03732afaa2b22140be9bdae111254e450862d9e269f49e00f79ec007e6136bde

Analysis

max time kernel
148s
max time network
136s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
03/11/2023, 11:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.fc1f8b3a6221a03bddafa9ab66050970.exe
Size

168KB
MD5

fc1f8b3a6221a03bddafa9ab66050970
SHA1

13792f08abd3272e35b92a2aa448481b2e4fa4ec
SHA256

03732afaa2b22140be9bdae111254e450862d9e269f49e00f79ec007e6136bde
SHA512

3d12c0e895a913cfee9b81b262342ccd918fb22a48c993f38a3a4cc21d24d31582274112dee275cf213464d91f626938a616eb74567fedba516c048892af3ffd
SSDEEP

1536:9eT7BVwxfvEFwjRbe+X9nw0lRxNm1V2UrEN7gJMVrh:9mVwRKCbe+X5lR302U4kA

Score

10^/10

dropper evasion persistence trojan upx

Malware Config

Signatures

Malware Backdoor - Berbew 64 IoCs

Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.

persistence dropper trojan

resource	yara_rule
behavioral1/memory/2060-0-0x0000000000400000-0x000000000042A000-memory.dmp	family_berbew
behavioral1/files/0x00080000000165f8-5.dat	family_berbew
behavioral1/files/0x00080000000165f8-7.dat	family_berbew
behavioral1/files/0x00080000000165f8-9.dat	family_berbew
behavioral1/memory/1904-13-0x0000000000400000-0x000000000042A000-memory.dmp	family_berbew
behavioral1/files/0x00080000000165f8-12.dat	family_berbew
behavioral1/files/0x0007000000016ba9-23.dat	family_berbew
behavioral1/files/0x0007000000016ba9-19.dat	family_berbew
behavioral1/files/0x0007000000016ba9-17.dat	family_berbew
behavioral1/memory/2404-28-0x0000000000400000-0x000000000042A000-memory.dmp	family_berbew
behavioral1/files/0x0009000000016c34-29.dat	family_berbew
behavioral1/files/0x0009000000016c34-31.dat	family_berbew
behavioral1/files/0x0009000000016c34-35.dat	family_berbew
behavioral1/files/0x0008000000016c25-46.dat	family_berbew
behavioral1/files/0x0008000000016c25-42.dat	family_berbew
behavioral1/memory/2060-41-0x0000000000400000-0x000000000042A000-memory.dmp	family_berbew
behavioral1/files/0x0008000000016c25-39.dat	family_berbew
behavioral1/memory/2060-47-0x0000000000290000-0x00000000002BA000-memory.dmp	family_berbew
behavioral1/files/0x000a000000016ce7-51.dat	family_berbew
behavioral1/memory/2868-57-0x0000000000400000-0x000000000042A000-memory.dmp	family_berbew
behavioral1/memory/1904-58-0x0000000000400000-0x000000000042A000-memory.dmp	family_berbew
behavioral1/files/0x000a000000016ce7-59.dat	family_berbew
behavioral1/files/0x000a000000016ce7-53.dat	family_berbew
behavioral1/memory/2812-63-0x0000000000400000-0x000000000042A000-memory.dmp	family_berbew
behavioral1/files/0x001b00000001626b-64.dat	family_berbew
behavioral1/files/0x001b00000001626b-67.dat	family_berbew
behavioral1/files/0x001b00000001626b-68.dat	family_berbew
behavioral1/files/0x001b00000001626b-69.dat	family_berbew
behavioral1/files/0x001b00000001626b-70.dat	family_berbew
behavioral1/files/0x001b00000001626b-71.dat	family_berbew
behavioral1/memory/2152-72-0x0000000000400000-0x000000000042A000-memory.dmp	family_berbew
behavioral1/memory/628-77-0x0000000000400000-0x000000000042A000-memory.dmp	family_berbew
behavioral1/files/0x0006000000016d01-78.dat	family_berbew
behavioral1/files/0x0006000000016d01-80.dat	family_berbew
behavioral1/files/0x0006000000016d01-84.dat	family_berbew
behavioral1/memory/2728-87-0x0000000000400000-0x000000000042A000-memory.dmp	family_berbew
behavioral1/files/0x00080000000165f8-89.dat	family_berbew
behavioral1/files/0x0006000000016d05-95.dat	family_berbew
behavioral1/files/0x0006000000016d05-98.dat	family_berbew
behavioral1/files/0x0006000000016d26-102.dat	family_berbew
behavioral1/files/0x0006000000016d26-100.dat	family_berbew
behavioral1/files/0x0006000000016d26-106.dat	family_berbew
behavioral1/files/0x0006000000016d26-111.dat	family_berbew
behavioral1/files/0x0006000000016d4d-115.dat	family_berbew
behavioral1/memory/2596-120-0x0000000000430000-0x000000000045A000-memory.dmp	family_berbew
behavioral1/files/0x0006000000016d4d-119.dat	family_berbew
behavioral1/files/0x0006000000016d4d-113.dat	family_berbew
behavioral1/memory/2596-130-0x0000000000400000-0x000000000042A000-memory.dmp	family_berbew
behavioral1/files/0x0007000000016d64-137.dat	family_berbew
behavioral1/memory/3040-138-0x0000000000390000-0x00000000003BA000-memory.dmp	family_berbew
behavioral1/files/0x0007000000016d64-131.dat	family_berbew
behavioral1/memory/3040-139-0x0000000000400000-0x000000000042A000-memory.dmp	family_berbew
behavioral1/files/0x0007000000016d64-133.dat	family_berbew
behavioral1/memory/972-128-0x0000000000400000-0x000000000042A000-memory.dmp	family_berbew
behavioral1/files/0x0007000000016d64-149.dat	family_berbew
behavioral1/files/0x0008000000016d39-151.dat	family_berbew
behavioral1/memory/1164-158-0x0000000002A60000-0x0000000002A8A000-memory.dmp	family_berbew
behavioral1/files/0x0008000000016d39-157.dat	family_berbew
behavioral1/files/0x0008000000016d39-153.dat	family_berbew
behavioral1/files/0x0006000000016d80-165.dat	family_berbew
behavioral1/files/0x0006000000016d80-163.dat	family_berbew
behavioral1/memory/1488-169-0x00000000002E0000-0x000000000030A000-memory.dmp	family_berbew
behavioral1/files/0x0006000000016d80-170.dat	family_berbew
behavioral1/files/0x0008000000016d39-161.dat	family_berbew

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Executes dropped EXE 64 IoCs

pid	Process
1904	backup.exe
2404	backup.exe
2152	backup.exe
2868	backup.exe
2812	data.exe
628	update.exe
2728	backup.exe
3040	backup.exe
2596	backup.exe
972	backup.exe
1164	backup.exe
1488	backup.exe
2016	backup.exe
2940	backup.exe
2428	backup.exe
2372	update.exe
2300	backup.exe
2260	data.exe
1192	backup.exe
1236	backup.exe
1016	backup.exe
1840	backup.exe
2092	backup.exe
2104	backup.exe
1124	backup.exe
1068	backup.exe
2172	backup.exe
1112	backup.exe
2848	backup.exe
2740	backup.exe
2956	backup.exe
2788	backup.exe
2880	backup.exe
2340	backup.exe
3036	backup.exe
1764	backup.exe
2184	backup.exe
1648	backup.exe
1440	backup.exe
1960	backup.exe
1132	backup.exe
1920	backup.exe
772	backup.exe
2308	backup.exe
2836	backup.exe
2912	backup.exe
2824	System Restore.exe
2336	backup.exe
2920	backup.exe
1064	backup.exe
1540	backup.exe
2200	data.exe
2736	backup.exe
1172	backup.exe
1948	backup.exe
2492	backup.exe
1840	backup.exe
1528	backup.exe
828	backup.exe
864	backup.exe
1724	backup.exe
1608	backup.exe
1604	update.exe
2168	backup.exe

Loads dropped DLL 64 IoCs

pid	Process
2060	NEAS.fc1f8b3a6221a03bddafa9ab66050970.exe
2060	NEAS.fc1f8b3a6221a03bddafa9ab66050970.exe
2060	NEAS.fc1f8b3a6221a03bddafa9ab66050970.exe
2060	NEAS.fc1f8b3a6221a03bddafa9ab66050970.exe
2060	NEAS.fc1f8b3a6221a03bddafa9ab66050970.exe
2060	NEAS.fc1f8b3a6221a03bddafa9ab66050970.exe
2060	NEAS.fc1f8b3a6221a03bddafa9ab66050970.exe
2060	NEAS.fc1f8b3a6221a03bddafa9ab66050970.exe
2060	NEAS.fc1f8b3a6221a03bddafa9ab66050970.exe
2060	NEAS.fc1f8b3a6221a03bddafa9ab66050970.exe
2060	NEAS.fc1f8b3a6221a03bddafa9ab66050970.exe
628	update.exe
628	update.exe
628	update.exe
2060	NEAS.fc1f8b3a6221a03bddafa9ab66050970.exe
2060	NEAS.fc1f8b3a6221a03bddafa9ab66050970.exe
3040	backup.exe
3040	backup.exe
2596	backup.exe
2596	backup.exe
3040	backup.exe
3040	backup.exe
1164	backup.exe
1164	backup.exe
1488	backup.exe
1488	backup.exe
1164	backup.exe
1164	backup.exe
3040	backup.exe
3040	backup.exe
2940	backup.exe
2372	update.exe
2372	update.exe
2372	update.exe
2372	update.exe
2428	backup.exe
2372	update.exe
2428	backup.exe
2300	backup.exe
2300	backup.exe
2300	backup.exe
2260	data.exe
2260	data.exe
2372	update.exe
2372	update.exe
1192	backup.exe
1192	backup.exe
1192	backup.exe
1192	backup.exe
1236	backup.exe
1236	backup.exe
1192	backup.exe
1840	backup.exe
1840	backup.exe
1840	backup.exe
1236	backup.exe
1236	backup.exe
1192	backup.exe
1192	backup.exe
2104	backup.exe
2104	backup.exe
2104	backup.exe
1192	backup.exe
1192	backup.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2060-0-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/files/0x00080000000165f8-5.dat	upx
behavioral1/files/0x00080000000165f8-7.dat	upx
behavioral1/files/0x00080000000165f8-9.dat	upx
behavioral1/memory/1904-13-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/files/0x00080000000165f8-12.dat	upx
behavioral1/files/0x0007000000016ba9-23.dat	upx
behavioral1/files/0x0007000000016ba9-19.dat	upx
behavioral1/files/0x0007000000016ba9-17.dat	upx
behavioral1/memory/2404-28-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/files/0x0009000000016c34-29.dat	upx
behavioral1/files/0x0009000000016c34-31.dat	upx
behavioral1/files/0x0009000000016c34-35.dat	upx
behavioral1/files/0x0008000000016c25-46.dat	upx
behavioral1/files/0x0008000000016c25-42.dat	upx
behavioral1/memory/2060-41-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/files/0x0008000000016c25-39.dat	upx
behavioral1/files/0x000a000000016ce7-51.dat	upx
behavioral1/memory/2868-57-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/1904-58-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/files/0x000a000000016ce7-59.dat	upx
behavioral1/files/0x000a000000016ce7-53.dat	upx
behavioral1/memory/2812-63-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/files/0x001b00000001626b-64.dat	upx
behavioral1/files/0x001b00000001626b-67.dat	upx
behavioral1/files/0x001b00000001626b-68.dat	upx
behavioral1/files/0x001b00000001626b-69.dat	upx
behavioral1/files/0x001b00000001626b-70.dat	upx
behavioral1/files/0x001b00000001626b-71.dat	upx
behavioral1/memory/2152-72-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/628-77-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/files/0x0006000000016d01-78.dat	upx
behavioral1/files/0x0006000000016d01-80.dat	upx
behavioral1/files/0x0006000000016d01-84.dat	upx
behavioral1/memory/2728-87-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/files/0x00080000000165f8-89.dat	upx
behavioral1/files/0x0006000000016d05-95.dat	upx
behavioral1/files/0x0006000000016d05-98.dat	upx
behavioral1/files/0x0006000000016d26-102.dat	upx
behavioral1/files/0x0006000000016d26-100.dat	upx
behavioral1/files/0x0006000000016d26-106.dat	upx
behavioral1/files/0x0006000000016d26-111.dat	upx
behavioral1/files/0x0006000000016d4d-115.dat	upx
behavioral1/files/0x0006000000016d4d-119.dat	upx
behavioral1/files/0x0006000000016d4d-113.dat	upx
behavioral1/memory/2596-130-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/files/0x0007000000016d64-137.dat	upx
behavioral1/files/0x0007000000016d64-131.dat	upx
behavioral1/memory/3040-139-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/files/0x0007000000016d64-133.dat	upx
behavioral1/memory/972-128-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/files/0x0007000000016d64-149.dat	upx
behavioral1/files/0x0008000000016d39-151.dat	upx
behavioral1/files/0x0008000000016d39-157.dat	upx
behavioral1/files/0x0008000000016d39-153.dat	upx
behavioral1/files/0x0006000000016d80-165.dat	upx
behavioral1/files/0x0006000000016d80-163.dat	upx
behavioral1/files/0x0006000000016d80-170.dat	upx
behavioral1/files/0x0008000000016d39-161.dat	upx
behavioral1/memory/1488-173-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2016-174-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/3040-176-0x0000000000390000-0x00000000003BA000-memory.dmp	upx
behavioral1/memory/1164-177-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2152-181-0x0000000000400000-0x000000000042A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe	update.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\Lang\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe	update.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\update.exe	update.exe
File opened for modification	C:\Program Files (x86)\Google\Update\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jre7\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\it-IT\data.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Services\System Restore.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\data.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe	backup.exe
File opened for modification	C:\Program Files\MSBuild\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Games\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\backup.exe	backup.exe
File opened for modification	C:\Program Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe	backup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\backup.exe	backup.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2060	NEAS.fc1f8b3a6221a03bddafa9ab66050970.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2060	NEAS.fc1f8b3a6221a03bddafa9ab66050970.exe
1904	backup.exe
2404	backup.exe
2152	backup.exe
2868	backup.exe
2812	data.exe
628	update.exe
2728	backup.exe
3040	backup.exe
2596	backup.exe
972	backup.exe
1164	backup.exe
1488	backup.exe
2016	backup.exe
2940	backup.exe
2428	backup.exe
2372	update.exe
2260	data.exe
2300	backup.exe
1192	backup.exe
1236	backup.exe
1016	backup.exe
1840	backup.exe
2092	backup.exe
2104	backup.exe
1124	backup.exe
1068	backup.exe
2172	backup.exe
1112	backup.exe
2848	backup.exe
2740	backup.exe
2956	backup.exe
2788	backup.exe
2880	backup.exe
3036	backup.exe
2340	backup.exe
2184	backup.exe
1648	backup.exe
1440	backup.exe
1960	backup.exe
1132	backup.exe
1920	backup.exe
772	backup.exe
2836	backup.exe
2308	backup.exe
2824	System Restore.exe
2912	backup.exe
2736	backup.exe
1540	backup.exe
2920	backup.exe
2336	backup.exe
1840	backup.exe
1948	backup.exe
1064	backup.exe
1528	backup.exe
2168	backup.exe
1604	update.exe
1724	backup.exe
2768	backup.exe
2492	backup.exe
1172	backup.exe
3036	backup.exe
2956	data.exe
3048	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2060 wrote to memory of 1904	2060	NEAS.fc1f8b3a6221a03bddafa9ab66050970.exe	28
PID 2060 wrote to memory of 1904	2060	NEAS.fc1f8b3a6221a03bddafa9ab66050970.exe	28
PID 2060 wrote to memory of 1904	2060	NEAS.fc1f8b3a6221a03bddafa9ab66050970.exe	28
PID 2060 wrote to memory of 1904	2060	NEAS.fc1f8b3a6221a03bddafa9ab66050970.exe	28
PID 2060 wrote to memory of 2404	2060	NEAS.fc1f8b3a6221a03bddafa9ab66050970.exe	29
PID 2060 wrote to memory of 2404	2060	NEAS.fc1f8b3a6221a03bddafa9ab66050970.exe	29
PID 2060 wrote to memory of 2404	2060	NEAS.fc1f8b3a6221a03bddafa9ab66050970.exe	29
PID 2060 wrote to memory of 2404	2060	NEAS.fc1f8b3a6221a03bddafa9ab66050970.exe	29
PID 2060 wrote to memory of 2152	2060	NEAS.fc1f8b3a6221a03bddafa9ab66050970.exe	30
PID 2060 wrote to memory of 2152	2060	NEAS.fc1f8b3a6221a03bddafa9ab66050970.exe	30
PID 2060 wrote to memory of 2152	2060	NEAS.fc1f8b3a6221a03bddafa9ab66050970.exe	30
PID 2060 wrote to memory of 2152	2060	NEAS.fc1f8b3a6221a03bddafa9ab66050970.exe	30
PID 2060 wrote to memory of 2868	2060	NEAS.fc1f8b3a6221a03bddafa9ab66050970.exe	31
PID 2060 wrote to memory of 2868	2060	NEAS.fc1f8b3a6221a03bddafa9ab66050970.exe	31
PID 2060 wrote to memory of 2868	2060	NEAS.fc1f8b3a6221a03bddafa9ab66050970.exe	31
PID 2060 wrote to memory of 2868	2060	NEAS.fc1f8b3a6221a03bddafa9ab66050970.exe	31
PID 2060 wrote to memory of 2812	2060	NEAS.fc1f8b3a6221a03bddafa9ab66050970.exe	32
PID 2060 wrote to memory of 2812	2060	NEAS.fc1f8b3a6221a03bddafa9ab66050970.exe	32
PID 2060 wrote to memory of 2812	2060	NEAS.fc1f8b3a6221a03bddafa9ab66050970.exe	32
PID 2060 wrote to memory of 2812	2060	NEAS.fc1f8b3a6221a03bddafa9ab66050970.exe	32
PID 2060 wrote to memory of 628	2060	NEAS.fc1f8b3a6221a03bddafa9ab66050970.exe	33
PID 2060 wrote to memory of 628	2060	NEAS.fc1f8b3a6221a03bddafa9ab66050970.exe	33
PID 2060 wrote to memory of 628	2060	NEAS.fc1f8b3a6221a03bddafa9ab66050970.exe	33
PID 2060 wrote to memory of 628	2060	NEAS.fc1f8b3a6221a03bddafa9ab66050970.exe	33
PID 2060 wrote to memory of 628	2060	NEAS.fc1f8b3a6221a03bddafa9ab66050970.exe	33
PID 2060 wrote to memory of 628	2060	NEAS.fc1f8b3a6221a03bddafa9ab66050970.exe	33
PID 2060 wrote to memory of 628	2060	NEAS.fc1f8b3a6221a03bddafa9ab66050970.exe	33
PID 2060 wrote to memory of 2728	2060	NEAS.fc1f8b3a6221a03bddafa9ab66050970.exe	34
PID 2060 wrote to memory of 2728	2060	NEAS.fc1f8b3a6221a03bddafa9ab66050970.exe	34
PID 2060 wrote to memory of 2728	2060	NEAS.fc1f8b3a6221a03bddafa9ab66050970.exe	34
PID 2060 wrote to memory of 2728	2060	NEAS.fc1f8b3a6221a03bddafa9ab66050970.exe	34
PID 1904 wrote to memory of 3040	1904	backup.exe	35
PID 1904 wrote to memory of 3040	1904	backup.exe	35
PID 1904 wrote to memory of 3040	1904	backup.exe	35
PID 1904 wrote to memory of 3040	1904	backup.exe	35
PID 3040 wrote to memory of 2596	3040	backup.exe	36
PID 3040 wrote to memory of 2596	3040	backup.exe	36
PID 3040 wrote to memory of 2596	3040	backup.exe	36
PID 3040 wrote to memory of 2596	3040	backup.exe	36
PID 2596 wrote to memory of 972	2596	backup.exe	37
PID 2596 wrote to memory of 972	2596	backup.exe	37
PID 2596 wrote to memory of 972	2596	backup.exe	37
PID 2596 wrote to memory of 972	2596	backup.exe	37
PID 3040 wrote to memory of 1164	3040	backup.exe	38
PID 3040 wrote to memory of 1164	3040	backup.exe	38
PID 3040 wrote to memory of 1164	3040	backup.exe	38
PID 3040 wrote to memory of 1164	3040	backup.exe	38
PID 1164 wrote to memory of 1488	1164	backup.exe	39
PID 1164 wrote to memory of 1488	1164	backup.exe	39
PID 1164 wrote to memory of 1488	1164	backup.exe	39
PID 1164 wrote to memory of 1488	1164	backup.exe	39
PID 1488 wrote to memory of 2016	1488	backup.exe	40
PID 1488 wrote to memory of 2016	1488	backup.exe	40
PID 1488 wrote to memory of 2016	1488	backup.exe	40
PID 1488 wrote to memory of 2016	1488	backup.exe	40
PID 1164 wrote to memory of 2940	1164	backup.exe	41
PID 1164 wrote to memory of 2940	1164	backup.exe	41
PID 1164 wrote to memory of 2940	1164	backup.exe	41
PID 1164 wrote to memory of 2940	1164	backup.exe	41
PID 3040 wrote to memory of 2428	3040	backup.exe	42
PID 3040 wrote to memory of 2428	3040	backup.exe	42
PID 3040 wrote to memory of 2428	3040	backup.exe	42
PID 3040 wrote to memory of 2428	3040	backup.exe	42
PID 2940 wrote to memory of 2372	2940	backup.exe	43

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	NEAS.fc1f8b3a6221a03bddafa9ab66050970.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.fc1f8b3a6221a03bddafa9ab66050970.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.fc1f8b3a6221a03bddafa9ab66050970.exe"
1⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2060
- C:\Users\Admin\AppData\Local\Temp\2163887246\backup.exe
  C:\Users\Admin\AppData\Local\Temp\2163887246\backup.exe C:\Users\Admin\AppData\Local\Temp\2163887246\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1904
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:3040
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2596
    - - C:\PerfLogs\Admin\backup.exe
        
        C:\PerfLogs\Admin\backup.exe C:\PerfLogs\Admin\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:972
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1164
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1488
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2016
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2940
      - C:\Program Files\Common Files\Microsoft Shared\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\update.exe" C:\Program Files\Common Files\Microsoft Shared\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2372
        
        C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2300
        
        C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1192
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1840
        
        C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2104
        
        C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1124
        
        C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2172
        
        C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2848
        
        C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2956
        
        C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2880
        
        C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2340
        
        C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2184
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1648
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1440
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1132
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2336
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1604
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\
        9⤵
        Modifies visibility of file extensions in Explorer
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3048
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\
        9⤵
        
        PID:1672
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\
        9⤵
        
        PID:320
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\
        9⤵
        
        PID:572
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\
        9⤵
        
        PID:2980
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\
        9⤵
        
        PID:2276
        
        C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2836
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\
        8⤵
        Executes dropped EXE
        
        PID:828
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\
        8⤵
        Modifies visibility of file extensions in Explorer
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2768
        
        C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1908
        
        C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\
        8⤵
        
        PID:2312
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\
        8⤵
        
        PID:2720
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1108
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\
        8⤵
        
        PID:888
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\
        8⤵
        
        PID:1120
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:772
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1540
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2492
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2892
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2148
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\
        8⤵
        
        PID:1016
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\
        8⤵
        
        PID:672
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
        7⤵
        Executes dropped EXE
        
        PID:864
        
        C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
        7⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1760
        
        C:\Program Files\Common Files\Microsoft Shared\Stationery\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Stationery\update.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\
        7⤵
        
        PID:1560
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\update.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\
        7⤵
        
        PID:1268
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\
        8⤵
        
        PID:2932
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\
        7⤵
        
        PID:2008
        
        C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VC\
        7⤵
        
        PID:3008
        
        C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VGX\
        7⤵
        
        PID:2352
      - C:\Program Files\Common Files\Services\System Restore.exe
        
        "C:\Program Files\Common Files\Services\System Restore.exe" C:\Program Files\Common Files\Services\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2824
      - C:\Program Files\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\backup.exe" C:\Program Files\Common Files\SpeechEngines\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1172
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        
        PID:2692
    - - C:\Program Files\DVD Maker\backup.exe
        
        "C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1960
      - C:\Program Files\DVD Maker\de-DE\backup.exe
        
        "C:\Program Files\DVD Maker\de-DE\backup.exe" C:\Program Files\DVD Maker\de-DE\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2736
      - C:\Program Files\DVD Maker\en-US\backup.exe
        
        "C:\Program Files\DVD Maker\en-US\backup.exe" C:\Program Files\DVD Maker\en-US\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1840
      - C:\Program Files\DVD Maker\es-ES\backup.exe
        
        "C:\Program Files\DVD Maker\es-ES\backup.exe" C:\Program Files\DVD Maker\es-ES\
        6⤵
        
        PID:2724
      - C:\Program Files\DVD Maker\fr-FR\backup.exe
        
        "C:\Program Files\DVD Maker\fr-FR\backup.exe" C:\Program Files\DVD Maker\fr-FR\
        6⤵
        
        PID:2456
      - C:\Program Files\DVD Maker\it-IT\data.exe
        
        "C:\Program Files\DVD Maker\it-IT\data.exe" C:\Program Files\DVD Maker\it-IT\
        6⤵
        
        PID:2632
      - C:\Program Files\DVD Maker\ja-JP\System Restore.exe
        
        "C:\Program Files\DVD Maker\ja-JP\System Restore.exe" C:\Program Files\DVD Maker\ja-JP\
        6⤵
        
        PID:1620
      - C:\Program Files\DVD Maker\Shared\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\backup.exe" C:\Program Files\DVD Maker\Shared\
        6⤵
        
        PID:2796
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2912
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        Executes dropped EXE
        
        PID:1608
    - - C:\Program Files\Java\data.exe
        
        "C:\Program Files\Java\data.exe" C:\Program Files\Java\
        5⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2956
      - C:\Program Files\Java\jdk1.7.0_80\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\backup.exe" C:\Program Files\Java\jdk1.7.0_80\
        6⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:2332
        
        C:\Program Files\Java\jdk1.7.0_80\bin\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\bin\backup.exe" C:\Program Files\Java\jdk1.7.0_80\bin\
        7⤵
        
        PID:2736
        
        C:\Program Files\Java\jdk1.7.0_80\db\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\db\backup.exe" C:\Program Files\Java\jdk1.7.0_80\db\
        7⤵
        
        PID:2184
      - C:\Program Files\Java\jre7\backup.exe
        
        "C:\Program Files\Java\jre7\backup.exe" C:\Program Files\Java\jre7\
        6⤵
        
        PID:2348
    - - C:\Program Files\Microsoft Games\backup.exe
        
        "C:\Program Files\Microsoft Games\backup.exe" C:\Program Files\Microsoft Games\
        5⤵
        
        PID:1972
    - - C:\Program Files\Microsoft Office\backup.exe
        
        "C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
        5⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:2264
      - C:\Program Files\Microsoft Office\Office14\backup.exe
        
        "C:\Program Files\Microsoft Office\Office14\backup.exe" C:\Program Files\Microsoft Office\Office14\
        6⤵
        
        PID:1204
    - - C:\Program Files\Mozilla Firefox\backup.exe
        
        "C:\Program Files\Mozilla Firefox\backup.exe" C:\Program Files\Mozilla Firefox\
        5⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:2840
      - C:\Program Files\Mozilla Firefox\browser\backup.exe
        
        "C:\Program Files\Mozilla Firefox\browser\backup.exe" C:\Program Files\Mozilla Firefox\browser\
        6⤵
        
        PID:1540
      - C:\Program Files\Mozilla Firefox\defaults\backup.exe
        
        "C:\Program Files\Mozilla Firefox\defaults\backup.exe" C:\Program Files\Mozilla Firefox\defaults\
        6⤵
        
        PID:1908
    - - C:\Program Files\MSBuild\backup.exe
        
        "C:\Program Files\MSBuild\backup.exe" C:\Program Files\MSBuild\
        5⤵
        
        PID:1976
    - - C:\Program Files\Reference Assemblies\data.exe
        
        "C:\Program Files\Reference Assemblies\data.exe" C:\Program Files\Reference Assemblies\
        5⤵
        
        PID:2164
    - - C:\Program Files\VideoLAN\backup.exe
        
        "C:\Program Files\VideoLAN\backup.exe" C:\Program Files\VideoLAN\
        5⤵
        
        PID:1940
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:2428
    - - C:\Program Files (x86)\Adobe\data.exe
        
        "C:\Program Files (x86)\Adobe\data.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2260
      - C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1236
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1016
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2092
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1068
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1112
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2740
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\
        8⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2788
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3036
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\
        8⤵
        Executes dropped EXE
        
        PID:1764
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1064
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\
        8⤵
        
        PID:1600
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\
        8⤵
        
        PID:2032
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2288
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\
        9⤵
        
        PID:1444
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\data.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\data.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2244
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\data.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\data.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\
        8⤵
        
        PID:1768
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1920
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\data.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\data.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\
        8⤵
        Executes dropped EXE
        
        PID:2200
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2168
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\
        8⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3036
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\
        9⤵
        
        PID:2460
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\
        9⤵
        
        PID:2860
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2528
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\
        8⤵
        
        PID:2904
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1528
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\
        8⤵
        
        PID:996
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2308
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1724
      - C:\Program Files (x86)\Google\CrashReports\backup.exe
        
        "C:\Program Files (x86)\Google\CrashReports\backup.exe" C:\Program Files (x86)\Google\CrashReports\
        6⤵
        
        PID:1456
      - C:\Program Files (x86)\Google\Temp\backup.exe
        
        "C:\Program Files (x86)\Google\Temp\backup.exe" C:\Program Files (x86)\Google\Temp\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2712
      - C:\Program Files (x86)\Google\Update\backup.exe
        
        "C:\Program Files (x86)\Google\Update\backup.exe" C:\Program Files (x86)\Google\Update\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2944
        
        C:\Program Files (x86)\Google\Update\1.3.36.151\backup.exe
        
        "C:\Program Files (x86)\Google\Update\1.3.36.151\backup.exe" C:\Program Files (x86)\Google\Update\1.3.36.151\
        7⤵
        
        PID:2676
        
        C:\Program Files (x86)\Google\Update\Download\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Download\backup.exe" C:\Program Files (x86)\Google\Update\Download\
        7⤵
        
        PID:2204
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        
        PID:2780
    - - C:\Program Files (x86)\Microsoft Analysis Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\
        5⤵
        
        PID:2928
    - - C:\Program Files (x86)\Microsoft Office\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\backup.exe" C:\Program Files (x86)\Microsoft Office\
        5⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1580
      - C:\Program Files (x86)\Microsoft Office\CLIPART\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\CLIPART\backup.exe" C:\Program Files (x86)\Microsoft Office\CLIPART\
        6⤵
        
        PID:868
      - C:\Program Files (x86)\Microsoft Office\Document Themes 14\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Document Themes 14\backup.exe" C:\Program Files (x86)\Microsoft Office\Document Themes 14\
        6⤵
        
        PID:2536
    - - C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\
        5⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1392
      - C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\backup.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\backup.exe" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\
        6⤵
        
        PID:564
    - - C:\Program Files (x86)\Microsoft Sync Framework\backup.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\backup.exe" C:\Program Files (x86)\Microsoft Sync Framework\
        5⤵
        
        PID:2060
    - - C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe" C:\Program Files (x86)\Microsoft Synchronization Services\
        5⤵
        
        PID:284
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:2920
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1948
      - C:\Users\Admin\Contacts\backup.exe
        
        C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
        6⤵
        
        PID:2776
      - C:\Users\Admin\Desktop\backup.exe
        
        C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2272
      - C:\Users\Admin\Documents\backup.exe
        
        C:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\
        6⤵
        
        PID:1708
      - C:\Users\Admin\Downloads\backup.exe
        
        C:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1084
      - C:\Users\Admin\Favorites\backup.exe
        
        C:\Users\Admin\Favorites\backup.exe C:\Users\Admin\Favorites\
        6⤵
        
        PID:1832
      - C:\Users\Admin\Links\backup.exe
        
        C:\Users\Admin\Links\backup.exe C:\Users\Admin\Links\
        6⤵
        
        PID:240
    - - C:\Users\Public\backup.exe
        
        C:\Users\Public\backup.exe C:\Users\Public\
        5⤵
        
        PID:2516
      - C:\Users\Public\Documents\backup.exe
        
        C:\Users\Public\Documents\backup.exe C:\Users\Public\Documents\
        6⤵
        
        PID:2268
      - C:\Users\Public\Downloads\backup.exe
        
        C:\Users\Public\Downloads\backup.exe C:\Users\Public\Downloads\
        6⤵
        
        PID:1116
      - C:\Users\Public\Music\backup.exe
        
        C:\Users\Public\Music\backup.exe C:\Users\Public\Music\
        6⤵
        
        PID:2036
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      PID:2180
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2404
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2152
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2868
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\data.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\data.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2812
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\update.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\update.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:628
- C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
  C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\backup.exe

Filesize
168KB

MD5
f2010dd614855cb0b77e10cdc8c187af

SHA1
06ac324cee608ded0af0411f86723916aa5d6bb2

SHA256
017033b3fc21ed2199dad57aee9f655c486a024c2a455e564afca7fcb01c9a9d

SHA512
1768378537358d63967ea5042befedac02c2dc612a3e7373873ea6f2d076ba40aa77195519038ca98ba65a7384a10a33ee9a11cd6790443978e2963a8c8468e0

Download Submit
C:\PerfLogs\backup.exe

Filesize
168KB

MD5
5196898f1623615b1dbcab484e84c19a

SHA1
acb67ae5b286399d3d0ce9594bc9b6d99064c9dc

SHA256
221bc7343ac8f8179dd4e105e38bd7509916f1ebe7a4d95f279ca701cb948040

SHA512
0c114fa99447f07c158f0f42763f4b389f97a481954bdebc0ea3be2ec447504f3a7bcf2fc2a30941bfa2841d2fe5dfb7a9daba951279796fb33ed26a14d876f7

Download Submit
C:\PerfLogs\backup.exe

Filesize
168KB

MD5
5196898f1623615b1dbcab484e84c19a

SHA1
acb67ae5b286399d3d0ce9594bc9b6d99064c9dc

SHA256
221bc7343ac8f8179dd4e105e38bd7509916f1ebe7a4d95f279ca701cb948040

SHA512
0c114fa99447f07c158f0f42763f4b389f97a481954bdebc0ea3be2ec447504f3a7bcf2fc2a30941bfa2841d2fe5dfb7a9daba951279796fb33ed26a14d876f7

Download Submit
C:\Program Files (x86)\backup.exe

Filesize
168KB

MD5
594b3d281d765f3342beb286dd1b05ef

SHA1
d839bcecf4b90c24bb02d77fbab8bd49b33ec9a9

SHA256
cf851be96e5629f8f596a5f1145440c600acaae3a01a2de233330f6cf0da0820

SHA512
90189b907c98f14a22ffa6d1efd4b2fff5e754d66da1fb4664fb8d2e577cb26e67354ab27d4c515eb9752ce4311bdb7233c765bfd734c315ed1982023d4e5ca9

Download Submit
C:\Program Files (x86)\backup.exe

Filesize
168KB

MD5
594b3d281d765f3342beb286dd1b05ef

SHA1
d839bcecf4b90c24bb02d77fbab8bd49b33ec9a9

SHA256
cf851be96e5629f8f596a5f1145440c600acaae3a01a2de233330f6cf0da0820

SHA512
90189b907c98f14a22ffa6d1efd4b2fff5e754d66da1fb4664fb8d2e577cb26e67354ab27d4c515eb9752ce4311bdb7233c765bfd734c315ed1982023d4e5ca9

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
168KB

MD5
a2ad66071e436ba8bcf214985de2bd9c

SHA1
d4329307cbb4741e4870b4c0b65be9d13911eed0

SHA256
c5acd63f154f63af3ae3b3ca7ba040715991fa37c338788a0a755457b03a3119

SHA512
d0629d13f5faf5ac4c4308db44e575d2d84a14189610ce5a807cd0d2ef84b0078b54a3694bc28e39a832040c0ab43690bc741d1d8138c4265b65a586f967cb31

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
168KB

MD5
f2010dd614855cb0b77e10cdc8c187af

SHA1
06ac324cee608ded0af0411f86723916aa5d6bb2

SHA256
017033b3fc21ed2199dad57aee9f655c486a024c2a455e564afca7fcb01c9a9d

SHA512
1768378537358d63967ea5042befedac02c2dc612a3e7373873ea6f2d076ba40aa77195519038ca98ba65a7384a10a33ee9a11cd6790443978e2963a8c8468e0

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
168KB

MD5
f2010dd614855cb0b77e10cdc8c187af

SHA1
06ac324cee608ded0af0411f86723916aa5d6bb2

SHA256
017033b3fc21ed2199dad57aee9f655c486a024c2a455e564afca7fcb01c9a9d

SHA512
1768378537358d63967ea5042befedac02c2dc612a3e7373873ea6f2d076ba40aa77195519038ca98ba65a7384a10a33ee9a11cd6790443978e2963a8c8468e0

Download Submit
C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
168KB

MD5
c1c1c127700ffbc267f14a9c0a0b329b

SHA1
53f6fb9a1d1ccf145561bdc971542efea1b50a6b

SHA256
f7649b818c27c5c6673045689e49448bd8ff78fe0db8cce71f83aae22792e49e

SHA512
61597384f0a974fc654d9cc7df1215b07bcf1e466db6d8a3f0731b10ec8a45339c54bd20f0c5c92dd1fcfe279d0308d365dcf2824ce7ef01e8b524fdb76bb01f

Download Submit
C:\Program Files\Common Files\Microsoft Shared\update.exe

Filesize
168KB

MD5
cfb95321bce5e92968350bb2bf8b2b74

SHA1
125cf5fb42b45992cdd96da62a629c3615493daa

SHA256
3c89eb899c1585e5693250cb32602395845fb5de9b2b348b30513e3473e8710d

SHA512
ce2d1649cdf3d5466de970bfd12767d968d726ed706038a7c20051414e33187247cff06411ee31aaa01110a8f06977bee85c5b84ee94f097beb3cba788e481a0

Download Submit
C:\Program Files\Common Files\Microsoft Shared\update.exe

Filesize
168KB

MD5
cfb95321bce5e92968350bb2bf8b2b74

SHA1
125cf5fb42b45992cdd96da62a629c3615493daa

SHA256
3c89eb899c1585e5693250cb32602395845fb5de9b2b348b30513e3473e8710d

SHA512
ce2d1649cdf3d5466de970bfd12767d968d726ed706038a7c20051414e33187247cff06411ee31aaa01110a8f06977bee85c5b84ee94f097beb3cba788e481a0

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
168KB

MD5
488112f054c444b2d1151b03ab69ed5e

SHA1
cc611752cd4d3746b1efb94a6d246cee983da8ab

SHA256
dce1838f23177a623b839720a1e2687258b4d296358171ec752dd100840d1a35

SHA512
ba645f424236a4c30d014d4c8782e30c9e0f3b64b0728947e7ae5f6bec0dbb76a58dc9b851eadd9f52e6192c8b5263b027b6236906191e81cbec24352f0491ba

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
168KB

MD5
488112f054c444b2d1151b03ab69ed5e

SHA1
cc611752cd4d3746b1efb94a6d246cee983da8ab

SHA256
dce1838f23177a623b839720a1e2687258b4d296358171ec752dd100840d1a35

SHA512
ba645f424236a4c30d014d4c8782e30c9e0f3b64b0728947e7ae5f6bec0dbb76a58dc9b851eadd9f52e6192c8b5263b027b6236906191e81cbec24352f0491ba

Download Submit
C:\Program Files\backup.exe

Filesize
168KB

MD5
5196898f1623615b1dbcab484e84c19a

SHA1
acb67ae5b286399d3d0ce9594bc9b6d99064c9dc

SHA256
221bc7343ac8f8179dd4e105e38bd7509916f1ebe7a4d95f279ca701cb948040

SHA512
0c114fa99447f07c158f0f42763f4b389f97a481954bdebc0ea3be2ec447504f3a7bcf2fc2a30941bfa2841d2fe5dfb7a9daba951279796fb33ed26a14d876f7

Download Submit
C:\Program Files\backup.exe

Filesize
168KB

MD5
5196898f1623615b1dbcab484e84c19a

SHA1
acb67ae5b286399d3d0ce9594bc9b6d99064c9dc

SHA256
221bc7343ac8f8179dd4e105e38bd7509916f1ebe7a4d95f279ca701cb948040

SHA512
0c114fa99447f07c158f0f42763f4b389f97a481954bdebc0ea3be2ec447504f3a7bcf2fc2a30941bfa2841d2fe5dfb7a9daba951279796fb33ed26a14d876f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\2163887246\backup.exe

Filesize
168KB

MD5
fd91286242a75b17f24fceb1f4e2422d

SHA1
f200ffb9a9c0bf49c1a391f1098eb6089243a110

SHA256
5eb791f13113234fc06204010b9328659a6518240508d2136d97ff620acc6fc2

SHA512
e397d440b552aab5a95579f014f277a117cacc70c8be7024d32ba978b4845f899ec0b840b8d5379cdb5716846146a36b3a8335a62c72a3e2e18d01201803fc0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\2163887246\backup.exe

Filesize
168KB

MD5
fd91286242a75b17f24fceb1f4e2422d

SHA1
f200ffb9a9c0bf49c1a391f1098eb6089243a110

SHA256
5eb791f13113234fc06204010b9328659a6518240508d2136d97ff620acc6fc2

SHA512
e397d440b552aab5a95579f014f277a117cacc70c8be7024d32ba978b4845f899ec0b840b8d5379cdb5716846146a36b3a8335a62c72a3e2e18d01201803fc0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\2163887246\backup.exe

Filesize
168KB

MD5
fd91286242a75b17f24fceb1f4e2422d

SHA1
f200ffb9a9c0bf49c1a391f1098eb6089243a110

SHA256
5eb791f13113234fc06204010b9328659a6518240508d2136d97ff620acc6fc2

SHA512
e397d440b552aab5a95579f014f277a117cacc70c8be7024d32ba978b4845f899ec0b840b8d5379cdb5716846146a36b3a8335a62c72a3e2e18d01201803fc0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
168KB

MD5
6ccd6b2fa063b21b72d98133084742b2

SHA1
e797f4fffbfe4662b5c90e7c2d60cfdcc3e491f9

SHA256
3cc261512e1ce331ecf43fd08b1faaef037f80387ab6505457895200f904ac09

SHA512
a975705cf70829b9898133fa7295010e79d6f5ce35ce25fa94f9920f0da679c9cce1cb79e8c06f5159b6cfa1a977ad3f0133ac3a2c4d6cb62e23706ba88a087e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
168KB

MD5
6ccd6b2fa063b21b72d98133084742b2

SHA1
e797f4fffbfe4662b5c90e7c2d60cfdcc3e491f9

SHA256
3cc261512e1ce331ecf43fd08b1faaef037f80387ab6505457895200f904ac09

SHA512
a975705cf70829b9898133fa7295010e79d6f5ce35ce25fa94f9920f0da679c9cce1cb79e8c06f5159b6cfa1a977ad3f0133ac3a2c4d6cb62e23706ba88a087e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\data.exe

Filesize
168KB

MD5
6ccd6b2fa063b21b72d98133084742b2

SHA1
e797f4fffbfe4662b5c90e7c2d60cfdcc3e491f9

SHA256
3cc261512e1ce331ecf43fd08b1faaef037f80387ab6505457895200f904ac09

SHA512
a975705cf70829b9898133fa7295010e79d6f5ce35ce25fa94f9920f0da679c9cce1cb79e8c06f5159b6cfa1a977ad3f0133ac3a2c4d6cb62e23706ba88a087e

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
168KB

MD5
6ccd6b2fa063b21b72d98133084742b2

SHA1
e797f4fffbfe4662b5c90e7c2d60cfdcc3e491f9

SHA256
3cc261512e1ce331ecf43fd08b1faaef037f80387ab6505457895200f904ac09

SHA512
a975705cf70829b9898133fa7295010e79d6f5ce35ce25fa94f9920f0da679c9cce1cb79e8c06f5159b6cfa1a977ad3f0133ac3a2c4d6cb62e23706ba88a087e

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
168KB

MD5
6ccd6b2fa063b21b72d98133084742b2

SHA1
e797f4fffbfe4662b5c90e7c2d60cfdcc3e491f9

SHA256
3cc261512e1ce331ecf43fd08b1faaef037f80387ab6505457895200f904ac09

SHA512
a975705cf70829b9898133fa7295010e79d6f5ce35ce25fa94f9920f0da679c9cce1cb79e8c06f5159b6cfa1a977ad3f0133ac3a2c4d6cb62e23706ba88a087e

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\update.exe

Filesize
168KB

MD5
6ccd6b2fa063b21b72d98133084742b2

SHA1
e797f4fffbfe4662b5c90e7c2d60cfdcc3e491f9

SHA256
3cc261512e1ce331ecf43fd08b1faaef037f80387ab6505457895200f904ac09

SHA512
a975705cf70829b9898133fa7295010e79d6f5ce35ce25fa94f9920f0da679c9cce1cb79e8c06f5159b6cfa1a977ad3f0133ac3a2c4d6cb62e23706ba88a087e

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\update.exe

Filesize
168KB

MD5
6ccd6b2fa063b21b72d98133084742b2

SHA1
e797f4fffbfe4662b5c90e7c2d60cfdcc3e491f9

SHA256
3cc261512e1ce331ecf43fd08b1faaef037f80387ab6505457895200f904ac09

SHA512
a975705cf70829b9898133fa7295010e79d6f5ce35ce25fa94f9920f0da679c9cce1cb79e8c06f5159b6cfa1a977ad3f0133ac3a2c4d6cb62e23706ba88a087e

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.zip

Filesize
48KB

MD5
d0bf9deb07204ff923d568d6263928bb

SHA1
a9d05af2faec6f6eadd8fe2516c5236936dd982a

SHA256
6a2a2837707d35fbb0e5fadb13b805a0a71d4a698bb8363e6bee4c1e2df267d8

SHA512
6414d4dc7e078c64568dd2c19072d8d1af68f4c60d52c3bed646960919c89af8f593840a356022b180a7c77abc2a44085b382b6e077ddba77cbd7a447e677ae5

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.zip

Filesize
22B

MD5
76cdb2bad9582d23c1f6f4d868218d6c

SHA1
b04f3ee8f5e43fa3b162981b50bb72fe1acabb33

SHA256
8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85

SHA512
5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

Download Submit
C:\backup.exe

Filesize
168KB

MD5
fc855664b087e5474f480fc8ebdb0b4c

SHA1
c6a29d19dca87546da3c94d05586dfcc62aa52a8

SHA256
0cb868b037cfd2d606acec9bcd7f4259f2148a79a2b66a3fc7510e68ca33da37

SHA512
46f466b69661babefca4ede03dc15232a273b19060afa425d49eda1399eb71e8c47ce99206f0e671e65a0d7bcba05fdee759cdd661b988368958e9e5fc3fad63

Download Submit
C:\backup.exe

Filesize
168KB

MD5
fc855664b087e5474f480fc8ebdb0b4c

SHA1
c6a29d19dca87546da3c94d05586dfcc62aa52a8

SHA256
0cb868b037cfd2d606acec9bcd7f4259f2148a79a2b66a3fc7510e68ca33da37

SHA512
46f466b69661babefca4ede03dc15232a273b19060afa425d49eda1399eb71e8c47ce99206f0e671e65a0d7bcba05fdee759cdd661b988368958e9e5fc3fad63

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
168KB

MD5
f2010dd614855cb0b77e10cdc8c187af

SHA1
06ac324cee608ded0af0411f86723916aa5d6bb2

SHA256
017033b3fc21ed2199dad57aee9f655c486a024c2a455e564afca7fcb01c9a9d

SHA512
1768378537358d63967ea5042befedac02c2dc612a3e7373873ea6f2d076ba40aa77195519038ca98ba65a7384a10a33ee9a11cd6790443978e2963a8c8468e0

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
168KB

MD5
f2010dd614855cb0b77e10cdc8c187af

SHA1
06ac324cee608ded0af0411f86723916aa5d6bb2

SHA256
017033b3fc21ed2199dad57aee9f655c486a024c2a455e564afca7fcb01c9a9d

SHA512
1768378537358d63967ea5042befedac02c2dc612a3e7373873ea6f2d076ba40aa77195519038ca98ba65a7384a10a33ee9a11cd6790443978e2963a8c8468e0

Download Submit
\PerfLogs\backup.exe

Filesize
168KB

MD5
5196898f1623615b1dbcab484e84c19a

SHA1
acb67ae5b286399d3d0ce9594bc9b6d99064c9dc

SHA256
221bc7343ac8f8179dd4e105e38bd7509916f1ebe7a4d95f279ca701cb948040

SHA512
0c114fa99447f07c158f0f42763f4b389f97a481954bdebc0ea3be2ec447504f3a7bcf2fc2a30941bfa2841d2fe5dfb7a9daba951279796fb33ed26a14d876f7

Download Submit
\PerfLogs\backup.exe

Filesize
168KB

MD5
5196898f1623615b1dbcab484e84c19a

SHA1
acb67ae5b286399d3d0ce9594bc9b6d99064c9dc

SHA256
221bc7343ac8f8179dd4e105e38bd7509916f1ebe7a4d95f279ca701cb948040

SHA512
0c114fa99447f07c158f0f42763f4b389f97a481954bdebc0ea3be2ec447504f3a7bcf2fc2a30941bfa2841d2fe5dfb7a9daba951279796fb33ed26a14d876f7

Download Submit
\Program Files (x86)\Adobe\data.exe

Filesize
168KB

MD5
024048cc1a3507c6cb616c144d9482ce

SHA1
1e4ecf2d14274ddb56be27c34cbba0940c4f4f85

SHA256
5cc7721d59def1f80d57f9f369cd00effb5f8bb4995e8ed50bb06884705a0f43

SHA512
aee3d6213760820714428848084af0482534cda41cd5db232346f12a1e135b0805c17d235bd1f4ec086b2d3a5a01993b2e4ec0720f17466b9370cdad6b08ffea

Download Submit
\Program Files (x86)\Adobe\data.exe

Filesize
168KB

MD5
024048cc1a3507c6cb616c144d9482ce

SHA1
1e4ecf2d14274ddb56be27c34cbba0940c4f4f85

SHA256
5cc7721d59def1f80d57f9f369cd00effb5f8bb4995e8ed50bb06884705a0f43

SHA512
aee3d6213760820714428848084af0482534cda41cd5db232346f12a1e135b0805c17d235bd1f4ec086b2d3a5a01993b2e4ec0720f17466b9370cdad6b08ffea

Download Submit
\Program Files (x86)\backup.exe

Filesize
168KB

MD5
594b3d281d765f3342beb286dd1b05ef

SHA1
d839bcecf4b90c24bb02d77fbab8bd49b33ec9a9

SHA256
cf851be96e5629f8f596a5f1145440c600acaae3a01a2de233330f6cf0da0820

SHA512
90189b907c98f14a22ffa6d1efd4b2fff5e754d66da1fb4664fb8d2e577cb26e67354ab27d4c515eb9752ce4311bdb7233c765bfd734c315ed1982023d4e5ca9

Download Submit
\Program Files (x86)\backup.exe

Filesize
168KB

MD5
594b3d281d765f3342beb286dd1b05ef

SHA1
d839bcecf4b90c24bb02d77fbab8bd49b33ec9a9

SHA256
cf851be96e5629f8f596a5f1145440c600acaae3a01a2de233330f6cf0da0820

SHA512
90189b907c98f14a22ffa6d1efd4b2fff5e754d66da1fb4664fb8d2e577cb26e67354ab27d4c515eb9752ce4311bdb7233c765bfd734c315ed1982023d4e5ca9

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
168KB

MD5
a2ad66071e436ba8bcf214985de2bd9c

SHA1
d4329307cbb4741e4870b4c0b65be9d13911eed0

SHA256
c5acd63f154f63af3ae3b3ca7ba040715991fa37c338788a0a755457b03a3119

SHA512
d0629d13f5faf5ac4c4308db44e575d2d84a14189610ce5a807cd0d2ef84b0078b54a3694bc28e39a832040c0ab43690bc741d1d8138c4265b65a586f967cb31

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
168KB

MD5
a2ad66071e436ba8bcf214985de2bd9c

SHA1
d4329307cbb4741e4870b4c0b65be9d13911eed0

SHA256
c5acd63f154f63af3ae3b3ca7ba040715991fa37c338788a0a755457b03a3119

SHA512
d0629d13f5faf5ac4c4308db44e575d2d84a14189610ce5a807cd0d2ef84b0078b54a3694bc28e39a832040c0ab43690bc741d1d8138c4265b65a586f967cb31

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
168KB

MD5
f2010dd614855cb0b77e10cdc8c187af

SHA1
06ac324cee608ded0af0411f86723916aa5d6bb2

SHA256
017033b3fc21ed2199dad57aee9f655c486a024c2a455e564afca7fcb01c9a9d

SHA512
1768378537358d63967ea5042befedac02c2dc612a3e7373873ea6f2d076ba40aa77195519038ca98ba65a7384a10a33ee9a11cd6790443978e2963a8c8468e0

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
168KB

MD5
f2010dd614855cb0b77e10cdc8c187af

SHA1
06ac324cee608ded0af0411f86723916aa5d6bb2

SHA256
017033b3fc21ed2199dad57aee9f655c486a024c2a455e564afca7fcb01c9a9d

SHA512
1768378537358d63967ea5042befedac02c2dc612a3e7373873ea6f2d076ba40aa77195519038ca98ba65a7384a10a33ee9a11cd6790443978e2963a8c8468e0

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
168KB

MD5
c1c1c127700ffbc267f14a9c0a0b329b

SHA1
53f6fb9a1d1ccf145561bdc971542efea1b50a6b

SHA256
f7649b818c27c5c6673045689e49448bd8ff78fe0db8cce71f83aae22792e49e

SHA512
61597384f0a974fc654d9cc7df1215b07bcf1e466db6d8a3f0731b10ec8a45339c54bd20f0c5c92dd1fcfe279d0308d365dcf2824ce7ef01e8b524fdb76bb01f

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
168KB

MD5
c1c1c127700ffbc267f14a9c0a0b329b

SHA1
53f6fb9a1d1ccf145561bdc971542efea1b50a6b

SHA256
f7649b818c27c5c6673045689e49448bd8ff78fe0db8cce71f83aae22792e49e

SHA512
61597384f0a974fc654d9cc7df1215b07bcf1e466db6d8a3f0731b10ec8a45339c54bd20f0c5c92dd1fcfe279d0308d365dcf2824ce7ef01e8b524fdb76bb01f

Download Submit
\Program Files\Common Files\Microsoft Shared\update.exe

Filesize
168KB

MD5
cfb95321bce5e92968350bb2bf8b2b74

SHA1
125cf5fb42b45992cdd96da62a629c3615493daa

SHA256
3c89eb899c1585e5693250cb32602395845fb5de9b2b348b30513e3473e8710d

SHA512
ce2d1649cdf3d5466de970bfd12767d968d726ed706038a7c20051414e33187247cff06411ee31aaa01110a8f06977bee85c5b84ee94f097beb3cba788e481a0

Download Submit
\Program Files\Common Files\Microsoft Shared\update.exe

Filesize
168KB

MD5
cfb95321bce5e92968350bb2bf8b2b74

SHA1
125cf5fb42b45992cdd96da62a629c3615493daa

SHA256
3c89eb899c1585e5693250cb32602395845fb5de9b2b348b30513e3473e8710d

SHA512
ce2d1649cdf3d5466de970bfd12767d968d726ed706038a7c20051414e33187247cff06411ee31aaa01110a8f06977bee85c5b84ee94f097beb3cba788e481a0

Download Submit
\Program Files\Common Files\Microsoft Shared\update.exe

Filesize
168KB

MD5
cfb95321bce5e92968350bb2bf8b2b74

SHA1
125cf5fb42b45992cdd96da62a629c3615493daa

SHA256
3c89eb899c1585e5693250cb32602395845fb5de9b2b348b30513e3473e8710d

SHA512
ce2d1649cdf3d5466de970bfd12767d968d726ed706038a7c20051414e33187247cff06411ee31aaa01110a8f06977bee85c5b84ee94f097beb3cba788e481a0

Download Submit
\Program Files\Common Files\Microsoft Shared\update.exe

Filesize
168KB

MD5
cfb95321bce5e92968350bb2bf8b2b74

SHA1
125cf5fb42b45992cdd96da62a629c3615493daa

SHA256
3c89eb899c1585e5693250cb32602395845fb5de9b2b348b30513e3473e8710d

SHA512
ce2d1649cdf3d5466de970bfd12767d968d726ed706038a7c20051414e33187247cff06411ee31aaa01110a8f06977bee85c5b84ee94f097beb3cba788e481a0

Download Submit
\Program Files\Common Files\backup.exe

Filesize
168KB

MD5
488112f054c444b2d1151b03ab69ed5e

SHA1
cc611752cd4d3746b1efb94a6d246cee983da8ab

SHA256
dce1838f23177a623b839720a1e2687258b4d296358171ec752dd100840d1a35

SHA512
ba645f424236a4c30d014d4c8782e30c9e0f3b64b0728947e7ae5f6bec0dbb76a58dc9b851eadd9f52e6192c8b5263b027b6236906191e81cbec24352f0491ba

Download Submit
\Program Files\Common Files\backup.exe

Filesize
168KB

MD5
488112f054c444b2d1151b03ab69ed5e

SHA1
cc611752cd4d3746b1efb94a6d246cee983da8ab

SHA256
dce1838f23177a623b839720a1e2687258b4d296358171ec752dd100840d1a35

SHA512
ba645f424236a4c30d014d4c8782e30c9e0f3b64b0728947e7ae5f6bec0dbb76a58dc9b851eadd9f52e6192c8b5263b027b6236906191e81cbec24352f0491ba

Download Submit
\Program Files\backup.exe

Filesize
168KB

MD5
5196898f1623615b1dbcab484e84c19a

SHA1
acb67ae5b286399d3d0ce9594bc9b6d99064c9dc

SHA256
221bc7343ac8f8179dd4e105e38bd7509916f1ebe7a4d95f279ca701cb948040

SHA512
0c114fa99447f07c158f0f42763f4b389f97a481954bdebc0ea3be2ec447504f3a7bcf2fc2a30941bfa2841d2fe5dfb7a9daba951279796fb33ed26a14d876f7

Download Submit
\Program Files\backup.exe

Filesize
168KB

MD5
5196898f1623615b1dbcab484e84c19a

SHA1
acb67ae5b286399d3d0ce9594bc9b6d99064c9dc

SHA256
221bc7343ac8f8179dd4e105e38bd7509916f1ebe7a4d95f279ca701cb948040

SHA512
0c114fa99447f07c158f0f42763f4b389f97a481954bdebc0ea3be2ec447504f3a7bcf2fc2a30941bfa2841d2fe5dfb7a9daba951279796fb33ed26a14d876f7

Download Submit
\Users\Admin\AppData\Local\Temp\2163887246\backup.exe

Filesize
168KB

MD5
fd91286242a75b17f24fceb1f4e2422d

SHA1
f200ffb9a9c0bf49c1a391f1098eb6089243a110

SHA256
5eb791f13113234fc06204010b9328659a6518240508d2136d97ff620acc6fc2

SHA512
e397d440b552aab5a95579f014f277a117cacc70c8be7024d32ba978b4845f899ec0b840b8d5379cdb5716846146a36b3a8335a62c72a3e2e18d01201803fc0e

Download Submit
\Users\Admin\AppData\Local\Temp\2163887246\backup.exe

Filesize
168KB

MD5
fd91286242a75b17f24fceb1f4e2422d

SHA1
f200ffb9a9c0bf49c1a391f1098eb6089243a110

SHA256
5eb791f13113234fc06204010b9328659a6518240508d2136d97ff620acc6fc2

SHA512
e397d440b552aab5a95579f014f277a117cacc70c8be7024d32ba978b4845f899ec0b840b8d5379cdb5716846146a36b3a8335a62c72a3e2e18d01201803fc0e

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
168KB

MD5
6ccd6b2fa063b21b72d98133084742b2

SHA1
e797f4fffbfe4662b5c90e7c2d60cfdcc3e491f9

SHA256
3cc261512e1ce331ecf43fd08b1faaef037f80387ab6505457895200f904ac09

SHA512
a975705cf70829b9898133fa7295010e79d6f5ce35ce25fa94f9920f0da679c9cce1cb79e8c06f5159b6cfa1a977ad3f0133ac3a2c4d6cb62e23706ba88a087e

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
168KB

MD5
6ccd6b2fa063b21b72d98133084742b2

SHA1
e797f4fffbfe4662b5c90e7c2d60cfdcc3e491f9

SHA256
3cc261512e1ce331ecf43fd08b1faaef037f80387ab6505457895200f904ac09

SHA512
a975705cf70829b9898133fa7295010e79d6f5ce35ce25fa94f9920f0da679c9cce1cb79e8c06f5159b6cfa1a977ad3f0133ac3a2c4d6cb62e23706ba88a087e

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
168KB

MD5
6ccd6b2fa063b21b72d98133084742b2

SHA1
e797f4fffbfe4662b5c90e7c2d60cfdcc3e491f9

SHA256
3cc261512e1ce331ecf43fd08b1faaef037f80387ab6505457895200f904ac09

SHA512
a975705cf70829b9898133fa7295010e79d6f5ce35ce25fa94f9920f0da679c9cce1cb79e8c06f5159b6cfa1a977ad3f0133ac3a2c4d6cb62e23706ba88a087e

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
168KB

MD5
6ccd6b2fa063b21b72d98133084742b2

SHA1
e797f4fffbfe4662b5c90e7c2d60cfdcc3e491f9

SHA256
3cc261512e1ce331ecf43fd08b1faaef037f80387ab6505457895200f904ac09

SHA512
a975705cf70829b9898133fa7295010e79d6f5ce35ce25fa94f9920f0da679c9cce1cb79e8c06f5159b6cfa1a977ad3f0133ac3a2c4d6cb62e23706ba88a087e

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\data.exe

Filesize
168KB

MD5
6ccd6b2fa063b21b72d98133084742b2

SHA1
e797f4fffbfe4662b5c90e7c2d60cfdcc3e491f9

SHA256
3cc261512e1ce331ecf43fd08b1faaef037f80387ab6505457895200f904ac09

SHA512
a975705cf70829b9898133fa7295010e79d6f5ce35ce25fa94f9920f0da679c9cce1cb79e8c06f5159b6cfa1a977ad3f0133ac3a2c4d6cb62e23706ba88a087e

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\data.exe

Filesize
168KB

MD5
6ccd6b2fa063b21b72d98133084742b2

SHA1
e797f4fffbfe4662b5c90e7c2d60cfdcc3e491f9

SHA256
3cc261512e1ce331ecf43fd08b1faaef037f80387ab6505457895200f904ac09

SHA512
a975705cf70829b9898133fa7295010e79d6f5ce35ce25fa94f9920f0da679c9cce1cb79e8c06f5159b6cfa1a977ad3f0133ac3a2c4d6cb62e23706ba88a087e

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
168KB

MD5
6ccd6b2fa063b21b72d98133084742b2

SHA1
e797f4fffbfe4662b5c90e7c2d60cfdcc3e491f9

SHA256
3cc261512e1ce331ecf43fd08b1faaef037f80387ab6505457895200f904ac09

SHA512
a975705cf70829b9898133fa7295010e79d6f5ce35ce25fa94f9920f0da679c9cce1cb79e8c06f5159b6cfa1a977ad3f0133ac3a2c4d6cb62e23706ba88a087e

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
168KB

MD5
6ccd6b2fa063b21b72d98133084742b2

SHA1
e797f4fffbfe4662b5c90e7c2d60cfdcc3e491f9

SHA256
3cc261512e1ce331ecf43fd08b1faaef037f80387ab6505457895200f904ac09

SHA512
a975705cf70829b9898133fa7295010e79d6f5ce35ce25fa94f9920f0da679c9cce1cb79e8c06f5159b6cfa1a977ad3f0133ac3a2c4d6cb62e23706ba88a087e

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
168KB

MD5
6ccd6b2fa063b21b72d98133084742b2

SHA1
e797f4fffbfe4662b5c90e7c2d60cfdcc3e491f9

SHA256
3cc261512e1ce331ecf43fd08b1faaef037f80387ab6505457895200f904ac09

SHA512
a975705cf70829b9898133fa7295010e79d6f5ce35ce25fa94f9920f0da679c9cce1cb79e8c06f5159b6cfa1a977ad3f0133ac3a2c4d6cb62e23706ba88a087e

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
168KB

MD5
6ccd6b2fa063b21b72d98133084742b2

SHA1
e797f4fffbfe4662b5c90e7c2d60cfdcc3e491f9

SHA256
3cc261512e1ce331ecf43fd08b1faaef037f80387ab6505457895200f904ac09

SHA512
a975705cf70829b9898133fa7295010e79d6f5ce35ce25fa94f9920f0da679c9cce1cb79e8c06f5159b6cfa1a977ad3f0133ac3a2c4d6cb62e23706ba88a087e

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\update.exe

Filesize
168KB

MD5
6ccd6b2fa063b21b72d98133084742b2

SHA1
e797f4fffbfe4662b5c90e7c2d60cfdcc3e491f9

SHA256
3cc261512e1ce331ecf43fd08b1faaef037f80387ab6505457895200f904ac09

SHA512
a975705cf70829b9898133fa7295010e79d6f5ce35ce25fa94f9920f0da679c9cce1cb79e8c06f5159b6cfa1a977ad3f0133ac3a2c4d6cb62e23706ba88a087e

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\update.exe

Filesize
168KB

MD5
6ccd6b2fa063b21b72d98133084742b2

SHA1
e797f4fffbfe4662b5c90e7c2d60cfdcc3e491f9

SHA256
3cc261512e1ce331ecf43fd08b1faaef037f80387ab6505457895200f904ac09

SHA512
a975705cf70829b9898133fa7295010e79d6f5ce35ce25fa94f9920f0da679c9cce1cb79e8c06f5159b6cfa1a977ad3f0133ac3a2c4d6cb62e23706ba88a087e

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\update.exe

Filesize
168KB

MD5
6ccd6b2fa063b21b72d98133084742b2

SHA1
e797f4fffbfe4662b5c90e7c2d60cfdcc3e491f9

SHA256
3cc261512e1ce331ecf43fd08b1faaef037f80387ab6505457895200f904ac09

SHA512
a975705cf70829b9898133fa7295010e79d6f5ce35ce25fa94f9920f0da679c9cce1cb79e8c06f5159b6cfa1a977ad3f0133ac3a2c4d6cb62e23706ba88a087e

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\update.exe

Filesize
168KB

MD5
6ccd6b2fa063b21b72d98133084742b2

SHA1
e797f4fffbfe4662b5c90e7c2d60cfdcc3e491f9

SHA256
3cc261512e1ce331ecf43fd08b1faaef037f80387ab6505457895200f904ac09

SHA512
a975705cf70829b9898133fa7295010e79d6f5ce35ce25fa94f9920f0da679c9cce1cb79e8c06f5159b6cfa1a977ad3f0133ac3a2c4d6cb62e23706ba88a087e

Download Submit
memory/628-77-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/628-76-0x0000000000230000-0x000000000023D000-memory.dmp

Filesize
52KB

Download
memory/972-128-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1016-282-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1016-278-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1068-335-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1124-322-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1124-329-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1164-223-0x0000000002A60000-0x0000000002A8A000-memory.dmp

Filesize
168KB

Download
memory/1164-178-0x0000000002A60000-0x0000000002A8A000-memory.dmp

Filesize
168KB

Download
memory/1164-177-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1164-158-0x0000000002A60000-0x0000000002A8A000-memory.dmp

Filesize
168KB

Download
memory/1192-333-0x0000000000290000-0x00000000002BA000-memory.dmp

Filesize
168KB

Download
memory/1192-302-0x0000000000290000-0x00000000002BA000-memory.dmp

Filesize
168KB

Download
memory/1192-331-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1192-274-0x0000000000290000-0x00000000002BA000-memory.dmp

Filesize
168KB

Download
memory/1192-318-0x0000000000290000-0x00000000002BA000-memory.dmp

Filesize
168KB

Download
memory/1236-334-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1236-276-0x00000000003A0000-0x00000000003CA000-memory.dmp

Filesize
168KB

Download
memory/1236-289-0x00000000003A0000-0x00000000003CA000-memory.dmp

Filesize
168KB

Download
memory/1488-169-0x00000000002E0000-0x000000000030A000-memory.dmp

Filesize
168KB

Download
memory/1488-173-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1840-293-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1904-13-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1904-58-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2016-174-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2060-123-0x0000000002590000-0x0000000002591000-memory.dmp

Filesize
4KB

Download
memory/2060-175-0x0000000002590000-0x0000000002591000-memory.dmp

Filesize
4KB

Download
memory/2060-225-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2060-47-0x0000000000290000-0x00000000002BA000-memory.dmp

Filesize
168KB

Download
memory/2060-41-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2060-11-0x0000000000290000-0x00000000002BA000-memory.dmp

Filesize
168KB

Download
memory/2060-24-0x0000000000290000-0x00000000002BA000-memory.dmp

Filesize
168KB

Download
memory/2060-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2092-300-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2104-316-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2104-303-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2152-72-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2152-181-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2172-337-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2260-245-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2260-258-0x00000000002E0000-0x000000000030A000-memory.dmp

Filesize
168KB

Download
memory/2260-328-0x00000000002E0000-0x000000000030A000-memory.dmp

Filesize
168KB

Download
memory/2260-320-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2300-259-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2372-290-0x0000000000230000-0x000000000025A000-memory.dmp

Filesize
168KB

Download
memory/2372-221-0x0000000000230000-0x000000000025A000-memory.dmp

Filesize
168KB

Download
memory/2372-288-0x0000000000230000-0x000000000025A000-memory.dmp

Filesize
168KB

Download
memory/2372-286-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2404-28-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2428-254-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2428-242-0x0000000000360000-0x000000000038A000-memory.dmp

Filesize
168KB

Download
memory/2428-311-0x0000000000360000-0x000000000038A000-memory.dmp

Filesize
168KB

Download
memory/2596-130-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2596-120-0x0000000000430000-0x000000000045A000-memory.dmp

Filesize
168KB

Download
memory/2728-87-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2812-63-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2868-57-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2940-227-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2940-216-0x0000000000280000-0x00000000002AA000-memory.dmp

Filesize
168KB

Download
memory/3040-206-0x0000000000390000-0x00000000003BA000-memory.dmp

Filesize
168KB

Download
memory/3040-138-0x0000000000390000-0x00000000003BA000-memory.dmp

Filesize
168KB

Download
memory/3040-139-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3040-176-0x0000000000390000-0x00000000003BA000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads