Analysis

  • max time kernel
    206s
  • max time network
    31s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
  • submitted
    02/12/2022, 19:36

General

  • Target

    bdaa3c73726c99a19a31848a2af3aa01c2756e2c51ada277a4add8daa167e9cd.exe

  • Size

    72KB

  • MD5

    9c505202eb99119296afbb600e9274d6

  • SHA1

    1fe1f186aa636a4872bf737af82703ef1e16293e

  • SHA256

    bdaa3c73726c99a19a31848a2af3aa01c2756e2c51ada277a4add8daa167e9cd

  • SHA512

    54e0d0c96aa42213c5e0b08f920eeba67cacdbb1f4bbfb9da982abb9c7a68f4d48b1a5b319a8dcc727a36e5cd567c0ea2e866c4e022b2bc837293e07c9ffa206

  • SSDEEP

    384:N6wayA+1mwnA353BXR+oGfPmfm4MlcTGXdhjwroyY2rebV5O6KgxWb/83BXR+oG2:NpQNwC3BESe4Vqth+0V5vKlE3BEJwRrT

Score
10/10

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 52 IoCs
  • Executes dropped EXE 59 IoCs
  • Loads dropped DLL 64 IoCs
  • Drops file in Program Files directory 55 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 59 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bdaa3c73726c99a19a31848a2af3aa01c2756e2c51ada277a4add8daa167e9cd.exe
    "C:\Users\Admin\AppData\Local\Temp\bdaa3c73726c99a19a31848a2af3aa01c2756e2c51ada277a4add8daa167e9cd.exe"
    1⤵
    • Modifies visibility of file extensions in Explorer
    • Loads dropped DLL
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1324
    • C:\Users\Admin\AppData\Local\Temp\2965580551\backup.exe
      C:\Users\Admin\AppData\Local\Temp\2965580551\backup.exe C:\Users\Admin\AppData\Local\Temp\2965580551\
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:564
      • C:\backup.exe
        \backup.exe \
        3⤵
        • Modifies visibility of file extensions in Explorer
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:668
        • C:\PerfLogs\backup.exe
          C:\PerfLogs\backup.exe C:\PerfLogs\
          4⤵
          • Modifies visibility of file extensions in Explorer
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1580
          • C:\PerfLogs\Admin\backup.exe
            C:\PerfLogs\Admin\backup.exe C:\PerfLogs\Admin\
            5⤵
            • Modifies visibility of file extensions in Explorer
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            • System policy modification
            PID:1328
        • C:\Program Files\backup.exe
          "C:\Program Files\backup.exe" C:\Program Files\
          4⤵
          • Modifies visibility of file extensions in Explorer
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in Program Files directory
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:1336
          • C:\Program Files\7-Zip\backup.exe
            "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
            5⤵
            • Modifies visibility of file extensions in Explorer
            • Executes dropped EXE
            • Loads dropped DLL
            • Drops file in Program Files directory
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            • System policy modification
            PID:1228
            • C:\Program Files\7-Zip\Lang\backup.exe
              "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
              6⤵
              • Modifies visibility of file extensions in Explorer
              • Executes dropped EXE
              • Suspicious use of SetWindowsHookEx
              • System policy modification
              PID:1660
          • C:\Program Files\Common Files\backup.exe
            "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
            5⤵
            • Modifies visibility of file extensions in Explorer
            • Executes dropped EXE
            • Loads dropped DLL
            • Drops file in Program Files directory
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            • System policy modification
            PID:1796
            • C:\Program Files\Common Files\Microsoft Shared\backup.exe
              "C:\Program Files\Common Files\Microsoft Shared\backup.exe" C:\Program Files\Common Files\Microsoft Shared\
              6⤵
              • Modifies visibility of file extensions in Explorer
              • Executes dropped EXE
              • Loads dropped DLL
              • Drops file in Program Files directory
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:1552
              • C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
                "C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
                7⤵
                • Modifies visibility of file extensions in Explorer
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                • System policy modification
                PID:1260
              • C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
                "C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
                7⤵
                • Modifies visibility of file extensions in Explorer
                • Executes dropped EXE
                • Loads dropped DLL
                • Drops file in Program Files directory
                • Suspicious use of SetWindowsHookEx
                • System policy modification
                PID:1592
                • C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\data.exe
                  "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
                  8⤵
                  • Modifies visibility of file extensions in Explorer
                  • Executes dropped EXE
                  • Suspicious use of SetWindowsHookEx
                  PID:2028
                • C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
                  "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
                  8⤵
                  • Modifies visibility of file extensions in Explorer
                  • Executes dropped EXE
                  • Suspicious use of SetWindowsHookEx
                  • System policy modification
                  PID:528
                • C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe
                  "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
                  8⤵
                  • Modifies visibility of file extensions in Explorer
                  • Executes dropped EXE
                  • Suspicious use of SetWindowsHookEx
                  • System policy modification
                  PID:332
                • C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\data.exe
                  "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
                  8⤵
                  • Modifies visibility of file extensions in Explorer
                  • Executes dropped EXE
                  • Suspicious use of SetWindowsHookEx
                  • System policy modification
                  PID:1908
                • C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\data.exe
                  "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
                  8⤵
                  • Modifies visibility of file extensions in Explorer
                  • Executes dropped EXE
                  • Suspicious use of SetWindowsHookEx
                  • System policy modification
                  PID:1868
                • C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\update.exe
                  "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
                  8⤵
                  • Modifies visibility of file extensions in Explorer
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Suspicious use of SetWindowsHookEx
                  • System policy modification
                  PID:1788
                • C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe
                  "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
                  8⤵
                  • Modifies visibility of file extensions in Explorer
                  • Executes dropped EXE
                  • Suspicious use of SetWindowsHookEx
                  • System policy modification
                  PID:1396
                • C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe
                  "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
                  8⤵
                  • Modifies visibility of file extensions in Explorer
                  • Executes dropped EXE
                  • Suspicious use of SetWindowsHookEx
                  • System policy modification
                  PID:1780
                • C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe
                  "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
                  8⤵
                  • Modifies visibility of file extensions in Explorer
                  • Executes dropped EXE
                  • Suspicious use of SetWindowsHookEx
                  • System policy modification
                  PID:1172
                • C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe
                  "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\
                  8⤵
                  • Modifies visibility of file extensions in Explorer
                  • Executes dropped EXE
                  • Suspicious use of SetWindowsHookEx
                  • System policy modification
                  PID:1340
                • C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
                  "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\
                  8⤵
                  • Modifies visibility of file extensions in Explorer
                  • Executes dropped EXE
                  • Suspicious use of SetWindowsHookEx
                  • System policy modification
                  PID:836
                • C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe
                  "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\
                  8⤵
                  • Modifies visibility of file extensions in Explorer
                  • Executes dropped EXE
                  • Drops file in Program Files directory
                  • Suspicious use of SetWindowsHookEx
                  PID:1792
                  • C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe
                    "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\
                    9⤵
                    • Modifies visibility of file extensions in Explorer
                    • Executes dropped EXE
                    • Suspicious use of SetWindowsHookEx
                    PID:344
                  • C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe
                    "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\
                    9⤵
                    • Modifies visibility of file extensions in Explorer
                    • Executes dropped EXE
                    • Suspicious use of SetWindowsHookEx
                    • System policy modification
                    PID:1980
                  • C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe
                    "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\
                    9⤵
                      PID:300
                  • C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe
                    "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\
                    8⤵
                    • Executes dropped EXE
                    • Suspicious use of SetWindowsHookEx
                    PID:1968
                  • C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe
                    "C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\
                    8⤵
                    • Executes dropped EXE
                    PID:1540
                • C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe
                  "C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
                  7⤵
                  • Modifies visibility of file extensions in Explorer
                  • Executes dropped EXE
                  • Drops file in Program Files directory
                  • Suspicious use of SetWindowsHookEx
                  PID:1328
                  • C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe
                    "C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\
                    8⤵
                    • Modifies visibility of file extensions in Explorer
                    • Executes dropped EXE
                    • Suspicious use of SetWindowsHookEx
                    • System policy modification
                    PID:432
                  • C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
                    "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\
                    8⤵
                      PID:776
                  • C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe
                    "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
                    7⤵
                    • Modifies visibility of file extensions in Explorer
                    • Executes dropped EXE
                    • Drops file in Program Files directory
                    • Suspicious use of SetWindowsHookEx
                    PID:1100
                    • C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe
                      "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\
                      8⤵
                      • Modifies visibility of file extensions in Explorer
                      • Executes dropped EXE
                      • Suspicious use of SetWindowsHookEx
                      • System policy modification
                      PID:1008
                  • C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe
                    "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
                    7⤵
                    • Modifies visibility of file extensions in Explorer
                    • Executes dropped EXE
                    • Suspicious use of SetWindowsHookEx
                    • System policy modification
                    PID:1996
                  • C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe
                    "C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\
                    7⤵
                    • Modifies visibility of file extensions in Explorer
                    • Executes dropped EXE
                    • Suspicious use of SetWindowsHookEx
                    • System policy modification
                    PID:1384
                  • C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe
                    "C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\
                    7⤵
                      PID:1312
                  • C:\Program Files\Common Files\Services\backup.exe
                    "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
                    6⤵
                    • Modifies visibility of file extensions in Explorer
                    • Executes dropped EXE
                    • Suspicious use of SetWindowsHookEx
                    • System policy modification
                    PID:300
                  • C:\Program Files\Common Files\SpeechEngines\backup.exe
                    "C:\Program Files\Common Files\SpeechEngines\backup.exe" C:\Program Files\Common Files\SpeechEngines\
                    6⤵
                    • Modifies visibility of file extensions in Explorer
                    • Executes dropped EXE
                    • Drops file in Program Files directory
                    • Suspicious use of SetWindowsHookEx
                    • System policy modification
                    PID:956
                    • C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe
                      "C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files\Common Files\SpeechEngines\Microsoft\
                      7⤵
                      • Modifies visibility of file extensions in Explorer
                      • Executes dropped EXE
                      • Drops file in Program Files directory
                      • Suspicious use of SetWindowsHookEx
                      • System policy modification
                      PID:1940
                  • C:\Program Files\Common Files\System\backup.exe
                    "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
                    6⤵
                    • Modifies visibility of file extensions in Explorer
                    • Executes dropped EXE
                    • Drops file in Program Files directory
                    • Suspicious use of SetWindowsHookEx
                    • System policy modification
                    PID:292
                    • C:\Program Files\Common Files\System\ado\backup.exe
                      "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
                      7⤵
                      • Modifies visibility of file extensions in Explorer
                      • Executes dropped EXE
                      • Drops file in Program Files directory
                      • Suspicious use of SetWindowsHookEx
                      • System policy modification
                      PID:1316
                    • C:\Program Files\Common Files\System\de-DE\backup.exe
                      "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
                      7⤵
                        PID:1960
                  • C:\Program Files\DVD Maker\backup.exe
                    "C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\
                    5⤵
                    • Modifies visibility of file extensions in Explorer
                    • Executes dropped EXE
                    • Drops file in Program Files directory
                    • Suspicious use of SetWindowsHookEx
                    • System policy modification
                    PID:1248
                    • C:\Program Files\DVD Maker\de-DE\backup.exe
                      "C:\Program Files\DVD Maker\de-DE\backup.exe" C:\Program Files\DVD Maker\de-DE\
                      6⤵
                      • Modifies visibility of file extensions in Explorer
                      • Executes dropped EXE
                      • Suspicious use of SetWindowsHookEx
                      • System policy modification
                      PID:1808
                    • C:\Program Files\DVD Maker\en-US\backup.exe
                      "C:\Program Files\DVD Maker\en-US\backup.exe" C:\Program Files\DVD Maker\en-US\
                      6⤵
                      • Executes dropped EXE
                      • Suspicious use of SetWindowsHookEx
                      PID:1368
                    • C:\Program Files\DVD Maker\es-ES\backup.exe
                      "C:\Program Files\DVD Maker\es-ES\backup.exe" C:\Program Files\DVD Maker\es-ES\
                      6⤵
                        PID:1580
                    • C:\Program Files\Google\backup.exe
                      "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
                      5⤵
                      • Modifies visibility of file extensions in Explorer
                      • Executes dropped EXE
                      • Drops file in Program Files directory
                      • Suspicious use of SetWindowsHookEx
                      • System policy modification
                      PID:1064
                      • C:\Program Files\Google\Chrome\backup.exe
                        "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
                        6⤵
                        • Executes dropped EXE
                        • Suspicious use of SetWindowsHookEx
                        PID:1908
                    • C:\Program Files\Internet Explorer\backup.exe
                      "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
                      5⤵
                      • Modifies visibility of file extensions in Explorer
                      • Executes dropped EXE
                      • Drops file in Program Files directory
                      • Suspicious use of SetWindowsHookEx
                      • System policy modification
                      PID:1604
                      • C:\Program Files\Internet Explorer\de-DE\backup.exe
                        "C:\Program Files\Internet Explorer\de-DE\backup.exe" C:\Program Files\Internet Explorer\de-DE\
                        6⤵
                        • Executes dropped EXE
                        • Suspicious use of SetWindowsHookEx
                        PID:1760
                      • C:\Program Files\Internet Explorer\en-US\backup.exe
                        "C:\Program Files\Internet Explorer\en-US\backup.exe" C:\Program Files\Internet Explorer\en-US\
                        6⤵
                          PID:952
                      • C:\Program Files\Java\update.exe
                        "C:\Program Files\Java\update.exe" C:\Program Files\Java\
                        5⤵
                        • Executes dropped EXE
                        • Suspicious use of SetWindowsHookEx
                        PID:1832
                      • C:\Program Files\Microsoft Games\backup.exe
                        "C:\Program Files\Microsoft Games\backup.exe" C:\Program Files\Microsoft Games\
                        5⤵
                          PID:332
                      • C:\Program Files (x86)\backup.exe
                        "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
                        4⤵
                        • Modifies visibility of file extensions in Explorer
                        • Executes dropped EXE
                        • Drops file in Program Files directory
                        • Suspicious use of SetWindowsHookEx
                        • System policy modification
                        PID:1092
                        • C:\Program Files (x86)\Adobe\backup.exe
                          "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
                          5⤵
                          • Modifies visibility of file extensions in Explorer
                          • Executes dropped EXE
                          • Drops file in Program Files directory
                          • Suspicious use of SetWindowsHookEx
                          • System policy modification
                          PID:1408
                          • C:\Program Files (x86)\Adobe\Reader 9.0\update.exe
                            "C:\Program Files (x86)\Adobe\Reader 9.0\update.exe" C:\Program Files (x86)\Adobe\Reader 9.0\
                            6⤵
                            • Executes dropped EXE
                            • Suspicious use of SetWindowsHookEx
                            PID:1560
                        • C:\Program Files (x86)\Common Files\backup.exe
                          "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
                          5⤵
                            PID:1572
                        • C:\Users\backup.exe
                          C:\Users\backup.exe C:\Users\
                          4⤵
                          • Modifies visibility of file extensions in Explorer
                          • Executes dropped EXE
                          • Suspicious use of SetWindowsHookEx
                          • System policy modification
                          PID:1624
                          • C:\Users\Admin\update.exe
                            C:\Users\Admin\update.exe C:\Users\Admin\
                            5⤵
                            • Modifies visibility of file extensions in Explorer
                            • Executes dropped EXE
                            • Suspicious use of SetWindowsHookEx
                            • System policy modification
                            PID:520
                            • C:\Users\Admin\Contacts\update.exe
                              C:\Users\Admin\Contacts\update.exe C:\Users\Admin\Contacts\
                              6⤵
                              • Executes dropped EXE
                              • Suspicious use of SetWindowsHookEx
                              PID:1828
                            • C:\Users\Admin\Desktop\backup.exe
                              C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
                              6⤵
                                PID:1780
                          • C:\Windows\backup.exe
                            C:\Windows\backup.exe C:\Windows\
                            4⤵
                            • Modifies visibility of file extensions in Explorer
                            • Executes dropped EXE
                            PID:1732
                            • C:\Windows\addins\backup.exe
                              C:\Windows\addins\backup.exe C:\Windows\addins\
                              5⤵
                              • Modifies visibility of file extensions in Explorer
                              • Suspicious use of SetWindowsHookEx
                              PID:1868
                            • C:\Windows\AppCompat\backup.exe
                              C:\Windows\AppCompat\backup.exe C:\Windows\AppCompat\
                              5⤵
                                PID:1992
                        • C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
                          C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
                          2⤵
                          • Modifies visibility of file extensions in Explorer
                          • Executes dropped EXE
                          • Suspicious use of SetWindowsHookEx
                          • System policy modification
                          PID:432
                        • C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
                          C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
                          2⤵
                          • Executes dropped EXE
                          • Suspicious use of SetWindowsHookEx
                          PID:1168
                        • C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
                          "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
                          2⤵
                          • Modifies visibility of file extensions in Explorer
                          • Executes dropped EXE
                          • Suspicious use of SetWindowsHookEx
                          • System policy modification
                          PID:1788
                        • C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\System Restore.exe
                          "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\System Restore.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
                          2⤵
                          • Modifies visibility of file extensions in Explorer
                          • Executes dropped EXE
                          • Suspicious use of SetWindowsHookEx
                          PID:1384
                        • C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
                          C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
                          2⤵
                          • Modifies visibility of file extensions in Explorer
                          • Executes dropped EXE
                          • Suspicious use of SetWindowsHookEx
                          • System policy modification
                          PID:1932
                        • C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
                          C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
                          2⤵
                          • Modifies visibility of file extensions in Explorer
                          • Executes dropped EXE
                          • Suspicious use of SetWindowsHookEx
                          • System policy modification
                          PID:1448

                      Network

                      MITRE ATT&CK Enterprise v6

                      Downloads

                      • C:\PerfLogs\Admin\backup.exe

                        Filesize

                        72KB

                        MD5

                        5c6d094a44624d0168c0ace90b0fdf0a

                        SHA1

                        8be40b94ae30c6b7f3d7943721d6cdb6938d6224

                        SHA256

                        fde812d2be4430100378a886d20cf23b6e986d34183e1f5dd901699cd1b9c4da

                        SHA512

                        1e2e7b354b22b8353d57ef4c6be443e9e607f8d741128f114d8e091ef5a9bb75e9401a38c067cf508be0a309a4a81fa7b9f7e6df2b34af75a442eeade6433e3a

                      • C:\PerfLogs\backup.exe

                        Filesize

                        72KB

                        MD5

                        1ee9d07484c6a991990358978ef8cacc

                        SHA1

                        e6929ce23030b87eb1e2d30a92ac8de2a4a386b5

                        SHA256

                        4d323b8eab2abdae5f9c47b81f57493d7510ac991896563e8bab0e6b382e3d2b

                        SHA512

                        957d9585a60aba834bd1a729e2f03045dd0151572b86635451c39f9e393a7b8c23ef2ac78888101853474e0b6a374dc5dddc825b33900fb5896aaf633274e2e4

                      • C:\PerfLogs\backup.exe

                        Filesize

                        72KB

                        MD5

                        1ee9d07484c6a991990358978ef8cacc

                        SHA1

                        e6929ce23030b87eb1e2d30a92ac8de2a4a386b5

                        SHA256

                        4d323b8eab2abdae5f9c47b81f57493d7510ac991896563e8bab0e6b382e3d2b

                        SHA512

                        957d9585a60aba834bd1a729e2f03045dd0151572b86635451c39f9e393a7b8c23ef2ac78888101853474e0b6a374dc5dddc825b33900fb5896aaf633274e2e4

                      • C:\Program Files\7-Zip\Lang\backup.exe

                        Filesize

                        72KB

                        MD5

                        e5a0874263278724470bf95d5eb2458e

                        SHA1

                        393cfc24b8705c3975032c56e3b564232cbfa727

                        SHA256

                        156cdd97c2e4f2144b0d4558954432edb47711facdd0fadfacc6e9513a637033

                        SHA512

                        c49744c9788ea7baf299144bf012283f332ddf896e781248ad56dca10687d3c1622b03a2a9665a22d8831cdb43f78150cbc1266a419d60ba358c8382ae97c6d6

                      • C:\Program Files\7-Zip\backup.exe

                        Filesize

                        72KB

                        MD5

                        8e43d340ca916039db2c0401a3edcef3

                        SHA1

                        760b4e20488371f03bc6f904012c28639d9ab55f

                        SHA256

                        8528e7abac4dc4569992df8c81d27f15d63f2c0ae30859f387a113cf8123c75c

                        SHA512

                        57adc52902f834893ebf7172b02a25433d756ac5beca0420c63ead4be407cb7f4c370d3fb92a934bd7248fb78ab43963b3ab149fcae383b2a7e3ff6da2cbc63b

                      • C:\Program Files\7-Zip\backup.exe

                        Filesize

                        72KB

                        MD5

                        8e43d340ca916039db2c0401a3edcef3

                        SHA1

                        760b4e20488371f03bc6f904012c28639d9ab55f

                        SHA256

                        8528e7abac4dc4569992df8c81d27f15d63f2c0ae30859f387a113cf8123c75c

                        SHA512

                        57adc52902f834893ebf7172b02a25433d756ac5beca0420c63ead4be407cb7f4c370d3fb92a934bd7248fb78ab43963b3ab149fcae383b2a7e3ff6da2cbc63b

                      • C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

                        Filesize

                        72KB

                        MD5

                        74829ac4bbc46bdc90af00825787088b

                        SHA1

                        6c2f584a6e1faea134fb279729c757eb111e0cd7

                        SHA256

                        4a1ff7693b9efc7a75a5919678b3e5bb9b42244ee1179b593bc200f55c8ec42b

                        SHA512

                        650dbd9aad4d0d6958a331ab7accc75250aac109446cc45ee2bb5632edf2e168b19200e96ca1abe5f8584fb726f31531afec7f487c0cd72968afc401860c6cc3

                      • C:\Program Files\Common Files\Microsoft Shared\backup.exe

                        Filesize

                        72KB

                        MD5

                        e5a0874263278724470bf95d5eb2458e

                        SHA1

                        393cfc24b8705c3975032c56e3b564232cbfa727

                        SHA256

                        156cdd97c2e4f2144b0d4558954432edb47711facdd0fadfacc6e9513a637033

                        SHA512

                        c49744c9788ea7baf299144bf012283f332ddf896e781248ad56dca10687d3c1622b03a2a9665a22d8831cdb43f78150cbc1266a419d60ba358c8382ae97c6d6

                      • C:\Program Files\Common Files\Microsoft Shared\backup.exe

                        Filesize

                        72KB

                        MD5

                        e5a0874263278724470bf95d5eb2458e

                        SHA1

                        393cfc24b8705c3975032c56e3b564232cbfa727

                        SHA256

                        156cdd97c2e4f2144b0d4558954432edb47711facdd0fadfacc6e9513a637033

                        SHA512

                        c49744c9788ea7baf299144bf012283f332ddf896e781248ad56dca10687d3c1622b03a2a9665a22d8831cdb43f78150cbc1266a419d60ba358c8382ae97c6d6

                      • C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\data.exe

                        Filesize

                        72KB

                        MD5

                        d9a92e1497aa967f3098726e37ea7401

                        SHA1

                        01243719df2eb36098cb430d5a61ece169168c91

                        SHA256

                        5c7a6eaf57d41b48fe2793c4fa61c18097a23bf645f0c0f3db4b0cb1d4685289

                        SHA512

                        8f8692c520f003047456c7dd2ae853f3d5bd109f0a8b79f0aae5d0c98e4f9f1191fa4ac3bc1828a297f0b2ef1964045f42792b73251a09336080b65c4ebc26c9

                      • C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

                        Filesize

                        72KB

                        MD5

                        74829ac4bbc46bdc90af00825787088b

                        SHA1

                        6c2f584a6e1faea134fb279729c757eb111e0cd7

                        SHA256

                        4a1ff7693b9efc7a75a5919678b3e5bb9b42244ee1179b593bc200f55c8ec42b

                        SHA512

                        650dbd9aad4d0d6958a331ab7accc75250aac109446cc45ee2bb5632edf2e168b19200e96ca1abe5f8584fb726f31531afec7f487c0cd72968afc401860c6cc3

                      • C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

                        Filesize

                        72KB

                        MD5

                        74829ac4bbc46bdc90af00825787088b

                        SHA1

                        6c2f584a6e1faea134fb279729c757eb111e0cd7

                        SHA256

                        4a1ff7693b9efc7a75a5919678b3e5bb9b42244ee1179b593bc200f55c8ec42b

                        SHA512

                        650dbd9aad4d0d6958a331ab7accc75250aac109446cc45ee2bb5632edf2e168b19200e96ca1abe5f8584fb726f31531afec7f487c0cd72968afc401860c6cc3

                      • C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

                        Filesize

                        72KB

                        MD5

                        d9a92e1497aa967f3098726e37ea7401

                        SHA1

                        01243719df2eb36098cb430d5a61ece169168c91

                        SHA256

                        5c7a6eaf57d41b48fe2793c4fa61c18097a23bf645f0c0f3db4b0cb1d4685289

                        SHA512

                        8f8692c520f003047456c7dd2ae853f3d5bd109f0a8b79f0aae5d0c98e4f9f1191fa4ac3bc1828a297f0b2ef1964045f42792b73251a09336080b65c4ebc26c9

                      • C:\Program Files\Common Files\backup.exe

                        Filesize

                        72KB

                        MD5

                        8e43d340ca916039db2c0401a3edcef3

                        SHA1

                        760b4e20488371f03bc6f904012c28639d9ab55f

                        SHA256

                        8528e7abac4dc4569992df8c81d27f15d63f2c0ae30859f387a113cf8123c75c

                        SHA512

                        57adc52902f834893ebf7172b02a25433d756ac5beca0420c63ead4be407cb7f4c370d3fb92a934bd7248fb78ab43963b3ab149fcae383b2a7e3ff6da2cbc63b

                      • C:\Program Files\Common Files\backup.exe

                        Filesize

                        72KB

                        MD5

                        8e43d340ca916039db2c0401a3edcef3

                        SHA1

                        760b4e20488371f03bc6f904012c28639d9ab55f

                        SHA256

                        8528e7abac4dc4569992df8c81d27f15d63f2c0ae30859f387a113cf8123c75c

                        SHA512

                        57adc52902f834893ebf7172b02a25433d756ac5beca0420c63ead4be407cb7f4c370d3fb92a934bd7248fb78ab43963b3ab149fcae383b2a7e3ff6da2cbc63b

                      • C:\Program Files\backup.exe

                        Filesize

                        72KB

                        MD5

                        992305bd808bd21d7951f9a98de29d49

                        SHA1

                        2f148abbaa9b6edd7a5beb7f10f5702dfff799a7

                        SHA256

                        5dd821924750016b66ce968a17beae56fd66a72981686c86d3fb5a4c859ef23d

                        SHA512

                        cb7f1b8cf143305afaee0bd9a1747834484d8b71a76f3fd9b7928b2547a6b0862cc8431e79d072440ea118c27d7d54331bbc474e851cb0a700d89b7b7a9ce4f1

                      • C:\Program Files\backup.exe

                        Filesize

                        72KB

                        MD5

                        992305bd808bd21d7951f9a98de29d49

                        SHA1

                        2f148abbaa9b6edd7a5beb7f10f5702dfff799a7

                        SHA256

                        5dd821924750016b66ce968a17beae56fd66a72981686c86d3fb5a4c859ef23d

                        SHA512

                        cb7f1b8cf143305afaee0bd9a1747834484d8b71a76f3fd9b7928b2547a6b0862cc8431e79d072440ea118c27d7d54331bbc474e851cb0a700d89b7b7a9ce4f1

                      • C:\Users\Admin\AppData\Local\Temp\2965580551\backup.exe

                        Filesize

                        72KB

                        MD5

                        e1c6c3378db2989da83bfd285c8f9fe5

                        SHA1

                        c021eaa34b94012a24826147cdbfcf3537536ecd

                        SHA256

                        6ac9fe25834d6e1ceea8e04c5688cfd307761fc0d19ad7b80c6c2e38208515a8

                        SHA512

                        e94f472f1c59ea6c67df5e163c1b18882f4d66ddd61843302784fad87a8d991323d7744b6c7bd931bb97d94665db783e8cad7716cd4300f13a8bef1c8d17d962

                      • C:\Users\Admin\AppData\Local\Temp\2965580551\backup.exe

                        Filesize

                        72KB

                        MD5

                        e1c6c3378db2989da83bfd285c8f9fe5

                        SHA1

                        c021eaa34b94012a24826147cdbfcf3537536ecd

                        SHA256

                        6ac9fe25834d6e1ceea8e04c5688cfd307761fc0d19ad7b80c6c2e38208515a8

                        SHA512

                        e94f472f1c59ea6c67df5e163c1b18882f4d66ddd61843302784fad87a8d991323d7744b6c7bd931bb97d94665db783e8cad7716cd4300f13a8bef1c8d17d962

                      • C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

                        Filesize

                        72KB

                        MD5

                        e1c6c3378db2989da83bfd285c8f9fe5

                        SHA1

                        c021eaa34b94012a24826147cdbfcf3537536ecd

                        SHA256

                        6ac9fe25834d6e1ceea8e04c5688cfd307761fc0d19ad7b80c6c2e38208515a8

                        SHA512

                        e94f472f1c59ea6c67df5e163c1b18882f4d66ddd61843302784fad87a8d991323d7744b6c7bd931bb97d94665db783e8cad7716cd4300f13a8bef1c8d17d962

                      • C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

                        Filesize

                        72KB

                        MD5

                        e1c6c3378db2989da83bfd285c8f9fe5

                        SHA1

                        c021eaa34b94012a24826147cdbfcf3537536ecd

                        SHA256

                        6ac9fe25834d6e1ceea8e04c5688cfd307761fc0d19ad7b80c6c2e38208515a8

                        SHA512

                        e94f472f1c59ea6c67df5e163c1b18882f4d66ddd61843302784fad87a8d991323d7744b6c7bd931bb97d94665db783e8cad7716cd4300f13a8bef1c8d17d962

                      • C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\System Restore.exe

                        Filesize

                        72KB

                        MD5

                        e1c6c3378db2989da83bfd285c8f9fe5

                        SHA1

                        c021eaa34b94012a24826147cdbfcf3537536ecd

                        SHA256

                        6ac9fe25834d6e1ceea8e04c5688cfd307761fc0d19ad7b80c6c2e38208515a8

                        SHA512

                        e94f472f1c59ea6c67df5e163c1b18882f4d66ddd61843302784fad87a8d991323d7744b6c7bd931bb97d94665db783e8cad7716cd4300f13a8bef1c8d17d962

                      • C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

                        Filesize

                        72KB

                        MD5

                        f5fd5a7b591d9353f6188a34d538dadf

                        SHA1

                        4f1d752f05e7ccbf4ef08e56bed67a03d6ae6bbe

                        SHA256

                        26ec8d8dae0a3518f1b410800e5399d723b87e7a833708fe969e46eca9b1bf68

                        SHA512

                        01fb25c84b044501cc0f6f1d2ac3ecf4bf1f627d2e3078dc9dc30f9e9e90e2fb2974ebb01702685cefd6814c3c0a86b60ff9454b890927686cca774c844f2e31

                      • C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

                        Filesize

                        72KB

                        MD5

                        e1c6c3378db2989da83bfd285c8f9fe5

                        SHA1

                        c021eaa34b94012a24826147cdbfcf3537536ecd

                        SHA256

                        6ac9fe25834d6e1ceea8e04c5688cfd307761fc0d19ad7b80c6c2e38208515a8

                        SHA512

                        e94f472f1c59ea6c67df5e163c1b18882f4d66ddd61843302784fad87a8d991323d7744b6c7bd931bb97d94665db783e8cad7716cd4300f13a8bef1c8d17d962

                      • C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

                        Filesize

                        72KB

                        MD5

                        e1c6c3378db2989da83bfd285c8f9fe5

                        SHA1

                        c021eaa34b94012a24826147cdbfcf3537536ecd

                        SHA256

                        6ac9fe25834d6e1ceea8e04c5688cfd307761fc0d19ad7b80c6c2e38208515a8

                        SHA512

                        e94f472f1c59ea6c67df5e163c1b18882f4d66ddd61843302784fad87a8d991323d7744b6c7bd931bb97d94665db783e8cad7716cd4300f13a8bef1c8d17d962

                      • C:\backup.exe

                        Filesize

                        72KB

                        MD5

                        8adde969158899f08044222bee65c47b

                        SHA1

                        334f46d46b5bd51766a5169e86ca70d5417078f0

                        SHA256

                        2d503ebf943db7f2bbae1de702759289d3f57590a8418b2a8fc1eb4b8b5845a3

                        SHA512

                        de9bc74ead6b8f37b0b43d51bc77d87bfeae8a6ba8de28d439ff553ab73c2b92c0ff24fb559bcbf8d7001f522ae0a710a6de23328d42d743738e77336f99850c

                      • C:\backup.exe

                        Filesize

                        72KB

                        MD5

                        8adde969158899f08044222bee65c47b

                        SHA1

                        334f46d46b5bd51766a5169e86ca70d5417078f0

                        SHA256

                        2d503ebf943db7f2bbae1de702759289d3f57590a8418b2a8fc1eb4b8b5845a3

                        SHA512

                        de9bc74ead6b8f37b0b43d51bc77d87bfeae8a6ba8de28d439ff553ab73c2b92c0ff24fb559bcbf8d7001f522ae0a710a6de23328d42d743738e77336f99850c

                      • \PerfLogs\Admin\backup.exe

                        Filesize

                        72KB

                        MD5

                        5c6d094a44624d0168c0ace90b0fdf0a

                        SHA1

                        8be40b94ae30c6b7f3d7943721d6cdb6938d6224

                        SHA256

                        fde812d2be4430100378a886d20cf23b6e986d34183e1f5dd901699cd1b9c4da

                        SHA512

                        1e2e7b354b22b8353d57ef4c6be443e9e607f8d741128f114d8e091ef5a9bb75e9401a38c067cf508be0a309a4a81fa7b9f7e6df2b34af75a442eeade6433e3a

                      • \PerfLogs\Admin\backup.exe

                        Filesize

                        72KB

                        MD5

                        5c6d094a44624d0168c0ace90b0fdf0a

                        SHA1

                        8be40b94ae30c6b7f3d7943721d6cdb6938d6224

                        SHA256

                        fde812d2be4430100378a886d20cf23b6e986d34183e1f5dd901699cd1b9c4da

                        SHA512

                        1e2e7b354b22b8353d57ef4c6be443e9e607f8d741128f114d8e091ef5a9bb75e9401a38c067cf508be0a309a4a81fa7b9f7e6df2b34af75a442eeade6433e3a

                      • \PerfLogs\backup.exe

                        Filesize

                        72KB

                        MD5

                        1ee9d07484c6a991990358978ef8cacc

                        SHA1

                        e6929ce23030b87eb1e2d30a92ac8de2a4a386b5

                        SHA256

                        4d323b8eab2abdae5f9c47b81f57493d7510ac991896563e8bab0e6b382e3d2b

                        SHA512

                        957d9585a60aba834bd1a729e2f03045dd0151572b86635451c39f9e393a7b8c23ef2ac78888101853474e0b6a374dc5dddc825b33900fb5896aaf633274e2e4

                      • \PerfLogs\backup.exe

                        Filesize

                        72KB

                        MD5

                        1ee9d07484c6a991990358978ef8cacc

                        SHA1

                        e6929ce23030b87eb1e2d30a92ac8de2a4a386b5

                        SHA256

                        4d323b8eab2abdae5f9c47b81f57493d7510ac991896563e8bab0e6b382e3d2b

                        SHA512

                        957d9585a60aba834bd1a729e2f03045dd0151572b86635451c39f9e393a7b8c23ef2ac78888101853474e0b6a374dc5dddc825b33900fb5896aaf633274e2e4

                      • \Program Files\7-Zip\Lang\backup.exe

                        Filesize

                        72KB

                        MD5

                        e5a0874263278724470bf95d5eb2458e

                        SHA1

                        393cfc24b8705c3975032c56e3b564232cbfa727

                        SHA256

                        156cdd97c2e4f2144b0d4558954432edb47711facdd0fadfacc6e9513a637033

                        SHA512

                        c49744c9788ea7baf299144bf012283f332ddf896e781248ad56dca10687d3c1622b03a2a9665a22d8831cdb43f78150cbc1266a419d60ba358c8382ae97c6d6

                      • \Program Files\7-Zip\Lang\backup.exe

                        Filesize

                        72KB

                        MD5

                        e5a0874263278724470bf95d5eb2458e

                        SHA1

                        393cfc24b8705c3975032c56e3b564232cbfa727

                        SHA256

                        156cdd97c2e4f2144b0d4558954432edb47711facdd0fadfacc6e9513a637033

                        SHA512

                        c49744c9788ea7baf299144bf012283f332ddf896e781248ad56dca10687d3c1622b03a2a9665a22d8831cdb43f78150cbc1266a419d60ba358c8382ae97c6d6

                      • \Program Files\7-Zip\backup.exe

                        Filesize

                        72KB

                        MD5

                        8e43d340ca916039db2c0401a3edcef3

                        SHA1

                        760b4e20488371f03bc6f904012c28639d9ab55f

                        SHA256

                        8528e7abac4dc4569992df8c81d27f15d63f2c0ae30859f387a113cf8123c75c

                        SHA512

                        57adc52902f834893ebf7172b02a25433d756ac5beca0420c63ead4be407cb7f4c370d3fb92a934bd7248fb78ab43963b3ab149fcae383b2a7e3ff6da2cbc63b

                      • \Program Files\7-Zip\backup.exe

                        Filesize

                        72KB

                        MD5

                        8e43d340ca916039db2c0401a3edcef3

                        SHA1

                        760b4e20488371f03bc6f904012c28639d9ab55f

                        SHA256

                        8528e7abac4dc4569992df8c81d27f15d63f2c0ae30859f387a113cf8123c75c

                        SHA512

                        57adc52902f834893ebf7172b02a25433d756ac5beca0420c63ead4be407cb7f4c370d3fb92a934bd7248fb78ab43963b3ab149fcae383b2a7e3ff6da2cbc63b

                      • \Program Files\Common Files\Microsoft Shared\Filters\backup.exe

                        Filesize

                        72KB

                        MD5

                        74829ac4bbc46bdc90af00825787088b

                        SHA1

                        6c2f584a6e1faea134fb279729c757eb111e0cd7

                        SHA256

                        4a1ff7693b9efc7a75a5919678b3e5bb9b42244ee1179b593bc200f55c8ec42b

                        SHA512

                        650dbd9aad4d0d6958a331ab7accc75250aac109446cc45ee2bb5632edf2e168b19200e96ca1abe5f8584fb726f31531afec7f487c0cd72968afc401860c6cc3

                      • \Program Files\Common Files\Microsoft Shared\Filters\backup.exe

                        Filesize

                        72KB

                        MD5

                        74829ac4bbc46bdc90af00825787088b

                        SHA1

                        6c2f584a6e1faea134fb279729c757eb111e0cd7

                        SHA256

                        4a1ff7693b9efc7a75a5919678b3e5bb9b42244ee1179b593bc200f55c8ec42b

                        SHA512

                        650dbd9aad4d0d6958a331ab7accc75250aac109446cc45ee2bb5632edf2e168b19200e96ca1abe5f8584fb726f31531afec7f487c0cd72968afc401860c6cc3

                      • \Program Files\Common Files\Microsoft Shared\backup.exe

                        Filesize

                        72KB

                        MD5

                        e5a0874263278724470bf95d5eb2458e

                        SHA1

                        393cfc24b8705c3975032c56e3b564232cbfa727

                        SHA256

                        156cdd97c2e4f2144b0d4558954432edb47711facdd0fadfacc6e9513a637033

                        SHA512

                        c49744c9788ea7baf299144bf012283f332ddf896e781248ad56dca10687d3c1622b03a2a9665a22d8831cdb43f78150cbc1266a419d60ba358c8382ae97c6d6

                      • \Program Files\Common Files\Microsoft Shared\backup.exe

                        Filesize

                        72KB

                        MD5

                        e5a0874263278724470bf95d5eb2458e

                        SHA1

                        393cfc24b8705c3975032c56e3b564232cbfa727

                        SHA256

                        156cdd97c2e4f2144b0d4558954432edb47711facdd0fadfacc6e9513a637033

                        SHA512

                        c49744c9788ea7baf299144bf012283f332ddf896e781248ad56dca10687d3c1622b03a2a9665a22d8831cdb43f78150cbc1266a419d60ba358c8382ae97c6d6

                      • \Program Files\Common Files\Microsoft Shared\ink\ar-SA\data.exe

                        Filesize

                        72KB

                        MD5

                        d9a92e1497aa967f3098726e37ea7401

                        SHA1

                        01243719df2eb36098cb430d5a61ece169168c91

                        SHA256

                        5c7a6eaf57d41b48fe2793c4fa61c18097a23bf645f0c0f3db4b0cb1d4685289

                        SHA512

                        8f8692c520f003047456c7dd2ae853f3d5bd109f0a8b79f0aae5d0c98e4f9f1191fa4ac3bc1828a297f0b2ef1964045f42792b73251a09336080b65c4ebc26c9

                      • \Program Files\Common Files\Microsoft Shared\ink\ar-SA\data.exe

                        Filesize

                        72KB

                        MD5

                        d9a92e1497aa967f3098726e37ea7401

                        SHA1

                        01243719df2eb36098cb430d5a61ece169168c91

                        SHA256

                        5c7a6eaf57d41b48fe2793c4fa61c18097a23bf645f0c0f3db4b0cb1d4685289

                        SHA512

                        8f8692c520f003047456c7dd2ae853f3d5bd109f0a8b79f0aae5d0c98e4f9f1191fa4ac3bc1828a297f0b2ef1964045f42792b73251a09336080b65c4ebc26c9

                      • \Program Files\Common Files\Microsoft Shared\ink\backup.exe

                        Filesize

                        72KB

                        MD5

                        74829ac4bbc46bdc90af00825787088b

                        SHA1

                        6c2f584a6e1faea134fb279729c757eb111e0cd7

                        SHA256

                        4a1ff7693b9efc7a75a5919678b3e5bb9b42244ee1179b593bc200f55c8ec42b

                        SHA512

                        650dbd9aad4d0d6958a331ab7accc75250aac109446cc45ee2bb5632edf2e168b19200e96ca1abe5f8584fb726f31531afec7f487c0cd72968afc401860c6cc3

                      • \Program Files\Common Files\Microsoft Shared\ink\backup.exe

                        Filesize

                        72KB

                        MD5

                        74829ac4bbc46bdc90af00825787088b

                        SHA1

                        6c2f584a6e1faea134fb279729c757eb111e0cd7

                        SHA256

                        4a1ff7693b9efc7a75a5919678b3e5bb9b42244ee1179b593bc200f55c8ec42b

                        SHA512

                        650dbd9aad4d0d6958a331ab7accc75250aac109446cc45ee2bb5632edf2e168b19200e96ca1abe5f8584fb726f31531afec7f487c0cd72968afc401860c6cc3

                      • \Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

                        Filesize

                        72KB

                        MD5

                        d9a92e1497aa967f3098726e37ea7401

                        SHA1

                        01243719df2eb36098cb430d5a61ece169168c91

                        SHA256

                        5c7a6eaf57d41b48fe2793c4fa61c18097a23bf645f0c0f3db4b0cb1d4685289

                        SHA512

                        8f8692c520f003047456c7dd2ae853f3d5bd109f0a8b79f0aae5d0c98e4f9f1191fa4ac3bc1828a297f0b2ef1964045f42792b73251a09336080b65c4ebc26c9

                      • \Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

                        Filesize

                        72KB

                        MD5

                        d9a92e1497aa967f3098726e37ea7401

                        SHA1

                        01243719df2eb36098cb430d5a61ece169168c91

                        SHA256

                        5c7a6eaf57d41b48fe2793c4fa61c18097a23bf645f0c0f3db4b0cb1d4685289

                        SHA512

                        8f8692c520f003047456c7dd2ae853f3d5bd109f0a8b79f0aae5d0c98e4f9f1191fa4ac3bc1828a297f0b2ef1964045f42792b73251a09336080b65c4ebc26c9

                      • \Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe

                        Filesize

                        72KB

                        MD5

                        d9a92e1497aa967f3098726e37ea7401

                        SHA1

                        01243719df2eb36098cb430d5a61ece169168c91

                        SHA256

                        5c7a6eaf57d41b48fe2793c4fa61c18097a23bf645f0c0f3db4b0cb1d4685289

                        SHA512

                        8f8692c520f003047456c7dd2ae853f3d5bd109f0a8b79f0aae5d0c98e4f9f1191fa4ac3bc1828a297f0b2ef1964045f42792b73251a09336080b65c4ebc26c9

                      • \Program Files\Common Files\backup.exe

                        Filesize

                        72KB

                        MD5

                        8e43d340ca916039db2c0401a3edcef3

                        SHA1

                        760b4e20488371f03bc6f904012c28639d9ab55f

                        SHA256

                        8528e7abac4dc4569992df8c81d27f15d63f2c0ae30859f387a113cf8123c75c

                        SHA512

                        57adc52902f834893ebf7172b02a25433d756ac5beca0420c63ead4be407cb7f4c370d3fb92a934bd7248fb78ab43963b3ab149fcae383b2a7e3ff6da2cbc63b

                      • \Program Files\Common Files\backup.exe

                        Filesize

                        72KB

                        MD5

                        8e43d340ca916039db2c0401a3edcef3

                        SHA1

                        760b4e20488371f03bc6f904012c28639d9ab55f

                        SHA256

                        8528e7abac4dc4569992df8c81d27f15d63f2c0ae30859f387a113cf8123c75c

                        SHA512

                        57adc52902f834893ebf7172b02a25433d756ac5beca0420c63ead4be407cb7f4c370d3fb92a934bd7248fb78ab43963b3ab149fcae383b2a7e3ff6da2cbc63b

                      • \Program Files\backup.exe

                        Filesize

                        72KB

                        MD5

                        992305bd808bd21d7951f9a98de29d49

                        SHA1

                        2f148abbaa9b6edd7a5beb7f10f5702dfff799a7

                        SHA256

                        5dd821924750016b66ce968a17beae56fd66a72981686c86d3fb5a4c859ef23d

                        SHA512

                        cb7f1b8cf143305afaee0bd9a1747834484d8b71a76f3fd9b7928b2547a6b0862cc8431e79d072440ea118c27d7d54331bbc474e851cb0a700d89b7b7a9ce4f1

                      • \Users\Admin\AppData\Local\Temp\2965580551\backup.exe

                        Filesize

                        72KB

                        MD5

                        e1c6c3378db2989da83bfd285c8f9fe5

                        SHA1

                        c021eaa34b94012a24826147cdbfcf3537536ecd

                        SHA256

                        6ac9fe25834d6e1ceea8e04c5688cfd307761fc0d19ad7b80c6c2e38208515a8

                        SHA512

                        e94f472f1c59ea6c67df5e163c1b18882f4d66ddd61843302784fad87a8d991323d7744b6c7bd931bb97d94665db783e8cad7716cd4300f13a8bef1c8d17d962

                      • \Users\Admin\AppData\Local\Temp\Low\backup.exe

                        Filesize

                        72KB

                        MD5

                        e1c6c3378db2989da83bfd285c8f9fe5

                        SHA1

                        c021eaa34b94012a24826147cdbfcf3537536ecd

                        SHA256

                        6ac9fe25834d6e1ceea8e04c5688cfd307761fc0d19ad7b80c6c2e38208515a8

                        SHA512

                        e94f472f1c59ea6c67df5e163c1b18882f4d66ddd61843302784fad87a8d991323d7744b6c7bd931bb97d94665db783e8cad7716cd4300f13a8bef1c8d17d962

                      • \Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

                        Filesize

                        72KB

                        MD5

                        e1c6c3378db2989da83bfd285c8f9fe5

                        SHA1

                        c021eaa34b94012a24826147cdbfcf3537536ecd

                        SHA256

                        6ac9fe25834d6e1ceea8e04c5688cfd307761fc0d19ad7b80c6c2e38208515a8

                        SHA512

                        e94f472f1c59ea6c67df5e163c1b18882f4d66ddd61843302784fad87a8d991323d7744b6c7bd931bb97d94665db783e8cad7716cd4300f13a8bef1c8d17d962

                      • \Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\System Restore.exe

                        Filesize

                        72KB

                        MD5

                        e1c6c3378db2989da83bfd285c8f9fe5

                        SHA1

                        c021eaa34b94012a24826147cdbfcf3537536ecd

                        SHA256

                        6ac9fe25834d6e1ceea8e04c5688cfd307761fc0d19ad7b80c6c2e38208515a8

                        SHA512

                        e94f472f1c59ea6c67df5e163c1b18882f4d66ddd61843302784fad87a8d991323d7744b6c7bd931bb97d94665db783e8cad7716cd4300f13a8bef1c8d17d962

                      • \Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

                        Filesize

                        72KB

                        MD5

                        f5fd5a7b591d9353f6188a34d538dadf

                        SHA1

                        4f1d752f05e7ccbf4ef08e56bed67a03d6ae6bbe

                        SHA256

                        26ec8d8dae0a3518f1b410800e5399d723b87e7a833708fe969e46eca9b1bf68

                        SHA512

                        01fb25c84b044501cc0f6f1d2ac3ecf4bf1f627d2e3078dc9dc30f9e9e90e2fb2974ebb01702685cefd6814c3c0a86b60ff9454b890927686cca774c844f2e31

                      • \Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

                        Filesize

                        72KB

                        MD5

                        e1c6c3378db2989da83bfd285c8f9fe5

                        SHA1

                        c021eaa34b94012a24826147cdbfcf3537536ecd

                        SHA256

                        6ac9fe25834d6e1ceea8e04c5688cfd307761fc0d19ad7b80c6c2e38208515a8

                        SHA512

                        e94f472f1c59ea6c67df5e163c1b18882f4d66ddd61843302784fad87a8d991323d7744b6c7bd931bb97d94665db783e8cad7716cd4300f13a8bef1c8d17d962

                      • \Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

                        Filesize

                        72KB

                        MD5

                        e1c6c3378db2989da83bfd285c8f9fe5

                        SHA1

                        c021eaa34b94012a24826147cdbfcf3537536ecd

                        SHA256

                        6ac9fe25834d6e1ceea8e04c5688cfd307761fc0d19ad7b80c6c2e38208515a8

                        SHA512

                        e94f472f1c59ea6c67df5e163c1b18882f4d66ddd61843302784fad87a8d991323d7744b6c7bd931bb97d94665db783e8cad7716cd4300f13a8bef1c8d17d962

                      • memory/1324-143-0x0000000074A31000-0x0000000074A33000-memory.dmp

                        Filesize

                        8KB

                      • memory/1324-108-0x0000000076931000-0x0000000076933000-memory.dmp

                        Filesize

                        8KB