exe" C:\Program Files (x86)\Google\Temp\
        6⤵
        
        PID:2656
      - C:\Program Files (x86)\Google\Update\backup.exe
        
        "C:\Program Files (x86)\Google\Update\backup.exe" C:\Program Files (x86)\Google\Update\
        6⤵
        
        PID:1640
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        
        PID:1348
    - - C:\Program Files (x86)\Microsoft Analysis Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\
        5⤵
        
        PID:2516
    - - C:\Program Files (x86)\Microsoft Office\System Restore.exe
        
        "C:\Program Files (x86)\Microsoft Office\System Restore.exe" C:\Program Files (x86)\Microsoft Office\
        5⤵
        
        PID:1672
    - - C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\
        5⤵
        
        PID:3008
      - C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\backup.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\backup.exe" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\
        6⤵
        
        PID:2476
    - - C:\Program Files (x86)\Microsoft Sync Framework\backup.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\backup.exe" C:\Program Files (x86)\Microsoft Sync Framework\
        5⤵
        
        PID:2944
    - - C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe" C:\Program Files (x86)\Microsoft Synchronization Services\
        5⤵
        
        PID:2224
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:276
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1484
      - C:\Users\Admin\Contacts\backup.exe
        
        C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2604
      - C:\Users\Admin\Desktop\data.exe
        
        C:\Users\Admin\Desktop\data.exe C:\Users\Admin\Desktop\
        6⤵
        Executes dropped EXE
        
        PID:1044
      - C:\Users\Admin\Documents\backup.exe
        
        C:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\
        6⤵
        
        PID:1496
      - C:\Users\Admin\Downloads\System Restore.exe
        
        "C:\Users\Admin\Downloads\System Restore.exe" C:\Users\Admin\Downloads\
        6⤵
        
        PID:896
      - C:\Users\Admin\Favorites\backup.exe
        
        C:\Users\Admin\Favorites\backup.exe C:\Users\Admin\Favorites\
        6⤵
        
        PID:1192
      - C:\Users\Admin\Links\backup.exe
        
        C:\Users\Admin\Links\backup.exe C:\Users\Admin\Links\
        6⤵
        
        PID:2792
      - C:\Users\Admin\Music\backup.exe
        
        C:\Users\Admin\Music\backup.exe C:\Users\Admin\Music\
        6⤵
        
        PID:3028
      - C:\Users\Admin\Pictures\backup.exe
        
        C:\Users\Admin\Pictures\backup.exe C:\Users\Admin\Pictures\
        6⤵
        
        PID:2916
      - C:\Users\Admin\Saved Games\backup.exe
        
        "C:\Users\Admin\Saved Games\backup.exe" C:\Users\Admin\Saved Games\
        6⤵
        
        PID:2720
      - C:\Users\Admin\Searches\update.exe
        
        C:\Users\Admin\Searches\update.exe C:\Users\Admin\Searches\
        6⤵
        
        PID:1072
    - - C:\Users\Public\update.exe
        
        C:\Users\Public\update.exe C:\Users\Public\
        5⤵
        
        PID:2500
      - C:\Users\Public\Documents\backup.exe
        
        C:\Users\Public\Documents\backup.exe C:\Users\Public\Documents\
        6⤵
        
        PID:2272
      - C:\Users\Public\Downloads\backup.exe
        
        C:\Users\Public\Downloads\backup.exe C:\Users\Public\Downloads\
        6⤵
        
        PID:1292
      - C:\Users\Public\Music\backup.exe
        
        C:\Users\Public\Music\backup.exe C:\Users\Public\Music\
        6⤵
        
        PID:2244
      - C:\Users\Public\Pictures\backup.exe
        
        C:\Users\Public\Pictures\backup.exe C:\Users\Public\Pictures\
        6⤵
        
        PID:2796
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2504
    - - C:\Windows\addins\backup.exe
        
        C:\Windows\addins\backup.exe C:\Windows\addins\
        5⤵
        
        PID:1228
    - - C:\Windows\AppCompat\backup.exe
        
        C:\Windows\AppCompat\backup.exe C:\Windows\AppCompat\
        5⤵
        
        PID:1872
    - - C:\Windows\AppPatch\backup.exe
        
        C:\Windows\AppPatch\backup.exe C:\Windows\AppPatch\
        5⤵
        
        PID:2984
      - C:\Windows\AppPatch\AppPatch64\backup.exe
        
        C:\Windows\AppPatch\AppPatch64\backup.exe C:\Windows\AppPatch\AppPatch64\
        6⤵
        
        PID:2716
      - C:\Windows\AppPatch\Custom\backup.exe
        
        C:\Windows\AppPatch\Custom\backup.exe C:\Windows\AppPatch\Custom\
        6⤵
        
        PID:2560
      - C:\Windows\AppPatch\de-DE\data.exe
        
        C:\Windows\AppPatch\de-DE\data.exe C:\Windows\AppPatch\de-DE\
        6⤵
        
        PID:1400
      - C:\Windows\AppPatch\en-US\backup.exe
        
        C:\Windows\AppPatch\en-US\backup.exe C:\Windows\AppPatch\en-US\
        6⤵
        
        PID:2024
      - C:\Windows\AppPatch\es-ES\backup.exe
        
        C:\Windows\AppPatch\es-ES\backup.exe C:\Windows\AppPatch\es-ES\
        6⤵
        
        PID:2784
      - C:\Windows\AppPatch\fr-FR\backup.exe
        
        C:\Windows\AppPatch\fr-FR\backup.exe C:\Windows\AppPatch\fr-FR\
        6⤵
        
        PID:1076
      - C:\Windows\AppPatch\it-IT\backup.exe
        
        C:\Windows\AppPatch\it-IT\backup.exe C:\Windows\AppPatch\it-IT\
        6⤵
        
        PID:1692
    - - C:\Windows\assembly\backup.exe
        
        C:\Windows\assembly\backup.exe C:\Windows\assembly\
        5⤵
        
        PID:2764
      - C:\Windows\assembly\GAC\backup.exe
        
        C:\Windows\assembly\GAC\backup.exe C:\Windows\assembly\GAC\
        6⤵
        
        PID:552
      - C:\Windows\assembly\GAC_32\System Restore.exe
        
        "C:\Windows\assembly\GAC_32\System Restore.exe" C:\Windows\assembly\GAC_32\
        6⤵
        
        PID:3012
      - C:\Windows\assembly\GAC_64\backup.exe
        
        C:\Windows\assembly\GAC_64\backup.exe C:\Windows\assembly\GAC_64\
        6⤵
        
        PID:2032
    - - C:\Windows\Branding\backup.exe
        
        C:\Windows\Branding\backup.exe C:\Windows\Branding\
        5⤵
        
        PID:2704
      - C:\Windows\Branding\Basebrd\backup.exe
        
        C:\Windows\Branding\Basebrd\backup.exe C:\Windows\Branding\Basebrd\
        6⤵
        
        PID:1996
    - - C:\Windows\CSC\backup.exe
        
        C:\Windows\CSC\backup.exe C:\Windows\CSC\
        5⤵
        
        PID:1352
    - - C:\Windows\Cursors\backup.exe
        
        C:\Windows\Cursors\backup.exe C:\Windows\Cursors\
        5⤵
        
        PID:1816
    - - C:\Windows\debug\backup.exe
        
        C:\Windows\debug\backup.exe C:\Windows\debug\
        5⤵
        
        PID:2832
    - - C:\Windows\de-DE\backup.exe
        
        C:\Windows\de-DE\backup.exe C:\Windows\de-DE\
        5⤵
        
        PID:3016
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2252
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2696
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2592
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2744
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2652
- C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
  C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\backup.exe

Filesize
88KB

MD5
0f454fe679aef951ae3a6cbabcbae0e4

SHA1
59373af4496e7d10cde326e755b81a5a7b84d840

SHA256
2a8ee1b48538ac8780f168d99b1a0a4857fe617b271c4fc8fe46c8ea38558f15

SHA512
51bd7eb752ded86fce56eb28eeffd36ea1e7d8e8424d0daf7f8604a1a09349c2229d96386c216af55abe0f1eefbe9313efa867e09f127d22f318eaa491da96bc

Download Submit
C:\PerfLogs\backup.exe

Filesize
88KB

MD5
d3d0179021cdbfe0954206dfa9c4df07

SHA1
2dfaa1e746df01de4061b3fc63ac96641f293cda

SHA256
ca4f114eeef53376c592f2e1570f8400f29e3ea569b517c0bda398cdab4cd4eb

SHA512
15cf15c2d1b6d1d5ab2d2093380cacb9ac317db1e677983638c9957c052ce325ec2b6147a4218397c82c0975ac84beb4a996b170b1165f83f3942109c837e571

Download Submit
C:\PerfLogs\backup.exe

Filesize
88KB

MD5
d3d0179021cdbfe0954206dfa9c4df07

SHA1
2dfaa1e746df01de4061b3fc63ac96641f293cda

SHA256
ca4f114eeef53376c592f2e1570f8400f29e3ea569b517c0bda398cdab4cd4eb

SHA512
15cf15c2d1b6d1d5ab2d2093380cacb9ac317db1e677983638c9957c052ce325ec2b6147a4218397c82c0975ac84beb4a996b170b1165f83f3942109c837e571

Download Submit
C:\Program Files (x86)\backup.exe

Filesize
88KB

MD5
43a0c7909511e1960ae209df1553deda

SHA1
95b1df2c93ea602b6b0a64f1d0df2ea340994fb0

SHA256
09dffdb52761350d379a48b83d5de3e2a2c59902a7345454573ea4110f16bc4b

SHA512
b0cc2acdbf81fa71f93a8ec147d151e3cc3c9e98be2bd26b9ce26e4a29ef68b00d011c443170d72a2803094dfc565ad60480bad93d87904a05b4af460edc1fc7

Download Submit
C:\Program Files (x86)\backup.exe

Filesize
88KB

MD5
43a0c7909511e1960ae209df1553deda

SHA1
95b1df2c93ea602b6b0a64f1d0df2ea340994fb0

SHA256
09dffdb52761350d379a48b83d5de3e2a2c59902a7345454573ea4110f16bc4b

SHA512
b0cc2acdbf81fa71f93a8ec147d151e3cc3c9e98be2bd26b9ce26e4a29ef68b00d011c443170d72a2803094dfc565ad60480bad93d87904a05b4af460edc1fc7

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
88KB

MD5
ed642c47259f5f0b7f870b598d7442ac

SHA1
1fd5a7ab2e41877a0465a379e3bf522b7d5ef384

SHA256
85a0264a7c925df433e962665602772578a9ae82d185d1078085f9c5a10d99e9

SHA512
aa707adfd07cc2a27151e93a3742d84af5085671e39e3d36988e4335f6002f742c2dbab5360f353eb992c567bc8790fb2fd653d14b2b1ef0388cea75b0019ccb

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
88KB

MD5
0f454fe679aef951ae3a6cbabcbae0e4

SHA1
59373af4496e7d10cde326e755b81a5a7b84d840

SHA256
2a8ee1b48538ac8780f168d99b1a0a4857fe617b271c4fc8fe46c8ea38558f15

SHA512
51bd7eb752ded86fce56eb28eeffd36ea1e7d8e8424d0daf7f8604a1a09349c2229d96386c216af55abe0f1eefbe9313efa867e09f127d22f318eaa491da96bc

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
88KB

MD5
0f454fe679aef951ae3a6cbabcbae0e4

SHA1
59373af4496e7d10cde326e755b81a5a7b84d840

SHA256
2a8ee1b48538ac8780f168d99b1a0a4857fe617b271c4fc8fe46c8ea38558f15

SHA512
51bd7eb752ded86fce56eb28eeffd36ea1e7d8e8424d0daf7f8604a1a09349c2229d96386c216af55abe0f1eefbe9313efa867e09f127d22f318eaa491da96bc

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
88KB

MD5
fe495e08b881bb23922e835f8c7e2e92

SHA1
185c65e8f573a22c3ce401e1d9cc67ae9569450e

SHA256
94f408c41d249d6e2785885586b27f5f942cf9573b908ed6e7dba19386bca982

SHA512
a59dc1c6db049f8ddeee11eba8987eedbbdc754c45f97b7e0574ef838dcd3f3f106bf04e260b64b3f27b516eb82af26d74a173258937906b8282fe23a0acdefe

Download Submit
C:\Program Files\Common Files\System Restore.exe

Filesize
88KB

MD5
395383e130bf5f07079d416d8e95f0c6

SHA1
be3d8026a71fe7d4cdfc6add6bd8851d04fa9e50

SHA256
60bfdac4924320e725791a08d8c8d7ffe3d9da68800c4ea0e3b5a443cb684cb5

SHA512
0061e0424af6b0fa9cfc623ffeece39d3270a0a049e6942eba7a57cfd0a0c93bf41ac8ee8ba39447718704844d9b2b1366faed16e7d067d6df89429ef57cab41

Download Submit
C:\Program Files\Common Files\System Restore.exe

Filesize
88KB

MD5
395383e130bf5f07079d416d8e95f0c6

SHA1
be3d8026a71fe7d4cdfc6add6bd8851d04fa9e50

SHA256
60bfdac4924320e725791a08d8c8d7ffe3d9da68800c4ea0e3b5a443cb684cb5

SHA512
0061e0424af6b0fa9cfc623ffeece39d3270a0a049e6942eba7a57cfd0a0c93bf41ac8ee8ba39447718704844d9b2b1366faed16e7d067d6df89429ef57cab41

Download Submit
C:\Program Files\DVD Maker\backup.exe

Filesize
88KB

MD5
a930cf6532877f81ae462ceb86433b7d

SHA1
5749024740c20363fd9433fb5f62ed12222f83e1

SHA256
444263a68e7e3345f2d7d9f0795727a696c77660bc992a7af97eb0e81fed7593

SHA512
79e4fcade3b550ea1d45f4206bbfa7dea969aa428a8362921ebd84df0a44938822bdf7e5794d9673bd365a960212f6a143de9ed0aae1547397665ef4fac1c63b

Download Submit
C:\Program Files\DVD Maker\backup.exe

Filesize
88KB

MD5
a930cf6532877f81ae462ceb86433b7d

SHA1
5749024740c20363fd9433fb5f62ed12222f83e1

SHA256
444263a68e7e3345f2d7d9f0795727a696c77660bc992a7af97eb0e81fed7593

SHA512
79e4fcade3b550ea1d45f4206bbfa7dea969aa428a8362921ebd84df0a44938822bdf7e5794d9673bd365a960212f6a143de9ed0aae1547397665ef4fac1c63b

Download Submit
C:\Program Files\Google\backup.exe

Filesize
88KB

MD5
611bed4f7f73f5d83fd3dbc9c06ccb1e

SHA1
56420a444ac114fd99217f6f44a2e96897005293

SHA256
5bd8410c889fafb41b2750f3fb515eb9bdbdf72a3a7108e4947e4977e1ff10b1

SHA512
fc84ac874b1013a7fd323d1d1ce0782ae7d57726e9c3673ed7927075102f369850a3a0b308e7738074fba31229118384b67973706d9d124e50f3c4c41704a0f6

Download Submit
C:\Program Files\backup.exe

Filesize
88KB

MD5
d3d0179021cdbfe0954206dfa9c4df07

SHA1
2dfaa1e746df01de4061b3fc63ac96641f293cda

SHA256
ca4f114eeef53376c592f2e1570f8400f29e3ea569b517c0bda398cdab4cd4eb

SHA512
15cf15c2d1b6d1d5ab2d2093380cacb9ac317db1e677983638c9957c052ce325ec2b6147a4218397c82c0975ac84beb4a996b170b1165f83f3942109c837e571

Download Submit
C:\Program Files\backup.exe

Filesize
88KB

MD5
d3d0179021cdbfe0954206dfa9c4df07

SHA1
2dfaa1e746df01de4061b3fc63ac96641f293cda

SHA256
ca4f114eeef53376c592f2e1570f8400f29e3ea569b517c0bda398cdab4cd4eb

SHA512
15cf15c2d1b6d1d5ab2d2093380cacb9ac317db1e677983638c9957c052ce325ec2b6147a4218397c82c0975ac84beb4a996b170b1165f83f3942109c837e571

Download Submit
C:\Users\Admin\AppData\Local\Temp\3566806331\backup.exe

Filesize
88KB

MD5
e5b25b18192c323160b65e647d71d7d0

SHA1
fd97b81d449ab4a4e6e11e3b26780cb8988b736c

SHA256
63af19b1fdff27d115232c2fe125bf89cde732ffc5f2f929c6a0e2d56ead531b

SHA512
39e591b28de2b422adaf48ebc9f531c527b809449a9c13630421288532c6d927ff4bbdd7dd1f8b2cae3024b5f71f8cf3de1ea80858267c921fe895d85455d0fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\3566806331\backup.exe

Filesize
88KB

MD5
e5b25b18192c323160b65e647d71d7d0

SHA1
fd97b81d449ab4a4e6e11e3b26780cb8988b736c

SHA256
63af19b1fdff27d115232c2fe125bf89cde732ffc5f2f929c6a0e2d56ead531b

SHA512
39e591b28de2b422adaf48ebc9f531c527b809449a9c13630421288532c6d927ff4bbdd7dd1f8b2cae3024b5f71f8cf3de1ea80858267c921fe895d85455d0fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\3566806331\backup.exe

Filesize
88KB

MD5
e5b25b18192c323160b65e647d71d7d0

SHA1
fd97b81d449ab4a4e6e11e3b26780cb8988b736c

SHA256
63af19b1fdff27d115232c2fe125bf89cde732ffc5f2f929c6a0e2d56ead531b

SHA512
39e591b28de2b422adaf48ebc9f531c527b809449a9c13630421288532c6d927ff4bbdd7dd1f8b2cae3024b5f71f8cf3de1ea80858267c921fe895d85455d0fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
88KB

MD5
3a4a25136c810bc17dddccb646f77f71

SHA1
a3abc9145e723c8f7324bc81c29c0615931a681b

SHA256
3a8f5a087484dddeac4f8ce3361792223dd3ed7c01177f49ef90d4175e87f5a4

SHA512
c52be26b9c5ae9cf396a8e8ba3b49258f8b0edf90014a163cf58a10b167bb8f00b76e8d0141314af602aee586eb5138eb760d47ea7c4bea684f1b51b2867eac0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
88KB

MD5
3a4a25136c810bc17dddccb646f77f71

SHA1
a3abc9145e723c8f7324bc81c29c0615931a681b

SHA256
3a8f5a087484dddeac4f8ce3361792223dd3ed7c01177f49ef90d4175e87f5a4

SHA512
c52be26b9c5ae9cf396a8e8ba3b49258f8b0edf90014a163cf58a10b167bb8f00b76e8d0141314af602aee586eb5138eb760d47ea7c4bea684f1b51b2867eac0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
88KB

MD5
3a4a25136c810bc17dddccb646f77f71

SHA1
a3abc9145e723c8f7324bc81c29c0615931a681b

SHA256
3a8f5a087484dddeac4f8ce3361792223dd3ed7c01177f49ef90d4175e87f5a4

SHA512
c52be26b9c5ae9cf396a8e8ba3b49258f8b0edf90014a163cf58a10b167bb8f00b76e8d0141314af602aee586eb5138eb760d47ea7c4bea684f1b51b2867eac0

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
88KB

MD5
3a4a25136c810bc17dddccb646f77f71

SHA1
a3abc9145e723c8f7324bc81c29c0615931a681b

SHA256
3a8f5a087484dddeac4f8ce3361792223dd3ed7c01177f49ef90d4175e87f5a4

SHA512
c52be26b9c5ae9cf396a8e8ba3b49258f8b0edf90014a163cf58a10b167bb8f00b76e8d0141314af602aee586eb5138eb760d47ea7c4bea684f1b51b2867eac0

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
88KB

MD5
3a4a25136c810bc17dddccb646f77f71

SHA1
a3abc9145e723c8f7324bc81c29c0615931a681b

SHA256
3a8f5a087484dddeac4f8ce3361792223dd3ed7c01177f49ef90d4175e87f5a4

SHA512
c52be26b9c5ae9cf396a8e8ba3b49258f8b0edf90014a163cf58a10b167bb8f00b76e8d0141314af602aee586eb5138eb760d47ea7c4bea684f1b51b2867eac0

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
88KB

MD5
3a4a25136c810bc17dddccb646f77f71

SHA1
a3abc9145e723c8f7324bc81c29c0615931a681b

SHA256
3a8f5a087484dddeac4f8ce3361792223dd3ed7c01177f49ef90d4175e87f5a4

SHA512
c52be26b9c5ae9cf396a8e8ba3b49258f8b0edf90014a163cf58a10b167bb8f00b76e8d0141314af602aee586eb5138eb760d47ea7c4bea684f1b51b2867eac0

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.zip

Filesize
30KB

MD5
2b0e05f6c928b2569de85c5138e7c25a

SHA1
ae1095f233ab663cfaad9743f358ec5efca552a5

SHA256
d5c9c7646aa882038bfcdda0b26788252f5c828be03a5a57b3d9ca9ac6e7d4fc

SHA512
1597b15e434cda2e82a063884ae1d2b1f463faa61d1029a66f8de8034cf8106edf0d1ca619a36520dd8ab080eccc37fbe21da2b1b690eeaf516e9308ea394b66

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.zip

Filesize
22B

MD5
76cdb2bad9582d23c1f6f4d868218d6c

SHA1
b04f3ee8f5e43fa3b162981b50bb72fe1acabb33

SHA256
8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85

SHA512
5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

Download Submit
C:\backup.exe

Filesize
88KB

MD5
0b0e8e091d308277be4b888307c73167

SHA1
c0288b39bc66a035702ecd494b232d1cf41559b5

SHA256
40540aeab9745345d54a3afe4ad3ad867b3762cd417ba3601acefaf176379d5e

SHA512
60eaa941d3152f028b8fcf527450a0165b989e51b37a0498f86e708694dece6e80a98ac0bc4f0d48fe7d82f0e0b181df320b3e47f0c88be3f72634b127ccbc56

Download Submit
C:\backup.exe

Filesize
88KB

MD5
0b0e8e091d308277be4b888307c73167

SHA1
c0288b39bc66a035702ecd494b232d1cf41559b5

SHA256
40540aeab9745345d54a3afe4ad3ad867b3762cd417ba3601acefaf176379d5e

SHA512
60eaa941d3152f028b8fcf527450a0165b989e51b37a0498f86e708694dece6e80a98ac0bc4f0d48fe7d82f0e0b181df320b3e47f0c88be3f72634b127ccbc56

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
88KB

MD5
0f454fe679aef951ae3a6cbabcbae0e4

SHA1
59373af4496e7d10cde326e755b81a5a7b84d840

SHA256
2a8ee1b48538ac8780f168d99b1a0a4857fe617b271c4fc8fe46c8ea38558f15

SHA512
51bd7eb752ded86fce56eb28eeffd36ea1e7d8e8424d0daf7f8604a1a09349c2229d96386c216af55abe0f1eefbe9313efa867e09f127d22f318eaa491da96bc

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
88KB

MD5
0f454fe679aef951ae3a6cbabcbae0e4

SHA1
59373af4496e7d10cde326e755b81a5a7b84d840

SHA256
2a8ee1b48538ac8780f168d99b1a0a4857fe617b271c4fc8fe46c8ea38558f15

SHA512
51bd7eb752ded86fce56eb28eeffd36ea1e7d8e8424d0daf7f8604a1a09349c2229d96386c216af55abe0f1eefbe9313efa867e09f127d22f318eaa491da96bc

Download Submit
\PerfLogs\backup.exe

Filesize
88KB

MD5
d3d0179021cdbfe0954206dfa9c4df07

SHA1
2dfaa1e746df01de4061b3fc63ac96641f293cda

SHA256
ca4f114eeef53376c592f2e1570f8400f29e3ea569b517c0bda398cdab4cd4eb

SHA512
15cf15c2d1b6d1d5ab2d2093380cacb9ac317db1e677983638c9957c052ce325ec2b6147a4218397c82c0975ac84beb4a996b170b1165f83f3942109c837e571

Download Submit
\PerfLogs\backup.exe

Filesize
88KB

MD5
d3d0179021cdbfe0954206dfa9c4df07

SHA1
2dfaa1e746df01de4061b3fc63ac96641f293cda

SHA256
ca4f114eeef53376c592f2e1570f8400f29e3ea569b517c0bda398cdab4cd4eb

SHA512
15cf15c2d1b6d1d5ab2d2093380cacb9ac317db1e677983638c9957c052ce325ec2b6147a4218397c82c0975ac84beb4a996b170b1165f83f3942109c837e571

Download Submit
\Program Files (x86)\backup.exe

Filesize
88KB

MD5
43a0c7909511e1960ae209df1553deda

SHA1
95b1df2c93ea602b6b0a64f1d0df2ea340994fb0

SHA256
09dffdb52761350d379a48b83d5de3e2a2c59902a7345454573ea4110f16bc4b

SHA512
b0cc2acdbf81fa71f93a8ec147d151e3cc3c9e98be2bd26b9ce26e4a29ef68b00d011c443170d72a2803094dfc565ad60480bad93d87904a05b4af460edc1fc7

Download Submit
\Program Files (x86)\backup.exe

Filesize
88KB

MD5
43a0c7909511e1960ae209df1553deda

SHA1
95b1df2c93ea602b6b0a64f1d0df2ea340994fb0

SHA256
09dffdb52761350d379a48b83d5de3e2a2c59902a7345454573ea4110f16bc4b

SHA512
b0cc2acdbf81fa71f93a8ec147d151e3cc3c9e98be2bd26b9ce26e4a29ef68b00d011c443170d72a2803094dfc565ad60480bad93d87904a05b4af460edc1fc7

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
88KB

MD5
ed642c47259f5f0b7f870b598d7442ac

SHA1
1fd5a7ab2e41877a0465a379e3bf522b7d5ef384

SHA256
85a0264a7c925df433e962665602772578a9ae82d185d1078085f9c5a10d99e9

SHA512
aa707adfd07cc2a27151e93a3742d84af5085671e39e3d36988e4335f6002f742c2dbab5360f353eb992c567bc8790fb2fd653d14b2b1ef0388cea75b0019ccb

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
88KB

MD5
ed642c47259f5f0b7f870b598d7442ac

SHA1
1fd5a7ab2e41877a0465a379e3bf522b7d5ef384

SHA256
85a0264a7c925df433e962665602772578a9ae82d185d1078085f9c5a10d99e9

SHA512
aa707adfd07cc2a27151e93a3742d84af5085671e39e3d36988e4335f6002f742c2dbab5360f353eb992c567bc8790fb2fd653d14b2b1ef0388cea75b0019ccb

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
88KB

MD5
0f454fe679aef951ae3a6cbabcbae0e4

SHA1
59373af4496e7d10cde326e755b81a5a7b84d840

SHA256
2a8ee1b48538ac8780f168d99b1a0a4857fe617b271c4fc8fe46c8ea38558f15

SHA512
51bd7eb752ded86fce56eb28eeffd36ea1e7d8e8424d0daf7f8604a1a09349c2229d96386c216af55abe0f1eefbe9313efa867e09f127d22f318eaa491da96bc

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
88KB

MD5
0f454fe679aef951ae3a6cbabcbae0e4

SHA1
59373af4496e7d10cde326e755b81a5a7b84d840

SHA256
2a8ee1b48538ac8780f168d99b1a0a4857fe617b271c4fc8fe46c8ea38558f15

SHA512
51bd7eb752ded86fce56eb28eeffd36ea1e7d8e8424d0daf7f8604a1a09349c2229d96386c216af55abe0f1eefbe9313efa867e09f127d22f318eaa491da96bc

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
88KB

MD5
fe495e08b881bb23922e835f8c7e2e92

SHA1
185c65e8f573a22c3ce401e1d9cc67ae9569450e

SHA256
94f408c41d249d6e2785885586b27f5f942cf9573b908ed6e7dba19386bca982

SHA512
a59dc1c6db049f8ddeee11eba8987eedbbdc754c45f97b7e0574ef838dcd3f3f106bf04e260b64b3f27b516eb82af26d74a173258937906b8282fe23a0acdefe

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
88KB

MD5
fe495e08b881bb23922e835f8c7e2e92

SHA1
185c65e8f573a22c3ce401e1d9cc67ae9569450e

SHA256
94f408c41d249d6e2785885586b27f5f942cf9573b908ed6e7dba19386bca982

SHA512
a59dc1c6db049f8ddeee11eba8987eedbbdc754c45f97b7e0574ef838dcd3f3f106bf04e260b64b3f27b516eb82af26d74a173258937906b8282fe23a0acdefe

Download Submit
\Program Files\Common Files\System Restore.exe

Filesize
88KB

MD5
395383e130bf5f07079d416d8e95f0c6

SHA1
be3d8026a71fe7d4cdfc6add6bd8851d04fa9e50

SHA256
60bfdac4924320e725791a08d8c8d7ffe3d9da68800c4ea0e3b5a443cb684cb5

SHA512
0061e0424af6b0fa9cfc623ffeece39d3270a0a049e6942eba7a57cfd0a0c93bf41ac8ee8ba39447718704844d9b2b1366faed16e7d067d6df89429ef57cab41

Download Submit
\Program Files\Common Files\System Restore.exe

Filesize
88KB

MD5
395383e130bf5f07079d416d8e95f0c6

SHA1
be3d8026a71fe7d4cdfc6add6bd8851d04fa9e50

SHA256
60bfdac4924320e725791a08d8c8d7ffe3d9da68800c4ea0e3b5a443cb684cb5

SHA512
0061e0424af6b0fa9cfc623ffeece39d3270a0a049e6942eba7a57cfd0a0c93bf41ac8ee8ba39447718704844d9b2b1366faed16e7d067d6df89429ef57cab41

Download Submit
\Program Files\DVD Maker\backup.exe

Filesize
88KB

MD5
a930cf6532877f81ae462ceb86433b7d

SHA1
5749024740c20363fd9433fb5f62ed12222f83e1

SHA256
444263a68e7e3345f2d7d9f0795727a696c77660bc992a7af97eb0e81fed7593

SHA512
79e4fcade3b550ea1d45f4206bbfa7dea969aa428a8362921ebd84df0a44938822bdf7e5794d9673bd365a960212f6a143de9ed0aae1547397665ef4fac1c63b

Download Submit
\Program Files\DVD Maker\backup.exe

Filesize
88KB

MD5
a930cf6532877f81ae462ceb86433b7d

SHA1
5749024740c20363fd9433fb5f62ed12222f83e1

SHA256
444263a68e7e3345f2d7d9f0795727a696c77660bc992a7af97eb0e81fed7593

SHA512
79e4fcade3b550ea1d45f4206bbfa7dea969aa428a8362921ebd84df0a44938822bdf7e5794d9673bd365a960212f6a143de9ed0aae1547397665ef4fac1c63b

Download Submit
\Program Files\DVD Maker\de-DE\backup.exe

Filesize
88KB

MD5
8e93f21f77ba1d42c06fe3c92aa88672

SHA1
19d3accba5fdd150e93c60936dbc283b58815fda

SHA256
262d40439998b8c8e0351c4254d11c74b66564684f2767d562627084376d0036

SHA512
a659ec730770db870b267d48dfcb74d812d45878d1b2c1eaa1205182bd07e9d502e2676bf5a08821d883433fee6efb03914392f9f99e54b0b3bed574ba462f5b

Download Submit
\Program Files\DVD Maker\de-DE\backup.exe

Filesize
88KB

MD5
8e93f21f77ba1d42c06fe3c92aa88672

SHA1
19d3accba5fdd150e93c60936dbc283b58815fda

SHA256
262d40439998b8c8e0351c4254d11c74b66564684f2767d562627084376d0036

SHA512
a659ec730770db870b267d48dfcb74d812d45878d1b2c1eaa1205182bd07e9d502e2676bf5a08821d883433fee6efb03914392f9f99e54b0b3bed574ba462f5b

Download Submit
\Program Files\Google\backup.exe

Filesize
88KB

MD5
611bed4f7f73f5d83fd3dbc9c06ccb1e

SHA1
56420a444ac114fd99217f6f44a2e96897005293

SHA256
5bd8410c889fafb41b2750f3fb515eb9bdbdf72a3a7108e4947e4977e1ff10b1

SHA512
fc84ac874b1013a7fd323d1d1ce0782ae7d57726e9c3673ed7927075102f369850a3a0b308e7738074fba31229118384b67973706d9d124e50f3c4c41704a0f6

Download Submit
\Program Files\Google\backup.exe

Filesize
88KB

MD5
611bed4f7f73f5d83fd3dbc9c06ccb1e

SHA1
56420a444ac114fd99217f6f44a2e96897005293

SHA256
5bd8410c889fafb41b2750f3fb515eb9bdbdf72a3a7108e4947e4977e1ff10b1

SHA512
fc84ac874b1013a7fd323d1d1ce0782ae7d57726e9c3673ed7927075102f369850a3a0b308e7738074fba31229118384b67973706d9d124e50f3c4c41704a0f6

Download Submit
\Program Files\backup.exe

Filesize
88KB

MD5
d3d0179021cdbfe0954206dfa9c4df07

SHA1
2dfaa1e746df01de4061b3fc63ac96641f293cda

SHA256
ca4f114eeef53376c592f2e1570f8400f29e3ea569b517c0bda398cdab4cd4eb

SHA512
15cf15c2d1b6d1d5ab2d2093380cacb9ac317db1e677983638c9957c052ce325ec2b6147a4218397c82c0975ac84beb4a996b170b1165f83f3942109c837e571

Download Submit
\Program Files\backup.exe

Filesize
88KB

MD5
d3d0179021cdbfe0954206dfa9c4df07

SHA1
2dfaa1e746df01de4061b3fc63ac96641f293cda

SHA256
ca4f114eeef53376c592f2e1570f8400f29e3ea569b517c0bda398cdab4cd4eb

SHA512
15cf15c2d1b6d1d5ab2d2093380cacb9ac317db1e677983638c9957c052ce325ec2b6147a4218397c82c0975ac84beb4a996b170b1165f83f3942109c837e571

Download Submit
\Users\Admin\AppData\Local\Temp\3566806331\backup.exe

Filesize
88KB

MD5
e5b25b18192c323160b65e647d71d7d0

SHA1
fd97b81d449ab4a4e6e11e3b26780cb8988b736c

SHA256
63af19b1fdff27d115232c2fe125bf89cde732ffc5f2f929c6a0e2d56ead531b

SHA512
39e591b28de2b422adaf48ebc9f531c527b809449a9c13630421288532c6d927ff4bbdd7dd1f8b2cae3024b5f71f8cf3de1ea80858267c921fe895d85455d0fb

Download Submit
\Users\Admin\AppData\Local\Temp\3566806331\backup.exe

Filesize
88KB

MD5
e5b25b18192c323160b65e647d71d7d0

SHA1
fd97b81d449ab4a4e6e11e3b26780cb8988b736c

SHA256
63af19b1fdff27d115232c2fe125bf89cde732ffc5f2f929c6a0e2d56ead531b

SHA512
39e591b28de2b422adaf48ebc9f531c527b809449a9c13630421288532c6d927ff4bbdd7dd1f8b2cae3024b5f71f8cf3de1ea80858267c921fe895d85455d0fb

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
88KB

MD5
3a4a25136c810bc17dddccb646f77f71

SHA1
a3abc9145e723c8f7324bc81c29c0615931a681b

SHA256
3a8f5a087484dddeac4f8ce3361792223dd3ed7c01177f49ef90d4175e87f5a4

SHA512
c52be26b9c5ae9cf396a8e8ba3b49258f8b0edf90014a163cf58a10b167bb8f00b76e8d0141314af602aee586eb5138eb760d47ea7c4bea684f1b51b2867eac0

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
88KB

MD5
3a4a25136c810bc17dddccb646f77f71

SHA1
a3abc9145e723c8f7324bc81c29c0615931a681b

SHA256
3a8f5a087484dddeac4f8ce3361792223dd3ed7c01177f49ef90d4175e87f5a4

SHA512
c52be26b9c5ae9cf396a8e8ba3b49258f8b0edf90014a163cf58a10b167bb8f00b76e8d0141314af602aee586eb5138eb760d47ea7c4bea684f1b51b2867eac0

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
88KB

MD5
3a4a25136c810bc17dddccb646f77f71

SHA1
a3abc9145e723c8f7324bc81c29c0615931a681b

SHA256
3a8f5a087484dddeac4f8ce3361792223dd3ed7c01177f49ef90d4175e87f5a4

SHA512
c52be26b9c5ae9cf396a8e8ba3b49258f8b0edf90014a163cf58a10b167bb8f00b76e8d0141314af602aee586eb5138eb760d47ea7c4bea684f1b51b2867eac0

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
88KB

MD5
3a4a25136c810bc17dddccb646f77f71

SHA1
a3abc9145e723c8f7324bc81c29c0615931a681b

SHA256
3a8f5a087484dddeac4f8ce3361792223dd3ed7c01177f49ef90d4175e87f5a4

SHA512
c52be26b9c5ae9cf396a8e8ba3b49258f8b0edf90014a163cf58a10b167bb8f00b76e8d0141314af602aee586eb5138eb760d47ea7c4bea684f1b51b2867eac0

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
88KB

MD5
3a4a25136c810bc17dddccb646f77f71

SHA1
a3abc9145e723c8f7324bc81c29c0615931a681b

SHA256
3a8f5a087484dddeac4f8ce3361792223dd3ed7c01177f49ef90d4175e87f5a4

SHA512
c52be26b9c5ae9cf396a8e8ba3b49258f8b0edf90014a163cf58a10b167bb8f00b76e8d0141314af602aee586eb5138eb760d47ea7c4bea684f1b51b2867eac0

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
88KB

MD5
3a4a25136c810bc17dddccb646f77f71

SHA1
a3abc9145e723c8f7324bc81c29c0615931a681b

SHA256
3a8f5a087484dddeac4f8ce3361792223dd3ed7c01177f49ef90d4175e87f5a4

SHA512
c52be26b9c5ae9cf396a8e8ba3b49258f8b0edf90014a163cf58a10b167bb8f00b76e8d0141314af602aee586eb5138eb760d47ea7c4bea684f1b51b2867eac0

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
88KB

MD5
3a4a25136c810bc17dddccb646f77f71

SHA1
a3abc9145e723c8f7324bc81c29c0615931a681b

SHA256
3a8f5a087484dddeac4f8ce3361792223dd3ed7c01177f49ef90d4175e87f5a4

SHA512
c52be26b9c5ae9cf396a8e8ba3b49258f8b0edf90014a163cf58a10b167bb8f00b76e8d0141314af602aee586eb5138eb760d47ea7c4bea684f1b51b2867eac0

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
88KB

MD5
3a4a25136c810bc17dddccb646f77f71

SHA1
a3abc9145e723c8f7324bc81c29c0615931a681b

SHA256
3a8f5a087484dddeac4f8ce3361792223dd3ed7c01177f49ef90d4175e87f5a4

SHA512
c52be26b9c5ae9cf396a8e8ba3b49258f8b0edf90014a163cf58a10b167bb8f00b76e8d0141314af602aee586eb5138eb760d47ea7c4bea684f1b51b2867eac0

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
88KB

MD5
3a4a25136c810bc17dddccb646f77f71

SHA1
a3abc9145e723c8f7324bc81c29c0615931a681b

SHA256
3a8f5a087484dddeac4f8ce3361792223dd3ed7c01177f49ef90d4175e87f5a4

SHA512
c52be26b9c5ae9cf396a8e8ba3b49258f8b0edf90014a163cf58a10b167bb8f00b76e8d0141314af602aee586eb5138eb760d47ea7c4bea684f1b51b2867eac0

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
88KB

MD5
3a4a25136c810bc17dddccb646f77f71

SHA1
a3abc9145e723c8f7324bc81c29c0615931a681b

SHA256
3a8f5a087484dddeac4f8ce3361792223dd3ed7c01177f49ef90d4175e87f5a4

SHA512
c52be26b9c5ae9cf396a8e8ba3b49258f8b0edf90014a163cf58a10b167bb8f00b76e8d0141314af602aee586eb5138eb760d47ea7c4bea684f1b51b2867eac0

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
88KB

MD5
3a4a25136c810bc17dddccb646f77f71

SHA1
a3abc9145e723c8f7324bc81c29c0615931a681b

SHA256
3a8f5a087484dddeac4f8ce3361792223dd3ed7c01177f49ef90d4175e87f5a4

SHA512
c52be26b9c5ae9cf396a8e8ba3b49258f8b0edf90014a163cf58a10b167bb8f00b76e8d0141314af602aee586eb5138eb760d47ea7c4bea684f1b51b2867eac0

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
88KB

MD5
3a4a25136c810bc17dddccb646f77f71

SHA1
a3abc9145e723c8f7324bc81c29c0615931a681b

SHA256
3a8f5a087484dddeac4f8ce3361792223dd3ed7c01177f49ef90d4175e87f5a4

SHA512
c52be26b9c5ae9cf396a8e8ba3b49258f8b0edf90014a163cf58a10b167bb8f00b76e8d0141314af602aee586eb5138eb760d47ea7c4bea684f1b51b2867eac0

Download Submit
\Users\backup.exe

Filesize
88KB

MD5
89b3f242e869485ebef48354fadadcd3

SHA1
258332e3f8b62ec293033b6691e2964a8bc35fda

SHA256
7ac8607be409d3af8e63d7d016dae7c8733bf18cd20244ff463c2aa59033d93e

SHA512
65e84de99b48dfae343491f4e9aec8a283bc2b4547d5d1de046d137e39865c5b858cc8a5f2b6f7e10d53e4d6c9333ed4d49ef115eb551a7e0574b3ffe916c704

Download Submit
\Users\backup.exe

Filesize
88KB

MD5
89b3f242e869485ebef48354fadadcd3

SHA1
258332e3f8b62ec293033b6691e2964a8bc35fda

SHA256
7ac8607be409d3af8e63d7d016dae7c8733bf18cd20244ff463c2aa59033d93e

SHA512
65e84de99b48dfae343491f4e9aec8a283bc2b4547d5d1de046d137e39865c5b858cc8a5f2b6f7e10d53e4d6c9333ed4d49ef115eb551a7e0574b3ffe916c704

Download Submit
memory/276-378-0x00000000002A0000-0x00000000002BC000-memory.dmp

Filesize
112KB

Download
memory/276-269-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/276-303-0x00000000002A0000-0x00000000002BC000-memory.dmp

Filesize
112KB

Download
memory/276-304-0x00000000002A0000-0x00000000002BC000-memory.dmp

Filesize
112KB

Download
memory/276-379-0x00000000002A0000-0x00000000002BC000-memory.dmp

Filesize
112KB

Download
memory/584-119-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/684-302-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/772-283-0x0000000000290000-0x00000000002AC000-memory.dmp

Filesize
112KB

Download
memory/772-359-0x0000000000290000-0x00000000002AC000-memory.dmp

Filesize
112KB

Download
memory/772-267-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/816-334-0x0000000000270000-0x000000000028C000-memory.dmp

Filesize
112KB

Download
memory/816-340-0x0000000000270000-0x000000000028C000-memory.dmp

Filesize
112KB

Download
memory/816-376-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1292-316-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1292-281-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1344-363-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1484-387-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1604-337-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1668-170-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1732-171-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1748-259-0x0000000000350000-0x000000000036C000-memory.dmp

Filesize
112KB

Download
memory/1748-219-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1748-388-0x0000000000350000-0x000000000036C000-memory.dmp

Filesize
112KB

Download
memory/1748-268-0x0000000000350000-0x000000000036C000-memory.dmp

Filesize
112KB

Download
memory/1904-220-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2088-103-0x0000000000380000-0x000000000039C000-memory.dmp

Filesize
112KB

Download
memory/2088-183-0x0000000003570000-0x0000000003571000-memory.dmp

Filesize
4KB

Download
memory/2088-39-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2088-45-0x0000000000380000-0x000000000039C000-memory.dmp

Filesize
112KB

Download
memory/2088-0-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2088-218-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2088-152-0x0000000003570000-0x0000000003571000-memory.dmp

Filesize
4KB

Download
memory/2088-33-0x0000000000380000-0x000000000039C000-memory.dmp

Filesize
112KB

Download
memory/2148-127-0x00000000003C0000-0x00000000003DC000-memory.dmp

Filesize
112KB

Download
memory/2148-135-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2200-53-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2216-343-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2252-25-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2320-360-0x0000000000320000-0x000000000033C000-memory.dmp

Filesize
112KB

Download
memory/2320-265-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2320-289-0x0000000000320000-0x000000000033C000-memory.dmp

Filesize
112KB

Download
memory/2320-306-0x0000000000320000-0x000000000033C000-memory.dmp

Filesize
112KB

Download
memory/2508-86-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2592-50-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2652-73-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2696-34-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2696-76-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2696-196-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2744-61-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2780-118-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2860-375-0x0000000000270000-0x000000000028C000-memory.dmp

Filesize
112KB

Download
memory/2860-238-0x0000000000270000-0x000000000028C000-memory.dmp

Filesize
112KB

Download
memory/2860-266-0x0000000000270000-0x000000000028C000-memory.dmp

Filesize
112KB

Download
memory/2860-179-0x0000000000270000-0x000000000028C000-memory.dmp

Filesize
112KB

Download
memory/2860-136-0x0000000000270000-0x000000000028C000-memory.dmp

Filesize
112KB

Download
memory/2860-205-0x0000000000270000-0x000000000028C000-memory.dmp

Filesize
112KB

Download
memory/2860-182-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2924-342-0x00000000002B0000-0x00000000002CC000-memory.dmp

Filesize
112KB

Download
memory/2924-344-0x00000000002B0000-0x00000000002CC000-memory.dmp

Filesize
112KB

Download
memory/2924-390-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2944-208-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2944-264-0x00000000002B0000-0x00000000002CC000-memory.dmp

Filesize
112KB

Download
memory/2944-232-0x00000000002B0000-0x00000000002CC000-memory.dmp

Filesize
112KB

Download
memory/2944-233-0x00000000002B0000-0x00000000002CC000-memory.dmp

Filesize
112KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads