e8dfed8e5cf7d8f65690d21b1b1db8df7e2ca855e1b3cb963392c6e112a4d0e2

Analysis

max time kernel
77s
max time network
11s
platform
windows7_x64
resource
win7v20210410
submitted
13-05-2021 12:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e8dfed8e5cf7d8f65690d21b1b1db8df7e2ca855e1b3cb963392c6e112a4d0e2.exe
Size

2.1MB
MD5

cafe69a59c0c3c646ea7f114180d4d8b
SHA1

70961e60e1e279bd2882c4693ca7de7c9c96981b
SHA256

e8dfed8e5cf7d8f65690d21b1b1db8df7e2ca855e1b3cb963392c6e112a4d0e2
SHA512

40eda1da28f5fe0aa6bab25b6c6dcdca226a6dcd3385d9c8870b33c48f0398269643e887d6c1f390547fa97a31c817241c090da37830bcf67f6f44ceb2ea36d0

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Executes dropped EXE 22 IoCs

Processes:

backup.exebackup.exebackup.exebackup.exebackup.exebackup.exedata.exebackup.exeupdate.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeSystem Restore.exebackup.exebackup.exe

pid	process
436	backup.exe
1716	backup.exe
1160	backup.exe
1484	backup.exe
1616	backup.exe
2176	backup.exe
2188	data.exe
2476	backup.exe
2656	update.exe
2832	backup.exe
2964	backup.exe
1688	backup.exe
1592	backup.exe
860	backup.exe
2088	backup.exe
2292	backup.exe
972	backup.exe
924	backup.exe
2800	backup.exe
836	System Restore.exe
2284	backup.exe
1680	backup.exe

Checks BIOS information in registry 2 TTPs 42 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

backup.exebackup.exee8dfed8e5cf7d8f65690d21b1b1db8df7e2ca855e1b3cb963392c6e112a4d0e2.exebackup.exebackup.exeupdate.exebackup.exeSystem Restore.exebackup.exebackup.exebackup.exedata.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	backup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	backup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	e8dfed8e5cf7d8f65690d21b1b1db8df7e2ca855e1b3cb963392c6e112a4d0e2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	backup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	backup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	backup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	update.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	backup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	backup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	System Restore.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	e8dfed8e5cf7d8f65690d21b1b1db8df7e2ca855e1b3cb963392c6e112a4d0e2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	backup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	backup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	backup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	backup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	data.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	backup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	backup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	backup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	backup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	backup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	backup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	backup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	backup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	backup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	backup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	backup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	backup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	backup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	backup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	backup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	backup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	backup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	backup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	backup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	backup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	backup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	backup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	data.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	update.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	backup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	System Restore.exe

Identifies Wine through registry keys 2 TTPs 23 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

backup.exebackup.exebackup.exebackup.exebackup.exebackup.exee8dfed8e5cf7d8f65690d21b1b1db8df7e2ca855e1b3cb963392c6e112a4d0e2.exedata.exeupdate.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeSystem Restore.exebackup.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Wine	backup.exe
Key opened	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Wine	backup.exe
Key opened	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Wine	backup.exe
Key opened	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Wine	backup.exe
Key opened	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Wine	backup.exe
Key opened	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Wine	backup.exe
Key opened	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Wine	e8dfed8e5cf7d8f65690d21b1b1db8df7e2ca855e1b3cb963392c6e112a4d0e2.exe
Key opened	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Wine	data.exe
Key opened	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Wine	update.exe
Key opened	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Wine	backup.exe
Key opened	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Wine	backup.exe
Key opened	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Wine	backup.exe
Key opened	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Wine	backup.exe
Key opened	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Wine	backup.exe
Key opened	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Wine	backup.exe
Key opened	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Wine	backup.exe
Key opened	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Wine	backup.exe
Key opened	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Wine	backup.exe
Key opened	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Wine	backup.exe
Key opened	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Wine	backup.exe
Key opened	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Wine	backup.exe
Key opened	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Wine	System Restore.exe
Key opened	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Wine	backup.exe

Loads dropped DLL 42 IoCs

Processes:

e8dfed8e5cf7d8f65690d21b1b1db8df7e2ca855e1b3cb963392c6e112a4d0e2.exebackup.exebackup.exeupdate.exebackup.exebackup.exebackup.exebackup.exebackup.exe

pid	process
1084	e8dfed8e5cf7d8f65690d21b1b1db8df7e2ca855e1b3cb963392c6e112a4d0e2.exe
1084	e8dfed8e5cf7d8f65690d21b1b1db8df7e2ca855e1b3cb963392c6e112a4d0e2.exe
1084	e8dfed8e5cf7d8f65690d21b1b1db8df7e2ca855e1b3cb963392c6e112a4d0e2.exe
1084	e8dfed8e5cf7d8f65690d21b1b1db8df7e2ca855e1b3cb963392c6e112a4d0e2.exe
1084	e8dfed8e5cf7d8f65690d21b1b1db8df7e2ca855e1b3cb963392c6e112a4d0e2.exe
1084	e8dfed8e5cf7d8f65690d21b1b1db8df7e2ca855e1b3cb963392c6e112a4d0e2.exe
1160	backup.exe
1160	backup.exe
1084	e8dfed8e5cf7d8f65690d21b1b1db8df7e2ca855e1b3cb963392c6e112a4d0e2.exe
1616	backup.exe
1084	e8dfed8e5cf7d8f65690d21b1b1db8df7e2ca855e1b3cb963392c6e112a4d0e2.exe
1616	backup.exe
1160	backup.exe
1160	backup.exe
1084	e8dfed8e5cf7d8f65690d21b1b1db8df7e2ca855e1b3cb963392c6e112a4d0e2.exe
2656	update.exe
2656	update.exe
2656	update.exe
1160	backup.exe
1160	backup.exe
2476	backup.exe
2476	backup.exe
1084	e8dfed8e5cf7d8f65690d21b1b1db8df7e2ca855e1b3cb963392c6e112a4d0e2.exe
1084	e8dfed8e5cf7d8f65690d21b1b1db8df7e2ca855e1b3cb963392c6e112a4d0e2.exe
2832	backup.exe
2832	backup.exe
1160	backup.exe
1160	backup.exe
2476	backup.exe
2476	backup.exe
2964	backup.exe
2964	backup.exe
2832	backup.exe
2832	backup.exe
2476	backup.exe
2476	backup.exe
860	backup.exe
860	backup.exe
1592	backup.exe
1592	backup.exe
2832	backup.exe
2832	backup.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 19 IoCs

Processes:

e8dfed8e5cf7d8f65690d21b1b1db8df7e2ca855e1b3cb963392c6e112a4d0e2.exebackup.exebackup.exebackup.exebackup.exebackup.exedata.exebackup.exebackup.exeupdate.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exe

pid	process
1084	e8dfed8e5cf7d8f65690d21b1b1db8df7e2ca855e1b3cb963392c6e112a4d0e2.exe
436	backup.exe
1716	backup.exe
1160	backup.exe
1484	backup.exe
1616	backup.exe
2188	data.exe
2176	backup.exe
2476	backup.exe
2656	update.exe
2832	backup.exe
2964	backup.exe
1688	backup.exe
860	backup.exe
1592	backup.exe
2088	backup.exe
2292	backup.exe
924	backup.exe
972	backup.exe

Drops file in Program Files directory 10 IoCs

Processes:

backup.exebackup.exebackup.exebackup.exebackup.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\backup.exe	backup.exe
File opened for modification	C:\Program Files\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\Lang\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\backup.exe	backup.exe

Drops file in Windows directory 1 IoCs

Processes:

backup.exe

description ioc process

File opened for modification C:\Windows\backup.exe backup.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\backup.exe	backup.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

Processes:

pid	process
1084	e8dfed8e5cf7d8f65690d21b1b1db8df7e2ca855e1b3cb963392c6e112a4d0e2.exe
436	backup.exe
1716	backup.exe
1160	backup.exe
1484	backup.exe
1616	backup.exe
2188	data.exe
2176	backup.exe
2476	backup.exe
2656	update.exe
2832	backup.exe
2964	backup.exe
1688	backup.exe
860	backup.exe
1592	backup.exe
2088	backup.exe
2292	backup.exe
924	backup.exe
972	backup.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

e8dfed8e5cf7d8f65690d21b1b1db8df7e2ca855e1b3cb963392c6e112a4d0e2.exe

pid process

1084 e8dfed8e5cf7d8f65690d21b1b1db8df7e2ca855e1b3cb963392c6e112a4d0e2.exe

Suspicious use of SetWindowsHookEx 15 IoCs

Processes:

pid	process
1084	e8dfed8e5cf7d8f65690d21b1b1db8df7e2ca855e1b3cb963392c6e112a4d0e2.exe
436	backup.exe
1716	backup.exe
1160	backup.exe
1616	backup.exe
1484	backup.exe
2188	data.exe
2176	backup.exe
2476	backup.exe
2656	update.exe
2832	backup.exe
2964	backup.exe
860	backup.exe
1688	backup.exe
1592	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

e8dfed8e5cf7d8f65690d21b1b1db8df7e2ca855e1b3cb963392c6e112a4d0e2.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exe

description	pid	process	target process
PID 1084 wrote to memory of 436	1084	e8dfed8e5cf7d8f65690d21b1b1db8df7e2ca855e1b3cb963392c6e112a4d0e2.exe	backup.exe
PID 1084 wrote to memory of 436	1084	e8dfed8e5cf7d8f65690d21b1b1db8df7e2ca855e1b3cb963392c6e112a4d0e2.exe	backup.exe
PID 1084 wrote to memory of 436	1084	e8dfed8e5cf7d8f65690d21b1b1db8df7e2ca855e1b3cb963392c6e112a4d0e2.exe	backup.exe
PID 1084 wrote to memory of 436	1084	e8dfed8e5cf7d8f65690d21b1b1db8df7e2ca855e1b3cb963392c6e112a4d0e2.exe	backup.exe
PID 1084 wrote to memory of 1716	1084	e8dfed8e5cf7d8f65690d21b1b1db8df7e2ca855e1b3cb963392c6e112a4d0e2.exe	backup.exe
PID 1084 wrote to memory of 1716	1084	e8dfed8e5cf7d8f65690d21b1b1db8df7e2ca855e1b3cb963392c6e112a4d0e2.exe	backup.exe
PID 1084 wrote to memory of 1716	1084	e8dfed8e5cf7d8f65690d21b1b1db8df7e2ca855e1b3cb963392c6e112a4d0e2.exe	backup.exe
PID 1084 wrote to memory of 1716	1084	e8dfed8e5cf7d8f65690d21b1b1db8df7e2ca855e1b3cb963392c6e112a4d0e2.exe	backup.exe
PID 436 wrote to memory of 1160	436	backup.exe	backup.exe
PID 436 wrote to memory of 1160	436	backup.exe	backup.exe
PID 436 wrote to memory of 1160	436	backup.exe	backup.exe
PID 436 wrote to memory of 1160	436	backup.exe	backup.exe
PID 1084 wrote to memory of 1484	1084	e8dfed8e5cf7d8f65690d21b1b1db8df7e2ca855e1b3cb963392c6e112a4d0e2.exe	backup.exe
PID 1084 wrote to memory of 1484	1084	e8dfed8e5cf7d8f65690d21b1b1db8df7e2ca855e1b3cb963392c6e112a4d0e2.exe	backup.exe
PID 1084 wrote to memory of 1484	1084	e8dfed8e5cf7d8f65690d21b1b1db8df7e2ca855e1b3cb963392c6e112a4d0e2.exe	backup.exe
PID 1084 wrote to memory of 1484	1084	e8dfed8e5cf7d8f65690d21b1b1db8df7e2ca855e1b3cb963392c6e112a4d0e2.exe	backup.exe
PID 1160 wrote to memory of 1616	1160	backup.exe	backup.exe
PID 1160 wrote to memory of 1616	1160	backup.exe	backup.exe
PID 1160 wrote to memory of 1616	1160	backup.exe	backup.exe
PID 1160 wrote to memory of 1616	1160	backup.exe	backup.exe
PID 1084 wrote to memory of 2176	1084	e8dfed8e5cf7d8f65690d21b1b1db8df7e2ca855e1b3cb963392c6e112a4d0e2.exe	backup.exe
PID 1084 wrote to memory of 2176	1084	e8dfed8e5cf7d8f65690d21b1b1db8df7e2ca855e1b3cb963392c6e112a4d0e2.exe	backup.exe
PID 1084 wrote to memory of 2176	1084	e8dfed8e5cf7d8f65690d21b1b1db8df7e2ca855e1b3cb963392c6e112a4d0e2.exe	backup.exe
PID 1084 wrote to memory of 2176	1084	e8dfed8e5cf7d8f65690d21b1b1db8df7e2ca855e1b3cb963392c6e112a4d0e2.exe	backup.exe
PID 1616 wrote to memory of 2188	1616	backup.exe	data.exe
PID 1616 wrote to memory of 2188	1616	backup.exe	data.exe
PID 1616 wrote to memory of 2188	1616	backup.exe	data.exe
PID 1616 wrote to memory of 2188	1616	backup.exe	data.exe
PID 1160 wrote to memory of 2476	1160	backup.exe	backup.exe
PID 1160 wrote to memory of 2476	1160	backup.exe	backup.exe
PID 1160 wrote to memory of 2476	1160	backup.exe	backup.exe
PID 1160 wrote to memory of 2476	1160	backup.exe	backup.exe
PID 1084 wrote to memory of 2656	1084	e8dfed8e5cf7d8f65690d21b1b1db8df7e2ca855e1b3cb963392c6e112a4d0e2.exe	update.exe
PID 1084 wrote to memory of 2656	1084	e8dfed8e5cf7d8f65690d21b1b1db8df7e2ca855e1b3cb963392c6e112a4d0e2.exe	update.exe
PID 1084 wrote to memory of 2656	1084	e8dfed8e5cf7d8f65690d21b1b1db8df7e2ca855e1b3cb963392c6e112a4d0e2.exe	update.exe
PID 1084 wrote to memory of 2656	1084	e8dfed8e5cf7d8f65690d21b1b1db8df7e2ca855e1b3cb963392c6e112a4d0e2.exe	update.exe
PID 1084 wrote to memory of 2656	1084	e8dfed8e5cf7d8f65690d21b1b1db8df7e2ca855e1b3cb963392c6e112a4d0e2.exe	update.exe
PID 1084 wrote to memory of 2656	1084	e8dfed8e5cf7d8f65690d21b1b1db8df7e2ca855e1b3cb963392c6e112a4d0e2.exe	update.exe
PID 1084 wrote to memory of 2656	1084	e8dfed8e5cf7d8f65690d21b1b1db8df7e2ca855e1b3cb963392c6e112a4d0e2.exe	update.exe
PID 1160 wrote to memory of 2832	1160	backup.exe	backup.exe
PID 1160 wrote to memory of 2832	1160	backup.exe	backup.exe
PID 1160 wrote to memory of 2832	1160	backup.exe	backup.exe
PID 1160 wrote to memory of 2832	1160	backup.exe	backup.exe
PID 2476 wrote to memory of 2964	2476	backup.exe	backup.exe
PID 2476 wrote to memory of 2964	2476	backup.exe	backup.exe
PID 2476 wrote to memory of 2964	2476	backup.exe	backup.exe
PID 2476 wrote to memory of 2964	2476	backup.exe	backup.exe
PID 1084 wrote to memory of 1688	1084	e8dfed8e5cf7d8f65690d21b1b1db8df7e2ca855e1b3cb963392c6e112a4d0e2.exe	backup.exe
PID 1084 wrote to memory of 1688	1084	e8dfed8e5cf7d8f65690d21b1b1db8df7e2ca855e1b3cb963392c6e112a4d0e2.exe	backup.exe
PID 1084 wrote to memory of 1688	1084	e8dfed8e5cf7d8f65690d21b1b1db8df7e2ca855e1b3cb963392c6e112a4d0e2.exe	backup.exe
PID 1084 wrote to memory of 1688	1084	e8dfed8e5cf7d8f65690d21b1b1db8df7e2ca855e1b3cb963392c6e112a4d0e2.exe	backup.exe
PID 2832 wrote to memory of 1592	2832	backup.exe	backup.exe
PID 2832 wrote to memory of 1592	2832	backup.exe	backup.exe
PID 2832 wrote to memory of 1592	2832	backup.exe	backup.exe
PID 2832 wrote to memory of 1592	2832	backup.exe	backup.exe
PID 1160 wrote to memory of 860	1160	backup.exe	backup.exe
PID 1160 wrote to memory of 860	1160	backup.exe	backup.exe
PID 1160 wrote to memory of 860	1160	backup.exe	backup.exe
PID 1160 wrote to memory of 860	1160	backup.exe	backup.exe
PID 2476 wrote to memory of 2088	2476	backup.exe	backup.exe
PID 2476 wrote to memory of 2088	2476	backup.exe	backup.exe
PID 2476 wrote to memory of 2088	2476	backup.exe	backup.exe
PID 2476 wrote to memory of 2088	2476	backup.exe	backup.exe
PID 2964 wrote to memory of 2292	2964	backup.exe	backup.exe

System policy modification 1 TTPs 28 IoCs

evasion

Modify Registry

T1112

Processes:

backup.exeupdate.exebackup.exedata.exebackup.exebackup.exee8dfed8e5cf7d8f65690d21b1b1db8df7e2ca855e1b3cb963392c6e112a4d0e2.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	e8dfed8e5cf7d8f65690d21b1b1db8df7e2ca855e1b3cb963392c6e112a4d0e2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	e8dfed8e5cf7d8f65690d21b1b1db8df7e2ca855e1b3cb963392c6e112a4d0e2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe

C:\Users\Admin\AppData\Local\Temp\e8dfed8e5cf7d8f65690d21b1b1db8df7e2ca855e1b3cb963392c6e112a4d0e2.exe
"C:\Users\Admin\AppData\Local\Temp\e8dfed8e5cf7d8f65690d21b1b1db8df7e2ca855e1b3cb963392c6e112a4d0e2.exe"
1⤵
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1084

C:\Users\Admin\AppData\Local\Temp\326382455\backup.exe
C:\Users\Admin\AppData\Local\Temp\326382455\backup.exe C:\Users\Admin\AppData\Local\Temp\326382455\
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:436

C:\backup.exe
\backup.exe \
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1160

C:\PerfLogs\backup.exe
C:\PerfLogs\backup.exe C:\PerfLogs\
4⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1616

C:\PerfLogs\Admin\data.exe
C:\PerfLogs\Admin\data.exe C:\PerfLogs\Admin\
5⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2188

C:\Program Files\backup.exe
"C:\Program Files\backup.exe" C:\Program Files\
4⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2476

C:\Program Files\7-Zip\backup.exe
"C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
5⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2964

C:\Program Files\7-Zip\Lang\backup.exe
"C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2292

C:\Program Files\Common Files\backup.exe
"C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
5⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2088

C:\Program Files\Common Files\Microsoft Shared\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\backup.exe" C:\Program Files\Common Files\Microsoft Shared\
6⤵
PID:2436

C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
7⤵
PID:4128

C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
7⤵
PID:5176

C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
7⤵
PID:6092

C:\Program Files\Common Files\Services\backup.exe
"C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
6⤵
PID:3128

C:\Program Files\Common Files\SpeechEngines\backup.exe
"C:\Program Files\Common Files\SpeechEngines\backup.exe" C:\Program Files\Common Files\SpeechEngines\
6⤵
PID:3816

C:\Program Files\Common Files\System\backup.exe
"C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
6⤵
PID:4580

C:\Program Files\DVD Maker\backup.exe
"C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\
5⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
PID:2800

C:\Program Files\DVD Maker\en-US\backup.exe
"C:\Program Files\DVD Maker\en-US\backup.exe" C:\Program Files\DVD Maker\en-US\
6⤵
PID:3448

C:\Program Files\DVD Maker\Shared\System Restore.exe
"C:\Program Files\DVD Maker\Shared\System Restore.exe" C:\Program Files\DVD Maker\Shared\
6⤵
PID:4156

C:\Program Files\Google\backup.exe
"C:\Program Files\Google\backup.exe" C:\Program Files\Google\
5⤵
PID:3068

C:\Program Files\Google\Chrome\backup.exe
"C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
6⤵
PID:4436

C:\Program Files\Internet Explorer\System Restore.exe
"C:\Program Files\Internet Explorer\System Restore.exe" C:\Program Files\Internet Explorer\
5⤵
PID:3104

C:\Program Files\Internet Explorer\en-US\update.exe
"C:\Program Files\Internet Explorer\en-US\update.exe" C:\Program Files\Internet Explorer\en-US\
6⤵
PID:6512

C:\Program Files\Java\backup.exe
"C:\Program Files\Java\backup.exe" C:\Program Files\Java\
5⤵
PID:3800

C:\Program Files\Microsoft Office\backup.exe
"C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
5⤵
PID:4464

C:\Program Files\Mozilla Firefox\backup.exe
"C:\Program Files\Mozilla Firefox\backup.exe" C:\Program Files\Mozilla Firefox\
5⤵
PID:5392

C:\Program Files\MSBuild\backup.exe
"C:\Program Files\MSBuild\backup.exe" C:\Program Files\MSBuild\
5⤵
PID:2336

C:\Program Files (x86)\backup.exe
"C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
4⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2832

C:\Program Files (x86)\Adobe\backup.exe
"C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
5⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1592

C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\
6⤵
- Executes dropped EXE
- Identifies Wine through registry keys
PID:2284

C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\
7⤵
PID:3584

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\System Restore.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\System Restore.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\
7⤵
PID:4448

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\
7⤵
PID:5720

C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\update.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\update.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\
7⤵
PID:6228

C:\Program Files (x86)\Common Files\backup.exe
"C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
5⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:972

C:\Program Files (x86)\Common Files\Adobe\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
6⤵
PID:3116

C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe
"C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\
6⤵
PID:3920

C:\Program Files (x86)\Common Files\DESIGNER\backup.exe
"C:\Program Files (x86)\Common Files\DESIGNER\backup.exe" C:\Program Files (x86)\Common Files\DESIGNER\
6⤵
PID:4640

C:\Program Files (x86)\Common Files\microsoft shared\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\
6⤵
PID:5856

C:\Program Files (x86)\Common Files\Services\backup.exe
"C:\Program Files (x86)\Common Files\Services\backup.exe" C:\Program Files (x86)\Common Files\Services\
6⤵
PID:6400

C:\Program Files (x86)\Google\backup.exe
"C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
5⤵
- Executes dropped EXE
- Identifies Wine through registry keys
PID:1680

C:\Program Files (x86)\Google\CrashReports\backup.exe
"C:\Program Files (x86)\Google\CrashReports\backup.exe" C:\Program Files (x86)\Google\CrashReports\
6⤵
PID:3500

C:\Program Files (x86)\Google\Policies\backup.exe
"C:\Program Files (x86)\Google\Policies\backup.exe" C:\Program Files (x86)\Google\Policies\
6⤵
PID:4284

C:\Program Files (x86)\Google\Temp\data.exe
"C:\Program Files (x86)\Google\Temp\data.exe" C:\Program Files (x86)\Google\Temp\
6⤵
PID:5112

C:\Program Files (x86)\Google\Update\backup.exe
"C:\Program Files (x86)\Google\Update\backup.exe" C:\Program Files (x86)\Google\Update\
6⤵
PID:5968

C:\Program Files (x86)\Internet Explorer\backup.exe
"C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
5⤵
PID:1120

C:\Program Files (x86)\Internet Explorer\en-US\backup.exe
"C:\Program Files (x86)\Internet Explorer\en-US\backup.exe" C:\Program Files (x86)\Internet Explorer\en-US\
6⤵
PID:5380

C:\Program Files (x86)\Internet Explorer\SIGNUP\backup.exe
"C:\Program Files (x86)\Internet Explorer\SIGNUP\backup.exe" C:\Program Files (x86)\Internet Explorer\SIGNUP\
6⤵
PID:6080

C:\Program Files (x86)\Microsoft Analysis Services\backup.exe
"C:\Program Files (x86)\Microsoft Analysis Services\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\
5⤵
PID:3572

C:\Program Files (x86)\Microsoft Office\backup.exe
"C:\Program Files (x86)\Microsoft Office\backup.exe" C:\Program Files (x86)\Microsoft Office\
5⤵
PID:4412

C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe
"C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\
5⤵
PID:5636

C:\Program Files (x86)\Microsoft Sync Framework\backup.exe
"C:\Program Files (x86)\Microsoft Sync Framework\backup.exe" C:\Program Files (x86)\Microsoft Sync Framework\
5⤵
PID:2644

C:\Users\backup.exe
C:\Users\backup.exe C:\Users\
4⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:860

C:\Users\Admin\System Restore.exe
"C:\Users\Admin\System Restore.exe" C:\Users\Admin\
5⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
PID:836

C:\Users\Admin\Contacts\backup.exe
C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
6⤵
PID:3436

C:\Users\Admin\Desktop\backup.exe
C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
6⤵
PID:4116

C:\Users\Admin\Documents\backup.exe
C:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\
6⤵
PID:4752

C:\Users\Admin\Downloads\backup.exe
C:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\
6⤵
PID:5832

C:\Users\Admin\Favorites\backup.exe
C:\Users\Admin\Favorites\backup.exe C:\Users\Admin\Favorites\
6⤵
PID:2636

C:\Users\Public\backup.exe
C:\Users\Public\backup.exe C:\Users\Public\
5⤵
PID:1984

C:\Users\Public\Documents\backup.exe
C:\Users\Public\Documents\backup.exe C:\Users\Public\Documents\
6⤵
PID:4588

C:\Users\Public\Downloads\backup.exe
C:\Users\Public\Downloads\backup.exe C:\Users\Public\Downloads\
6⤵
PID:5844

C:\Users\Public\Music\backup.exe
C:\Users\Public\Music\backup.exe C:\Users\Public\Music\
6⤵
PID:6408

C:\Windows\backup.exe
C:\Windows\backup.exe C:\Windows\
4⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:924

C:\Windows\addins\backup.exe
C:\Windows\addins\backup.exe C:\Windows\addins\
5⤵
PID:3076

C:\Windows\AppCompat\data.exe
C:\Windows\AppCompat\data.exe C:\Windows\AppCompat\
5⤵
PID:3668

C:\Windows\AppPatch\backup.exe
C:\Windows\AppPatch\backup.exe C:\Windows\AppPatch\
5⤵
PID:4424

C:\Windows\assembly\backup.exe
C:\Windows\assembly\backup.exe C:\Windows\assembly\
5⤵
PID:5648

C:\Windows\Branding\backup.exe
C:\Windows\Branding\backup.exe C:\Windows\Branding\
5⤵
PID:6188

C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1716

C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1484

C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2176

C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\update.exe
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\update.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2656

C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1688

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\data.exe
MD5
f621e1e1e3a4f4d618de6a9d6a3e6e89

SHA1
0069412820e5aa0fbd83b4fd4353903bfa214299

SHA256
f42dc886515b7bc8c05a182e7ddd012bca58608517a6b76cdb269f4cc7b780f4

SHA512
3459941befad5425ccfeed547a423de4a41c1e1344dde5bf388c3fa2b82644e652af6863b3f69fd14b6355c95965c31884e6eb507129a69ac00aaa6fd627576a

Download Submit
C:\PerfLogs\backup.exe
MD5
59949bf153c36f7f8c6ac51413100c37

SHA1
d3f5395fcff23cf6e9a692d9c6e95752e999d1a7

SHA256
219aa0852e62ae20936767419de033a0c4fa207dcf1a337f3ba2ab5b197b0ed6

SHA512
f8d3095a9283bcdde91fbb93a7135287e7084449f6efed3d9fe132a4c2db890f0dbb23437bb9dc2acc961b20cb57e0c635c2085cde90a4587a595fdb134d0e13

Download Submit
C:\PerfLogs\backup.exe
MD5
59949bf153c36f7f8c6ac51413100c37

SHA1
d3f5395fcff23cf6e9a692d9c6e95752e999d1a7

SHA256
219aa0852e62ae20936767419de033a0c4fa207dcf1a337f3ba2ab5b197b0ed6

SHA512
f8d3095a9283bcdde91fbb93a7135287e7084449f6efed3d9fe132a4c2db890f0dbb23437bb9dc2acc961b20cb57e0c635c2085cde90a4587a595fdb134d0e13

Download Submit
C:\Program Files (x86)\Adobe\backup.exe
MD5
f6c9778bab6138068d95f594eca34362

SHA1
24bf52314d936548507f777e169abc04802645ff

SHA256
d8c958da14e3da65fb72074d11acb5d945ddc06d7c674d7c057acd63abe39b6d

SHA512
726d56ae8e44ea7ea80eb3ce5b59007e6da5825d9212a37da2acc4c29ec32868cc6983b049d31f2c9aa2bf8b20490d195fa31f0ee9427fd0e055109353c695dc

Download Submit
C:\Program Files (x86)\Common Files\backup.exe
MD5
e99b235d16237849aa3c54d84dbae3c6

SHA1
bf38921aa736d9f8893419efa66fcaf8aa423ed2

SHA256
e20ccefe8523ec8af7ce342192cc0b523df5221506d93c841e31dfb9706f44aa

SHA512
b6d7d6415a5d1f7975511485ab32d0ec4cfb890cee6661a1d6507675dac2f410153efb057d01397961cfe839e978ea98273efc3753870037ef1a9471cc3eaa46

Download Submit
C:\Program Files (x86)\backup.exe
MD5
c9e3a67fdc46583f494fcc92d58f5736

SHA1
de1b5e83603947cb0f05fb5ab8a6d313ce933e63

SHA256
5a26b138a8436186e1e2f36ad6ec2f89a56a7fc452a0b22a37fdd52ce45e462a

SHA512
3e7f6d54b00e68f86e62226d728266f7042b2a543f48ad9fc6ace6d090d501900437f7e544fd5b44935be01f3732664d66bb1ee87759323634840983462b2322

Download Submit
C:\Program Files (x86)\backup.exe
MD5
c9e3a67fdc46583f494fcc92d58f5736

SHA1
de1b5e83603947cb0f05fb5ab8a6d313ce933e63

SHA256
5a26b138a8436186e1e2f36ad6ec2f89a56a7fc452a0b22a37fdd52ce45e462a

SHA512
3e7f6d54b00e68f86e62226d728266f7042b2a543f48ad9fc6ace6d090d501900437f7e544fd5b44935be01f3732664d66bb1ee87759323634840983462b2322

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe
MD5
196b46475f58c1221ff333b5263d1c67

SHA1
6b4381b6479cae75f8fb27f8bc91e792fec69645

SHA256
104a8f774c523c9dda8cb4f73305cc97f47ffef3081a928d9d0494883d382665

SHA512
8771eb2de8b8bbd164509b7e47ac9ffa84129b1f74a99569d1cf0e1056d4972565fbbf39b7403c94d2bf77fc45ea03ef2e1dd7ec5704aa421b881ad016bd8fdc

Download Submit
C:\Program Files\7-Zip\backup.exe
MD5
e5c8c79bebf72794ecc62cc5fa133478

SHA1
ff36504e66e268fb27193149b39a55bad2b79a6c

SHA256
bbfcb916ba227ba1bb97f934e41d27c6a5ac0a4cad8caf49d16c3d78362fd09f

SHA512
a0edca947e1ab20c02f43d233f298bf65eb743cfaebadf7d8e1ce63396be7be141c28a58ddd72fc77025e7ef4cd33debd09fbfbb4d260e30f5d248b2baf2d9c6

Download Submit
C:\Program Files\7-Zip\backup.exe
MD5
e5c8c79bebf72794ecc62cc5fa133478

SHA1
ff36504e66e268fb27193149b39a55bad2b79a6c

SHA256
bbfcb916ba227ba1bb97f934e41d27c6a5ac0a4cad8caf49d16c3d78362fd09f

SHA512
a0edca947e1ab20c02f43d233f298bf65eb743cfaebadf7d8e1ce63396be7be141c28a58ddd72fc77025e7ef4cd33debd09fbfbb4d260e30f5d248b2baf2d9c6

Download Submit
C:\Program Files\Common Files\backup.exe
MD5
5c43d5b885de1a5c56a19fd817257967

SHA1
8c73312835e3c6b8825eb267765882418ecc9a4d

SHA256
444bdc23857633e1b447fd8b523428ef02aab3448653f97474b67b223a31855d

SHA512
7aa0792b7aa109cdeb31d74a191ae3efbed7e8e6116a1a65bb288b9203074eb605fe2dd6a0791f94d6e742200261f2ce51d595492bdd864a76c8e98c7ac18ec4

Download Submit
C:\Program Files\DVD Maker\backup.exe
MD5
4418e09e57ece8ebe41e0c65b75b6e31

SHA1
33170a257832674b4d0c087708daae99c123afac

SHA256
302ef4714b32574d8d5c96a8b58e666903d75684903218aed71a91de58d898ab

SHA512
6c3067e5c211c83655c775ddb0706b1fa7efe83539269a0ddfde6bd9413854cae60f394ac6dd9771aeb0323820113166f07494b8dd9a0374dc662def333a176a

Download Submit
C:\Program Files\backup.exe
MD5
867c9c1d5657987debc689a4450553cf

SHA1
6a59d0deb224d999b13c39f6c8c55c7a43b7bff5

SHA256
942845f4ee89cb7204ba7af79f3cb8182486cfc2fa33679cc44d25381e11fb7c

SHA512
e44e6e5ab72d6f5b424457456388d294de08795b14a75aa80020844bd3e9d2d59a3ffb5daf0472509ab650fc6dad156906e0d73f0f00f20428d2643af30e3c39

Download Submit
C:\Program Files\backup.exe
MD5
867c9c1d5657987debc689a4450553cf

SHA1
6a59d0deb224d999b13c39f6c8c55c7a43b7bff5

SHA256
942845f4ee89cb7204ba7af79f3cb8182486cfc2fa33679cc44d25381e11fb7c

SHA512
e44e6e5ab72d6f5b424457456388d294de08795b14a75aa80020844bd3e9d2d59a3ffb5daf0472509ab650fc6dad156906e0d73f0f00f20428d2643af30e3c39

Download Submit
C:\Users\Admin\AppData\Local\Temp\326382455\backup.exe
MD5
92b7b3f225f48c24c225f1dc84a41b75

SHA1
7f88bf2df945aec36ae99074585fb680d34c4cbd

SHA256
73628e04dff0f1033c4112d227eb38bce209d8ea60952309d9254b20a9235e03

SHA512
ee247915fb315d5a0e57cfb80150128b2cb69e614492ceaa55c79e9b07bb52bc2715515fce2c36ba771e1d93bd42423c9984ff3e4bb2ffe3717d7a5ec0415dbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\326382455\backup.exe
MD5
92b7b3f225f48c24c225f1dc84a41b75

SHA1
7f88bf2df945aec36ae99074585fb680d34c4cbd

SHA256
73628e04dff0f1033c4112d227eb38bce209d8ea60952309d9254b20a9235e03

SHA512
ee247915fb315d5a0e57cfb80150128b2cb69e614492ceaa55c79e9b07bb52bc2715515fce2c36ba771e1d93bd42423c9984ff3e4bb2ffe3717d7a5ec0415dbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
MD5
9c96cf89e4098f05cac1e4747a4ef933

SHA1
e67ff44e03204fb6d4d76169a900bd7773a4dd57

SHA256
ddd85fa5330b7652c020391ddd31729d4dea9b608566b2d11eade4aca76504d3

SHA512
47a17ed7f8308efdacb127baf76a30d0abefaa814bcd505a7df46ff4fee02aa0930f123a38382b9e1fc90879ca74b8d59f38e7d14b274cbc019a186c493ea1f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
MD5
a6b2ba7dafeff5940f17af6605df9b31

SHA1
358014584660255fac0d1d9e1df51c5d976cb078

SHA256
4f16f67a2cca33e2432587f2c86dcf9fdc8ccc7bbb6c4af24da15cdd4970738a

SHA512
20a4695ac07c153350367698b8e243d21f80ec65d70b54cb196867df0231b08663001f0e8a487e06827fb3077aa1d159b92ffc2b1da06095eba3d3464230838e

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
MD5
f90c2df1a49af20540e6f3b196f047ee

SHA1
e4b46517b3dbf74ef3a7424effff1668b3bea86b

SHA256
69fccff99b39523082c0b2bb794c3e2de7bf8df7715a14b91160729c986ff17f

SHA512
beee21d2d0979493f2d0878cd821bbd07a62af76d44f59cd94171da885306100ffa640aefe76b71eace7f31b2b5944a77171068d7d954e692e836055cdbafe32

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
MD5
922d34dbe0f50ccc16bf557aff237c9a

SHA1
ec39a3a3c86c1b28b9782c9390b3535c401b884b

SHA256
6b0994e664328fed0837e79e72c44fb2f1893786305849a6b6e2c19717a270f0

SHA512
6010dd8eb1abd29574ed4568d7504be2ce49d84a28c0b9be396e1411a72704bb96065a21ac1d227557e9fd19a7837bc9bdfa76fe13d19f8648292a8add77b2c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\update.exe
MD5
873e24ca587c9988f75be25b59ab3441

SHA1
c8337616159df3d04d45d88d6224bc7aef030e82

SHA256
6987202cb21c781954ae25d21dac36dcdfdc05dd97e6ed551db9904b0afea640

SHA512
6ac47bb2b7000b622b675a2c93ad7c36148163b079adc24a5218d81f37c50455fe08aaac9e5d302b0b63fa0dd40be5dbbec28fb83d4cb346bda07e305cd12dc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\update.exe
MD5
873e24ca587c9988f75be25b59ab3441

SHA1
c8337616159df3d04d45d88d6224bc7aef030e82

SHA256
6987202cb21c781954ae25d21dac36dcdfdc05dd97e6ed551db9904b0afea640

SHA512
6ac47bb2b7000b622b675a2c93ad7c36148163b079adc24a5218d81f37c50455fe08aaac9e5d302b0b63fa0dd40be5dbbec28fb83d4cb346bda07e305cd12dc6

Download Submit
C:\Users\backup.exe
MD5
b8166b2c29a7d1e15a5c9d449fa69f90

SHA1
88dff9cafed65284ed4996e0bb00e7860c6c52d6

SHA256
1d97d3d51004935c1d8fab1558996b2759b799f73b4f2e1ad762bd7ee440d10e

SHA512
a91516aa64909d2799f763d01aa0d703b46173fdae815172228aa4b159801e16885dcae13c916a25104c98e0d582e13be127b42ce413f0e22a1a62322f37e51a

Download Submit
C:\Users\backup.exe
MD5
b8166b2c29a7d1e15a5c9d449fa69f90

SHA1
88dff9cafed65284ed4996e0bb00e7860c6c52d6

SHA256
1d97d3d51004935c1d8fab1558996b2759b799f73b4f2e1ad762bd7ee440d10e

SHA512
a91516aa64909d2799f763d01aa0d703b46173fdae815172228aa4b159801e16885dcae13c916a25104c98e0d582e13be127b42ce413f0e22a1a62322f37e51a

Download Submit
C:\Windows\backup.exe
MD5
264cfc9277cbfb9ea760ab5841a1d26c

SHA1
7e5795ddc79a233f187d863863e68c2a27bbdd4d

SHA256
0acc34b47453228abf0ccd66845563ad9f4f4f98886e5409092f0f471f43b7b0

SHA512
8105b0b64b29870e51ea7df84865efc2d9315e76280b0af10846d483b8c0ec9a97d8da537fc6fc044dc561153333f9a8cadacf3f12d137866273180460a9cff6

Download Submit
C:\backup.exe
MD5
57d85f6fca034dbe82318196c9c8c869

SHA1
7ab75ae31aa65fcd016c8631524423ba33a54d2f

SHA256
868fe4e8994e62355c8cb9f1c982bcd25521c3f8af74be549751dec5a0ee120e

SHA512
03a58bd0666f31b3eec679366457c25b44f7d985ef1096994f67c923128e26ca48b309c8f2951f4589eb913e9c3e7561de8d50ccab5bd7e74780b81387898236

Download Submit
C:\backup.exe
MD5
57d85f6fca034dbe82318196c9c8c869

SHA1
7ab75ae31aa65fcd016c8631524423ba33a54d2f

SHA256
868fe4e8994e62355c8cb9f1c982bcd25521c3f8af74be549751dec5a0ee120e

SHA512
03a58bd0666f31b3eec679366457c25b44f7d985ef1096994f67c923128e26ca48b309c8f2951f4589eb913e9c3e7561de8d50ccab5bd7e74780b81387898236

Download Submit
\PerfLogs\Admin\data.exe
MD5
f621e1e1e3a4f4d618de6a9d6a3e6e89

SHA1
0069412820e5aa0fbd83b4fd4353903bfa214299

SHA256
f42dc886515b7bc8c05a182e7ddd012bca58608517a6b76cdb269f4cc7b780f4

SHA512
3459941befad5425ccfeed547a423de4a41c1e1344dde5bf388c3fa2b82644e652af6863b3f69fd14b6355c95965c31884e6eb507129a69ac00aaa6fd627576a

Download Submit
\PerfLogs\Admin\data.exe
MD5
f621e1e1e3a4f4d618de6a9d6a3e6e89

SHA1
0069412820e5aa0fbd83b4fd4353903bfa214299

SHA256
f42dc886515b7bc8c05a182e7ddd012bca58608517a6b76cdb269f4cc7b780f4

SHA512
3459941befad5425ccfeed547a423de4a41c1e1344dde5bf388c3fa2b82644e652af6863b3f69fd14b6355c95965c31884e6eb507129a69ac00aaa6fd627576a

Download Submit
\PerfLogs\backup.exe
MD5
59949bf153c36f7f8c6ac51413100c37

SHA1
d3f5395fcff23cf6e9a692d9c6e95752e999d1a7

SHA256
219aa0852e62ae20936767419de033a0c4fa207dcf1a337f3ba2ab5b197b0ed6

SHA512
f8d3095a9283bcdde91fbb93a7135287e7084449f6efed3d9fe132a4c2db890f0dbb23437bb9dc2acc961b20cb57e0c635c2085cde90a4587a595fdb134d0e13

Download Submit
\PerfLogs\backup.exe
MD5
59949bf153c36f7f8c6ac51413100c37

SHA1
d3f5395fcff23cf6e9a692d9c6e95752e999d1a7

SHA256
219aa0852e62ae20936767419de033a0c4fa207dcf1a337f3ba2ab5b197b0ed6

SHA512
f8d3095a9283bcdde91fbb93a7135287e7084449f6efed3d9fe132a4c2db890f0dbb23437bb9dc2acc961b20cb57e0c635c2085cde90a4587a595fdb134d0e13

Download Submit
\Program Files (x86)\Adobe\backup.exe
MD5
f6c9778bab6138068d95f594eca34362

SHA1
24bf52314d936548507f777e169abc04802645ff

SHA256
d8c958da14e3da65fb72074d11acb5d945ddc06d7c674d7c057acd63abe39b6d

SHA512
726d56ae8e44ea7ea80eb3ce5b59007e6da5825d9212a37da2acc4c29ec32868cc6983b049d31f2c9aa2bf8b20490d195fa31f0ee9427fd0e055109353c695dc

Download Submit
\Program Files (x86)\Adobe\backup.exe
MD5
f6c9778bab6138068d95f594eca34362

SHA1
24bf52314d936548507f777e169abc04802645ff

SHA256
d8c958da14e3da65fb72074d11acb5d945ddc06d7c674d7c057acd63abe39b6d

SHA512
726d56ae8e44ea7ea80eb3ce5b59007e6da5825d9212a37da2acc4c29ec32868cc6983b049d31f2c9aa2bf8b20490d195fa31f0ee9427fd0e055109353c695dc

Download Submit
\Program Files (x86)\Common Files\backup.exe
MD5
e99b235d16237849aa3c54d84dbae3c6

SHA1
bf38921aa736d9f8893419efa66fcaf8aa423ed2

SHA256
e20ccefe8523ec8af7ce342192cc0b523df5221506d93c841e31dfb9706f44aa

SHA512
b6d7d6415a5d1f7975511485ab32d0ec4cfb890cee6661a1d6507675dac2f410153efb057d01397961cfe839e978ea98273efc3753870037ef1a9471cc3eaa46

Download Submit
\Program Files (x86)\Common Files\backup.exe
MD5
e99b235d16237849aa3c54d84dbae3c6

SHA1
bf38921aa736d9f8893419efa66fcaf8aa423ed2

SHA256
e20ccefe8523ec8af7ce342192cc0b523df5221506d93c841e31dfb9706f44aa

SHA512
b6d7d6415a5d1f7975511485ab32d0ec4cfb890cee6661a1d6507675dac2f410153efb057d01397961cfe839e978ea98273efc3753870037ef1a9471cc3eaa46

Download Submit
\Program Files (x86)\backup.exe
MD5
c9e3a67fdc46583f494fcc92d58f5736

SHA1
de1b5e83603947cb0f05fb5ab8a6d313ce933e63

SHA256
5a26b138a8436186e1e2f36ad6ec2f89a56a7fc452a0b22a37fdd52ce45e462a

SHA512
3e7f6d54b00e68f86e62226d728266f7042b2a543f48ad9fc6ace6d090d501900437f7e544fd5b44935be01f3732664d66bb1ee87759323634840983462b2322

Download Submit
\Program Files (x86)\backup.exe
MD5
c9e3a67fdc46583f494fcc92d58f5736

SHA1
de1b5e83603947cb0f05fb5ab8a6d313ce933e63

SHA256
5a26b138a8436186e1e2f36ad6ec2f89a56a7fc452a0b22a37fdd52ce45e462a

SHA512
3e7f6d54b00e68f86e62226d728266f7042b2a543f48ad9fc6ace6d090d501900437f7e544fd5b44935be01f3732664d66bb1ee87759323634840983462b2322

Download Submit
\Program Files\7-Zip\Lang\backup.exe
MD5
196b46475f58c1221ff333b5263d1c67

SHA1
6b4381b6479cae75f8fb27f8bc91e792fec69645

SHA256
104a8f774c523c9dda8cb4f73305cc97f47ffef3081a928d9d0494883d382665

SHA512
8771eb2de8b8bbd164509b7e47ac9ffa84129b1f74a99569d1cf0e1056d4972565fbbf39b7403c94d2bf77fc45ea03ef2e1dd7ec5704aa421b881ad016bd8fdc

Download Submit
\Program Files\7-Zip\Lang\backup.exe
MD5
196b46475f58c1221ff333b5263d1c67

SHA1
6b4381b6479cae75f8fb27f8bc91e792fec69645

SHA256
104a8f774c523c9dda8cb4f73305cc97f47ffef3081a928d9d0494883d382665

SHA512
8771eb2de8b8bbd164509b7e47ac9ffa84129b1f74a99569d1cf0e1056d4972565fbbf39b7403c94d2bf77fc45ea03ef2e1dd7ec5704aa421b881ad016bd8fdc

Download Submit
\Program Files\7-Zip\backup.exe
MD5
e5c8c79bebf72794ecc62cc5fa133478

SHA1
ff36504e66e268fb27193149b39a55bad2b79a6c

SHA256
bbfcb916ba227ba1bb97f934e41d27c6a5ac0a4cad8caf49d16c3d78362fd09f

SHA512
a0edca947e1ab20c02f43d233f298bf65eb743cfaebadf7d8e1ce63396be7be141c28a58ddd72fc77025e7ef4cd33debd09fbfbb4d260e30f5d248b2baf2d9c6

Download Submit
\Program Files\7-Zip\backup.exe
MD5
e5c8c79bebf72794ecc62cc5fa133478

SHA1
ff36504e66e268fb27193149b39a55bad2b79a6c

SHA256
bbfcb916ba227ba1bb97f934e41d27c6a5ac0a4cad8caf49d16c3d78362fd09f

SHA512
a0edca947e1ab20c02f43d233f298bf65eb743cfaebadf7d8e1ce63396be7be141c28a58ddd72fc77025e7ef4cd33debd09fbfbb4d260e30f5d248b2baf2d9c6

Download Submit
\Program Files\Common Files\backup.exe
MD5
5c43d5b885de1a5c56a19fd817257967

SHA1
8c73312835e3c6b8825eb267765882418ecc9a4d

SHA256
444bdc23857633e1b447fd8b523428ef02aab3448653f97474b67b223a31855d

SHA512
7aa0792b7aa109cdeb31d74a191ae3efbed7e8e6116a1a65bb288b9203074eb605fe2dd6a0791f94d6e742200261f2ce51d595492bdd864a76c8e98c7ac18ec4

Download Submit
\Program Files\Common Files\backup.exe
MD5
5c43d5b885de1a5c56a19fd817257967

SHA1
8c73312835e3c6b8825eb267765882418ecc9a4d

SHA256
444bdc23857633e1b447fd8b523428ef02aab3448653f97474b67b223a31855d

SHA512
7aa0792b7aa109cdeb31d74a191ae3efbed7e8e6116a1a65bb288b9203074eb605fe2dd6a0791f94d6e742200261f2ce51d595492bdd864a76c8e98c7ac18ec4

Download Submit
\Program Files\DVD Maker\backup.exe
MD5
4418e09e57ece8ebe41e0c65b75b6e31

SHA1
33170a257832674b4d0c087708daae99c123afac

SHA256
302ef4714b32574d8d5c96a8b58e666903d75684903218aed71a91de58d898ab

SHA512
6c3067e5c211c83655c775ddb0706b1fa7efe83539269a0ddfde6bd9413854cae60f394ac6dd9771aeb0323820113166f07494b8dd9a0374dc662def333a176a

Download Submit
\Program Files\DVD Maker\backup.exe
MD5
4418e09e57ece8ebe41e0c65b75b6e31

SHA1
33170a257832674b4d0c087708daae99c123afac

SHA256
302ef4714b32574d8d5c96a8b58e666903d75684903218aed71a91de58d898ab

SHA512
6c3067e5c211c83655c775ddb0706b1fa7efe83539269a0ddfde6bd9413854cae60f394ac6dd9771aeb0323820113166f07494b8dd9a0374dc662def333a176a

Download Submit
\Program Files\backup.exe
MD5
867c9c1d5657987debc689a4450553cf

SHA1
6a59d0deb224d999b13c39f6c8c55c7a43b7bff5

SHA256
942845f4ee89cb7204ba7af79f3cb8182486cfc2fa33679cc44d25381e11fb7c

SHA512
e44e6e5ab72d6f5b424457456388d294de08795b14a75aa80020844bd3e9d2d59a3ffb5daf0472509ab650fc6dad156906e0d73f0f00f20428d2643af30e3c39

Download Submit
\Program Files\backup.exe
MD5
867c9c1d5657987debc689a4450553cf

SHA1
6a59d0deb224d999b13c39f6c8c55c7a43b7bff5

SHA256
942845f4ee89cb7204ba7af79f3cb8182486cfc2fa33679cc44d25381e11fb7c

SHA512
e44e6e5ab72d6f5b424457456388d294de08795b14a75aa80020844bd3e9d2d59a3ffb5daf0472509ab650fc6dad156906e0d73f0f00f20428d2643af30e3c39

Download Submit
\Users\Admin\AppData\Local\Temp\326382455\backup.exe
MD5
92b7b3f225f48c24c225f1dc84a41b75

SHA1
7f88bf2df945aec36ae99074585fb680d34c4cbd

SHA256
73628e04dff0f1033c4112d227eb38bce209d8ea60952309d9254b20a9235e03

SHA512
ee247915fb315d5a0e57cfb80150128b2cb69e614492ceaa55c79e9b07bb52bc2715515fce2c36ba771e1d93bd42423c9984ff3e4bb2ffe3717d7a5ec0415dbf

Download Submit
\Users\Admin\AppData\Local\Temp\326382455\backup.exe
MD5
92b7b3f225f48c24c225f1dc84a41b75

SHA1
7f88bf2df945aec36ae99074585fb680d34c4cbd

SHA256
73628e04dff0f1033c4112d227eb38bce209d8ea60952309d9254b20a9235e03

SHA512
ee247915fb315d5a0e57cfb80150128b2cb69e614492ceaa55c79e9b07bb52bc2715515fce2c36ba771e1d93bd42423c9984ff3e4bb2ffe3717d7a5ec0415dbf

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe
MD5
9c96cf89e4098f05cac1e4747a4ef933

SHA1
e67ff44e03204fb6d4d76169a900bd7773a4dd57

SHA256
ddd85fa5330b7652c020391ddd31729d4dea9b608566b2d11eade4aca76504d3

SHA512
47a17ed7f8308efdacb127baf76a30d0abefaa814bcd505a7df46ff4fee02aa0930f123a38382b9e1fc90879ca74b8d59f38e7d14b274cbc019a186c493ea1f9

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe
MD5
9c96cf89e4098f05cac1e4747a4ef933

SHA1
e67ff44e03204fb6d4d76169a900bd7773a4dd57

SHA256
ddd85fa5330b7652c020391ddd31729d4dea9b608566b2d11eade4aca76504d3

SHA512
47a17ed7f8308efdacb127baf76a30d0abefaa814bcd505a7df46ff4fee02aa0930f123a38382b9e1fc90879ca74b8d59f38e7d14b274cbc019a186c493ea1f9

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
MD5
a6b2ba7dafeff5940f17af6605df9b31

SHA1
358014584660255fac0d1d9e1df51c5d976cb078

SHA256
4f16f67a2cca33e2432587f2c86dcf9fdc8ccc7bbb6c4af24da15cdd4970738a

SHA512
20a4695ac07c153350367698b8e243d21f80ec65d70b54cb196867df0231b08663001f0e8a487e06827fb3077aa1d159b92ffc2b1da06095eba3d3464230838e

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
MD5
a6b2ba7dafeff5940f17af6605df9b31

SHA1
358014584660255fac0d1d9e1df51c5d976cb078

SHA256
4f16f67a2cca33e2432587f2c86dcf9fdc8ccc7bbb6c4af24da15cdd4970738a

SHA512
20a4695ac07c153350367698b8e243d21f80ec65d70b54cb196867df0231b08663001f0e8a487e06827fb3077aa1d159b92ffc2b1da06095eba3d3464230838e

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
MD5
f90c2df1a49af20540e6f3b196f047ee

SHA1
e4b46517b3dbf74ef3a7424effff1668b3bea86b

SHA256
69fccff99b39523082c0b2bb794c3e2de7bf8df7715a14b91160729c986ff17f

SHA512
beee21d2d0979493f2d0878cd821bbd07a62af76d44f59cd94171da885306100ffa640aefe76b71eace7f31b2b5944a77171068d7d954e692e836055cdbafe32

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
MD5
f90c2df1a49af20540e6f3b196f047ee

SHA1
e4b46517b3dbf74ef3a7424effff1668b3bea86b

SHA256
69fccff99b39523082c0b2bb794c3e2de7bf8df7715a14b91160729c986ff17f

SHA512
beee21d2d0979493f2d0878cd821bbd07a62af76d44f59cd94171da885306100ffa640aefe76b71eace7f31b2b5944a77171068d7d954e692e836055cdbafe32

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
MD5
922d34dbe0f50ccc16bf557aff237c9a

SHA1
ec39a3a3c86c1b28b9782c9390b3535c401b884b

SHA256
6b0994e664328fed0837e79e72c44fb2f1893786305849a6b6e2c19717a270f0

SHA512
6010dd8eb1abd29574ed4568d7504be2ce49d84a28c0b9be396e1411a72704bb96065a21ac1d227557e9fd19a7837bc9bdfa76fe13d19f8648292a8add77b2c4

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
MD5
922d34dbe0f50ccc16bf557aff237c9a

SHA1
ec39a3a3c86c1b28b9782c9390b3535c401b884b

SHA256
6b0994e664328fed0837e79e72c44fb2f1893786305849a6b6e2c19717a270f0

SHA512
6010dd8eb1abd29574ed4568d7504be2ce49d84a28c0b9be396e1411a72704bb96065a21ac1d227557e9fd19a7837bc9bdfa76fe13d19f8648292a8add77b2c4

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\update.exe
MD5
873e24ca587c9988f75be25b59ab3441

SHA1
c8337616159df3d04d45d88d6224bc7aef030e82

SHA256
6987202cb21c781954ae25d21dac36dcdfdc05dd97e6ed551db9904b0afea640

SHA512
6ac47bb2b7000b622b675a2c93ad7c36148163b079adc24a5218d81f37c50455fe08aaac9e5d302b0b63fa0dd40be5dbbec28fb83d4cb346bda07e305cd12dc6

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\update.exe
MD5
873e24ca587c9988f75be25b59ab3441

SHA1
c8337616159df3d04d45d88d6224bc7aef030e82

SHA256
6987202cb21c781954ae25d21dac36dcdfdc05dd97e6ed551db9904b0afea640

SHA512
6ac47bb2b7000b622b675a2c93ad7c36148163b079adc24a5218d81f37c50455fe08aaac9e5d302b0b63fa0dd40be5dbbec28fb83d4cb346bda07e305cd12dc6

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\update.exe
MD5
873e24ca587c9988f75be25b59ab3441

SHA1
c8337616159df3d04d45d88d6224bc7aef030e82

SHA256
6987202cb21c781954ae25d21dac36dcdfdc05dd97e6ed551db9904b0afea640

SHA512
6ac47bb2b7000b622b675a2c93ad7c36148163b079adc24a5218d81f37c50455fe08aaac9e5d302b0b63fa0dd40be5dbbec28fb83d4cb346bda07e305cd12dc6

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\update.exe
MD5
873e24ca587c9988f75be25b59ab3441

SHA1
c8337616159df3d04d45d88d6224bc7aef030e82

SHA256
6987202cb21c781954ae25d21dac36dcdfdc05dd97e6ed551db9904b0afea640

SHA512
6ac47bb2b7000b622b675a2c93ad7c36148163b079adc24a5218d81f37c50455fe08aaac9e5d302b0b63fa0dd40be5dbbec28fb83d4cb346bda07e305cd12dc6

Download Submit
\Users\Admin\System Restore.exe
MD5
457b400c66192b46f3b58b49b69006fb

SHA1
11eb36038ad693685ad4951400f965341d1591f6

SHA256
dd03a78edc1a34e000391dccb44f99803cc229fdbddeaa82eb539fac5d761e74

SHA512
f432480eb1b6d16953e1675fa237750291f91bc2017bd37f66eb59cd41db1eefe675f29589a5b8712541709ce4f0bbd941c460a547b35e0dfc7f91f6642b7337

Download Submit
\Users\backup.exe
MD5
b8166b2c29a7d1e15a5c9d449fa69f90

SHA1
88dff9cafed65284ed4996e0bb00e7860c6c52d6

SHA256
1d97d3d51004935c1d8fab1558996b2759b799f73b4f2e1ad762bd7ee440d10e

SHA512
a91516aa64909d2799f763d01aa0d703b46173fdae815172228aa4b159801e16885dcae13c916a25104c98e0d582e13be127b42ce413f0e22a1a62322f37e51a

Download Submit
\Users\backup.exe
MD5
b8166b2c29a7d1e15a5c9d449fa69f90

SHA1
88dff9cafed65284ed4996e0bb00e7860c6c52d6

SHA256
1d97d3d51004935c1d8fab1558996b2759b799f73b4f2e1ad762bd7ee440d10e

SHA512
a91516aa64909d2799f763d01aa0d703b46173fdae815172228aa4b159801e16885dcae13c916a25104c98e0d582e13be127b42ce413f0e22a1a62322f37e51a

Download Submit
memory/436-84-0x0000000000400000-0x00000000008B8000-memory.dmp

Filesize
4.7MB

Download
memory/436-65-0x0000000000000000-mapping.dmp

Download
memory/436-88-0x0000000004870000-0x0000000004871000-memory.dmp

Filesize
4KB

Download
memory/436-89-0x00000000048D0000-0x00000000048D1000-memory.dmp

Filesize
4KB

Download
memory/436-87-0x00000000048B0000-0x00000000048B3000-memory.dmp

Filesize
12KB

Download
memory/436-86-0x00000000047C0000-0x00000000047C1000-memory.dmp

Filesize
4KB

Download
memory/436-85-0x00000000047E0000-0x00000000047E1000-memory.dmp

Filesize
4KB

Download
memory/436-96-0x00000000048E0000-0x00000000048E1000-memory.dmp

Filesize
4KB

Download
memory/436-95-0x0000000004890000-0x0000000004891000-memory.dmp

Filesize
4KB

Download
memory/436-90-0x00000000048A0000-0x00000000048A1000-memory.dmp

Filesize
4KB

Download
memory/436-91-0x00000000048C0000-0x00000000048C1000-memory.dmp

Filesize
4KB

Download
memory/836-253-0x0000000000000000-mapping.dmp

Download
memory/860-217-0x0000000000000000-mapping.dmp

Download
memory/924-238-0x0000000000000000-mapping.dmp

Download
memory/972-236-0x0000000000000000-mapping.dmp

Download
memory/1084-76-0x0000000004870000-0x0000000004871000-memory.dmp

Filesize
4KB

Download
memory/1084-72-0x00000000048D0000-0x00000000048D1000-memory.dmp

Filesize
4KB

Download
memory/1084-73-0x00000000048B0000-0x00000000048B1000-memory.dmp

Filesize
4KB

Download
memory/1084-74-0x00000000048C0000-0x00000000048C1000-memory.dmp

Filesize
4KB

Download
memory/1084-75-0x00000000048E0000-0x00000000048E1000-memory.dmp

Filesize
4KB

Download
memory/1084-70-0x00000000048A0000-0x00000000048A2000-memory.dmp

Filesize
8KB

Download
memory/1084-68-0x0000000004850000-0x0000000004852000-memory.dmp

Filesize
8KB

Download
memory/1084-71-0x0000000004860000-0x0000000004861000-memory.dmp

Filesize
4KB

Download
memory/1084-69-0x0000000004840000-0x0000000004841000-memory.dmp

Filesize
4KB

Download
memory/1084-67-0x0000000000400000-0x00000000008B8000-memory.dmp

Filesize
4.7MB

Download
memory/1084-60-0x00000000752F1000-0x00000000752F3000-memory.dmp

Filesize
8KB

Download
memory/1120-272-0x0000000000000000-mapping.dmp

Download
memory/1160-123-0x00000000048B0000-0x00000000048B2000-memory.dmp

Filesize
8KB

Download
memory/1160-111-0x00000000042F0000-0x00000000042F1000-memory.dmp

Filesize
4KB

Download
memory/1160-129-0x00000000048D0000-0x00000000048D1000-memory.dmp

Filesize
4KB

Download
memory/1160-128-0x00000000048C0000-0x00000000048C1000-memory.dmp

Filesize
4KB

Download
memory/1160-93-0x0000000000000000-mapping.dmp

Download
memory/1160-127-0x00000000048A0000-0x00000000048A1000-memory.dmp

Filesize
4KB

Download
memory/1160-108-0x0000000004350000-0x0000000004351000-memory.dmp

Filesize
4KB

Download
memory/1160-126-0x00000000048E0000-0x00000000048E1000-memory.dmp

Filesize
4KB

Download
memory/1160-122-0x0000000000400000-0x00000000008B8000-memory.dmp

Filesize
4.7MB

Download
memory/1160-124-0x0000000004360000-0x0000000004361000-memory.dmp

Filesize
4KB

Download
memory/1160-125-0x00000000048F0000-0x00000000048F1000-memory.dmp

Filesize
4KB

Download
memory/1484-146-0x0000000000400000-0x00000000008B8000-memory.dmp

Filesize
4.7MB

Download
memory/1484-103-0x0000000000000000-mapping.dmp

Download
memory/1484-148-0x00000000042D0000-0x00000000042D1000-memory.dmp

Filesize
4KB

Download
memory/1484-149-0x00000000042F0000-0x00000000042F1000-memory.dmp

Filesize
4KB

Download
memory/1592-254-0x0000000004200000-0x0000000004201000-memory.dmp

Filesize
4KB

Download
memory/1592-213-0x0000000000000000-mapping.dmp

Download
memory/1616-155-0x00000000048B0000-0x00000000048B1000-memory.dmp

Filesize
4KB

Download
memory/1616-156-0x00000000048C0000-0x00000000048C1000-memory.dmp

Filesize
4KB

Download
memory/1616-113-0x0000000000000000-mapping.dmp

Download
memory/1616-154-0x0000000004890000-0x0000000004891000-memory.dmp

Filesize
4KB

Download
memory/1616-157-0x00000000048E0000-0x00000000048E1000-memory.dmp

Filesize
4KB

Download
memory/1616-153-0x00000000048D0000-0x00000000048D1000-memory.dmp

Filesize
4KB

Download
memory/1616-152-0x0000000004860000-0x0000000004861000-memory.dmp

Filesize
4KB

Download
memory/1616-151-0x00000000048A0000-0x00000000048A2000-memory.dmp

Filesize
8KB

Download
memory/1616-150-0x0000000004840000-0x0000000004841000-memory.dmp

Filesize
4KB

Download
memory/1616-145-0x0000000000400000-0x00000000008B8000-memory.dmp

Filesize
4.7MB

Download
memory/1616-147-0x0000000004850000-0x0000000004852000-memory.dmp

Filesize
8KB

Download
memory/1680-259-0x0000000000000000-mapping.dmp

Download
memory/1688-205-0x0000000000000000-mapping.dmp

Download
memory/1716-117-0x0000000004770000-0x0000000004772000-memory.dmp

Filesize
8KB

Download
memory/1716-121-0x00000000048C0000-0x00000000048C1000-memory.dmp

Filesize
4KB

Download
memory/1716-82-0x0000000000000000-mapping.dmp

Download
memory/1716-99-0x00000000041C0000-0x00000000041C1000-memory.dmp

Filesize
4KB

Download
memory/1716-107-0x0000000000400000-0x00000000008B8000-memory.dmp

Filesize
4.7MB

Download
memory/1716-115-0x0000000004700000-0x0000000004701000-memory.dmp

Filesize
4KB

Download
memory/1716-114-0x0000000004710000-0x0000000004711000-memory.dmp

Filesize
4KB

Download
memory/1716-118-0x0000000004720000-0x0000000004721000-memory.dmp

Filesize
4KB

Download
memory/1716-119-0x00000000048E0000-0x00000000048E1000-memory.dmp

Filesize
4KB

Download
memory/1716-120-0x0000000004750000-0x0000000004751000-memory.dmp

Filesize
4KB

Download
memory/1984-267-0x0000000000000000-mapping.dmp

Download
memory/2088-222-0x0000000000000000-mapping.dmp

Download
memory/2176-187-0x0000000004330000-0x0000000004331000-memory.dmp

Filesize
4KB

Download
memory/2176-188-0x00000000048C0000-0x00000000048C2000-memory.dmp

Filesize
8KB

Download
memory/2176-140-0x0000000000000000-mapping.dmp

Download
memory/2176-181-0x0000000000400000-0x00000000008B8000-memory.dmp

Filesize
4.7MB

Download
memory/2176-189-0x0000000004870000-0x0000000004871000-memory.dmp

Filesize
4KB

Download
memory/2176-186-0x0000000004860000-0x0000000004861000-memory.dmp

Filesize
4KB

Download
memory/2188-167-0x0000000000400000-0x00000000008B8000-memory.dmp

Filesize
4.7MB

Download
memory/2188-168-0x00000000046E0000-0x00000000046E1000-memory.dmp

Filesize
4KB

Download
memory/2188-169-0x00000000046C0000-0x00000000046C1000-memory.dmp

Filesize
4KB

Download
memory/2188-142-0x0000000000000000-mapping.dmp

Download
memory/2188-174-0x0000000004860000-0x0000000004861000-memory.dmp

Filesize
4KB

Download
memory/2188-170-0x0000000004870000-0x0000000004873000-memory.dmp

Filesize
12KB

Download
memory/2188-172-0x00000000048A0000-0x00000000048A1000-memory.dmp

Filesize
4KB

Download
memory/2188-173-0x0000000004890000-0x0000000004891000-memory.dmp

Filesize
4KB

Download
memory/2188-171-0x0000000004830000-0x0000000004831000-memory.dmp

Filesize
4KB

Download
memory/2284-256-0x0000000000000000-mapping.dmp

Download
memory/2292-231-0x0000000000000000-mapping.dmp

Download
memory/2436-266-0x0000000000000000-mapping.dmp

Download
memory/2476-162-0x0000000000000000-mapping.dmp

Download
memory/2656-176-0x0000000000000000-mapping.dmp

Download
memory/2800-243-0x0000000000000000-mapping.dmp

Download
memory/2832-192-0x0000000000000000-mapping.dmp

Download
memory/2964-199-0x0000000000000000-mapping.dmp

Download
memory/3068-263-0x0000000000000000-mapping.dmp

Download
memory/3076-274-0x0000000000000000-mapping.dmp

Download
memory/3104-279-0x0000000000000000-mapping.dmp

Download
memory/3116-280-0x0000000000000000-mapping.dmp

Download
memory/3128-281-0x0000000000000000-mapping.dmp

Download
memory/3436-282-0x0000000000000000-mapping.dmp

Download
memory/3448-283-0x0000000000000000-mapping.dmp

Download
memory/3500-284-0x0000000000000000-mapping.dmp

Download
memory/3572-285-0x0000000000000000-mapping.dmp

Download
memory/3584-286-0x0000000000000000-mapping.dmp

Download
memory/3668-287-0x0000000000000000-mapping.dmp

Download
memory/3800-288-0x0000000000000000-mapping.dmp

Download
memory/3816-289-0x0000000000000000-mapping.dmp

Download
memory/3920-290-0x0000000000000000-mapping.dmp

Download
memory/4116-291-0x0000000000000000-mapping.dmp

Download
memory/4128-292-0x0000000000000000-mapping.dmp

Download
memory/4156-293-0x0000000000000000-mapping.dmp

Download
memory/4284-294-0x0000000000000000-mapping.dmp

Download
memory/4412-295-0x0000000000000000-mapping.dmp

Download
memory/4424-296-0x0000000000000000-mapping.dmp

Download
memory/4436-297-0x0000000000000000-mapping.dmp

Download
memory/4448-298-0x0000000000000000-mapping.dmp

Download
memory/4464-299-0x0000000000000000-mapping.dmp

Download
memory/4580-301-0x0000000000000000-mapping.dmp

Download
memory/4588-300-0x0000000000000000-mapping.dmp

Download
memory/4640-302-0x0000000000000000-mapping.dmp

Download
memory/4752-303-0x0000000000000000-mapping.dmp

Download
memory/5112-304-0x0000000000000000-mapping.dmp

Download
memory/5176-305-0x0000000000000000-mapping.dmp

Download
memory/5380-306-0x0000000000000000-mapping.dmp

Download
memory/5392-307-0x0000000000000000-mapping.dmp

Download
memory/5636-308-0x0000000000000000-mapping.dmp

Download
memory/5648-309-0x0000000000000000-mapping.dmp

Download
memory/5720-310-0x0000000000000000-mapping.dmp

Download
memory/5832-311-0x0000000000000000-mapping.dmp

Download
memory/5844-312-0x0000000000000000-mapping.dmp

Download
memory/5856-313-0x0000000000000000-mapping.dmp

Download
memory/5968-314-0x0000000000000000-mapping.dmp

Download
memory/6080-315-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads