1e1d8f225fb3027cde8756aad7eb9cbce056f35c1d6e240b0b65f0d2ad3597f5

Analysis

max time kernel
32s
max time network
121s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
16/11/2023, 07:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.c5c7794c6f15874500c823ee8121ee90.exe
Size

122KB
MD5

c5c7794c6f15874500c823ee8121ee90
SHA1

1b50f11d34fb2f422b00d5a878bd3ce0a539d485
SHA256

1e1d8f225fb3027cde8756aad7eb9cbce056f35c1d6e240b0b65f0d2ad3597f5
SHA512

3e8c43085b352e31d475c02949582ac450e152577954a16dbc0a92d65b36ddf9702e2873d6d2d80d38621d786f375582b07ee8b7a307092237d450c5b92567f4
SSDEEP

1536:lvm1Fu8AjYaFwjRUdW7fmyY7aZYJVmy0KQbj6vbjuKoauGi4p:6u8ANCUdgfmD7zey0KUj6TjR9i4p

Score

10^/10

dropper evasion persistence trojan

Malware Config

Signatures

Malware Backdoor - Berbew 64 IoCs

Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.

persistence dropper trojan

resource	yara_rule
behavioral1/memory/2564-0-0x0000000000400000-0x0000000000424000-memory.dmp	family_berbew
behavioral1/files/0x00280000000139fe-5.dat	family_berbew
behavioral1/files/0x00280000000139fe-7.dat	family_berbew
behavioral1/files/0x00280000000139fe-9.dat	family_berbew
behavioral1/files/0x00280000000139fe-11.dat	family_berbew
behavioral1/memory/2540-14-0x0000000000400000-0x0000000000424000-memory.dmp	family_berbew
behavioral1/files/0x000700000001422e-17.dat	family_berbew
behavioral1/files/0x000700000001422e-19.dat	family_berbew
behavioral1/files/0x000700000001422e-23.dat	family_berbew
behavioral1/memory/2884-27-0x0000000000400000-0x0000000000424000-memory.dmp	family_berbew
behavioral1/files/0x000900000001423f-28.dat	family_berbew
behavioral1/files/0x000900000001423f-31.dat	family_berbew
behavioral1/files/0x000900000001423f-32.dat	family_berbew
behavioral1/memory/2728-33-0x0000000000400000-0x0000000000424000-memory.dmp	family_berbew
behavioral1/files/0x000900000001423f-34.dat	family_berbew
behavioral1/files/0x000900000001423f-35.dat	family_berbew
behavioral1/memory/2564-36-0x0000000000400000-0x0000000000424000-memory.dmp	family_berbew
behavioral1/files/0x000900000001423f-38.dat	family_berbew
behavioral1/files/0x00070000000142d1-42.dat	family_berbew
behavioral1/files/0x00070000000142d1-44.dat	family_berbew
behavioral1/files/0x00070000000142d1-48.dat	family_berbew
behavioral1/memory/2724-50-0x0000000000400000-0x0000000000424000-memory.dmp	family_berbew
behavioral1/memory/2564-49-0x00000000002B0000-0x00000000002D4000-memory.dmp	family_berbew
behavioral1/memory/2724-53-0x0000000000400000-0x0000000000424000-memory.dmp	family_berbew
behavioral1/files/0x00080000000142ec-55.dat	family_berbew
behavioral1/files/0x00080000000142ec-57.dat	family_berbew
behavioral1/memory/2540-60-0x0000000000400000-0x0000000000424000-memory.dmp	family_berbew
behavioral1/files/0x00080000000142ec-62.dat	family_berbew
behavioral1/memory/2564-63-0x00000000002B0000-0x00000000002D4000-memory.dmp	family_berbew
behavioral1/memory/2976-67-0x0000000000400000-0x0000000000424000-memory.dmp	family_berbew
behavioral1/files/0x000800000001448e-68.dat	family_berbew
behavioral1/files/0x000800000001448e-70.dat	family_berbew
behavioral1/memory/2564-74-0x00000000002B0000-0x00000000002D4000-memory.dmp	family_berbew
behavioral1/files/0x000800000001448e-75.dat	family_berbew
behavioral1/memory/2768-78-0x0000000000400000-0x0000000000424000-memory.dmp	family_berbew
behavioral1/files/0x00060000000146dc-80.dat	family_berbew
behavioral1/files/0x00060000000146dc-82.dat	family_berbew
behavioral1/files/0x00060000000146dc-86.dat	family_berbew
behavioral1/memory/2728-87-0x0000000000400000-0x0000000000424000-memory.dmp	family_berbew
behavioral1/memory/2660-90-0x0000000000400000-0x0000000000424000-memory.dmp	family_berbew
behavioral1/files/0x00280000000139fe-92.dat	family_berbew
behavioral1/files/0x0006000000014838-98.dat	family_berbew
behavioral1/files/0x0006000000014838-102.dat	family_berbew
behavioral1/files/0x0006000000014a4f-104.dat	family_berbew
behavioral1/files/0x0006000000014a4f-107.dat	family_berbew
behavioral1/memory/2564-112-0x00000000002B0000-0x00000000002D4000-memory.dmp	family_berbew
behavioral1/files/0x0006000000014a4f-111.dat	family_berbew
behavioral1/files/0x0006000000014a4f-115.dat	family_berbew
behavioral1/files/0x0006000000014b59-117.dat	family_berbew
behavioral1/memory/2936-124-0x0000000000300000-0x0000000000324000-memory.dmp	family_berbew
behavioral1/files/0x0006000000014b59-119.dat	family_berbew
behavioral1/files/0x0006000000014b59-123.dat	family_berbew
behavioral1/memory/320-129-0x0000000000400000-0x0000000000424000-memory.dmp	family_berbew
behavioral1/files/0x0006000000014c0a-132.dat	family_berbew
behavioral1/memory/2564-136-0x00000000002B0000-0x00000000002D4000-memory.dmp	family_berbew
behavioral1/memory/2532-138-0x0000000000510000-0x0000000000534000-memory.dmp	family_berbew
behavioral1/files/0x0006000000014c0a-130.dat	family_berbew
behavioral1/files/0x0006000000014c0a-137.dat	family_berbew
behavioral1/memory/2936-127-0x0000000000400000-0x0000000000424000-memory.dmp	family_berbew
behavioral1/memory/2564-140-0x00000000002B0000-0x00000000002D4000-memory.dmp	family_berbew
behavioral1/memory/1564-142-0x0000000000400000-0x0000000000424000-memory.dmp	family_berbew
behavioral1/files/0x0006000000014c0a-145.dat	family_berbew
behavioral1/files/0x0007000000014b9a-147.dat	family_berbew
behavioral1/files/0x0007000000014b9a-149.dat	family_berbew

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	NEAS.c5c7794c6f15874500c823ee8121ee90.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Executes dropped EXE 64 IoCs

pid	Process
2540	backup.exe
2884	backup.exe
2728	update.exe
2724	System Restore.exe
2976	backup.exe
2768	backup.exe
2660	backup.exe
2532	backup.exe
2936	backup.exe
320	backup.exe
1564	backup.exe
2700	backup.exe
472	backup.exe
2352	backup.exe
1764	backup.exe
536	data.exe
1936	backup.exe
2496	backup.exe
836	backup.exe
2972	backup.exe
900	backup.exe
3016	backup.exe
844	backup.exe
2536	backup.exe
1740	backup.exe
1608	backup.exe
832	backup.exe
2780	backup.exe
2416	backup.exe
2980	backup.exe
2872	backup.exe
2020	backup.exe
2772	backup.exe
3056	data.exe
2580	backup.exe
2960	backup.exe
3060	backup.exe
2188	backup.exe
2280	backup.exe
1088	backup.exe
2840	backup.exe
1432	backup.exe
1408	backup.exe
472	backup.exe
2128	backup.exe
2424	backup.exe
1144	backup.exe
1200	backup.exe
772	System Restore.exe
680	backup.exe
1188	backup.exe
1100	backup.exe
1984	backup.exe
800	backup.exe
3016	backup.exe
2136	update.exe
2348	backup.exe
1724	backup.exe
1608	backup.exe
832	backup.exe
2344	backup.exe
2868	backup.exe
1708	backup.exe
1916	backup.exe

Loads dropped DLL 64 IoCs

pid	Process
2564	NEAS.c5c7794c6f15874500c823ee8121ee90.exe
2564	NEAS.c5c7794c6f15874500c823ee8121ee90.exe
2564	NEAS.c5c7794c6f15874500c823ee8121ee90.exe
2564	NEAS.c5c7794c6f15874500c823ee8121ee90.exe
2564	NEAS.c5c7794c6f15874500c823ee8121ee90.exe
2728	update.exe
2728	update.exe
2728	update.exe
2564	NEAS.c5c7794c6f15874500c823ee8121ee90.exe
2564	NEAS.c5c7794c6f15874500c823ee8121ee90.exe
2564	NEAS.c5c7794c6f15874500c823ee8121ee90.exe
2564	NEAS.c5c7794c6f15874500c823ee8121ee90.exe
2564	NEAS.c5c7794c6f15874500c823ee8121ee90.exe
2564	NEAS.c5c7794c6f15874500c823ee8121ee90.exe
2564	NEAS.c5c7794c6f15874500c823ee8121ee90.exe
2564	NEAS.c5c7794c6f15874500c823ee8121ee90.exe
2532	backup.exe
2532	backup.exe
2936	backup.exe
2936	backup.exe
2532	backup.exe
2532	backup.exe
1564	backup.exe
1564	backup.exe
2700	backup.exe
2700	backup.exe
1564	backup.exe
1564	backup.exe
2352	backup.exe
2352	backup.exe
1764	backup.exe
1764	backup.exe
1764	backup.exe
1764	backup.exe
1936	backup.exe
1936	backup.exe
1936	backup.exe
1936	backup.exe
1936	backup.exe
1936	backup.exe
1936	backup.exe
1936	backup.exe
1936	backup.exe
1936	backup.exe
1936	backup.exe
1936	backup.exe
1936	backup.exe
1936	backup.exe
1936	backup.exe
1936	backup.exe
1936	backup.exe
1936	backup.exe
1936	backup.exe
1936	backup.exe
1936	backup.exe
1936	backup.exe
1936	backup.exe
1936	backup.exe
2416	backup.exe
2416	backup.exe
2416	backup.exe
2416	backup.exe
2416	backup.exe
2416	backup.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe	backup.exe
File opened for modification	C:\Program Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Filters\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\data.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Services\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2564	NEAS.c5c7794c6f15874500c823ee8121ee90.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2564	NEAS.c5c7794c6f15874500c823ee8121ee90.exe
2540	backup.exe
2884	backup.exe
2728	update.exe
2724	System Restore.exe
2976	backup.exe
2768	backup.exe
2660	backup.exe
2532	backup.exe
2936	backup.exe
320	backup.exe
1564	backup.exe
2700	backup.exe
472	backup.exe
2352	backup.exe
1764	backup.exe
536	data.exe
1936	backup.exe
2496	backup.exe
836	backup.exe
2972	backup.exe
900	backup.exe
3016	backup.exe
844	backup.exe
2536	backup.exe
1740	backup.exe
1608	backup.exe
832	backup.exe
2780	backup.exe
2416	backup.exe
2980	backup.exe
2872	backup.exe
2020	backup.exe
2772	backup.exe
3056	data.exe
2580	backup.exe
2960	backup.exe
3060	backup.exe
2188	backup.exe
2280	backup.exe
1088	backup.exe
2840	backup.exe
1432	backup.exe
1408	backup.exe
472	backup.exe
2128	backup.exe
2424	backup.exe
1144	backup.exe
1200	backup.exe
772	System Restore.exe
680	backup.exe
1188	backup.exe
1100	backup.exe
1984	backup.exe
800	backup.exe
3016	backup.exe
2136	update.exe
2348	backup.exe
1724	backup.exe
1608	backup.exe
832	backup.exe
2344	backup.exe
2868	backup.exe
1708	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2564 wrote to memory of 2540	2564	NEAS.c5c7794c6f15874500c823ee8121ee90.exe	28
PID 2564 wrote to memory of 2540	2564	NEAS.c5c7794c6f15874500c823ee8121ee90.exe	28
PID 2564 wrote to memory of 2540	2564	NEAS.c5c7794c6f15874500c823ee8121ee90.exe	28
PID 2564 wrote to memory of 2540	2564	NEAS.c5c7794c6f15874500c823ee8121ee90.exe	28
PID 2564 wrote to memory of 2884	2564	NEAS.c5c7794c6f15874500c823ee8121ee90.exe	29
PID 2564 wrote to memory of 2884	2564	NEAS.c5c7794c6f15874500c823ee8121ee90.exe	29
PID 2564 wrote to memory of 2884	2564	NEAS.c5c7794c6f15874500c823ee8121ee90.exe	29
PID 2564 wrote to memory of 2884	2564	NEAS.c5c7794c6f15874500c823ee8121ee90.exe	29
PID 2564 wrote to memory of 2728	2564	NEAS.c5c7794c6f15874500c823ee8121ee90.exe	30
PID 2564 wrote to memory of 2728	2564	NEAS.c5c7794c6f15874500c823ee8121ee90.exe	30
PID 2564 wrote to memory of 2728	2564	NEAS.c5c7794c6f15874500c823ee8121ee90.exe	30
PID 2564 wrote to memory of 2728	2564	NEAS.c5c7794c6f15874500c823ee8121ee90.exe	30
PID 2564 wrote to memory of 2728	2564	NEAS.c5c7794c6f15874500c823ee8121ee90.exe	30
PID 2564 wrote to memory of 2728	2564	NEAS.c5c7794c6f15874500c823ee8121ee90.exe	30
PID 2564 wrote to memory of 2728	2564	NEAS.c5c7794c6f15874500c823ee8121ee90.exe	30
PID 2564 wrote to memory of 2724	2564	NEAS.c5c7794c6f15874500c823ee8121ee90.exe	31
PID 2564 wrote to memory of 2724	2564	NEAS.c5c7794c6f15874500c823ee8121ee90.exe	31
PID 2564 wrote to memory of 2724	2564	NEAS.c5c7794c6f15874500c823ee8121ee90.exe	31
PID 2564 wrote to memory of 2724	2564	NEAS.c5c7794c6f15874500c823ee8121ee90.exe	31
PID 2564 wrote to memory of 2976	2564	NEAS.c5c7794c6f15874500c823ee8121ee90.exe	32
PID 2564 wrote to memory of 2976	2564	NEAS.c5c7794c6f15874500c823ee8121ee90.exe	32
PID 2564 wrote to memory of 2976	2564	NEAS.c5c7794c6f15874500c823ee8121ee90.exe	32
PID 2564 wrote to memory of 2976	2564	NEAS.c5c7794c6f15874500c823ee8121ee90.exe	32
PID 2564 wrote to memory of 2768	2564	NEAS.c5c7794c6f15874500c823ee8121ee90.exe	33
PID 2564 wrote to memory of 2768	2564	NEAS.c5c7794c6f15874500c823ee8121ee90.exe	33
PID 2564 wrote to memory of 2768	2564	NEAS.c5c7794c6f15874500c823ee8121ee90.exe	33
PID 2564 wrote to memory of 2768	2564	NEAS.c5c7794c6f15874500c823ee8121ee90.exe	33
PID 2564 wrote to memory of 2660	2564	NEAS.c5c7794c6f15874500c823ee8121ee90.exe	34
PID 2564 wrote to memory of 2660	2564	NEAS.c5c7794c6f15874500c823ee8121ee90.exe	34
PID 2564 wrote to memory of 2660	2564	NEAS.c5c7794c6f15874500c823ee8121ee90.exe	34
PID 2564 wrote to memory of 2660	2564	NEAS.c5c7794c6f15874500c823ee8121ee90.exe	34
PID 2540 wrote to memory of 2532	2540	backup.exe	35
PID 2540 wrote to memory of 2532	2540	backup.exe	35
PID 2540 wrote to memory of 2532	2540	backup.exe	35
PID 2540 wrote to memory of 2532	2540	backup.exe	35
PID 2532 wrote to memory of 2936	2532	backup.exe	36
PID 2532 wrote to memory of 2936	2532	backup.exe	36
PID 2532 wrote to memory of 2936	2532	backup.exe	36
PID 2532 wrote to memory of 2936	2532	backup.exe	36
PID 2936 wrote to memory of 320	2936	backup.exe	37
PID 2936 wrote to memory of 320	2936	backup.exe	37
PID 2936 wrote to memory of 320	2936	backup.exe	37
PID 2936 wrote to memory of 320	2936	backup.exe	37
PID 2532 wrote to memory of 1564	2532	backup.exe	38
PID 2532 wrote to memory of 1564	2532	backup.exe	38
PID 2532 wrote to memory of 1564	2532	backup.exe	38
PID 2532 wrote to memory of 1564	2532	backup.exe	38
PID 1564 wrote to memory of 2700	1564	backup.exe	39
PID 1564 wrote to memory of 2700	1564	backup.exe	39
PID 1564 wrote to memory of 2700	1564	backup.exe	39
PID 1564 wrote to memory of 2700	1564	backup.exe	39
PID 2700 wrote to memory of 472	2700	backup.exe	40
PID 2700 wrote to memory of 472	2700	backup.exe	40
PID 2700 wrote to memory of 472	2700	backup.exe	40
PID 2700 wrote to memory of 472	2700	backup.exe	40
PID 1564 wrote to memory of 2352	1564	backup.exe	41
PID 1564 wrote to memory of 2352	1564	backup.exe	41
PID 1564 wrote to memory of 2352	1564	backup.exe	41
PID 1564 wrote to memory of 2352	1564	backup.exe	41
PID 2352 wrote to memory of 1764	2352	backup.exe	42
PID 2352 wrote to memory of 1764	2352	backup.exe	42
PID 2352 wrote to memory of 1764	2352	backup.exe	42
PID 2352 wrote to memory of 1764	2352	backup.exe	42
PID 1764 wrote to memory of 536	1764	backup.exe	43

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.c5c7794c6f15874500c823ee8121ee90.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.c5c7794c6f15874500c823ee8121ee90.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2564
- C:\Users\Admin\AppData\Local\Temp\3646030501\backup.exe
  C:\Users\Admin\AppData\Local\Temp\3646030501\backup.exe C:\Users\Admin\AppData\Local\Temp\3646030501\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2540
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2532
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2936
    - - C:\PerfLogs\Admin\backup.exe
        
        C:\PerfLogs\Admin\backup.exe C:\PerfLogs\Admin\
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:320
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1564
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2700
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:472
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2352
      - C:\Program Files\Common Files\Microsoft Shared\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\backup.exe" C:\Program Files\Common Files\Microsoft Shared\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1764
        
        C:\Program Files\Common Files\Microsoft Shared\Filters\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Filters\data.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:536
        
        C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1936
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2496
        
        C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:836
        
        C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2972
        
        C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:900
        
        C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3016
        
        C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:844
        
        C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2536
        
        C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1740
        
        C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1608
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:832
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2780
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2416
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2980
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2872
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2020
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2772
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3056
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2580
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2960
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3060
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2188
        
        C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2280
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1088
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2840
        
        C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1432
        
        C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1408
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:472
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2128
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2424
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1144
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1200
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:772
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:680
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1188
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1100
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1984
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:800
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3016
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2136
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2348
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1724
        
        C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1608
        
        C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:832
        
        C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2344
        
        C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2868
        
        C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1708
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        System policy modification
        
        PID:1916
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\data.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2760
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2652
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2508
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\
        8⤵
        System policy modification
        
        PID:1076
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2408
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\
        8⤵
        
        PID:484
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1648
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\
        8⤵
        System policy modification
        
        PID:1428
        
        C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
        7⤵
        System policy modification
        
        PID:1460
        
        C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\
        7⤵
        
        PID:1188
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\
        7⤵
        
        PID:2884
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\
        8⤵
        
        PID:552
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\
        8⤵
        
        PID:1428
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\
        8⤵
        
        PID:2812
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\
        8⤵
        
        PID:3064
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\
        7⤵
        
        PID:3016
        
        C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VC\
        7⤵
        
        PID:2072
        
        C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VGX\
        7⤵
        
        PID:2984
        
        C:\Program Files\Common Files\Microsoft Shared\VSTO\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VSTO\update.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\
        7⤵
        
        PID:1552
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2636
      - C:\Program Files\Common Files\SpeechEngines\System Restore.exe
        
        "C:\Program Files\Common Files\SpeechEngines\System Restore.exe" C:\Program Files\Common Files\SpeechEngines\
        6⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:584
        
        C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files\Common Files\SpeechEngines\Microsoft\
        7⤵
        
        PID:1200
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        
        PID:1724
        
        C:\Program Files\Common Files\System\ado\System Restore.exe
        
        "C:\Program Files\Common Files\System\ado\System Restore.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        
        PID:2308
    - - C:\Program Files\DVD Maker\backup.exe
        
        "C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\
        5⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:2016
      - C:\Program Files\DVD Maker\de-DE\backup.exe
        
        "C:\Program Files\DVD Maker\de-DE\backup.exe" C:\Program Files\DVD Maker\de-DE\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1080
      - C:\Program Files\DVD Maker\en-US\backup.exe
        
        "C:\Program Files\DVD Maker\en-US\backup.exe" C:\Program Files\DVD Maker\en-US\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2840
      - C:\Program Files\DVD Maker\es-ES\backup.exe
        
        "C:\Program Files\DVD Maker\es-ES\backup.exe" C:\Program Files\DVD Maker\es-ES\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1248
      - C:\Program Files\DVD Maker\fr-FR\backup.exe
        
        "C:\Program Files\DVD Maker\fr-FR\backup.exe" C:\Program Files\DVD Maker\fr-FR\
        6⤵
        
        PID:536
      - C:\Program Files\DVD Maker\it-IT\backup.exe
        
        "C:\Program Files\DVD Maker\it-IT\backup.exe" C:\Program Files\DVD Maker\it-IT\
        6⤵
        
        PID:2536
      - C:\Program Files\DVD Maker\ja-JP\backup.exe
        
        "C:\Program Files\DVD Maker\ja-JP\backup.exe" C:\Program Files\DVD Maker\ja-JP\
        6⤵
        
        PID:2672
      - C:\Program Files\DVD Maker\Shared\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\backup.exe" C:\Program Files\DVD Maker\Shared\
        6⤵
        
        PID:1276
    - - C:\Program Files\Google\System Restore.exe
        
        "C:\Program Files\Google\System Restore.exe" C:\Program Files\Google\
        5⤵
        
        PID:1984
      - C:\Program Files\Google\Chrome\backup.exe
        
        "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
        6⤵
        
        PID:2900
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        
        PID:2400
      - C:\Program Files\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files\Internet Explorer\de-DE\backup.exe" C:\Program Files\Internet Explorer\de-DE\
        6⤵
        
        PID:300
      - C:\Program Files\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files\Internet Explorer\en-US\backup.exe" C:\Program Files\Internet Explorer\en-US\
        6⤵
        
        PID:828
      - C:\Program Files\Internet Explorer\es-ES\System Restore.exe
        
        "C:\Program Files\Internet Explorer\es-ES\System Restore.exe" C:\Program Files\Internet Explorer\es-ES\
        6⤵
        
        PID:2444
      - C:\Program Files\Internet Explorer\fr-FR\data.exe
        
        "C:\Program Files\Internet Explorer\fr-FR\data.exe" C:\Program Files\Internet Explorer\fr-FR\
        6⤵
        
        PID:2864
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        
        PID:1580
    - - C:\Program Files\Microsoft Games\backup.exe
        
        "C:\Program Files\Microsoft Games\backup.exe" C:\Program Files\Microsoft Games\
        5⤵
        
        PID:2468
    - - C:\Program Files\Microsoft Office\backup.exe
        
        "C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
        5⤵
        
        PID:1932
    - - C:\Program Files\Mozilla Firefox\backup.exe
        
        "C:\Program Files\Mozilla Firefox\backup.exe" C:\Program Files\Mozilla Firefox\
        5⤵
        
        PID:868
    - - C:\Program Files\MSBuild\backup.exe
        
        "C:\Program Files\MSBuild\backup.exe" C:\Program Files\MSBuild\
        5⤵
        
        PID:1556
    - - C:\Program Files\Reference Assemblies\backup.exe
        
        "C:\Program Files\Reference Assemblies\backup.exe" C:\Program Files\Reference Assemblies\
        5⤵
        
        PID:1256
    - - C:\Program Files\VideoLAN\update.exe
        
        "C:\Program Files\VideoLAN\update.exe" C:\Program Files\VideoLAN\
        5⤵
        
        PID:1136
    - - C:\Program Files\Windows Defender\backup.exe
        
        "C:\Program Files\Windows Defender\backup.exe" C:\Program Files\Windows Defender\
        5⤵
        
        PID:2952
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Modifies visibility of file extensions in Explorer
      Drops file in Program Files directory
      PID:2512
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        System policy modification
        
        PID:1028
      - C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\
        6⤵
        System policy modification
        
        PID:1588
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\
        7⤵
        
        PID:1944
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\
        7⤵
        
        PID:2748
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\
        7⤵
        
        PID:1080
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\
        7⤵
        
        PID:772
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        
        PID:2148
      - C:\Program Files (x86)\Common Files\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
        6⤵
        
        PID:3040
      - C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\
        6⤵
        
        PID:2600
      - C:\Program Files (x86)\Common Files\DESIGNER\backup.exe
        
        "C:\Program Files (x86)\Common Files\DESIGNER\backup.exe" C:\Program Files (x86)\Common Files\DESIGNER\
        6⤵
        
        PID:924
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        
        PID:2924
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        
        PID:1140
      - C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe" C:\Program Files (x86)\Internet Explorer\de-DE\
        6⤵
        
        PID:1100
      - C:\Program Files (x86)\Internet Explorer\en-US\System Restore.exe
        
        "C:\Program Files (x86)\Internet Explorer\en-US\System Restore.exe" C:\Program Files (x86)\Internet Explorer\en-US\
        6⤵
        
        PID:1028
      - C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe" C:\Program Files (x86)\Internet Explorer\es-ES\
        6⤵
        
        PID:1280
    - - C:\Program Files (x86)\Microsoft Analysis Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\
        5⤵
        
        PID:1220
    - - C:\Program Files (x86)\Microsoft Office\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\backup.exe" C:\Program Files (x86)\Microsoft Office\
        5⤵
        
        PID:2680
    - - C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\
        5⤵
        
        PID:1900
    - - C:\Program Files (x86)\Microsoft Sync Framework\backup.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\backup.exe" C:\Program Files (x86)\Microsoft Sync Framework\
        5⤵
        
        PID:2060
    - - C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe" C:\Program Files (x86)\Microsoft Synchronization Services\
        5⤵
        
        PID:1444
    - - C:\Program Files (x86)\Microsoft Visual Studio 8\backup.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\backup.exe" C:\Program Files (x86)\Microsoft Visual Studio 8\
        5⤵
        
        PID:1188
    - - C:\Program Files (x86)\Microsoft.NET\backup.exe
        
        "C:\Program Files (x86)\Microsoft.NET\backup.exe" C:\Program Files (x86)\Microsoft.NET\
        5⤵
        
        PID:888
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      PID:3012
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        
        PID:1912
    - - C:\Users\Public\System Restore.exe
        
        "C:\Users\Public\System Restore.exe" C:\Users\Public\
        5⤵
        
        PID:560
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      PID:2632
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2884
- C:\Users\Admin\AppData\Local\Temp\Low\update.exe
  C:\Users\Admin\AppData\Local\Temp\Low\update.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:2728
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\System Restore.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\System Restore.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2724
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2976
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2768
- C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
  C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\backup.exe

Filesize
122KB

MD5
6f1a1c88e0193fe9a409aa7e56dddc5e

SHA1
0f31cef06e8755c1ac5fc4f27c746d3e406ac629

SHA256
609399c9be6706d537292e4ecdd13c4ae63914ca9ba713e72116ffac227ab872

SHA512
f2bd64353fb58c41cc947f204d32a20a65a0dd83f806d58be14ffa9c4056eaab0989b3f3f9d39f63bc8d68596b3c69dd31e902974700a641bc1bc217eb8ddd32

Download Submit
C:\PerfLogs\backup.exe

Filesize
122KB

MD5
b0f5a424ba5565ee49883f1ce90f9d48

SHA1
1ebf3f2865bd504e49e4babc0f4121ca169d4822

SHA256
38bf8ca19efb7e1a3babc8da1f4f98b9661939c1c00b09c8f65a22e9fca292c1

SHA512
229922058ebcdbac8c5f5376639feb935aad8a464cf6544e7c0f4285c41aca84a08d296738207ebfe6d726ef5f3873baf5f4186f9aec0728bbd1115cfaa938ff

Download Submit
C:\PerfLogs\backup.exe

Filesize
122KB

MD5
b0f5a424ba5565ee49883f1ce90f9d48

SHA1
1ebf3f2865bd504e49e4babc0f4121ca169d4822

SHA256
38bf8ca19efb7e1a3babc8da1f4f98b9661939c1c00b09c8f65a22e9fca292c1

SHA512
229922058ebcdbac8c5f5376639feb935aad8a464cf6544e7c0f4285c41aca84a08d296738207ebfe6d726ef5f3873baf5f4186f9aec0728bbd1115cfaa938ff

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
122KB

MD5
7a2d995952cddaf5255b2d4e8ad1b196

SHA1
aadec98f991fa906dde63a7e42381bfc55108f8c

SHA256
3b91cbff63b15629683ea1ca244f97a731954b647600075d91cb8668a29e2646

SHA512
6ec9d4e70e073974dac9ccc24e1c6e4995c8df732c471ac0e2fb48f801b9b3d4ad3b587f3a262397e796815dee10c5198797c0c377827e78cae86e6af2d5f699

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
122KB

MD5
6f1a1c88e0193fe9a409aa7e56dddc5e

SHA1
0f31cef06e8755c1ac5fc4f27c746d3e406ac629

SHA256
609399c9be6706d537292e4ecdd13c4ae63914ca9ba713e72116ffac227ab872

SHA512
f2bd64353fb58c41cc947f204d32a20a65a0dd83f806d58be14ffa9c4056eaab0989b3f3f9d39f63bc8d68596b3c69dd31e902974700a641bc1bc217eb8ddd32

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
122KB

MD5
6f1a1c88e0193fe9a409aa7e56dddc5e

SHA1
0f31cef06e8755c1ac5fc4f27c746d3e406ac629

SHA256
609399c9be6706d537292e4ecdd13c4ae63914ca9ba713e72116ffac227ab872

SHA512
f2bd64353fb58c41cc947f204d32a20a65a0dd83f806d58be14ffa9c4056eaab0989b3f3f9d39f63bc8d68596b3c69dd31e902974700a641bc1bc217eb8ddd32

Download Submit
C:\Program Files\Common Files\Microsoft Shared\Filters\data.exe

Filesize
122KB

MD5
63990eb141ac3dcbafce3ced79bd0999

SHA1
5c46c742cfd71822bbfae9d3ce07734a1407ac67

SHA256
b31fd0e8da3840059e02bb6c9db3fd32df7d8ec2b65bf653440b509a437891aa

SHA512
f4c8d644c62493719196ea7ebbc55416533de4a0a0256cd4da6916dc4a9105b84a6de2a6eb64f05232680cad3aeb58733d10b888f53d0c9e87180b2a8bd7778e

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
122KB

MD5
7a2d995952cddaf5255b2d4e8ad1b196

SHA1
aadec98f991fa906dde63a7e42381bfc55108f8c

SHA256
3b91cbff63b15629683ea1ca244f97a731954b647600075d91cb8668a29e2646

SHA512
6ec9d4e70e073974dac9ccc24e1c6e4995c8df732c471ac0e2fb48f801b9b3d4ad3b587f3a262397e796815dee10c5198797c0c377827e78cae86e6af2d5f699

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
122KB

MD5
7a2d995952cddaf5255b2d4e8ad1b196

SHA1
aadec98f991fa906dde63a7e42381bfc55108f8c

SHA256
3b91cbff63b15629683ea1ca244f97a731954b647600075d91cb8668a29e2646

SHA512
6ec9d4e70e073974dac9ccc24e1c6e4995c8df732c471ac0e2fb48f801b9b3d4ad3b587f3a262397e796815dee10c5198797c0c377827e78cae86e6af2d5f699

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
122KB

MD5
a36902a87ad37558d1a9402f024ef0be

SHA1
612f9778f22f81615184eeb2d8419936b8348f96

SHA256
4150863a106c4e64bcdc2e2831dece32c28fc8b9de0ff618df0bb23712268de4

SHA512
c923adc420a14f91288e038764a752088cfb4dad66fc7d732e0ecf074216c537eb220e3616304b646f78586c57cd2eaeb4435d090a663358cf95cc83e072500b

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
122KB

MD5
63990eb141ac3dcbafce3ced79bd0999

SHA1
5c46c742cfd71822bbfae9d3ce07734a1407ac67

SHA256
b31fd0e8da3840059e02bb6c9db3fd32df7d8ec2b65bf653440b509a437891aa

SHA512
f4c8d644c62493719196ea7ebbc55416533de4a0a0256cd4da6916dc4a9105b84a6de2a6eb64f05232680cad3aeb58733d10b888f53d0c9e87180b2a8bd7778e

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
122KB

MD5
63990eb141ac3dcbafce3ced79bd0999

SHA1
5c46c742cfd71822bbfae9d3ce07734a1407ac67

SHA256
b31fd0e8da3840059e02bb6c9db3fd32df7d8ec2b65bf653440b509a437891aa

SHA512
f4c8d644c62493719196ea7ebbc55416533de4a0a0256cd4da6916dc4a9105b84a6de2a6eb64f05232680cad3aeb58733d10b888f53d0c9e87180b2a8bd7778e

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
122KB

MD5
6f1a1c88e0193fe9a409aa7e56dddc5e

SHA1
0f31cef06e8755c1ac5fc4f27c746d3e406ac629

SHA256
609399c9be6706d537292e4ecdd13c4ae63914ca9ba713e72116ffac227ab872

SHA512
f2bd64353fb58c41cc947f204d32a20a65a0dd83f806d58be14ffa9c4056eaab0989b3f3f9d39f63bc8d68596b3c69dd31e902974700a641bc1bc217eb8ddd32

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
122KB

MD5
6f1a1c88e0193fe9a409aa7e56dddc5e

SHA1
0f31cef06e8755c1ac5fc4f27c746d3e406ac629

SHA256
609399c9be6706d537292e4ecdd13c4ae63914ca9ba713e72116ffac227ab872

SHA512
f2bd64353fb58c41cc947f204d32a20a65a0dd83f806d58be14ffa9c4056eaab0989b3f3f9d39f63bc8d68596b3c69dd31e902974700a641bc1bc217eb8ddd32

Download Submit
C:\Program Files\backup.exe

Filesize
122KB

MD5
b0f5a424ba5565ee49883f1ce90f9d48

SHA1
1ebf3f2865bd504e49e4babc0f4121ca169d4822

SHA256
38bf8ca19efb7e1a3babc8da1f4f98b9661939c1c00b09c8f65a22e9fca292c1

SHA512
229922058ebcdbac8c5f5376639feb935aad8a464cf6544e7c0f4285c41aca84a08d296738207ebfe6d726ef5f3873baf5f4186f9aec0728bbd1115cfaa938ff

Download Submit
C:\Program Files\backup.exe

Filesize
122KB

MD5
b0f5a424ba5565ee49883f1ce90f9d48

SHA1
1ebf3f2865bd504e49e4babc0f4121ca169d4822

SHA256
38bf8ca19efb7e1a3babc8da1f4f98b9661939c1c00b09c8f65a22e9fca292c1

SHA512
229922058ebcdbac8c5f5376639feb935aad8a464cf6544e7c0f4285c41aca84a08d296738207ebfe6d726ef5f3873baf5f4186f9aec0728bbd1115cfaa938ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\3646030501\backup.exe

Filesize
122KB

MD5
7ff01a59f4e8ccc8033221400d0aef2f

SHA1
7ad8f98cc2e4adf62f771a439c69f7429a5e94f4

SHA256
3d44f3fec7d52d0ccbc196efd1a6da95583de4359fca5a5903ae784610ba780e

SHA512
439f4656a68ce80c2802d83f2896286e51de6c6048a7e76f93566ca68014fdb82d875ac8b9415df6bdeb4528a1c07d15c90501d1359e314f14d430782a1c0a8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\3646030501\backup.exe

Filesize
122KB

MD5
7ff01a59f4e8ccc8033221400d0aef2f

SHA1
7ad8f98cc2e4adf62f771a439c69f7429a5e94f4

SHA256
3d44f3fec7d52d0ccbc196efd1a6da95583de4359fca5a5903ae784610ba780e

SHA512
439f4656a68ce80c2802d83f2896286e51de6c6048a7e76f93566ca68014fdb82d875ac8b9415df6bdeb4528a1c07d15c90501d1359e314f14d430782a1c0a8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\3646030501\backup.exe

Filesize
122KB

MD5
7ff01a59f4e8ccc8033221400d0aef2f

SHA1
7ad8f98cc2e4adf62f771a439c69f7429a5e94f4

SHA256
3d44f3fec7d52d0ccbc196efd1a6da95583de4359fca5a5903ae784610ba780e

SHA512
439f4656a68ce80c2802d83f2896286e51de6c6048a7e76f93566ca68014fdb82d875ac8b9415df6bdeb4528a1c07d15c90501d1359e314f14d430782a1c0a8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\update.exe

Filesize
122KB

MD5
7ff01a59f4e8ccc8033221400d0aef2f

SHA1
7ad8f98cc2e4adf62f771a439c69f7429a5e94f4

SHA256
3d44f3fec7d52d0ccbc196efd1a6da95583de4359fca5a5903ae784610ba780e

SHA512
439f4656a68ce80c2802d83f2896286e51de6c6048a7e76f93566ca68014fdb82d875ac8b9415df6bdeb4528a1c07d15c90501d1359e314f14d430782a1c0a8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\update.exe

Filesize
122KB

MD5
7ff01a59f4e8ccc8033221400d0aef2f

SHA1
7ad8f98cc2e4adf62f771a439c69f7429a5e94f4

SHA256
3d44f3fec7d52d0ccbc196efd1a6da95583de4359fca5a5903ae784610ba780e

SHA512
439f4656a68ce80c2802d83f2896286e51de6c6048a7e76f93566ca68014fdb82d875ac8b9415df6bdeb4528a1c07d15c90501d1359e314f14d430782a1c0a8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\System Restore.exe

Filesize
122KB

MD5
78c28e83af0aa3adc999dd4c4126c50b

SHA1
e81c746e4b499993520598d2eed3e3eeb7ff7716

SHA256
c49a4b5641ed56b7d123268739ff9d2fa1014d56f5b5d88ef882353d54beee87

SHA512
b6319d84be2a0033c7d06bde1825004a1ef2999ece43bd0b063f1a040076aa4cc7058607adc7707e5db148f07f957f4909b01b624a971db29a9998495e4950bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
122KB

MD5
78c28e83af0aa3adc999dd4c4126c50b

SHA1
e81c746e4b499993520598d2eed3e3eeb7ff7716

SHA256
c49a4b5641ed56b7d123268739ff9d2fa1014d56f5b5d88ef882353d54beee87

SHA512
b6319d84be2a0033c7d06bde1825004a1ef2999ece43bd0b063f1a040076aa4cc7058607adc7707e5db148f07f957f4909b01b624a971db29a9998495e4950bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
122KB

MD5
78c28e83af0aa3adc999dd4c4126c50b

SHA1
e81c746e4b499993520598d2eed3e3eeb7ff7716

SHA256
c49a4b5641ed56b7d123268739ff9d2fa1014d56f5b5d88ef882353d54beee87

SHA512
b6319d84be2a0033c7d06bde1825004a1ef2999ece43bd0b063f1a040076aa4cc7058607adc7707e5db148f07f957f4909b01b624a971db29a9998495e4950bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
122KB

MD5
7ff01a59f4e8ccc8033221400d0aef2f

SHA1
7ad8f98cc2e4adf62f771a439c69f7429a5e94f4

SHA256
3d44f3fec7d52d0ccbc196efd1a6da95583de4359fca5a5903ae784610ba780e

SHA512
439f4656a68ce80c2802d83f2896286e51de6c6048a7e76f93566ca68014fdb82d875ac8b9415df6bdeb4528a1c07d15c90501d1359e314f14d430782a1c0a8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
122KB

MD5
78c28e83af0aa3adc999dd4c4126c50b

SHA1
e81c746e4b499993520598d2eed3e3eeb7ff7716

SHA256
c49a4b5641ed56b7d123268739ff9d2fa1014d56f5b5d88ef882353d54beee87

SHA512
b6319d84be2a0033c7d06bde1825004a1ef2999ece43bd0b063f1a040076aa4cc7058607adc7707e5db148f07f957f4909b01b624a971db29a9998495e4950bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.zip

Filesize
40KB

MD5
1319351acfe763849392479e93c5d3b2

SHA1
49b234621ab73617d156758e063a3164a7229afc

SHA256
4773c9bf8f73a1bf636e098fd1a8943761ceb4b226e9fbf89f306a1cdd095890

SHA512
0ac39c63d6fb8b254d11ef52d00ca94e82b88e2999566d7bcf8403905a14e03a65f8d9f7c1fc742156afcd3dd412596b699c4ba179383bf022c31b3c16483860

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.zip

Filesize
22B

MD5
76cdb2bad9582d23c1f6f4d868218d6c

SHA1
b04f3ee8f5e43fa3b162981b50bb72fe1acabb33

SHA256
8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85

SHA512
5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

Download Submit
C:\backup.exe

Filesize
122KB

MD5
7354d03cee105419d3752ba961a2e44b

SHA1
82447f6749cbab6aa282ce77378c133eaeb8e614

SHA256
5005c3024ee65971e51d1cc2153ef49c1bd0089b46416edb3ea80bf63361d817

SHA512
f9ee17a5ae8d72a1d0952889680b1246bd4463e59a823ed67889fb726e4205a59a8ec6a226ad7e4efdca6e1d788360014760ce342dc10ba655427bedfb8c05e2

Download Submit
C:\backup.exe

Filesize
122KB

MD5
7354d03cee105419d3752ba961a2e44b

SHA1
82447f6749cbab6aa282ce77378c133eaeb8e614

SHA256
5005c3024ee65971e51d1cc2153ef49c1bd0089b46416edb3ea80bf63361d817

SHA512
f9ee17a5ae8d72a1d0952889680b1246bd4463e59a823ed67889fb726e4205a59a8ec6a226ad7e4efdca6e1d788360014760ce342dc10ba655427bedfb8c05e2

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
122KB

MD5
6f1a1c88e0193fe9a409aa7e56dddc5e

SHA1
0f31cef06e8755c1ac5fc4f27c746d3e406ac629

SHA256
609399c9be6706d537292e4ecdd13c4ae63914ca9ba713e72116ffac227ab872

SHA512
f2bd64353fb58c41cc947f204d32a20a65a0dd83f806d58be14ffa9c4056eaab0989b3f3f9d39f63bc8d68596b3c69dd31e902974700a641bc1bc217eb8ddd32

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
122KB

MD5
6f1a1c88e0193fe9a409aa7e56dddc5e

SHA1
0f31cef06e8755c1ac5fc4f27c746d3e406ac629

SHA256
609399c9be6706d537292e4ecdd13c4ae63914ca9ba713e72116ffac227ab872

SHA512
f2bd64353fb58c41cc947f204d32a20a65a0dd83f806d58be14ffa9c4056eaab0989b3f3f9d39f63bc8d68596b3c69dd31e902974700a641bc1bc217eb8ddd32

Download Submit
\PerfLogs\backup.exe

Filesize
122KB

MD5
b0f5a424ba5565ee49883f1ce90f9d48

SHA1
1ebf3f2865bd504e49e4babc0f4121ca169d4822

SHA256
38bf8ca19efb7e1a3babc8da1f4f98b9661939c1c00b09c8f65a22e9fca292c1

SHA512
229922058ebcdbac8c5f5376639feb935aad8a464cf6544e7c0f4285c41aca84a08d296738207ebfe6d726ef5f3873baf5f4186f9aec0728bbd1115cfaa938ff

Download Submit
\PerfLogs\backup.exe

Filesize
122KB

MD5
b0f5a424ba5565ee49883f1ce90f9d48

SHA1
1ebf3f2865bd504e49e4babc0f4121ca169d4822

SHA256
38bf8ca19efb7e1a3babc8da1f4f98b9661939c1c00b09c8f65a22e9fca292c1

SHA512
229922058ebcdbac8c5f5376639feb935aad8a464cf6544e7c0f4285c41aca84a08d296738207ebfe6d726ef5f3873baf5f4186f9aec0728bbd1115cfaa938ff

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
122KB

MD5
7a2d995952cddaf5255b2d4e8ad1b196

SHA1
aadec98f991fa906dde63a7e42381bfc55108f8c

SHA256
3b91cbff63b15629683ea1ca244f97a731954b647600075d91cb8668a29e2646

SHA512
6ec9d4e70e073974dac9ccc24e1c6e4995c8df732c471ac0e2fb48f801b9b3d4ad3b587f3a262397e796815dee10c5198797c0c377827e78cae86e6af2d5f699

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
122KB

MD5
7a2d995952cddaf5255b2d4e8ad1b196

SHA1
aadec98f991fa906dde63a7e42381bfc55108f8c

SHA256
3b91cbff63b15629683ea1ca244f97a731954b647600075d91cb8668a29e2646

SHA512
6ec9d4e70e073974dac9ccc24e1c6e4995c8df732c471ac0e2fb48f801b9b3d4ad3b587f3a262397e796815dee10c5198797c0c377827e78cae86e6af2d5f699

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
122KB

MD5
6f1a1c88e0193fe9a409aa7e56dddc5e

SHA1
0f31cef06e8755c1ac5fc4f27c746d3e406ac629

SHA256
609399c9be6706d537292e4ecdd13c4ae63914ca9ba713e72116ffac227ab872

SHA512
f2bd64353fb58c41cc947f204d32a20a65a0dd83f806d58be14ffa9c4056eaab0989b3f3f9d39f63bc8d68596b3c69dd31e902974700a641bc1bc217eb8ddd32

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
122KB

MD5
6f1a1c88e0193fe9a409aa7e56dddc5e

SHA1
0f31cef06e8755c1ac5fc4f27c746d3e406ac629

SHA256
609399c9be6706d537292e4ecdd13c4ae63914ca9ba713e72116ffac227ab872

SHA512
f2bd64353fb58c41cc947f204d32a20a65a0dd83f806d58be14ffa9c4056eaab0989b3f3f9d39f63bc8d68596b3c69dd31e902974700a641bc1bc217eb8ddd32

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\data.exe

Filesize
122KB

MD5
63990eb141ac3dcbafce3ced79bd0999

SHA1
5c46c742cfd71822bbfae9d3ce07734a1407ac67

SHA256
b31fd0e8da3840059e02bb6c9db3fd32df7d8ec2b65bf653440b509a437891aa

SHA512
f4c8d644c62493719196ea7ebbc55416533de4a0a0256cd4da6916dc4a9105b84a6de2a6eb64f05232680cad3aeb58733d10b888f53d0c9e87180b2a8bd7778e

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\data.exe

Filesize
122KB

MD5
63990eb141ac3dcbafce3ced79bd0999

SHA1
5c46c742cfd71822bbfae9d3ce07734a1407ac67

SHA256
b31fd0e8da3840059e02bb6c9db3fd32df7d8ec2b65bf653440b509a437891aa

SHA512
f4c8d644c62493719196ea7ebbc55416533de4a0a0256cd4da6916dc4a9105b84a6de2a6eb64f05232680cad3aeb58733d10b888f53d0c9e87180b2a8bd7778e

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
122KB

MD5
7a2d995952cddaf5255b2d4e8ad1b196

SHA1
aadec98f991fa906dde63a7e42381bfc55108f8c

SHA256
3b91cbff63b15629683ea1ca244f97a731954b647600075d91cb8668a29e2646

SHA512
6ec9d4e70e073974dac9ccc24e1c6e4995c8df732c471ac0e2fb48f801b9b3d4ad3b587f3a262397e796815dee10c5198797c0c377827e78cae86e6af2d5f699

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
122KB

MD5
7a2d995952cddaf5255b2d4e8ad1b196

SHA1
aadec98f991fa906dde63a7e42381bfc55108f8c

SHA256
3b91cbff63b15629683ea1ca244f97a731954b647600075d91cb8668a29e2646

SHA512
6ec9d4e70e073974dac9ccc24e1c6e4995c8df732c471ac0e2fb48f801b9b3d4ad3b587f3a262397e796815dee10c5198797c0c377827e78cae86e6af2d5f699

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
122KB

MD5
a36902a87ad37558d1a9402f024ef0be

SHA1
612f9778f22f81615184eeb2d8419936b8348f96

SHA256
4150863a106c4e64bcdc2e2831dece32c28fc8b9de0ff618df0bb23712268de4

SHA512
c923adc420a14f91288e038764a752088cfb4dad66fc7d732e0ecf074216c537eb220e3616304b646f78586c57cd2eaeb4435d090a663358cf95cc83e072500b

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
122KB

MD5
a36902a87ad37558d1a9402f024ef0be

SHA1
612f9778f22f81615184eeb2d8419936b8348f96

SHA256
4150863a106c4e64bcdc2e2831dece32c28fc8b9de0ff618df0bb23712268de4

SHA512
c923adc420a14f91288e038764a752088cfb4dad66fc7d732e0ecf074216c537eb220e3616304b646f78586c57cd2eaeb4435d090a663358cf95cc83e072500b

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
122KB

MD5
63990eb141ac3dcbafce3ced79bd0999

SHA1
5c46c742cfd71822bbfae9d3ce07734a1407ac67

SHA256
b31fd0e8da3840059e02bb6c9db3fd32df7d8ec2b65bf653440b509a437891aa

SHA512
f4c8d644c62493719196ea7ebbc55416533de4a0a0256cd4da6916dc4a9105b84a6de2a6eb64f05232680cad3aeb58733d10b888f53d0c9e87180b2a8bd7778e

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
122KB

MD5
63990eb141ac3dcbafce3ced79bd0999

SHA1
5c46c742cfd71822bbfae9d3ce07734a1407ac67

SHA256
b31fd0e8da3840059e02bb6c9db3fd32df7d8ec2b65bf653440b509a437891aa

SHA512
f4c8d644c62493719196ea7ebbc55416533de4a0a0256cd4da6916dc4a9105b84a6de2a6eb64f05232680cad3aeb58733d10b888f53d0c9e87180b2a8bd7778e

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
122KB

MD5
a36902a87ad37558d1a9402f024ef0be

SHA1
612f9778f22f81615184eeb2d8419936b8348f96

SHA256
4150863a106c4e64bcdc2e2831dece32c28fc8b9de0ff618df0bb23712268de4

SHA512
c923adc420a14f91288e038764a752088cfb4dad66fc7d732e0ecf074216c537eb220e3616304b646f78586c57cd2eaeb4435d090a663358cf95cc83e072500b

Download Submit
\Program Files\Common Files\backup.exe

Filesize
122KB

MD5
6f1a1c88e0193fe9a409aa7e56dddc5e

SHA1
0f31cef06e8755c1ac5fc4f27c746d3e406ac629

SHA256
609399c9be6706d537292e4ecdd13c4ae63914ca9ba713e72116ffac227ab872

SHA512
f2bd64353fb58c41cc947f204d32a20a65a0dd83f806d58be14ffa9c4056eaab0989b3f3f9d39f63bc8d68596b3c69dd31e902974700a641bc1bc217eb8ddd32

Download Submit
\Program Files\Common Files\backup.exe

Filesize
122KB

MD5
6f1a1c88e0193fe9a409aa7e56dddc5e

SHA1
0f31cef06e8755c1ac5fc4f27c746d3e406ac629

SHA256
609399c9be6706d537292e4ecdd13c4ae63914ca9ba713e72116ffac227ab872

SHA512
f2bd64353fb58c41cc947f204d32a20a65a0dd83f806d58be14ffa9c4056eaab0989b3f3f9d39f63bc8d68596b3c69dd31e902974700a641bc1bc217eb8ddd32

Download Submit
\Program Files\backup.exe

Filesize
122KB

MD5
b0f5a424ba5565ee49883f1ce90f9d48

SHA1
1ebf3f2865bd504e49e4babc0f4121ca169d4822

SHA256
38bf8ca19efb7e1a3babc8da1f4f98b9661939c1c00b09c8f65a22e9fca292c1

SHA512
229922058ebcdbac8c5f5376639feb935aad8a464cf6544e7c0f4285c41aca84a08d296738207ebfe6d726ef5f3873baf5f4186f9aec0728bbd1115cfaa938ff

Download Submit
\Program Files\backup.exe

Filesize
122KB

MD5
b0f5a424ba5565ee49883f1ce90f9d48

SHA1
1ebf3f2865bd504e49e4babc0f4121ca169d4822

SHA256
38bf8ca19efb7e1a3babc8da1f4f98b9661939c1c00b09c8f65a22e9fca292c1

SHA512
229922058ebcdbac8c5f5376639feb935aad8a464cf6544e7c0f4285c41aca84a08d296738207ebfe6d726ef5f3873baf5f4186f9aec0728bbd1115cfaa938ff

Download Submit
\Users\Admin\AppData\Local\Temp\3646030501\backup.exe

Filesize
122KB

MD5
7ff01a59f4e8ccc8033221400d0aef2f

SHA1
7ad8f98cc2e4adf62f771a439c69f7429a5e94f4

SHA256
3d44f3fec7d52d0ccbc196efd1a6da95583de4359fca5a5903ae784610ba780e

SHA512
439f4656a68ce80c2802d83f2896286e51de6c6048a7e76f93566ca68014fdb82d875ac8b9415df6bdeb4528a1c07d15c90501d1359e314f14d430782a1c0a8c

Download Submit
\Users\Admin\AppData\Local\Temp\3646030501\backup.exe

Filesize
122KB

MD5
7ff01a59f4e8ccc8033221400d0aef2f

SHA1
7ad8f98cc2e4adf62f771a439c69f7429a5e94f4

SHA256
3d44f3fec7d52d0ccbc196efd1a6da95583de4359fca5a5903ae784610ba780e

SHA512
439f4656a68ce80c2802d83f2896286e51de6c6048a7e76f93566ca68014fdb82d875ac8b9415df6bdeb4528a1c07d15c90501d1359e314f14d430782a1c0a8c

Download Submit
\Users\Admin\AppData\Local\Temp\Low\update.exe

Filesize
122KB

MD5
7ff01a59f4e8ccc8033221400d0aef2f

SHA1
7ad8f98cc2e4adf62f771a439c69f7429a5e94f4

SHA256
3d44f3fec7d52d0ccbc196efd1a6da95583de4359fca5a5903ae784610ba780e

SHA512
439f4656a68ce80c2802d83f2896286e51de6c6048a7e76f93566ca68014fdb82d875ac8b9415df6bdeb4528a1c07d15c90501d1359e314f14d430782a1c0a8c

Download Submit
\Users\Admin\AppData\Local\Temp\Low\update.exe

Filesize
122KB

MD5
7ff01a59f4e8ccc8033221400d0aef2f

SHA1
7ad8f98cc2e4adf62f771a439c69f7429a5e94f4

SHA256
3d44f3fec7d52d0ccbc196efd1a6da95583de4359fca5a5903ae784610ba780e

SHA512
439f4656a68ce80c2802d83f2896286e51de6c6048a7e76f93566ca68014fdb82d875ac8b9415df6bdeb4528a1c07d15c90501d1359e314f14d430782a1c0a8c

Download Submit
\Users\Admin\AppData\Local\Temp\Low\update.exe

Filesize
122KB

MD5
7ff01a59f4e8ccc8033221400d0aef2f

SHA1
7ad8f98cc2e4adf62f771a439c69f7429a5e94f4

SHA256
3d44f3fec7d52d0ccbc196efd1a6da95583de4359fca5a5903ae784610ba780e

SHA512
439f4656a68ce80c2802d83f2896286e51de6c6048a7e76f93566ca68014fdb82d875ac8b9415df6bdeb4528a1c07d15c90501d1359e314f14d430782a1c0a8c

Download Submit
\Users\Admin\AppData\Local\Temp\Low\update.exe

Filesize
122KB

MD5
7ff01a59f4e8ccc8033221400d0aef2f

SHA1
7ad8f98cc2e4adf62f771a439c69f7429a5e94f4

SHA256
3d44f3fec7d52d0ccbc196efd1a6da95583de4359fca5a5903ae784610ba780e

SHA512
439f4656a68ce80c2802d83f2896286e51de6c6048a7e76f93566ca68014fdb82d875ac8b9415df6bdeb4528a1c07d15c90501d1359e314f14d430782a1c0a8c

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\System Restore.exe

Filesize
122KB

MD5
78c28e83af0aa3adc999dd4c4126c50b

SHA1
e81c746e4b499993520598d2eed3e3eeb7ff7716

SHA256
c49a4b5641ed56b7d123268739ff9d2fa1014d56f5b5d88ef882353d54beee87

SHA512
b6319d84be2a0033c7d06bde1825004a1ef2999ece43bd0b063f1a040076aa4cc7058607adc7707e5db148f07f957f4909b01b624a971db29a9998495e4950bd

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\System Restore.exe

Filesize
122KB

MD5
78c28e83af0aa3adc999dd4c4126c50b

SHA1
e81c746e4b499993520598d2eed3e3eeb7ff7716

SHA256
c49a4b5641ed56b7d123268739ff9d2fa1014d56f5b5d88ef882353d54beee87

SHA512
b6319d84be2a0033c7d06bde1825004a1ef2999ece43bd0b063f1a040076aa4cc7058607adc7707e5db148f07f957f4909b01b624a971db29a9998495e4950bd

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
122KB

MD5
78c28e83af0aa3adc999dd4c4126c50b

SHA1
e81c746e4b499993520598d2eed3e3eeb7ff7716

SHA256
c49a4b5641ed56b7d123268739ff9d2fa1014d56f5b5d88ef882353d54beee87

SHA512
b6319d84be2a0033c7d06bde1825004a1ef2999ece43bd0b063f1a040076aa4cc7058607adc7707e5db148f07f957f4909b01b624a971db29a9998495e4950bd

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
122KB

MD5
78c28e83af0aa3adc999dd4c4126c50b

SHA1
e81c746e4b499993520598d2eed3e3eeb7ff7716

SHA256
c49a4b5641ed56b7d123268739ff9d2fa1014d56f5b5d88ef882353d54beee87

SHA512
b6319d84be2a0033c7d06bde1825004a1ef2999ece43bd0b063f1a040076aa4cc7058607adc7707e5db148f07f957f4909b01b624a971db29a9998495e4950bd

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
122KB

MD5
78c28e83af0aa3adc999dd4c4126c50b

SHA1
e81c746e4b499993520598d2eed3e3eeb7ff7716

SHA256
c49a4b5641ed56b7d123268739ff9d2fa1014d56f5b5d88ef882353d54beee87

SHA512
b6319d84be2a0033c7d06bde1825004a1ef2999ece43bd0b063f1a040076aa4cc7058607adc7707e5db148f07f957f4909b01b624a971db29a9998495e4950bd

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
122KB

MD5
78c28e83af0aa3adc999dd4c4126c50b

SHA1
e81c746e4b499993520598d2eed3e3eeb7ff7716

SHA256
c49a4b5641ed56b7d123268739ff9d2fa1014d56f5b5d88ef882353d54beee87

SHA512
b6319d84be2a0033c7d06bde1825004a1ef2999ece43bd0b063f1a040076aa4cc7058607adc7707e5db148f07f957f4909b01b624a971db29a9998495e4950bd

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
122KB

MD5
7ff01a59f4e8ccc8033221400d0aef2f

SHA1
7ad8f98cc2e4adf62f771a439c69f7429a5e94f4

SHA256
3d44f3fec7d52d0ccbc196efd1a6da95583de4359fca5a5903ae784610ba780e

SHA512
439f4656a68ce80c2802d83f2896286e51de6c6048a7e76f93566ca68014fdb82d875ac8b9415df6bdeb4528a1c07d15c90501d1359e314f14d430782a1c0a8c

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
122KB

MD5
7ff01a59f4e8ccc8033221400d0aef2f

SHA1
7ad8f98cc2e4adf62f771a439c69f7429a5e94f4

SHA256
3d44f3fec7d52d0ccbc196efd1a6da95583de4359fca5a5903ae784610ba780e

SHA512
439f4656a68ce80c2802d83f2896286e51de6c6048a7e76f93566ca68014fdb82d875ac8b9415df6bdeb4528a1c07d15c90501d1359e314f14d430782a1c0a8c

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
122KB

MD5
78c28e83af0aa3adc999dd4c4126c50b

SHA1
e81c746e4b499993520598d2eed3e3eeb7ff7716

SHA256
c49a4b5641ed56b7d123268739ff9d2fa1014d56f5b5d88ef882353d54beee87

SHA512
b6319d84be2a0033c7d06bde1825004a1ef2999ece43bd0b063f1a040076aa4cc7058607adc7707e5db148f07f957f4909b01b624a971db29a9998495e4950bd

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
122KB

MD5
78c28e83af0aa3adc999dd4c4126c50b

SHA1
e81c746e4b499993520598d2eed3e3eeb7ff7716

SHA256
c49a4b5641ed56b7d123268739ff9d2fa1014d56f5b5d88ef882353d54beee87

SHA512
b6319d84be2a0033c7d06bde1825004a1ef2999ece43bd0b063f1a040076aa4cc7058607adc7707e5db148f07f957f4909b01b624a971db29a9998495e4950bd

Download Submit
memory/320-129-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/472-174-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/472-184-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/536-227-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/680-548-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/772-539-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/836-259-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/844-297-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/900-278-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1088-458-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1200-530-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1408-486-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1432-477-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1564-222-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1564-264-0x0000000000330000-0x0000000000354000-memory.dmp

Filesize
144KB

Download
memory/1564-234-0x0000000000330000-0x0000000000354000-memory.dmp

Filesize
144KB

Download
memory/1564-142-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1564-194-0x0000000000330000-0x0000000000354000-memory.dmp

Filesize
144KB

Download
memory/1564-223-0x0000000000330000-0x0000000000354000-memory.dmp

Filesize
144KB

Download
memory/1564-153-0x0000000000330000-0x0000000000354000-memory.dmp

Filesize
144KB

Download
memory/1608-627-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1608-323-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1708-660-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1740-314-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1764-284-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1764-285-0x0000000000370000-0x0000000000394000-memory.dmp

Filesize
144KB

Download
memory/1764-218-0x0000000000370000-0x0000000000394000-memory.dmp

Filesize
144KB

Download
memory/1764-220-0x0000000000370000-0x0000000000394000-memory.dmp

Filesize
144KB

Download
memory/1936-390-0x00000000025A0000-0x00000000025C4000-memory.dmp

Filesize
144KB

Download
memory/1936-465-0x00000000025A0000-0x00000000025C4000-memory.dmp

Filesize
144KB

Download
memory/1936-338-0x00000000025A0000-0x00000000025C4000-memory.dmp

Filesize
144KB

Download
memory/1936-473-0x00000000025A0000-0x00000000025C4000-memory.dmp

Filesize
144KB

Download
memory/1936-389-0x00000000025A0000-0x00000000025C4000-memory.dmp

Filesize
144KB

Download
memory/1936-325-0x00000000025A0000-0x00000000025C4000-memory.dmp

Filesize
144KB

Download
memory/1936-474-0x00000000025A0000-0x00000000025C4000-memory.dmp

Filesize
144KB

Download
memory/1936-362-0x00000000025A0000-0x00000000025C4000-memory.dmp

Filesize
144KB

Download
memory/1936-499-0x00000000025A0000-0x00000000025C4000-memory.dmp

Filesize
144KB

Download
memory/1936-337-0x00000000025A0000-0x00000000025C4000-memory.dmp

Filesize
144KB

Download
memory/1936-275-0x00000000025A0000-0x00000000025C4000-memory.dmp

Filesize
144KB

Download
memory/1936-302-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1936-368-0x00000000025A0000-0x00000000025C4000-memory.dmp

Filesize
144KB

Download
memory/1936-454-0x00000000025A0000-0x00000000025C4000-memory.dmp

Filesize
144KB

Download
memory/1936-665-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1936-319-0x00000000025A0000-0x00000000025C4000-memory.dmp

Filesize
144KB

Download
memory/1984-575-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2020-383-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2128-503-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2136-599-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2188-441-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2280-449-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2344-644-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2348-610-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2352-205-0x00000000002F0000-0x0000000000314000-memory.dmp

Filesize
144KB

Download
memory/2352-267-0x00000000002F0000-0x0000000000314000-memory.dmp

Filesize
144KB

Download
memory/2352-265-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2416-402-0x0000000000360000-0x0000000000384000-memory.dmp

Filesize
144KB

Download
memory/2416-400-0x0000000000360000-0x0000000000384000-memory.dmp

Filesize
144KB

Download
memory/2416-399-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2416-407-0x0000000000360000-0x0000000000384000-memory.dmp

Filesize
144KB

Download
memory/2416-411-0x0000000000360000-0x0000000000384000-memory.dmp

Filesize
144KB

Download
memory/2416-436-0x0000000000360000-0x0000000000384000-memory.dmp

Filesize
144KB

Download
memory/2416-440-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2416-361-0x0000000000360000-0x0000000000384000-memory.dmp

Filesize
144KB

Download
memory/2424-513-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2496-248-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2532-138-0x0000000000510000-0x0000000000534000-memory.dmp

Filesize
144KB

Download
memory/2532-214-0x0000000000510000-0x0000000000534000-memory.dmp

Filesize
144KB

Download
memory/2532-166-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2532-183-0x0000000000510000-0x0000000000534000-memory.dmp

Filesize
144KB

Download
memory/2536-305-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2540-14-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2540-60-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2540-99-0x0000000000270000-0x0000000000294000-memory.dmp

Filesize
144KB

Download
memory/2540-688-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2564-136-0x00000000002B0000-0x00000000002D4000-memory.dmp

Filesize
144KB

Download
memory/2564-12-0x00000000002B0000-0x00000000002D4000-memory.dmp

Filesize
144KB

Download
memory/2564-140-0x00000000002B0000-0x00000000002D4000-memory.dmp

Filesize
144KB

Download
memory/2564-255-0x0000000000550000-0x0000000000551000-memory.dmp

Filesize
4KB

Download
memory/2564-182-0x0000000000550000-0x0000000000551000-memory.dmp

Filesize
4KB

Download
memory/2564-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2564-511-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2564-74-0x00000000002B0000-0x00000000002D4000-memory.dmp

Filesize
144KB

Download
memory/2564-112-0x00000000002B0000-0x00000000002D4000-memory.dmp

Filesize
144KB

Download
memory/2564-106-0x00000000002B0000-0x00000000002D4000-memory.dmp

Filesize
144KB

Download
memory/2564-36-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2564-63-0x00000000002B0000-0x00000000002D4000-memory.dmp

Filesize
144KB

Download
memory/2564-49-0x00000000002B0000-0x00000000002D4000-memory.dmp

Filesize
144KB

Download
memory/2580-415-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2660-90-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2700-168-0x0000000000350000-0x0000000000374000-memory.dmp

Filesize
144KB

Download
memory/2700-186-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2724-53-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2724-50-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2728-87-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2728-37-0x0000000000230000-0x0000000000254000-memory.dmp

Filesize
144KB

Download
memory/2728-33-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2760-681-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2768-78-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2772-392-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2840-466-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2840-468-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2872-374-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2884-27-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2936-124-0x0000000000300000-0x0000000000324000-memory.dmp

Filesize
144KB

Download
memory/2936-127-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2960-423-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2972-270-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2976-67-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2980-365-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3016-288-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3056-405-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3060-431-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads