Overview

overview

10

Static

static

346b35bcef...97.exe

windows7-x64

10

346b35bcef...97.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    250s
  • max time network
    337s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    05-12-2022 19:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    346b35bcef2160aa2715f7b8b1b10493f71957e35e5431554cbe516044e50497.exe

  • Size

    72KB

  • MD5

    0c0b1c0d167a094a5dfeef38745d5a6a

  • SHA1

    e473937658d9a8ac94b87cc84466f4f598340501

  • SHA256

    346b35bcef2160aa2715f7b8b1b10493f71957e35e5431554cbe516044e50497

  • SHA512

    716aa8b1665dab0b94aa657be54bf4af4586b68c2599fcc58a11d74a775e8dea99cd00729fca1a6e35d64c966ee5aac6fdf826a2d7d1074d3a3918cfd2b93cba

  • SSDEEP

    384:i6wayA+1mwnA353BXR+oGfP5d/ZBHXME+l93qPAqee/w6yJ/wWD+S83BXR+oGf2K:ipQNwC3BEddsEqOt/hyJF+x3BEJwRrP+

Score
10/10
evasion

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 52 IoCs
    evasion
  • Disables RegEdit via registry modification 64 IoCs
    evasion
  • Executes dropped EXE 60 IoCs
  • Loads dropped DLL 64 IoCs
  • Drops file in Program Files directory 48 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 56 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 64 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\346b35bcef2160aa2715f7b8b1b10493f71957e35e5431554cbe516044e50497.exe
    "C:\Users\Admin\AppData\Local\Temp\346b35bcef2160aa2715f7b8b1b10493f71957e35e5431554cbe516044e50497.exe"
    1⤵
    • Modifies visibility of file extensions in Explorer
    • Loads dropped DLL
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:580
    • C:\Users\Admin\AppData\Local\Temp\795642021\backup.exe
      C:\Users\Admin\AppData\Local\Temp\795642021\backup.exe C:\Users\Admin\AppData\Local\Temp\795642021\
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1440
      • C:\backup.exe
        \backup.exe \
        3⤵
        • Modifies visibility of file extensions in Explorer
        • Disables RegEdit via registry modification
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1724
        • C:\PerfLogs\backup.exe
          C:\PerfLogs\backup.exe C:\PerfLogs\
          4⤵
          • Modifies visibility of file extensions in Explorer
          • Disables RegEdit via registry modification
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:904
          • C:\PerfLogs\Admin\backup.exe
            C:\PerfLogs\Admin\backup.exe C:\PerfLogs\Admin\
            5⤵
            • Modifies visibility of file extensions in Explorer
            • Disables RegEdit via registry modification
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            • System policy modification
            PID:1016
        • C:\Program Files\backup.exe
          "C:\Program Files\backup.exe" C:\Program Files\
          4⤵
          • Modifies visibility of file extensions in Explorer
          • Disables RegEdit via registry modification
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in Program Files directory
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2040
          • C:\Program Files\7-Zip\backup.exe
            "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
            5⤵
            • Modifies visibility of file extensions in Explorer
            • Disables RegEdit via registry modification
            • Executes dropped EXE
            • Loads dropped DLL
            • Drops file in Program Files directory
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            • System policy modification
            PID:1360
            • C:\Program Files\7-Zip\Lang\backup.exe
              "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
              6⤵
              • Modifies visibility of file extensions in Explorer
              • Disables RegEdit via registry modification
              • Executes dropped EXE
              • Suspicious use of SetWindowsHookEx
              • System policy modification
              PID:112
          • C:\Program Files\Common Files\backup.exe
            "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
            5⤵
            • Modifies visibility of file extensions in Explorer
            • Disables RegEdit via registry modification
            • Executes dropped EXE
            • Loads dropped DLL
            • Drops file in Program Files directory
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:968
            • C:\Program Files\Common Files\Microsoft Shared\backup.exe
              "C:\Program Files\Common Files\Microsoft Shared\backup.exe" C:\Program Files\Common Files\Microsoft Shared\
              6⤵
              • Modifies visibility of file extensions in Explorer
              • Disables RegEdit via registry modification
              • Executes dropped EXE
              • Loads dropped DLL
              • Drops file in Program Files directory
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:2004
              • C:\Program Files\Common Files\Microsoft Shared\Filters\data.exe
                "C:\Program Files\Common Files\Microsoft Shared\Filters\data.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
                7⤵
                • Modifies visibility of file extensions in Explorer
                • Disables RegEdit via registry modification
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                • System policy modification
                PID:1624
              • C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
                "C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
                7⤵
                • Modifies visibility of file extensions in Explorer
                • Executes dropped EXE
                • Loads dropped DLL
                • Drops file in Program Files directory
                • Suspicious use of SetWindowsHookEx
                • System policy modification
                PID:568
                • C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe
                  "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
                  8⤵
                  • Modifies visibility of file extensions in Explorer
                  • Disables RegEdit via registry modification
                  • Executes dropped EXE
                  • Suspicious use of SetWindowsHookEx
                  PID:1980
                • C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
                  "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
                  8⤵
                  • Modifies visibility of file extensions in Explorer
                  • Disables RegEdit via registry modification
                  • Executes dropped EXE
                  • Suspicious use of SetWindowsHookEx
                  • System policy modification
                  PID:1568
                • C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe
                  "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
                  8⤵
                  • Modifies visibility of file extensions in Explorer
                  • Disables RegEdit via registry modification
                  • Executes dropped EXE
                  • Suspicious use of SetWindowsHookEx
                  • System policy modification
                  PID:1548
                • C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\update.exe
                  "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
                  8⤵
                  • Modifies visibility of file extensions in Explorer
                  • Disables RegEdit via registry modification
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Suspicious use of SetWindowsHookEx
                  • System policy modification
                  PID:1076
                • C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe
                  "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
                  8⤵
                  • Modifies visibility of file extensions in Explorer
                  • Disables RegEdit via registry modification
                  • Executes dropped EXE
                  • Suspicious use of SetWindowsHookEx
                  • System policy modification
                  PID:1640
                • C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe
                  "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
                  8⤵
                  • Modifies visibility of file extensions in Explorer
                  • Executes dropped EXE
                  • Suspicious use of SetWindowsHookEx
                  • System policy modification
                  PID:392
                • C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe
                  "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
                  8⤵
                  • Modifies visibility of file extensions in Explorer
                  • Executes dropped EXE
                  • Suspicious use of SetWindowsHookEx
                  • System policy modification
                  PID:828
                • C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe
                  "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
                  8⤵
                  • Modifies visibility of file extensions in Explorer
                  • Disables RegEdit via registry modification
                  • Executes dropped EXE
                  • Suspicious use of SetWindowsHookEx
                  • System policy modification
                  PID:1344
                • C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe
                  "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
                  8⤵
                  • Modifies visibility of file extensions in Explorer
                  • Disables RegEdit via registry modification
                  • Executes dropped EXE
                  • Suspicious use of SetWindowsHookEx
                  PID:2036
                • C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe
                  "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\
                  8⤵
                  • Modifies visibility of file extensions in Explorer
                  • Disables RegEdit via registry modification
                  • Executes dropped EXE
                  • Suspicious use of SetWindowsHookEx
                  • System policy modification
                  PID:1932
                • C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
                  "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\
                  8⤵
                  • Modifies visibility of file extensions in Explorer
                  • Disables RegEdit via registry modification
                  • Executes dropped EXE
                  • Suspicious use of SetWindowsHookEx
                  • System policy modification
                  PID:468
                • C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe
                  "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\
                  8⤵
                  • Executes dropped EXE
                  • Suspicious use of SetWindowsHookEx
                  PID:920
              • C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe
                "C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
                7⤵
                • Modifies visibility of file extensions in Explorer
                • Disables RegEdit via registry modification
                • Executes dropped EXE
                • Drops file in Program Files directory
                • Suspicious use of SetWindowsHookEx
                PID:1552
                • C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe
                  "C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\
                  8⤵
                  • Modifies visibility of file extensions in Explorer
                  • Disables RegEdit via registry modification
                  • Executes dropped EXE
                  • Suspicious use of SetWindowsHookEx
                  • System policy modification
                  PID:952
                • C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
                  "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\
                  8⤵
                  • Modifies visibility of file extensions in Explorer
                  • Disables RegEdit via registry modification
                  • Executes dropped EXE
                  • Suspicious use of SetWindowsHookEx
                  • System policy modification
                  PID:1844
                • C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe
                  "C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\
                  8⤵
                  • Modifies visibility of file extensions in Explorer
                  • Disables RegEdit via registry modification
                  • Executes dropped EXE
                  • Suspicious use of SetWindowsHookEx
                  PID:1784
                • C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe
                  "C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\
                  8⤵
                  • Executes dropped EXE
                  PID:1572
              • C:\Program Files\Common Files\Microsoft Shared\OFFICE14\System Restore.exe
                "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
                7⤵
                • Modifies visibility of file extensions in Explorer
                • Executes dropped EXE
                • Drops file in Program Files directory
                • Suspicious use of SetWindowsHookEx
                • System policy modification
                PID:1820
                • C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe
                  "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\
                  8⤵
                  • Modifies visibility of file extensions in Explorer
                  • Disables RegEdit via registry modification
                  • Executes dropped EXE
                  • Suspicious use of SetWindowsHookEx
                  • System policy modification
                  PID:1916
              • C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe
                "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
                7⤵
                • Executes dropped EXE
                PID:2044
            • C:\Program Files\Common Files\Services\data.exe
              "C:\Program Files\Common Files\Services\data.exe" C:\Program Files\Common Files\Services\
              6⤵
              • Modifies visibility of file extensions in Explorer
              • Disables RegEdit via registry modification
              • Executes dropped EXE
              • Suspicious use of SetWindowsHookEx
              • System policy modification
              PID:1832
            • C:\Program Files\Common Files\SpeechEngines\backup.exe
              "C:\Program Files\Common Files\SpeechEngines\backup.exe" C:\Program Files\Common Files\SpeechEngines\
              6⤵
              • Modifies visibility of file extensions in Explorer
              • Disables RegEdit via registry modification
              • Executes dropped EXE
              • Drops file in Program Files directory
              • Suspicious use of SetWindowsHookEx
              • System policy modification
              PID:1928
              • C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe
                "C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files\Common Files\SpeechEngines\Microsoft\
                7⤵
                • Modifies visibility of file extensions in Explorer
                • Disables RegEdit via registry modification
                • Executes dropped EXE
                • Drops file in Program Files directory
                • Suspicious use of SetWindowsHookEx
                • System policy modification
                PID:1588
            • C:\Program Files\Common Files\System\backup.exe
              "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
              6⤵
              • Modifies visibility of file extensions in Explorer
              • Disables RegEdit via registry modification
              • Executes dropped EXE
              PID:324
              • C:\Program Files\Common Files\System\ado\backup.exe
                "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
                7⤵
                • Modifies visibility of file extensions in Explorer
                • Disables RegEdit via registry modification
                • Drops file in Program Files directory
                • Suspicious use of SetWindowsHookEx
                PID:1548
                • C:\Program Files\Common Files\System\ado\de-DE\backup.exe
                  "C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
                  8⤵
                  • Executes dropped EXE
                  PID:892
              • C:\Program Files\Common Files\System\de-DE\backup.exe
                "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
                7⤵
                  PID:1840
            • C:\Program Files\DVD Maker\backup.exe
              "C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\
              5⤵
              • Modifies visibility of file extensions in Explorer
              • Disables RegEdit via registry modification
              • Executes dropped EXE
              • Drops file in Program Files directory
              • Suspicious use of SetWindowsHookEx
              • System policy modification
              PID:1196
              • C:\Program Files\DVD Maker\de-DE\update.exe
                "C:\Program Files\DVD Maker\de-DE\update.exe" C:\Program Files\DVD Maker\de-DE\
                6⤵
                • Modifies visibility of file extensions in Explorer
                • Disables RegEdit via registry modification
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                • System policy modification
                PID:1624
              • C:\Program Files\DVD Maker\en-US\backup.exe
                "C:\Program Files\DVD Maker\en-US\backup.exe" C:\Program Files\DVD Maker\en-US\
                6⤵
                • Modifies visibility of file extensions in Explorer
                • Disables RegEdit via registry modification
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                • System policy modification
                PID:1996
              • C:\Program Files\DVD Maker\es-ES\update.exe
                "C:\Program Files\DVD Maker\es-ES\update.exe" C:\Program Files\DVD Maker\es-ES\
                6⤵
                  PID:1512
              • C:\Program Files\Google\System Restore.exe
                "C:\Program Files\Google\System Restore.exe" C:\Program Files\Google\
                5⤵
                • Modifies visibility of file extensions in Explorer
                • Executes dropped EXE
                • Drops file in Program Files directory
                • Suspicious use of SetWindowsHookEx
                PID:744
                • C:\Program Files\Google\Chrome\backup.exe
                  "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
                  6⤵
                  • Modifies visibility of file extensions in Explorer
                  • Disables RegEdit via registry modification
                  • Executes dropped EXE
                  • Drops file in Program Files directory
                  • Suspicious use of SetWindowsHookEx
                  • System policy modification
                  PID:1460
                  • C:\Program Files\Google\Chrome\Application\backup.exe
                    "C:\Program Files\Google\Chrome\Application\backup.exe" C:\Program Files\Google\Chrome\Application\
                    7⤵
                    • Executes dropped EXE
                    • Suspicious use of SetWindowsHookEx
                    PID:636
              • C:\Program Files\Internet Explorer\backup.exe
                "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
                5⤵
                • Modifies visibility of file extensions in Explorer
                • Disables RegEdit via registry modification
                • Executes dropped EXE
                • Drops file in Program Files directory
                • Suspicious use of SetWindowsHookEx
                • System policy modification
                PID:1220
                • C:\Program Files\Internet Explorer\de-DE\backup.exe
                  "C:\Program Files\Internet Explorer\de-DE\backup.exe" C:\Program Files\Internet Explorer\de-DE\
                  6⤵
                  • Modifies visibility of file extensions in Explorer
                  • Disables RegEdit via registry modification
                  • Executes dropped EXE
                  • Suspicious use of SetWindowsHookEx
                  • System policy modification
                  PID:1808
                • C:\Program Files\Internet Explorer\en-US\backup.exe
                  "C:\Program Files\Internet Explorer\en-US\backup.exe" C:\Program Files\Internet Explorer\en-US\
                  6⤵
                  • Modifies visibility of file extensions in Explorer
                  • Disables RegEdit via registry modification
                  • Executes dropped EXE
                  • Suspicious use of SetWindowsHookEx
                  PID:1268
                • C:\Program Files\Internet Explorer\es-ES\backup.exe
                  "C:\Program Files\Internet Explorer\es-ES\backup.exe" C:\Program Files\Internet Explorer\es-ES\
                  6⤵
                  • Executes dropped EXE
                  • Suspicious use of SetWindowsHookEx
                  PID:112
              • C:\Program Files\Java\backup.exe
                "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
                5⤵
                  PID:1596
              • C:\Program Files (x86)\System Restore.exe
                "C:\Program Files (x86)\System Restore.exe" C:\Program Files (x86)\
                4⤵
                • Modifies visibility of file extensions in Explorer
                • Disables RegEdit via registry modification
                • Executes dropped EXE
                • Drops file in Program Files directory
                • Suspicious use of SetWindowsHookEx
                • System policy modification
                PID:1556
                • C:\Program Files (x86)\Adobe\backup.exe
                  "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
                  5⤵
                  • Modifies visibility of file extensions in Explorer
                  • Disables RegEdit via registry modification
                  • Executes dropped EXE
                  • Drops file in Program Files directory
                  • Suspicious use of SetWindowsHookEx
                  • System policy modification
                  PID:1628
                  • C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe
                    "C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\
                    6⤵
                    • Modifies visibility of file extensions in Explorer
                    • Disables RegEdit via registry modification
                    • Executes dropped EXE
                    • Drops file in Program Files directory
                    • Suspicious use of SetWindowsHookEx
                    • System policy modification
                    PID:280
                    • C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe
                      "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\
                      7⤵
                      • Executes dropped EXE
                      PID:1392
                    • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe
                      "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\
                      7⤵
                        PID:1420
                • C:\Users\backup.exe
                  C:\Users\backup.exe C:\Users\
                  4⤵
                  • Modifies visibility of file extensions in Explorer
                  • Disables RegEdit via registry modification
                  • Executes dropped EXE
                  • Suspicious use of SetWindowsHookEx
                  • System policy modification
                  PID:1692
                  • C:\Users\Admin\backup.exe
                    C:\Users\Admin\backup.exe C:\Users\Admin\
                    5⤵
                    • Modifies visibility of file extensions in Explorer
                    • Disables RegEdit via registry modification
                    • Executes dropped EXE
                    • Suspicious use of SetWindowsHookEx
                    • System policy modification
                    PID:1528
                    • C:\Users\Admin\Contacts\update.exe
                      C:\Users\Admin\Contacts\update.exe C:\Users\Admin\Contacts\
                      6⤵
                      • Executes dropped EXE
                      • Suspicious use of SetWindowsHookEx
                      PID:1192
                    • C:\Users\Admin\Desktop\backup.exe
                      C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
                      6⤵
                        PID:1008
                  • C:\Windows\backup.exe
                    C:\Windows\backup.exe C:\Windows\
                    4⤵
                    • Executes dropped EXE
                    PID:1308
              • C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
                C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
                2⤵
                • Modifies visibility of file extensions in Explorer
                • Disables RegEdit via registry modification
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                • System policy modification
                PID:1028
              • C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
                C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
                2⤵
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                PID:1944
              • C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
                "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
                2⤵
                • Modifies visibility of file extensions in Explorer
                • Disables RegEdit via registry modification
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                PID:1808
              • C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
                "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
                2⤵
                • Modifies visibility of file extensions in Explorer
                • Disables RegEdit via registry modification
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                • System policy modification
                PID:108
              • C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\update.exe
                C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\update.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
                2⤵
                • Modifies visibility of file extensions in Explorer
                • Disables RegEdit via registry modification
                • Executes dropped EXE
                • Loads dropped DLL
                • Suspicious use of SetWindowsHookEx
                • System policy modification
                PID:1648
              • C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
                C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
                2⤵
                • Modifies visibility of file extensions in Explorer
                • Disables RegEdit via registry modification
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                • System policy modification
                PID:1260

            Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\PerfLogs\Admin\backup.exe
              Filesize

              72KB

              MD5

              e46158e215c9c332a72f9c8bcdbfc6be

              SHA1

              ba0ea6ee10c853a23056103a7a179e77c2dea46a

              SHA256

              ce2fa6bebc511004cf7800a197b102534c23623c717447dd465f15287d2c94aa

              SHA512

              d927651d9917c62959f1c4eaf3b7a45940ee31630fe8b3c3f04cd8e9dc50cc75e529da060ee66ddd9cf344869528c8a3e77ddd81e215bc6a5c7b236ed90f2c82

              Download Submit

            • C:\PerfLogs\backup.exe
              Filesize

              72KB

              MD5

              d91a51f41802969c1123be0cae671156

              SHA1

              aecbea62ae1f25cfd8c9c41fc4d481bc063ef7ff

              SHA256

              5bdf990bb6bd99afe5df57c93f128ba2a9160cb186b549eaaf7de18fad900930

              SHA512

              64e28893b5f648a2829756ab6bdedb4349e70f08992ed6f4623134910b2192e58906be7b13491d2d0f6774b43d8a1b5ed924257a78793c16de720325d2c58973

              Download Submit

            • C:\PerfLogs\backup.exe
              Filesize

              72KB

              MD5

              d91a51f41802969c1123be0cae671156

              SHA1

              aecbea62ae1f25cfd8c9c41fc4d481bc063ef7ff

              SHA256

              5bdf990bb6bd99afe5df57c93f128ba2a9160cb186b549eaaf7de18fad900930

              SHA512

              64e28893b5f648a2829756ab6bdedb4349e70f08992ed6f4623134910b2192e58906be7b13491d2d0f6774b43d8a1b5ed924257a78793c16de720325d2c58973

              Download Submit

            • C:\Program Files\7-Zip\Lang\backup.exe
              Filesize

              72KB

              MD5

              0d37a5970755b8a7780709a3cb3e8062

              SHA1

              3c7300ad14063e8047a57e6958233c2f4e3d8c85

              SHA256

              d42e8d80aa9cae17cd59aad1bbdea241ba00a62364e6b0dceb080a0d2f6604d8

              SHA512

              966a98779873145392a99ab3d02c94e48f43094f87fc7d3b0b981bb3c3531fa6c900876aa659468394d0f7d3c3b5c14d01869c684e49a9801365735bb4dbf7ed

              Download Submit

            • C:\Program Files\7-Zip\backup.exe
              Filesize

              72KB

              MD5

              e46158e215c9c332a72f9c8bcdbfc6be

              SHA1

              ba0ea6ee10c853a23056103a7a179e77c2dea46a

              SHA256

              ce2fa6bebc511004cf7800a197b102534c23623c717447dd465f15287d2c94aa

              SHA512

              d927651d9917c62959f1c4eaf3b7a45940ee31630fe8b3c3f04cd8e9dc50cc75e529da060ee66ddd9cf344869528c8a3e77ddd81e215bc6a5c7b236ed90f2c82

              Download Submit

            • C:\Program Files\7-Zip\backup.exe
              Filesize

              72KB

              MD5

              e46158e215c9c332a72f9c8bcdbfc6be

              SHA1

              ba0ea6ee10c853a23056103a7a179e77c2dea46a

              SHA256

              ce2fa6bebc511004cf7800a197b102534c23623c717447dd465f15287d2c94aa

              SHA512

              d927651d9917c62959f1c4eaf3b7a45940ee31630fe8b3c3f04cd8e9dc50cc75e529da060ee66ddd9cf344869528c8a3e77ddd81e215bc6a5c7b236ed90f2c82

              Download Submit

            • C:\Program Files\Common Files\Microsoft Shared\Filters\data.exe
              Filesize

              72KB

              MD5

              172313bb33ef16de6cabbfe45c21e91f

              SHA1

              774fdd117a9ade1e0db6ffca4f6f09ba1b58f210

              SHA256

              54ebd043af419db5003692f9ebea321eb48d09e01545c604eea9ce860ed39bd3

              SHA512

              e192367578dd6e6d21bd068da8222218d38dc21765abddbf19eb3e6f17fdd0387893ae0f8fff7ef62d0a4beeed20e78df28487775dadfbc68bd321f7a5282ac8

              Download Submit

            • C:\Program Files\Common Files\Microsoft Shared\backup.exe
              Filesize

              72KB

              MD5

              e8084e395c9f572e9fecaed23ff6383e

              SHA1

              3a5a382b3393755a3c771edd66d0317dfca54dbf

              SHA256

              be2ceb02a0ae3e2b35a1c878e9528c40f5c14d8ed2eb0f8476196b320cec36fe

              SHA512

              e1bf5d4b8c82379ed04aeb5be62a71023c342dbc03f844d51b543a8e9c0e7f3f0c0ea8dda71132d69d05a0c532bef065f55ed274073c74f253450af8da16470a

              Download Submit

            • C:\Program Files\Common Files\Microsoft Shared\backup.exe
              Filesize

              72KB

              MD5

              e8084e395c9f572e9fecaed23ff6383e

              SHA1

              3a5a382b3393755a3c771edd66d0317dfca54dbf

              SHA256

              be2ceb02a0ae3e2b35a1c878e9528c40f5c14d8ed2eb0f8476196b320cec36fe

              SHA512

              e1bf5d4b8c82379ed04aeb5be62a71023c342dbc03f844d51b543a8e9c0e7f3f0c0ea8dda71132d69d05a0c532bef065f55ed274073c74f253450af8da16470a

              Download Submit

            • C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe
              Filesize

              72KB

              MD5

              b9da8ced5cadd6bcaff4eaaabe4b3c3b

              SHA1

              98dacbc08ac36c8b8ce8cdb7b2b1ae5274cb353f

              SHA256

              3712a6f1c74f53d80f45e753238c51128fdc05e829410cec2f758d695aefbe73

              SHA512

              a20037a6a9db347ef55d189f6eea2fcc283b423cf8261578f3fc0ac3410211214a19bd2cb710bbaf293a5df63b757199de19ac3c9b4ac04af5985c78b7704100

              Download Submit

            • C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
              Filesize

              72KB

              MD5

              172313bb33ef16de6cabbfe45c21e91f

              SHA1

              774fdd117a9ade1e0db6ffca4f6f09ba1b58f210

              SHA256

              54ebd043af419db5003692f9ebea321eb48d09e01545c604eea9ce860ed39bd3

              SHA512

              e192367578dd6e6d21bd068da8222218d38dc21765abddbf19eb3e6f17fdd0387893ae0f8fff7ef62d0a4beeed20e78df28487775dadfbc68bd321f7a5282ac8

              Download Submit

            • C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
              Filesize

              72KB

              MD5

              172313bb33ef16de6cabbfe45c21e91f

              SHA1

              774fdd117a9ade1e0db6ffca4f6f09ba1b58f210

              SHA256

              54ebd043af419db5003692f9ebea321eb48d09e01545c604eea9ce860ed39bd3

              SHA512

              e192367578dd6e6d21bd068da8222218d38dc21765abddbf19eb3e6f17fdd0387893ae0f8fff7ef62d0a4beeed20e78df28487775dadfbc68bd321f7a5282ac8

              Download Submit

            • C:\Program Files\Common Files\backup.exe
              Filesize

              72KB

              MD5

              7998c73c1bbc72144b7a20cabadd42e1

              SHA1

              ff15930726016fe09faadc310f838d167b93cfc6

              SHA256

              3c5860d9799cf89135f1605e5629dafed0b0c09cdc02d344f85410b59100762c

              SHA512

              ce5964e0325c06de6f33bc4462d5663be195f9ce4f90ae767e159f0a650d09f0beec022a6eb909fb586dc32bfe1faad8299ab8c9a0b10ee48846f4233d22fb46

              Download Submit

            • C:\Program Files\Common Files\backup.exe
              Filesize

              72KB

              MD5

              7998c73c1bbc72144b7a20cabadd42e1

              SHA1

              ff15930726016fe09faadc310f838d167b93cfc6

              SHA256

              3c5860d9799cf89135f1605e5629dafed0b0c09cdc02d344f85410b59100762c

              SHA512

              ce5964e0325c06de6f33bc4462d5663be195f9ce4f90ae767e159f0a650d09f0beec022a6eb909fb586dc32bfe1faad8299ab8c9a0b10ee48846f4233d22fb46

              Download Submit

            • C:\Program Files\backup.exe
              Filesize

              72KB

              MD5

              d91a51f41802969c1123be0cae671156

              SHA1

              aecbea62ae1f25cfd8c9c41fc4d481bc063ef7ff

              SHA256

              5bdf990bb6bd99afe5df57c93f128ba2a9160cb186b549eaaf7de18fad900930

              SHA512

              64e28893b5f648a2829756ab6bdedb4349e70f08992ed6f4623134910b2192e58906be7b13491d2d0f6774b43d8a1b5ed924257a78793c16de720325d2c58973

              Download Submit

            • C:\Program Files\backup.exe
              Filesize

              72KB

              MD5

              d91a51f41802969c1123be0cae671156

              SHA1

              aecbea62ae1f25cfd8c9c41fc4d481bc063ef7ff

              SHA256

              5bdf990bb6bd99afe5df57c93f128ba2a9160cb186b549eaaf7de18fad900930

              SHA512

              64e28893b5f648a2829756ab6bdedb4349e70f08992ed6f4623134910b2192e58906be7b13491d2d0f6774b43d8a1b5ed924257a78793c16de720325d2c58973

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\795642021\backup.exe
              Filesize

              72KB

              MD5

              7c91c8f2d94a9c8887b41b48915a7038

              SHA1

              66b249318e08c97b2ea0098a76fc8694baf11530

              SHA256

              f809a042da2a0e1bf55e519d6545bebdb82bde48a933c6cf1f90fd0f16f5e3ea

              SHA512

              c0bdcb9d99e1741ece9bd53e685c6bb79d118ca43a6c25a3490d43a6a54f95bd9e9cfa53d96349456a215e49cd23dbbbe6878aed9cb852e2b40435f0b794e93b

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\795642021\backup.exe
              Filesize

              72KB

              MD5

              7c91c8f2d94a9c8887b41b48915a7038

              SHA1

              66b249318e08c97b2ea0098a76fc8694baf11530

              SHA256

              f809a042da2a0e1bf55e519d6545bebdb82bde48a933c6cf1f90fd0f16f5e3ea

              SHA512

              c0bdcb9d99e1741ece9bd53e685c6bb79d118ca43a6c25a3490d43a6a54f95bd9e9cfa53d96349456a215e49cd23dbbbe6878aed9cb852e2b40435f0b794e93b

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
              Filesize

              72KB

              MD5

              18c3ae60fffb30f3cb7c1149af422ad3

              SHA1

              568a065eff72d63f7352b1cfb9a6e9f01c88d3f9

              SHA256

              0f82b1cb6b1fbbf772ef3ebf03102377804f0d650fefaf1bf462e8e0ed1db726

              SHA512

              dc71482c3d9efe38efb9824efd98f8921851436e5cffea0dd7f38620b724fa09cff718a8bd534ddf57d05cf22e3d2b5d2340d4a96a53940668577eda160f5ad9

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
              Filesize

              72KB

              MD5

              18c3ae60fffb30f3cb7c1149af422ad3

              SHA1

              568a065eff72d63f7352b1cfb9a6e9f01c88d3f9

              SHA256

              0f82b1cb6b1fbbf772ef3ebf03102377804f0d650fefaf1bf462e8e0ed1db726

              SHA512

              dc71482c3d9efe38efb9824efd98f8921851436e5cffea0dd7f38620b724fa09cff718a8bd534ddf57d05cf22e3d2b5d2340d4a96a53940668577eda160f5ad9

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
              Filesize

              72KB

              MD5

              315d9aa585178be9c4e09c331497aede

              SHA1

              97d40a3bf6324a68ea374dd38443142a35f5a971

              SHA256

              95ee785da1c0407c3dfc048a406dd62ccd85a04d478e4d3e45eef4e9a0aaad3b

              SHA512

              1a7cdf1fa77d642a684d20ff4fb8dd5bd072178cb27963157bdf608201169c8c142d7898b9debf92f96b3f7902d5290ad01da727f3da6a2b036078c62118ef2a

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
              Filesize

              72KB

              MD5

              7ff5cec4dcb5da755b2df399106145e4

              SHA1

              5ea31e630e37d64d864719d932fa89153d581c3f

              SHA256

              9e4f93a20dd338d942a62e615f835d6ff4cabd3472400ef74558cc180356f913

              SHA512

              6296e9f40235c186296ddeb8e8d94e578cbf6be10cb09b5fbede6c37501beb46768908b22c03b255bc3cb7a1ccfaa8c1695b6377871e444668338f30cbf875e4

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
              Filesize

              72KB

              MD5

              18c3ae60fffb30f3cb7c1149af422ad3

              SHA1

              568a065eff72d63f7352b1cfb9a6e9f01c88d3f9

              SHA256

              0f82b1cb6b1fbbf772ef3ebf03102377804f0d650fefaf1bf462e8e0ed1db726

              SHA512

              dc71482c3d9efe38efb9824efd98f8921851436e5cffea0dd7f38620b724fa09cff718a8bd534ddf57d05cf22e3d2b5d2340d4a96a53940668577eda160f5ad9

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\update.exe
              Filesize

              72KB

              MD5

              315d9aa585178be9c4e09c331497aede

              SHA1

              97d40a3bf6324a68ea374dd38443142a35f5a971

              SHA256

              95ee785da1c0407c3dfc048a406dd62ccd85a04d478e4d3e45eef4e9a0aaad3b

              SHA512

              1a7cdf1fa77d642a684d20ff4fb8dd5bd072178cb27963157bdf608201169c8c142d7898b9debf92f96b3f7902d5290ad01da727f3da6a2b036078c62118ef2a

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\update.exe
              Filesize

              72KB

              MD5

              315d9aa585178be9c4e09c331497aede

              SHA1

              97d40a3bf6324a68ea374dd38443142a35f5a971

              SHA256

              95ee785da1c0407c3dfc048a406dd62ccd85a04d478e4d3e45eef4e9a0aaad3b

              SHA512

              1a7cdf1fa77d642a684d20ff4fb8dd5bd072178cb27963157bdf608201169c8c142d7898b9debf92f96b3f7902d5290ad01da727f3da6a2b036078c62118ef2a

              Download Submit

            • C:\backup.exe
              Filesize

              72KB

              MD5

              84c17d2c915b6458d705afb1ec1d84ec

              SHA1

              ac3f8b43b0799370baa59cfaf47b823b4954f374

              SHA256

              d2b9836c9bcd98e821a987b7a8931736de2ffe682ccce277237e392e717c59ff

              SHA512

              19efe1cba54628a97975b4aace8ba9dfc85df49dcdb69a42192c627d585d58ee599b395b5d17951843ac339d7616810f87cd5e0766578efd1b8939cf796af4de

              Download Submit

            • C:\backup.exe
              Filesize

              72KB

              MD5

              84c17d2c915b6458d705afb1ec1d84ec

              SHA1

              ac3f8b43b0799370baa59cfaf47b823b4954f374

              SHA256

              d2b9836c9bcd98e821a987b7a8931736de2ffe682ccce277237e392e717c59ff

              SHA512

              19efe1cba54628a97975b4aace8ba9dfc85df49dcdb69a42192c627d585d58ee599b395b5d17951843ac339d7616810f87cd5e0766578efd1b8939cf796af4de

              Download Submit

            • \PerfLogs\Admin\backup.exe
              Filesize

              72KB

              MD5

              e46158e215c9c332a72f9c8bcdbfc6be

              SHA1

              ba0ea6ee10c853a23056103a7a179e77c2dea46a

              SHA256

              ce2fa6bebc511004cf7800a197b102534c23623c717447dd465f15287d2c94aa

              SHA512

              d927651d9917c62959f1c4eaf3b7a45940ee31630fe8b3c3f04cd8e9dc50cc75e529da060ee66ddd9cf344869528c8a3e77ddd81e215bc6a5c7b236ed90f2c82

              Download Submit

            • \PerfLogs\Admin\backup.exe
              Filesize

              72KB

              MD5

              e46158e215c9c332a72f9c8bcdbfc6be

              SHA1

              ba0ea6ee10c853a23056103a7a179e77c2dea46a

              SHA256

              ce2fa6bebc511004cf7800a197b102534c23623c717447dd465f15287d2c94aa

              SHA512

              d927651d9917c62959f1c4eaf3b7a45940ee31630fe8b3c3f04cd8e9dc50cc75e529da060ee66ddd9cf344869528c8a3e77ddd81e215bc6a5c7b236ed90f2c82

              Download Submit

            • \PerfLogs\backup.exe
              Filesize

              72KB

              MD5

              d91a51f41802969c1123be0cae671156

              SHA1

              aecbea62ae1f25cfd8c9c41fc4d481bc063ef7ff

              SHA256

              5bdf990bb6bd99afe5df57c93f128ba2a9160cb186b549eaaf7de18fad900930

              SHA512

              64e28893b5f648a2829756ab6bdedb4349e70f08992ed6f4623134910b2192e58906be7b13491d2d0f6774b43d8a1b5ed924257a78793c16de720325d2c58973

              Download Submit

            • \PerfLogs\backup.exe
              Filesize

              72KB

              MD5

              d91a51f41802969c1123be0cae671156

              SHA1

              aecbea62ae1f25cfd8c9c41fc4d481bc063ef7ff

              SHA256

              5bdf990bb6bd99afe5df57c93f128ba2a9160cb186b549eaaf7de18fad900930

              SHA512

              64e28893b5f648a2829756ab6bdedb4349e70f08992ed6f4623134910b2192e58906be7b13491d2d0f6774b43d8a1b5ed924257a78793c16de720325d2c58973

              Download Submit

            • \Program Files\7-Zip\Lang\backup.exe
              Filesize

              72KB

              MD5

              0d37a5970755b8a7780709a3cb3e8062

              SHA1

              3c7300ad14063e8047a57e6958233c2f4e3d8c85

              SHA256

              d42e8d80aa9cae17cd59aad1bbdea241ba00a62364e6b0dceb080a0d2f6604d8

              SHA512

              966a98779873145392a99ab3d02c94e48f43094f87fc7d3b0b981bb3c3531fa6c900876aa659468394d0f7d3c3b5c14d01869c684e49a9801365735bb4dbf7ed

              Download Submit

            • \Program Files\7-Zip\Lang\backup.exe
              Filesize

              72KB

              MD5

              0d37a5970755b8a7780709a3cb3e8062

              SHA1

              3c7300ad14063e8047a57e6958233c2f4e3d8c85

              SHA256

              d42e8d80aa9cae17cd59aad1bbdea241ba00a62364e6b0dceb080a0d2f6604d8

              SHA512

              966a98779873145392a99ab3d02c94e48f43094f87fc7d3b0b981bb3c3531fa6c900876aa659468394d0f7d3c3b5c14d01869c684e49a9801365735bb4dbf7ed

              Download Submit

            • \Program Files\7-Zip\backup.exe
              Filesize

              72KB

              MD5

              e46158e215c9c332a72f9c8bcdbfc6be

              SHA1

              ba0ea6ee10c853a23056103a7a179e77c2dea46a

              SHA256

              ce2fa6bebc511004cf7800a197b102534c23623c717447dd465f15287d2c94aa

              SHA512

              d927651d9917c62959f1c4eaf3b7a45940ee31630fe8b3c3f04cd8e9dc50cc75e529da060ee66ddd9cf344869528c8a3e77ddd81e215bc6a5c7b236ed90f2c82

              Download Submit

            • \Program Files\7-Zip\backup.exe
              Filesize

              72KB

              MD5

              e46158e215c9c332a72f9c8bcdbfc6be

              SHA1

              ba0ea6ee10c853a23056103a7a179e77c2dea46a

              SHA256

              ce2fa6bebc511004cf7800a197b102534c23623c717447dd465f15287d2c94aa

              SHA512

              d927651d9917c62959f1c4eaf3b7a45940ee31630fe8b3c3f04cd8e9dc50cc75e529da060ee66ddd9cf344869528c8a3e77ddd81e215bc6a5c7b236ed90f2c82

              Download Submit

            • \Program Files\Common Files\Microsoft Shared\Filters\data.exe
              Filesize

              72KB

              MD5

              172313bb33ef16de6cabbfe45c21e91f

              SHA1

              774fdd117a9ade1e0db6ffca4f6f09ba1b58f210

              SHA256

              54ebd043af419db5003692f9ebea321eb48d09e01545c604eea9ce860ed39bd3

              SHA512

              e192367578dd6e6d21bd068da8222218d38dc21765abddbf19eb3e6f17fdd0387893ae0f8fff7ef62d0a4beeed20e78df28487775dadfbc68bd321f7a5282ac8

              Download Submit

            • \Program Files\Common Files\Microsoft Shared\Filters\data.exe
              Filesize

              72KB

              MD5

              172313bb33ef16de6cabbfe45c21e91f

              SHA1

              774fdd117a9ade1e0db6ffca4f6f09ba1b58f210

              SHA256

              54ebd043af419db5003692f9ebea321eb48d09e01545c604eea9ce860ed39bd3

              SHA512

              e192367578dd6e6d21bd068da8222218d38dc21765abddbf19eb3e6f17fdd0387893ae0f8fff7ef62d0a4beeed20e78df28487775dadfbc68bd321f7a5282ac8

              Download Submit

            • \Program Files\Common Files\Microsoft Shared\backup.exe
              Filesize

              72KB

              MD5

              e8084e395c9f572e9fecaed23ff6383e

              SHA1

              3a5a382b3393755a3c771edd66d0317dfca54dbf

              SHA256

              be2ceb02a0ae3e2b35a1c878e9528c40f5c14d8ed2eb0f8476196b320cec36fe

              SHA512

              e1bf5d4b8c82379ed04aeb5be62a71023c342dbc03f844d51b543a8e9c0e7f3f0c0ea8dda71132d69d05a0c532bef065f55ed274073c74f253450af8da16470a

              Download Submit

            • \Program Files\Common Files\Microsoft Shared\backup.exe
              Filesize

              72KB

              MD5

              e8084e395c9f572e9fecaed23ff6383e

              SHA1

              3a5a382b3393755a3c771edd66d0317dfca54dbf

              SHA256

              be2ceb02a0ae3e2b35a1c878e9528c40f5c14d8ed2eb0f8476196b320cec36fe

              SHA512

              e1bf5d4b8c82379ed04aeb5be62a71023c342dbc03f844d51b543a8e9c0e7f3f0c0ea8dda71132d69d05a0c532bef065f55ed274073c74f253450af8da16470a

              Download Submit

            • \Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe
              Filesize

              72KB

              MD5

              b9da8ced5cadd6bcaff4eaaabe4b3c3b

              SHA1

              98dacbc08ac36c8b8ce8cdb7b2b1ae5274cb353f

              SHA256

              3712a6f1c74f53d80f45e753238c51128fdc05e829410cec2f758d695aefbe73

              SHA512

              a20037a6a9db347ef55d189f6eea2fcc283b423cf8261578f3fc0ac3410211214a19bd2cb710bbaf293a5df63b757199de19ac3c9b4ac04af5985c78b7704100

              Download Submit

            • \Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe
              Filesize

              72KB

              MD5

              b9da8ced5cadd6bcaff4eaaabe4b3c3b

              SHA1

              98dacbc08ac36c8b8ce8cdb7b2b1ae5274cb353f

              SHA256

              3712a6f1c74f53d80f45e753238c51128fdc05e829410cec2f758d695aefbe73

              SHA512

              a20037a6a9db347ef55d189f6eea2fcc283b423cf8261578f3fc0ac3410211214a19bd2cb710bbaf293a5df63b757199de19ac3c9b4ac04af5985c78b7704100

              Download Submit

            • \Program Files\Common Files\Microsoft Shared\ink\backup.exe
              Filesize

              72KB

              MD5

              172313bb33ef16de6cabbfe45c21e91f

              SHA1

              774fdd117a9ade1e0db6ffca4f6f09ba1b58f210

              SHA256

              54ebd043af419db5003692f9ebea321eb48d09e01545c604eea9ce860ed39bd3

              SHA512

              e192367578dd6e6d21bd068da8222218d38dc21765abddbf19eb3e6f17fdd0387893ae0f8fff7ef62d0a4beeed20e78df28487775dadfbc68bd321f7a5282ac8

              Download Submit

            • \Program Files\Common Files\Microsoft Shared\ink\backup.exe
              Filesize

              72KB

              MD5

              172313bb33ef16de6cabbfe45c21e91f

              SHA1

              774fdd117a9ade1e0db6ffca4f6f09ba1b58f210

              SHA256

              54ebd043af419db5003692f9ebea321eb48d09e01545c604eea9ce860ed39bd3

              SHA512

              e192367578dd6e6d21bd068da8222218d38dc21765abddbf19eb3e6f17fdd0387893ae0f8fff7ef62d0a4beeed20e78df28487775dadfbc68bd321f7a5282ac8

              Download Submit

            • \Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
              Filesize

              72KB

              MD5

              b9da8ced5cadd6bcaff4eaaabe4b3c3b

              SHA1

              98dacbc08ac36c8b8ce8cdb7b2b1ae5274cb353f

              SHA256

              3712a6f1c74f53d80f45e753238c51128fdc05e829410cec2f758d695aefbe73

              SHA512

              a20037a6a9db347ef55d189f6eea2fcc283b423cf8261578f3fc0ac3410211214a19bd2cb710bbaf293a5df63b757199de19ac3c9b4ac04af5985c78b7704100

              Download Submit

            • \Program Files\Common Files\backup.exe
              Filesize

              72KB

              MD5

              7998c73c1bbc72144b7a20cabadd42e1

              SHA1

              ff15930726016fe09faadc310f838d167b93cfc6

              SHA256

              3c5860d9799cf89135f1605e5629dafed0b0c09cdc02d344f85410b59100762c

              SHA512

              ce5964e0325c06de6f33bc4462d5663be195f9ce4f90ae767e159f0a650d09f0beec022a6eb909fb586dc32bfe1faad8299ab8c9a0b10ee48846f4233d22fb46

              Download Submit

            • \Program Files\Common Files\backup.exe
              Filesize

              72KB

              MD5

              7998c73c1bbc72144b7a20cabadd42e1

              SHA1

              ff15930726016fe09faadc310f838d167b93cfc6

              SHA256

              3c5860d9799cf89135f1605e5629dafed0b0c09cdc02d344f85410b59100762c

              SHA512

              ce5964e0325c06de6f33bc4462d5663be195f9ce4f90ae767e159f0a650d09f0beec022a6eb909fb586dc32bfe1faad8299ab8c9a0b10ee48846f4233d22fb46

              Download Submit

            • \Program Files\backup.exe
              Filesize

              72KB

              MD5

              d91a51f41802969c1123be0cae671156

              SHA1

              aecbea62ae1f25cfd8c9c41fc4d481bc063ef7ff

              SHA256

              5bdf990bb6bd99afe5df57c93f128ba2a9160cb186b549eaaf7de18fad900930

              SHA512

              64e28893b5f648a2829756ab6bdedb4349e70f08992ed6f4623134910b2192e58906be7b13491d2d0f6774b43d8a1b5ed924257a78793c16de720325d2c58973

              Download Submit

            • \Program Files\backup.exe
              Filesize

              72KB

              MD5

              d91a51f41802969c1123be0cae671156

              SHA1

              aecbea62ae1f25cfd8c9c41fc4d481bc063ef7ff

              SHA256

              5bdf990bb6bd99afe5df57c93f128ba2a9160cb186b549eaaf7de18fad900930

              SHA512

              64e28893b5f648a2829756ab6bdedb4349e70f08992ed6f4623134910b2192e58906be7b13491d2d0f6774b43d8a1b5ed924257a78793c16de720325d2c58973

              Download Submit

            • \Users\Admin\AppData\Local\Temp\795642021\backup.exe
              Filesize

              72KB

              MD5

              7c91c8f2d94a9c8887b41b48915a7038

              SHA1

              66b249318e08c97b2ea0098a76fc8694baf11530

              SHA256

              f809a042da2a0e1bf55e519d6545bebdb82bde48a933c6cf1f90fd0f16f5e3ea

              SHA512

              c0bdcb9d99e1741ece9bd53e685c6bb79d118ca43a6c25a3490d43a6a54f95bd9e9cfa53d96349456a215e49cd23dbbbe6878aed9cb852e2b40435f0b794e93b

              Download Submit

            • \Users\Admin\AppData\Local\Temp\795642021\backup.exe
              Filesize

              72KB

              MD5

              7c91c8f2d94a9c8887b41b48915a7038

              SHA1

              66b249318e08c97b2ea0098a76fc8694baf11530

              SHA256

              f809a042da2a0e1bf55e519d6545bebdb82bde48a933c6cf1f90fd0f16f5e3ea

              SHA512

              c0bdcb9d99e1741ece9bd53e685c6bb79d118ca43a6c25a3490d43a6a54f95bd9e9cfa53d96349456a215e49cd23dbbbe6878aed9cb852e2b40435f0b794e93b

              Download Submit

            • \Users\Admin\AppData\Local\Temp\Low\backup.exe
              Filesize

              72KB

              MD5

              18c3ae60fffb30f3cb7c1149af422ad3

              SHA1

              568a065eff72d63f7352b1cfb9a6e9f01c88d3f9

              SHA256

              0f82b1cb6b1fbbf772ef3ebf03102377804f0d650fefaf1bf462e8e0ed1db726

              SHA512

              dc71482c3d9efe38efb9824efd98f8921851436e5cffea0dd7f38620b724fa09cff718a8bd534ddf57d05cf22e3d2b5d2340d4a96a53940668577eda160f5ad9

              Download Submit

            • \Users\Admin\AppData\Local\Temp\Low\backup.exe
              Filesize

              72KB

              MD5

              18c3ae60fffb30f3cb7c1149af422ad3

              SHA1

              568a065eff72d63f7352b1cfb9a6e9f01c88d3f9

              SHA256

              0f82b1cb6b1fbbf772ef3ebf03102377804f0d650fefaf1bf462e8e0ed1db726

              SHA512

              dc71482c3d9efe38efb9824efd98f8921851436e5cffea0dd7f38620b724fa09cff718a8bd534ddf57d05cf22e3d2b5d2340d4a96a53940668577eda160f5ad9

              Download Submit

            • \Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
              Filesize

              72KB

              MD5

              18c3ae60fffb30f3cb7c1149af422ad3

              SHA1

              568a065eff72d63f7352b1cfb9a6e9f01c88d3f9

              SHA256

              0f82b1cb6b1fbbf772ef3ebf03102377804f0d650fefaf1bf462e8e0ed1db726

              SHA512

              dc71482c3d9efe38efb9824efd98f8921851436e5cffea0dd7f38620b724fa09cff718a8bd534ddf57d05cf22e3d2b5d2340d4a96a53940668577eda160f5ad9

              Download Submit

            • \Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
              Filesize

              72KB

              MD5

              18c3ae60fffb30f3cb7c1149af422ad3

              SHA1

              568a065eff72d63f7352b1cfb9a6e9f01c88d3f9

              SHA256

              0f82b1cb6b1fbbf772ef3ebf03102377804f0d650fefaf1bf462e8e0ed1db726

              SHA512

              dc71482c3d9efe38efb9824efd98f8921851436e5cffea0dd7f38620b724fa09cff718a8bd534ddf57d05cf22e3d2b5d2340d4a96a53940668577eda160f5ad9

              Download Submit

            • \Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
              Filesize

              72KB

              MD5

              315d9aa585178be9c4e09c331497aede

              SHA1

              97d40a3bf6324a68ea374dd38443142a35f5a971

              SHA256

              95ee785da1c0407c3dfc048a406dd62ccd85a04d478e4d3e45eef4e9a0aaad3b

              SHA512

              1a7cdf1fa77d642a684d20ff4fb8dd5bd072178cb27963157bdf608201169c8c142d7898b9debf92f96b3f7902d5290ad01da727f3da6a2b036078c62118ef2a

              Download Submit

            • \Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
              Filesize

              72KB

              MD5

              315d9aa585178be9c4e09c331497aede

              SHA1

              97d40a3bf6324a68ea374dd38443142a35f5a971

              SHA256

              95ee785da1c0407c3dfc048a406dd62ccd85a04d478e4d3e45eef4e9a0aaad3b

              SHA512

              1a7cdf1fa77d642a684d20ff4fb8dd5bd072178cb27963157bdf608201169c8c142d7898b9debf92f96b3f7902d5290ad01da727f3da6a2b036078c62118ef2a

              Download Submit

            • \Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
              Filesize

              72KB

              MD5

              7ff5cec4dcb5da755b2df399106145e4

              SHA1

              5ea31e630e37d64d864719d932fa89153d581c3f

              SHA256

              9e4f93a20dd338d942a62e615f835d6ff4cabd3472400ef74558cc180356f913

              SHA512

              6296e9f40235c186296ddeb8e8d94e578cbf6be10cb09b5fbede6c37501beb46768908b22c03b255bc3cb7a1ccfaa8c1695b6377871e444668338f30cbf875e4

              Download Submit

            • \Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
              Filesize

              72KB

              MD5

              7ff5cec4dcb5da755b2df399106145e4

              SHA1

              5ea31e630e37d64d864719d932fa89153d581c3f

              SHA256

              9e4f93a20dd338d942a62e615f835d6ff4cabd3472400ef74558cc180356f913

              SHA512

              6296e9f40235c186296ddeb8e8d94e578cbf6be10cb09b5fbede6c37501beb46768908b22c03b255bc3cb7a1ccfaa8c1695b6377871e444668338f30cbf875e4

              Download Submit

            • \Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
              Filesize

              72KB

              MD5

              18c3ae60fffb30f3cb7c1149af422ad3

              SHA1

              568a065eff72d63f7352b1cfb9a6e9f01c88d3f9

              SHA256

              0f82b1cb6b1fbbf772ef3ebf03102377804f0d650fefaf1bf462e8e0ed1db726

              SHA512

              dc71482c3d9efe38efb9824efd98f8921851436e5cffea0dd7f38620b724fa09cff718a8bd534ddf57d05cf22e3d2b5d2340d4a96a53940668577eda160f5ad9

              Download Submit

            • \Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
              Filesize

              72KB

              MD5

              18c3ae60fffb30f3cb7c1149af422ad3

              SHA1

              568a065eff72d63f7352b1cfb9a6e9f01c88d3f9

              SHA256

              0f82b1cb6b1fbbf772ef3ebf03102377804f0d650fefaf1bf462e8e0ed1db726

              SHA512

              dc71482c3d9efe38efb9824efd98f8921851436e5cffea0dd7f38620b724fa09cff718a8bd534ddf57d05cf22e3d2b5d2340d4a96a53940668577eda160f5ad9

              Download Submit

            • \Users\Admin\AppData\Local\Temp\mozilla-temp-files\update.exe
              Filesize

              72KB

              MD5

              315d9aa585178be9c4e09c331497aede

              SHA1

              97d40a3bf6324a68ea374dd38443142a35f5a971

              SHA256

              95ee785da1c0407c3dfc048a406dd62ccd85a04d478e4d3e45eef4e9a0aaad3b

              SHA512

              1a7cdf1fa77d642a684d20ff4fb8dd5bd072178cb27963157bdf608201169c8c142d7898b9debf92f96b3f7902d5290ad01da727f3da6a2b036078c62118ef2a

              Download Submit

            • \Users\Admin\AppData\Local\Temp\mozilla-temp-files\update.exe
              Filesize

              72KB

              MD5

              315d9aa585178be9c4e09c331497aede

              SHA1

              97d40a3bf6324a68ea374dd38443142a35f5a971

              SHA256

              95ee785da1c0407c3dfc048a406dd62ccd85a04d478e4d3e45eef4e9a0aaad3b

              SHA512

              1a7cdf1fa77d642a684d20ff4fb8dd5bd072178cb27963157bdf608201169c8c142d7898b9debf92f96b3f7902d5290ad01da727f3da6a2b036078c62118ef2a

              Download Submit

            • \Users\Admin\AppData\Local\Temp\mozilla-temp-files\update.exe
              Filesize

              72KB

              MD5

              315d9aa585178be9c4e09c331497aede

              SHA1

              97d40a3bf6324a68ea374dd38443142a35f5a971

              SHA256

              95ee785da1c0407c3dfc048a406dd62ccd85a04d478e4d3e45eef4e9a0aaad3b

              SHA512

              1a7cdf1fa77d642a684d20ff4fb8dd5bd072178cb27963157bdf608201169c8c142d7898b9debf92f96b3f7902d5290ad01da727f3da6a2b036078c62118ef2a

              Download Submit

            • \Users\Admin\AppData\Local\Temp\mozilla-temp-files\update.exe
              Filesize

              72KB

              MD5

              315d9aa585178be9c4e09c331497aede

              SHA1

              97d40a3bf6324a68ea374dd38443142a35f5a971

              SHA256

              95ee785da1c0407c3dfc048a406dd62ccd85a04d478e4d3e45eef4e9a0aaad3b

              SHA512

              1a7cdf1fa77d642a684d20ff4fb8dd5bd072178cb27963157bdf608201169c8c142d7898b9debf92f96b3f7902d5290ad01da727f3da6a2b036078c62118ef2a

              Download Submit

            • memory/580-149-0x0000000074171000-0x0000000074173000-memory.dmp

              Filesize

              8KB

              Download

            • memory/1648-91-0x00000000759F1000-0x00000000759F3000-memory.dmp

              Filesize

              8KB

              Download