2db00a8d2de4b80168e1398364106bc0dd2b8d8c8cb1fd63f25f4307fb4d48b9

Analysis

max time kernel
188s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
04-10-2022 06:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2db00a8d2de4b80168e1398364106bc0dd2b8d8c8cb1fd63f25f4307fb4d48b9.exe
Size

72KB
MD5

04efb00054ebc700f6f2c09663b5f78c
SHA1

d2518cbf3b6915910fbe53dbea1471c60f8c700d
SHA256

2db00a8d2de4b80168e1398364106bc0dd2b8d8c8cb1fd63f25f4307fb4d48b9
SHA512

1108cc021a2ae609cc18442cfff5e7d97bdebe5011a2ee2ab09e09fb05e1c9de4fe7fd4f48d86f17ef0132fb08464a6a17ddf314b125e847d718eea5158d65b8
SSDEEP

768:rpQNwC3BEc4QEfu0Ei8XxNDINE3BEJwRr3DZA:teThavEjDWguK1A

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 30 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	2db00a8d2de4b80168e1398364106bc0dd2b8d8c8cb1fd63f25f4307fb4d48b9.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Executes dropped EXE 36 IoCs

pid	Process
1248	backup.exe
1792	backup.exe
1172	backup.exe
668	backup.exe
1468	backup.exe
768	backup.exe
324	backup.exe
1716	backup.exe
824	backup.exe
1748	backup.exe
1332	update.exe
108	backup.exe
1988	backup.exe
1416	backup.exe
1784	backup.exe
1324	backup.exe
1456	data.exe
1632	backup.exe
668	backup.exe
1488	backup.exe
756	backup.exe
1644	System Restore.exe
324	backup.exe
1068	backup.exe
1724	backup.exe
680	backup.exe
1924	data.exe
1756	backup.exe
1180	backup.exe
1612	backup.exe
1336	backup.exe
1276	backup.exe
1344	backup.exe
540	backup.exe
1928	backup.exe
384	backup.exe

Loads dropped DLL 64 IoCs

pid	Process
1648	2db00a8d2de4b80168e1398364106bc0dd2b8d8c8cb1fd63f25f4307fb4d48b9.exe
1648	2db00a8d2de4b80168e1398364106bc0dd2b8d8c8cb1fd63f25f4307fb4d48b9.exe
1648	2db00a8d2de4b80168e1398364106bc0dd2b8d8c8cb1fd63f25f4307fb4d48b9.exe
1648	2db00a8d2de4b80168e1398364106bc0dd2b8d8c8cb1fd63f25f4307fb4d48b9.exe
1648	2db00a8d2de4b80168e1398364106bc0dd2b8d8c8cb1fd63f25f4307fb4d48b9.exe
1648	2db00a8d2de4b80168e1398364106bc0dd2b8d8c8cb1fd63f25f4307fb4d48b9.exe
1648	2db00a8d2de4b80168e1398364106bc0dd2b8d8c8cb1fd63f25f4307fb4d48b9.exe
1648	2db00a8d2de4b80168e1398364106bc0dd2b8d8c8cb1fd63f25f4307fb4d48b9.exe
1648	2db00a8d2de4b80168e1398364106bc0dd2b8d8c8cb1fd63f25f4307fb4d48b9.exe
1648	2db00a8d2de4b80168e1398364106bc0dd2b8d8c8cb1fd63f25f4307fb4d48b9.exe
1648	2db00a8d2de4b80168e1398364106bc0dd2b8d8c8cb1fd63f25f4307fb4d48b9.exe
1648	2db00a8d2de4b80168e1398364106bc0dd2b8d8c8cb1fd63f25f4307fb4d48b9.exe
768	backup.exe
768	backup.exe
1648	2db00a8d2de4b80168e1398364106bc0dd2b8d8c8cb1fd63f25f4307fb4d48b9.exe
1648	2db00a8d2de4b80168e1398364106bc0dd2b8d8c8cb1fd63f25f4307fb4d48b9.exe
1716	backup.exe
1716	backup.exe
768	backup.exe
1332	update.exe
1332	update.exe
1332	update.exe
1332	update.exe
1332	update.exe
108	backup.exe
108	backup.exe
108	backup.exe
108	backup.exe
108	backup.exe
1988	backup.exe
1988	backup.exe
1988	backup.exe
1332	update.exe
1332	update.exe
1416	backup.exe
1416	backup.exe
1416	backup.exe
1416	backup.exe
1416	backup.exe
1784	backup.exe
1784	backup.exe
1784	backup.exe
1784	backup.exe
1784	backup.exe
1324	backup.exe
1324	backup.exe
1324	backup.exe
1784	backup.exe
1784	backup.exe
1456	data.exe
1456	data.exe
1456	data.exe
1456	data.exe
1456	data.exe
1632	backup.exe
1632	backup.exe
1632	backup.exe
1456	data.exe
1456	data.exe
668	backup.exe
668	backup.exe
668	backup.exe
1456	data.exe
1456	data.exe

Drops file in Program Files directory 25 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Services\data.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\backup.exe	update.exe
File opened for modification	C:\Program Files (x86)\Adobe\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\Lang\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe	data.exe
File opened for modification	C:\Program Files\Google\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe	data.exe
File opened for modification	C:\Program Files\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe	data.exe
File opened for modification	C:\Program Files\7-Zip\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\System Restore.exe	data.exe
File opened for modification	C:\Program Files (x86)\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe	data.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1648	2db00a8d2de4b80168e1398364106bc0dd2b8d8c8cb1fd63f25f4307fb4d48b9.exe

Suspicious use of SetWindowsHookEx 34 IoCs

pid	Process
1648	2db00a8d2de4b80168e1398364106bc0dd2b8d8c8cb1fd63f25f4307fb4d48b9.exe
1248	backup.exe
1792	backup.exe
1172	backup.exe
668	backup.exe
1468	backup.exe
768	backup.exe
324	backup.exe
1716	backup.exe
824	backup.exe
1748	backup.exe
1332	update.exe
108	backup.exe
1988	backup.exe
1416	backup.exe
1784	backup.exe
1324	backup.exe
1456	data.exe
1632	backup.exe
668	backup.exe
1488	backup.exe
756	backup.exe
1644	System Restore.exe
324	backup.exe
1068	backup.exe
1724	backup.exe
1756	backup.exe
1924	data.exe
1180	backup.exe
1612	backup.exe
1928	backup.exe
1344	backup.exe
540	backup.exe
384	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1648 wrote to memory of 1248	1648	2db00a8d2de4b80168e1398364106bc0dd2b8d8c8cb1fd63f25f4307fb4d48b9.exe	28
PID 1648 wrote to memory of 1248	1648	2db00a8d2de4b80168e1398364106bc0dd2b8d8c8cb1fd63f25f4307fb4d48b9.exe	28
PID 1648 wrote to memory of 1248	1648	2db00a8d2de4b80168e1398364106bc0dd2b8d8c8cb1fd63f25f4307fb4d48b9.exe	28
PID 1648 wrote to memory of 1248	1648	2db00a8d2de4b80168e1398364106bc0dd2b8d8c8cb1fd63f25f4307fb4d48b9.exe	28
PID 1648 wrote to memory of 1792	1648	2db00a8d2de4b80168e1398364106bc0dd2b8d8c8cb1fd63f25f4307fb4d48b9.exe	29
PID 1648 wrote to memory of 1792	1648	2db00a8d2de4b80168e1398364106bc0dd2b8d8c8cb1fd63f25f4307fb4d48b9.exe	29
PID 1648 wrote to memory of 1792	1648	2db00a8d2de4b80168e1398364106bc0dd2b8d8c8cb1fd63f25f4307fb4d48b9.exe	29
PID 1648 wrote to memory of 1792	1648	2db00a8d2de4b80168e1398364106bc0dd2b8d8c8cb1fd63f25f4307fb4d48b9.exe	29
PID 1648 wrote to memory of 1172	1648	2db00a8d2de4b80168e1398364106bc0dd2b8d8c8cb1fd63f25f4307fb4d48b9.exe	30
PID 1648 wrote to memory of 1172	1648	2db00a8d2de4b80168e1398364106bc0dd2b8d8c8cb1fd63f25f4307fb4d48b9.exe	30
PID 1648 wrote to memory of 1172	1648	2db00a8d2de4b80168e1398364106bc0dd2b8d8c8cb1fd63f25f4307fb4d48b9.exe	30
PID 1648 wrote to memory of 1172	1648	2db00a8d2de4b80168e1398364106bc0dd2b8d8c8cb1fd63f25f4307fb4d48b9.exe	30
PID 1648 wrote to memory of 668	1648	2db00a8d2de4b80168e1398364106bc0dd2b8d8c8cb1fd63f25f4307fb4d48b9.exe	31
PID 1648 wrote to memory of 668	1648	2db00a8d2de4b80168e1398364106bc0dd2b8d8c8cb1fd63f25f4307fb4d48b9.exe	31
PID 1648 wrote to memory of 668	1648	2db00a8d2de4b80168e1398364106bc0dd2b8d8c8cb1fd63f25f4307fb4d48b9.exe	31
PID 1648 wrote to memory of 668	1648	2db00a8d2de4b80168e1398364106bc0dd2b8d8c8cb1fd63f25f4307fb4d48b9.exe	31
PID 1648 wrote to memory of 1468	1648	2db00a8d2de4b80168e1398364106bc0dd2b8d8c8cb1fd63f25f4307fb4d48b9.exe	32
PID 1648 wrote to memory of 1468	1648	2db00a8d2de4b80168e1398364106bc0dd2b8d8c8cb1fd63f25f4307fb4d48b9.exe	32
PID 1648 wrote to memory of 1468	1648	2db00a8d2de4b80168e1398364106bc0dd2b8d8c8cb1fd63f25f4307fb4d48b9.exe	32
PID 1648 wrote to memory of 1468	1648	2db00a8d2de4b80168e1398364106bc0dd2b8d8c8cb1fd63f25f4307fb4d48b9.exe	32
PID 1248 wrote to memory of 768	1248	backup.exe	33
PID 1248 wrote to memory of 768	1248	backup.exe	33
PID 1248 wrote to memory of 768	1248	backup.exe	33
PID 1248 wrote to memory of 768	1248	backup.exe	33
PID 1648 wrote to memory of 324	1648	2db00a8d2de4b80168e1398364106bc0dd2b8d8c8cb1fd63f25f4307fb4d48b9.exe	34
PID 1648 wrote to memory of 324	1648	2db00a8d2de4b80168e1398364106bc0dd2b8d8c8cb1fd63f25f4307fb4d48b9.exe	34
PID 1648 wrote to memory of 324	1648	2db00a8d2de4b80168e1398364106bc0dd2b8d8c8cb1fd63f25f4307fb4d48b9.exe	34
PID 1648 wrote to memory of 324	1648	2db00a8d2de4b80168e1398364106bc0dd2b8d8c8cb1fd63f25f4307fb4d48b9.exe	34
PID 768 wrote to memory of 1716	768	backup.exe	35
PID 768 wrote to memory of 1716	768	backup.exe	35
PID 768 wrote to memory of 1716	768	backup.exe	35
PID 768 wrote to memory of 1716	768	backup.exe	35
PID 1648 wrote to memory of 824	1648	2db00a8d2de4b80168e1398364106bc0dd2b8d8c8cb1fd63f25f4307fb4d48b9.exe	36
PID 1648 wrote to memory of 824	1648	2db00a8d2de4b80168e1398364106bc0dd2b8d8c8cb1fd63f25f4307fb4d48b9.exe	36
PID 1648 wrote to memory of 824	1648	2db00a8d2de4b80168e1398364106bc0dd2b8d8c8cb1fd63f25f4307fb4d48b9.exe	36
PID 1648 wrote to memory of 824	1648	2db00a8d2de4b80168e1398364106bc0dd2b8d8c8cb1fd63f25f4307fb4d48b9.exe	36
PID 1716 wrote to memory of 1748	1716	backup.exe	37
PID 1716 wrote to memory of 1748	1716	backup.exe	37
PID 1716 wrote to memory of 1748	1716	backup.exe	37
PID 1716 wrote to memory of 1748	1716	backup.exe	37
PID 768 wrote to memory of 1332	768	backup.exe	38
PID 768 wrote to memory of 1332	768	backup.exe	38
PID 768 wrote to memory of 1332	768	backup.exe	38
PID 768 wrote to memory of 1332	768	backup.exe	38
PID 768 wrote to memory of 1332	768	backup.exe	38
PID 768 wrote to memory of 1332	768	backup.exe	38
PID 768 wrote to memory of 1332	768	backup.exe	38
PID 1332 wrote to memory of 108	1332	update.exe	39
PID 1332 wrote to memory of 108	1332	update.exe	39
PID 1332 wrote to memory of 108	1332	update.exe	39
PID 1332 wrote to memory of 108	1332	update.exe	39
PID 1332 wrote to memory of 108	1332	update.exe	39
PID 1332 wrote to memory of 108	1332	update.exe	39
PID 1332 wrote to memory of 108	1332	update.exe	39
PID 108 wrote to memory of 1988	108	backup.exe	40
PID 108 wrote to memory of 1988	108	backup.exe	40
PID 108 wrote to memory of 1988	108	backup.exe	40
PID 108 wrote to memory of 1988	108	backup.exe	40
PID 108 wrote to memory of 1988	108	backup.exe	40
PID 108 wrote to memory of 1988	108	backup.exe	40
PID 108 wrote to memory of 1988	108	backup.exe	40
PID 1332 wrote to memory of 1416	1332	update.exe	41
PID 1332 wrote to memory of 1416	1332	update.exe	41
PID 1332 wrote to memory of 1416	1332	update.exe	41

System policy modification 1 TTPs 60 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	2db00a8d2de4b80168e1398364106bc0dd2b8d8c8cb1fd63f25f4307fb4d48b9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	2db00a8d2de4b80168e1398364106bc0dd2b8d8c8cb1fd63f25f4307fb4d48b9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe

C:\Users\Admin\AppData\Local\Temp\2db00a8d2de4b80168e1398364106bc0dd2b8d8c8cb1fd63f25f4307fb4d48b9.exe
"C:\Users\Admin\AppData\Local\Temp\2db00a8d2de4b80168e1398364106bc0dd2b8d8c8cb1fd63f25f4307fb4d48b9.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1648
- C:\Users\Admin\AppData\Local\Temp\3227049327\backup.exe
  C:\Users\Admin\AppData\Local\Temp\3227049327\backup.exe C:\Users\Admin\AppData\Local\Temp\3227049327\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1248
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:768
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1716
    - - C:\PerfLogs\Admin\backup.exe
        
        C:\PerfLogs\Admin\backup.exe C:\PerfLogs\Admin\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1748
  - - C:\Program Files\update.exe
      "C:\Program Files\update.exe" C:\Program Files\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1332
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:108
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1988
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1416
      - C:\Program Files\Common Files\Microsoft Shared\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\backup.exe" C:\Program Files\Common Files\Microsoft Shared\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1784
        
        C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1324
        
        C:\Program Files\Common Files\Microsoft Shared\ink\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1456
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1632
        
        C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:668
        
        C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1488
        
        C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:756
        
        C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1644
        
        C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:324
        
        C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1068
        
        C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1180
        
        C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
        8⤵
        Executes dropped EXE
        
        PID:1336
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\
        8⤵
        
        PID:1152
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\
        8⤵
        
        PID:1472
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\
        8⤵
        
        PID:1596
        
        C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\
        8⤵
        
        PID:1316
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\
        8⤵
        
        PID:2184
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1724
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
        7⤵
        Executes dropped EXE
        
        PID:1276
        
        C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
        7⤵
        
        PID:2028
        
        C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\
        7⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1344
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\
        7⤵
        
        PID:1540
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\
        7⤵
        
        PID:2192
      - C:\Program Files\Common Files\Services\data.exe
        
        "C:\Program Files\Common Files\Services\data.exe" C:\Program Files\Common Files\Services\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1924
      - C:\Program Files\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\backup.exe" C:\Program Files\Common Files\SpeechEngines\
        6⤵
        Executes dropped EXE
        
        PID:1344
        
        C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files\Common Files\SpeechEngines\Microsoft\
        7⤵
        
        PID:1432
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        
        PID:748
        
        C:\Program Files\Common Files\System\ado\backup.exe
        
        "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        
        PID:824
        
        C:\Program Files\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
        8⤵
        
        PID:1468
        
        C:\Program Files\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
        8⤵
        
        PID:928
        
        C:\Program Files\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
        8⤵
        
        PID:2116
        
        C:\Program Files\Common Files\System\de-DE\data.exe
        
        "C:\Program Files\Common Files\System\de-DE\data.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        
        PID:1180
        
        C:\Program Files\Common Files\System\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        
        PID:1096
        
        C:\Program Files\Common Files\System\es-ES\data.exe
        
        "C:\Program Files\Common Files\System\es-ES\data.exe" C:\Program Files\Common Files\System\es-ES\
        7⤵
        
        PID:108
        
        C:\Program Files\Common Files\System\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\fr-FR\backup.exe" C:\Program Files\Common Files\System\fr-FR\
        7⤵
        
        PID:2132
    - - C:\Program Files\DVD Maker\backup.exe
        
        "C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\
        5⤵
        Executes dropped EXE
        
        PID:680
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:384
      - C:\Program Files\Google\Chrome\update.exe
        
        "C:\Program Files\Google\Chrome\update.exe" C:\Program Files\Google\Chrome\
        6⤵
        
        PID:844
        
        C:\Program Files\Google\Chrome\Application\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\backup.exe" C:\Program Files\Google\Chrome\Application\
        7⤵
        
        PID:1464
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\
        8⤵
        
        PID:828
        
        C:\Program Files\Google\Chrome\Application\Dictionaries\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\Dictionaries\backup.exe" C:\Program Files\Google\Chrome\Application\Dictionaries\
        8⤵
        
        PID:692
        
        C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe" C:\Program Files\Google\Chrome\Application\SetupMetrics\
        8⤵
        
        PID:1664
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        
        PID:1744
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        
        PID:1992
      - C:\Program Files\Java\jdk1.7.0_80\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\backup.exe" C:\Program Files\Java\jdk1.7.0_80\
        6⤵
        
        PID:752
      - C:\Program Files\Java\jre7\backup.exe
        
        "C:\Program Files\Java\jre7\backup.exe" C:\Program Files\Java\jre7\
        6⤵
        
        PID:1008
    - - C:\Program Files\Microsoft Games\backup.exe
        
        "C:\Program Files\Microsoft Games\backup.exe" C:\Program Files\Microsoft Games\
        5⤵
        
        PID:1488
    - - C:\Program Files\Microsoft Office\backup.exe
        
        "C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
        5⤵
        
        PID:1528
    - - C:\Program Files\Mozilla Firefox\backup.exe
        
        "C:\Program Files\Mozilla Firefox\backup.exe" C:\Program Files\Mozilla Firefox\
        5⤵
        
        PID:2140
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:1756
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1612
      - C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\
        6⤵
        
        PID:948
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\
        7⤵
        
        PID:1316
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\
        7⤵
        
        PID:892
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\
        7⤵
        
        PID:324
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\System Restore.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\
        7⤵
        
        PID:2080
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1928
      - C:\Program Files (x86)\Common Files\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
        6⤵
        
        PID:1580
        
        C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\
        7⤵
        
        PID:560
        
        C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\
        7⤵
        
        PID:1764
        
        C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Updater6\
        7⤵
        
        PID:1652
      - C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\
        6⤵
        
        PID:1300
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        
        PID:1548
      - C:\Program Files (x86)\Google\CrashReports\backup.exe
        
        "C:\Program Files (x86)\Google\CrashReports\backup.exe" C:\Program Files (x86)\Google\CrashReports\
        6⤵
        
        PID:1064
      - C:\Program Files (x86)\Google\Policies\backup.exe
        
        "C:\Program Files (x86)\Google\Policies\backup.exe" C:\Program Files (x86)\Google\Policies\
        6⤵
        
        PID:1092
      - C:\Program Files (x86)\Google\Temp\backup.exe
        
        "C:\Program Files (x86)\Google\Temp\backup.exe" C:\Program Files (x86)\Google\Temp\
        6⤵
        
        PID:744
      - C:\Program Files (x86)\Google\Update\backup.exe
        
        "C:\Program Files (x86)\Google\Update\backup.exe" C:\Program Files (x86)\Google\Update\
        6⤵
        
        PID:2108
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        
        PID:1228
    - - C:\Program Files (x86)\Microsoft Analysis Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\
        5⤵
        
        PID:1432
    - - C:\Program Files (x86)\Microsoft Office\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\backup.exe" C:\Program Files (x86)\Microsoft Office\
        5⤵
        
        PID:632
    - - C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\
        5⤵
        
        PID:1624
    - - C:\Program Files (x86)\Microsoft Sync Framework\backup.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\backup.exe" C:\Program Files (x86)\Microsoft Sync Framework\
        5⤵
        
        PID:2176
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:540
    - - C:\Users\Admin\update.exe
        
        C:\Users\Admin\update.exe C:\Users\Admin\
        5⤵
        
        PID:1504
      - C:\Users\Admin\Contacts\backup.exe
        
        C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
        6⤵
        
        PID:2200
    - - C:\Users\Public\backup.exe
        
        C:\Users\Public\backup.exe C:\Users\Public\
        5⤵
        
        PID:756
      - C:\Users\Public\Documents\backup.exe
        
        C:\Users\Public\Documents\backup.exe C:\Users\Public\Documents\
        6⤵
        
        PID:1076
      - C:\Users\Public\Downloads\backup.exe
        
        C:\Users\Public\Downloads\backup.exe C:\Users\Public\Downloads\
        6⤵
        
        PID:972
      - C:\Users\Public\Music\backup.exe
        
        C:\Users\Public\Music\backup.exe C:\Users\Public\Music\
        6⤵
        
        PID:604
      - C:\Users\Public\Pictures\backup.exe
        
        C:\Users\Public\Pictures\backup.exe C:\Users\Public\Pictures\
        6⤵
        
        PID:2124
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      PID:1564
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1792
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1172
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:668
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1468
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:324
- C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
  C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:824

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
4ab2ba70aef73768b8d7ff12eb3c4ba4

SHA1
d06f331790d55381c2a83eb7c0eba3140e525125

SHA256
7463ebd6730ea30ef81fb691e421056f51cf3b57edcd3521b5a949f741e9811c

SHA512
f367d525e8b1ba707336097a241b3afe20380b9c76246b8da85ff16e08473c835c511383e8d1dce562be7f0596559ac23fa06d3c1e7f5d77d5ed317c093a70af

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
86907a8976b710480c4848556b72d6c2

SHA1
5b144b3276584459af47f7eda2f92bc42f33cbcc

SHA256
1ace4ab96d8ae39171544f5a5d8a5119f48b5ef136d833fbc0f7cd40df604a38

SHA512
1ff2078cf5820dfd994abbf54f0fd93378461744cc2affc72615102f66da01eb7f622a825d24f594536282e9186e0399196dbf2f03a65272c90e2f41617e22d9

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
86907a8976b710480c4848556b72d6c2

SHA1
5b144b3276584459af47f7eda2f92bc42f33cbcc

SHA256
1ace4ab96d8ae39171544f5a5d8a5119f48b5ef136d833fbc0f7cd40df604a38

SHA512
1ff2078cf5820dfd994abbf54f0fd93378461744cc2affc72615102f66da01eb7f622a825d24f594536282e9186e0399196dbf2f03a65272c90e2f41617e22d9

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
a77600498b9e185fc09de142050f78f7

SHA1
2331a986be63822493389b79cd911d569001669d

SHA256
1bdfa6d71edef5e591518fb6aa8510b528a8f391254483646494cf2cc03a960e

SHA512
ab7df69da861d96404216acb026a742e6710a659b95f18f7e367fc707ac0ed385ae1cd8bd9ec543d08138630a93d2f789801d1dc08b77834ec17a37b6568e119

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
a77600498b9e185fc09de142050f78f7

SHA1
2331a986be63822493389b79cd911d569001669d

SHA256
1bdfa6d71edef5e591518fb6aa8510b528a8f391254483646494cf2cc03a960e

SHA512
ab7df69da861d96404216acb026a742e6710a659b95f18f7e367fc707ac0ed385ae1cd8bd9ec543d08138630a93d2f789801d1dc08b77834ec17a37b6568e119

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
70f0f236078589427bbdce00f0a987dc

SHA1
6b3efe3ef26942ccff39258731c3d9c8f17e3b82

SHA256
ad4bff2dce08b52234063df1b016510b7878416d1693dc6dd530bf054429c3a2

SHA512
0ff2c4c466429d6cb4b54ed9e226abb2c3d16dd4914b41a4ae32abbaa0a1f68b334cc1284f80a98b6ea0c53fa0a0b20296d05cf9bd8b61787b4bba581dd7040b

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
70f0f236078589427bbdce00f0a987dc

SHA1
6b3efe3ef26942ccff39258731c3d9c8f17e3b82

SHA256
ad4bff2dce08b52234063df1b016510b7878416d1693dc6dd530bf054429c3a2

SHA512
0ff2c4c466429d6cb4b54ed9e226abb2c3d16dd4914b41a4ae32abbaa0a1f68b334cc1284f80a98b6ea0c53fa0a0b20296d05cf9bd8b61787b4bba581dd7040b

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
da3678e2ec5d0fb85f3133866e061555

SHA1
7dbb1d50dd1bee945c20598b68fa753730920089

SHA256
7bed14a43f6a10c791f2a680f123d6697d8d504102fe3c96d9e28bdd1da3e363

SHA512
4d16e54e148445f53354b0034c5a4dd96aea0ecce647c87cba6cd161fa1a46d2cc633b355cafc4666aca7613d642d2cfdd1486696fefd2a56a0e73afb2ffa0bc

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
da3678e2ec5d0fb85f3133866e061555

SHA1
7dbb1d50dd1bee945c20598b68fa753730920089

SHA256
7bed14a43f6a10c791f2a680f123d6697d8d504102fe3c96d9e28bdd1da3e363

SHA512
4d16e54e148445f53354b0034c5a4dd96aea0ecce647c87cba6cd161fa1a46d2cc633b355cafc4666aca7613d642d2cfdd1486696fefd2a56a0e73afb2ffa0bc

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
70f0f236078589427bbdce00f0a987dc

SHA1
6b3efe3ef26942ccff39258731c3d9c8f17e3b82

SHA256
ad4bff2dce08b52234063df1b016510b7878416d1693dc6dd530bf054429c3a2

SHA512
0ff2c4c466429d6cb4b54ed9e226abb2c3d16dd4914b41a4ae32abbaa0a1f68b334cc1284f80a98b6ea0c53fa0a0b20296d05cf9bd8b61787b4bba581dd7040b

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
70f0f236078589427bbdce00f0a987dc

SHA1
6b3efe3ef26942ccff39258731c3d9c8f17e3b82

SHA256
ad4bff2dce08b52234063df1b016510b7878416d1693dc6dd530bf054429c3a2

SHA512
0ff2c4c466429d6cb4b54ed9e226abb2c3d16dd4914b41a4ae32abbaa0a1f68b334cc1284f80a98b6ea0c53fa0a0b20296d05cf9bd8b61787b4bba581dd7040b

Download Submit
C:\Program Files\update.exe

Filesize
72KB

MD5
2f21c045723ab0a39dabb0f9fee3f0c0

SHA1
edd62fdc5e61b395effa34b2cf84f3d38085740d

SHA256
c62d78d245966c2c61bd82cbe32abbbecff2431ef47e6c7d42cc09f577f06253

SHA512
e427249160725bbbd3ccb788b9fa757fe955c916edd6f6346164706c598fd0c76e22b339a9a4271e9a7a9bce9f70db7e57c74c0eaf1219069fb0789bbea90636

Download Submit
C:\Program Files\update.exe

Filesize
72KB

MD5
2f21c045723ab0a39dabb0f9fee3f0c0

SHA1
edd62fdc5e61b395effa34b2cf84f3d38085740d

SHA256
c62d78d245966c2c61bd82cbe32abbbecff2431ef47e6c7d42cc09f577f06253

SHA512
e427249160725bbbd3ccb788b9fa757fe955c916edd6f6346164706c598fd0c76e22b339a9a4271e9a7a9bce9f70db7e57c74c0eaf1219069fb0789bbea90636

Download Submit
C:\Users\Admin\AppData\Local\Temp\3227049327\backup.exe

Filesize
72KB

MD5
85f3ac996b724bea03601b67cfb453f3

SHA1
6a8bb9caa83cc45b34e091cf22dec8a083f33bcb

SHA256
f36820ba816555d5e5f28e1b28549da52dd41f8e721d12626a2d8c16c4cf8639

SHA512
579e85b709c57e04782ce6c896dd4c681e9680888774e028ff5d8e28ed660733cc24b411a82de9b7e3dd9854ebf901772020c6ce4c3955d763f4936103ebd896

Download Submit
C:\Users\Admin\AppData\Local\Temp\3227049327\backup.exe

Filesize
72KB

MD5
85f3ac996b724bea03601b67cfb453f3

SHA1
6a8bb9caa83cc45b34e091cf22dec8a083f33bcb

SHA256
f36820ba816555d5e5f28e1b28549da52dd41f8e721d12626a2d8c16c4cf8639

SHA512
579e85b709c57e04782ce6c896dd4c681e9680888774e028ff5d8e28ed660733cc24b411a82de9b7e3dd9854ebf901772020c6ce4c3955d763f4936103ebd896

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
85f3ac996b724bea03601b67cfb453f3

SHA1
6a8bb9caa83cc45b34e091cf22dec8a083f33bcb

SHA256
f36820ba816555d5e5f28e1b28549da52dd41f8e721d12626a2d8c16c4cf8639

SHA512
579e85b709c57e04782ce6c896dd4c681e9680888774e028ff5d8e28ed660733cc24b411a82de9b7e3dd9854ebf901772020c6ce4c3955d763f4936103ebd896

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
85f3ac996b724bea03601b67cfb453f3

SHA1
6a8bb9caa83cc45b34e091cf22dec8a083f33bcb

SHA256
f36820ba816555d5e5f28e1b28549da52dd41f8e721d12626a2d8c16c4cf8639

SHA512
579e85b709c57e04782ce6c896dd4c681e9680888774e028ff5d8e28ed660733cc24b411a82de9b7e3dd9854ebf901772020c6ce4c3955d763f4936103ebd896

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
34f5b7d344ffe36df163c8fa13968040

SHA1
8772f47a3b5d93791ea02d7e306eb641e3004aba

SHA256
f59be0b34edcd0b8c0a188ac2cf1cdcb69797ca80d8553b30a173e08a3cce5e2

SHA512
81109541165b18443a9eda678975aafa63f766196eddb47ced7f3e82c9111b181e071aa8369e41dc5c86dbba31b3826ec4f0115777f48a90245a8db86d09a692

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
34f5b7d344ffe36df163c8fa13968040

SHA1
8772f47a3b5d93791ea02d7e306eb641e3004aba

SHA256
f59be0b34edcd0b8c0a188ac2cf1cdcb69797ca80d8553b30a173e08a3cce5e2

SHA512
81109541165b18443a9eda678975aafa63f766196eddb47ced7f3e82c9111b181e071aa8369e41dc5c86dbba31b3826ec4f0115777f48a90245a8db86d09a692

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
85f3ac996b724bea03601b67cfb453f3

SHA1
6a8bb9caa83cc45b34e091cf22dec8a083f33bcb

SHA256
f36820ba816555d5e5f28e1b28549da52dd41f8e721d12626a2d8c16c4cf8639

SHA512
579e85b709c57e04782ce6c896dd4c681e9680888774e028ff5d8e28ed660733cc24b411a82de9b7e3dd9854ebf901772020c6ce4c3955d763f4936103ebd896

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
34f5b7d344ffe36df163c8fa13968040

SHA1
8772f47a3b5d93791ea02d7e306eb641e3004aba

SHA256
f59be0b34edcd0b8c0a188ac2cf1cdcb69797ca80d8553b30a173e08a3cce5e2

SHA512
81109541165b18443a9eda678975aafa63f766196eddb47ced7f3e82c9111b181e071aa8369e41dc5c86dbba31b3826ec4f0115777f48a90245a8db86d09a692

Download Submit
C:\backup.exe

Filesize
72KB

MD5
f2ada964ba341320bcb62df5a98fa6e9

SHA1
e869bda103b682016017d78aa425f930ad1f56c0

SHA256
8ac96123c28c4b4743edd9f232b4a6f746768e3f7265d02f25e903e38f8316f8

SHA512
8fcf3661c02b7c9e89125eabcb80a7f4afe9a5adb94ba34f2a008c7850677c3656aef2e4331f4a7b94ff9a8f8187bd488ec379eb48c9451dbfdfa75e7d9d52b8

Download Submit
C:\backup.exe

Filesize
72KB

MD5
f2ada964ba341320bcb62df5a98fa6e9

SHA1
e869bda103b682016017d78aa425f930ad1f56c0

SHA256
8ac96123c28c4b4743edd9f232b4a6f746768e3f7265d02f25e903e38f8316f8

SHA512
8fcf3661c02b7c9e89125eabcb80a7f4afe9a5adb94ba34f2a008c7850677c3656aef2e4331f4a7b94ff9a8f8187bd488ec379eb48c9451dbfdfa75e7d9d52b8

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
4ab2ba70aef73768b8d7ff12eb3c4ba4

SHA1
d06f331790d55381c2a83eb7c0eba3140e525125

SHA256
7463ebd6730ea30ef81fb691e421056f51cf3b57edcd3521b5a949f741e9811c

SHA512
f367d525e8b1ba707336097a241b3afe20380b9c76246b8da85ff16e08473c835c511383e8d1dce562be7f0596559ac23fa06d3c1e7f5d77d5ed317c093a70af

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
4ab2ba70aef73768b8d7ff12eb3c4ba4

SHA1
d06f331790d55381c2a83eb7c0eba3140e525125

SHA256
7463ebd6730ea30ef81fb691e421056f51cf3b57edcd3521b5a949f741e9811c

SHA512
f367d525e8b1ba707336097a241b3afe20380b9c76246b8da85ff16e08473c835c511383e8d1dce562be7f0596559ac23fa06d3c1e7f5d77d5ed317c093a70af

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
86907a8976b710480c4848556b72d6c2

SHA1
5b144b3276584459af47f7eda2f92bc42f33cbcc

SHA256
1ace4ab96d8ae39171544f5a5d8a5119f48b5ef136d833fbc0f7cd40df604a38

SHA512
1ff2078cf5820dfd994abbf54f0fd93378461744cc2affc72615102f66da01eb7f622a825d24f594536282e9186e0399196dbf2f03a65272c90e2f41617e22d9

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
86907a8976b710480c4848556b72d6c2

SHA1
5b144b3276584459af47f7eda2f92bc42f33cbcc

SHA256
1ace4ab96d8ae39171544f5a5d8a5119f48b5ef136d833fbc0f7cd40df604a38

SHA512
1ff2078cf5820dfd994abbf54f0fd93378461744cc2affc72615102f66da01eb7f622a825d24f594536282e9186e0399196dbf2f03a65272c90e2f41617e22d9

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
a77600498b9e185fc09de142050f78f7

SHA1
2331a986be63822493389b79cd911d569001669d

SHA256
1bdfa6d71edef5e591518fb6aa8510b528a8f391254483646494cf2cc03a960e

SHA512
ab7df69da861d96404216acb026a742e6710a659b95f18f7e367fc707ac0ed385ae1cd8bd9ec543d08138630a93d2f789801d1dc08b77834ec17a37b6568e119

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
a77600498b9e185fc09de142050f78f7

SHA1
2331a986be63822493389b79cd911d569001669d

SHA256
1bdfa6d71edef5e591518fb6aa8510b528a8f391254483646494cf2cc03a960e

SHA512
ab7df69da861d96404216acb026a742e6710a659b95f18f7e367fc707ac0ed385ae1cd8bd9ec543d08138630a93d2f789801d1dc08b77834ec17a37b6568e119

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
a77600498b9e185fc09de142050f78f7

SHA1
2331a986be63822493389b79cd911d569001669d

SHA256
1bdfa6d71edef5e591518fb6aa8510b528a8f391254483646494cf2cc03a960e

SHA512
ab7df69da861d96404216acb026a742e6710a659b95f18f7e367fc707ac0ed385ae1cd8bd9ec543d08138630a93d2f789801d1dc08b77834ec17a37b6568e119

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
a77600498b9e185fc09de142050f78f7

SHA1
2331a986be63822493389b79cd911d569001669d

SHA256
1bdfa6d71edef5e591518fb6aa8510b528a8f391254483646494cf2cc03a960e

SHA512
ab7df69da861d96404216acb026a742e6710a659b95f18f7e367fc707ac0ed385ae1cd8bd9ec543d08138630a93d2f789801d1dc08b77834ec17a37b6568e119

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
a77600498b9e185fc09de142050f78f7

SHA1
2331a986be63822493389b79cd911d569001669d

SHA256
1bdfa6d71edef5e591518fb6aa8510b528a8f391254483646494cf2cc03a960e

SHA512
ab7df69da861d96404216acb026a742e6710a659b95f18f7e367fc707ac0ed385ae1cd8bd9ec543d08138630a93d2f789801d1dc08b77834ec17a37b6568e119

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
70f0f236078589427bbdce00f0a987dc

SHA1
6b3efe3ef26942ccff39258731c3d9c8f17e3b82

SHA256
ad4bff2dce08b52234063df1b016510b7878416d1693dc6dd530bf054429c3a2

SHA512
0ff2c4c466429d6cb4b54ed9e226abb2c3d16dd4914b41a4ae32abbaa0a1f68b334cc1284f80a98b6ea0c53fa0a0b20296d05cf9bd8b61787b4bba581dd7040b

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
70f0f236078589427bbdce00f0a987dc

SHA1
6b3efe3ef26942ccff39258731c3d9c8f17e3b82

SHA256
ad4bff2dce08b52234063df1b016510b7878416d1693dc6dd530bf054429c3a2

SHA512
0ff2c4c466429d6cb4b54ed9e226abb2c3d16dd4914b41a4ae32abbaa0a1f68b334cc1284f80a98b6ea0c53fa0a0b20296d05cf9bd8b61787b4bba581dd7040b

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
70f0f236078589427bbdce00f0a987dc

SHA1
6b3efe3ef26942ccff39258731c3d9c8f17e3b82

SHA256
ad4bff2dce08b52234063df1b016510b7878416d1693dc6dd530bf054429c3a2

SHA512
0ff2c4c466429d6cb4b54ed9e226abb2c3d16dd4914b41a4ae32abbaa0a1f68b334cc1284f80a98b6ea0c53fa0a0b20296d05cf9bd8b61787b4bba581dd7040b

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
70f0f236078589427bbdce00f0a987dc

SHA1
6b3efe3ef26942ccff39258731c3d9c8f17e3b82

SHA256
ad4bff2dce08b52234063df1b016510b7878416d1693dc6dd530bf054429c3a2

SHA512
0ff2c4c466429d6cb4b54ed9e226abb2c3d16dd4914b41a4ae32abbaa0a1f68b334cc1284f80a98b6ea0c53fa0a0b20296d05cf9bd8b61787b4bba581dd7040b

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
70f0f236078589427bbdce00f0a987dc

SHA1
6b3efe3ef26942ccff39258731c3d9c8f17e3b82

SHA256
ad4bff2dce08b52234063df1b016510b7878416d1693dc6dd530bf054429c3a2

SHA512
0ff2c4c466429d6cb4b54ed9e226abb2c3d16dd4914b41a4ae32abbaa0a1f68b334cc1284f80a98b6ea0c53fa0a0b20296d05cf9bd8b61787b4bba581dd7040b

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
da3678e2ec5d0fb85f3133866e061555

SHA1
7dbb1d50dd1bee945c20598b68fa753730920089

SHA256
7bed14a43f6a10c791f2a680f123d6697d8d504102fe3c96d9e28bdd1da3e363

SHA512
4d16e54e148445f53354b0034c5a4dd96aea0ecce647c87cba6cd161fa1a46d2cc633b355cafc4666aca7613d642d2cfdd1486696fefd2a56a0e73afb2ffa0bc

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
da3678e2ec5d0fb85f3133866e061555

SHA1
7dbb1d50dd1bee945c20598b68fa753730920089

SHA256
7bed14a43f6a10c791f2a680f123d6697d8d504102fe3c96d9e28bdd1da3e363

SHA512
4d16e54e148445f53354b0034c5a4dd96aea0ecce647c87cba6cd161fa1a46d2cc633b355cafc4666aca7613d642d2cfdd1486696fefd2a56a0e73afb2ffa0bc

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
da3678e2ec5d0fb85f3133866e061555

SHA1
7dbb1d50dd1bee945c20598b68fa753730920089

SHA256
7bed14a43f6a10c791f2a680f123d6697d8d504102fe3c96d9e28bdd1da3e363

SHA512
4d16e54e148445f53354b0034c5a4dd96aea0ecce647c87cba6cd161fa1a46d2cc633b355cafc4666aca7613d642d2cfdd1486696fefd2a56a0e73afb2ffa0bc

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
da3678e2ec5d0fb85f3133866e061555

SHA1
7dbb1d50dd1bee945c20598b68fa753730920089

SHA256
7bed14a43f6a10c791f2a680f123d6697d8d504102fe3c96d9e28bdd1da3e363

SHA512
4d16e54e148445f53354b0034c5a4dd96aea0ecce647c87cba6cd161fa1a46d2cc633b355cafc4666aca7613d642d2cfdd1486696fefd2a56a0e73afb2ffa0bc

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
70f0f236078589427bbdce00f0a987dc

SHA1
6b3efe3ef26942ccff39258731c3d9c8f17e3b82

SHA256
ad4bff2dce08b52234063df1b016510b7878416d1693dc6dd530bf054429c3a2

SHA512
0ff2c4c466429d6cb4b54ed9e226abb2c3d16dd4914b41a4ae32abbaa0a1f68b334cc1284f80a98b6ea0c53fa0a0b20296d05cf9bd8b61787b4bba581dd7040b

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
70f0f236078589427bbdce00f0a987dc

SHA1
6b3efe3ef26942ccff39258731c3d9c8f17e3b82

SHA256
ad4bff2dce08b52234063df1b016510b7878416d1693dc6dd530bf054429c3a2

SHA512
0ff2c4c466429d6cb4b54ed9e226abb2c3d16dd4914b41a4ae32abbaa0a1f68b334cc1284f80a98b6ea0c53fa0a0b20296d05cf9bd8b61787b4bba581dd7040b

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
70f0f236078589427bbdce00f0a987dc

SHA1
6b3efe3ef26942ccff39258731c3d9c8f17e3b82

SHA256
ad4bff2dce08b52234063df1b016510b7878416d1693dc6dd530bf054429c3a2

SHA512
0ff2c4c466429d6cb4b54ed9e226abb2c3d16dd4914b41a4ae32abbaa0a1f68b334cc1284f80a98b6ea0c53fa0a0b20296d05cf9bd8b61787b4bba581dd7040b

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
70f0f236078589427bbdce00f0a987dc

SHA1
6b3efe3ef26942ccff39258731c3d9c8f17e3b82

SHA256
ad4bff2dce08b52234063df1b016510b7878416d1693dc6dd530bf054429c3a2

SHA512
0ff2c4c466429d6cb4b54ed9e226abb2c3d16dd4914b41a4ae32abbaa0a1f68b334cc1284f80a98b6ea0c53fa0a0b20296d05cf9bd8b61787b4bba581dd7040b

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
70f0f236078589427bbdce00f0a987dc

SHA1
6b3efe3ef26942ccff39258731c3d9c8f17e3b82

SHA256
ad4bff2dce08b52234063df1b016510b7878416d1693dc6dd530bf054429c3a2

SHA512
0ff2c4c466429d6cb4b54ed9e226abb2c3d16dd4914b41a4ae32abbaa0a1f68b334cc1284f80a98b6ea0c53fa0a0b20296d05cf9bd8b61787b4bba581dd7040b

Download Submit
\Program Files\update.exe

Filesize
72KB

MD5
2f21c045723ab0a39dabb0f9fee3f0c0

SHA1
edd62fdc5e61b395effa34b2cf84f3d38085740d

SHA256
c62d78d245966c2c61bd82cbe32abbbecff2431ef47e6c7d42cc09f577f06253

SHA512
e427249160725bbbd3ccb788b9fa757fe955c916edd6f6346164706c598fd0c76e22b339a9a4271e9a7a9bce9f70db7e57c74c0eaf1219069fb0789bbea90636

Download Submit
\Program Files\update.exe

Filesize
72KB

MD5
2f21c045723ab0a39dabb0f9fee3f0c0

SHA1
edd62fdc5e61b395effa34b2cf84f3d38085740d

SHA256
c62d78d245966c2c61bd82cbe32abbbecff2431ef47e6c7d42cc09f577f06253

SHA512
e427249160725bbbd3ccb788b9fa757fe955c916edd6f6346164706c598fd0c76e22b339a9a4271e9a7a9bce9f70db7e57c74c0eaf1219069fb0789bbea90636

Download Submit
\Program Files\update.exe

Filesize
72KB

MD5
2f21c045723ab0a39dabb0f9fee3f0c0

SHA1
edd62fdc5e61b395effa34b2cf84f3d38085740d

SHA256
c62d78d245966c2c61bd82cbe32abbbecff2431ef47e6c7d42cc09f577f06253

SHA512
e427249160725bbbd3ccb788b9fa757fe955c916edd6f6346164706c598fd0c76e22b339a9a4271e9a7a9bce9f70db7e57c74c0eaf1219069fb0789bbea90636

Download Submit
\Program Files\update.exe

Filesize
72KB

MD5
2f21c045723ab0a39dabb0f9fee3f0c0

SHA1
edd62fdc5e61b395effa34b2cf84f3d38085740d

SHA256
c62d78d245966c2c61bd82cbe32abbbecff2431ef47e6c7d42cc09f577f06253

SHA512
e427249160725bbbd3ccb788b9fa757fe955c916edd6f6346164706c598fd0c76e22b339a9a4271e9a7a9bce9f70db7e57c74c0eaf1219069fb0789bbea90636

Download Submit
\Users\Admin\AppData\Local\Temp\3227049327\backup.exe

Filesize
72KB

MD5
85f3ac996b724bea03601b67cfb453f3

SHA1
6a8bb9caa83cc45b34e091cf22dec8a083f33bcb

SHA256
f36820ba816555d5e5f28e1b28549da52dd41f8e721d12626a2d8c16c4cf8639

SHA512
579e85b709c57e04782ce6c896dd4c681e9680888774e028ff5d8e28ed660733cc24b411a82de9b7e3dd9854ebf901772020c6ce4c3955d763f4936103ebd896

Download Submit
\Users\Admin\AppData\Local\Temp\3227049327\backup.exe

Filesize
72KB

MD5
85f3ac996b724bea03601b67cfb453f3

SHA1
6a8bb9caa83cc45b34e091cf22dec8a083f33bcb

SHA256
f36820ba816555d5e5f28e1b28549da52dd41f8e721d12626a2d8c16c4cf8639

SHA512
579e85b709c57e04782ce6c896dd4c681e9680888774e028ff5d8e28ed660733cc24b411a82de9b7e3dd9854ebf901772020c6ce4c3955d763f4936103ebd896

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
85f3ac996b724bea03601b67cfb453f3

SHA1
6a8bb9caa83cc45b34e091cf22dec8a083f33bcb

SHA256
f36820ba816555d5e5f28e1b28549da52dd41f8e721d12626a2d8c16c4cf8639

SHA512
579e85b709c57e04782ce6c896dd4c681e9680888774e028ff5d8e28ed660733cc24b411a82de9b7e3dd9854ebf901772020c6ce4c3955d763f4936103ebd896

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
85f3ac996b724bea03601b67cfb453f3

SHA1
6a8bb9caa83cc45b34e091cf22dec8a083f33bcb

SHA256
f36820ba816555d5e5f28e1b28549da52dd41f8e721d12626a2d8c16c4cf8639

SHA512
579e85b709c57e04782ce6c896dd4c681e9680888774e028ff5d8e28ed660733cc24b411a82de9b7e3dd9854ebf901772020c6ce4c3955d763f4936103ebd896

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
85f3ac996b724bea03601b67cfb453f3

SHA1
6a8bb9caa83cc45b34e091cf22dec8a083f33bcb

SHA256
f36820ba816555d5e5f28e1b28549da52dd41f8e721d12626a2d8c16c4cf8639

SHA512
579e85b709c57e04782ce6c896dd4c681e9680888774e028ff5d8e28ed660733cc24b411a82de9b7e3dd9854ebf901772020c6ce4c3955d763f4936103ebd896

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
85f3ac996b724bea03601b67cfb453f3

SHA1
6a8bb9caa83cc45b34e091cf22dec8a083f33bcb

SHA256
f36820ba816555d5e5f28e1b28549da52dd41f8e721d12626a2d8c16c4cf8639

SHA512
579e85b709c57e04782ce6c896dd4c681e9680888774e028ff5d8e28ed660733cc24b411a82de9b7e3dd9854ebf901772020c6ce4c3955d763f4936103ebd896

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
34f5b7d344ffe36df163c8fa13968040

SHA1
8772f47a3b5d93791ea02d7e306eb641e3004aba

SHA256
f59be0b34edcd0b8c0a188ac2cf1cdcb69797ca80d8553b30a173e08a3cce5e2

SHA512
81109541165b18443a9eda678975aafa63f766196eddb47ced7f3e82c9111b181e071aa8369e41dc5c86dbba31b3826ec4f0115777f48a90245a8db86d09a692

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
34f5b7d344ffe36df163c8fa13968040

SHA1
8772f47a3b5d93791ea02d7e306eb641e3004aba

SHA256
f59be0b34edcd0b8c0a188ac2cf1cdcb69797ca80d8553b30a173e08a3cce5e2

SHA512
81109541165b18443a9eda678975aafa63f766196eddb47ced7f3e82c9111b181e071aa8369e41dc5c86dbba31b3826ec4f0115777f48a90245a8db86d09a692

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
34f5b7d344ffe36df163c8fa13968040

SHA1
8772f47a3b5d93791ea02d7e306eb641e3004aba

SHA256
f59be0b34edcd0b8c0a188ac2cf1cdcb69797ca80d8553b30a173e08a3cce5e2

SHA512
81109541165b18443a9eda678975aafa63f766196eddb47ced7f3e82c9111b181e071aa8369e41dc5c86dbba31b3826ec4f0115777f48a90245a8db86d09a692

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
34f5b7d344ffe36df163c8fa13968040

SHA1
8772f47a3b5d93791ea02d7e306eb641e3004aba

SHA256
f59be0b34edcd0b8c0a188ac2cf1cdcb69797ca80d8553b30a173e08a3cce5e2

SHA512
81109541165b18443a9eda678975aafa63f766196eddb47ced7f3e82c9111b181e071aa8369e41dc5c86dbba31b3826ec4f0115777f48a90245a8db86d09a692

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
85f3ac996b724bea03601b67cfb453f3

SHA1
6a8bb9caa83cc45b34e091cf22dec8a083f33bcb

SHA256
f36820ba816555d5e5f28e1b28549da52dd41f8e721d12626a2d8c16c4cf8639

SHA512
579e85b709c57e04782ce6c896dd4c681e9680888774e028ff5d8e28ed660733cc24b411a82de9b7e3dd9854ebf901772020c6ce4c3955d763f4936103ebd896

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
85f3ac996b724bea03601b67cfb453f3

SHA1
6a8bb9caa83cc45b34e091cf22dec8a083f33bcb

SHA256
f36820ba816555d5e5f28e1b28549da52dd41f8e721d12626a2d8c16c4cf8639

SHA512
579e85b709c57e04782ce6c896dd4c681e9680888774e028ff5d8e28ed660733cc24b411a82de9b7e3dd9854ebf901772020c6ce4c3955d763f4936103ebd896

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
34f5b7d344ffe36df163c8fa13968040

SHA1
8772f47a3b5d93791ea02d7e306eb641e3004aba

SHA256
f59be0b34edcd0b8c0a188ac2cf1cdcb69797ca80d8553b30a173e08a3cce5e2

SHA512
81109541165b18443a9eda678975aafa63f766196eddb47ced7f3e82c9111b181e071aa8369e41dc5c86dbba31b3826ec4f0115777f48a90245a8db86d09a692

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
34f5b7d344ffe36df163c8fa13968040

SHA1
8772f47a3b5d93791ea02d7e306eb641e3004aba

SHA256
f59be0b34edcd0b8c0a188ac2cf1cdcb69797ca80d8553b30a173e08a3cce5e2

SHA512
81109541165b18443a9eda678975aafa63f766196eddb47ced7f3e82c9111b181e071aa8369e41dc5c86dbba31b3826ec4f0115777f48a90245a8db86d09a692

Download Submit
memory/108-130-0x0000000000000000-mapping.dmp

Download
memory/324-200-0x0000000000000000-mapping.dmp

Download
memory/324-93-0x0000000000000000-mapping.dmp

Download
memory/384-233-0x0000000000000000-mapping.dmp

Download
memory/540-235-0x0000000000000000-mapping.dmp

Download
memory/560-264-0x0000000000000000-mapping.dmp

Download
memory/668-184-0x0000000000000000-mapping.dmp

Download
memory/668-76-0x0000000000000000-mapping.dmp

Download
memory/680-211-0x0000000000000000-mapping.dmp

Download
memory/748-263-0x0000000000000000-mapping.dmp

Download
memory/756-192-0x0000000000000000-mapping.dmp

Download
memory/756-274-0x0000000000000000-mapping.dmp

Download
memory/768-87-0x0000000000000000-mapping.dmp

Download
memory/824-290-0x0000000000000000-mapping.dmp

Download
memory/824-106-0x0000000000000000-mapping.dmp

Download
memory/844-247-0x0000000000000000-mapping.dmp

Download
memory/892-313-0x0000000000000000-mapping.dmp

Download
memory/948-251-0x0000000000000000-mapping.dmp

Download
memory/1064-301-0x0000000000000000-mapping.dmp

Download
memory/1068-204-0x0000000000000000-mapping.dmp

Download
memory/1076-298-0x0000000000000000-mapping.dmp

Download
memory/1152-276-0x0000000000000000-mapping.dmp

Download
memory/1172-70-0x0000000000000000-mapping.dmp

Download
memory/1180-217-0x0000000000000000-mapping.dmp

Download
memory/1180-314-0x0000000000000000-mapping.dmp

Download
memory/1228-296-0x0000000000000000-mapping.dmp

Download
memory/1248-58-0x0000000000000000-mapping.dmp

Download
memory/1276-230-0x0000000000000000-mapping.dmp

Download
memory/1300-275-0x0000000000000000-mapping.dmp

Download
memory/1316-286-0x0000000000000000-mapping.dmp

Download
memory/1324-171-0x0000000000000000-mapping.dmp

Download
memory/1332-119-0x0000000000000000-mapping.dmp

Download
memory/1336-228-0x0000000000000000-mapping.dmp

Download
memory/1344-229-0x0000000000000000-mapping.dmp

Download
memory/1344-321-0x0000000000000000-mapping.dmp

Download
memory/1416-152-0x0000000000000000-mapping.dmp

Download
memory/1432-320-0x0000000000000000-mapping.dmp

Download
memory/1432-250-0x0000000000000000-mapping.dmp

Download
memory/1456-176-0x0000000000000000-mapping.dmp

Download
memory/1464-282-0x0000000000000000-mapping.dmp

Download
memory/1468-82-0x0000000000000000-mapping.dmp

Download
memory/1472-315-0x0000000000000000-mapping.dmp

Download
memory/1488-188-0x0000000000000000-mapping.dmp

Download
memory/1504-249-0x0000000000000000-mapping.dmp

Download
memory/1548-272-0x0000000000000000-mapping.dmp

Download
memory/1564-273-0x0000000000000000-mapping.dmp

Download
memory/1580-248-0x0000000000000000-mapping.dmp

Download
memory/1612-225-0x0000000000000000-mapping.dmp

Download
memory/1632-180-0x0000000000000000-mapping.dmp

Download
memory/1644-196-0x0000000000000000-mapping.dmp

Download
memory/1648-175-0x0000000073FC1000-0x0000000073FC3000-memory.dmp

Filesize
8KB

Download
memory/1648-117-0x0000000075C51000-0x0000000075C53000-memory.dmp

Filesize
8KB

Download
memory/1652-312-0x0000000000000000-mapping.dmp

Download
memory/1716-100-0x0000000000000000-mapping.dmp

Download
memory/1724-208-0x0000000000000000-mapping.dmp

Download
memory/1744-277-0x0000000000000000-mapping.dmp

Download
memory/1748-113-0x0000000000000000-mapping.dmp

Download
memory/1756-212-0x0000000000000000-mapping.dmp

Download
memory/1764-285-0x0000000000000000-mapping.dmp

Download
memory/1784-163-0x0000000000000000-mapping.dmp

Download
memory/1792-64-0x0000000000000000-mapping.dmp

Download
memory/1924-210-0x0000000000000000-mapping.dmp

Download
memory/1928-232-0x0000000000000000-mapping.dmp

Download
memory/1988-141-0x0000000000000000-mapping.dmp

Download
memory/1992-304-0x0000000000000000-mapping.dmp

Download
memory/2028-284-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads