fed5f43d54a794688cc827e0a4139b5bfa95ae0c657e017ed72dc1af0c52f98b

Analysis

max time kernel
170s
max time network
41s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
14/10/2023, 03:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dfa7525469b461db1247c4abc8d4eff0_JC.exe
Size

40KB
MD5

dfa7525469b461db1247c4abc8d4eff0
SHA1

51425c11c148ff73861b1d3af96c108d6935d3ad
SHA256

fed5f43d54a794688cc827e0a4139b5bfa95ae0c657e017ed72dc1af0c52f98b
SHA512

56ac4bb7c7f0fb1ecd8fe75e2f92ac39012c0a2f8cdaca232d4614970bc2158da14dac5b45e857f01aebf63eecd7d82a4bd54dbf5dc62e3b87fd03623d8ce1ee
SSDEEP

384:kqnuO1JCHYdHz4XpfHEI6/dDEPjaVC6fMbUyFm0tyXLBI89wvuAv1mwnA3Z3BXRo:kqnum1F6/789ujYTyLylze70wi3BEmIP

Score

10^/10

evasion upx

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 48 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	dfa7525469b461db1247c4abc8d4eff0_JC.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Executes dropped EXE 60 IoCs

pid	Process
2524	update.exe
2352	backup.exe
2528	backup.exe
3036	backup.exe
1472	backup.exe
2968	System Restore.exe
668	backup.exe
1188	backup.exe
1924	System Restore.exe
1308	backup.exe
1228	backup.exe
1324	backup.exe
1484	backup.exe
1272	data.exe
1620	backup.exe
368	backup.exe
2100	backup.exe
1996	backup.exe
2868	backup.exe
2712	backup.exe
2624	backup.exe
1588	backup.exe
2756	backup.exe
1600	backup.exe
2484	backup.exe
1808	backup.exe
2276	backup.exe
2184	data.exe
1804	update.exe
596	backup.exe
1352	backup.exe
1868	backup.exe
2340	backup.exe
2272	backup.exe
1796	backup.exe
1140	backup.exe
2936	backup.exe
932	backup.exe
1648	backup.exe
992	backup.exe
1956	backup.exe
916	backup.exe
1212	backup.exe
2940	backup.exe
2008	backup.exe
2268	backup.exe
2428	backup.exe
2392	backup.exe
2448	backup.exe
2752	backup.exe
2692	backup.exe
2800	backup.exe
2688	backup.exe
2860	backup.exe
1228	backup.exe
800	backup.exe
2612	backup.exe
2136	backup.exe
980	backup.exe
1188	update.exe

Loads dropped DLL 64 IoCs

pid	Process
2784	dfa7525469b461db1247c4abc8d4eff0_JC.exe
2524	update.exe
2524	update.exe
2524	update.exe
2784	dfa7525469b461db1247c4abc8d4eff0_JC.exe
2784	dfa7525469b461db1247c4abc8d4eff0_JC.exe
2784	dfa7525469b461db1247c4abc8d4eff0_JC.exe
2784	dfa7525469b461db1247c4abc8d4eff0_JC.exe
2784	dfa7525469b461db1247c4abc8d4eff0_JC.exe
2784	dfa7525469b461db1247c4abc8d4eff0_JC.exe
1472	backup.exe
1472	backup.exe
2968	System Restore.exe
2968	System Restore.exe
2968	System Restore.exe
2784	dfa7525469b461db1247c4abc8d4eff0_JC.exe
2784	dfa7525469b461db1247c4abc8d4eff0_JC.exe
2968	System Restore.exe
2968	System Restore.exe
2784	dfa7525469b461db1247c4abc8d4eff0_JC.exe
2784	dfa7525469b461db1247c4abc8d4eff0_JC.exe
1188	backup.exe
1188	backup.exe
1188	backup.exe
1472	backup.exe
1472	backup.exe
2784	dfa7525469b461db1247c4abc8d4eff0_JC.exe
1308	backup.exe
1308	backup.exe
1308	backup.exe
2784	dfa7525469b461db1247c4abc8d4eff0_JC.exe
1308	backup.exe
1308	backup.exe
1324	backup.exe
1324	backup.exe
1324	backup.exe
1324	backup.exe
1324	backup.exe
1484	backup.exe
1484	backup.exe
1484	backup.exe
1308	backup.exe
1308	backup.exe
1272	data.exe
1272	data.exe
1272	data.exe
1272	data.exe
1272	data.exe
1620	backup.exe
1620	backup.exe
1620	backup.exe
1620	backup.exe
1620	backup.exe
368	backup.exe
368	backup.exe
368	backup.exe
1620	backup.exe
1620	backup.exe
2100	backup.exe
2100	backup.exe
2100	backup.exe
2100	backup.exe
2100	backup.exe
1996	backup.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2784-0-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral1/memory/2784-1-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral1/memory/2784-4-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral1/files/0x0029000000015daf-7.dat	upx
behavioral1/files/0x0029000000015daf-12.dat	upx
behavioral1/memory/2784-11-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral1/files/0x0029000000015daf-9.dat	upx
behavioral1/memory/2524-13-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral1/files/0x0029000000015daf-14.dat	upx
behavioral1/files/0x0029000000015daf-15.dat	upx
behavioral1/files/0x0029000000015daf-17.dat	upx
behavioral1/files/0x000700000001605b-21.dat	upx
behavioral1/files/0x000700000001605b-22.dat	upx
behavioral1/files/0x000700000001605b-24.dat	upx
behavioral1/files/0x000700000001605b-28.dat	upx
behavioral1/memory/2352-32-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral1/files/0x00070000000162e2-33.dat	upx
behavioral1/files/0x00070000000162e2-35.dat	upx
behavioral1/files/0x00070000000162e2-39.dat	upx
behavioral1/memory/2528-43-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral1/files/0x0008000000016279-45.dat	upx
behavioral1/files/0x0009000000016599-57.dat	upx
behavioral1/files/0x0009000000016599-58.dat	upx
behavioral1/memory/2524-56-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral1/memory/2784-60-0x0000000000280000-0x000000000029B000-memory.dmp	upx
behavioral1/memory/2524-63-0x0000000000290000-0x00000000002AB000-memory.dmp	upx
behavioral1/files/0x0008000000016279-55.dat	upx
behavioral1/files/0x0008000000016279-48.dat	upx
behavioral1/memory/3036-65-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral1/memory/1472-66-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral1/files/0x0006000000016c31-70.dat	upx
behavioral1/memory/2968-82-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral1/files/0x0006000000016c9e-90.dat	upx
behavioral1/memory/668-93-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral1/memory/3036-91-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral1/files/0x0006000000016c9e-86.dat	upx
behavioral1/files/0x0006000000016c9e-84.dat	upx
behavioral1/files/0x0006000000016c31-81.dat	upx
behavioral1/files/0x0006000000016c31-80.dat	upx
behavioral1/files/0x0006000000016c31-79.dat	upx
behavioral1/files/0x0006000000016c31-78.dat	upx
behavioral1/files/0x0006000000016c31-77.dat	upx
behavioral1/files/0x0006000000016c31-72.dat	upx
behavioral1/files/0x0006000000016cda-107.dat	upx
behavioral1/memory/1188-118-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral1/files/0x0006000000016ce3-120.dat	upx
behavioral1/memory/668-119-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral1/files/0x0006000000016cda-117.dat	upx
behavioral1/files/0x0006000000016cda-116.dat	upx
behavioral1/files/0x0006000000016cda-115.dat	upx
behavioral1/files/0x0006000000016cda-114.dat	upx
behavioral1/files/0x0006000000016ce3-110.dat	upx
behavioral1/files/0x0006000000016ce3-108.dat	upx
behavioral1/files/0x0006000000016cda-103.dat	upx
behavioral1/files/0x0006000000016cda-99.dat	upx
behavioral1/memory/2968-127-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral1/memory/1188-128-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral1/memory/1924-149-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral1/files/0x0008000000016c26-150.dat	upx
behavioral1/files/0x0008000000016c26-145.dat	upx
behavioral1/files/0x0006000000016cf1-143.dat	upx
behavioral1/files/0x0006000000016cf1-142.dat	upx
behavioral1/files/0x0006000000016cf1-141.dat	upx
behavioral1/files/0x0006000000016cf1-140.dat	upx

Drops file in Program Files directory 46 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\data.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\update.exe	data.exe
File opened for modification	C:\Program Files\Google\Chrome\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\System\ado\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Services\backup.exe	data.exe
File opened for modification	C:\Program Files\Internet Explorer\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\Lang\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe	backup.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\backup.exe	backup.exe
File opened for modification	C:\Windows\addins\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2784	dfa7525469b461db1247c4abc8d4eff0_JC.exe

Suspicious use of SetWindowsHookEx 56 IoCs

pid	Process
2784	dfa7525469b461db1247c4abc8d4eff0_JC.exe
2524	update.exe
2352	backup.exe
2528	backup.exe
1472	backup.exe
3036	backup.exe
2968	System Restore.exe
668	backup.exe
1188	backup.exe
1924	System Restore.exe
1228	backup.exe
1308	backup.exe
1324	backup.exe
1484	backup.exe
1272	data.exe
1620	backup.exe
368	backup.exe
2100	backup.exe
1996	backup.exe
2868	backup.exe
2712	backup.exe
1588	backup.exe
2484	backup.exe
2756	backup.exe
1600	backup.exe
2624	backup.exe
2184	data.exe
1804	update.exe
2276	backup.exe
1808	backup.exe
596	backup.exe
1352	backup.exe
1868	backup.exe
992	backup.exe
2340	backup.exe
1956	backup.exe
916	backup.exe
1140	backup.exe
932	backup.exe
2936	backup.exe
1648	backup.exe
2272	backup.exe
1796	backup.exe
1212	backup.exe
2940	backup.exe
2752	backup.exe
2688	backup.exe
2008	backup.exe
2268	backup.exe
2800	backup.exe
2392	backup.exe
2692	backup.exe
2428	backup.exe
2448	backup.exe
2860	backup.exe
800	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2784 wrote to memory of 2524	2784	dfa7525469b461db1247c4abc8d4eff0_JC.exe	29
PID 2784 wrote to memory of 2524	2784	dfa7525469b461db1247c4abc8d4eff0_JC.exe	29
PID 2784 wrote to memory of 2524	2784	dfa7525469b461db1247c4abc8d4eff0_JC.exe	29
PID 2784 wrote to memory of 2524	2784	dfa7525469b461db1247c4abc8d4eff0_JC.exe	29
PID 2784 wrote to memory of 2524	2784	dfa7525469b461db1247c4abc8d4eff0_JC.exe	29
PID 2784 wrote to memory of 2524	2784	dfa7525469b461db1247c4abc8d4eff0_JC.exe	29
PID 2784 wrote to memory of 2524	2784	dfa7525469b461db1247c4abc8d4eff0_JC.exe	29
PID 2784 wrote to memory of 2352	2784	dfa7525469b461db1247c4abc8d4eff0_JC.exe	30
PID 2784 wrote to memory of 2352	2784	dfa7525469b461db1247c4abc8d4eff0_JC.exe	30
PID 2784 wrote to memory of 2352	2784	dfa7525469b461db1247c4abc8d4eff0_JC.exe	30
PID 2784 wrote to memory of 2352	2784	dfa7525469b461db1247c4abc8d4eff0_JC.exe	30
PID 2784 wrote to memory of 2528	2784	dfa7525469b461db1247c4abc8d4eff0_JC.exe	31
PID 2784 wrote to memory of 2528	2784	dfa7525469b461db1247c4abc8d4eff0_JC.exe	31
PID 2784 wrote to memory of 2528	2784	dfa7525469b461db1247c4abc8d4eff0_JC.exe	31
PID 2784 wrote to memory of 2528	2784	dfa7525469b461db1247c4abc8d4eff0_JC.exe	31
PID 2784 wrote to memory of 3036	2784	dfa7525469b461db1247c4abc8d4eff0_JC.exe	32
PID 2784 wrote to memory of 3036	2784	dfa7525469b461db1247c4abc8d4eff0_JC.exe	32
PID 2784 wrote to memory of 3036	2784	dfa7525469b461db1247c4abc8d4eff0_JC.exe	32
PID 2784 wrote to memory of 3036	2784	dfa7525469b461db1247c4abc8d4eff0_JC.exe	32
PID 2524 wrote to memory of 1472	2524	update.exe	33
PID 2524 wrote to memory of 1472	2524	update.exe	33
PID 2524 wrote to memory of 1472	2524	update.exe	33
PID 2524 wrote to memory of 1472	2524	update.exe	33
PID 2524 wrote to memory of 1472	2524	update.exe	33
PID 2524 wrote to memory of 1472	2524	update.exe	33
PID 2524 wrote to memory of 1472	2524	update.exe	33
PID 1472 wrote to memory of 2968	1472	backup.exe	34
PID 1472 wrote to memory of 2968	1472	backup.exe	34
PID 1472 wrote to memory of 2968	1472	backup.exe	34
PID 1472 wrote to memory of 2968	1472	backup.exe	34
PID 1472 wrote to memory of 2968	1472	backup.exe	34
PID 1472 wrote to memory of 2968	1472	backup.exe	34
PID 1472 wrote to memory of 2968	1472	backup.exe	34
PID 2784 wrote to memory of 668	2784	dfa7525469b461db1247c4abc8d4eff0_JC.exe	35
PID 2784 wrote to memory of 668	2784	dfa7525469b461db1247c4abc8d4eff0_JC.exe	35
PID 2784 wrote to memory of 668	2784	dfa7525469b461db1247c4abc8d4eff0_JC.exe	35
PID 2784 wrote to memory of 668	2784	dfa7525469b461db1247c4abc8d4eff0_JC.exe	35
PID 2968 wrote to memory of 1188	2968	System Restore.exe	36
PID 2968 wrote to memory of 1188	2968	System Restore.exe	36
PID 2968 wrote to memory of 1188	2968	System Restore.exe	36
PID 2968 wrote to memory of 1188	2968	System Restore.exe	36
PID 2968 wrote to memory of 1188	2968	System Restore.exe	36
PID 2968 wrote to memory of 1188	2968	System Restore.exe	36
PID 2968 wrote to memory of 1188	2968	System Restore.exe	36
PID 2784 wrote to memory of 1924	2784	dfa7525469b461db1247c4abc8d4eff0_JC.exe	37
PID 2784 wrote to memory of 1924	2784	dfa7525469b461db1247c4abc8d4eff0_JC.exe	37
PID 2784 wrote to memory of 1924	2784	dfa7525469b461db1247c4abc8d4eff0_JC.exe	37
PID 2784 wrote to memory of 1924	2784	dfa7525469b461db1247c4abc8d4eff0_JC.exe	37
PID 1472 wrote to memory of 1308	1472	backup.exe	38
PID 1472 wrote to memory of 1308	1472	backup.exe	38
PID 1472 wrote to memory of 1308	1472	backup.exe	38
PID 1472 wrote to memory of 1308	1472	backup.exe	38
PID 1472 wrote to memory of 1308	1472	backup.exe	38
PID 1472 wrote to memory of 1308	1472	backup.exe	38
PID 1472 wrote to memory of 1308	1472	backup.exe	38
PID 2784 wrote to memory of 1228	2784	dfa7525469b461db1247c4abc8d4eff0_JC.exe	39
PID 2784 wrote to memory of 1228	2784	dfa7525469b461db1247c4abc8d4eff0_JC.exe	39
PID 2784 wrote to memory of 1228	2784	dfa7525469b461db1247c4abc8d4eff0_JC.exe	39
PID 2784 wrote to memory of 1228	2784	dfa7525469b461db1247c4abc8d4eff0_JC.exe	39
PID 1308 wrote to memory of 1324	1308	backup.exe	40
PID 1308 wrote to memory of 1324	1308	backup.exe	40
PID 1308 wrote to memory of 1324	1308	backup.exe	40
PID 1308 wrote to memory of 1324	1308	backup.exe	40
PID 1308 wrote to memory of 1324	1308	backup.exe	40

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	dfa7525469b461db1247c4abc8d4eff0_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	dfa7525469b461db1247c4abc8d4eff0_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe

C:\Users\Admin\AppData\Local\Temp\dfa7525469b461db1247c4abc8d4eff0_JC.exe
"C:\Users\Admin\AppData\Local\Temp\dfa7525469b461db1247c4abc8d4eff0_JC.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2784
- C:\Users\Admin\AppData\Local\Temp\2350043107\update.exe
  C:\Users\Admin\AppData\Local\Temp\2350043107\update.exe C:\Users\Admin\AppData\Local\Temp\2350043107\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2524
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:1472
  - - C:\PerfLogs\System Restore.exe
      "C:\PerfLogs\System Restore.exe" C:\PerfLogs\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2968
    - - C:\PerfLogs\Admin\backup.exe
        
        C:\PerfLogs\Admin\backup.exe C:\PerfLogs\Admin\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1188
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1308
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1324
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1484
    - - C:\Program Files\Common Files\data.exe
        
        "C:\Program Files\Common Files\data.exe" C:\Program Files\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1272
      - C:\Program Files\Common Files\Microsoft Shared\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\backup.exe" C:\Program Files\Common Files\Microsoft Shared\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1620
        
        C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:368
        
        C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:2100
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1996
        
        C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2868
        
        C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2712
        
        C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1600
        
        C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2276
        
        C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2340
        
        C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
        8⤵
        Executes dropped EXE
        
        PID:2136
        
        C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
        8⤵
        
        PID:2784
        
        C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
        8⤵
        
        PID:1200
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\
        8⤵
        
        PID:1280
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2484
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:916
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2688
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\
        8⤵
        
        PID:2852
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\
        8⤵
        
        PID:2764
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\
        8⤵
        
        PID:2840
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\
        8⤵
        
        PID:2900
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\data.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2184
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1868
        
        C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1648
        
        C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2692
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\
        7⤵
        
        PID:1712
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\
        7⤵
        
        PID:1436
        
        C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VC\
        7⤵
        
        PID:848
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2756
      - C:\Program Files\Common Files\SpeechEngines\update.exe
        
        "C:\Program Files\Common Files\SpeechEngines\update.exe" C:\Program Files\Common Files\SpeechEngines\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1804
        
        C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files\Common Files\SpeechEngines\Microsoft\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2940
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1796
        
        C:\Program Files\Common Files\System\ado\backup.exe
        
        "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2392
        
        C:\Program Files\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        
        PID:2916
        
        C:\Program Files\Common Files\System\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        
        PID:1124
        
        C:\Program Files\Common Files\System\es-ES\System Restore.exe
        
        "C:\Program Files\Common Files\System\es-ES\System Restore.exe" C:\Program Files\Common Files\System\es-ES\
        7⤵
        
        PID:2788
        
        C:\Program Files\Common Files\System\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\fr-FR\backup.exe" C:\Program Files\Common Files\System\fr-FR\
        7⤵
        
        PID:812
    - - C:\Program Files\DVD Maker\backup.exe
        
        "C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1588
      - C:\Program Files\DVD Maker\de-DE\backup.exe
        
        "C:\Program Files\DVD Maker\de-DE\backup.exe" C:\Program Files\DVD Maker\de-DE\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1212
      - C:\Program Files\DVD Maker\en-US\backup.exe
        
        "C:\Program Files\DVD Maker\en-US\backup.exe" C:\Program Files\DVD Maker\en-US\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2800
      - C:\Program Files\DVD Maker\es-ES\backup.exe
        
        "C:\Program Files\DVD Maker\es-ES\backup.exe" C:\Program Files\DVD Maker\es-ES\
        6⤵
        
        PID:1960
      - C:\Program Files\DVD Maker\fr-FR\backup.exe
        
        "C:\Program Files\DVD Maker\fr-FR\backup.exe" C:\Program Files\DVD Maker\fr-FR\
        6⤵
        
        PID:2528
      - C:\Program Files\DVD Maker\it-IT\backup.exe
        
        "C:\Program Files\DVD Maker\it-IT\backup.exe" C:\Program Files\DVD Maker\it-IT\
        6⤵
        
        PID:1232
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1808
      - C:\Program Files\Google\Chrome\backup.exe
        
        "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:992
        
        C:\Program Files\Google\Chrome\Application\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\backup.exe" C:\Program Files\Google\Chrome\Application\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2268
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\
        8⤵
        Executes dropped EXE
        
        PID:2612
        
        C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe" C:\Program Files\Google\Chrome\Application\SetupMetrics\
        8⤵
        
        PID:3044
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2272
      - C:\Program Files\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files\Internet Explorer\de-DE\backup.exe" C:\Program Files\Internet Explorer\de-DE\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2752
      - C:\Program Files\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files\Internet Explorer\en-US\backup.exe" C:\Program Files\Internet Explorer\en-US\
        6⤵
        Executes dropped EXE
        
        PID:980
      - C:\Program Files\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files\Internet Explorer\es-ES\backup.exe" C:\Program Files\Internet Explorer\es-ES\
        6⤵
        
        PID:488
      - C:\Program Files\Internet Explorer\fr-FR\backup.exe
        
        "C:\Program Files\Internet Explorer\fr-FR\backup.exe" C:\Program Files\Internet Explorer\fr-FR\
        6⤵
        
        PID:1296
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:800
    - - C:\Program Files\Microsoft Games\backup.exe
        
        "C:\Program Files\Microsoft Games\backup.exe" C:\Program Files\Microsoft Games\
        5⤵
        
        PID:2112
    - - C:\Program Files\Microsoft Office\System Restore.exe
        
        "C:\Program Files\Microsoft Office\System Restore.exe" C:\Program Files\Microsoft Office\
        5⤵
        
        PID:2836
    - - C:\Program Files\Mozilla Firefox\backup.exe
        
        "C:\Program Files\Mozilla Firefox\backup.exe" C:\Program Files\Mozilla Firefox\
        5⤵
        
        PID:1816
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:2624
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1352
      - C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1956
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2860
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\
        7⤵
        
        PID:1540
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\
        7⤵
        
        PID:2064
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2936
      - C:\Program Files (x86)\Common Files\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2428
      - C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\
        6⤵
        
        PID:1788
      - C:\Program Files (x86)\Common Files\DESIGNER\backup.exe
        
        "C:\Program Files (x86)\Common Files\DESIGNER\backup.exe" C:\Program Files (x86)\Common Files\DESIGNER\
        6⤵
        
        PID:2016
      - C:\Program Files (x86)\Common Files\microsoft shared\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\
        6⤵
        
        PID:1924
    - - C:\Program Files (x86)\Google\update.exe
        
        "C:\Program Files (x86)\Google\update.exe" C:\Program Files (x86)\Google\
        5⤵
        Executes dropped EXE
        
        PID:1188
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        
        PID:2664
    - - C:\Program Files (x86)\Microsoft Analysis Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\
        5⤵
        
        PID:2828
    - - C:\Program Files (x86)\Microsoft Office\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\backup.exe" C:\Program Files (x86)\Microsoft Office\
        5⤵
        
        PID:2884
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:596
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:932
      - C:\Users\Admin\Contacts\backup.exe
        
        C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2008
      - C:\Users\Admin\Desktop\backup.exe
        
        C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
        6⤵
        Executes dropped EXE
        
        PID:1228
      - C:\Users\Admin\Documents\backup.exe
        
        C:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\
        6⤵
        
        PID:2920
      - C:\Users\Admin\Downloads\backup.exe
        
        C:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\
        6⤵
        
        PID:2816
      - C:\Users\Admin\Favorites\backup.exe
        
        C:\Users\Admin\Favorites\backup.exe C:\Users\Admin\Favorites\
        6⤵
        
        PID:1500
    - - C:\Users\Public\backup.exe
        
        C:\Users\Public\backup.exe C:\Users\Public\
        5⤵
        
        PID:564
      - C:\Users\Public\Documents\backup.exe
        
        C:\Users\Public\Documents\backup.exe C:\Users\Public\Documents\
        6⤵
        
        PID:280
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      PID:1140
    - - C:\Windows\addins\backup.exe
        
        C:\Windows\addins\backup.exe C:\Windows\addins\
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2448
    - - C:\Windows\AppCompat\update.exe
        
        C:\Windows\AppCompat\update.exe C:\Windows\AppCompat\
        5⤵
        
        PID:556
    - - C:\Windows\AppPatch\backup.exe
        
        C:\Windows\AppPatch\backup.exe C:\Windows\AppPatch\
        5⤵
        
        PID:1628
    - - C:\Windows\assembly\backup.exe
        
        C:\Windows\assembly\backup.exe C:\Windows\assembly\
        5⤵
        
        PID:2284
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2352
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2528
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:3036
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:668
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\System Restore.exe
  "C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\System Restore.exe" C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1924
- C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
  C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\backup.exe

Filesize
40KB

MD5
ac26bbf82a56789a69224a2c90ac9562

SHA1
0d747c6b6c70f7ba958acb6b7c00871184862243

SHA256
d4027250e3a65e648e1536b8b861d78d146ea8ceaef83d0f25ac61e7c49024c3

SHA512
11aac9c60a1de8679f9eee06a74885af860beb11921b47c2160cd59ee34475f772b69acdc76b63bc0a2e2073ee29d539ccee9d5b9c0636238e8f89eb1c7bae30

Download Submit
C:\PerfLogs\Admin\backup.exe

Filesize
40KB

MD5
ac26bbf82a56789a69224a2c90ac9562

SHA1
0d747c6b6c70f7ba958acb6b7c00871184862243

SHA256
d4027250e3a65e648e1536b8b861d78d146ea8ceaef83d0f25ac61e7c49024c3

SHA512
11aac9c60a1de8679f9eee06a74885af860beb11921b47c2160cd59ee34475f772b69acdc76b63bc0a2e2073ee29d539ccee9d5b9c0636238e8f89eb1c7bae30

Download Submit
C:\PerfLogs\System Restore.exe

Filesize
40KB

MD5
294845856d8cd4336593e20f4f9c913c

SHA1
bf473a7050e93b2e2f94c174225ff43d121a2039

SHA256
40dce6166de0a5898dcda2caab983efbabfc01368198a1994f8e6c29baa52596

SHA512
e9325ef990627b4f58121aea128c1305904316836e0b8f5f66542da8ed927108507e4f335786bcf1fddb4ea1d6e1f10dbe2bef7defa78bbd37f0c93e2dce7d25

Download Submit
C:\PerfLogs\System Restore.exe

Filesize
40KB

MD5
294845856d8cd4336593e20f4f9c913c

SHA1
bf473a7050e93b2e2f94c174225ff43d121a2039

SHA256
40dce6166de0a5898dcda2caab983efbabfc01368198a1994f8e6c29baa52596

SHA512
e9325ef990627b4f58121aea128c1305904316836e0b8f5f66542da8ed927108507e4f335786bcf1fddb4ea1d6e1f10dbe2bef7defa78bbd37f0c93e2dce7d25

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
40KB

MD5
385231f96e0a4dcecaddf6a0b75e1b63

SHA1
95fb6a44e7fdf71a439f2095e83936aef9c0d282

SHA256
13de9c330e4abbb46a2bf54316119a0a375111787078f55b294f4120155c3f3d

SHA512
e1c45864fda656dde27c424ef508ca9d58c854adc956b7d669635827a05e37b63dd2d37745610e952293173aa4250c5af777830b02c9d0c3698d5172087dbd29

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
40KB

MD5
385231f96e0a4dcecaddf6a0b75e1b63

SHA1
95fb6a44e7fdf71a439f2095e83936aef9c0d282

SHA256
13de9c330e4abbb46a2bf54316119a0a375111787078f55b294f4120155c3f3d

SHA512
e1c45864fda656dde27c424ef508ca9d58c854adc956b7d669635827a05e37b63dd2d37745610e952293173aa4250c5af777830b02c9d0c3698d5172087dbd29

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
40KB

MD5
c69c65005d41d879d25f2193f651a39b

SHA1
a9b07859449b9197df19322983b1830d4684d09f

SHA256
49abbb28ab017d505166f02628cce913193b4bf105a58b97b9d0293b7caa44fa

SHA512
274ad517e6d5ece0a2da7c270d847c1e188b4f4df744b6455cdd62a913b2c40e091c4c0a47a8cc8d9592c5b1d4005912179f8dce6e8af5d607407e7f44aff956

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
40KB

MD5
c69c65005d41d879d25f2193f651a39b

SHA1
a9b07859449b9197df19322983b1830d4684d09f

SHA256
49abbb28ab017d505166f02628cce913193b4bf105a58b97b9d0293b7caa44fa

SHA512
274ad517e6d5ece0a2da7c270d847c1e188b4f4df744b6455cdd62a913b2c40e091c4c0a47a8cc8d9592c5b1d4005912179f8dce6e8af5d607407e7f44aff956

Download Submit
C:\Program Files\Common Files\data.exe

Filesize
40KB

MD5
678a9d66f26f8929ab6edc52431592e1

SHA1
d1db5f4bdf598921c9de3117b0ffc3cf4e85caca

SHA256
92e22ce96ffef147cecc18fc80d8a7a0a19c3231b83ca02c0d94bc1d0a5afcbb

SHA512
4c692ec25b5e82cf3597d9af5da48e36f40585a17496c91aab39c237750307dec9b5dff019f269f9551e442dc316f8fa3fb5555b1548e1e52f1818780d54e947

Download Submit
C:\Program Files\backup.exe

Filesize
40KB

MD5
6db63f3b08d982987e7ab079b7c3eade

SHA1
63741d6ee79ecbc04768ec58e172bc2a7d87aaca

SHA256
8fc996df5d4d262ed28f0370088640841358c1d244364cada1e437e334373467

SHA512
db2a1e2c7c84a442b41cf2cca0dff4e6fde325c98151d6e6acce5485d2c9e6ad4a7da75cb5758b85aa61f402a1cb73f32e8cdfba363524c81a90eb21b1c42993

Download Submit
C:\Program Files\backup.exe

Filesize
40KB

MD5
6db63f3b08d982987e7ab079b7c3eade

SHA1
63741d6ee79ecbc04768ec58e172bc2a7d87aaca

SHA256
8fc996df5d4d262ed28f0370088640841358c1d244364cada1e437e334373467

SHA512
db2a1e2c7c84a442b41cf2cca0dff4e6fde325c98151d6e6acce5485d2c9e6ad4a7da75cb5758b85aa61f402a1cb73f32e8cdfba363524c81a90eb21b1c42993

Download Submit
C:\Users\Admin\AppData\Local\Temp\2350043107\update.exe

Filesize
40KB

MD5
d3d8bdde51b265f25ec6c73c2e63b630

SHA1
aad933a2bbae74c516513500bc2fc0f13e3fd291

SHA256
30e4c598c55eff45e8e513f50a4c9a43d5f74a35c88c09f3d9be3cc80aaf988c

SHA512
50d4785c110fd14f9f745bdced80dd9ad61b40d0ec8a9ff6a4572edb5fa44b0daea785a830727c5ccda64e2d6753da2231a63b967b9d9e39f61fb6e805d9977b

Download Submit
C:\Users\Admin\AppData\Local\Temp\2350043107\update.exe

Filesize
40KB

MD5
d3d8bdde51b265f25ec6c73c2e63b630

SHA1
aad933a2bbae74c516513500bc2fc0f13e3fd291

SHA256
30e4c598c55eff45e8e513f50a4c9a43d5f74a35c88c09f3d9be3cc80aaf988c

SHA512
50d4785c110fd14f9f745bdced80dd9ad61b40d0ec8a9ff6a4572edb5fa44b0daea785a830727c5ccda64e2d6753da2231a63b967b9d9e39f61fb6e805d9977b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
40KB

MD5
f86387e0b05ab90ef5e1fb0a14a0a385

SHA1
35caf89680c6f95e024838a0352526d6f0a11c2b

SHA256
e56072a8fa41a314650cdcb3103d1637d5fd09a91ab320d43f61a37fe93af2e2

SHA512
7577fa1d1b3d03a7e502fe01a0c975978832efeffc4d5bfee5bc323fc10e8597c8cea9b7f7100d63b589cea770b47328ea957f95a61f3b22951a8fbd76bf89d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
40KB

MD5
f86387e0b05ab90ef5e1fb0a14a0a385

SHA1
35caf89680c6f95e024838a0352526d6f0a11c2b

SHA256
e56072a8fa41a314650cdcb3103d1637d5fd09a91ab320d43f61a37fe93af2e2

SHA512
7577fa1d1b3d03a7e502fe01a0c975978832efeffc4d5bfee5bc323fc10e8597c8cea9b7f7100d63b589cea770b47328ea957f95a61f3b22951a8fbd76bf89d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
40KB

MD5
d6044788362bdf2f7f248abd8f93b2ec

SHA1
18c8e5e6503ca43b2b6801060b5151a0b343b3da

SHA256
4ce5e62e848ef101d3507271d4d40f7a98defee99ae6ec805b77299b59cabf14

SHA512
0d862398d97b172e62f3bd26c7de4aeccc97ee36ab0857b7ea947671a3a192e9419be00d804b99b2bab914d5e17a1aed94181d9ce1ddf1f7e52f046dc663ed5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
40KB

MD5
d6044788362bdf2f7f248abd8f93b2ec

SHA1
18c8e5e6503ca43b2b6801060b5151a0b343b3da

SHA256
4ce5e62e848ef101d3507271d4d40f7a98defee99ae6ec805b77299b59cabf14

SHA512
0d862398d97b172e62f3bd26c7de4aeccc97ee36ab0857b7ea947671a3a192e9419be00d804b99b2bab914d5e17a1aed94181d9ce1ddf1f7e52f046dc663ed5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
40KB

MD5
f86387e0b05ab90ef5e1fb0a14a0a385

SHA1
35caf89680c6f95e024838a0352526d6f0a11c2b

SHA256
e56072a8fa41a314650cdcb3103d1637d5fd09a91ab320d43f61a37fe93af2e2

SHA512
7577fa1d1b3d03a7e502fe01a0c975978832efeffc4d5bfee5bc323fc10e8597c8cea9b7f7100d63b589cea770b47328ea957f95a61f3b22951a8fbd76bf89d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
40KB

MD5
f86387e0b05ab90ef5e1fb0a14a0a385

SHA1
35caf89680c6f95e024838a0352526d6f0a11c2b

SHA256
e56072a8fa41a314650cdcb3103d1637d5fd09a91ab320d43f61a37fe93af2e2

SHA512
7577fa1d1b3d03a7e502fe01a0c975978832efeffc4d5bfee5bc323fc10e8597c8cea9b7f7100d63b589cea770b47328ea957f95a61f3b22951a8fbd76bf89d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\System Restore.exe

Filesize
40KB

MD5
d6044788362bdf2f7f248abd8f93b2ec

SHA1
18c8e5e6503ca43b2b6801060b5151a0b343b3da

SHA256
4ce5e62e848ef101d3507271d4d40f7a98defee99ae6ec805b77299b59cabf14

SHA512
0d862398d97b172e62f3bd26c7de4aeccc97ee36ab0857b7ea947671a3a192e9419be00d804b99b2bab914d5e17a1aed94181d9ce1ddf1f7e52f046dc663ed5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.zip

Filesize
22B

MD5
76cdb2bad9582d23c1f6f4d868218d6c

SHA1
b04f3ee8f5e43fa3b162981b50bb72fe1acabb33

SHA256
8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85

SHA512
5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.zip

Filesize
22KB

MD5
70583e939da83fdf525b8f8f230ddd59

SHA1
bb55e92428ea6d824909f1e23cc100ae35000af3

SHA256
2954b847b7db136b6fbb240a0c85d806751bfaaac325b47e81ec1b00fc36a998

SHA512
0408f159ecf2c8f24f4f6b1b69289ff288cc8e31569b5514e623933281b004453ae2db94280577f76b82c73a31f46a15388dbecc935aca744de054a534eef25a

Download Submit
C:\backup.exe

Filesize
40KB

MD5
a1071d7310082daadfd90bfc5d085e52

SHA1
0d81c51e53e021c673530c34ae59e0696e94f913

SHA256
9680cb271746f3a08b85552b50075a8e61ff959b0973791f54b05242555d0b2b

SHA512
a503ff9c261b25b47095a528323576b7ebac816c6ca658988917d7ce2f26a54cb6149818e373f270384f5bdc75993d3baf68014941b6835220efe448206b24ff

Download Submit
C:\backup.exe

Filesize
40KB

MD5
a1071d7310082daadfd90bfc5d085e52

SHA1
0d81c51e53e021c673530c34ae59e0696e94f913

SHA256
9680cb271746f3a08b85552b50075a8e61ff959b0973791f54b05242555d0b2b

SHA512
a503ff9c261b25b47095a528323576b7ebac816c6ca658988917d7ce2f26a54cb6149818e373f270384f5bdc75993d3baf68014941b6835220efe448206b24ff

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
40KB

MD5
ac26bbf82a56789a69224a2c90ac9562

SHA1
0d747c6b6c70f7ba958acb6b7c00871184862243

SHA256
d4027250e3a65e648e1536b8b861d78d146ea8ceaef83d0f25ac61e7c49024c3

SHA512
11aac9c60a1de8679f9eee06a74885af860beb11921b47c2160cd59ee34475f772b69acdc76b63bc0a2e2073ee29d539ccee9d5b9c0636238e8f89eb1c7bae30

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
40KB

MD5
ac26bbf82a56789a69224a2c90ac9562

SHA1
0d747c6b6c70f7ba958acb6b7c00871184862243

SHA256
d4027250e3a65e648e1536b8b861d78d146ea8ceaef83d0f25ac61e7c49024c3

SHA512
11aac9c60a1de8679f9eee06a74885af860beb11921b47c2160cd59ee34475f772b69acdc76b63bc0a2e2073ee29d539ccee9d5b9c0636238e8f89eb1c7bae30

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
40KB

MD5
ac26bbf82a56789a69224a2c90ac9562

SHA1
0d747c6b6c70f7ba958acb6b7c00871184862243

SHA256
d4027250e3a65e648e1536b8b861d78d146ea8ceaef83d0f25ac61e7c49024c3

SHA512
11aac9c60a1de8679f9eee06a74885af860beb11921b47c2160cd59ee34475f772b69acdc76b63bc0a2e2073ee29d539ccee9d5b9c0636238e8f89eb1c7bae30

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
40KB

MD5
ac26bbf82a56789a69224a2c90ac9562

SHA1
0d747c6b6c70f7ba958acb6b7c00871184862243

SHA256
d4027250e3a65e648e1536b8b861d78d146ea8ceaef83d0f25ac61e7c49024c3

SHA512
11aac9c60a1de8679f9eee06a74885af860beb11921b47c2160cd59ee34475f772b69acdc76b63bc0a2e2073ee29d539ccee9d5b9c0636238e8f89eb1c7bae30

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
40KB

MD5
ac26bbf82a56789a69224a2c90ac9562

SHA1
0d747c6b6c70f7ba958acb6b7c00871184862243

SHA256
d4027250e3a65e648e1536b8b861d78d146ea8ceaef83d0f25ac61e7c49024c3

SHA512
11aac9c60a1de8679f9eee06a74885af860beb11921b47c2160cd59ee34475f772b69acdc76b63bc0a2e2073ee29d539ccee9d5b9c0636238e8f89eb1c7bae30

Download Submit
\PerfLogs\System Restore.exe

Filesize
40KB

MD5
294845856d8cd4336593e20f4f9c913c

SHA1
bf473a7050e93b2e2f94c174225ff43d121a2039

SHA256
40dce6166de0a5898dcda2caab983efbabfc01368198a1994f8e6c29baa52596

SHA512
e9325ef990627b4f58121aea128c1305904316836e0b8f5f66542da8ed927108507e4f335786bcf1fddb4ea1d6e1f10dbe2bef7defa78bbd37f0c93e2dce7d25

Download Submit
\PerfLogs\System Restore.exe

Filesize
40KB

MD5
294845856d8cd4336593e20f4f9c913c

SHA1
bf473a7050e93b2e2f94c174225ff43d121a2039

SHA256
40dce6166de0a5898dcda2caab983efbabfc01368198a1994f8e6c29baa52596

SHA512
e9325ef990627b4f58121aea128c1305904316836e0b8f5f66542da8ed927108507e4f335786bcf1fddb4ea1d6e1f10dbe2bef7defa78bbd37f0c93e2dce7d25

Download Submit
\PerfLogs\System Restore.exe

Filesize
40KB

MD5
294845856d8cd4336593e20f4f9c913c

SHA1
bf473a7050e93b2e2f94c174225ff43d121a2039

SHA256
40dce6166de0a5898dcda2caab983efbabfc01368198a1994f8e6c29baa52596

SHA512
e9325ef990627b4f58121aea128c1305904316836e0b8f5f66542da8ed927108507e4f335786bcf1fddb4ea1d6e1f10dbe2bef7defa78bbd37f0c93e2dce7d25

Download Submit
\PerfLogs\System Restore.exe

Filesize
40KB

MD5
294845856d8cd4336593e20f4f9c913c

SHA1
bf473a7050e93b2e2f94c174225ff43d121a2039

SHA256
40dce6166de0a5898dcda2caab983efbabfc01368198a1994f8e6c29baa52596

SHA512
e9325ef990627b4f58121aea128c1305904316836e0b8f5f66542da8ed927108507e4f335786bcf1fddb4ea1d6e1f10dbe2bef7defa78bbd37f0c93e2dce7d25

Download Submit
\PerfLogs\System Restore.exe

Filesize
40KB

MD5
294845856d8cd4336593e20f4f9c913c

SHA1
bf473a7050e93b2e2f94c174225ff43d121a2039

SHA256
40dce6166de0a5898dcda2caab983efbabfc01368198a1994f8e6c29baa52596

SHA512
e9325ef990627b4f58121aea128c1305904316836e0b8f5f66542da8ed927108507e4f335786bcf1fddb4ea1d6e1f10dbe2bef7defa78bbd37f0c93e2dce7d25

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
40KB

MD5
385231f96e0a4dcecaddf6a0b75e1b63

SHA1
95fb6a44e7fdf71a439f2095e83936aef9c0d282

SHA256
13de9c330e4abbb46a2bf54316119a0a375111787078f55b294f4120155c3f3d

SHA512
e1c45864fda656dde27c424ef508ca9d58c854adc956b7d669635827a05e37b63dd2d37745610e952293173aa4250c5af777830b02c9d0c3698d5172087dbd29

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
40KB

MD5
385231f96e0a4dcecaddf6a0b75e1b63

SHA1
95fb6a44e7fdf71a439f2095e83936aef9c0d282

SHA256
13de9c330e4abbb46a2bf54316119a0a375111787078f55b294f4120155c3f3d

SHA512
e1c45864fda656dde27c424ef508ca9d58c854adc956b7d669635827a05e37b63dd2d37745610e952293173aa4250c5af777830b02c9d0c3698d5172087dbd29

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
40KB

MD5
385231f96e0a4dcecaddf6a0b75e1b63

SHA1
95fb6a44e7fdf71a439f2095e83936aef9c0d282

SHA256
13de9c330e4abbb46a2bf54316119a0a375111787078f55b294f4120155c3f3d

SHA512
e1c45864fda656dde27c424ef508ca9d58c854adc956b7d669635827a05e37b63dd2d37745610e952293173aa4250c5af777830b02c9d0c3698d5172087dbd29

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
40KB

MD5
385231f96e0a4dcecaddf6a0b75e1b63

SHA1
95fb6a44e7fdf71a439f2095e83936aef9c0d282

SHA256
13de9c330e4abbb46a2bf54316119a0a375111787078f55b294f4120155c3f3d

SHA512
e1c45864fda656dde27c424ef508ca9d58c854adc956b7d669635827a05e37b63dd2d37745610e952293173aa4250c5af777830b02c9d0c3698d5172087dbd29

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
40KB

MD5
385231f96e0a4dcecaddf6a0b75e1b63

SHA1
95fb6a44e7fdf71a439f2095e83936aef9c0d282

SHA256
13de9c330e4abbb46a2bf54316119a0a375111787078f55b294f4120155c3f3d

SHA512
e1c45864fda656dde27c424ef508ca9d58c854adc956b7d669635827a05e37b63dd2d37745610e952293173aa4250c5af777830b02c9d0c3698d5172087dbd29

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
40KB

MD5
c69c65005d41d879d25f2193f651a39b

SHA1
a9b07859449b9197df19322983b1830d4684d09f

SHA256
49abbb28ab017d505166f02628cce913193b4bf105a58b97b9d0293b7caa44fa

SHA512
274ad517e6d5ece0a2da7c270d847c1e188b4f4df744b6455cdd62a913b2c40e091c4c0a47a8cc8d9592c5b1d4005912179f8dce6e8af5d607407e7f44aff956

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
40KB

MD5
c69c65005d41d879d25f2193f651a39b

SHA1
a9b07859449b9197df19322983b1830d4684d09f

SHA256
49abbb28ab017d505166f02628cce913193b4bf105a58b97b9d0293b7caa44fa

SHA512
274ad517e6d5ece0a2da7c270d847c1e188b4f4df744b6455cdd62a913b2c40e091c4c0a47a8cc8d9592c5b1d4005912179f8dce6e8af5d607407e7f44aff956

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
40KB

MD5
c69c65005d41d879d25f2193f651a39b

SHA1
a9b07859449b9197df19322983b1830d4684d09f

SHA256
49abbb28ab017d505166f02628cce913193b4bf105a58b97b9d0293b7caa44fa

SHA512
274ad517e6d5ece0a2da7c270d847c1e188b4f4df744b6455cdd62a913b2c40e091c4c0a47a8cc8d9592c5b1d4005912179f8dce6e8af5d607407e7f44aff956

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
40KB

MD5
c69c65005d41d879d25f2193f651a39b

SHA1
a9b07859449b9197df19322983b1830d4684d09f

SHA256
49abbb28ab017d505166f02628cce913193b4bf105a58b97b9d0293b7caa44fa

SHA512
274ad517e6d5ece0a2da7c270d847c1e188b4f4df744b6455cdd62a913b2c40e091c4c0a47a8cc8d9592c5b1d4005912179f8dce6e8af5d607407e7f44aff956

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
40KB

MD5
c69c65005d41d879d25f2193f651a39b

SHA1
a9b07859449b9197df19322983b1830d4684d09f

SHA256
49abbb28ab017d505166f02628cce913193b4bf105a58b97b9d0293b7caa44fa

SHA512
274ad517e6d5ece0a2da7c270d847c1e188b4f4df744b6455cdd62a913b2c40e091c4c0a47a8cc8d9592c5b1d4005912179f8dce6e8af5d607407e7f44aff956

Download Submit
\Program Files\Common Files\data.exe

Filesize
40KB

MD5
678a9d66f26f8929ab6edc52431592e1

SHA1
d1db5f4bdf598921c9de3117b0ffc3cf4e85caca

SHA256
92e22ce96ffef147cecc18fc80d8a7a0a19c3231b83ca02c0d94bc1d0a5afcbb

SHA512
4c692ec25b5e82cf3597d9af5da48e36f40585a17496c91aab39c237750307dec9b5dff019f269f9551e442dc316f8fa3fb5555b1548e1e52f1818780d54e947

Download Submit
\Program Files\Common Files\data.exe

Filesize
40KB

MD5
678a9d66f26f8929ab6edc52431592e1

SHA1
d1db5f4bdf598921c9de3117b0ffc3cf4e85caca

SHA256
92e22ce96ffef147cecc18fc80d8a7a0a19c3231b83ca02c0d94bc1d0a5afcbb

SHA512
4c692ec25b5e82cf3597d9af5da48e36f40585a17496c91aab39c237750307dec9b5dff019f269f9551e442dc316f8fa3fb5555b1548e1e52f1818780d54e947

Download Submit
\Program Files\backup.exe

Filesize
40KB

MD5
6db63f3b08d982987e7ab079b7c3eade

SHA1
63741d6ee79ecbc04768ec58e172bc2a7d87aaca

SHA256
8fc996df5d4d262ed28f0370088640841358c1d244364cada1e437e334373467

SHA512
db2a1e2c7c84a442b41cf2cca0dff4e6fde325c98151d6e6acce5485d2c9e6ad4a7da75cb5758b85aa61f402a1cb73f32e8cdfba363524c81a90eb21b1c42993

Download Submit
\Program Files\backup.exe

Filesize
40KB

MD5
6db63f3b08d982987e7ab079b7c3eade

SHA1
63741d6ee79ecbc04768ec58e172bc2a7d87aaca

SHA256
8fc996df5d4d262ed28f0370088640841358c1d244364cada1e437e334373467

SHA512
db2a1e2c7c84a442b41cf2cca0dff4e6fde325c98151d6e6acce5485d2c9e6ad4a7da75cb5758b85aa61f402a1cb73f32e8cdfba363524c81a90eb21b1c42993

Download Submit
\Program Files\backup.exe

Filesize
40KB

MD5
6db63f3b08d982987e7ab079b7c3eade

SHA1
63741d6ee79ecbc04768ec58e172bc2a7d87aaca

SHA256
8fc996df5d4d262ed28f0370088640841358c1d244364cada1e437e334373467

SHA512
db2a1e2c7c84a442b41cf2cca0dff4e6fde325c98151d6e6acce5485d2c9e6ad4a7da75cb5758b85aa61f402a1cb73f32e8cdfba363524c81a90eb21b1c42993

Download Submit
\Program Files\backup.exe

Filesize
40KB

MD5
6db63f3b08d982987e7ab079b7c3eade

SHA1
63741d6ee79ecbc04768ec58e172bc2a7d87aaca

SHA256
8fc996df5d4d262ed28f0370088640841358c1d244364cada1e437e334373467

SHA512
db2a1e2c7c84a442b41cf2cca0dff4e6fde325c98151d6e6acce5485d2c9e6ad4a7da75cb5758b85aa61f402a1cb73f32e8cdfba363524c81a90eb21b1c42993

Download Submit
\Program Files\backup.exe

Filesize
40KB

MD5
6db63f3b08d982987e7ab079b7c3eade

SHA1
63741d6ee79ecbc04768ec58e172bc2a7d87aaca

SHA256
8fc996df5d4d262ed28f0370088640841358c1d244364cada1e437e334373467

SHA512
db2a1e2c7c84a442b41cf2cca0dff4e6fde325c98151d6e6acce5485d2c9e6ad4a7da75cb5758b85aa61f402a1cb73f32e8cdfba363524c81a90eb21b1c42993

Download Submit
\Users\Admin\AppData\Local\Temp\2350043107\update.exe

Filesize
40KB

MD5
d3d8bdde51b265f25ec6c73c2e63b630

SHA1
aad933a2bbae74c516513500bc2fc0f13e3fd291

SHA256
30e4c598c55eff45e8e513f50a4c9a43d5f74a35c88c09f3d9be3cc80aaf988c

SHA512
50d4785c110fd14f9f745bdced80dd9ad61b40d0ec8a9ff6a4572edb5fa44b0daea785a830727c5ccda64e2d6753da2231a63b967b9d9e39f61fb6e805d9977b

Download Submit
\Users\Admin\AppData\Local\Temp\2350043107\update.exe

Filesize
40KB

MD5
d3d8bdde51b265f25ec6c73c2e63b630

SHA1
aad933a2bbae74c516513500bc2fc0f13e3fd291

SHA256
30e4c598c55eff45e8e513f50a4c9a43d5f74a35c88c09f3d9be3cc80aaf988c

SHA512
50d4785c110fd14f9f745bdced80dd9ad61b40d0ec8a9ff6a4572edb5fa44b0daea785a830727c5ccda64e2d6753da2231a63b967b9d9e39f61fb6e805d9977b

Download Submit
\Users\Admin\AppData\Local\Temp\2350043107\update.exe

Filesize
40KB

MD5
d3d8bdde51b265f25ec6c73c2e63b630

SHA1
aad933a2bbae74c516513500bc2fc0f13e3fd291

SHA256
30e4c598c55eff45e8e513f50a4c9a43d5f74a35c88c09f3d9be3cc80aaf988c

SHA512
50d4785c110fd14f9f745bdced80dd9ad61b40d0ec8a9ff6a4572edb5fa44b0daea785a830727c5ccda64e2d6753da2231a63b967b9d9e39f61fb6e805d9977b

Download Submit
\Users\Admin\AppData\Local\Temp\2350043107\update.exe

Filesize
40KB

MD5
d3d8bdde51b265f25ec6c73c2e63b630

SHA1
aad933a2bbae74c516513500bc2fc0f13e3fd291

SHA256
30e4c598c55eff45e8e513f50a4c9a43d5f74a35c88c09f3d9be3cc80aaf988c

SHA512
50d4785c110fd14f9f745bdced80dd9ad61b40d0ec8a9ff6a4572edb5fa44b0daea785a830727c5ccda64e2d6753da2231a63b967b9d9e39f61fb6e805d9977b

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
40KB

MD5
f86387e0b05ab90ef5e1fb0a14a0a385

SHA1
35caf89680c6f95e024838a0352526d6f0a11c2b

SHA256
e56072a8fa41a314650cdcb3103d1637d5fd09a91ab320d43f61a37fe93af2e2

SHA512
7577fa1d1b3d03a7e502fe01a0c975978832efeffc4d5bfee5bc323fc10e8597c8cea9b7f7100d63b589cea770b47328ea957f95a61f3b22951a8fbd76bf89d1

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
40KB

MD5
f86387e0b05ab90ef5e1fb0a14a0a385

SHA1
35caf89680c6f95e024838a0352526d6f0a11c2b

SHA256
e56072a8fa41a314650cdcb3103d1637d5fd09a91ab320d43f61a37fe93af2e2

SHA512
7577fa1d1b3d03a7e502fe01a0c975978832efeffc4d5bfee5bc323fc10e8597c8cea9b7f7100d63b589cea770b47328ea957f95a61f3b22951a8fbd76bf89d1

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
40KB

MD5
f86387e0b05ab90ef5e1fb0a14a0a385

SHA1
35caf89680c6f95e024838a0352526d6f0a11c2b

SHA256
e56072a8fa41a314650cdcb3103d1637d5fd09a91ab320d43f61a37fe93af2e2

SHA512
7577fa1d1b3d03a7e502fe01a0c975978832efeffc4d5bfee5bc323fc10e8597c8cea9b7f7100d63b589cea770b47328ea957f95a61f3b22951a8fbd76bf89d1

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
40KB

MD5
f86387e0b05ab90ef5e1fb0a14a0a385

SHA1
35caf89680c6f95e024838a0352526d6f0a11c2b

SHA256
e56072a8fa41a314650cdcb3103d1637d5fd09a91ab320d43f61a37fe93af2e2

SHA512
7577fa1d1b3d03a7e502fe01a0c975978832efeffc4d5bfee5bc323fc10e8597c8cea9b7f7100d63b589cea770b47328ea957f95a61f3b22951a8fbd76bf89d1

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
40KB

MD5
d6044788362bdf2f7f248abd8f93b2ec

SHA1
18c8e5e6503ca43b2b6801060b5151a0b343b3da

SHA256
4ce5e62e848ef101d3507271d4d40f7a98defee99ae6ec805b77299b59cabf14

SHA512
0d862398d97b172e62f3bd26c7de4aeccc97ee36ab0857b7ea947671a3a192e9419be00d804b99b2bab914d5e17a1aed94181d9ce1ddf1f7e52f046dc663ed5a

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
40KB

MD5
d6044788362bdf2f7f248abd8f93b2ec

SHA1
18c8e5e6503ca43b2b6801060b5151a0b343b3da

SHA256
4ce5e62e848ef101d3507271d4d40f7a98defee99ae6ec805b77299b59cabf14

SHA512
0d862398d97b172e62f3bd26c7de4aeccc97ee36ab0857b7ea947671a3a192e9419be00d804b99b2bab914d5e17a1aed94181d9ce1ddf1f7e52f046dc663ed5a

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
40KB

MD5
d6044788362bdf2f7f248abd8f93b2ec

SHA1
18c8e5e6503ca43b2b6801060b5151a0b343b3da

SHA256
4ce5e62e848ef101d3507271d4d40f7a98defee99ae6ec805b77299b59cabf14

SHA512
0d862398d97b172e62f3bd26c7de4aeccc97ee36ab0857b7ea947671a3a192e9419be00d804b99b2bab914d5e17a1aed94181d9ce1ddf1f7e52f046dc663ed5a

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
40KB

MD5
d6044788362bdf2f7f248abd8f93b2ec

SHA1
18c8e5e6503ca43b2b6801060b5151a0b343b3da

SHA256
4ce5e62e848ef101d3507271d4d40f7a98defee99ae6ec805b77299b59cabf14

SHA512
0d862398d97b172e62f3bd26c7de4aeccc97ee36ab0857b7ea947671a3a192e9419be00d804b99b2bab914d5e17a1aed94181d9ce1ddf1f7e52f046dc663ed5a

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
40KB

MD5
f86387e0b05ab90ef5e1fb0a14a0a385

SHA1
35caf89680c6f95e024838a0352526d6f0a11c2b

SHA256
e56072a8fa41a314650cdcb3103d1637d5fd09a91ab320d43f61a37fe93af2e2

SHA512
7577fa1d1b3d03a7e502fe01a0c975978832efeffc4d5bfee5bc323fc10e8597c8cea9b7f7100d63b589cea770b47328ea957f95a61f3b22951a8fbd76bf89d1

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
40KB

MD5
f86387e0b05ab90ef5e1fb0a14a0a385

SHA1
35caf89680c6f95e024838a0352526d6f0a11c2b

SHA256
e56072a8fa41a314650cdcb3103d1637d5fd09a91ab320d43f61a37fe93af2e2

SHA512
7577fa1d1b3d03a7e502fe01a0c975978832efeffc4d5bfee5bc323fc10e8597c8cea9b7f7100d63b589cea770b47328ea957f95a61f3b22951a8fbd76bf89d1

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\System Restore.exe

Filesize
40KB

MD5
d6044788362bdf2f7f248abd8f93b2ec

SHA1
18c8e5e6503ca43b2b6801060b5151a0b343b3da

SHA256
4ce5e62e848ef101d3507271d4d40f7a98defee99ae6ec805b77299b59cabf14

SHA512
0d862398d97b172e62f3bd26c7de4aeccc97ee36ab0857b7ea947671a3a192e9419be00d804b99b2bab914d5e17a1aed94181d9ce1ddf1f7e52f046dc663ed5a

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\System Restore.exe

Filesize
40KB

MD5
d6044788362bdf2f7f248abd8f93b2ec

SHA1
18c8e5e6503ca43b2b6801060b5151a0b343b3da

SHA256
4ce5e62e848ef101d3507271d4d40f7a98defee99ae6ec805b77299b59cabf14

SHA512
0d862398d97b172e62f3bd26c7de4aeccc97ee36ab0857b7ea947671a3a192e9419be00d804b99b2bab914d5e17a1aed94181d9ce1ddf1f7e52f046dc663ed5a

Download Submit
memory/368-250-0x00000000003D0000-0x00000000003EB000-memory.dmp

Filesize
108KB

Download
memory/368-249-0x00000000003D0000-0x00000000003EB000-memory.dmp

Filesize
108KB

Download
memory/368-256-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/668-93-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/668-119-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1188-128-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1188-118-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1228-157-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1228-158-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1272-283-0x0000000000320000-0x000000000033B000-memory.dmp

Filesize
108KB

Download
memory/1272-215-0x0000000000020000-0x000000000003B000-memory.dmp

Filesize
108KB

Download
memory/1272-214-0x0000000000020000-0x000000000003B000-memory.dmp

Filesize
108KB

Download
memory/1272-239-0x0000000000320000-0x000000000033B000-memory.dmp

Filesize
108KB

Download
memory/1272-260-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1272-262-0x0000000000020000-0x000000000003B000-memory.dmp

Filesize
108KB

Download
memory/1272-264-0x0000000000020000-0x000000000003B000-memory.dmp

Filesize
108KB

Download
memory/1308-252-0x0000000000320000-0x000000000033B000-memory.dmp

Filesize
108KB

Download
memory/1308-219-0x0000000000020000-0x000000000003B000-memory.dmp

Filesize
108KB

Download
memory/1308-212-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1308-144-0x0000000000020000-0x000000000003B000-memory.dmp

Filesize
108KB

Download
memory/1308-151-0x0000000000020000-0x000000000003B000-memory.dmp

Filesize
108KB

Download
memory/1308-210-0x0000000000320000-0x000000000033B000-memory.dmp

Filesize
108KB

Download
memory/1308-208-0x0000000000320000-0x000000000033B000-memory.dmp

Filesize
108KB

Download
memory/1308-156-0x0000000000020000-0x000000000003B000-memory.dmp

Filesize
108KB

Download
memory/1308-251-0x0000000000320000-0x000000000033B000-memory.dmp

Filesize
108KB

Download
memory/1308-220-0x0000000000020000-0x000000000003B000-memory.dmp

Filesize
108KB

Download
memory/1308-243-0x0000000000320000-0x000000000033B000-memory.dmp

Filesize
108KB

Download
memory/1324-175-0x0000000000020000-0x000000000003B000-memory.dmp

Filesize
108KB

Download
memory/1324-179-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1324-177-0x0000000000020000-0x000000000003B000-memory.dmp

Filesize
108KB

Download
memory/1324-201-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1324-190-0x00000000002D0000-0x00000000002EB000-memory.dmp

Filesize
108KB

Download
memory/1352-524-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1472-211-0x0000000000290000-0x00000000002AB000-memory.dmp

Filesize
108KB

Download
memory/1472-66-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1472-67-0x0000000000020000-0x000000000003B000-memory.dmp

Filesize
108KB

Download
memory/1472-137-0x0000000000290000-0x00000000002AB000-memory.dmp

Filesize
108KB

Download
memory/1472-213-0x0000000000290000-0x00000000002AB000-memory.dmp

Filesize
108KB

Download
memory/1472-174-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1484-200-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1484-197-0x0000000000020000-0x000000000003B000-memory.dmp

Filesize
108KB

Download
memory/1588-508-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1600-495-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1620-268-0x0000000000420000-0x000000000043B000-memory.dmp

Filesize
108KB

Download
memory/1620-241-0x0000000000020000-0x000000000003B000-memory.dmp

Filesize
108KB

Download
memory/1620-267-0x0000000000420000-0x000000000043B000-memory.dmp

Filesize
108KB

Download
memory/1620-281-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1620-285-0x0000000000020000-0x000000000003B000-memory.dmp

Filesize
108KB

Download
memory/1804-512-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1924-149-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1996-287-0x0000000000020000-0x000000000003B000-memory.dmp

Filesize
108KB

Download
memory/1996-296-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2100-265-0x0000000000020000-0x000000000003B000-memory.dmp

Filesize
108KB

Download
memory/2100-269-0x0000000000020000-0x000000000003B000-memory.dmp

Filesize
108KB

Download
memory/2100-286-0x0000000000350000-0x000000000036B000-memory.dmp

Filesize
108KB

Download
memory/2276-499-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2352-32-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2484-509-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2524-16-0x0000000000020000-0x000000000003B000-memory.dmp

Filesize
108KB

Download
memory/2524-56-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2524-317-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2524-92-0x0000000000020000-0x000000000003B000-memory.dmp

Filesize
108KB

Download
memory/2524-63-0x0000000000290000-0x00000000002AB000-memory.dmp

Filesize
108KB

Download
memory/2524-13-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2524-18-0x0000000000020000-0x000000000003B000-memory.dmp

Filesize
108KB

Download
memory/2524-173-0x0000000000290000-0x00000000002AB000-memory.dmp

Filesize
108KB

Download
memory/2524-69-0x0000000000020000-0x000000000003B000-memory.dmp

Filesize
108KB

Download
memory/2524-76-0x0000000000020000-0x000000000003B000-memory.dmp

Filesize
108KB

Download
memory/2528-43-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2624-507-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2712-315-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2756-418-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2756-472-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2784-316-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2784-237-0x0000000000280000-0x000000000029B000-memory.dmp

Filesize
108KB

Download
memory/2784-4-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2784-11-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2784-60-0x0000000000280000-0x000000000029B000-memory.dmp

Filesize
108KB

Download
memory/2784-218-0x0000000000280000-0x000000000029B000-memory.dmp

Filesize
108KB

Download
memory/2784-221-0x0000000000540000-0x0000000000541000-memory.dmp

Filesize
4KB

Download
memory/2784-180-0x0000000000280000-0x000000000029B000-memory.dmp

Filesize
108KB

Download
memory/2784-1-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2784-167-0x0000000000280000-0x000000000029B000-memory.dmp

Filesize
108KB

Download
memory/2784-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2784-270-0x0000000000540000-0x0000000000541000-memory.dmp

Filesize
4KB

Download
memory/2868-303-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2968-121-0x0000000000A90000-0x0000000000AAB000-memory.dmp

Filesize
108KB

Download
memory/2968-127-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2968-82-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2968-101-0x0000000000A90000-0x0000000000AAB000-memory.dmp

Filesize
108KB

Download
memory/3036-91-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3036-65-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads