0e56b531d362bc2e40d550b05d643edc5280afd5bf2d958f2c19a363ede064db

Analysis

max time kernel
175s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06-11-2022 12:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0e56b531d362bc2e40d550b05d643edc5280afd5bf2d958f2c19a363ede064db.exe
Size

72KB
MD5

0eda9b05e2cdd552b67f65a2842ce698
SHA1

dd315a086ab4e71ccbf3fd0d24c603bc97fae647
SHA256

0e56b531d362bc2e40d550b05d643edc5280afd5bf2d958f2c19a363ede064db
SHA512

76571d05e032447b73f7eac53293cdf37b055c714c976dbad024f8bd4cc3fc130344cbfa75750ced5910a2bc141d9db765a1a1cfee7102ad08b636bbcd40f126
SSDEEP

768:rpQNwC3BEc4QEfu0Ei8XxNDINE3BEJwRr3k7On:teThavEjDWguKU7W

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 36 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	0e56b531d362bc2e40d550b05d643edc5280afd5bf2d958f2c19a363ede064db.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Executes dropped EXE 64 IoCs

pid	Process
948	backup.exe
1680	backup.exe
1600	backup.exe
1216	backup.exe
1112	backup.exe
588	backup.exe
968	backup.exe
1840	backup.exe
980	backup.exe
1504	data.exe
1172	backup.exe
1628	backup.exe
1384	backup.exe
1992	data.exe
1096	backup.exe
2012	backup.exe
1824	backup.exe
1684	backup.exe
1616	backup.exe
1692	backup.exe
1500	backup.exe
576	backup.exe
908	backup.exe
1112	backup.exe
976	backup.exe
952	backup.exe
588	update.exe
904	backup.exe
112	data.exe
1740	System Restore.exe
1308	backup.exe
1160	backup.exe
1540	backup.exe
2000	System Restore.exe
840	backup.exe
1808	backup.exe
556	backup.exe
748	backup.exe
540	backup.exe
1668	backup.exe
1588	backup.exe
1032	backup.exe
1672	backup.exe
1568	backup.exe
912	backup.exe
1304	backup.exe
824	backup.exe
1932	backup.exe
856	backup.exe
908	data.exe
1708	backup.exe
112	backup.exe
996	backup.exe
668	backup.exe
1676	System Restore.exe
1272	backup.exe
608	backup.exe
1384	backup.exe
1712	backup.exe
1732	backup.exe
820	backup.exe
1000	backup.exe
1816	backup.exe
1572	data.exe

Loads dropped DLL 64 IoCs

pid	Process
1948	0e56b531d362bc2e40d550b05d643edc5280afd5bf2d958f2c19a363ede064db.exe
1948	0e56b531d362bc2e40d550b05d643edc5280afd5bf2d958f2c19a363ede064db.exe
1948	0e56b531d362bc2e40d550b05d643edc5280afd5bf2d958f2c19a363ede064db.exe
1948	0e56b531d362bc2e40d550b05d643edc5280afd5bf2d958f2c19a363ede064db.exe
1948	0e56b531d362bc2e40d550b05d643edc5280afd5bf2d958f2c19a363ede064db.exe
1948	0e56b531d362bc2e40d550b05d643edc5280afd5bf2d958f2c19a363ede064db.exe
1948	0e56b531d362bc2e40d550b05d643edc5280afd5bf2d958f2c19a363ede064db.exe
1948	0e56b531d362bc2e40d550b05d643edc5280afd5bf2d958f2c19a363ede064db.exe
1948	0e56b531d362bc2e40d550b05d643edc5280afd5bf2d958f2c19a363ede064db.exe
1948	0e56b531d362bc2e40d550b05d643edc5280afd5bf2d958f2c19a363ede064db.exe
1948	0e56b531d362bc2e40d550b05d643edc5280afd5bf2d958f2c19a363ede064db.exe
1948	0e56b531d362bc2e40d550b05d643edc5280afd5bf2d958f2c19a363ede064db.exe
1948	0e56b531d362bc2e40d550b05d643edc5280afd5bf2d958f2c19a363ede064db.exe
1948	0e56b531d362bc2e40d550b05d643edc5280afd5bf2d958f2c19a363ede064db.exe
1840	backup.exe
1840	backup.exe
980	backup.exe
980	backup.exe
1840	backup.exe
1840	backup.exe
1172	backup.exe
1172	backup.exe
1628	backup.exe
1628	backup.exe
1172	backup.exe
1172	backup.exe
1992	data.exe
1992	data.exe
1172	backup.exe
1840	backup.exe
1840	backup.exe
1172	backup.exe
1992	data.exe
1172	backup.exe
1992	data.exe
1172	backup.exe
1096	backup.exe
1840	backup.exe
1840	backup.exe
1096	backup.exe
2012	backup.exe
2012	backup.exe
1992	data.exe
1992	data.exe
1824	backup.exe
1824	backup.exe
1096	backup.exe
1692	backup.exe
1692	backup.exe
1500	backup.exe
1500	backup.exe
576	backup.exe
576	backup.exe
2012	backup.exe
2012	backup.exe
976	backup.exe
976	backup.exe
588	update.exe
588	update.exe
588	update.exe
952	backup.exe
952	backup.exe
2012	backup.exe
2012	backup.exe

Drops file in Program Files directory 48 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Internet Explorer\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\System\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe	update.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\backup.exe	backup.exe
File opened for modification	C:\Program Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\en-US\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Games\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\Lang\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\data.exe	backup.exe
File opened for modification	C:\Program Files\Java\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\backup.exe	data.exe
File opened for modification	C:\Program Files (x86)\Adobe\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe	update.exe
File opened for modification	C:\Program Files\7-Zip\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\update.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Services\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\data.exe	update.exe
File opened for modification	C:\Program Files\DVD Maker\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\backup.exe	backup.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1948	0e56b531d362bc2e40d550b05d643edc5280afd5bf2d958f2c19a363ede064db.exe

Suspicious use of SetWindowsHookEx 50 IoCs

pid	Process
1948	0e56b531d362bc2e40d550b05d643edc5280afd5bf2d958f2c19a363ede064db.exe
948	backup.exe
1680	backup.exe
1600	backup.exe
1216	backup.exe
1112	backup.exe
588	backup.exe
968	backup.exe
1840	backup.exe
980	backup.exe
1504	data.exe
1172	backup.exe
1628	backup.exe
1384	backup.exe
1992	data.exe
1096	backup.exe
2012	backup.exe
1824	backup.exe
1684	backup.exe
1616	backup.exe
1692	backup.exe
1500	backup.exe
576	backup.exe
908	backup.exe
1112	backup.exe
952	backup.exe
976	backup.exe
904	backup.exe
112	data.exe
1740	System Restore.exe
588	update.exe
1308	backup.exe
1160	backup.exe
1540	backup.exe
840	backup.exe
2000	System Restore.exe
1808	backup.exe
556	backup.exe
748	backup.exe
540	backup.exe
1668	backup.exe
1032	backup.exe
1588	backup.exe
912	backup.exe
824	backup.exe
1672	backup.exe
1568	backup.exe
112	backup.exe
1712	backup.exe
1304	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1948 wrote to memory of 948	1948	0e56b531d362bc2e40d550b05d643edc5280afd5bf2d958f2c19a363ede064db.exe	28
PID 1948 wrote to memory of 948	1948	0e56b531d362bc2e40d550b05d643edc5280afd5bf2d958f2c19a363ede064db.exe	28
PID 1948 wrote to memory of 948	1948	0e56b531d362bc2e40d550b05d643edc5280afd5bf2d958f2c19a363ede064db.exe	28
PID 1948 wrote to memory of 948	1948	0e56b531d362bc2e40d550b05d643edc5280afd5bf2d958f2c19a363ede064db.exe	28
PID 1948 wrote to memory of 1680	1948	0e56b531d362bc2e40d550b05d643edc5280afd5bf2d958f2c19a363ede064db.exe	29
PID 1948 wrote to memory of 1680	1948	0e56b531d362bc2e40d550b05d643edc5280afd5bf2d958f2c19a363ede064db.exe	29
PID 1948 wrote to memory of 1680	1948	0e56b531d362bc2e40d550b05d643edc5280afd5bf2d958f2c19a363ede064db.exe	29
PID 1948 wrote to memory of 1680	1948	0e56b531d362bc2e40d550b05d643edc5280afd5bf2d958f2c19a363ede064db.exe	29
PID 1948 wrote to memory of 1600	1948	0e56b531d362bc2e40d550b05d643edc5280afd5bf2d958f2c19a363ede064db.exe	30
PID 1948 wrote to memory of 1600	1948	0e56b531d362bc2e40d550b05d643edc5280afd5bf2d958f2c19a363ede064db.exe	30
PID 1948 wrote to memory of 1600	1948	0e56b531d362bc2e40d550b05d643edc5280afd5bf2d958f2c19a363ede064db.exe	30
PID 1948 wrote to memory of 1600	1948	0e56b531d362bc2e40d550b05d643edc5280afd5bf2d958f2c19a363ede064db.exe	30
PID 1948 wrote to memory of 1216	1948	0e56b531d362bc2e40d550b05d643edc5280afd5bf2d958f2c19a363ede064db.exe	31
PID 1948 wrote to memory of 1216	1948	0e56b531d362bc2e40d550b05d643edc5280afd5bf2d958f2c19a363ede064db.exe	31
PID 1948 wrote to memory of 1216	1948	0e56b531d362bc2e40d550b05d643edc5280afd5bf2d958f2c19a363ede064db.exe	31
PID 1948 wrote to memory of 1216	1948	0e56b531d362bc2e40d550b05d643edc5280afd5bf2d958f2c19a363ede064db.exe	31
PID 1948 wrote to memory of 1112	1948	0e56b531d362bc2e40d550b05d643edc5280afd5bf2d958f2c19a363ede064db.exe	32
PID 1948 wrote to memory of 1112	1948	0e56b531d362bc2e40d550b05d643edc5280afd5bf2d958f2c19a363ede064db.exe	32
PID 1948 wrote to memory of 1112	1948	0e56b531d362bc2e40d550b05d643edc5280afd5bf2d958f2c19a363ede064db.exe	32
PID 1948 wrote to memory of 1112	1948	0e56b531d362bc2e40d550b05d643edc5280afd5bf2d958f2c19a363ede064db.exe	32
PID 1948 wrote to memory of 588	1948	0e56b531d362bc2e40d550b05d643edc5280afd5bf2d958f2c19a363ede064db.exe	33
PID 1948 wrote to memory of 588	1948	0e56b531d362bc2e40d550b05d643edc5280afd5bf2d958f2c19a363ede064db.exe	33
PID 1948 wrote to memory of 588	1948	0e56b531d362bc2e40d550b05d643edc5280afd5bf2d958f2c19a363ede064db.exe	33
PID 1948 wrote to memory of 588	1948	0e56b531d362bc2e40d550b05d643edc5280afd5bf2d958f2c19a363ede064db.exe	33
PID 1948 wrote to memory of 968	1948	0e56b531d362bc2e40d550b05d643edc5280afd5bf2d958f2c19a363ede064db.exe	34
PID 1948 wrote to memory of 968	1948	0e56b531d362bc2e40d550b05d643edc5280afd5bf2d958f2c19a363ede064db.exe	34
PID 1948 wrote to memory of 968	1948	0e56b531d362bc2e40d550b05d643edc5280afd5bf2d958f2c19a363ede064db.exe	34
PID 1948 wrote to memory of 968	1948	0e56b531d362bc2e40d550b05d643edc5280afd5bf2d958f2c19a363ede064db.exe	34
PID 948 wrote to memory of 1840	948	backup.exe	35
PID 948 wrote to memory of 1840	948	backup.exe	35
PID 948 wrote to memory of 1840	948	backup.exe	35
PID 948 wrote to memory of 1840	948	backup.exe	35
PID 1840 wrote to memory of 980	1840	backup.exe	36
PID 1840 wrote to memory of 980	1840	backup.exe	36
PID 1840 wrote to memory of 980	1840	backup.exe	36
PID 1840 wrote to memory of 980	1840	backup.exe	36
PID 980 wrote to memory of 1504	980	backup.exe	37
PID 980 wrote to memory of 1504	980	backup.exe	37
PID 980 wrote to memory of 1504	980	backup.exe	37
PID 980 wrote to memory of 1504	980	backup.exe	37
PID 1840 wrote to memory of 1172	1840	backup.exe	38
PID 1840 wrote to memory of 1172	1840	backup.exe	38
PID 1840 wrote to memory of 1172	1840	backup.exe	38
PID 1840 wrote to memory of 1172	1840	backup.exe	38
PID 1172 wrote to memory of 1628	1172	backup.exe	39
PID 1172 wrote to memory of 1628	1172	backup.exe	39
PID 1172 wrote to memory of 1628	1172	backup.exe	39
PID 1172 wrote to memory of 1628	1172	backup.exe	39
PID 1628 wrote to memory of 1384	1628	backup.exe	40
PID 1628 wrote to memory of 1384	1628	backup.exe	40
PID 1628 wrote to memory of 1384	1628	backup.exe	40
PID 1628 wrote to memory of 1384	1628	backup.exe	40
PID 1172 wrote to memory of 1992	1172	backup.exe	41
PID 1172 wrote to memory of 1992	1172	backup.exe	41
PID 1172 wrote to memory of 1992	1172	backup.exe	41
PID 1172 wrote to memory of 1992	1172	backup.exe	41
PID 1992 wrote to memory of 1096	1992	data.exe	42
PID 1992 wrote to memory of 1096	1992	data.exe	42
PID 1992 wrote to memory of 1096	1992	data.exe	42
PID 1992 wrote to memory of 1096	1992	data.exe	42
PID 1840 wrote to memory of 1824	1840	backup.exe	43
PID 1840 wrote to memory of 1824	1840	backup.exe	43
PID 1840 wrote to memory of 1824	1840	backup.exe	43
PID 1840 wrote to memory of 1824	1840	backup.exe	43

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	0e56b531d362bc2e40d550b05d643edc5280afd5bf2d958f2c19a363ede064db.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	0e56b531d362bc2e40d550b05d643edc5280afd5bf2d958f2c19a363ede064db.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe

C:\Users\Admin\AppData\Local\Temp\0e56b531d362bc2e40d550b05d643edc5280afd5bf2d958f2c19a363ede064db.exe
"C:\Users\Admin\AppData\Local\Temp\0e56b531d362bc2e40d550b05d643edc5280afd5bf2d958f2c19a363ede064db.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1948
- C:\Users\Admin\AppData\Local\Temp\3873942876\backup.exe
  C:\Users\Admin\AppData\Local\Temp\3873942876\backup.exe C:\Users\Admin\AppData\Local\Temp\3873942876\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:948
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:1840
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:980
    - - C:\PerfLogs\Admin\data.exe
        
        C:\PerfLogs\Admin\data.exe C:\PerfLogs\Admin\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1504
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1172
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1628
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1384
    - - C:\Program Files\Common Files\data.exe
        
        "C:\Program Files\Common Files\data.exe" C:\Program Files\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1992
      - C:\Program Files\Common Files\Microsoft Shared\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\backup.exe" C:\Program Files\Common Files\Microsoft Shared\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1096
        
        C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1616
        
        C:\Program Files\Common Files\Microsoft Shared\ink\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:588
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:840
        
        C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1588
        
        C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
        8⤵
        Executes dropped EXE
        
        PID:668
        
        C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
        8⤵
        Executes dropped EXE
        
        PID:1732
        
        C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
        8⤵
        Executes dropped EXE
        
        PID:1572
        
        C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
        8⤵
        
        PID:1640
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1032
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
        7⤵
        Executes dropped EXE
        
        PID:856
        
        C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1712
        
        C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\
        7⤵
        
        PID:1612
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1684
      - C:\Program Files\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\backup.exe" C:\Program Files\Common Files\SpeechEngines\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:576
        
        C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files\Common Files\SpeechEngines\Microsoft\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:904
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1540
        
        C:\Program Files\Common Files\System\ado\backup.exe
        
        "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1304
        
        C:\Program Files\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        Executes dropped EXE
        
        PID:1708
        
        C:\Program Files\Common Files\System\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        Executes dropped EXE
        
        PID:820
        
        C:\Program Files\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
        7⤵
        
        PID:956
    - - C:\Program Files\DVD Maker\backup.exe
        
        "C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2012
      - C:\Program Files\DVD Maker\de-DE\backup.exe
        
        "C:\Program Files\DVD Maker\de-DE\backup.exe" C:\Program Files\DVD Maker\de-DE\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:908
      - C:\Program Files\DVD Maker\en-US\data.exe
        
        "C:\Program Files\DVD Maker\en-US\data.exe" C:\Program Files\DVD Maker\en-US\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:112
      - C:\Program Files\DVD Maker\es-ES\backup.exe
        
        "C:\Program Files\DVD Maker\es-ES\backup.exe" C:\Program Files\DVD Maker\es-ES\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1160
      - C:\Program Files\DVD Maker\fr-FR\backup.exe
        
        "C:\Program Files\DVD Maker\fr-FR\backup.exe" C:\Program Files\DVD Maker\fr-FR\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:556
      - C:\Program Files\DVD Maker\it-IT\backup.exe
        
        "C:\Program Files\DVD Maker\it-IT\backup.exe" C:\Program Files\DVD Maker\it-IT\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1568
      - C:\Program Files\DVD Maker\ja-JP\backup.exe
        
        "C:\Program Files\DVD Maker\ja-JP\backup.exe" C:\Program Files\DVD Maker\ja-JP\
        6⤵
        Executes dropped EXE
        
        PID:1932
      - C:\Program Files\DVD Maker\Shared\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\backup.exe" C:\Program Files\DVD Maker\Shared\
        6⤵
        Executes dropped EXE
        
        PID:1272
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1692
      - C:\Program Files\Google\Chrome\backup.exe
        
        "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:952
        
        C:\Program Files\Google\Chrome\Application\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\backup.exe" C:\Program Files\Google\Chrome\Application\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1308
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1808
        
        C:\Program Files\Google\Chrome\Application\Dictionaries\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\Dictionaries\backup.exe" C:\Program Files\Google\Chrome\Application\Dictionaries\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:540
        
        C:\Program Files\Google\Chrome\Application\SetupMetrics\System Restore.exe
        
        "C:\Program Files\Google\Chrome\Application\SetupMetrics\System Restore.exe" C:\Program Files\Google\Chrome\Application\SetupMetrics\
        8⤵
        Executes dropped EXE
        
        PID:1676
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1672
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        Executes dropped EXE
        
        PID:996
    - - C:\Program Files\Microsoft Games\backup.exe
        
        "C:\Program Files\Microsoft Games\backup.exe" C:\Program Files\Microsoft Games\
        5⤵
        Executes dropped EXE
        
        PID:1384
    - - C:\Program Files\Microsoft Office\System Restore.exe
        
        "C:\Program Files\Microsoft Office\System Restore.exe" C:\Program Files\Microsoft Office\
        5⤵
        
        PID:960
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:1824
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1112
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:912
    - - C:\Program Files (x86)\Google\data.exe
        
        "C:\Program Files (x86)\Google\data.exe" C:\Program Files (x86)\Google\
        5⤵
        Executes dropped EXE
        
        PID:908
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        Executes dropped EXE
        
        PID:1000
    - - C:\Program Files (x86)\Microsoft Analysis Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\
        5⤵
        
        PID:1784
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:1500
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:976
      - C:\Users\Admin\Contacts\System Restore.exe
        
        "C:\Users\Admin\Contacts\System Restore.exe" C:\Users\Admin\Contacts\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1740
      - C:\Users\Admin\Desktop\System Restore.exe
        
        "C:\Users\Admin\Desktop\System Restore.exe" C:\Users\Admin\Desktop\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2000
      - C:\Users\Admin\Documents\backup.exe
        
        C:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:748
      - C:\Users\Admin\Downloads\backup.exe
        
        C:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:112
      - C:\Users\Admin\Favorites\backup.exe
        
        C:\Users\Admin\Favorites\backup.exe C:\Users\Admin\Favorites\
        6⤵
        Executes dropped EXE
        
        PID:608
      - C:\Users\Admin\Links\backup.exe
        
        C:\Users\Admin\Links\backup.exe C:\Users\Admin\Links\
        6⤵
        Executes dropped EXE
        
        PID:1816
      - C:\Users\Admin\Music\backup.exe
        
        C:\Users\Admin\Music\backup.exe C:\Users\Admin\Music\
        6⤵
        
        PID:1060
    - - C:\Users\Public\backup.exe
        
        C:\Users\Public\backup.exe C:\Users\Public\
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:824
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1668
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1680
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1600
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1216
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1112
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:588
- C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
  C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:968

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\data.exe

Filesize
72KB

MD5
88b27de49ebd8c068cf7b4ca00593a37

SHA1
37a0544206f9d1e2f0e0364fe81d648c46e1271c

SHA256
598be69573d36e93420ed4102f57c6d881086c6ec283f3c7d7d1f1b5d0d8989c

SHA512
5ca40b3e785bffc621ab0627e06b602b2e229b4999ce302ac35bdccd6ca2c21188ab4b7f132e05c21af5d857cc3a1350f3e6c23bfe3f183a2f7820667a31d5d4

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
64d5543bf0b23711334ea4145469c58e

SHA1
a26811dae0e2d968a6e120b352225b2b584f97f1

SHA256
0ab7516ea733a46418f677c163ecc8a673fd229148b9c2cfc25013975a2a6bca

SHA512
7bc961e09657e606033375149cd4fe4569589f1b197edf63c44b89468a9b2b6d2315f5ed28332acd6954fb132864a72074481542de2161ed22c93c6c73fb5100

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
64d5543bf0b23711334ea4145469c58e

SHA1
a26811dae0e2d968a6e120b352225b2b584f97f1

SHA256
0ab7516ea733a46418f677c163ecc8a673fd229148b9c2cfc25013975a2a6bca

SHA512
7bc961e09657e606033375149cd4fe4569589f1b197edf63c44b89468a9b2b6d2315f5ed28332acd6954fb132864a72074481542de2161ed22c93c6c73fb5100

Download Submit
C:\Program Files (x86)\backup.exe

Filesize
72KB

MD5
daeb2e03c2ebf4724f8b7ce82cd198a0

SHA1
08388bacda170c3d3e90489dc6272d27c5d988ef

SHA256
74f8f8adb726f95d0a565b9dd9746809181fc7fe40f050198632e46e1ffe7388

SHA512
10789586fde480ee2eb24c8c0aa0b6251cd062cba004ce19e0519e854eaae1c93fc6b9fe7a99da2be2c31770447cdd4ff8233bd3ffc491aabd8e9413673d2b44

Download Submit
C:\Program Files (x86)\backup.exe

Filesize
72KB

MD5
daeb2e03c2ebf4724f8b7ce82cd198a0

SHA1
08388bacda170c3d3e90489dc6272d27c5d988ef

SHA256
74f8f8adb726f95d0a565b9dd9746809181fc7fe40f050198632e46e1ffe7388

SHA512
10789586fde480ee2eb24c8c0aa0b6251cd062cba004ce19e0519e854eaae1c93fc6b9fe7a99da2be2c31770447cdd4ff8233bd3ffc491aabd8e9413673d2b44

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
7cff9cf7fc7f4073acd3aa0bcf5b7047

SHA1
5d9c953b343f53d1c08f7d7a6d06dc5cd8802646

SHA256
9ebc3159d553b87b460c07096e16a978dc1caa37f5d07f7cda04ab8d9d2f23f4

SHA512
98b92c97ecc3de04161fe4ea9905880d1429458b527f949f52c4792f8dd7d86f4a9ffd20237b8e266f0356e6e20310a70c41b51ed068acaefa4c0e833a3d81fa

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
88b27de49ebd8c068cf7b4ca00593a37

SHA1
37a0544206f9d1e2f0e0364fe81d648c46e1271c

SHA256
598be69573d36e93420ed4102f57c6d881086c6ec283f3c7d7d1f1b5d0d8989c

SHA512
5ca40b3e785bffc621ab0627e06b602b2e229b4999ce302ac35bdccd6ca2c21188ab4b7f132e05c21af5d857cc3a1350f3e6c23bfe3f183a2f7820667a31d5d4

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
88b27de49ebd8c068cf7b4ca00593a37

SHA1
37a0544206f9d1e2f0e0364fe81d648c46e1271c

SHA256
598be69573d36e93420ed4102f57c6d881086c6ec283f3c7d7d1f1b5d0d8989c

SHA512
5ca40b3e785bffc621ab0627e06b602b2e229b4999ce302ac35bdccd6ca2c21188ab4b7f132e05c21af5d857cc3a1350f3e6c23bfe3f183a2f7820667a31d5d4

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
dee40953b4641d55569bda14750bc7f7

SHA1
b11fa7768b776a6c4180ec29eaf6dfb7c9d6bfba

SHA256
f91f6ae97ff2f190729eee06d7de5016b49fdcea318467617c2d6ddf2c16c29a

SHA512
d08915c7468a4f66ba2e4b3f14be2a905bf50428437310021e719a6590c929724e9d73901123f605abdce00c13a03344270399c79adf3f3c47844679d4ae66b8

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
dee40953b4641d55569bda14750bc7f7

SHA1
b11fa7768b776a6c4180ec29eaf6dfb7c9d6bfba

SHA256
f91f6ae97ff2f190729eee06d7de5016b49fdcea318467617c2d6ddf2c16c29a

SHA512
d08915c7468a4f66ba2e4b3f14be2a905bf50428437310021e719a6590c929724e9d73901123f605abdce00c13a03344270399c79adf3f3c47844679d4ae66b8

Download Submit
C:\Program Files\Common Files\data.exe

Filesize
72KB

MD5
fee02ffc0a6263a8b684774a3bcb7f4b

SHA1
84b5d6f0652143f3383f1df31267e95ecc8d837c

SHA256
fff3cf65f0ff5916c2a48935dde4d9973e4e796f25eeb35763512c2e26f6ba9c

SHA512
be6600bfbba6f182ac2b3e8c541dcfe229f5be2bb76a56b973f12b90dd31171a44d689a152d025223858d0e8cee491e3dd686ebc51101cc85f05a9cd123f6548

Download Submit
C:\Program Files\Common Files\data.exe

Filesize
72KB

MD5
fee02ffc0a6263a8b684774a3bcb7f4b

SHA1
84b5d6f0652143f3383f1df31267e95ecc8d837c

SHA256
fff3cf65f0ff5916c2a48935dde4d9973e4e796f25eeb35763512c2e26f6ba9c

SHA512
be6600bfbba6f182ac2b3e8c541dcfe229f5be2bb76a56b973f12b90dd31171a44d689a152d025223858d0e8cee491e3dd686ebc51101cc85f05a9cd123f6548

Download Submit
C:\Program Files\DVD Maker\backup.exe

Filesize
72KB

MD5
070d85c38999149f98854d00cc70353a

SHA1
90e44296618ed8440b8f94d8934e13c922580a88

SHA256
cdf6697ef92377ed02acffdff873e5748eb2a9e7427ca0946c1ef3d53ec5836c

SHA512
05789bd9a24c158672daa07ffd827643c9a320d97f57379d416e8e7aac1f99211a32574a019c4a602f5b87f45d51fd657ef080ce7bdc04d7ffd6dc7482b7757c

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
64d5543bf0b23711334ea4145469c58e

SHA1
a26811dae0e2d968a6e120b352225b2b584f97f1

SHA256
0ab7516ea733a46418f677c163ecc8a673fd229148b9c2cfc25013975a2a6bca

SHA512
7bc961e09657e606033375149cd4fe4569589f1b197edf63c44b89468a9b2b6d2315f5ed28332acd6954fb132864a72074481542de2161ed22c93c6c73fb5100

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
64d5543bf0b23711334ea4145469c58e

SHA1
a26811dae0e2d968a6e120b352225b2b584f97f1

SHA256
0ab7516ea733a46418f677c163ecc8a673fd229148b9c2cfc25013975a2a6bca

SHA512
7bc961e09657e606033375149cd4fe4569589f1b197edf63c44b89468a9b2b6d2315f5ed28332acd6954fb132864a72074481542de2161ed22c93c6c73fb5100

Download Submit
C:\Users\Admin\AppData\Local\Temp\3873942876\backup.exe

Filesize
72KB

MD5
45bc4a8caf8637a1c85e74bfe1b72ae1

SHA1
55d04a32e9d18913c67cacea4929bd5edcd18c07

SHA256
27b195d5ae0374ba8cf06fd6eb026cdbcd71dba39e6d3c2fb0175b0bda39d81d

SHA512
1f5257ad551234fce54ec7eda97b072638d6772c66eb39d6736eff1d689fd69bec4a458d8f845d0592e246a018ec3767669bac2df17032acdf69e69d066bb64a

Download Submit
C:\Users\Admin\AppData\Local\Temp\3873942876\backup.exe

Filesize
72KB

MD5
45bc4a8caf8637a1c85e74bfe1b72ae1

SHA1
55d04a32e9d18913c67cacea4929bd5edcd18c07

SHA256
27b195d5ae0374ba8cf06fd6eb026cdbcd71dba39e6d3c2fb0175b0bda39d81d

SHA512
1f5257ad551234fce54ec7eda97b072638d6772c66eb39d6736eff1d689fd69bec4a458d8f845d0592e246a018ec3767669bac2df17032acdf69e69d066bb64a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
ae2384bcc83a660f39e341c0b8c67016

SHA1
107f704cfb4c41973a7f29aa61f3d30294809705

SHA256
9d6271ee8ad69ed4c6e3e06a5863ccbc6c03fe9cb9c60c97dc1d3e05c51d367f

SHA512
3a1de20898fb32f14cf52de7ce2d231209c3e16e5b2c2c72156141d3c9d3ee931ef0e1f4f93bc1ceddc1d0b398dd6a4d043477bc22b92d96df7eb88767f3f5bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
ae2384bcc83a660f39e341c0b8c67016

SHA1
107f704cfb4c41973a7f29aa61f3d30294809705

SHA256
9d6271ee8ad69ed4c6e3e06a5863ccbc6c03fe9cb9c60c97dc1d3e05c51d367f

SHA512
3a1de20898fb32f14cf52de7ce2d231209c3e16e5b2c2c72156141d3c9d3ee931ef0e1f4f93bc1ceddc1d0b398dd6a4d043477bc22b92d96df7eb88767f3f5bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
ae2384bcc83a660f39e341c0b8c67016

SHA1
107f704cfb4c41973a7f29aa61f3d30294809705

SHA256
9d6271ee8ad69ed4c6e3e06a5863ccbc6c03fe9cb9c60c97dc1d3e05c51d367f

SHA512
3a1de20898fb32f14cf52de7ce2d231209c3e16e5b2c2c72156141d3c9d3ee931ef0e1f4f93bc1ceddc1d0b398dd6a4d043477bc22b92d96df7eb88767f3f5bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
ae2384bcc83a660f39e341c0b8c67016

SHA1
107f704cfb4c41973a7f29aa61f3d30294809705

SHA256
9d6271ee8ad69ed4c6e3e06a5863ccbc6c03fe9cb9c60c97dc1d3e05c51d367f

SHA512
3a1de20898fb32f14cf52de7ce2d231209c3e16e5b2c2c72156141d3c9d3ee931ef0e1f4f93bc1ceddc1d0b398dd6a4d043477bc22b92d96df7eb88767f3f5bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
45bc4a8caf8637a1c85e74bfe1b72ae1

SHA1
55d04a32e9d18913c67cacea4929bd5edcd18c07

SHA256
27b195d5ae0374ba8cf06fd6eb026cdbcd71dba39e6d3c2fb0175b0bda39d81d

SHA512
1f5257ad551234fce54ec7eda97b072638d6772c66eb39d6736eff1d689fd69bec4a458d8f845d0592e246a018ec3767669bac2df17032acdf69e69d066bb64a

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
ae2384bcc83a660f39e341c0b8c67016

SHA1
107f704cfb4c41973a7f29aa61f3d30294809705

SHA256
9d6271ee8ad69ed4c6e3e06a5863ccbc6c03fe9cb9c60c97dc1d3e05c51d367f

SHA512
3a1de20898fb32f14cf52de7ce2d231209c3e16e5b2c2c72156141d3c9d3ee931ef0e1f4f93bc1ceddc1d0b398dd6a4d043477bc22b92d96df7eb88767f3f5bf

Download Submit
C:\backup.exe

Filesize
72KB

MD5
a048ba0145014810c6dec599e2a28716

SHA1
8f746d47f0e08deef5d14004142bca9873299c68

SHA256
ca24870239212b8fb73141996a609335d60c1a66708e26aa872a1987b64df3f0

SHA512
45e23f89daa78d49c125ad9515c820b34d640177ab8cfdbf2d6e4cf7de886e7c563834407253bf4212fb6b71b8510de00d505bc243d20759451b2fba5abfa684

Download Submit
C:\backup.exe

Filesize
72KB

MD5
a048ba0145014810c6dec599e2a28716

SHA1
8f746d47f0e08deef5d14004142bca9873299c68

SHA256
ca24870239212b8fb73141996a609335d60c1a66708e26aa872a1987b64df3f0

SHA512
45e23f89daa78d49c125ad9515c820b34d640177ab8cfdbf2d6e4cf7de886e7c563834407253bf4212fb6b71b8510de00d505bc243d20759451b2fba5abfa684

Download Submit
\PerfLogs\Admin\data.exe

Filesize
72KB

MD5
88b27de49ebd8c068cf7b4ca00593a37

SHA1
37a0544206f9d1e2f0e0364fe81d648c46e1271c

SHA256
598be69573d36e93420ed4102f57c6d881086c6ec283f3c7d7d1f1b5d0d8989c

SHA512
5ca40b3e785bffc621ab0627e06b602b2e229b4999ce302ac35bdccd6ca2c21188ab4b7f132e05c21af5d857cc3a1350f3e6c23bfe3f183a2f7820667a31d5d4

Download Submit
\PerfLogs\Admin\data.exe

Filesize
72KB

MD5
88b27de49ebd8c068cf7b4ca00593a37

SHA1
37a0544206f9d1e2f0e0364fe81d648c46e1271c

SHA256
598be69573d36e93420ed4102f57c6d881086c6ec283f3c7d7d1f1b5d0d8989c

SHA512
5ca40b3e785bffc621ab0627e06b602b2e229b4999ce302ac35bdccd6ca2c21188ab4b7f132e05c21af5d857cc3a1350f3e6c23bfe3f183a2f7820667a31d5d4

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
64d5543bf0b23711334ea4145469c58e

SHA1
a26811dae0e2d968a6e120b352225b2b584f97f1

SHA256
0ab7516ea733a46418f677c163ecc8a673fd229148b9c2cfc25013975a2a6bca

SHA512
7bc961e09657e606033375149cd4fe4569589f1b197edf63c44b89468a9b2b6d2315f5ed28332acd6954fb132864a72074481542de2161ed22c93c6c73fb5100

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
64d5543bf0b23711334ea4145469c58e

SHA1
a26811dae0e2d968a6e120b352225b2b584f97f1

SHA256
0ab7516ea733a46418f677c163ecc8a673fd229148b9c2cfc25013975a2a6bca

SHA512
7bc961e09657e606033375149cd4fe4569589f1b197edf63c44b89468a9b2b6d2315f5ed28332acd6954fb132864a72074481542de2161ed22c93c6c73fb5100

Download Submit
\Program Files (x86)\backup.exe

Filesize
72KB

MD5
daeb2e03c2ebf4724f8b7ce82cd198a0

SHA1
08388bacda170c3d3e90489dc6272d27c5d988ef

SHA256
74f8f8adb726f95d0a565b9dd9746809181fc7fe40f050198632e46e1ffe7388

SHA512
10789586fde480ee2eb24c8c0aa0b6251cd062cba004ce19e0519e854eaae1c93fc6b9fe7a99da2be2c31770447cdd4ff8233bd3ffc491aabd8e9413673d2b44

Download Submit
\Program Files (x86)\backup.exe

Filesize
72KB

MD5
daeb2e03c2ebf4724f8b7ce82cd198a0

SHA1
08388bacda170c3d3e90489dc6272d27c5d988ef

SHA256
74f8f8adb726f95d0a565b9dd9746809181fc7fe40f050198632e46e1ffe7388

SHA512
10789586fde480ee2eb24c8c0aa0b6251cd062cba004ce19e0519e854eaae1c93fc6b9fe7a99da2be2c31770447cdd4ff8233bd3ffc491aabd8e9413673d2b44

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
7cff9cf7fc7f4073acd3aa0bcf5b7047

SHA1
5d9c953b343f53d1c08f7d7a6d06dc5cd8802646

SHA256
9ebc3159d553b87b460c07096e16a978dc1caa37f5d07f7cda04ab8d9d2f23f4

SHA512
98b92c97ecc3de04161fe4ea9905880d1429458b527f949f52c4792f8dd7d86f4a9ffd20237b8e266f0356e6e20310a70c41b51ed068acaefa4c0e833a3d81fa

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
7cff9cf7fc7f4073acd3aa0bcf5b7047

SHA1
5d9c953b343f53d1c08f7d7a6d06dc5cd8802646

SHA256
9ebc3159d553b87b460c07096e16a978dc1caa37f5d07f7cda04ab8d9d2f23f4

SHA512
98b92c97ecc3de04161fe4ea9905880d1429458b527f949f52c4792f8dd7d86f4a9ffd20237b8e266f0356e6e20310a70c41b51ed068acaefa4c0e833a3d81fa

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
88b27de49ebd8c068cf7b4ca00593a37

SHA1
37a0544206f9d1e2f0e0364fe81d648c46e1271c

SHA256
598be69573d36e93420ed4102f57c6d881086c6ec283f3c7d7d1f1b5d0d8989c

SHA512
5ca40b3e785bffc621ab0627e06b602b2e229b4999ce302ac35bdccd6ca2c21188ab4b7f132e05c21af5d857cc3a1350f3e6c23bfe3f183a2f7820667a31d5d4

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
88b27de49ebd8c068cf7b4ca00593a37

SHA1
37a0544206f9d1e2f0e0364fe81d648c46e1271c

SHA256
598be69573d36e93420ed4102f57c6d881086c6ec283f3c7d7d1f1b5d0d8989c

SHA512
5ca40b3e785bffc621ab0627e06b602b2e229b4999ce302ac35bdccd6ca2c21188ab4b7f132e05c21af5d857cc3a1350f3e6c23bfe3f183a2f7820667a31d5d4

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
74ccd4c0aa875ec64d913ce9e036be8f

SHA1
a800a2d4bced2098be28068cc9593d05c7b73596

SHA256
deb2e1ffca88083e465e1b06ab9facc7524132ab64a05a8616a98e8921d8ec3b

SHA512
84690e6cca3a85022a690e255a69c079deb32abe2b32fb08ece0280f22b6872a5d022e8a14e5db449b9fb463241eff3b57e153077a76007544fbfa56daf1d000

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
dee40953b4641d55569bda14750bc7f7

SHA1
b11fa7768b776a6c4180ec29eaf6dfb7c9d6bfba

SHA256
f91f6ae97ff2f190729eee06d7de5016b49fdcea318467617c2d6ddf2c16c29a

SHA512
d08915c7468a4f66ba2e4b3f14be2a905bf50428437310021e719a6590c929724e9d73901123f605abdce00c13a03344270399c79adf3f3c47844679d4ae66b8

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
dee40953b4641d55569bda14750bc7f7

SHA1
b11fa7768b776a6c4180ec29eaf6dfb7c9d6bfba

SHA256
f91f6ae97ff2f190729eee06d7de5016b49fdcea318467617c2d6ddf2c16c29a

SHA512
d08915c7468a4f66ba2e4b3f14be2a905bf50428437310021e719a6590c929724e9d73901123f605abdce00c13a03344270399c79adf3f3c47844679d4ae66b8

Download Submit
\Program Files\Common Files\Services\backup.exe

Filesize
72KB

MD5
c6259c7c734b442c40d4e64593916361

SHA1
f7a49ef3da3ce3a1230ecafb38dc3bda6b902c73

SHA256
e1a86fbb94edc9dae33a8ed0dda52d0b0809d30685c9b3229bd1df348341e4f5

SHA512
3e1b8c60a197cf0e77e2c5c5e776f76e885e8ddaa435f205754f9fb85754a2e3dda1a74690db2d3363898046c4f9fdec973576e5d1a3c8e2d620bc9ab0c1487c

Download Submit
\Program Files\Common Files\Services\backup.exe

Filesize
72KB

MD5
c6259c7c734b442c40d4e64593916361

SHA1
f7a49ef3da3ce3a1230ecafb38dc3bda6b902c73

SHA256
e1a86fbb94edc9dae33a8ed0dda52d0b0809d30685c9b3229bd1df348341e4f5

SHA512
3e1b8c60a197cf0e77e2c5c5e776f76e885e8ddaa435f205754f9fb85754a2e3dda1a74690db2d3363898046c4f9fdec973576e5d1a3c8e2d620bc9ab0c1487c

Download Submit
\Program Files\Common Files\data.exe

Filesize
72KB

MD5
fee02ffc0a6263a8b684774a3bcb7f4b

SHA1
84b5d6f0652143f3383f1df31267e95ecc8d837c

SHA256
fff3cf65f0ff5916c2a48935dde4d9973e4e796f25eeb35763512c2e26f6ba9c

SHA512
be6600bfbba6f182ac2b3e8c541dcfe229f5be2bb76a56b973f12b90dd31171a44d689a152d025223858d0e8cee491e3dd686ebc51101cc85f05a9cd123f6548

Download Submit
\Program Files\Common Files\data.exe

Filesize
72KB

MD5
fee02ffc0a6263a8b684774a3bcb7f4b

SHA1
84b5d6f0652143f3383f1df31267e95ecc8d837c

SHA256
fff3cf65f0ff5916c2a48935dde4d9973e4e796f25eeb35763512c2e26f6ba9c

SHA512
be6600bfbba6f182ac2b3e8c541dcfe229f5be2bb76a56b973f12b90dd31171a44d689a152d025223858d0e8cee491e3dd686ebc51101cc85f05a9cd123f6548

Download Submit
\Program Files\DVD Maker\backup.exe

Filesize
72KB

MD5
070d85c38999149f98854d00cc70353a

SHA1
90e44296618ed8440b8f94d8934e13c922580a88

SHA256
cdf6697ef92377ed02acffdff873e5748eb2a9e7427ca0946c1ef3d53ec5836c

SHA512
05789bd9a24c158672daa07ffd827643c9a320d97f57379d416e8e7aac1f99211a32574a019c4a602f5b87f45d51fd657ef080ce7bdc04d7ffd6dc7482b7757c

Download Submit
\Program Files\DVD Maker\backup.exe

Filesize
72KB

MD5
070d85c38999149f98854d00cc70353a

SHA1
90e44296618ed8440b8f94d8934e13c922580a88

SHA256
cdf6697ef92377ed02acffdff873e5748eb2a9e7427ca0946c1ef3d53ec5836c

SHA512
05789bd9a24c158672daa07ffd827643c9a320d97f57379d416e8e7aac1f99211a32574a019c4a602f5b87f45d51fd657ef080ce7bdc04d7ffd6dc7482b7757c

Download Submit
\Program Files\Google\backup.exe

Filesize
72KB

MD5
af8941cabac7de4723062e063a0bc884

SHA1
cc0a44d12d3322553cdc9cdbd2bcd4b169fca457

SHA256
8f385d7ed7784202a723c09e78a58d2733d8f62a93f0305c7ee5e98da2c0942c

SHA512
cb2cdc3b0a8cdab79d22720be937394137eba721d34da4d75ad1a3b05b641e175dcd8ae1e6ae1fad61b7d6d429ceb607b43e4597457e3265dcf2e49be78368eb

Download Submit
\Program Files\Google\backup.exe

Filesize
72KB

MD5
af8941cabac7de4723062e063a0bc884

SHA1
cc0a44d12d3322553cdc9cdbd2bcd4b169fca457

SHA256
8f385d7ed7784202a723c09e78a58d2733d8f62a93f0305c7ee5e98da2c0942c

SHA512
cb2cdc3b0a8cdab79d22720be937394137eba721d34da4d75ad1a3b05b641e175dcd8ae1e6ae1fad61b7d6d429ceb607b43e4597457e3265dcf2e49be78368eb

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
64d5543bf0b23711334ea4145469c58e

SHA1
a26811dae0e2d968a6e120b352225b2b584f97f1

SHA256
0ab7516ea733a46418f677c163ecc8a673fd229148b9c2cfc25013975a2a6bca

SHA512
7bc961e09657e606033375149cd4fe4569589f1b197edf63c44b89468a9b2b6d2315f5ed28332acd6954fb132864a72074481542de2161ed22c93c6c73fb5100

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
64d5543bf0b23711334ea4145469c58e

SHA1
a26811dae0e2d968a6e120b352225b2b584f97f1

SHA256
0ab7516ea733a46418f677c163ecc8a673fd229148b9c2cfc25013975a2a6bca

SHA512
7bc961e09657e606033375149cd4fe4569589f1b197edf63c44b89468a9b2b6d2315f5ed28332acd6954fb132864a72074481542de2161ed22c93c6c73fb5100

Download Submit
\Users\Admin\AppData\Local\Temp\3873942876\backup.exe

Filesize
72KB

MD5
45bc4a8caf8637a1c85e74bfe1b72ae1

SHA1
55d04a32e9d18913c67cacea4929bd5edcd18c07

SHA256
27b195d5ae0374ba8cf06fd6eb026cdbcd71dba39e6d3c2fb0175b0bda39d81d

SHA512
1f5257ad551234fce54ec7eda97b072638d6772c66eb39d6736eff1d689fd69bec4a458d8f845d0592e246a018ec3767669bac2df17032acdf69e69d066bb64a

Download Submit
\Users\Admin\AppData\Local\Temp\3873942876\backup.exe

Filesize
72KB

MD5
45bc4a8caf8637a1c85e74bfe1b72ae1

SHA1
55d04a32e9d18913c67cacea4929bd5edcd18c07

SHA256
27b195d5ae0374ba8cf06fd6eb026cdbcd71dba39e6d3c2fb0175b0bda39d81d

SHA512
1f5257ad551234fce54ec7eda97b072638d6772c66eb39d6736eff1d689fd69bec4a458d8f845d0592e246a018ec3767669bac2df17032acdf69e69d066bb64a

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
ae2384bcc83a660f39e341c0b8c67016

SHA1
107f704cfb4c41973a7f29aa61f3d30294809705

SHA256
9d6271ee8ad69ed4c6e3e06a5863ccbc6c03fe9cb9c60c97dc1d3e05c51d367f

SHA512
3a1de20898fb32f14cf52de7ce2d231209c3e16e5b2c2c72156141d3c9d3ee931ef0e1f4f93bc1ceddc1d0b398dd6a4d043477bc22b92d96df7eb88767f3f5bf

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
ae2384bcc83a660f39e341c0b8c67016

SHA1
107f704cfb4c41973a7f29aa61f3d30294809705

SHA256
9d6271ee8ad69ed4c6e3e06a5863ccbc6c03fe9cb9c60c97dc1d3e05c51d367f

SHA512
3a1de20898fb32f14cf52de7ce2d231209c3e16e5b2c2c72156141d3c9d3ee931ef0e1f4f93bc1ceddc1d0b398dd6a4d043477bc22b92d96df7eb88767f3f5bf

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
ae2384bcc83a660f39e341c0b8c67016

SHA1
107f704cfb4c41973a7f29aa61f3d30294809705

SHA256
9d6271ee8ad69ed4c6e3e06a5863ccbc6c03fe9cb9c60c97dc1d3e05c51d367f

SHA512
3a1de20898fb32f14cf52de7ce2d231209c3e16e5b2c2c72156141d3c9d3ee931ef0e1f4f93bc1ceddc1d0b398dd6a4d043477bc22b92d96df7eb88767f3f5bf

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
ae2384bcc83a660f39e341c0b8c67016

SHA1
107f704cfb4c41973a7f29aa61f3d30294809705

SHA256
9d6271ee8ad69ed4c6e3e06a5863ccbc6c03fe9cb9c60c97dc1d3e05c51d367f

SHA512
3a1de20898fb32f14cf52de7ce2d231209c3e16e5b2c2c72156141d3c9d3ee931ef0e1f4f93bc1ceddc1d0b398dd6a4d043477bc22b92d96df7eb88767f3f5bf

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
ae2384bcc83a660f39e341c0b8c67016

SHA1
107f704cfb4c41973a7f29aa61f3d30294809705

SHA256
9d6271ee8ad69ed4c6e3e06a5863ccbc6c03fe9cb9c60c97dc1d3e05c51d367f

SHA512
3a1de20898fb32f14cf52de7ce2d231209c3e16e5b2c2c72156141d3c9d3ee931ef0e1f4f93bc1ceddc1d0b398dd6a4d043477bc22b92d96df7eb88767f3f5bf

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
ae2384bcc83a660f39e341c0b8c67016

SHA1
107f704cfb4c41973a7f29aa61f3d30294809705

SHA256
9d6271ee8ad69ed4c6e3e06a5863ccbc6c03fe9cb9c60c97dc1d3e05c51d367f

SHA512
3a1de20898fb32f14cf52de7ce2d231209c3e16e5b2c2c72156141d3c9d3ee931ef0e1f4f93bc1ceddc1d0b398dd6a4d043477bc22b92d96df7eb88767f3f5bf

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
ae2384bcc83a660f39e341c0b8c67016

SHA1
107f704cfb4c41973a7f29aa61f3d30294809705

SHA256
9d6271ee8ad69ed4c6e3e06a5863ccbc6c03fe9cb9c60c97dc1d3e05c51d367f

SHA512
3a1de20898fb32f14cf52de7ce2d231209c3e16e5b2c2c72156141d3c9d3ee931ef0e1f4f93bc1ceddc1d0b398dd6a4d043477bc22b92d96df7eb88767f3f5bf

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
ae2384bcc83a660f39e341c0b8c67016

SHA1
107f704cfb4c41973a7f29aa61f3d30294809705

SHA256
9d6271ee8ad69ed4c6e3e06a5863ccbc6c03fe9cb9c60c97dc1d3e05c51d367f

SHA512
3a1de20898fb32f14cf52de7ce2d231209c3e16e5b2c2c72156141d3c9d3ee931ef0e1f4f93bc1ceddc1d0b398dd6a4d043477bc22b92d96df7eb88767f3f5bf

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
45bc4a8caf8637a1c85e74bfe1b72ae1

SHA1
55d04a32e9d18913c67cacea4929bd5edcd18c07

SHA256
27b195d5ae0374ba8cf06fd6eb026cdbcd71dba39e6d3c2fb0175b0bda39d81d

SHA512
1f5257ad551234fce54ec7eda97b072638d6772c66eb39d6736eff1d689fd69bec4a458d8f845d0592e246a018ec3767669bac2df17032acdf69e69d066bb64a

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
45bc4a8caf8637a1c85e74bfe1b72ae1

SHA1
55d04a32e9d18913c67cacea4929bd5edcd18c07

SHA256
27b195d5ae0374ba8cf06fd6eb026cdbcd71dba39e6d3c2fb0175b0bda39d81d

SHA512
1f5257ad551234fce54ec7eda97b072638d6772c66eb39d6736eff1d689fd69bec4a458d8f845d0592e246a018ec3767669bac2df17032acdf69e69d066bb64a

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
ae2384bcc83a660f39e341c0b8c67016

SHA1
107f704cfb4c41973a7f29aa61f3d30294809705

SHA256
9d6271ee8ad69ed4c6e3e06a5863ccbc6c03fe9cb9c60c97dc1d3e05c51d367f

SHA512
3a1de20898fb32f14cf52de7ce2d231209c3e16e5b2c2c72156141d3c9d3ee931ef0e1f4f93bc1ceddc1d0b398dd6a4d043477bc22b92d96df7eb88767f3f5bf

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
ae2384bcc83a660f39e341c0b8c67016

SHA1
107f704cfb4c41973a7f29aa61f3d30294809705

SHA256
9d6271ee8ad69ed4c6e3e06a5863ccbc6c03fe9cb9c60c97dc1d3e05c51d367f

SHA512
3a1de20898fb32f14cf52de7ce2d231209c3e16e5b2c2c72156141d3c9d3ee931ef0e1f4f93bc1ceddc1d0b398dd6a4d043477bc22b92d96df7eb88767f3f5bf

Download Submit
\Users\backup.exe

Filesize
72KB

MD5
0dc6fcaadaa4745dbe059ef527c6483a

SHA1
00faa28cd1888537ee5a2fd5baff6e08f383d1a2

SHA256
71c1821ced7a91bfae92e25c71e902228e41d2d26abb6774519fe17edd44f09c

SHA512
02516e50f308585afa62e88d94ce96b0cfce4ad793d245f97fc8a3290bb5d13965f43c545b44231367d2d8fe4860b59d509e011f0bd4b747cc5f3bb62d9659ff

Download Submit
\Users\backup.exe

Filesize
72KB

MD5
0dc6fcaadaa4745dbe059ef527c6483a

SHA1
00faa28cd1888537ee5a2fd5baff6e08f383d1a2

SHA256
71c1821ced7a91bfae92e25c71e902228e41d2d26abb6774519fe17edd44f09c

SHA512
02516e50f308585afa62e88d94ce96b0cfce4ad793d245f97fc8a3290bb5d13965f43c545b44231367d2d8fe4860b59d509e011f0bd4b747cc5f3bb62d9659ff

Download Submit
memory/1948-132-0x00000000741F1000-0x00000000741F3000-memory.dmp

Filesize
8KB

Download
memory/1948-98-0x0000000075A11000-0x0000000075A13000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads