e60ebdf514f2c57bb3b6e58aee00e35477e8a45b0561cefa0846b38cf938e0ed

Analysis

max time kernel
187s
max time network
35s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 17:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e60ebdf514f2c57bb3b6e58aee00e35477e8a45b0561cefa0846b38cf938e0ed.exe
Size

72KB
MD5

0a8393698e8056b807a60d5a7d9b5ef5
SHA1

1ed3a729b07d0c13e7df4efdba24d3616cd8c8b1
SHA256

e60ebdf514f2c57bb3b6e58aee00e35477e8a45b0561cefa0846b38cf938e0ed
SHA512

4b3eb9ba017d1056baa1f8d6b41dcd2e9a8cc5da5ac57252d92824155ab50af735643c9d09750be5e4ed91dbaf0202b505601cf070b7520d26905d15de8990de
SSDEEP

768:rpQNwC3BEc4QEfu0Ei8XxNDINE3BEJwRr9Sn:teThavEjDWguK9S

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

System Restore.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeSystem Restore.exebackup.exeupdate.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeSystem Restore.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exedata.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exee60ebdf514f2c57bb3b6e58aee00e35477e8a45b0561cefa0846b38cf938e0ed.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeSystem Restore.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	e60ebdf514f2c57bb3b6e58aee00e35477e8a45b0561cefa0846b38cf938e0ed.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Executes dropped EXE 64 IoCs

Processes:

backup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeupdate.exebackup.exebackup.exebackup.exebackup.exebackup.exeSystem Restore.exebackup.exebackup.exeSystem Restore.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeSystem Restore.exeSystem Restore.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exedata.exebackup.exebackup.exebackup.exebackup.exebackup.exe

pid	process
700	backup.exe
1176	backup.exe
1356	backup.exe
1348	backup.exe
560	backup.exe
1496	backup.exe
1616	backup.exe
364	backup.exe
1556	backup.exe
848	backup.exe
640	backup.exe
1136	update.exe
436	backup.exe
1860	backup.exe
2028	backup.exe
1244	backup.exe
1704	backup.exe
776	System Restore.exe
524	backup.exe
1092	backup.exe
708	System Restore.exe
2044	backup.exe
1444	backup.exe
292	backup.exe
1052	backup.exe
1532	backup.exe
1616	backup.exe
1648	backup.exe
1164	backup.exe
112	backup.exe
1804	backup.exe
556	backup.exe
1572	backup.exe
1996	backup.exe
340	backup.exe
1944	backup.exe
1972	backup.exe
2012	backup.exe
436	backup.exe
956	backup.exe
1760	backup.exe
1484	backup.exe
1608	backup.exe
1776	backup.exe
472	backup.exe
1180	backup.exe
1160	backup.exe
524	backup.exe
320	backup.exe
1012	backup.exe
1992	System Restore.exe
1820	System Restore.exe
1548	backup.exe
908	backup.exe
1620	backup.exe
612	backup.exe
1452	backup.exe
1540	backup.exe
2032	data.exe
556	backup.exe
2004	backup.exe
1572	backup.exe
1932	backup.exe
1996	backup.exe

Loads dropped DLL 64 IoCs

Processes:

e60ebdf514f2c57bb3b6e58aee00e35477e8a45b0561cefa0846b38cf938e0ed.exebackup.exebackup.exebackup.exebackup.exeupdate.exebackup.exebackup.exebackup.exebackup.exe

pid	process
2040	e60ebdf514f2c57bb3b6e58aee00e35477e8a45b0561cefa0846b38cf938e0ed.exe
2040	e60ebdf514f2c57bb3b6e58aee00e35477e8a45b0561cefa0846b38cf938e0ed.exe
2040	e60ebdf514f2c57bb3b6e58aee00e35477e8a45b0561cefa0846b38cf938e0ed.exe
2040	e60ebdf514f2c57bb3b6e58aee00e35477e8a45b0561cefa0846b38cf938e0ed.exe
2040	e60ebdf514f2c57bb3b6e58aee00e35477e8a45b0561cefa0846b38cf938e0ed.exe
2040	e60ebdf514f2c57bb3b6e58aee00e35477e8a45b0561cefa0846b38cf938e0ed.exe
2040	e60ebdf514f2c57bb3b6e58aee00e35477e8a45b0561cefa0846b38cf938e0ed.exe
2040	e60ebdf514f2c57bb3b6e58aee00e35477e8a45b0561cefa0846b38cf938e0ed.exe
2040	e60ebdf514f2c57bb3b6e58aee00e35477e8a45b0561cefa0846b38cf938e0ed.exe
2040	e60ebdf514f2c57bb3b6e58aee00e35477e8a45b0561cefa0846b38cf938e0ed.exe
2040	e60ebdf514f2c57bb3b6e58aee00e35477e8a45b0561cefa0846b38cf938e0ed.exe
2040	e60ebdf514f2c57bb3b6e58aee00e35477e8a45b0561cefa0846b38cf938e0ed.exe
2040	e60ebdf514f2c57bb3b6e58aee00e35477e8a45b0561cefa0846b38cf938e0ed.exe
2040	e60ebdf514f2c57bb3b6e58aee00e35477e8a45b0561cefa0846b38cf938e0ed.exe
364	backup.exe
364	backup.exe
364	backup.exe
364	backup.exe
1556	backup.exe
848	backup.exe
848	backup.exe
640	backup.exe
640	backup.exe
1136	update.exe
1136	update.exe
1136	update.exe
848	backup.exe
848	backup.exe
1860	backup.exe
1860	backup.exe
2028	backup.exe
2028	backup.exe
2028	backup.exe
2028	backup.exe
1704	backup.exe
1704	backup.exe
1704	backup.exe
1704	backup.exe
1704	backup.exe
1704	backup.exe
1704	backup.exe
1704	backup.exe
1704	backup.exe
1704	backup.exe
1704	backup.exe
1704	backup.exe
1704	backup.exe
1704	backup.exe
1704	backup.exe
1704	backup.exe
1704	backup.exe
1704	backup.exe
1704	backup.exe
1704	backup.exe
1704	backup.exe
1704	backup.exe
1704	backup.exe
1704	backup.exe
1164	backup.exe
1164	backup.exe
1164	backup.exe
1164	backup.exe
1164	backup.exe
1164	backup.exe

Drops file in Program Files directory 64 IoCs

Processes:

backup.exebackup.exebackup.exeSystem Restore.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\Services\System Restore.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\ja-JP\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\it-IT\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\7-Zip\Lang\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\en-US\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe	backup.exe
File opened for modification	C:\Program Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\data.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\fr-FR\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Internet Explorer\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Games\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\es-ES\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\de-DE\backup.exe	System Restore.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\System Restore.exe	backup.exe

Drops file in Windows directory 1 IoCs

Processes:

backup.exe

description ioc process

File opened for modification C:\Windows\backup.exe backup.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\backup.exe	backup.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

e60ebdf514f2c57bb3b6e58aee00e35477e8a45b0561cefa0846b38cf938e0ed.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeupdate.exebackup.exebackup.exebackup.exebackup.exebackup.exeSystem Restore.exebackup.exebackup.exeSystem Restore.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeSystem Restore.exeSystem Restore.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exedata.exebackup.exebackup.exebackup.exebackup.exe

pid	process
2040	e60ebdf514f2c57bb3b6e58aee00e35477e8a45b0561cefa0846b38cf938e0ed.exe
700	backup.exe
1176	backup.exe
1356	backup.exe
1348	backup.exe
560	backup.exe
1496	backup.exe
1616	backup.exe
364	backup.exe
1556	backup.exe
848	backup.exe
640	backup.exe
1136	update.exe
436	backup.exe
1860	backup.exe
2028	backup.exe
1244	backup.exe
1704	backup.exe
776	System Restore.exe
524	backup.exe
1092	backup.exe
708	System Restore.exe
2044	backup.exe
1444	backup.exe
292	backup.exe
1052	backup.exe
1532	backup.exe
1616	backup.exe
1648	backup.exe
1164	backup.exe
112	backup.exe
1804	backup.exe
556	backup.exe
1572	backup.exe
1996	backup.exe
340	backup.exe
1944	backup.exe
1972	backup.exe
2012	backup.exe
436	backup.exe
956	backup.exe
1760	backup.exe
1484	backup.exe
1608	backup.exe
1776	backup.exe
472	backup.exe
1180	backup.exe
1160	backup.exe
524	backup.exe
1012	backup.exe
320	backup.exe
1992	System Restore.exe
1820	System Restore.exe
908	backup.exe
1548	backup.exe
1620	backup.exe
612	backup.exe
1452	backup.exe
1540	backup.exe
2032	data.exe
1572	backup.exe
2004	backup.exe
1932	backup.exe
1752	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

e60ebdf514f2c57bb3b6e58aee00e35477e8a45b0561cefa0846b38cf938e0ed.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exe

description	pid	process	target process
PID 2040 wrote to memory of 700	2040	e60ebdf514f2c57bb3b6e58aee00e35477e8a45b0561cefa0846b38cf938e0ed.exe	backup.exe
PID 2040 wrote to memory of 700	2040	e60ebdf514f2c57bb3b6e58aee00e35477e8a45b0561cefa0846b38cf938e0ed.exe	backup.exe
PID 2040 wrote to memory of 700	2040	e60ebdf514f2c57bb3b6e58aee00e35477e8a45b0561cefa0846b38cf938e0ed.exe	backup.exe
PID 2040 wrote to memory of 700	2040	e60ebdf514f2c57bb3b6e58aee00e35477e8a45b0561cefa0846b38cf938e0ed.exe	backup.exe
PID 2040 wrote to memory of 1176	2040	e60ebdf514f2c57bb3b6e58aee00e35477e8a45b0561cefa0846b38cf938e0ed.exe	backup.exe
PID 2040 wrote to memory of 1176	2040	e60ebdf514f2c57bb3b6e58aee00e35477e8a45b0561cefa0846b38cf938e0ed.exe	backup.exe
PID 2040 wrote to memory of 1176	2040	e60ebdf514f2c57bb3b6e58aee00e35477e8a45b0561cefa0846b38cf938e0ed.exe	backup.exe
PID 2040 wrote to memory of 1176	2040	e60ebdf514f2c57bb3b6e58aee00e35477e8a45b0561cefa0846b38cf938e0ed.exe	backup.exe
PID 2040 wrote to memory of 1356	2040	e60ebdf514f2c57bb3b6e58aee00e35477e8a45b0561cefa0846b38cf938e0ed.exe	backup.exe
PID 2040 wrote to memory of 1356	2040	e60ebdf514f2c57bb3b6e58aee00e35477e8a45b0561cefa0846b38cf938e0ed.exe	backup.exe
PID 2040 wrote to memory of 1356	2040	e60ebdf514f2c57bb3b6e58aee00e35477e8a45b0561cefa0846b38cf938e0ed.exe	backup.exe
PID 2040 wrote to memory of 1356	2040	e60ebdf514f2c57bb3b6e58aee00e35477e8a45b0561cefa0846b38cf938e0ed.exe	backup.exe
PID 2040 wrote to memory of 1348	2040	e60ebdf514f2c57bb3b6e58aee00e35477e8a45b0561cefa0846b38cf938e0ed.exe	backup.exe
PID 2040 wrote to memory of 1348	2040	e60ebdf514f2c57bb3b6e58aee00e35477e8a45b0561cefa0846b38cf938e0ed.exe	backup.exe
PID 2040 wrote to memory of 1348	2040	e60ebdf514f2c57bb3b6e58aee00e35477e8a45b0561cefa0846b38cf938e0ed.exe	backup.exe
PID 2040 wrote to memory of 1348	2040	e60ebdf514f2c57bb3b6e58aee00e35477e8a45b0561cefa0846b38cf938e0ed.exe	backup.exe
PID 2040 wrote to memory of 560	2040	e60ebdf514f2c57bb3b6e58aee00e35477e8a45b0561cefa0846b38cf938e0ed.exe	backup.exe
PID 2040 wrote to memory of 560	2040	e60ebdf514f2c57bb3b6e58aee00e35477e8a45b0561cefa0846b38cf938e0ed.exe	backup.exe
PID 2040 wrote to memory of 560	2040	e60ebdf514f2c57bb3b6e58aee00e35477e8a45b0561cefa0846b38cf938e0ed.exe	backup.exe
PID 2040 wrote to memory of 560	2040	e60ebdf514f2c57bb3b6e58aee00e35477e8a45b0561cefa0846b38cf938e0ed.exe	backup.exe
PID 2040 wrote to memory of 1496	2040	e60ebdf514f2c57bb3b6e58aee00e35477e8a45b0561cefa0846b38cf938e0ed.exe	backup.exe
PID 2040 wrote to memory of 1496	2040	e60ebdf514f2c57bb3b6e58aee00e35477e8a45b0561cefa0846b38cf938e0ed.exe	backup.exe
PID 2040 wrote to memory of 1496	2040	e60ebdf514f2c57bb3b6e58aee00e35477e8a45b0561cefa0846b38cf938e0ed.exe	backup.exe
PID 2040 wrote to memory of 1496	2040	e60ebdf514f2c57bb3b6e58aee00e35477e8a45b0561cefa0846b38cf938e0ed.exe	backup.exe
PID 2040 wrote to memory of 1616	2040	e60ebdf514f2c57bb3b6e58aee00e35477e8a45b0561cefa0846b38cf938e0ed.exe	backup.exe
PID 2040 wrote to memory of 1616	2040	e60ebdf514f2c57bb3b6e58aee00e35477e8a45b0561cefa0846b38cf938e0ed.exe	backup.exe
PID 2040 wrote to memory of 1616	2040	e60ebdf514f2c57bb3b6e58aee00e35477e8a45b0561cefa0846b38cf938e0ed.exe	backup.exe
PID 2040 wrote to memory of 1616	2040	e60ebdf514f2c57bb3b6e58aee00e35477e8a45b0561cefa0846b38cf938e0ed.exe	backup.exe
PID 700 wrote to memory of 364	700	backup.exe	backup.exe
PID 700 wrote to memory of 364	700	backup.exe	backup.exe
PID 700 wrote to memory of 364	700	backup.exe	backup.exe
PID 700 wrote to memory of 364	700	backup.exe	backup.exe
PID 364 wrote to memory of 1556	364	backup.exe	backup.exe
PID 364 wrote to memory of 1556	364	backup.exe	backup.exe
PID 364 wrote to memory of 1556	364	backup.exe	backup.exe
PID 364 wrote to memory of 1556	364	backup.exe	backup.exe
PID 364 wrote to memory of 848	364	backup.exe	backup.exe
PID 364 wrote to memory of 848	364	backup.exe	backup.exe
PID 364 wrote to memory of 848	364	backup.exe	backup.exe
PID 364 wrote to memory of 848	364	backup.exe	backup.exe
PID 848 wrote to memory of 640	848	backup.exe	backup.exe
PID 848 wrote to memory of 640	848	backup.exe	backup.exe
PID 848 wrote to memory of 640	848	backup.exe	backup.exe
PID 848 wrote to memory of 640	848	backup.exe	backup.exe
PID 1556 wrote to memory of 1136	1556	backup.exe	update.exe
PID 1556 wrote to memory of 1136	1556	backup.exe	update.exe
PID 1556 wrote to memory of 1136	1556	backup.exe	update.exe
PID 1556 wrote to memory of 1136	1556	backup.exe	update.exe
PID 1556 wrote to memory of 1136	1556	backup.exe	update.exe
PID 1556 wrote to memory of 1136	1556	backup.exe	update.exe
PID 1556 wrote to memory of 1136	1556	backup.exe	update.exe
PID 640 wrote to memory of 436	640	backup.exe	backup.exe
PID 640 wrote to memory of 436	640	backup.exe	backup.exe
PID 640 wrote to memory of 436	640	backup.exe	backup.exe
PID 640 wrote to memory of 436	640	backup.exe	backup.exe
PID 848 wrote to memory of 1860	848	backup.exe	backup.exe
PID 848 wrote to memory of 1860	848	backup.exe	backup.exe
PID 848 wrote to memory of 1860	848	backup.exe	backup.exe
PID 848 wrote to memory of 1860	848	backup.exe	backup.exe
PID 1860 wrote to memory of 2028	1860	backup.exe	backup.exe
PID 1860 wrote to memory of 2028	1860	backup.exe	backup.exe
PID 1860 wrote to memory of 2028	1860	backup.exe	backup.exe
PID 1860 wrote to memory of 2028	1860	backup.exe	backup.exe
PID 2028 wrote to memory of 1244	2028	backup.exe	backup.exe

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

Processes:

backup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeSystem Restore.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeSystem Restore.exebackup.exedata.exebackup.exeSystem Restore.exebackup.exebackup.exebackup.exebackup.exebackup.exeSystem Restore.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe

C:\Users\Admin\AppData\Local\Temp\e60ebdf514f2c57bb3b6e58aee00e35477e8a45b0561cefa0846b38cf938e0ed.exe
"C:\Users\Admin\AppData\Local\Temp\e60ebdf514f2c57bb3b6e58aee00e35477e8a45b0561cefa0846b38cf938e0ed.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2040

C:\Users\Admin\AppData\Local\Temp\2280752441\backup.exe
C:\Users\Admin\AppData\Local\Temp\2280752441\backup.exe C:\Users\Admin\AppData\Local\Temp\2280752441\
2⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:700

C:\backup.exe
\backup.exe \
3⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:364

C:\PerfLogs\backup.exe
C:\PerfLogs\backup.exe C:\PerfLogs\
4⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1556

C:\PerfLogs\Admin\update.exe
C:\PerfLogs\Admin\update.exe C:\PerfLogs\Admin\
5⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1136

C:\Program Files\backup.exe
"C:\Program Files\backup.exe" C:\Program Files\
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:848

C:\Program Files\7-Zip\backup.exe
"C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
5⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:640

C:\Program Files\7-Zip\Lang\backup.exe
"C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
6⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:436

C:\Program Files\Common Files\backup.exe
"C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
5⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1860

C:\Program Files\Common Files\Microsoft Shared\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\backup.exe" C:\Program Files\Common Files\Microsoft Shared\
6⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2028

C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
7⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1244

C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
7⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1704

C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\System Restore.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:776

C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:524

C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1092

C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\System Restore.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:708

C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2044

C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1444

C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:292

C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1052

C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1532

C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\
8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1616

C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\
8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1648

C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\
8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1164

C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\
9⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:112

C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\
9⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1804

C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\
9⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:556

C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\
9⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1572

C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\
9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1996

C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\
9⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:340

C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\
9⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1944

C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\
9⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1972

C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\
9⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2012

C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:436

C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\
8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:956

C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\
8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1760

C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\
8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1484

C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\
8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1608

C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\
8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1776

C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\
8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:472

C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\
8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1180

C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\
8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1160

C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\
8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:320

C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\
8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:908

C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\
8⤵
- Executes dropped EXE
PID:556

C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\
8⤵
PID:1760

C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\
8⤵
PID:340

C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\
8⤵
PID:112

C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
7⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1012

C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\
8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:612

C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\
8⤵
- Suspicious use of SetWindowsHookEx
PID:1752

C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\
8⤵
- Modifies visibility of file extensions in Explorer
PID:1244

C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\System Restore.exe
"C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\
8⤵
- System policy modification
PID:964

C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\
8⤵
PID:1540

C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\
8⤵
PID:1796

C:\Program Files\Common Files\Microsoft Shared\OFFICE14\data.exe
"C:\Program Files\Common Files\Microsoft Shared\OFFICE14\data.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
7⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2032

C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\
8⤵
- Executes dropped EXE
PID:1996

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
7⤵
PID:1104

C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\
7⤵
PID:1724

C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\
7⤵
PID:876

C:\Program Files\Common Files\Microsoft Shared\Triedit\System Restore.exe
"C:\Program Files\Common Files\Microsoft Shared\Triedit\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\
7⤵
PID:1604

C:\Program Files\Common Files\Services\System Restore.exe
"C:\Program Files\Common Files\Services\System Restore.exe" C:\Program Files\Common Files\Services\
6⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1992

C:\Program Files\Common Files\SpeechEngines\backup.exe
"C:\Program Files\Common Files\SpeechEngines\backup.exe" C:\Program Files\Common Files\SpeechEngines\
6⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1548

C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe
"C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files\Common Files\SpeechEngines\Microsoft\
7⤵
PID:1936

C:\Program Files\Common Files\System\backup.exe
"C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
6⤵
PID:292

C:\Program Files\DVD Maker\System Restore.exe
"C:\Program Files\DVD Maker\System Restore.exe" C:\Program Files\DVD Maker\
5⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1820

C:\Program Files\DVD Maker\de-DE\backup.exe
"C:\Program Files\DVD Maker\de-DE\backup.exe" C:\Program Files\DVD Maker\de-DE\
6⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1540

C:\Program Files\DVD Maker\en-US\backup.exe
"C:\Program Files\DVD Maker\en-US\backup.exe" C:\Program Files\DVD Maker\en-US\
6⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1932

C:\Program Files\DVD Maker\es-ES\backup.exe
"C:\Program Files\DVD Maker\es-ES\backup.exe" C:\Program Files\DVD Maker\es-ES\
6⤵
- Modifies visibility of file extensions in Explorer
PID:772

C:\Program Files\DVD Maker\fr-FR\backup.exe
"C:\Program Files\DVD Maker\fr-FR\backup.exe" C:\Program Files\DVD Maker\fr-FR\
6⤵
PID:1740

C:\Program Files\DVD Maker\it-IT\backup.exe
"C:\Program Files\DVD Maker\it-IT\backup.exe" C:\Program Files\DVD Maker\it-IT\
6⤵
PID:1096

C:\Program Files\DVD Maker\ja-JP\backup.exe
"C:\Program Files\DVD Maker\ja-JP\backup.exe" C:\Program Files\DVD Maker\ja-JP\
6⤵
PID:1868

C:\Program Files\DVD Maker\Shared\backup.exe
"C:\Program Files\DVD Maker\Shared\backup.exe" C:\Program Files\DVD Maker\Shared\
6⤵
PID:1636

C:\Program Files\Google\backup.exe
"C:\Program Files\Google\backup.exe" C:\Program Files\Google\
5⤵
PID:912

C:\Program Files\Internet Explorer\backup.exe
"C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
5⤵
PID:376

C:\Program Files\Java\backup.exe
"C:\Program Files\Java\backup.exe" C:\Program Files\Java\
5⤵
PID:1048

C:\Program Files\Microsoft Games\backup.exe
"C:\Program Files\Microsoft Games\backup.exe" C:\Program Files\Microsoft Games\
5⤵
PID:2032

C:\Program Files (x86)\backup.exe
"C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
4⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:524

C:\Program Files (x86)\Adobe\backup.exe
"C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
5⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1620

C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\
6⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1572

C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\
7⤵
PID:640

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\
7⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:1148

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\
7⤵
PID:1980

C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\
7⤵
PID:2012

C:\Program Files (x86)\Common Files\backup.exe
"C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
5⤵
PID:1748

C:\Program Files (x86)\Google\System Restore.exe
"C:\Program Files (x86)\Google\System Restore.exe" C:\Program Files (x86)\Google\
5⤵
PID:1652

C:\Program Files (x86)\Internet Explorer\backup.exe
"C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
5⤵
PID:1216

C:\Program Files (x86)\Microsoft Analysis Services\backup.exe
"C:\Program Files (x86)\Microsoft Analysis Services\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\
5⤵
PID:816

C:\Users\backup.exe
C:\Users\backup.exe C:\Users\
4⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1452

C:\Users\Admin\backup.exe
C:\Users\Admin\backup.exe C:\Users\Admin\
5⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2004

C:\Users\Admin\Contacts\backup.exe
C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
6⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:1320

C:\Users\Admin\Desktop\backup.exe
C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
6⤵
PID:568

C:\Users\Admin\Documents\backup.exe
C:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\
6⤵
PID:1200

C:\Users\Admin\Downloads\backup.exe
C:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\
6⤵
PID:612

C:\Users\Admin\Favorites\backup.exe
C:\Users\Admin\Favorites\backup.exe C:\Users\Admin\Favorites\
6⤵
PID:1252

C:\Users\Admin\Links\backup.exe
C:\Users\Admin\Links\backup.exe C:\Users\Admin\Links\
6⤵
PID:1716

C:\Users\Public\backup.exe
C:\Users\Public\backup.exe C:\Users\Public\
5⤵
PID:1800

C:\Windows\backup.exe
C:\Windows\backup.exe C:\Windows\
4⤵
- Modifies visibility of file extensions in Explorer
PID:1792

C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
2⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1176

C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1356

C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
2⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1348

C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
2⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:560

C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
2⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1496

C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
2⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1616

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\update.exe

Filesize
72KB

MD5
ca7f82e9dfdb82cf87e388ffe3ac6354

SHA1
a459f5fcaf9a8f0d0b4b39669d0be932fe248516

SHA256
45cab266ed1c0e1f56cda18bdf8faa86b7be9ae040505066efd3d9a7d31208a4

SHA512
fa6d9b4b93659d720e81b107ea6b944edc9824fd886550d6dea3233ff525816e7fb63bd7dfef207fd3c11146f91e32932bb251ddcb570735087823cb2f376c44

Download Submit
C:\PerfLogs\Admin\update.exe

Filesize
72KB

MD5
ca7f82e9dfdb82cf87e388ffe3ac6354

SHA1
a459f5fcaf9a8f0d0b4b39669d0be932fe248516

SHA256
45cab266ed1c0e1f56cda18bdf8faa86b7be9ae040505066efd3d9a7d31208a4

SHA512
fa6d9b4b93659d720e81b107ea6b944edc9824fd886550d6dea3233ff525816e7fb63bd7dfef207fd3c11146f91e32932bb251ddcb570735087823cb2f376c44

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
5950401b916376d4e656ededbbe1904c

SHA1
43b9904224f8ddf5de2e956dfbc4059e229efb01

SHA256
ced16708c2ee04ed8fdd5cee64bc4628c24fe83fe5a0d81011a4a724c333a54b

SHA512
36fb38f7835e26dd2bbf4fec7ad005c4d8ffa1db53e58d3c802ea8a304572d9beae48ada41f9506b56b610285136b51292277f53d7a98cdeb391b5f85449c490

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
5950401b916376d4e656ededbbe1904c

SHA1
43b9904224f8ddf5de2e956dfbc4059e229efb01

SHA256
ced16708c2ee04ed8fdd5cee64bc4628c24fe83fe5a0d81011a4a724c333a54b

SHA512
36fb38f7835e26dd2bbf4fec7ad005c4d8ffa1db53e58d3c802ea8a304572d9beae48ada41f9506b56b610285136b51292277f53d7a98cdeb391b5f85449c490

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
d5162f1c27ead86e6f43490f1dd2a167

SHA1
396d12799c68077e65b7c74cbe45efdb6bef2faa

SHA256
8fb717fc90c61f25169586a17f904a04e542788820a2adb470632d56f993b6d8

SHA512
7cfcdbb677938cd33d108676bd189dcb50b80e4494670d48cefb1bb5ff01e9b57ddce9922e20edc69f3a9240dbf5f9b88fe12e6aaaf19c0ff778c624344da757

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
2b3b4426480700b7f024fa1f498c3e28

SHA1
749d72f1aeabcfcee2c776c4bb1c15e9b71236e5

SHA256
65dac8b621998430e802b98a3862dcf193e5236599fc71ecc9b498085e44c23c

SHA512
eb9e89c2079e00fd730450371c7816bfcd3a2b0e3c2f699f1fc745dcbb03304f7ec6d063f51d80948ff67e9d1c7da248918130791c04ad2a5f6286de33e5d719

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
2b3b4426480700b7f024fa1f498c3e28

SHA1
749d72f1aeabcfcee2c776c4bb1c15e9b71236e5

SHA256
65dac8b621998430e802b98a3862dcf193e5236599fc71ecc9b498085e44c23c

SHA512
eb9e89c2079e00fd730450371c7816bfcd3a2b0e3c2f699f1fc745dcbb03304f7ec6d063f51d80948ff67e9d1c7da248918130791c04ad2a5f6286de33e5d719

Download Submit
C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
564b61d7929093e22fa4466acf261def

SHA1
274643d561fe112085e7562c9b87ab6122b35194

SHA256
1688378bf7bad69bdbb9606ca53ffba56da9e6bf04dbb5fd2b5afec1c7abafa4

SHA512
8dc208f8f8d8f9eda7a0b21c3d1e616c796ac1bf6e35a89d71d64acc8b97d456566bec619a5e80c6ace698808412b691e956361631e915cc6f616b0980c5c772

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
53ba2f2d9ae63fb3c18200c9bff4c35e

SHA1
554ddab2a40680063141d88973dcb4b75ae5ab6f

SHA256
df0a0e8cbd18b1f10642b3447d1a0687fe03a171ded4e72b253397a9b7c4c4b1

SHA512
295183ec48189184b29fbe2072eeee42ba04d5dece657b303412b659134f8250e0e9ddde6e853a3e84c670d90a2df0ec3b7cef0825a7def9b0a695c132d89df3

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
53ba2f2d9ae63fb3c18200c9bff4c35e

SHA1
554ddab2a40680063141d88973dcb4b75ae5ab6f

SHA256
df0a0e8cbd18b1f10642b3447d1a0687fe03a171ded4e72b253397a9b7c4c4b1

SHA512
295183ec48189184b29fbe2072eeee42ba04d5dece657b303412b659134f8250e0e9ddde6e853a3e84c670d90a2df0ec3b7cef0825a7def9b0a695c132d89df3

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\System Restore.exe

Filesize
72KB

MD5
008eb0cca2ed6371c0c19a81b58329c9

SHA1
f87a90ec3e2185b7ab1124187c6b1c1a8fa204b7

SHA256
c072f1931c7c6cce0cf9c5b6f93795edd552ccb2f6d1d00d79b19e2355dbc6eb

SHA512
70e3baa4acd474db16ea111f0dca31e325711942b8635eebdc736588c8a57d415afddd55dd0afd3365f3a6e9119eb631502ebb72ff79496d0c3410ed20ff08ef

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
564b61d7929093e22fa4466acf261def

SHA1
274643d561fe112085e7562c9b87ab6122b35194

SHA256
1688378bf7bad69bdbb9606ca53ffba56da9e6bf04dbb5fd2b5afec1c7abafa4

SHA512
8dc208f8f8d8f9eda7a0b21c3d1e616c796ac1bf6e35a89d71d64acc8b97d456566bec619a5e80c6ace698808412b691e956361631e915cc6f616b0980c5c772

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
564b61d7929093e22fa4466acf261def

SHA1
274643d561fe112085e7562c9b87ab6122b35194

SHA256
1688378bf7bad69bdbb9606ca53ffba56da9e6bf04dbb5fd2b5afec1c7abafa4

SHA512
8dc208f8f8d8f9eda7a0b21c3d1e616c796ac1bf6e35a89d71d64acc8b97d456566bec619a5e80c6ace698808412b691e956361631e915cc6f616b0980c5c772

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
ed2641ef40c9365c7b957fdc93701005

SHA1
0b9c9d87637fff76a049088293bef441fc03cb39

SHA256
c5397d5b2f0a3535534ef5d13c62e55befc8805983e7c88cc11fa44c5a6f7028

SHA512
95be9b99fc32e4e3a0a46073ffa5ffbfbaf494b94bab951c375b6baf83ca769d19b4d20243f108863a6f88d9f3cfebdf4257b998d0e38fd293462b80879ef1b3

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
ed2641ef40c9365c7b957fdc93701005

SHA1
0b9c9d87637fff76a049088293bef441fc03cb39

SHA256
c5397d5b2f0a3535534ef5d13c62e55befc8805983e7c88cc11fa44c5a6f7028

SHA512
95be9b99fc32e4e3a0a46073ffa5ffbfbaf494b94bab951c375b6baf83ca769d19b4d20243f108863a6f88d9f3cfebdf4257b998d0e38fd293462b80879ef1b3

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
016c58bf1b683ba3f08f79c2ac13259e

SHA1
924698382910f68b943f5e27ebb08d9e122af065

SHA256
72311375099610428d80924b571c4c723099d38615574d32ea3393c8bb8e79a0

SHA512
30c0e33eccc38667371527aa7b5e1d9cf62544389fe543520f8e516dd9cd25ed1b86e743ed65a28d93d30b8d2afce10679f9839713952058298200adc5317686

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
016c58bf1b683ba3f08f79c2ac13259e

SHA1
924698382910f68b943f5e27ebb08d9e122af065

SHA256
72311375099610428d80924b571c4c723099d38615574d32ea3393c8bb8e79a0

SHA512
30c0e33eccc38667371527aa7b5e1d9cf62544389fe543520f8e516dd9cd25ed1b86e743ed65a28d93d30b8d2afce10679f9839713952058298200adc5317686

Download Submit
C:\Users\Admin\AppData\Local\Temp\2280752441\backup.exe

Filesize
72KB

MD5
ce92ab0bdb25358b0267d4d7f19cf6f7

SHA1
8fe35533b1c255ce541e96397cbf07c02f1dbdaf

SHA256
089306bf43a05dc2407671a0333e6968aafa377d313586ac802746ad0275104d

SHA512
e61f91b32474dd7610b1606762c8745538ac0acaa84bbcbb12db80bcbb0ee568b07f7d26784d1dfbc736290917469485be75d60217233effc9851731c40870a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\2280752441\backup.exe

Filesize
72KB

MD5
ce92ab0bdb25358b0267d4d7f19cf6f7

SHA1
8fe35533b1c255ce541e96397cbf07c02f1dbdaf

SHA256
089306bf43a05dc2407671a0333e6968aafa377d313586ac802746ad0275104d

SHA512
e61f91b32474dd7610b1606762c8745538ac0acaa84bbcbb12db80bcbb0ee568b07f7d26784d1dfbc736290917469485be75d60217233effc9851731c40870a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
bc5a023bb83d95ea53e686f95466b53e

SHA1
6553c0beaac81f239e3952e65a50d7c07d1aa63a

SHA256
f1ba27e713955de5ee30168e51cc10a06fcd5c54f6d25c79bdddfab0211e88d7

SHA512
6d956c3e9d9bc227d576620e74dc59be8e6ca03a25ec00405b861c3dbb1a747b0e64f1edf966557ffa655598b7349372bf39790d16931218a614cbb04403b7de

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
bc5a023bb83d95ea53e686f95466b53e

SHA1
6553c0beaac81f239e3952e65a50d7c07d1aa63a

SHA256
f1ba27e713955de5ee30168e51cc10a06fcd5c54f6d25c79bdddfab0211e88d7

SHA512
6d956c3e9d9bc227d576620e74dc59be8e6ca03a25ec00405b861c3dbb1a747b0e64f1edf966557ffa655598b7349372bf39790d16931218a614cbb04403b7de

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
bc5a023bb83d95ea53e686f95466b53e

SHA1
6553c0beaac81f239e3952e65a50d7c07d1aa63a

SHA256
f1ba27e713955de5ee30168e51cc10a06fcd5c54f6d25c79bdddfab0211e88d7

SHA512
6d956c3e9d9bc227d576620e74dc59be8e6ca03a25ec00405b861c3dbb1a747b0e64f1edf966557ffa655598b7349372bf39790d16931218a614cbb04403b7de

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
bc5a023bb83d95ea53e686f95466b53e

SHA1
6553c0beaac81f239e3952e65a50d7c07d1aa63a

SHA256
f1ba27e713955de5ee30168e51cc10a06fcd5c54f6d25c79bdddfab0211e88d7

SHA512
6d956c3e9d9bc227d576620e74dc59be8e6ca03a25ec00405b861c3dbb1a747b0e64f1edf966557ffa655598b7349372bf39790d16931218a614cbb04403b7de

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
bc5a023bb83d95ea53e686f95466b53e

SHA1
6553c0beaac81f239e3952e65a50d7c07d1aa63a

SHA256
f1ba27e713955de5ee30168e51cc10a06fcd5c54f6d25c79bdddfab0211e88d7

SHA512
6d956c3e9d9bc227d576620e74dc59be8e6ca03a25ec00405b861c3dbb1a747b0e64f1edf966557ffa655598b7349372bf39790d16931218a614cbb04403b7de

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
bc5a023bb83d95ea53e686f95466b53e

SHA1
6553c0beaac81f239e3952e65a50d7c07d1aa63a

SHA256
f1ba27e713955de5ee30168e51cc10a06fcd5c54f6d25c79bdddfab0211e88d7

SHA512
6d956c3e9d9bc227d576620e74dc59be8e6ca03a25ec00405b861c3dbb1a747b0e64f1edf966557ffa655598b7349372bf39790d16931218a614cbb04403b7de

Download Submit
C:\backup.exe

Filesize
72KB

MD5
e7cbea11594a853870af15886411bc00

SHA1
e5ff7461df1926c7af5ea567ad5491f2bf27f52a

SHA256
6002ef4bb13c441317481b7dcaf4009f81e69b49e946c626168aeb3d53aa2b88

SHA512
7f4a455996c2d42cb75572b3586992e7fc29ba4cb560137ce48dedcbad01def96b2a55eef05cbae328c075a5e91fb23322a4c8b49f00749074af473ec7fa1e66

Download Submit
C:\backup.exe

Filesize
72KB

MD5
e7cbea11594a853870af15886411bc00

SHA1
e5ff7461df1926c7af5ea567ad5491f2bf27f52a

SHA256
6002ef4bb13c441317481b7dcaf4009f81e69b49e946c626168aeb3d53aa2b88

SHA512
7f4a455996c2d42cb75572b3586992e7fc29ba4cb560137ce48dedcbad01def96b2a55eef05cbae328c075a5e91fb23322a4c8b49f00749074af473ec7fa1e66

Download Submit
\PerfLogs\Admin\update.exe

Filesize
72KB

MD5
ca7f82e9dfdb82cf87e388ffe3ac6354

SHA1
a459f5fcaf9a8f0d0b4b39669d0be932fe248516

SHA256
45cab266ed1c0e1f56cda18bdf8faa86b7be9ae040505066efd3d9a7d31208a4

SHA512
fa6d9b4b93659d720e81b107ea6b944edc9824fd886550d6dea3233ff525816e7fb63bd7dfef207fd3c11146f91e32932bb251ddcb570735087823cb2f376c44

Download Submit
\PerfLogs\Admin\update.exe

Filesize
72KB

MD5
ca7f82e9dfdb82cf87e388ffe3ac6354

SHA1
a459f5fcaf9a8f0d0b4b39669d0be932fe248516

SHA256
45cab266ed1c0e1f56cda18bdf8faa86b7be9ae040505066efd3d9a7d31208a4

SHA512
fa6d9b4b93659d720e81b107ea6b944edc9824fd886550d6dea3233ff525816e7fb63bd7dfef207fd3c11146f91e32932bb251ddcb570735087823cb2f376c44

Download Submit
\PerfLogs\Admin\update.exe

Filesize
72KB

MD5
ca7f82e9dfdb82cf87e388ffe3ac6354

SHA1
a459f5fcaf9a8f0d0b4b39669d0be932fe248516

SHA256
45cab266ed1c0e1f56cda18bdf8faa86b7be9ae040505066efd3d9a7d31208a4

SHA512
fa6d9b4b93659d720e81b107ea6b944edc9824fd886550d6dea3233ff525816e7fb63bd7dfef207fd3c11146f91e32932bb251ddcb570735087823cb2f376c44

Download Submit
\PerfLogs\Admin\update.exe

Filesize
72KB

MD5
ca7f82e9dfdb82cf87e388ffe3ac6354

SHA1
a459f5fcaf9a8f0d0b4b39669d0be932fe248516

SHA256
45cab266ed1c0e1f56cda18bdf8faa86b7be9ae040505066efd3d9a7d31208a4

SHA512
fa6d9b4b93659d720e81b107ea6b944edc9824fd886550d6dea3233ff525816e7fb63bd7dfef207fd3c11146f91e32932bb251ddcb570735087823cb2f376c44

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
5950401b916376d4e656ededbbe1904c

SHA1
43b9904224f8ddf5de2e956dfbc4059e229efb01

SHA256
ced16708c2ee04ed8fdd5cee64bc4628c24fe83fe5a0d81011a4a724c333a54b

SHA512
36fb38f7835e26dd2bbf4fec7ad005c4d8ffa1db53e58d3c802ea8a304572d9beae48ada41f9506b56b610285136b51292277f53d7a98cdeb391b5f85449c490

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
5950401b916376d4e656ededbbe1904c

SHA1
43b9904224f8ddf5de2e956dfbc4059e229efb01

SHA256
ced16708c2ee04ed8fdd5cee64bc4628c24fe83fe5a0d81011a4a724c333a54b

SHA512
36fb38f7835e26dd2bbf4fec7ad005c4d8ffa1db53e58d3c802ea8a304572d9beae48ada41f9506b56b610285136b51292277f53d7a98cdeb391b5f85449c490

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
d5162f1c27ead86e6f43490f1dd2a167

SHA1
396d12799c68077e65b7c74cbe45efdb6bef2faa

SHA256
8fb717fc90c61f25169586a17f904a04e542788820a2adb470632d56f993b6d8

SHA512
7cfcdbb677938cd33d108676bd189dcb50b80e4494670d48cefb1bb5ff01e9b57ddce9922e20edc69f3a9240dbf5f9b88fe12e6aaaf19c0ff778c624344da757

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
d5162f1c27ead86e6f43490f1dd2a167

SHA1
396d12799c68077e65b7c74cbe45efdb6bef2faa

SHA256
8fb717fc90c61f25169586a17f904a04e542788820a2adb470632d56f993b6d8

SHA512
7cfcdbb677938cd33d108676bd189dcb50b80e4494670d48cefb1bb5ff01e9b57ddce9922e20edc69f3a9240dbf5f9b88fe12e6aaaf19c0ff778c624344da757

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
2b3b4426480700b7f024fa1f498c3e28

SHA1
749d72f1aeabcfcee2c776c4bb1c15e9b71236e5

SHA256
65dac8b621998430e802b98a3862dcf193e5236599fc71ecc9b498085e44c23c

SHA512
eb9e89c2079e00fd730450371c7816bfcd3a2b0e3c2f699f1fc745dcbb03304f7ec6d063f51d80948ff67e9d1c7da248918130791c04ad2a5f6286de33e5d719

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
2b3b4426480700b7f024fa1f498c3e28

SHA1
749d72f1aeabcfcee2c776c4bb1c15e9b71236e5

SHA256
65dac8b621998430e802b98a3862dcf193e5236599fc71ecc9b498085e44c23c

SHA512
eb9e89c2079e00fd730450371c7816bfcd3a2b0e3c2f699f1fc745dcbb03304f7ec6d063f51d80948ff67e9d1c7da248918130791c04ad2a5f6286de33e5d719

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
564b61d7929093e22fa4466acf261def

SHA1
274643d561fe112085e7562c9b87ab6122b35194

SHA256
1688378bf7bad69bdbb9606ca53ffba56da9e6bf04dbb5fd2b5afec1c7abafa4

SHA512
8dc208f8f8d8f9eda7a0b21c3d1e616c796ac1bf6e35a89d71d64acc8b97d456566bec619a5e80c6ace698808412b691e956361631e915cc6f616b0980c5c772

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
564b61d7929093e22fa4466acf261def

SHA1
274643d561fe112085e7562c9b87ab6122b35194

SHA256
1688378bf7bad69bdbb9606ca53ffba56da9e6bf04dbb5fd2b5afec1c7abafa4

SHA512
8dc208f8f8d8f9eda7a0b21c3d1e616c796ac1bf6e35a89d71d64acc8b97d456566bec619a5e80c6ace698808412b691e956361631e915cc6f616b0980c5c772

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
53ba2f2d9ae63fb3c18200c9bff4c35e

SHA1
554ddab2a40680063141d88973dcb4b75ae5ab6f

SHA256
df0a0e8cbd18b1f10642b3447d1a0687fe03a171ded4e72b253397a9b7c4c4b1

SHA512
295183ec48189184b29fbe2072eeee42ba04d5dece657b303412b659134f8250e0e9ddde6e853a3e84c670d90a2df0ec3b7cef0825a7def9b0a695c132d89df3

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
53ba2f2d9ae63fb3c18200c9bff4c35e

SHA1
554ddab2a40680063141d88973dcb4b75ae5ab6f

SHA256
df0a0e8cbd18b1f10642b3447d1a0687fe03a171ded4e72b253397a9b7c4c4b1

SHA512
295183ec48189184b29fbe2072eeee42ba04d5dece657b303412b659134f8250e0e9ddde6e853a3e84c670d90a2df0ec3b7cef0825a7def9b0a695c132d89df3

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\System Restore.exe

Filesize
72KB

MD5
008eb0cca2ed6371c0c19a81b58329c9

SHA1
f87a90ec3e2185b7ab1124187c6b1c1a8fa204b7

SHA256
c072f1931c7c6cce0cf9c5b6f93795edd552ccb2f6d1d00d79b19e2355dbc6eb

SHA512
70e3baa4acd474db16ea111f0dca31e325711942b8635eebdc736588c8a57d415afddd55dd0afd3365f3a6e9119eb631502ebb72ff79496d0c3410ed20ff08ef

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\System Restore.exe

Filesize
72KB

MD5
008eb0cca2ed6371c0c19a81b58329c9

SHA1
f87a90ec3e2185b7ab1124187c6b1c1a8fa204b7

SHA256
c072f1931c7c6cce0cf9c5b6f93795edd552ccb2f6d1d00d79b19e2355dbc6eb

SHA512
70e3baa4acd474db16ea111f0dca31e325711942b8635eebdc736588c8a57d415afddd55dd0afd3365f3a6e9119eb631502ebb72ff79496d0c3410ed20ff08ef

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
564b61d7929093e22fa4466acf261def

SHA1
274643d561fe112085e7562c9b87ab6122b35194

SHA256
1688378bf7bad69bdbb9606ca53ffba56da9e6bf04dbb5fd2b5afec1c7abafa4

SHA512
8dc208f8f8d8f9eda7a0b21c3d1e616c796ac1bf6e35a89d71d64acc8b97d456566bec619a5e80c6ace698808412b691e956361631e915cc6f616b0980c5c772

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
564b61d7929093e22fa4466acf261def

SHA1
274643d561fe112085e7562c9b87ab6122b35194

SHA256
1688378bf7bad69bdbb9606ca53ffba56da9e6bf04dbb5fd2b5afec1c7abafa4

SHA512
8dc208f8f8d8f9eda7a0b21c3d1e616c796ac1bf6e35a89d71d64acc8b97d456566bec619a5e80c6ace698808412b691e956361631e915cc6f616b0980c5c772

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
bbca679efb3be787baafed5c556c2109

SHA1
485f657a1b5f0436a3badbc5834f4a657d45e1fb

SHA256
0649cf1eb06d9aabfb6842828d28166c025906e6bfcbcd8e173bf3b1f4b0f229

SHA512
889c420aae5da25df5b1103bc981651e0acf43f1e29a2bc33da19b8e69dae243ac457031db9f25a65015461f7f2f7f154c537be622d963b4bd981a34019f1240

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
ed2641ef40c9365c7b957fdc93701005

SHA1
0b9c9d87637fff76a049088293bef441fc03cb39

SHA256
c5397d5b2f0a3535534ef5d13c62e55befc8805983e7c88cc11fa44c5a6f7028

SHA512
95be9b99fc32e4e3a0a46073ffa5ffbfbaf494b94bab951c375b6baf83ca769d19b4d20243f108863a6f88d9f3cfebdf4257b998d0e38fd293462b80879ef1b3

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
ed2641ef40c9365c7b957fdc93701005

SHA1
0b9c9d87637fff76a049088293bef441fc03cb39

SHA256
c5397d5b2f0a3535534ef5d13c62e55befc8805983e7c88cc11fa44c5a6f7028

SHA512
95be9b99fc32e4e3a0a46073ffa5ffbfbaf494b94bab951c375b6baf83ca769d19b4d20243f108863a6f88d9f3cfebdf4257b998d0e38fd293462b80879ef1b3

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
016c58bf1b683ba3f08f79c2ac13259e

SHA1
924698382910f68b943f5e27ebb08d9e122af065

SHA256
72311375099610428d80924b571c4c723099d38615574d32ea3393c8bb8e79a0

SHA512
30c0e33eccc38667371527aa7b5e1d9cf62544389fe543520f8e516dd9cd25ed1b86e743ed65a28d93d30b8d2afce10679f9839713952058298200adc5317686

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
016c58bf1b683ba3f08f79c2ac13259e

SHA1
924698382910f68b943f5e27ebb08d9e122af065

SHA256
72311375099610428d80924b571c4c723099d38615574d32ea3393c8bb8e79a0

SHA512
30c0e33eccc38667371527aa7b5e1d9cf62544389fe543520f8e516dd9cd25ed1b86e743ed65a28d93d30b8d2afce10679f9839713952058298200adc5317686

Download Submit
\Users\Admin\AppData\Local\Temp\2280752441\backup.exe

Filesize
72KB

MD5
ce92ab0bdb25358b0267d4d7f19cf6f7

SHA1
8fe35533b1c255ce541e96397cbf07c02f1dbdaf

SHA256
089306bf43a05dc2407671a0333e6968aafa377d313586ac802746ad0275104d

SHA512
e61f91b32474dd7610b1606762c8745538ac0acaa84bbcbb12db80bcbb0ee568b07f7d26784d1dfbc736290917469485be75d60217233effc9851731c40870a0

Download Submit
\Users\Admin\AppData\Local\Temp\2280752441\backup.exe

Filesize
72KB

MD5
ce92ab0bdb25358b0267d4d7f19cf6f7

SHA1
8fe35533b1c255ce541e96397cbf07c02f1dbdaf

SHA256
089306bf43a05dc2407671a0333e6968aafa377d313586ac802746ad0275104d

SHA512
e61f91b32474dd7610b1606762c8745538ac0acaa84bbcbb12db80bcbb0ee568b07f7d26784d1dfbc736290917469485be75d60217233effc9851731c40870a0

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
bc5a023bb83d95ea53e686f95466b53e

SHA1
6553c0beaac81f239e3952e65a50d7c07d1aa63a

SHA256
f1ba27e713955de5ee30168e51cc10a06fcd5c54f6d25c79bdddfab0211e88d7

SHA512
6d956c3e9d9bc227d576620e74dc59be8e6ca03a25ec00405b861c3dbb1a747b0e64f1edf966557ffa655598b7349372bf39790d16931218a614cbb04403b7de

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
bc5a023bb83d95ea53e686f95466b53e

SHA1
6553c0beaac81f239e3952e65a50d7c07d1aa63a

SHA256
f1ba27e713955de5ee30168e51cc10a06fcd5c54f6d25c79bdddfab0211e88d7

SHA512
6d956c3e9d9bc227d576620e74dc59be8e6ca03a25ec00405b861c3dbb1a747b0e64f1edf966557ffa655598b7349372bf39790d16931218a614cbb04403b7de

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
bc5a023bb83d95ea53e686f95466b53e

SHA1
6553c0beaac81f239e3952e65a50d7c07d1aa63a

SHA256
f1ba27e713955de5ee30168e51cc10a06fcd5c54f6d25c79bdddfab0211e88d7

SHA512
6d956c3e9d9bc227d576620e74dc59be8e6ca03a25ec00405b861c3dbb1a747b0e64f1edf966557ffa655598b7349372bf39790d16931218a614cbb04403b7de

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
bc5a023bb83d95ea53e686f95466b53e

SHA1
6553c0beaac81f239e3952e65a50d7c07d1aa63a

SHA256
f1ba27e713955de5ee30168e51cc10a06fcd5c54f6d25c79bdddfab0211e88d7

SHA512
6d956c3e9d9bc227d576620e74dc59be8e6ca03a25ec00405b861c3dbb1a747b0e64f1edf966557ffa655598b7349372bf39790d16931218a614cbb04403b7de

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
bc5a023bb83d95ea53e686f95466b53e

SHA1
6553c0beaac81f239e3952e65a50d7c07d1aa63a

SHA256
f1ba27e713955de5ee30168e51cc10a06fcd5c54f6d25c79bdddfab0211e88d7

SHA512
6d956c3e9d9bc227d576620e74dc59be8e6ca03a25ec00405b861c3dbb1a747b0e64f1edf966557ffa655598b7349372bf39790d16931218a614cbb04403b7de

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
bc5a023bb83d95ea53e686f95466b53e

SHA1
6553c0beaac81f239e3952e65a50d7c07d1aa63a

SHA256
f1ba27e713955de5ee30168e51cc10a06fcd5c54f6d25c79bdddfab0211e88d7

SHA512
6d956c3e9d9bc227d576620e74dc59be8e6ca03a25ec00405b861c3dbb1a747b0e64f1edf966557ffa655598b7349372bf39790d16931218a614cbb04403b7de

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
bc5a023bb83d95ea53e686f95466b53e

SHA1
6553c0beaac81f239e3952e65a50d7c07d1aa63a

SHA256
f1ba27e713955de5ee30168e51cc10a06fcd5c54f6d25c79bdddfab0211e88d7

SHA512
6d956c3e9d9bc227d576620e74dc59be8e6ca03a25ec00405b861c3dbb1a747b0e64f1edf966557ffa655598b7349372bf39790d16931218a614cbb04403b7de

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
bc5a023bb83d95ea53e686f95466b53e

SHA1
6553c0beaac81f239e3952e65a50d7c07d1aa63a

SHA256
f1ba27e713955de5ee30168e51cc10a06fcd5c54f6d25c79bdddfab0211e88d7

SHA512
6d956c3e9d9bc227d576620e74dc59be8e6ca03a25ec00405b861c3dbb1a747b0e64f1edf966557ffa655598b7349372bf39790d16931218a614cbb04403b7de

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
bc5a023bb83d95ea53e686f95466b53e

SHA1
6553c0beaac81f239e3952e65a50d7c07d1aa63a

SHA256
f1ba27e713955de5ee30168e51cc10a06fcd5c54f6d25c79bdddfab0211e88d7

SHA512
6d956c3e9d9bc227d576620e74dc59be8e6ca03a25ec00405b861c3dbb1a747b0e64f1edf966557ffa655598b7349372bf39790d16931218a614cbb04403b7de

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
bc5a023bb83d95ea53e686f95466b53e

SHA1
6553c0beaac81f239e3952e65a50d7c07d1aa63a

SHA256
f1ba27e713955de5ee30168e51cc10a06fcd5c54f6d25c79bdddfab0211e88d7

SHA512
6d956c3e9d9bc227d576620e74dc59be8e6ca03a25ec00405b861c3dbb1a747b0e64f1edf966557ffa655598b7349372bf39790d16931218a614cbb04403b7de

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
bc5a023bb83d95ea53e686f95466b53e

SHA1
6553c0beaac81f239e3952e65a50d7c07d1aa63a

SHA256
f1ba27e713955de5ee30168e51cc10a06fcd5c54f6d25c79bdddfab0211e88d7

SHA512
6d956c3e9d9bc227d576620e74dc59be8e6ca03a25ec00405b861c3dbb1a747b0e64f1edf966557ffa655598b7349372bf39790d16931218a614cbb04403b7de

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
bc5a023bb83d95ea53e686f95466b53e

SHA1
6553c0beaac81f239e3952e65a50d7c07d1aa63a

SHA256
f1ba27e713955de5ee30168e51cc10a06fcd5c54f6d25c79bdddfab0211e88d7

SHA512
6d956c3e9d9bc227d576620e74dc59be8e6ca03a25ec00405b861c3dbb1a747b0e64f1edf966557ffa655598b7349372bf39790d16931218a614cbb04403b7de

Download Submit
memory/112-209-0x0000000000000000-mapping.dmp

Download
memory/292-191-0x0000000000000000-mapping.dmp

Download
memory/320-265-0x0000000000000000-mapping.dmp

Download
memory/340-224-0x0000000000000000-mapping.dmp

Download
memory/364-100-0x0000000000000000-mapping.dmp

Download
memory/436-236-0x0000000000000000-mapping.dmp

Download
memory/436-133-0x0000000000000000-mapping.dmp

Download
memory/472-254-0x0000000000000000-mapping.dmp

Download
memory/524-263-0x0000000000000000-mapping.dmp

Download
memory/524-176-0x0000000000000000-mapping.dmp

Download
memory/556-215-0x0000000000000000-mapping.dmp

Download
memory/556-299-0x0000000000000000-mapping.dmp

Download
memory/560-82-0x0000000000000000-mapping.dmp

Download
memory/612-284-0x0000000000000000-mapping.dmp

Download
memory/640-122-0x0000000000000000-mapping.dmp

Download
memory/700-58-0x0000000000000000-mapping.dmp

Download
memory/708-182-0x0000000000000000-mapping.dmp

Download
memory/776-171-0x0000000000000000-mapping.dmp

Download
memory/848-114-0x0000000000000000-mapping.dmp

Download
memory/908-279-0x0000000000000000-mapping.dmp

Download
memory/956-239-0x0000000000000000-mapping.dmp

Download
memory/1012-266-0x0000000000000000-mapping.dmp

Download
memory/1052-194-0x0000000000000000-mapping.dmp

Download
memory/1092-179-0x0000000000000000-mapping.dmp

Download
memory/1136-124-0x0000000000000000-mapping.dmp

Download
memory/1160-260-0x0000000000000000-mapping.dmp

Download
memory/1164-206-0x0000000000000000-mapping.dmp

Download
memory/1176-64-0x0000000000000000-mapping.dmp

Download
memory/1180-257-0x0000000000000000-mapping.dmp

Download
memory/1244-158-0x0000000000000000-mapping.dmp

Download
memory/1348-76-0x0000000000000000-mapping.dmp

Download
memory/1356-70-0x0000000000000000-mapping.dmp

Download
memory/1444-188-0x0000000000000000-mapping.dmp

Download
memory/1452-291-0x0000000000000000-mapping.dmp

Download
memory/1484-245-0x0000000000000000-mapping.dmp

Download
memory/1496-88-0x0000000000000000-mapping.dmp

Download
memory/1532-197-0x0000000000000000-mapping.dmp

Download
memory/1540-290-0x0000000000000000-mapping.dmp

Download
memory/1548-278-0x0000000000000000-mapping.dmp

Download
memory/1556-107-0x0000000000000000-mapping.dmp

Download
memory/1572-301-0x0000000000000000-mapping.dmp

Download
memory/1572-218-0x0000000000000000-mapping.dmp

Download
memory/1608-248-0x0000000000000000-mapping.dmp

Download
memory/1616-200-0x0000000000000000-mapping.dmp

Download
memory/1616-94-0x0000000000000000-mapping.dmp

Download
memory/1620-280-0x0000000000000000-mapping.dmp

Download
memory/1648-203-0x0000000000000000-mapping.dmp

Download
memory/1704-164-0x0000000000000000-mapping.dmp

Download
memory/1752-304-0x0000000000000000-mapping.dmp

Download
memory/1760-242-0x0000000000000000-mapping.dmp

Download
memory/1776-251-0x0000000000000000-mapping.dmp

Download
memory/1804-212-0x0000000000000000-mapping.dmp

Download
memory/1820-272-0x0000000000000000-mapping.dmp

Download
memory/1860-144-0x0000000000000000-mapping.dmp

Download
memory/1944-227-0x0000000000000000-mapping.dmp

Download
memory/1972-230-0x0000000000000000-mapping.dmp

Download
memory/1992-273-0x0000000000000000-mapping.dmp

Download
memory/1996-221-0x0000000000000000-mapping.dmp

Download
memory/1996-303-0x0000000000000000-mapping.dmp

Download
memory/2004-300-0x0000000000000000-mapping.dmp

Download
memory/2012-233-0x0000000000000000-mapping.dmp

Download
memory/2028-151-0x0000000000000000-mapping.dmp

Download
memory/2032-292-0x0000000000000000-mapping.dmp

Download
memory/2040-98-0x0000000076381000-0x0000000076383000-memory.dmp

Filesize
8KB

Download
memory/2044-185-0x0000000000000000-mapping.dmp

Download