8968bebdc8a4a219676d0f03e4b9aa967f66dffedea0f165e4d99efce81443f7

Analysis

max time kernel
150s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2024 09:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ABTech.exe
Size

141.7MB
MD5

1434c3fbbc8aadd0bdbeb17188ecbb30
SHA1

87dd89f9645e0aad3a83a5e6a88fb32609811175
SHA256

8968bebdc8a4a219676d0f03e4b9aa967f66dffedea0f165e4d99efce81443f7
SHA512

18e0edff038df5b463081da229f7f426747759761d9aae75f1542cad1eadd12ab387bd0b978314259954919172bfb0881b59060ba15b765a936a9a0af4af7889
SSDEEP

3145728:i9J2fFh9HdLSysODYjBxpxYES+LqOI4MTzU4UcpaPbHn:PFh9HpOWUBxp7SiqtTzEcpQH

Score

7^/10

bootkit discovery persistence phishing privilege_escalation

Malware Config

Signatures

A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ABService.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ABNotify = "C:\\Program Files (x86)\\AOMEI Backupper\\ABEventBackup.exe -auto"	ABService.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

ABService.exe

description ioc process

File opened for modification \??\PhysicalDrive0 ABService.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

ABTech.tmp

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation ABTech.tmp

description	ioc	process
File opened for modification	\??\PhysicalDrive0	ABService.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	ABTech.tmp

Drops file in System32 directory 6 IoCs

Processes:

ABTech.tmpValidCheck.exeABService.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\winsevr.dat	ABTech.tmp
File created	C:\Windows\system32\is-LIE7R.tmp	ABTech.tmp
File created	C:\Windows\system32\is-O5JTD.tmp	ABTech.tmp
File created	C:\Windows\system32\is-U9FAE.tmp	ABTech.tmp
File opened for modification	C:\Windows\SysWOW64\winsevr.dat	ValidCheck.exe
File opened for modification	C:\Windows\SysWOW64\winsevr.dat	ABService.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

Processes:

ABTech.tmp

description	ioc	process
File opened for modification	C:\Program Files (x86)\AOMEI Backupper\Encrypt.dll	ABTech.tmp
File created	C:\Program Files (x86)\AOMEI Backupper\html\free_trial\is-FHI8D.tmp	ABTech.tmp
File created	C:\Program Files (x86)\AOMEI Backupper\AOMEI Image Deploy\is-FSA49.tmp	ABTech.tmp
File created	C:\Program Files (x86)\AOMEI Backupper\AOMEI Image Deploy\netdrv\win7x64\l1c62x64\is-A7701.tmp	ABTech.tmp
File created	C:\Program Files (x86)\AOMEI Backupper\AOMEI Image Deploy\netdrv\win8x64\msu30x64w8a\is-L7IKM.tmp	ABTech.tmp
File created	C:\Program Files (x86)\AOMEI Backupper\AOMEI Image Deploy\netdrv\win8x64\v1q63x64\is-78F1O.tmp	ABTech.tmp
File created	C:\Program Files (x86)\AOMEI Backupper\is-EQJDJ.tmp	ABTech.tmp
File created	C:\Program Files (x86)\AOMEI Backupper\is-94TJ6.tmp	ABTech.tmp
File created	C:\Program Files (x86)\AOMEI Backupper\plugins\pe_dll_8_10\is-E5U1R.tmp	ABTech.tmp
File created	C:\Program Files (x86)\AOMEI Backupper\Winpe64\is-3P0SC.tmp	ABTech.tmp
File created	C:\Program Files (x86)\AOMEI Backupper\AOMEI Image Deploy\netdrv\win7x86\rtu30x86w7\is-8EBLA.tmp	ABTech.tmp
File opened for modification	C:\Program Files (x86)\AOMEI Backupper\AOMEI Image Deploy\netdrv\win7x86\fei6232\nicco26.dll	ABTech.tmp
File opened for modification	C:\Program Files (x86)\AOMEI Backupper\AOMEI Image Deploy\netdrv\win8x64\ixt63x64\nicinixt.dll	ABTech.tmp
File created	C:\Program Files (x86)\AOMEI Backupper\is-6JOF4.tmp	ABTech.tmp
File created	C:\Program Files (x86)\AOMEI Backupper\Winpe64\is-9A1B1.tmp	ABTech.tmp
File created	C:\Program Files (x86)\AOMEI Backupper\Winpe64\is-1CGB8.tmp	ABTech.tmp
File created	C:\Program Files (x86)\AOMEI Backupper\AOMEI Image Deploy\netdrv\win7x64\e1e6232e\is-3R1NU.tmp	ABTech.tmp
File created	C:\Program Files (x86)\AOMEI Backupper\AOMEI Image Deploy\netdrv\win7x86\e1e6232.inf\is-VCLAK.tmp	ABTech.tmp
File created	C:\Program Files (x86)\AOMEI Backupper\AOMEI Image Deploy\netdrv\win8x64\ixn63x64\is-EJ95B.tmp	ABTech.tmp
File created	C:\Program Files (x86)\AOMEI Backupper\AOMEI Image Deploy\netdrv\win8x64\ixt63x64\is-H4E89.tmp	ABTech.tmp
File opened for modification	C:\Program Files (x86)\AOMEI Backupper\libssl-1_1.dll	ABTech.tmp
File opened for modification	C:\Program Files (x86)\AOMEI Backupper\AOMEI Image Deploy\netdrv\win7x64\e1e6232e\e1000msg.dll	ABTech.tmp
File created	C:\Program Files (x86)\AOMEI Backupper\Winpe64\is-9NO2I.tmp	ABTech.tmp
File created	C:\Program Files (x86)\AOMEI Backupper\AOMEI Image Deploy\netdrv\win8x64\ixn63x64\is-N33LR.tmp	ABTech.tmp
File opened for modification	C:\Program Files (x86)\AOMEI Backupper\Winpe64\Version.ini	ABTech.tmp
File opened for modification	C:\Program Files (x86)\AOMEI Backupper\ABUsbTips.exe	ABTech.tmp
File opened for modification	C:\Program Files (x86)\AOMEI Backupper\NotDPIAware.dll	ABTech.tmp
File opened for modification	C:\Program Files (x86)\AOMEI Backupper\AOMEI Image Deploy\Winpe64\Compress.dll	ABTech.tmp
File opened for modification	C:\Program Files (x86)\AOMEI Backupper\AOMEI Image Deploy\netdrv\win8x86\e1k6332\e1kmsg.dll	ABTech.tmp
File created	C:\Program Files (x86)\AOMEI Backupper\Image\is-HG8H4.tmp	ABTech.tmp
File created	C:\Program Files (x86)\AOMEI Backupper\AOMEI Image Deploy\netdrv\win7x64\e1q62x64\is-BCHIL.tmp	ABTech.tmp
File opened for modification	C:\Program Files (x86)\AOMEI Backupper\AOMEI Image Deploy\DiskMgr.dll	ABTech.tmp
File opened for modification	C:\Program Files (x86)\AOMEI Backupper\AOMEI Image Deploy\netdrv\win8x64\vxn63x64\vxnmsg.dll	ABTech.tmp
File created	C:\Program Files (x86)\AOMEI Backupper\AOMEI Image Deploy\netdrv\win7x64\netvfx64\is-RS1AU.tmp	ABTech.tmp
File opened for modification	C:\Program Files (x86)\AOMEI Backupper\Winpe64\Sync.dll	ABTech.tmp
File opened for modification	C:\Program Files (x86)\AOMEI Backupper\AOMEI Image Deploy\TFTP.dll	ABTech.tmp
File created	C:\Program Files (x86)\AOMEI Backupper\is-PDU24.tmp	ABTech.tmp
File created	C:\Program Files (x86)\AOMEI Backupper\AOMEI Image Deploy\netdrv\win8x64\msu64w8\is-A403P.tmp	ABTech.tmp
File opened for modification	C:\Program Files (x86)\AOMEI Backupper\AOMEI Image Deploy\netdrv\win8x86\rtu30x86w8\RtNicProp32.dll	ABTech.tmp
File opened for modification	C:\Program Files (x86)\AOMEI Backupper\Winpe64\DeviceMgr.dll	ABTech.tmp
File opened for modification	C:\Program Files (x86)\AOMEI Backupper\AOMEI Image Deploy\netdrv\win8x64\e1r63x64\nicine1r.dll	ABTech.tmp
File opened for modification	C:\Program Files (x86)\AOMEI Backupper\AOMEI Image Deploy\netdrv\win7x86\rt86win7\RtNicProp32.dll	ABTech.tmp
File created	C:\Program Files (x86)\AOMEI Backupper\AOMEI Image Deploy\netdrv\win7x86\fei6232\is-RNMLV.tmp	ABTech.tmp
File created	C:\Program Files (x86)\AOMEI Backupper\Winpe64\is-LFT76.tmp	ABTech.tmp
File created	C:\Program Files (x86)\AOMEI Backupper\AOMEI Image Deploy\msbios\is-RVKQO.tmp	ABTech.tmp
File created	C:\Program Files (x86)\AOMEI Backupper\AOMEI Image Deploy\netdrv\win7x64\netL1e64\is-CB8N5.tmp	ABTech.tmp
File opened for modification	C:\Program Files (x86)\AOMEI Backupper\libamcbdb.dll	ABTech.tmp
File created	C:\Program Files (x86)\AOMEI Backupper\AOMEI Image Deploy\netdrv\win7x64\e1q62x64\is-6C1N0.tmp	ABTech.tmp
File created	C:\Program Files (x86)\AOMEI Backupper\AOMEI Image Deploy\netdrv\win7x64\k57nd60a\is-1H954.tmp	ABTech.tmp
File created	C:\Program Files (x86)\AOMEI Backupper\AOMEI Image Deploy\netdrv\win8x86\ixt6332\is-IL2O8.tmp	ABTech.tmp
File opened for modification	C:\Program Files (x86)\AOMEI Backupper\Winpe64\libcrypto-1_1-x64.dll	ABTech.tmp
File opened for modification	C:\Program Files (x86)\AOMEI Backupper\AOMEI Image Deploy\netdrv\win7x64\e1s62x64\nicine1s.dll	ABTech.tmp
File created	C:\Program Files (x86)\AOMEI Backupper\is-4EOQ3.tmp	ABTech.tmp
File created	C:\Program Files (x86)\AOMEI Backupper\is-480C8.tmp	ABTech.tmp
File created	C:\Program Files (x86)\AOMEI Backupper\is-FQ3JD.tmp	ABTech.tmp
File created	C:\Program Files (x86)\AOMEI Backupper\AOMEI Image Deploy\netdrv\win7x64\netL1e64\is-L0TL0.tmp	ABTech.tmp
File created	C:\Program Files (x86)\AOMEI Backupper\AOMEI Image Deploy\netdrv\win7x86\b57nd60x\is-3743J.tmp	ABTech.tmp
File created	C:\Program Files (x86)\AOMEI Backupper\Image\is-BE337.tmp	ABTech.tmp
File created	C:\Program Files (x86)\AOMEI Backupper\AOMEI Image Deploy\netdrv\win7x86\e1e6232.inf\is-4EB9S.tmp	ABTech.tmp
File created	C:\Program Files (x86)\AOMEI Backupper\AOMEI Image Deploy\netdrv\win8x64\e1k63x64\is-CN2N3.tmp	ABTech.tmp
File created	C:\Program Files (x86)\AOMEI Backupper\AOMEI Image Deploy\netdrv\win8x86\e1k6332\is-GTP08.tmp	ABTech.tmp
File opened for modification	C:\Program Files (x86)\AOMEI Backupper\NTHelp.dll	ABTech.tmp
File opened for modification	C:\Program Files (x86)\AOMEI Backupper\Winpe64\libeay32.dll	ABTech.tmp
File created	C:\Program Files (x86)\AOMEI Backupper\lang\is-O85G3.tmp	ABTech.tmp

Executes dropped EXE 9 IoCs

Processes:

ABTech.tmpIUHelper.exeABService.exeABService.exeLoadDrv.exevsscom.exeValidCheck.exeIUHelper.exeABService.exe

pid	process
2060	ABTech.tmp
3980	IUHelper.exe
1892	ABService.exe
1028	ABService.exe
1844	LoadDrv.exe
1392	vsscom.exe
4884	ValidCheck.exe
5108	IUHelper.exe
3548	ABService.exe

Loads dropped DLL 64 IoCs

Processes:

ABTech.tmpABService.exe

pid	process
2060	ABTech.tmp
2060	ABTech.tmp
2060	ABTech.tmp
2060	ABTech.tmp
2060	ABTech.tmp
2060	ABTech.tmp
2060	ABTech.tmp
2060	ABTech.tmp
2060	ABTech.tmp
1892	ABService.exe
1892	ABService.exe
1892	ABService.exe
1892	ABService.exe
1892	ABService.exe
1892	ABService.exe
1892	ABService.exe
1892	ABService.exe
1892	ABService.exe
1892	ABService.exe
1892	ABService.exe
1892	ABService.exe
1892	ABService.exe
1892	ABService.exe
1892	ABService.exe
1892	ABService.exe
1892	ABService.exe
1892	ABService.exe
1892	ABService.exe
1892	ABService.exe
1892	ABService.exe
1892	ABService.exe
1892	ABService.exe
1892	ABService.exe
1892	ABService.exe
1892	ABService.exe
1892	ABService.exe
1892	ABService.exe
1892	ABService.exe
1892	ABService.exe
1892	ABService.exe
1892	ABService.exe
1892	ABService.exe
1892	ABService.exe
1892	ABService.exe
1892	ABService.exe
1892	ABService.exe
1892	ABService.exe
1892	ABService.exe
1892	ABService.exe
1892	ABService.exe
1892	ABService.exe
1892	ABService.exe
1892	ABService.exe
1892	ABService.exe
1892	ABService.exe
1892	ABService.exe
1892	ABService.exe
1892	ABService.exe
1892	ABService.exe
1892	ABService.exe
1892	ABService.exe
1892	ABService.exe
1892	ABService.exe
1892	ABService.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

IUHelper.execmd.exeValidCheck.exeABTech.tmpABService.exeABService.exeIUHelper.exeABService.exewmic.exewmic.exeABTech.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IUHelper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ValidCheck.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ABTech.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ABService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ABService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IUHelper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ABService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ABTech.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 58 IoCs

Processes:

vsscom.exeABTech.tmp

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3FEFE27A-CCB6-4E43-810D-4F47D7CD1580}\TypeLib\Version = "1.0"	vsscom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AOMEI Backupper Backup File\ = "AOMEI Backupper Backup File"	ABTech.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{121068A4-8BF5-4EBB-8E75-24ABAAA96688}\VersionIndependentProgID\ = "VSSCOM.VSS64"	vsscom.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3FEFE27A-CCB6-4E43-810D-4F47D7CD1580}\ProxyStubClsid32	vsscom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{121068A4-8BF5-4EBB-8E75-24ABAAA96688}\ = "VSS64 Class"	vsscom.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3FEFE27A-CCB6-4E43-810D-4F47D7CD1580}\ProxyStubClsid32	vsscom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VSSCOM.VSS64.1\CLSID\ = "{121068A4-8BF5-4EBB-8E75-24ABAAA96688}"	vsscom.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{121068A4-8BF5-4EBB-8E75-24ABAAA96688}\Programmable	vsscom.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{121068A4-8BF5-4EBB-8E75-24ABAAA96688}\ProgID	vsscom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3FEFE27A-CCB6-4E43-810D-4F47D7CD1580}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	vsscom.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VSSCOM.VSS64\CurVer	vsscom.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{121068A4-8BF5-4EBB-8E75-24ABAAA96688}	vsscom.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{121068A4-8BF5-4EBB-8E75-24ABAAA96688}\VersionIndependentProgID	vsscom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{121068A4-8BF5-4EBB-8E75-24ABAAA96688}\AppID = "{B3E2C31B-A5EB-406C-890D-04D23EC4E315}"	vsscom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{70F6E3D2-BA30-4D76-A035-FCFBF12BD967}\1.0\0\win64\ = "C:\\Program Files (x86)\\AOMEI Backupper\\vsscom.exe"	vsscom.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3FEFE27A-CCB6-4E43-810D-4F47D7CD1580}	vsscom.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VSSCOM.VSS64	vsscom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VSSCOM.VSS64\CLSID\ = "{121068A4-8BF5-4EBB-8E75-24ABAAA96688}"	vsscom.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{70F6E3D2-BA30-4D76-A035-FCFBF12BD967}\1.0\HELPDIR	vsscom.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3FEFE27A-CCB6-4E43-810D-4F47D7CD1580}\TypeLib	vsscom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{70F6E3D2-BA30-4D76-A035-FCFBF12BD967}\1.0\ = "VSSCOM 1.0 Type Library"	vsscom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{70F6E3D2-BA30-4D76-A035-FCFBF12BD967}\1.0\HELPDIR\	vsscom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3FEFE27A-CCB6-4E43-810D-4F47D7CD1580}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	vsscom.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AOMEI Backupper Backup File	ABTech.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VSSCOM.VSS64\ = "VSS64 Class"	vsscom.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{B3E2C31B-A5EB-406C-890D-04D23EC4E315}	vsscom.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VSSCOM.VSS64\CLSID	vsscom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{121068A4-8BF5-4EBB-8E75-24ABAAA96688}\TypeLib\ = "{70F6E3D2-BA30-4D76-A035-FCFBF12BD967}"	vsscom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\VSSCOM.EXE\AppID = "{B3E2C31B-A5EB-406C-890D-04D23EC4E315}"	vsscom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VSSCOM.VSS64.1\ = "VSS64 Class"	vsscom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{70F6E3D2-BA30-4D76-A035-FCFBF12BD967}\1.0\FLAGS\ = "0"	vsscom.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{70F6E3D2-BA30-4D76-A035-FCFBF12BD967}\1.0\0\win64	vsscom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{121068A4-8BF5-4EBB-8E75-24ABAAA96688}\LocalServer32\ = "\"C:\\Program Files (x86)\\AOMEI Backupper\\vsscom.exe\""	vsscom.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{70F6E3D2-BA30-4D76-A035-FCFBF12BD967}	vsscom.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{70F6E3D2-BA30-4D76-A035-FCFBF12BD967}\1.0	vsscom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3FEFE27A-CCB6-4E43-810D-4F47D7CD1580}\ = "IVSS64"	vsscom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{121068A4-8BF5-4EBB-8E75-24ABAAA96688}\ProgID\ = "VSSCOM.VSS64.1"	vsscom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3FEFE27A-CCB6-4E43-810D-4F47D7CD1580}\TypeLib\Version = "1.0"	vsscom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AOMEI Backupper Backup File\DefaultIcon\ = "C:\\Program Files (x86)\\AOMEI Backupper\\adi.ico"	ABTech.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.afi\ = "AOMEI Backupper Backup File"	ABTech.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.afi	ABTech.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VSSCOM.VSS64.1\CLSID	vsscom.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VSSCOM.VSS64.1	vsscom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VSSCOM.VSS64\CurVer\ = "VSSCOM.VSS64.1"	vsscom.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3FEFE27A-CCB6-4E43-810D-4F47D7CD1580}	vsscom.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3FEFE27A-CCB6-4E43-810D-4F47D7CD1580}\TypeLib	vsscom.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.adi	ABTech.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.adi\ = "AOMEI Backupper Backup File"	ABTech.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3FEFE27A-CCB6-4E43-810D-4F47D7CD1580}\TypeLib\ = "{70F6E3D2-BA30-4D76-A035-FCFBF12BD967}"	vsscom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3FEFE27A-CCB6-4E43-810D-4F47D7CD1580}\TypeLib\ = "{70F6E3D2-BA30-4D76-A035-FCFBF12BD967}"	vsscom.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{121068A4-8BF5-4EBB-8E75-24ABAAA96688}\LocalServer32	vsscom.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{70F6E3D2-BA30-4D76-A035-FCFBF12BD967}\1.0\FLAGS	vsscom.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\VSSCOM.EXE	vsscom.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{121068A4-8BF5-4EBB-8E75-24ABAAA96688}\TypeLib	vsscom.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{70F6E3D2-BA30-4D76-A035-FCFBF12BD967}\1.0\0	vsscom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3FEFE27A-CCB6-4E43-810D-4F47D7CD1580}\ = "IVSS64"	vsscom.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AOMEI Backupper Backup File\DefaultIcon	ABTech.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{B3E2C31B-A5EB-406C-890D-04D23EC4E315}\ = "VSSCOM"	vsscom.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

ABTech.tmpmsedge.exemsedge.exeABService.exeidentity_helper.exe

pid	process
2060	ABTech.tmp
2060	ABTech.tmp
3308	msedge.exe
3308	msedge.exe
2340	msedge.exe
2340	msedge.exe
3548	ABService.exe
3548	ABService.exe
3548	ABService.exe
3548	ABService.exe
3548	ABService.exe
3548	ABService.exe
3164	identity_helper.exe
3164	identity_helper.exe
3548	ABService.exe
3548	ABService.exe

Suspicious behavior: LoadsDriver 3 IoCs

Processes:

pid process

656
656
656
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

Processes:

msedge.exe

pid process

2340 msedge.exe
2340 msedge.exe
2340 msedge.exe
2340 msedge.exe
2340 msedge.exe
2340 msedge.exe
2340 msedge.exe
2340 msedge.exe
2340 msedge.exe

pid	process
656
656
656

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

ABTech.tmpABService.exeABService.exeABService.exewmic.exe

description	pid	process
Token: SeDebugPrivilege	2060	ABTech.tmp
Token: SeAuditPrivilege	2060	ABTech.tmp
Token: SeSecurityPrivilege	2060	ABTech.tmp
Token: SeTakeOwnershipPrivilege	2060	ABTech.tmp
Token: SeManageVolumePrivilege	2060	ABTech.tmp
Token: SeRestorePrivilege	2060	ABTech.tmp
Token: SeBackupPrivilege	2060	ABTech.tmp
Token: SeLoadDriverPrivilege	2060	ABTech.tmp
Token: SeSystemEnvironmentPrivilege	2060	ABTech.tmp
Token: SeDebugPrivilege	1892	ABService.exe
Token: SeAuditPrivilege	1892	ABService.exe
Token: SeSecurityPrivilege	1892	ABService.exe
Token: SeTakeOwnershipPrivilege	1892	ABService.exe
Token: SeManageVolumePrivilege	1892	ABService.exe
Token: SeRestorePrivilege	1892	ABService.exe
Token: SeBackupPrivilege	1892	ABService.exe
Token: SeLoadDriverPrivilege	1892	ABService.exe
Token: SeDebugPrivilege	1892	ABService.exe
Token: SeAuditPrivilege	1892	ABService.exe
Token: SeSecurityPrivilege	1892	ABService.exe
Token: SeTakeOwnershipPrivilege	1892	ABService.exe
Token: SeManageVolumePrivilege	1892	ABService.exe
Token: SeRestorePrivilege	1892	ABService.exe
Token: SeBackupPrivilege	1892	ABService.exe
Token: SeLoadDriverPrivilege	1892	ABService.exe
Token: SeDebugPrivilege	1028	ABService.exe
Token: SeAuditPrivilege	1028	ABService.exe
Token: SeSecurityPrivilege	1028	ABService.exe
Token: SeTakeOwnershipPrivilege	1028	ABService.exe
Token: SeManageVolumePrivilege	1028	ABService.exe
Token: SeRestorePrivilege	1028	ABService.exe
Token: SeBackupPrivilege	1028	ABService.exe
Token: SeLoadDriverPrivilege	1028	ABService.exe
Token: SeDebugPrivilege	1028	ABService.exe
Token: SeAuditPrivilege	1028	ABService.exe
Token: SeSecurityPrivilege	1028	ABService.exe
Token: SeTakeOwnershipPrivilege	1028	ABService.exe
Token: SeManageVolumePrivilege	1028	ABService.exe
Token: SeRestorePrivilege	1028	ABService.exe
Token: SeBackupPrivilege	1028	ABService.exe
Token: SeLoadDriverPrivilege	1028	ABService.exe
Token: SeDebugPrivilege	3548	ABService.exe
Token: SeAuditPrivilege	3548	ABService.exe
Token: SeSecurityPrivilege	3548	ABService.exe
Token: SeTakeOwnershipPrivilege	3548	ABService.exe
Token: SeManageVolumePrivilege	3548	ABService.exe
Token: SeRestorePrivilege	3548	ABService.exe
Token: SeBackupPrivilege	3548	ABService.exe
Token: SeLoadDriverPrivilege	3548	ABService.exe
Token: SeDebugPrivilege	3548	ABService.exe
Token: SeAuditPrivilege	3548	ABService.exe
Token: SeSecurityPrivilege	3548	ABService.exe
Token: SeTakeOwnershipPrivilege	3548	ABService.exe
Token: SeManageVolumePrivilege	3548	ABService.exe
Token: SeRestorePrivilege	3548	ABService.exe
Token: SeBackupPrivilege	3548	ABService.exe
Token: SeLoadDriverPrivilege	3548	ABService.exe
Token: SeAssignPrimaryTokenPrivilege	2544	wmic.exe
Token: SeIncreaseQuotaPrivilege	2544	wmic.exe
Token: SeSecurityPrivilege	2544	wmic.exe
Token: SeTakeOwnershipPrivilege	2544	wmic.exe
Token: SeLoadDriverPrivilege	2544	wmic.exe
Token: SeSystemtimePrivilege	2544	wmic.exe
Token: SeBackupPrivilege	2544	wmic.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

ABTech.tmpmsedge.exe

pid	process
2060	ABTech.tmp
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ABTech.exeABTech.tmpLoadDrv.exemsedge.exe

description	pid	process	target process
PID 4484 wrote to memory of 2060	4484	ABTech.exe	ABTech.tmp
PID 4484 wrote to memory of 2060	4484	ABTech.exe	ABTech.tmp
PID 4484 wrote to memory of 2060	4484	ABTech.exe	ABTech.tmp
PID 2060 wrote to memory of 3980	2060	ABTech.tmp	IUHelper.exe
PID 2060 wrote to memory of 3980	2060	ABTech.tmp	IUHelper.exe
PID 2060 wrote to memory of 3980	2060	ABTech.tmp	IUHelper.exe
PID 2060 wrote to memory of 1892	2060	ABTech.tmp	ABService.exe
PID 2060 wrote to memory of 1892	2060	ABTech.tmp	ABService.exe
PID 2060 wrote to memory of 1892	2060	ABTech.tmp	ABService.exe
PID 2060 wrote to memory of 1028	2060	ABTech.tmp	ABService.exe
PID 2060 wrote to memory of 1028	2060	ABTech.tmp	ABService.exe
PID 2060 wrote to memory of 1028	2060	ABTech.tmp	ABService.exe
PID 2060 wrote to memory of 1844	2060	ABTech.tmp	LoadDrv.exe
PID 2060 wrote to memory of 1844	2060	ABTech.tmp	LoadDrv.exe
PID 1844 wrote to memory of 1392	1844	LoadDrv.exe	vsscom.exe
PID 1844 wrote to memory of 1392	1844	LoadDrv.exe	vsscom.exe
PID 2060 wrote to memory of 1852	2060	ABTech.tmp	cmd.exe
PID 2060 wrote to memory of 1852	2060	ABTech.tmp	cmd.exe
PID 2060 wrote to memory of 1852	2060	ABTech.tmp	cmd.exe
PID 2060 wrote to memory of 2340	2060	ABTech.tmp	msedge.exe
PID 2060 wrote to memory of 2340	2060	ABTech.tmp	msedge.exe
PID 2340 wrote to memory of 4904	2340	msedge.exe	msedge.exe
PID 2340 wrote to memory of 4904	2340	msedge.exe	msedge.exe
PID 2340 wrote to memory of 4168	2340	msedge.exe	msedge.exe
PID 2340 wrote to memory of 4168	2340	msedge.exe	msedge.exe
PID 2340 wrote to memory of 4168	2340	msedge.exe	msedge.exe
PID 2340 wrote to memory of 4168	2340	msedge.exe	msedge.exe
PID 2340 wrote to memory of 4168	2340	msedge.exe	msedge.exe
PID 2340 wrote to memory of 4168	2340	msedge.exe	msedge.exe
PID 2340 wrote to memory of 4168	2340	msedge.exe	msedge.exe
PID 2340 wrote to memory of 4168	2340	msedge.exe	msedge.exe
PID 2340 wrote to memory of 4168	2340	msedge.exe	msedge.exe
PID 2340 wrote to memory of 4168	2340	msedge.exe	msedge.exe
PID 2340 wrote to memory of 4168	2340	msedge.exe	msedge.exe
PID 2340 wrote to memory of 4168	2340	msedge.exe	msedge.exe
PID 2340 wrote to memory of 4168	2340	msedge.exe	msedge.exe
PID 2340 wrote to memory of 4168	2340	msedge.exe	msedge.exe
PID 2340 wrote to memory of 4168	2340	msedge.exe	msedge.exe
PID 2340 wrote to memory of 4168	2340	msedge.exe	msedge.exe
PID 2340 wrote to memory of 4168	2340	msedge.exe	msedge.exe
PID 2340 wrote to memory of 4168	2340	msedge.exe	msedge.exe
PID 2340 wrote to memory of 4168	2340	msedge.exe	msedge.exe
PID 2340 wrote to memory of 4168	2340	msedge.exe	msedge.exe
PID 2340 wrote to memory of 4168	2340	msedge.exe	msedge.exe
PID 2340 wrote to memory of 4168	2340	msedge.exe	msedge.exe
PID 2340 wrote to memory of 4168	2340	msedge.exe	msedge.exe
PID 2340 wrote to memory of 4168	2340	msedge.exe	msedge.exe
PID 2340 wrote to memory of 4168	2340	msedge.exe	msedge.exe
PID 2340 wrote to memory of 4168	2340	msedge.exe	msedge.exe
PID 2340 wrote to memory of 4168	2340	msedge.exe	msedge.exe
PID 2340 wrote to memory of 4168	2340	msedge.exe	msedge.exe
PID 2340 wrote to memory of 4168	2340	msedge.exe	msedge.exe
PID 2340 wrote to memory of 4168	2340	msedge.exe	msedge.exe
PID 2340 wrote to memory of 4168	2340	msedge.exe	msedge.exe
PID 2340 wrote to memory of 4168	2340	msedge.exe	msedge.exe
PID 2340 wrote to memory of 4168	2340	msedge.exe	msedge.exe
PID 2340 wrote to memory of 4168	2340	msedge.exe	msedge.exe
PID 2340 wrote to memory of 4168	2340	msedge.exe	msedge.exe
PID 2340 wrote to memory of 4168	2340	msedge.exe	msedge.exe
PID 2340 wrote to memory of 4168	2340	msedge.exe	msedge.exe
PID 2340 wrote to memory of 4168	2340	msedge.exe	msedge.exe
PID 2340 wrote to memory of 4168	2340	msedge.exe	msedge.exe
PID 2340 wrote to memory of 4168	2340	msedge.exe	msedge.exe
PID 2340 wrote to memory of 3308	2340	msedge.exe	msedge.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

Processes:

LoadDrv.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	LoadDrv.exe

C:\Users\Admin\AppData\Local\Temp\ABTech.exe
"C:\Users\Admin\AppData\Local\Temp\ABTech.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4484
- C:\Users\Admin\AppData\Local\Temp\is-F12ND.tmp\ABTech.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-F12ND.tmp\ABTech.tmp" /SL5="$C0060,147912410,433664,C:\Users\Admin\AppData\Local\Temp\ABTech.exe"
  2⤵
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2060
- - C:\Users\Admin\AppData\Local\Temp\is-GRO0G.tmp\IUHelper.exe
    "C:\Users\Admin\AppData\Local\Temp\is-GRO0G.tmp\IUHelper.exe" UA-136152959-1 "tech trial/en" "Install/5.5.0/Microsoft Windows 10 Pro 64-bit/AOMEI/nil " "Run Installation"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3980
- - C:\Program Files (x86)\AOMEI Backupper\ABService.exe
    "C:\Program Files (x86)\AOMEI Backupper\ABService.exe" -install
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1892
- - C:\Program Files (x86)\AOMEI Backupper\ABService.exe
    "C:\Program Files (x86)\AOMEI Backupper\ABService.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1028
- - C:\Program Files (x86)\AOMEI Backupper\LoadDrv.exe
    "C:\Program Files (x86)\AOMEI Backupper\LoadDrv.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:1844
  - - C:\Program Files (x86)\AOMEI Backupper\vsscom.exe
      vsscom.exe /regserver
      4⤵
      Executes dropped EXE
      Modifies registry class
      PID:1392
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\SysWOW64\cmd.exe" vsscom.exe /regserver
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1852
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.ubackup.com/help/index.html
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2340
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd8c9646f8,0x7ffd8c964708,0x7ffd8c964718
      4⤵
      PID:4904
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,1152901562847926912,11169166870796053097,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
      4⤵
      PID:4168
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,1152901562847926912,11169166870796053097,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3308
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,1152901562847926912,11169166870796053097,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2800 /prefetch:8
      4⤵
      PID:3820
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1152901562847926912,11169166870796053097,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
      4⤵
      PID:628
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1152901562847926912,11169166870796053097,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
      4⤵
      PID:4964
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1152901562847926912,11169166870796053097,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3876 /prefetch:1
      4⤵
      PID:2616
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1152901562847926912,11169166870796053097,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4184 /prefetch:1
      4⤵
      PID:3232
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1152901562847926912,11169166870796053097,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4692 /prefetch:1
      4⤵
      PID:4420
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,1152901562847926912,11169166870796053097,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3968 /prefetch:8
      4⤵
      PID:1284
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,1152901562847926912,11169166870796053097,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3968 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3164
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2108,1152901562847926912,11169166870796053097,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5632 /prefetch:8
      4⤵
      PID:3212
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1152901562847926912,11169166870796053097,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5648 /prefetch:1
      4⤵
      PID:2636
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1152901562847926912,11169166870796053097,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5664 /prefetch:1
      4⤵
      PID:2060
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1152901562847926912,11169166870796053097,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6112 /prefetch:1
      4⤵
      PID:5276
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1152901562847926912,11169166870796053097,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6092 /prefetch:1
      4⤵
      PID:5284
- - C:\Program Files (x86)\AOMEI Backupper\ValidCheck.exe
    "C:\Program Files (x86)\AOMEI Backupper\ValidCheck.exe" RegTestCode|666
    3⤵
    - Drops file in System32 directory
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4884
- - C:\Users\Admin\AppData\Local\Temp\is-GRO0G.tmp\IUHelper.exe
    "C:\Users\Admin\AppData\Local\Temp\is-GRO0G.tmp\IUHelper.exe" UA-136152959-1 "tech trial/en" "Install/5.5.0/Microsoft Windows 10 Pro 64-bit/AOMEI/nil " "Complete Installation" "1"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5108

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2400

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4796

C:\Program Files (x86)\AOMEI Backupper\ABService.exe
"C:\Program Files (x86)\AOMEI Backupper\ABService.exe"
1⤵
- Adds Run key to start application
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3548
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic cpu get processorid
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2544
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic cpu get processorid
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3884

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3e8 0x470
1⤵
PID:5048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\AOMEI Backupper\ABService.exe

Filesize
853KB

MD5
500313beef0f8d89df937795c6ae2c73

SHA1
2e35ca3a10f39929418689f20379d427055ab9d8

SHA256
8c7d26903f2d7917d432a50e44dc469e5a5095fd495495bff25ed1d0036bb8ed

SHA512
c15072ca6c50664243f907731278cd292b5963cdbe22ed8b5bfa59fa01f19c211bdb24f1e88e32c388b7a20ce410dad6a57c21e82ef8f58391d4f5b433c78a4e

Download Submit
C:\Program Files (x86)\AOMEI Backupper\AOMEI Image Deploy\Microsoft.VC80.CRT.manifest

Filesize
1KB

MD5
541423a06efdcd4e4554c719061f82cf

SHA1
2e12c6df7352c3ed3c61a45baf68eace1cc9546e

SHA256
17ad1a64ba1c382abf89341b40950f9b31f95015c6b0d3e25925bfebc1b53eb5

SHA512
11cf735dcddba72babb9de8f59e0c180a9fec8268cbfca09d17d8535f1b92c17bf32acda86499e420cbe7763a96d6067feb67fa1ed745067ab326fd5b84188c6

Download Submit
C:\Program Files (x86)\AOMEI Backupper\AOMEI Image Deploy\Microsoft.VC80.MFC.manifest

Filesize
2KB

MD5
97b859f11538bbe20f17dfb9c0979a1c

SHA1
2593ad721d7be3821fd0b40611a467db97be8547

SHA256
4ed3ba814de7fd08b4e4c6143d144e603536c343602e1071803b86e58391be36

SHA512
905c7879df47559ad271dc052ef8ae38555eac49e8ac516bc011624bf9a622eb10ee5c6a06fbd3e5c0fa956a0d38f03f6808c1c58ee57813818fe8b8319a3541

Download Submit
C:\Program Files (x86)\AOMEI Backupper\AOMEI Image Deploy\Microsoft.VC80.OpenMP.manifest

Filesize
468B

MD5
d1240d97b0e1f80d82ad12782dfe8ebe

SHA1
59601898276ff76b40c97d493d4b9ca2de6fccac

SHA256
be8327c8d71b61893d455130c2b5a8635e451a7d95bbfaf29432b3844a7ac109

SHA512
6c64a46715949c36e26045fcf12dc468c6d39782eb0165f966d251dfff40af2b065283b8f9391dddc66c98a5c3db7b92844e784355d73e1adbad1f37abf384de

Download Submit
C:\Program Files (x86)\AOMEI Backupper\AOMEI Image Deploy\Microsoft.VC90.CRT.manifest

Filesize
1KB

MD5
ef6a2dfbd914169a3209137ab7b97e05

SHA1
18962d50dfecdf4486b326e3fbe427ee9715f440

SHA256
382115a60ec7e48894e1c3ba311ec31636443350e11184ce8bf88b738588ce52

SHA512
7d744e58499644cb1fac3a62534d2b242d9101fc8e63191bc0722cd41fd09d4cfb2c8bfed132f25cdd070ec160aee021b0d21047e4ddd6fe70b1c43a848ee7e6

Download Submit
C:\Program Files (x86)\AOMEI Backupper\AOMEI Image Deploy\QtCore4.dll

Filesize
2.3MB

MD5
4013a6cd307941166c90d066776c80f3

SHA1
93bd3b9219478fc4327b217a2af6d2751b7ec446

SHA256
506a47936355afd33f6a5e72d4dcb2301343845ee5f997c7931a804c6cefa247

SHA512
1d290f5789eb86ea8f08857692e789f3b2abc0ba78b12688454080fcb6434b708bff7ec41d5c3304592ac780a3db10dd44137d6b0118bebada35348440f271fb

Download Submit
C:\Program Files (x86)\AOMEI Backupper\AOMEI Image Deploy\QtGui4.dll

Filesize
8.2MB

MD5
8cdccfedbad642f41cd3deec259dae0f

SHA1
cfc0f1a74497f6fe225e596ecf954890c258c2da

SHA256
6d4b6497f776180e4950e05617dac622ef9d71402856b8b192c4e7205fc11bf2

SHA512
c933e88067b8bb26a17c05958bee913f5b1d07eccd7dd62855c46bcb4bad3cfd6407795f4afa62a06a4a44dc0dfcd3c4ff55422cb794cbed130ec877b4bf970b

Download Submit
C:\Program Files (x86)\AOMEI Backupper\AOMEI Image Deploy\QtNetwork4.dll

Filesize
808KB

MD5
e04e388f4e01c5b8540f3e09642dad08

SHA1
275d4a24f1cb495fc07100d0f7a531f3ff28d8c3

SHA256
db3cd30ab374ec584cad523145ffe7cf02da02dc57115133b852f21d5920c7c8

SHA512
10b8cfbca49c7d631760f1452f1322b49ba4fd85bd841a15a9446453a84ba6a6dca7a5803990a567e16bee6b8abc73629192d3564ee6d96905d7efccd2a85901

Download Submit
C:\Program Files (x86)\AOMEI Backupper\AOMEI Image Deploy\QtWebKit4.dll

Filesize
11.2MB

MD5
23dbd23bb306be139f49f0a935b83c79

SHA1
ce1158a1328356d0084067928f9c70c6aea821c1

SHA256
b867bc932427f83f342858dc988c8beac653646a93e95dab7cbfc17058a0b485

SHA512
fb442e39b84b42772a0193873c720a2dfb5ac05c6294e4e92f9f60c74edf5ad5a3a87c746b465bfb72319bae1385fc8684dca9dab0bbe2ac84c4998f907549aa

Download Submit
C:\Program Files (x86)\AOMEI Backupper\AOMEI Image Deploy\QtXml4.dll

Filesize
363KB

MD5
f620b2089576c077bfed4f31ef75a009

SHA1
bac53746cbe59bd5eeaa12950f479d8adefdd5ac

SHA256
d04d88aaaa4e5aaa1c1d03335b71b27b6b486eda67d133e66251df899593bd17

SHA512
a33662eb89817f91ea5e2394673af2f85d6ad9e03785ede5918b356742281ab38d17d4e298508e4d67985c2ea95dab1059724e01ec762789a0d94259e30b2b2a

Download Submit
C:\Program Files (x86)\AOMEI Backupper\AOMEI Image Deploy\Winpe64\Microsoft.VC80.CRT.manifest

Filesize
1KB

MD5
a72dde00d763aeef1eb04534f8672967

SHA1
a5ee1c878a5e7aa10890b48aca5a1d2a49ccea19

SHA256
bc6ba66a1e93c8fae1c36a29a8e3b2500f3ee1950a99214f219f6d11058cf55c

SHA512
4f3f3be1c4ded7f930474b16367191b947fcdec55bab23b80049a8e892bac6eb7fcb5cafa3289175139aaffabbd3c8592927515f92e5dc4681d2ff18911c0fd6

Download Submit
C:\Program Files (x86)\AOMEI Backupper\AOMEI Image Deploy\Winpe64\Microsoft.VC80.MFC.manifest

Filesize
2KB

MD5
7dc52d085a05db8a72fed96bb342412b

SHA1
3063e9f5228279586e2d3f6bb9a098d35a0cf8d7

SHA256
593a736c99d0feb70690528d5c005395719e3b6b2e66c1f93803cb094083e1a3

SHA512
f527a133656d21d12853b95aa2340f78bccab46fbdacef97c86e1b89e911b2ea22894b830f65bb4bd5641132323a994c0259c232d1dcc4887e74d9ca252b5ccf

Download Submit
C:\Program Files (x86)\AOMEI Backupper\AOMEI Image Deploy\Winpe64\Microsoft.VC80.OpenMP.manifest

Filesize
470B

MD5
256f5eb3b875c971aaf9b722f47c4eb0

SHA1
d2c70c02b18f9ef30e30315bc2a0033c62d74b12

SHA256
25b0b65eac9af5c2035b4a819a6749f408b6b7f6fd10a1c74a97f91c88c300b6

SHA512
5ef1165a38a692f389587b7b23e44fac2ffe6ce51c6d3a2b4f01ac1e55278a5565e5f67f3cba0a737035008182def597b764bab901ca2fea6c668652e7ddb687

Download Submit
C:\Program Files (x86)\AOMEI Backupper\AOMEI Image Deploy\Winpe64\Microsoft.VC90.CRT.manifest

Filesize
526B

MD5
e194d0211efacefe4b45a1fff7b0ee68

SHA1
df29e3e3bd04779616fd3e84734d8a329e44dd20

SHA256
58fc4416331672c7b7a413ce071c01ddfdf91ed1c0604ce014250b38dfc78787

SHA512
c4310c1cab0db0e0f5aed4cbcbf1d7643d3b4be2df6a753f520f741aa73f50ced3b7681bd8c59f971f1c5ff5e240287da65c47043526402c74bbf1b167cc665e

Download Submit
C:\Program Files (x86)\AOMEI Backupper\AOMEI Image Deploy\Winpe64\QtCore4.dll

Filesize
2.8MB

MD5
04581d1b408815c6cf0a559483f78c13

SHA1
af8fe123b1579f98da5c15442c37b64e1482f046

SHA256
a74f12a888c87ee5e4ba70a397c258af5439f9065d52ee4c9094d5a525af467d

SHA512
e64c255ab2d49e5ac0234cc056d0c26043cb697bf26e69186f7c6ba9140fe49e626a75a55a1fb638a081d891fcdad600b4238147c895b1ca71e460625e373f07

Download Submit
C:\Program Files (x86)\AOMEI Backupper\AOMEI Image Deploy\Winpe64\QtGui4.dll

Filesize
10.1MB

MD5
37ec57e0e847ac88119c7152827fdf53

SHA1
696f6dc6adf8c4e0a5158bb5da8b8ef299e6184c

SHA256
92848cfa67b549742129511416e6aee323b301472af10ae9ed014865c2b83523

SHA512
987278133325d9a1ebb4903ece41930604bac0b72add170d0eef3e00580f379c9c207fb0df5a211e2af6123c1df18d872eb11aa34a6b477608687f508b5ceb5c

Download Submit
C:\Program Files (x86)\AOMEI Backupper\AOMEI Image Deploy\Winpe64\QtNetwork4.dll

Filesize
1.2MB

MD5
3635adf8c0d82619baa264976c3a0d77

SHA1
76d99f62fc0798c504512c26f836f2f48afaae6a

SHA256
3641e2be3d94a7ca98f56dfcb2f88a25338a0ae7ca690b084862fa9bc7de002d

SHA512
7c5c3dff804c9bbe298138ea742ce06a81b3c9e7d3946df27ba6b3111affa48ca0694d7be65a3877cee3c92aa80bff3f2c50001c3bd1f484f96694f28243bfef

Download Submit
C:\Program Files (x86)\AOMEI Backupper\AOMEI Image Deploy\Winpe64\QtWebKit4.dll

Filesize
14.0MB

MD5
3e4f52ef59d49f77b2ce0002ce96bead

SHA1
f98bed2fa11ba8e461a5c33759e30d583d036e25

SHA256
637efbc64d9b28f2447535cc662bd3c7e54e4e5cc20650ec7e6beccb6e9d5ec4

SHA512
2a6e7c34632837b04cdfd9289d72a56a2235061afa65068b8dc2ae5097ca3f7801543eaaf10a4966830800227483a58ebaf91756b9ec6c7bd1c314acd5aac013

Download Submit
C:\Program Files (x86)\AOMEI Backupper\AOMEI Image Deploy\Winpe64\QtXml4.dll

Filesize
447KB

MD5
89608ef0dce110795f1b4e7607571f0c

SHA1
b6b360c375132e2a4d9aa57cc71114bef36c99f1

SHA256
171d0b9525e26ed9a113e4280fefb492f10959d2e25575878ff369d76857076c

SHA512
4d0b379d678f66ca2597f824eeff86890c2e020f702073f3ac02485d72bd733c8ce97cbd9d34aaa96ffc91312511b6281071ddafcd7f105d77f253b688fc673d

Download Submit
C:\Program Files (x86)\AOMEI Backupper\AOMEI Image Deploy\Winpe64\mfc80.dll

Filesize
1.6MB

MD5
9173f70af60c0a864eecdfb3342dc789

SHA1
75c12a5b4b28f4b7b52698ea7d8c12b5010d1cef

SHA256
c52fef7cc96a573d35ade1af0067ec4f0bd01291289eaffe814a5c257d22ebf8

SHA512
04aa6cc6eda2d8045ac28d22dbe945015250693e36e70eba045bfce33a9f4f651a48952db87a7ef53820b6a213017cab935f57febddc9d146bf723b04ac8852d

Download Submit
C:\Program Files (x86)\AOMEI Backupper\AOMEI Image Deploy\Winpe64\mfc80u.dll

Filesize
1.6MB

MD5
21ee912784a013dc44071ecc4f932388

SHA1
ff65af878c56c1a8770c42fa0d9b4ee0410c6cee

SHA256
a52418bbb36e76beb042b2ee1201057b4740232c619fa477bd6922f69677fc18

SHA512
273344d530c38c993d5798face90c0c590311f6f2fea30355d16047fc4b34916785cd79a7dbec8afe192daf14724a4cbea9d966d23c27034fe253c71ffe6d3a6

Download Submit
C:\Program Files (x86)\AOMEI Backupper\AOMEI Image Deploy\Winpe64\mfcm80.dll

Filesize
64KB

MD5
4ff468c640debc678d6e57617d523806

SHA1
70686bfdb9234ccf86254a73be0c2fc4e2d08ca3

SHA256
8e23719b6790c27e69bcdbf6f9809fd8a1d0d03a1a9d5c08bcbb21f15baf0d36

SHA512
5e2a5eb60cbfdce56f90aa760f4feff7c63a14767c7ed5142007d7d68d83c87d62aaf022fbaf68b20b13dbd94789835794b50814693d962970dc9536ee4ee0bd

Download Submit
C:\Program Files (x86)\AOMEI Backupper\AOMEI Image Deploy\Winpe64\mfcm80u.dll

Filesize
62KB

MD5
47acd0aea4a32ef2b446b01076c62d28

SHA1
9c5f30a97c941724cb25a483476825bc0c79dcd7

SHA256
21090da489ab5c21860c95cd581528921a1a8e38852606601afdc6a322ce0222

SHA512
15d6560030c09c72ec08f371750a8e971ab3d8fe04e5ac120a4a214b52f87d660b45d1a2db86f77f674802b7eb63ec8343ea40d14c8254bb0b4710f04630d7de

Download Submit
C:\Program Files (x86)\AOMEI Backupper\AOMEI Image Deploy\Winpe64\msvcm80.dll

Filesize
504KB

MD5
60a6de55aa50d57a01b7148b0a7ea139

SHA1
da30628428724cd281151a60a361b27617b26508

SHA256
2fa2a2a4a0511493c5a360e66c7d62f0ea5891925636eac61cd9db09dbed5637

SHA512
376758a45744d2d3b9ef2d81387cffc1abc44753a1299550b1ccee47cbecf137c897510eb361693e518aac3348424ccb3cac3493d938a503a767eef96f5a3cc0

Download Submit
C:\Program Files (x86)\AOMEI Backupper\AOMEI Image Deploy\Winpe64\msvcm90.dll

Filesize
239KB

MD5
aa6698ec95f726f6931f701047426bc3

SHA1
00cd963ec834cc13d94b67a4f1872716486b010a

SHA256
450dbcf05db9e23c4cf96707d729a61fcde8b80690f7e9a3685652eff30161a3

SHA512
74a2ef668c8a45be3352114332ab46a4281995602efb84505a686fde1ab7b0d653e83365ae9fbf6179d4cc358d92c37cb0a5bcdbd7442ae794a481a53f596aa1

Download Submit
C:\Program Files (x86)\AOMEI Backupper\AOMEI Image Deploy\Winpe64\msvcp80.dll

Filesize
1.0MB

MD5
c332db81197e6e5d4a67d3789dbeb02a

SHA1
d691130e4808910ed5ca0640150b9badc8124243

SHA256
d3ed3fef0f3fd9d547d7ef60d5f532d6aab5bd45966abcb24bdf61dec60c813e

SHA512
660462070a3a4d4dff52e1d20c22dff1c6caab48f0d039a43e7f322099068ff0eb80dfc6dbb9bea7a2923e8986b36fbe6048ee147ae44be8696d6d93214cc6b9

Download Submit
C:\Program Files (x86)\AOMEI Backupper\AOMEI Image Deploy\Winpe64\msvcp90.dll

Filesize
831KB

MD5
f7cd95a47f9c2291db184c6c4ad7e120

SHA1
67cba6f7fe2dd19b2640a7217cd968177bf100aa

SHA256
10859f06f41144fa32cf5da223511f85fe349b1d76471ef65f0395dac606ef63

SHA512
c96e17345d5b893a56d1004227e37a6906ae6da53e7cb33679e00bb807c28f4016dd6f91a2c038fe843fea56d08a55cf54ec3ea54b3a77f6ea0a08979ab7c965

Download Submit
C:\Program Files (x86)\AOMEI Backupper\AOMEI Image Deploy\Winpe64\msvcr80.dll

Filesize
778KB

MD5
4d89f6191db56cfa659388378f3dd688

SHA1
c5f28857b4d3a9d182b9c25f3d599bb84ccb8acb

SHA256
2219e15b66aba301909128e6775e0b4f8b28b529b3ec087161edae55e2676c65

SHA512
7a6b735bb80154e913e2d95e9e475cdfdec84cca410f4c05175aa7cc6d84adcb1726072f4b7b69acb88f9178ae67b9bf0c28d341a9a1dae3d32b4a36762eeb53

Download Submit
C:\Program Files (x86)\AOMEI Backupper\AOMEI Image Deploy\Winpe64\msvcr90.dll

Filesize
612KB

MD5
23b134891c08c7f04c1747f6bcec06ea

SHA1
26a77ccf0e62faa436255e47a0c3c8a818733193

SHA256
e11ce4b90db815359b2d76f95f623fc26924c5a254f0540224fa6feb623817e5

SHA512
30c89f058b3b9ddd39ed7a3e3c470c2df08940dbc3ea0cf72cf271fa76ee19d956ee503a3fa2839458fbd2a61658ff3aa7f8326e6eccae9c11ac78b4c2b84c14

Download Submit
C:\Program Files (x86)\AOMEI Backupper\AOMEI Image Deploy\Winpe64\vcomp.dll

Filesize
88KB

MD5
9b090ec2b64ff2eba794a57ef208e796

SHA1
3d7de4c1397e12eadd3f85ad18b828efd5d4f782

SHA256
a4929d3b64ccb12e30d7ce7b86529f8ace632bcaeee9c50425198a35eda69465

SHA512
e4a177783dc50b52d24cef00c4d8698cb7b7d66b1fe01640f1a11eeda28c2fdc25c3703406e2287b6720991ad660f88c8e1e8e546caf8a4e791bf61f8cdf9d1c

Download Submit
C:\Program Files (x86)\AOMEI Backupper\AOMEI Image Deploy\driver\amd64\is-35MH0.tmp

Filesize
49KB

MD5
d03124a92936b3b1d38ac31d9b5582f8

SHA1
23f8b3ca1501bc6b5436ccf4959d5078977062aa

SHA256
f47146dbcba9cca89425405cf8cf2894bd4fee5b9e650bfa9be1e19b6405188a

SHA512
2aea20d82142ca641401679919960e64c86441fa12acaad7f261089c967af6254fae20262fa851f3efd655b68281b00f742d3d58319859b90e51d479e56b6732

Download Submit
C:\Program Files (x86)\AOMEI Backupper\AOMEI Image Deploy\driver\amd64\is-G1U75.tmp

Filesize
167KB

MD5
98b78382c46541f2ffbffb4cb3c709a2

SHA1
4a9e2b057e1e7c8f04b74b47311e53a35962ca2e

SHA256
ad9b8baa2c129154419f780d76d3948e334e7bfbc0a1b521c18dbe57b089b445

SHA512
a4bebd3a980a5f37bae5fd758edd6e68fddf2ada3328a418aad1bf393b69b8670b8042bd810d0b10b9ea6d805eb15b943cf0401de0c7eccc84efca8ed6951654

Download Submit
C:\Program Files (x86)\AOMEI Backupper\AOMEI Image Deploy\driver\amd64\is-LV778.tmp

Filesize
37KB

MD5
301167e69bde24ce24fb53376c422b3b

SHA1
5540fefaf9bc05dc882afe1711abcd95c453151c

SHA256
b244d86866db7e79609a161dc6d3a5c04bf3a806c670d5d3024fe50dffc0c2ce

SHA512
7e65eaff265fa4fac394696ca208170bdba80959935501f0a9cdd41bc16ea2dfbd77542f8e3a2f62f2ffe00f5df0712f1629d9e2a3de1d3545a4bcd599cb7ae4

Download Submit
C:\Program Files (x86)\AOMEI Backupper\AOMEI Image Deploy\mfc80.dll

Filesize
1.1MB

MD5
1b7524806d0270b81360c63a2fa047cb

SHA1
d688d77f0caa897e6ec2ed2c789e77b48304701f

SHA256
ceef5aa7f9e6504bce15b72b29dbee6430370baa6a52f82cf4f2857568d11709

SHA512
b34539fbda2a2162efa2f6bb5a513d1bb002073fa63b3ff85aa3ade84a6b275e396893df5ab3a0a215cade1f068e2a0a1bbd8895595e31d5a0708b65acec8c73

Download Submit
C:\Program Files (x86)\AOMEI Backupper\AOMEI Image Deploy\mfc80u.dll

Filesize
1.0MB

MD5
ccc2e312486ae6b80970211da472268b

SHA1
025b52ff11627760f7006510e9a521b554230fee

SHA256
18be5d3c656236b7e3cd6d619d62496fe3e7f66bf2859e460f8ac3d1a6bdaa9a

SHA512
d6892abb1a85b9cf0fc6abe1c3aca6c46fc47541dffc2b75f311e8d2c9c1d367f265599456bd77be0e2b6d20c6c22ff5f0c46e7d9ba22c847ad1cbedc8ca3eff

Download Submit
C:\Program Files (x86)\AOMEI Backupper\AOMEI Image Deploy\mfcm80.dll

Filesize
68KB

MD5
c84e4ece0d210489738b2f0adb2723e8

SHA1
63c1fa652f7f5bd1fccbe3618163b119a79a391c

SHA256
ed1dcdd98dac80716b2246d7760f0608c59e566424ac1a562090a3342c22b0a7

SHA512
3ee1da854e7d615fa4072140e823a3451df5d8bebf8064cc9a399dec1fb35588f2a17c0620389441ca9edd1944c9649002fe4e897c743fe8069b79a5aa079fe2

Download Submit
C:\Program Files (x86)\AOMEI Backupper\AOMEI Image Deploy\mfcm80u.dll

Filesize
56KB

MD5
ddad68e160c58d22b49ff039bb9b6751

SHA1
c6c3b3af37f202025ee3b9cc477611c6c5fb47c2

SHA256
f3a65bfc7fce2d93fdf57cf88f083f690bc84b9a7706699d4098d18f79f87aaa

SHA512
47665672627e34ad9ea3fd21814697d083eeeafc873407e07b9697c8ab3c18743d9fcb76e0a08a57652ea5fb4396d891e82c7fde2146fc8b636d202e68843cf4

Download Submit
C:\Program Files (x86)\AOMEI Backupper\AOMEI Image Deploy\msbios\FONTS\is-6NSAK.tmp

Filesize
2.3MB

MD5
ff8a5a6cff6938bda0cc5be7eb5a5a21

SHA1
01d0005feb7da50a93a324ad72ac725ceca3fbab

SHA256
eca256d8c52f00120b809c1106ffc243ec8f847d8e6dae63049445efbd8a41db

SHA512
54b1835d6a8712448b8a66e95aa8f358c5daaeabe00dd4032228bb0b0e9569e5d3371de361eb50fdd1b101a69fde21f7b1988629c91ce1f6300f0513e1dfed57

Download Submit
C:\Program Files (x86)\AOMEI Backupper\AOMEI Image Deploy\msvcm80.dll

Filesize
468KB

MD5
cae6861b19a2a7e5d42fefc4dfdf5ccf

SHA1
609b81fbd3acda8c56e2663eda80bfafc9480991

SHA256
c4c8c2d251b90d77d1ac75cbd39c3f0b18fc170d5a95d1c13a0266f7260b479d

SHA512
c01d27f5a295b684c44105fcb62fb5f540a69d70a653ac9d14f2e5ef01295ef1df136ae936273101739eb32eff35185098a15f11d6c3293bbdcd9fcb98cb00a9

Download Submit
C:\Program Files (x86)\AOMEI Backupper\AOMEI Image Deploy\msvcm90.dll

Filesize
220KB

MD5
7b37f8ec25c9ad853e8126c1d0992201

SHA1
fd87d19fb51010dcdd31ea0c1f14e075132239b0

SHA256
866f51d4416b6a0bfbe8442cc8c1716152e4c3ee3137c375d05185e8171096a7

SHA512
5d3455fdd261c689bc77fd603c09f5272c04a3438449dce7adf816b69686fea03abc2139404be4b21aa62247a479a6968be976b88fd7eb301ee923b92bcf02c8

Download Submit
C:\Program Files (x86)\AOMEI Backupper\AOMEI Image Deploy\msvcp80.dll

Filesize
536KB

MD5
4c8a880eabc0b4d462cc4b2472116ea1

SHA1
d0a27f553c0fe0e507c7df079485b601d5b592e6

SHA256
2026f3c4f830dff6883b88e2647272a52a132f25eb42c0d423e36b3f65a94d08

SHA512
6a6cce8c232f46dab9b02d29be5e0675cc1e968e9c2d64d0abc008d20c0a7baeb103a5b1d9b348fa1c4b3af9797dbcb6e168b14b545fb15c2ccd926c3098c31c

Download Submit
C:\Program Files (x86)\AOMEI Backupper\AOMEI Image Deploy\msvcp90.dll

Filesize
559KB

MD5
871f979d70414c900b35e56222932daf

SHA1
dd683e4ad54cab6ba1c7b3ce9c0925db0e1d0e66

SHA256
91fd46d7335c9990a20f215b9f6f53bc59551420a9c99ad8110ae2f9ff7598f0

SHA512
87e1e585a8a5ffc1bbe87d58e4d8de2831d1589526143ca0cf7fb919b4842c81e50b656cb6a44975d707753063171801cb538d6755a573f8a91cc8be996f7fc0

Download Submit
C:\Program Files (x86)\AOMEI Backupper\AOMEI Image Deploy\msvcr80.dll

Filesize
612KB

MD5
e4fece18310e23b1d8fee993e35e7a6f

SHA1
9fd3a7f0522d36c2bf0e64fc510c6eea3603b564

SHA256
02bdde38e4c6bd795a092d496b8d6060cdbe71e22ef4d7a204e3050c1be44fa9

SHA512
2fb5f8d63a39ba5e93505df3a643d14e286fe34b11984cbed4b88e8a07517c03efb3a7bf9d61cf1ec73b0a20d83f9e6068e61950a61d649b8d36082bb034ddfc

Download Submit
C:\Program Files (x86)\AOMEI Backupper\AOMEI Image Deploy\msvcr90.dll

Filesize
640KB

MD5
4d03ca609e68f4c90cf66515218017f8

SHA1
545e440940073d5ec49d47fefd421730f8b33efb

SHA256
cf420aced0d810e1d75f6811dd986f2d9fded2fbb8d61fc9a7024520c475febb

SHA512
1b52d09f94bd37850d098ae7222e85e16a4f6df14cfdfc28526cd98b81fb009865fa75774ee4feaa2e5d5861bea27759fe4fb979c902f8ea60afa8c3e1f723fe

Download Submit
C:\Program Files (x86)\AOMEI Backupper\AOMEI Image Deploy\netdrv\win7x64\e1d62x64\is-85FA8.tmp

Filesize
35KB

MD5
4aa441f4ad7491bdb2162f87a1da6a3a

SHA1
e48e237e886738de29d03a754cbee9bbfebc91dd

SHA256
56954c185a7d8ccd391c08fa998b59b13765688cd53bbcfc56e4fe2079b5e4bb

SHA512
0853115d14ab683c7e0c49cf3ac2e57ac64a36c7387c6dc777c17f8cfd03186244f0b8ee4a71afaf6f514f696096e0a6c5f413c0fc079f44829cd46adb78b23a

Download Submit
C:\Program Files (x86)\AOMEI Backupper\AOMEI Image Deploy\netdrv\win7x86\e1e6232.inf\is-9HS5A.tmp

Filesize
118KB

MD5
6fa366dade7bfcff6ef1cdc623330954

SHA1
16bb1a57e2b3290f398f7515bbba0eeb581fae0c

SHA256
93a6a7f4f4a47188b64a1206365ee2c282f18b077e34eb413ae2b3900eb605b9

SHA512
8bb37348d5897dafafdb88d727a969b71d2fb90e8f0e7f48c9de198b75dd0081e0f1d282705661ce5b301e6075ac78cf4b4c2c5cb5131221460a40f8db83fa50

Download Submit
C:\Program Files (x86)\AOMEI Backupper\AOMEI Image Deploy\netdrv\win7x86\e1e6232.inf\is-QGQBB.tmp

Filesize
28KB

MD5
4192468fb10d604673bc46ac50afa22f

SHA1
a4d2b9c40a827d5060528908f6c3278092d01601

SHA256
b2dde7a23dba97724b5b0d95666a4ff333909d45a85553a9a30ec0b6f64668a3

SHA512
edb2a095927ba50d53d88c95ff1bb1d562b2f6739742ef549af98e81a619f22a90ac17a0fcf48ce40143ee7aa10da05e50305d0c178eaca50b973f9ae3d2289a

Download Submit
C:\Program Files (x86)\AOMEI Backupper\AOMEI Image Deploy\netdrv\win8x64\e1c63x64\is-3AEAI.tmp

Filesize
71KB

MD5
3a029dd59ad708c7b4fa8aefd78ea803

SHA1
6b26097d6b471009f1c0951bec2a6b6e0bf1aa27

SHA256
ddde0c57f7f1a59b3bacbda2337845f6b7de6405c33ba428a08c71e518436909

SHA512
ad1b6be7ef9cf1c45130cb4277d3391ad160910f51920902276387c30999a566686ffc5fd777648d167608e136464c7a5a2e7cf89a7a83e0ec8851f848d6d504

Download Submit
C:\Program Files (x86)\AOMEI Backupper\AOMEI Image Deploy\netdrv\win8x64\e1d63x64\is-TNRP7.tmp

Filesize
71KB

MD5
253c81f3f95a592fa370607fce65c26e

SHA1
41e4f0697209e5b4d5baa78aead52fc93f2b1e32

SHA256
7ea54fdaf9c4d254f321a083efe08f8c7692d52405b93ba0f74ec34c32019a54

SHA512
11fdb87c19e29cf9cc53107c1266458c10c63024bc8ac07d9e6ca2cd67285a214801411fbd4766fd013859a278ac0e53ac049e9a118464b592fd52265dd1f7dc

Download Submit
C:\Program Files (x86)\AOMEI Backupper\AOMEI Image Deploy\netdrv\win8x64\e1k63x64\is-L5M57.tmp

Filesize
71KB

MD5
c4f70145ad24c32f4ff92c0544cbb0cd

SHA1
35716aa596dc82060240f36e1d28fd7009c8f556

SHA256
52c24e68582d19be9a5761311126cc12687e41e413c02d1e0f271c0dccabe88b

SHA512
4a85f273b42dcdcf81f43b89257f62f7c37a2f47b87f14df8b6c13a1d38c857b0f6cc13efcc6231cbc366ed400b904adab0024bdcb066e70404eaa62e6ec5ae4

Download Submit
C:\Program Files (x86)\AOMEI Backupper\AOMEI Image Deploy\netdrv\win8x64\e1q63x64\is-564T0.tmp

Filesize
71KB

MD5
ca37014c8b2e6a16e808cf95f7be18fb

SHA1
821c41b1bc1310bee4b886eeeaaa1029e7d82a78

SHA256
a46ca0dbc72f710558476ff307d2e5d12ea4385700f556baffa8b9c2ff08c160

SHA512
48651a02246d4f86e9a609f97e086a8ca0ae8503a92c89af4966812a3e611ba86085a0bf306204e1ebf6f54bcff8c666a94d5bf4802ebac0b4448ab20b5357dd

Download Submit
C:\Program Files (x86)\AOMEI Backupper\AOMEI Image Deploy\netdrv\win8x64\e1r63x64\is-GN1OB.tmp

Filesize
71KB

MD5
eef70a57ccab395007452afd0bb66cd8

SHA1
0fe65fa1153d58cd44af9722f622312e4eec8902

SHA256
ba048f1aed98b2a4a230c40805537163d228df5bbc5610264273b370624aa180

SHA512
e4f226ce7ab9ae543bc42e4458baa44d2d29c2e23e5ae3aa8f3dd5338f6bba0f418dd5e2c60e8353de5083997f3268b93aff5028530584c050c7d0ad065708e6

Download Submit
C:\Program Files (x86)\AOMEI Backupper\AOMEI Image Deploy\vcomp.dll

Filesize
67KB

MD5
2a6eecefac79fdc8665d519efec96cb7

SHA1
ce145a99d5a071c469e9b840400880d2513f48bc

SHA256
268edfcad1b3d5531a5821f7c9272027f5f4468a304ae9b55c24769c1d815499

SHA512
595051051228bc15fe63d1d0064a0610c8ee404d822e1e9b57b445d87417008226bad65e9b6f3bb5452e40e1d456256d35d21b3588befb110d108386c482fbbe

Download Submit
C:\Program Files (x86)\AOMEI Backupper\AmCore.dll

Filesize
150B

MD5
9fd7c9c523f2bc97fbaf75f150b5c435

SHA1
642d56438fb2034df8240e29eaedaf49e62a5ded

SHA256
3fc21320384d689cb551184cc89795a6d79a607142052b7ddf0be577a9d90a7f

SHA512
f3f7650bf3bc92922d39405083463909f8ea56041b0aa3f96fce451874b0ad532c10f20cabb13a914127b902cc592349be4a5a22ff77d96429763c62122b4def

Download Submit
C:\Program Files (x86)\AOMEI Backupper\Amnet.dll

Filesize
113KB

MD5
55d6a98aa4303703f9c41b49af6c8fd3

SHA1
15c8f65e3f7e8ac03f199618a78d7cc8ac244eb1

SHA256
6410087448ea09b7d70211d6b7fddb931ca7775194419f57886ea9bdf9bdf0b3

SHA512
c21f3dc5450611fbde18afc7a38d29ab15aaced97ccee1b0cbfdc568b68052ae3cea921e6479e072a6d7c837a14fc4dc34aa9e61ea521c2c4dcfaabde4e8803d

Download Submit
C:\Program Files (x86)\AOMEI Backupper\Backupper.exe

Filesize
14.6MB

MD5
826c1f75380827e07bfcda1d1213e253

SHA1
383cd0421b22c353162e8f62cc8d64a106c69ccf

SHA256
2373230b804a06f3a2872107603e46e038a5672d2fbfee4f0c49282d3b9299b8

SHA512
3747a1f38ed2760dc62bc3ef47f0f60c46fa7467e816a17014f92d7ee128fff59b156e5903f906e0f054250abc1b72e2480e538e50519bf3ed2355925251c8c4

Download Submit
C:\Program Files (x86)\AOMEI Backupper\BrFat.dll

Filesize
285KB

MD5
c27d86de0ff90fcb14d15bcad013f2c7

SHA1
0bf59389dd6d8ddd14811c0377735ffd6f196f1d

SHA256
929ea56e65e49aa8f566433a3ddacd731599370e824416aac963b26b176ead99

SHA512
de9fc10fa2b74380bf199b5136dfa5bae0910a1b4a7c256bb7457654e74d21c4365641b46116e5bf87ec730b233d6b62a0871f49dea86e42bcb29fd06e681edb

Download Submit
C:\Program Files (x86)\AOMEI Backupper\BrLog.dll

Filesize
109KB

MD5
5184c153e51ebeb82c0567f7019c3c75

SHA1
a8562a708346f20241d32790a1b8fdc00a833fec

SHA256
273a03e8f07b903d6c0c5813ef7c9cdbd6c94edda7f8edc6f8630ddc3fb1a860

SHA512
e735284e8b2426ad09dd4ad33e9d0c8b69cf23c3d3a12fdbacefc30b03e9d8a83986df2286cae6e3399dbe5b9d15954bb9c1da32aaabc0d43c33b4e2a5b54f01

Download Submit
C:\Program Files (x86)\AOMEI Backupper\Comn.dll

Filesize
329KB

MD5
c3d6ecdf60f4d3d6fe13847694461ef9

SHA1
b633942aa75227709fcb21fcced9194599bcc8bc

SHA256
e7a1cb9887e7b0732381a1e7596640f758d627b1a9ed6d355d585ea0abe5d386

SHA512
ef53f469f0e4dda9144cabeed845b3c2cae28bd5cf79c0edb898174bfe88c8a05e458bde664fd26b64586017b38e4c191990d9f21b642d99159af9a409401753

Download Submit
C:\Program Files (x86)\AOMEI Backupper\Compress.dll

Filesize
77KB

MD5
6b755327accd2d59f8a2e4d3a0711086

SHA1
4f238348a9655d055c4230fc2b150dee9fc8db7d

SHA256
d0e2d182bc107e87298e543a958baa52f06ad59edfbcb69810fd5ccba37b6d78

SHA512
73818f6c8f34a72bbdcaa03abc132754eaeca8197ce9d57f6584160e9fc1595e1b6edc0ccc42ee113ee6d9b4e29150efcdcdf124369be7a7cd409579f9818498

Download Submit
C:\Program Files (x86)\AOMEI Backupper\Device.dll

Filesize
69KB

MD5
a81631037c91d39295fe2fca129ec3e6

SHA1
cfcc38ef7bbb4c2cf5280ffee71fe74540bce3c2

SHA256
3f43c7f96c65ecd624c8b2e4c2fbea9591f15bbb78363a1789661ba3068257d9

SHA512
3b3d1fd5907e4879af9b0b9982b2fc07dd3b3659b09ffcf191a50bdd5e9c3c60fcb4557b3d18d101cb1887fd5af5f83bc69da78ed1ffa6bb65bcd00ff5180e9d

Download Submit
C:\Program Files (x86)\AOMEI Backupper\DiskMgr.dll

Filesize
257KB

MD5
f6a7be669b9ba451bf5cc9b77d3ef531

SHA1
9749a110d667b21cf68eff44b7d4b8fd06b004ef

SHA256
feb0c2d1415aeb8e442a964278c1d6b0d1899eb3a91d45090442d09ff414123c

SHA512
aa5cb2f9f467b2cc855ba0d0db9a21ccd2761e16cccf0db4581a1b667bca57636e0ff9a799aac621ea84d0b578e92c45191f9d7de210eefd5bebe99738f34494

Download Submit
C:\Program Files (x86)\AOMEI Backupper\Encrypt.dll

Filesize
37KB

MD5
d782895fb1050fe907d44766d532b57b

SHA1
8e8d3f87c199f5733be320caef1f2779937d5e4e

SHA256
0497ffec8474a6b5166b0cba458bf4f3188ee9a8941e225b9909cd616c7f33c4

SHA512
93cdff95cce744bf7b5c5c31e368ae206e0d222b967dbdedf7d9ff9e6c37067d2fc6f7ebd5f98d995c8cc94246e60cc68bf98d59870d13b8ecf5b4782a642a60

Download Submit
C:\Program Files (x86)\AOMEI Backupper\EnumFolder.dll

Filesize
485KB

MD5
cac125e3cc71ccf1016260db2afda299

SHA1
b8c4b9e85a23a8a329da0c35c146a01ce2068956

SHA256
01aad49fce382c31d4420fb8e9cee9b226743e96d1be724942548f12006ae437

SHA512
f27a21459b1c03ff38428024b3b550f8a99dcd66036e95adee0cc42ebe16c0126a331e9bca634d0d31c6c8283dcc84cf2806e7f9ad95e9a01543d9824b90895a

Download Submit
C:\Program Files (x86)\AOMEI Backupper\FuncLogic.dll

Filesize
133KB

MD5
d176a87f77a9bc03eea69fd2cb653044

SHA1
3832ae0334c8874910ca38e1126b08ac62fbb430

SHA256
06e94ec3712fb5e4114824d918d792348dedce909af428e5b4685ff59061fe6f

SHA512
9937061fa740f55d1a7191cd9acac43d05aaaa67067ff951ebe9d377fa4f1141581bf0b8112c38a08420191ba26bd782874e86b3e9b014c520383b1690972bf6

Download Submit
C:\Program Files (x86)\AOMEI Backupper\Image\is-DTP5C.tmp

Filesize
86B

MD5
23d09962070f873e33464283ed89a56f

SHA1
cd8997c14fd2ffc4b8e78e6e7fb1e3d9b80f2993

SHA256
2542d5680f4ba3ee60b62d15c61ea44013633daf11ad66e439fdf8002dbb6518

SHA512
cde3d41371c01f7ce26580c8a6c7feb2b7a65ed6be1e61c81102596b43ec15d2e9cd30d43297409ea20480a845ac4619a5c436a92514d919befbfebceb43bdcb

Download Submit
C:\Program Files (x86)\AOMEI Backupper\Image\is-KODBN.tmp

Filesize
290KB

MD5
bb07b36c1c7af0863f57e30f2897f1c8

SHA1
2ccb842184398559bd36aa9dbdbb54058a4ba6e2

SHA256
95dd19f791d003ca38dda755ad396334172338a8718f235dd7d660fee1e596d6

SHA512
701fa3a20f2cbd001d45dbed7901de06550e1ce943d5f44c0ee55efc1fb2845935c4770501e434b55728067119b3b322b83a76841f52bce755659f2a1d3487fa

Download Submit
C:\Program Files (x86)\AOMEI Backupper\Image\is-NRL6D.tmp

Filesize
1KB

MD5
76a8c7c31b33d4175c6804613b4bb5aa

SHA1
e6f3614d72a0ba1a987c83f6d796cdfe11dfa961

SHA256
710f9d92e632f685fedc72d411b586d8a557359f21351badc9aba4601edb1b0e

SHA512
81741c6974d6fc908b76356c9a62fa242cf7a11b33e141eda8cb17f2cc302d2a6467d6e2ac811588b9b0a90e4ee49ea2b8ac7e29e783473d4d80c0786ba62997

Download Submit
C:\Program Files (x86)\AOMEI Backupper\Image\is-O99AP.tmp

Filesize
149KB

MD5
318aeac852e49cadc72be9cf7e908c0b

SHA1
bc5cc9c449e662d77e90bf6df57e3818e9ed34d2

SHA256
c8b129578221dffb9a1355285e845e389d3a38b1e0e4561aa744f24c6c324566

SHA512
19b786c322d0f071419ea2554ff3036ac5e929d846e7baed8e5bf80ece6b5b65bfca96a53a14136ad2442dbd015cd02f797862ec1658a64aadbfc3a7417cbfd2

Download Submit
C:\Program Files (x86)\AOMEI Backupper\Image\is-SQ3UJ.tmp

Filesize
1KB

MD5
151db542e18783801896517e5c11148e

SHA1
1631105625b1a39dca0ce71304a5abb3bd1aa2e5

SHA256
8aa479a05c5254d5b747a90f1019bccbfc0c843256e614fd6965ac3bbd4ec4ed

SHA512
4170b6c23cd976a0b6716cafd61cda2043f8873abb4da1d1a94b1bab9419d6c9bc70e9ef147dd127153c67150397ba1e7d0cb8d58a830d1004eb9bb7f188a2ce

Download Submit
C:\Program Files (x86)\AOMEI Backupper\Image\is-UUEK2.tmp

Filesize
86B

MD5
de0cf41ade8c4a8dcdd64096913ffcfd

SHA1
8886d9104d846e3e7b4975c21af358a275dbba56

SHA256
e67eacbc98ff6cd7735a1ae493031611bb9f9d7c14434cf4032b1b4242b03329

SHA512
3691f2fd54025618d12e056757fa2f9a45124b22e5797f1b9bb85abc2b16219e775bd2d6ca73dc526af23f23e8f6ea2573a23b1aaa84f3fe08d1c6ce7d36be2e

Download Submit
C:\Program Files (x86)\AOMEI Backupper\ImgFile.dll

Filesize
333KB

MD5
a0f985c068893fcf5757f6adda99f09b

SHA1
e2a7cabfab7cee71903a098bddaf0ad121093734

SHA256
482052caaebc07b20d6dfdacbf51ca053eb7d86b0e964e8add73c445bb35cb65

SHA512
da639e6de295792eae03c31d0c0ea2d6f9cabbd9b92fe0570d1adda0b796c53b5fb7bb1357e56c530e3e5374b398337d4b835bee74ee0f27aa379776347ea79c

Download Submit
C:\Program Files (x86)\AOMEI Backupper\Ldm.dll

Filesize
85KB

MD5
a908c9ecc1f12884a04c5c670a218662

SHA1
6eaa36b3963b1cc9abff2e289d3b148baebc72ca

SHA256
343ebc2e78415ff12daf29e56081a12855ba6a22adc1d72c870da4c12bcd189a

SHA512
7280524a96cfc15bc7a5ce0a33d772f9b0a915b9a333c8235ce8956547e6bea7f437f50669360d729d22e84436c1c09e47293490f67f2ab7dc645aac47cac1bf

Download Submit
C:\Program Files (x86)\AOMEI Backupper\LoadDrv.exe

Filesize
128KB

MD5
f2c04bc244d32c373b0a849f85b7fa17

SHA1
fade694d1717f7f341a4b648e38c6869fc29b9e2

SHA256
2e36a762a543007c89c46b280b4367a1e4c26a23e9c4514f158c2f1825062eea

SHA512
a4bdc3fcc56eb186b8373c81d620c50b744855820f9b2eede2444a99efcb164e6551689bfe97dafdf10f672611d1b8604ae31c8b31d2569acef29da355bdf932

Download Submit
C:\Program Files (x86)\AOMEI Backupper\NTHelp.dll

Filesize
65KB

MD5
1946f2d3eb675046d5a0faf8a5f90958

SHA1
6c086d51dd02a6acf912aa1d2b38829d4fd7f04e

SHA256
d951c1a80750fa187162952fc30286d484ad68d5bffcceb1657d4da927c0b0bf

SHA512
a5a6d729c0a0dc151fa6cb45778f6cec240f437a94325b5c60e731b885f2b26613de8fb581e1eec575bb2ea1af3f3f4ff6d082ae031afa33b45fb07a5f9ab59f

Download Submit
C:\Program Files (x86)\AOMEI Backupper\NTLog.dll

Filesize
70KB

MD5
b061122b0fe0695bdb82fb550a36a51c

SHA1
2b9147dde99148422eebd83cc11d6366bf42f1d6

SHA256
363c5467c4412522d576dbf6f3efe5393e1b01580a688094b767f20080058b92

SHA512
26315389992176542ad60d1c51f76e1eacd5e29d7f693ffc6e0daad3850f3f2c68fc798aa0ce27f367a21aabca562d5ce410980a21d262bde2b77715614928c6

Download Submit
C:\Program Files (x86)\AOMEI Backupper\UiLogic.dll

Filesize
1.1MB

MD5
c636ef9c948ba325e59b6deddc1ceb1a

SHA1
9916ae799eda92dc2868f9465bbf1ac11ceb22a4

SHA256
4a670e79936949a791de8b7ce03aec84b16fb293bff36688afa5d2bed9504d09

SHA512
e8156cc68e74b85a4b5ae2a3ace22f2a8b62137dc2167d34bcf8a84c10e95324cff065405836d38fc2695e2ae0259a8e77372d8285d85ca9da2f0a39d3f10d1b

Download Submit
C:\Program Files (x86)\AOMEI Backupper\UsbDetect.dll

Filesize
70KB

MD5
fdeeadda8d4840e084749c6491d203c6

SHA1
7ca679a1c089ba1c9f9b9317a8aad47f9cac680e

SHA256
51c586c6334ddbed31a1af7526a6d13526718a73372b72eca4ae35f6bdb51aab

SHA512
5bcaf258d4777c51603ff616fae15ea57cf7e5bd91f4c470bad58b856112fcdb6fba8d5c98e11bdd3984a4017c62f8e0ca73433effe3b8d5ff561968b744d2a1

Download Submit
C:\Program Files (x86)\AOMEI Backupper\ValidCheck.exe

Filesize
150KB

MD5
ce59eb640418349d902662bb87a2f1cb

SHA1
94936e5b170293d2c3e5ce494058721ed24508c1

SHA256
9f3d9f6ba15fbf98991a4c5c156ef6564ef7ed9f4db8d266c63382d322f5b114

SHA512
d0b9804eb0ea95111ea9572b7ec79fe7e2337243edc40698053d80b8b2773818a2916e60f0b352d68315ff57ae5e66216aa2bba3275b3af562f1524294fe9bec

Download Submit
C:\Program Files (x86)\AOMEI Backupper\Version.ini

Filesize
80B

MD5
a4eff6c378adbfe0165c00c3322f91d4

SHA1
06e1978ab2e7182acc33528650f6d7bdfb9349fe

SHA256
d47931023c0ee165abaa278a6d62db3cd0c34814ac5b909cd05032bea8cfc791

SHA512
8ceed22437e99df6eda94ea4b7ad9723b6b3d589205da4691bbb4b51aa7be995233da39d9cd95d430b7a8c0b0eed57e0e6f9090bc7262a9d7fe66a99bc33cef4

Download Submit
C:\Program Files (x86)\AOMEI Backupper\Winpe64\Dev.dat

Filesize
15.1MB

MD5
8f4a9a8e3629f0d8a4327005fc325777

SHA1
22fa22fe7d0b5b5aa6046ae514cb5a4a4fd2c93c

SHA256
7d94b9b7ec5e287e8e3f6e0bc16780c3349d303d0342f1f25ddb4f3679efbf5d

SHA512
9f8f2350a598b0bef5edda5b97fe1978ef82b0a0cb624be96d19c44c57506ff40b009382b3a745ed3dc5ba652d87670d27c527c830cd535f1778dab8f363aae8

Download Submit
C:\Program Files (x86)\AOMEI Backupper\Winpe64\lang\de.txt

Filesize
389KB

MD5
eb59425f5ccf91aabc9b3dbdf194d0f5

SHA1
5079499055fb1a183e60705a0ac18533d0c51035

SHA256
e1f6a3e7cb5aece8b6a6bcd9f5f216bf6db34beedd305bd1d24dd17965a21f1d

SHA512
6abbaae4b1ea533781353db707ee737a4462b2ddc07f9d32fc8e188031dfd958361be60da4d720ecb9dd3e849ff84619a65cd7e78266c3f63ca624b00d0f160c

Download Submit
C:\Program Files (x86)\AOMEI Backupper\Winpe64\lang\en.txt

Filesize
334KB

MD5
86af29f58b952ddb591c28dded8b080a

SHA1
89253f5e6daf4d227a8a1d900b4bf2e870dcd734

SHA256
38395c82d21200c1fb65cd525d978212c530f1a8820a0ba845e2dcc2b0b5a62d

SHA512
8f0070036f318def7a89323ecfe2b8962738707fab5d937ff42d6a4b7eaf652bd2b4ce735eec499138b943a00f0124b0b8b89ab3db6a054dcfd54d9453255728

Download Submit
C:\Program Files (x86)\AOMEI Backupper\Winpe64\lang\es.txt

Filesize
389KB

MD5
a9a31ac09b57dffa21920bfab55188b1

SHA1
2dd640edd16f22a63a6f9ac5a0276bd31521da23

SHA256
1507391c06cf3fc2a930f13b7b7dabe7da7f0f4cad53abfdba41c015f3af2299

SHA512
020cec34ad17a3648425ec35ad2d2f12f9ad2622071223acfc6a18b427d8e7b9993fc161a4b8e40886314be4986a370a11eeb8de56586f959925ccd49ce3b6a8

Download Submit
C:\Program Files (x86)\AOMEI Backupper\Winpe64\lang\fr.txt

Filesize
388KB

MD5
b65a106e373be0ca4d7ec82b4f301184

SHA1
1d727bf53be646d780b8ee51b59d80c38c7897ed

SHA256
0d5824f09431aac2a8572a1e78dca9275877442efa8931fbc99685dd3941f7b7

SHA512
abf23072cf8ceff062b19a76808ed0f4f0f57d60668c1d7f1317874406e1e48ef7ad50a5fc68b9ccd182f05a05ad8627c5eb656c08bfbc57377b12b2b539098c

Download Submit
C:\Program Files (x86)\AOMEI Backupper\Winpe64\lang\it.txt

Filesize
377KB

MD5
eea6de268a4fdfd28884ef895f95afbf

SHA1
cb140632ca19b391272e38465c1f56c434bbcb56

SHA256
eeff073316ac5a5d9e6df6a9309ea2b04c729ba48fc509f528c3755f3b8c8147

SHA512
46c2fd5b63412c837aad3b400a933e44a5b59e2c894e05a35fed6e30fc059bfd47943508ef334627e5677d73fb8189a78cadf850d3eecfa665e0cc58828ea051

Download Submit
C:\Program Files (x86)\AOMEI Backupper\Winpe64\lang\jp.txt

Filesize
228KB

MD5
4d749cac10b74c24d0b561b0fe6a2337

SHA1
c2287743a86613ab7de63342b7c1f44b0c41e636

SHA256
896ed0dd36aa572944902a9d233cff1c004e35100a22f4ecc3e4f8df02edebf8

SHA512
6da9dbbd5c65892bc4d656295cce1e17eda7fed8496b3753786b8ba470c7d62601c91c394d7d45589336b68ef13facad74afc2acfc88eda27dbc583a916653cc

Download Submit
C:\Program Files (x86)\AOMEI Backupper\Winpe64\lang\nl-be.txt

Filesize
340KB

MD5
7c96396bf18639cd6d1290c52b136e53

SHA1
98b0762c08e30265e048dba52de901be008da05c

SHA256
bc27f4565907cfcd6f01938a5694c5f9e8d40b808b94c34d1e13df88c598774b

SHA512
d6fbb296b03bf62336dbf29b5ce01b21c8f8b2025c9da5060e8878581eb018236a5c799b64cfa954ad84df025138674c9f0cb5d865a4f53ef0ba9879ccd0bf67

Download Submit
C:\Program Files (x86)\AOMEI Backupper\Winpe64\lang\nl.txt

Filesize
346KB

MD5
e11146e262875aeddc6cef358dff9590

SHA1
7d784a79dfa251ce27b10dd8a2916c375a8b846f

SHA256
ece62e67d7158e0b12f6418e022ac8de2a3e94081fb52c2b31bd1fd8bf33dd9a

SHA512
843330cf3bd6040e0b568d8093b341c0fb2476db71678d44405cc48f66b648472338936ea229c15658c38ea376a60746a768e5544cc91265bd491477b3c532c0

Download Submit
C:\Program Files (x86)\AOMEI Backupper\Winpe64\lang\pt.txt

Filesize
361KB

MD5
bd050941b3f1b1ead1aee08bcb5561ac

SHA1
26a31eb2d71ab622ad5f0e7b9838d4eaa1c263b1

SHA256
d9e62bd0d8de2e52e4288640ff9637d28ad33652c20efa18f490e2d6c3c182e1

SHA512
b14f203f274b9f5901f72fc9b634597edcaf6334e00c66ad18764f133f8bb2a98fe645538606dfd30b3716d743668906fdc73cb9a4d58aea292631a8f56f9a1c

Download Submit
C:\Program Files (x86)\AOMEI Backupper\Winpe64\lang\tr.txt

Filesize
334KB

MD5
855369bf64e3d5f420b72921828459dc

SHA1
8208b055e78d7b5c3c93e2964d5bb989f22fe487

SHA256
8db9c00a8d199b6123c6e4f1bbdc024c4607958b3a9a8f6fe20d89a735ccca18

SHA512
b0a0ccee8f6b959ae40f336b1e8ec738b9545d17c9425b24038a2726b9c113f899d85e130e18a045ec0a2104d3be427412f6d98111af08cb60ac143e96154160

Download Submit
C:\Program Files (x86)\AOMEI Backupper\Winpe64\lang\zh-CN.txt

Filesize
164KB

MD5
862b4987dfddc00ec63ba5b9d872a5ab

SHA1
ac06d1bed5a5736667a1575a7cb76e6b6e46b212

SHA256
a39709f9f092d27f38ae4dab4726ebfaf2010168fa178b42a25f53fbf944442c

SHA512
f5829073ee478c9da0a58933f875028467bbba635fec28d3151b373a2aa103db5542ee4bdc8615ed57649dd3590760acd7669a66baa56e9f82570cb8765e7641

Download Submit
C:\Program Files (x86)\AOMEI Backupper\Winpe64\lang\zh-TW.txt

Filesize
190KB

MD5
59d4b9c72f2e8b02a9c46ada09640717

SHA1
6b5ea97a870e70a7c8e8efb89e1659e8dd52352e

SHA256
4b11942196572c7719f480baea4e20ccc03e7540f6d02817a9e117f98af57c79

SHA512
0d2e69dd784055c1c0729ae192766713d52297adcaefc96d61e3b28fe241d669df099cb73b4c4507bbbc0261d8ba7893be2e0ab233d46e2eb1404036a4d68db8

Download Submit
C:\Program Files (x86)\AOMEI Backupper\adi.ico

Filesize
290KB

MD5
97a9c8d57968b3f116544e3c89e490d5

SHA1
750b148421a3a71ad6c585abc465c735e81998e8

SHA256
48e488206059fd319b745c0c55a0a3fe5d4e03681e871b15c001a10ec4869a98

SHA512
118ee2f991d19402110013b4d3105da8096c585767f213bd12c2c911f7852a8e09291d0c06aeda6f94d15d6d7e9765d93adbec9147ea58ff5744f187c44c8b32

Download Submit
C:\Program Files (x86)\AOMEI Backupper\libamcbconsole.dll

Filesize
27KB

MD5
05cab998b49bb3a3418fed9ba66f6759

SHA1
22c50ba0bb9f9da68b6e3214b420a4f808efb040

SHA256
fa0fd1cc20722ab485d9e294f9aeb38d9f1cf3cd97bc9df6b0af92e149e15005

SHA512
59693f7e1e1822887432eaad66618ccad275f6fecc5a3064045d3517abe04e5865b4d7eeab511f3f590a23213c2314ee0843c3ecc1701d803493c08fa11ddd2e

Download Submit
C:\Program Files (x86)\AOMEI Backupper\libssl-1_1.dll

Filesize
389KB

MD5
9c1493ea5b94e3d8b606bbe935feed92

SHA1
8eda901983379dd6665d7f440be606afb8d8effd

SHA256
53e5bb84f8b1225984ecdb05839bb338b86df4b9aa3022e30cd3ed74e544f54c

SHA512
0e1e5eb1f52b1b8c98a62f416ec7012d032a28d87d96912716bf5b4a4e22019d5100696672bec27301d25eacad1c23bcf2f85da7021ce415b63d6495162b3dbd

Download Submit
C:\Program Files (x86)\AOMEI Backupper\log\Reg.log

Filesize
239B

MD5
a56c8ad76df2841c6f241fe12f19a5fa

SHA1
676118df4afb2efa301cc699d146f416c03d51ae

SHA256
c8c04344ef7f41bad1ab5cd9eabeda302534a0857a8411b17617888c9bb16ab1

SHA512
0c014e095c6ab0b2ad5300a2637814e7b10c276f2766ebbc1bb300f9316284039bf83dd25b3acba51ec4f8e0117af59dd1834fdf08b466f51477e46f5e4b6f22

Download Submit
C:\Program Files (x86)\AOMEI Backupper\msefi64\microsoft\boot\is-KMVAF.tmp

Filesize
3.0MB

MD5
22d9945b4aae36dd59620a918f2e65f4

SHA1
bb025cedca07887916c4b7e5fa7a641ed3e30c14

SHA256
cd2c00ce027687ce4a8bdc967f26a8ab82f651c9becd703658ba282ec49702bd

SHA512
dd2d0ea7d5cf98064838ce0b74711f77534e1a2a14c7f74d44ed4b83acdb6f413d74671d2c6a8574aee88afb456b53a6b8452419a3bdddf2f7e9095c9d1d272e

Download Submit
C:\Program Files (x86)\AOMEI Backupper\vsscom.exe

Filesize
146KB

MD5
c1cf202d79aaabc17e28571aee59694b

SHA1
204e6c6ca642770411351972dde7fcb342a710f0

SHA256
929d8e087c61d9be1fbb439e50eeddcdbf08fa61a3bab2f550ea6a7e6343b05a

SHA512
4884c6f5de7f947278ed5bf58cf4ff3b867f00697ca2f90b7b88320390ba8897f056043aebf112be442b2ce5cf767eb09341b869891ca2c7c39b00a446d61ac5

Download Submit
C:\Program Files (x86)\AOMEI Backupper\winpeshl.ini

Filesize
132B

MD5
0f525ef932ceb91647d4131cb91a9be8

SHA1
15390a150660d1d6264729d1976f35347ba7b975

SHA256
ca9e38b443e75312ce07ce487b48aaea3a734840e941e60a03f2b6aa633e0b3e

SHA512
ef69425daa3e4d45de886ba1048bbfdb42650045eb7ab327df01c070e827f706161ebf1180b98282b10569ad6eed84c7e7da5c2fcdabb253216c2f4b7cac0ec6

Download Submit
C:\ProgramData\AomeiBR\net\Global.ini

Filesize
141B

MD5
80b49a8ecb38e9bf0da4afd1b7edf0c9

SHA1
3e552ac008f601c6dfecb18290ae3f7a7efab292

SHA256
3e1b2a9412a6faa119a0b5a59db09a2e02a0b5935624c6504fd297e4effaaccc

SHA512
4c07c9449366610998b1fc9a8ad20d2821924a5075da285390152ad3bb1984aab83c2045c4648e502649e8074b221eb06cef9c851590e71cbe51be7474a8e4bd

Download Submit
C:\ProgramData\AomeiBR\tasks2.2.xml

Filesize
121B

MD5
6fff5ff83860b5dd33f05a61142d87e3

SHA1
6d60c5f72d30bd660a662bb0a02537478c6a8e35

SHA256
2f710a632a086f5ed5ed521aebbd8e1a7165b53defbfa03c7eea7e39eb3466de

SHA512
b4f5d6fecab2a2ba6b0ff4a80beb347c6bb2df1ae7c7478295b3d5c47af14d4eb151ee8fe502c121b2da9acef02ffffc2546f520e4966251723ee5cfaf1ac764

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
34d2c4f40f47672ecdf6f66fea242f4a

SHA1
4bcad62542aeb44cae38a907d8b5a8604115ada2

SHA256
b214e3affb02a2ea4469a8bbdfa8a179e7cc57cababd83b4bafae9cdbe23fa33

SHA512
50fba54ec95d694211a005d0e3e6cf5b5677efa16989cbf854207a1a67e3a139f32b757c6f2ce824a48f621440b93fde60ad1dc790fcec4b76edddd0d92a75d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8749e21d9d0a17dac32d5aa2027f7a75

SHA1
a5d555f8b035c7938a4a864e89218c0402ab7cde

SHA256
915193bd331ee9ea7c750398a37fbb552b8c5a1d90edec6293688296bda6f304

SHA512
c645a41180ed01e854f197868283f9b40620dbbc813a1c122f6870db574ebc1c4917da4d320bdfd1cc67f23303a2c6d74e4f36dd9d3ffcfa92d3dfca3b7ca31a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
552B

MD5
aa191d1ba2f2fa7ae74d4ae13aae03d5

SHA1
b710aa238149167ae083b747c14994dd09c4be5d

SHA256
8d832f6937cbbde5e771c564981922574ab4b6266f21b12ee4c2ce27fdcca95f

SHA512
47fe33b9670b6957f0fd4304f7476ca35be7a393e71cfd36385d206c06ee98c1a765b52fa74a5136d151cd1e4b0a79c1d88b9dac927880c42389308db5625c70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
97f0b3cffbfe0778bbb574a19c4eeaa2

SHA1
ed757b33646fa81d6b6b1161691646a024f875d9

SHA256
df678efb041a8b6ac25a5b29a95ce14b5b387576cfe1affa3332737c777065eb

SHA512
9a5a51cb22ef3c6de6b925f461a440eb073774734d59b38148593bee44c987e8fdc2219ff633a9884bbdb74867b0d1572dc481e52c36c87b2da87b4d61fc8aa0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ea6c132dfa64c14ce232198835c343de

SHA1
7b4529277179e8e28a60989ee9325497d3fd15a8

SHA256
53ed383b07ca4a937e795e65a94e38ebf708e73a43298d599b2724c970fff85c

SHA512
a09d93ef2bfc5450f73eae93fd4f3b1d2a38fb32c772853d1d0d67320e10d149b976c6da0a53133b0ab8a0059721749313b77c0c1c2393f9afd3b4b299f078be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
5bcce13262ae320ab78dfb59b62d4366

SHA1
148cdff710e4d51f142108327e6e6e0b6293a573

SHA256
a5acb97742500cb30deef4c6fb11cbc43325d767dd795df07d20e76835e70cfc

SHA512
c99cb702b185aba506f02f33dfff2cad2569a9f6fdfa613bf5930969af99fab0c73f155679942bc8f7306ccd66d66b66eaecac827ee723d701b27ce5a5d5dbf8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
60ebf035001a91a6430b2d23c0c5a013

SHA1
ed4c7b0ff5da729386b8580f33347477384de98b

SHA256
ca9fa485aff152bd7764a0fcae9fad7b832a2d20e892749709e5725b81fcfefc

SHA512
9a2ecbb15cc18272ac60da5501cfe015f078f851c5db5e392d07107f21672d700ac07c33facf89a4bc68d996fd7de1a3f0b5a2643bd5f7a4e669813d1801d7fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe58a488.TMP

Filesize
48B

MD5
a97976b277c895b93be85a8b45f7af0a

SHA1
7d6af3f6c8bb01e67b6430d95b42cacd3c559759

SHA256
6f8e365882fc9b92380b482e36564050b769312388fc8eed2d0d0bd99292744b

SHA512
3930d39462322cf2057c2086a084e37242dcbb36d0983b7512291b3accbac08b82d98b48efc6260bfc076363a7b6735b9f672c2551848c99ec26e970cd4a52e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
da88115c28af8e232ae23ab248e97cb9

SHA1
7e673bd79c225e83907c446aa5312fe921ad4818

SHA256
47f4c026802cf9e27dd07a6cdb508ebfec8042d84da204d4b51dbc5ebffaa0fa

SHA512
341ff0cce7851eb5f9008806fe4695a2720f249ecb6b366f2147fbe2d380d9a297ab45602a1bf49c47ca3bd56f8a6416f62226ef4fd7c7d49b84237e9aaf921e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-F12ND.tmp\ABTech.tmp

Filesize
1.7MB

MD5
079e12a0aaf2d84c349155469db4d425

SHA1
2759e612710cbf618680100c5ef03a6cdfa81f64

SHA256
4c635334e4d8539f4aa90fb3e5f3786f8e5ee5864dde5db094f3810d4f6df7eb

SHA512
b837f47696b5e4a059b7c9c2d289bf66b150bf73938062c2fe9fe25ea5e145ed61a9382b8aa74d3b579f0a1b99973d975a7efced61709ce6178bdcbd76632dfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GRO0G.tmp\BrVersion.dll

Filesize
228KB

MD5
cb6bd02e294ab467df8822b910e00fc8

SHA1
2c4611a9db8dd4081cbe00423dc6ed475139fcd0

SHA256
89d733a2d31a2fa12377f7717be0c0ab8b3da6ffa32589bc98fe1c146aa69491

SHA512
db84a63329a5acabd21c85c8b32806515d72ae987c13bd482c891cb6ebf7476d34e374d353f630dba787f1117e2d5e849d470fe43ead391e7e1dbbe20f02680a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GRO0G.tmp\CallbackCtrl.dll

Filesize
4KB

MD5
f07e819ba2e46a897cfabf816d7557b2

SHA1
8d5fd0a741dd3fd84650e40dd3928ae1f15323cc

SHA256
68f42a7823ed7ee88a5c59020ac52d4bbcadf1036611e96e470d986c8faa172d

SHA512
7ed26d41ead2ace0b5379639474d319af9a3e4ed2dd9795c018f8c5b9b533fd36bfc1713a1f871789bf14884d186fd0559939de511dde24673b0515165d405af

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GRO0G.tmp\Checkblue.png

Filesize
694B

MD5
a8b6c2a1eb48b2be0f941f3ab8f7e238

SHA1
b78df675d44df51d64b55c8f2c511cd180d5cf73

SHA256
4ef202de5bf06745f20ef82ab0680cb4b1d882025a4503639ccdb6435e029dd0

SHA512
b181985244dbd6dc0bc456f822cc8011cb76ce334a680928a8c2aa12a9f0c4a066c3e6745f738ffc480e39b907a0499e59b3865fed040a5a43310803de61c0c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GRO0G.tmp\IUHelper.exe

Filesize
161KB

MD5
5006036c19ab7e2d55bdd9ee6c109a57

SHA1
86bd2f91bb69cb6fb98d49c50d1989a450329ddb

SHA256
fd55d7b92c0e11e66442ffd06e0e1831920c6082da58b48e4b95fa4cef48ef7d

SHA512
6d297cbef7eb7e1443bd881dae4ed1846cfb9b45ac009a814832e54e54951b0fa5d8ec79ae804781a215df954659520059770313045c6b08ff3bc8db891066c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GRO0G.tmp\MFCButton.dll

Filesize
233KB

MD5
508b334f7a1c539adde48a55f71f2041

SHA1
3c746bc215bce5cc42822f30252082956850612b

SHA256
ea43da95dc1d4f814b6399cc2cd92e2c606fcb1e8ec0b60bbd89269c22d7313c

SHA512
e9d29127cbeb4d660290bb330e0410a86e6e29ab87b9a41c886d1d5414201868f0b9d12521cf00cb05302789e04518a8880763a3782b99fe892a7d4f87bd6ae3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GRO0G.tmp\PathFormat.dll

Filesize
188KB

MD5
7e70de8a68422051884937ebbeb446dc

SHA1
d149ad4dcb886555c57b4fafa4e2256bb4b2e159

SHA256
b06b78e3cd3b6e9c2bbe236ab846b46e757002ad7bbb7b842996ce0adc42e731

SHA512
65ab4779e8736af0071d28ceab6025e0cd39a8a5cd1c48c5bfc0341071d6cfff9a87f737c865a3d77e14b1b33827e1e610fc3050d8d82dc58321704da571b8cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GRO0G.tmp\botva2.dll

Filesize
35KB

MD5
0177746573eed407f8dca8a9e441aa49

SHA1
6b462adf78059d26cbc56b3311e3b97fcb8d05f7

SHA256
a4b61626a1626fdabec794e4f323484aa0644baa1c905a5dcf785dc34564f008

SHA512
d4ac96da2d72e121d1d63d64e78bcea155d62af828324b81889a3cd3928ceeb12f7a22e87e264e34498d100b57cdd3735d2ab2316e1a3bf7fa099ddb75c5071a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GRO0G.tmp\btopen.png

Filesize
2KB

MD5
90eb121bf0ae802f3ad12bc6582ca691

SHA1
8647260945740e2cd97a97b7cee6e5016688166f

SHA256
85a908620121820c1c40303d6e268bac586c469cbfbfe864143a2c96d171f56c

SHA512
881bdec3c122b7baaf81c01f91b24409377602c0d9398b09aa3ad7cb965d347bcee5e631ca87636edfad693d5666b8339ee45e8877500f78f823817d449ec8e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GRO0G.tmp\iconclose.png

Filesize
274B

MD5
3a58934b887aab94f6b08f937379cd27

SHA1
1b56a9405cc8b818c4c2584372d30ff2e3f07173

SHA256
2412f5c1a826c923b6afbf41aa700066f8845227bc6c0732f1917f4671e16015

SHA512
f5232174b1c4c3871fbc0fbcab403d2281f8d2c207127466d215de44b23d4472e5dee32210e3adf2294a9be31b334e0dae14f0421ee05318ed419239bcb983d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GRO0G.tmp\iconminimize.png

Filesize
375B

MD5
5577c4f4a5b74020337c273b94744d25

SHA1
46c46b1d15a07319d7396e9ab1bd686764abf785

SHA256
8e9e7818db8b22e2d7e836ae72712eb402b4e94fc43aa1b2a6b1217dfb90e9ac

SHA512
3cd31fc686103a83ce8779fc94771b51afbf1343f5ab4e36f3f2d1ede013feb6eb4b0d66c48c5f00217eefb9c407071fd30188dc0a16244d86899116c6fc4f45

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GRO0G.tmp\textbg.png

Filesize
106B

MD5
142686cd6c1ef8f7b61a0f3f7c1bc067

SHA1
54acb0e6aa746714ae4494c4c8ba945d21d8052d

SHA256
4d4e11ad55f23d3e6584183ade93cd01189380687a44821cf5f5749b0e26c4ca

SHA512
c3090b16dfe1488ccb48d06eb49ebf42491778a6ee35d9398819ad65222ec3dc313a9d783a82f4d2851eaea86d3e487736b739fb594eb10e38b0dfcf4d1cd011

Download Submit
memory/1028-2028-0x0000000001B70000-0x0000000001BC2000-memory.dmp

Filesize
328KB

Download
memory/1028-2030-0x0000000001BE0000-0x0000000001BF0000-memory.dmp

Filesize
64KB

Download
memory/1028-2018-0x0000000000F50000-0x0000000000F8E000-memory.dmp

Filesize
248KB

Download
memory/1028-2016-0x0000000000180000-0x00000000001D0000-memory.dmp

Filesize
320KB

Download
memory/1028-2024-0x0000000001AC0000-0x0000000001B3A000-memory.dmp

Filesize
488KB

Download
memory/1028-2026-0x0000000001B40000-0x0000000001B5F000-memory.dmp

Filesize
124KB

Download
memory/1028-2023-0x0000000001000000-0x0000000001010000-memory.dmp

Filesize
64KB

Download
memory/1028-2020-0x0000000000F90000-0x0000000000FB7000-memory.dmp

Filesize
156KB

Download
memory/1028-2031-0x0000000001C00000-0x0000000001C18000-memory.dmp

Filesize
96KB

Download
memory/1028-2032-0x0000000001C60000-0x0000000001CBF000-memory.dmp

Filesize
380KB

Download
memory/1028-2033-0x0000000001CC0000-0x0000000001CD2000-memory.dmp

Filesize
72KB

Download
memory/1028-2034-0x0000000001CF0000-0x0000000001CFE000-memory.dmp

Filesize
56KB

Download
memory/1028-2041-0x0000000061C00000-0x0000000061CB2000-memory.dmp

Filesize
712KB

Download
memory/1028-2021-0x0000000000FC0000-0x0000000000FD0000-memory.dmp

Filesize
64KB

Download
memory/1028-2035-0x0000000001D10000-0x0000000001D55000-memory.dmp

Filesize
276KB

Download
memory/1028-2022-0x0000000000FE0000-0x0000000000FED000-memory.dmp

Filesize
52KB

Download
memory/1892-1985-0x0000000002450000-0x0000000002460000-memory.dmp

Filesize
64KB

Download
memory/1892-2012-0x00000000026E0000-0x0000000002725000-memory.dmp

Filesize
276KB

Download
memory/1892-1990-0x0000000002420000-0x0000000002430000-memory.dmp

Filesize
64KB

Download
memory/1892-1997-0x00000000025A0000-0x00000000025B0000-memory.dmp

Filesize
64KB

Download
memory/1892-1987-0x0000000002470000-0x000000000248F000-memory.dmp

Filesize
124KB

Download
memory/1892-1995-0x0000000002510000-0x000000000258A000-memory.dmp

Filesize
488KB

Download
memory/1892-2000-0x00000000025C0000-0x00000000025D8000-memory.dmp

Filesize
96KB

Download
memory/1892-1981-0x00000000023E0000-0x0000000002407000-memory.dmp

Filesize
156KB

Download
memory/1892-2009-0x0000000002630000-0x000000000268F000-memory.dmp

Filesize
380KB

Download
memory/1892-1978-0x0000000002390000-0x00000000023CE000-memory.dmp

Filesize
248KB

Download
memory/1892-1992-0x00000000024A0000-0x00000000024F2000-memory.dmp

Filesize
328KB

Download
memory/1892-2015-0x0000000061C00000-0x0000000061CB2000-memory.dmp

Filesize
712KB

Download
memory/1892-1974-0x0000000002320000-0x0000000002370000-memory.dmp

Filesize
320KB

Download
memory/1892-2010-0x0000000002690000-0x00000000026A2000-memory.dmp

Filesize
72KB

Download
memory/1892-1983-0x0000000002430000-0x000000000243D000-memory.dmp

Filesize
52KB

Download
memory/1892-2013-0x0000000002A30000-0x0000000002C37000-memory.dmp

Filesize
2.0MB

Download
memory/1892-2011-0x00000000026C0000-0x00000000026CE000-memory.dmp

Filesize
56KB

Download
memory/2060-74-0x00000000084B0000-0x00000000084EA000-memory.dmp

Filesize
232KB

Download
memory/2060-59-0x0000000008410000-0x000000000841E000-memory.dmp

Filesize
56KB

Download
memory/2060-117-0x0000000000400000-0x00000000005C0000-memory.dmp

Filesize
1.8MB

Download
memory/2060-716-0x0000000000400000-0x00000000005C0000-memory.dmp

Filesize
1.8MB

Download
memory/2060-109-0x0000000000400000-0x00000000005C0000-memory.dmp

Filesize
1.8MB

Download
memory/2060-699-0x0000000000400000-0x00000000005C0000-memory.dmp

Filesize
1.8MB

Download
memory/2060-700-0x0000000008410000-0x000000000841E000-memory.dmp

Filesize
56KB

Download
memory/2060-110-0x0000000008410000-0x000000000841E000-memory.dmp

Filesize
56KB

Download
memory/2060-1721-0x0000000008410000-0x000000000841E000-memory.dmp

Filesize
56KB

Download
memory/2060-7-0x0000000000400000-0x00000000005C0000-memory.dmp

Filesize
1.8MB

Download
memory/2060-2177-0x0000000000400000-0x00000000005C0000-memory.dmp

Filesize
1.8MB

Download
memory/2060-41-0x0000000003400000-0x000000000344F000-memory.dmp

Filesize
316KB

Download
memory/2060-1720-0x0000000000400000-0x00000000005C0000-memory.dmp

Filesize
1.8MB

Download
memory/3548-2087-0x0000000000F10000-0x0000000000F60000-memory.dmp

Filesize
320KB

Download
memory/4484-1-0x0000000000401000-0x0000000000417000-memory.dmp

Filesize
88KB

Download
memory/4484-108-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/4484-0-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download