8aa84ef773441ad2171df5182243eb3f2757dfa55e6344ebb4a70f5f29edf0f7

Analysis

max time kernel
16s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09/04/2024, 22:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

83100dfa8b8c885e6994d9a6e3d85960.exe
Size

85KB
MD5

83100dfa8b8c885e6994d9a6e3d85960
SHA1

5497c1144e97627d5b2a9d3d726b7fb709b2028c
SHA256

8aa84ef773441ad2171df5182243eb3f2757dfa55e6344ebb4a70f5f29edf0f7
SHA512

baf864183b2d1a51000ce6db7f04d324422569729cf957e209a93c97a83c2da2be356cd75431fd1b96737fe6ec42c8f4cdebb953b524b1f54219b3b6480a8667
SSDEEP

768:8qnum1opQNwC3BESe4Vqth+0V5vKPyLylze70wi3BEmG:8vm1AeT7BVwxfvLFwjRG

Score

10^/10

evasion upx

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 49 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	83100dfa8b8c885e6994d9a6e3d85960.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Executes dropped EXE 50 IoCs

pid	Process
2172	backup.exe
3032	backup.exe
2536	backup.exe
2728	backup.exe
1100	backup.exe
2824	backup.exe
2432	update.exe
2492	backup.exe
2812	backup.exe
3004	backup.exe
2776	backup.exe
1592	backup.exe
2840	backup.exe
636	backup.exe
2264	backup.exe
2896	backup.exe
784	backup.exe
1808	backup.exe
2160	backup.exe
1824	backup.exe
908	backup.exe
2928	backup.exe
756	data.exe
896	backup.exe
672	System Restore.exe
1568	backup.exe
2092	backup.exe
2108	backup.exe
2720	backup.exe
2592	backup.exe
2712	backup.exe
2464	backup.exe
1516	backup.exe
2408	backup.exe
2944	backup.exe
2968	backup.exe
2664	backup.exe
1532	backup.exe
1944	backup.exe
1268	backup.exe
1752	backup.exe
2356	backup.exe
2040	backup.exe
1816	backup.exe
684	backup.exe
576	backup.exe
2896	backup.exe
1640	backup.exe
1880	backup.exe
1852	backup.exe

Loads dropped DLL 64 IoCs

pid	Process
2360	83100dfa8b8c885e6994d9a6e3d85960.exe
2360	83100dfa8b8c885e6994d9a6e3d85960.exe
2360	83100dfa8b8c885e6994d9a6e3d85960.exe
2360	83100dfa8b8c885e6994d9a6e3d85960.exe
2360	83100dfa8b8c885e6994d9a6e3d85960.exe
2360	83100dfa8b8c885e6994d9a6e3d85960.exe
2360	83100dfa8b8c885e6994d9a6e3d85960.exe
2360	83100dfa8b8c885e6994d9a6e3d85960.exe
2360	83100dfa8b8c885e6994d9a6e3d85960.exe
2360	83100dfa8b8c885e6994d9a6e3d85960.exe
2360	83100dfa8b8c885e6994d9a6e3d85960.exe
2360	83100dfa8b8c885e6994d9a6e3d85960.exe
2360	83100dfa8b8c885e6994d9a6e3d85960.exe
2432	update.exe
2432	update.exe
2432	update.exe
2432	update.exe
2432	update.exe
2492	backup.exe
2492	backup.exe
2492	backup.exe
2812	backup.exe
2812	backup.exe
2360	83100dfa8b8c885e6994d9a6e3d85960.exe
2360	83100dfa8b8c885e6994d9a6e3d85960.exe
2776	backup.exe
2776	backup.exe
3004	backup.exe
3004	backup.exe
2360	83100dfa8b8c885e6994d9a6e3d85960.exe
2360	83100dfa8b8c885e6994d9a6e3d85960.exe
2812	backup.exe
2812	backup.exe
2264	backup.exe
2264	backup.exe
2896	backup.exe
2896	backup.exe
2264	backup.exe
2264	backup.exe
1808	backup.exe
1808	backup.exe
2160	backup.exe
2160	backup.exe
2160	backup.exe
2160	backup.exe
908	backup.exe
908	backup.exe
908	backup.exe
908	backup.exe
908	backup.exe
908	backup.exe
908	backup.exe
908	backup.exe
908	backup.exe
908	backup.exe
908	backup.exe
908	backup.exe
908	backup.exe
908	backup.exe
908	backup.exe
908	backup.exe
908	backup.exe
908	backup.exe
908	backup.exe

UPX packed file 45 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2360-0-0x0000000000400000-0x000000000041B314-memory.dmp	upx
behavioral1/files/0x00340000000144e4-5.dat	upx
behavioral1/memory/2360-7-0x0000000001D70000-0x0000000001D8C000-memory.dmp	upx
behavioral1/memory/3032-29-0x0000000000400000-0x000000000041B314-memory.dmp	upx
behavioral1/memory/2536-36-0x0000000000400000-0x000000000041B314-memory.dmp	upx
behavioral1/memory/2728-49-0x0000000000400000-0x000000000041B314-memory.dmp	upx
behavioral1/files/0x0006000000015be6-50.dat	upx
behavioral1/memory/1100-60-0x0000000000400000-0x000000000041B314-memory.dmp	upx
behavioral1/memory/2360-69-0x0000000000400000-0x000000000041B314-memory.dmp	upx
behavioral1/memory/2824-72-0x0000000000400000-0x000000000041B314-memory.dmp	upx
behavioral1/memory/2172-75-0x0000000000400000-0x000000000041B314-memory.dmp	upx
behavioral1/memory/2360-76-0x0000000001D70000-0x0000000001D8C000-memory.dmp	upx
behavioral1/files/0x0006000000015cba-87.dat	upx
behavioral1/files/0x0006000000015cd5-106.dat	upx
behavioral1/memory/2812-113-0x0000000000400000-0x000000000041B314-memory.dmp	upx
behavioral1/memory/2536-96-0x0000000000400000-0x000000000041B314-memory.dmp	upx
behavioral1/files/0x0006000000015d07-119.dat	upx
behavioral1/memory/2360-123-0x0000000001D70000-0x0000000001D8C000-memory.dmp	upx
behavioral1/files/0x0006000000015d28-125.dat	upx
behavioral1/memory/2492-137-0x0000000000400000-0x000000000041B314-memory.dmp	upx
behavioral1/memory/2432-134-0x0000000000400000-0x000000000041B314-memory.dmp	upx
behavioral1/files/0x0006000000015d56-151.dat	upx
behavioral1/memory/1592-165-0x0000000000400000-0x000000000041B314-memory.dmp	upx
behavioral1/files/0x0006000000015d4a-150.dat	upx
behavioral1/memory/2840-167-0x0000000000400000-0x000000000041B314-memory.dmp	upx
behavioral1/files/0x0006000000015d6f-169.dat	upx
behavioral1/memory/2360-176-0x0000000001D70000-0x0000000001D8C000-memory.dmp	upx
behavioral1/memory/2776-177-0x0000000000400000-0x000000000041B314-memory.dmp	upx
behavioral1/memory/2840-186-0x0000000000400000-0x000000000041B314-memory.dmp	upx
behavioral1/memory/2812-190-0x00000000003E0000-0x00000000003FC000-memory.dmp	upx
behavioral1/memory/3004-188-0x0000000000400000-0x000000000041B314-memory.dmp	upx
behavioral1/files/0x0008000000015ce1-187.dat	upx
behavioral1/memory/1592-181-0x0000000000400000-0x000000000041B314-memory.dmp	upx
behavioral1/files/0x0007000000015d67-197.dat	upx
behavioral1/memory/636-208-0x0000000000400000-0x000000000041B314-memory.dmp	upx
behavioral1/files/0x0008000000015d5e-211.dat	upx
behavioral1/memory/2812-221-0x0000000000400000-0x000000000041B314-memory.dmp	upx
behavioral1/memory/784-229-0x0000000000400000-0x000000000041B314-memory.dmp	upx
behavioral1/memory/2896-237-0x0000000000400000-0x000000000041B314-memory.dmp	upx
behavioral1/memory/2160-262-0x0000000000400000-0x000000000041B314-memory.dmp	upx
behavioral1/memory/2160-270-0x00000000005B0000-0x00000000005CC000-memory.dmp	upx
behavioral1/memory/2536-268-0x0000000000400000-0x000000000041B314-memory.dmp	upx
behavioral1/memory/1824-282-0x0000000000400000-0x000000000041B314-memory.dmp	upx
behavioral1/memory/2264-287-0x0000000000400000-0x000000000041B314-memory.dmp	upx
behavioral1/memory/2928-301-0x0000000000400000-0x000000000041B314-memory.dmp	upx

Drops file in Program Files directory 36 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\Lang\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe	backup.exe
File opened for modification	C:\Program Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2360	83100dfa8b8c885e6994d9a6e3d85960.exe

Suspicious use of SetWindowsHookEx 51 IoCs

pid	Process
2360	83100dfa8b8c885e6994d9a6e3d85960.exe
2172	backup.exe
3032	backup.exe
2536	backup.exe
2728	backup.exe
1100	backup.exe
2824	backup.exe
2432	update.exe
2492	backup.exe
2812	backup.exe
2776	backup.exe
3004	backup.exe
1592	backup.exe
2840	backup.exe
636	backup.exe
2264	backup.exe
2896	backup.exe
784	backup.exe
1808	backup.exe
2160	backup.exe
1824	backup.exe
908	backup.exe
2928	backup.exe
756	data.exe
896	backup.exe
672	System Restore.exe
1568	backup.exe
2092	backup.exe
2108	backup.exe
2720	backup.exe
2592	backup.exe
2712	backup.exe
2464	backup.exe
1516	backup.exe
2408	backup.exe
2944	backup.exe
2968	backup.exe
2664	backup.exe
1532	backup.exe
1944	backup.exe
1268	backup.exe
1752	backup.exe
2356	backup.exe
2040	backup.exe
1816	backup.exe
684	backup.exe
576	backup.exe
2896	backup.exe
1640	backup.exe
1880	backup.exe
1852	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2360 wrote to memory of 2172	2360	83100dfa8b8c885e6994d9a6e3d85960.exe	28
PID 2360 wrote to memory of 2172	2360	83100dfa8b8c885e6994d9a6e3d85960.exe	28
PID 2360 wrote to memory of 2172	2360	83100dfa8b8c885e6994d9a6e3d85960.exe	28
PID 2360 wrote to memory of 2172	2360	83100dfa8b8c885e6994d9a6e3d85960.exe	28
PID 2360 wrote to memory of 3032	2360	83100dfa8b8c885e6994d9a6e3d85960.exe	29
PID 2360 wrote to memory of 3032	2360	83100dfa8b8c885e6994d9a6e3d85960.exe	29
PID 2360 wrote to memory of 3032	2360	83100dfa8b8c885e6994d9a6e3d85960.exe	29
PID 2360 wrote to memory of 3032	2360	83100dfa8b8c885e6994d9a6e3d85960.exe	29
PID 2360 wrote to memory of 2536	2360	83100dfa8b8c885e6994d9a6e3d85960.exe	30
PID 2360 wrote to memory of 2536	2360	83100dfa8b8c885e6994d9a6e3d85960.exe	30
PID 2360 wrote to memory of 2536	2360	83100dfa8b8c885e6994d9a6e3d85960.exe	30
PID 2360 wrote to memory of 2536	2360	83100dfa8b8c885e6994d9a6e3d85960.exe	30
PID 2360 wrote to memory of 2728	2360	83100dfa8b8c885e6994d9a6e3d85960.exe	31
PID 2360 wrote to memory of 2728	2360	83100dfa8b8c885e6994d9a6e3d85960.exe	31
PID 2360 wrote to memory of 2728	2360	83100dfa8b8c885e6994d9a6e3d85960.exe	31
PID 2360 wrote to memory of 2728	2360	83100dfa8b8c885e6994d9a6e3d85960.exe	31
PID 2360 wrote to memory of 1100	2360	83100dfa8b8c885e6994d9a6e3d85960.exe	32
PID 2360 wrote to memory of 1100	2360	83100dfa8b8c885e6994d9a6e3d85960.exe	32
PID 2360 wrote to memory of 1100	2360	83100dfa8b8c885e6994d9a6e3d85960.exe	32
PID 2360 wrote to memory of 1100	2360	83100dfa8b8c885e6994d9a6e3d85960.exe	32
PID 2360 wrote to memory of 2824	2360	83100dfa8b8c885e6994d9a6e3d85960.exe	33
PID 2360 wrote to memory of 2824	2360	83100dfa8b8c885e6994d9a6e3d85960.exe	33
PID 2360 wrote to memory of 2824	2360	83100dfa8b8c885e6994d9a6e3d85960.exe	33
PID 2360 wrote to memory of 2824	2360	83100dfa8b8c885e6994d9a6e3d85960.exe	33
PID 2360 wrote to memory of 2432	2360	83100dfa8b8c885e6994d9a6e3d85960.exe	34
PID 2360 wrote to memory of 2432	2360	83100dfa8b8c885e6994d9a6e3d85960.exe	34
PID 2360 wrote to memory of 2432	2360	83100dfa8b8c885e6994d9a6e3d85960.exe	34
PID 2360 wrote to memory of 2432	2360	83100dfa8b8c885e6994d9a6e3d85960.exe	34
PID 2360 wrote to memory of 2432	2360	83100dfa8b8c885e6994d9a6e3d85960.exe	34
PID 2360 wrote to memory of 2432	2360	83100dfa8b8c885e6994d9a6e3d85960.exe	34
PID 2360 wrote to memory of 2432	2360	83100dfa8b8c885e6994d9a6e3d85960.exe	34
PID 2432 wrote to memory of 2492	2432	update.exe	35
PID 2432 wrote to memory of 2492	2432	update.exe	35
PID 2432 wrote to memory of 2492	2432	update.exe	35
PID 2432 wrote to memory of 2492	2432	update.exe	35
PID 2432 wrote to memory of 2492	2432	update.exe	35
PID 2432 wrote to memory of 2492	2432	update.exe	35
PID 2432 wrote to memory of 2492	2432	update.exe	35
PID 2172 wrote to memory of 2812	2172	backup.exe	36
PID 2172 wrote to memory of 2812	2172	backup.exe	36
PID 2172 wrote to memory of 2812	2172	backup.exe	36
PID 2172 wrote to memory of 2812	2172	backup.exe	36
PID 2812 wrote to memory of 3004	2812	backup.exe	37
PID 2812 wrote to memory of 3004	2812	backup.exe	37
PID 2812 wrote to memory of 3004	2812	backup.exe	37
PID 2812 wrote to memory of 3004	2812	backup.exe	37
PID 2360 wrote to memory of 2776	2360	83100dfa8b8c885e6994d9a6e3d85960.exe	38
PID 2360 wrote to memory of 2776	2360	83100dfa8b8c885e6994d9a6e3d85960.exe	38
PID 2360 wrote to memory of 2776	2360	83100dfa8b8c885e6994d9a6e3d85960.exe	38
PID 2360 wrote to memory of 2776	2360	83100dfa8b8c885e6994d9a6e3d85960.exe	38
PID 2776 wrote to memory of 1592	2776	backup.exe	39
PID 2776 wrote to memory of 1592	2776	backup.exe	39
PID 2776 wrote to memory of 1592	2776	backup.exe	39
PID 2776 wrote to memory of 1592	2776	backup.exe	39
PID 3004 wrote to memory of 2840	3004	backup.exe	40
PID 3004 wrote to memory of 2840	3004	backup.exe	40
PID 3004 wrote to memory of 2840	3004	backup.exe	40
PID 3004 wrote to memory of 2840	3004	backup.exe	40
PID 2360 wrote to memory of 636	2360	83100dfa8b8c885e6994d9a6e3d85960.exe	41
PID 2360 wrote to memory of 636	2360	83100dfa8b8c885e6994d9a6e3d85960.exe	41
PID 2360 wrote to memory of 636	2360	83100dfa8b8c885e6994d9a6e3d85960.exe	41
PID 2360 wrote to memory of 636	2360	83100dfa8b8c885e6994d9a6e3d85960.exe	41
PID 2812 wrote to memory of 2264	2812	backup.exe	42
PID 2812 wrote to memory of 2264	2812	backup.exe	42

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	83100dfa8b8c885e6994d9a6e3d85960.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	83100dfa8b8c885e6994d9a6e3d85960.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe

C:\Users\Admin\AppData\Local\Temp\83100dfa8b8c885e6994d9a6e3d85960.exe
"C:\Users\Admin\AppData\Local\Temp\83100dfa8b8c885e6994d9a6e3d85960.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2360
- C:\Users\Admin\AppData\Local\Temp\669598473\backup.exe
  C:\Users\Admin\AppData\Local\Temp\669598473\backup.exe C:\Users\Admin\AppData\Local\Temp\669598473\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2172
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2812
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:3004
    - - C:\PerfLogs\Admin\backup.exe
        
        C:\PerfLogs\Admin\backup.exe C:\PerfLogs\Admin\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2840
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:2264
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2896
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:784
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1808
      - C:\Program Files\Common Files\Microsoft Shared\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\backup.exe" C:\Program Files\Common Files\Microsoft Shared\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2160
        
        C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1824
        
        C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:908
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2928
        
        C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:756
        
        C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:896
        
        C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:672
        
        C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1568
        
        C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2092
        
        C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2108
        
        C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2720
        
        C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2592
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2712
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2464
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1516
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2408
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2944
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2968
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2664
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1532
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1944
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1268
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1752
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2356
        
        C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2040
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1816
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:684
        
        C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:576
        
        C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2896
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1640
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1852
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\
        8⤵
        
        PID:844
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\
        8⤵
        
        PID:2044
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\
        8⤵
        
        PID:1192
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\
        8⤵
        
        PID:2988
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\
        8⤵
        
        PID:860
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\
        8⤵
        
        PID:2144
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\
        8⤵
        
        PID:2584
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\
        8⤵
        
        PID:1960
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\
        8⤵
        
        PID:572
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
        7⤵
        
        PID:1676
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\
        8⤵
        
        PID:2560
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\
        8⤵
        
        PID:2444
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\
        8⤵
        
        PID:1592
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\
        8⤵
        
        PID:636
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\
        8⤵
        
        PID:1508
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\
        8⤵
        
        PID:992
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
        7⤵
        
        PID:2456
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\
        8⤵
        
        PID:2648
        
        C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
        7⤵
        
        PID:1312
        
        C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\
        7⤵
        
        PID:2296
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\
        7⤵
        
        PID:1344
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\
        7⤵
        
        PID:1256
        
        C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VC\
        7⤵
        
        PID:2568
        
        C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VGX\
        7⤵
        
        PID:2964
        
        C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\
        7⤵
        
        PID:2620
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        
        PID:1156
      - C:\Program Files\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\backup.exe" C:\Program Files\Common Files\SpeechEngines\
        6⤵
        
        PID:3020
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        
        PID:2196
    - - C:\Program Files\DVD Maker\backup.exe
        
        "C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\
        5⤵
        
        PID:2308
      - C:\Program Files\DVD Maker\de-DE\backup.exe
        
        "C:\Program Files\DVD Maker\de-DE\backup.exe" C:\Program Files\DVD Maker\de-DE\
        6⤵
        
        PID:3008
      - C:\Program Files\DVD Maker\en-US\backup.exe
        
        "C:\Program Files\DVD Maker\en-US\backup.exe" C:\Program Files\DVD Maker\en-US\
        6⤵
        
        PID:576
      - C:\Program Files\DVD Maker\es-ES\backup.exe
        
        "C:\Program Files\DVD Maker\es-ES\backup.exe" C:\Program Files\DVD Maker\es-ES\
        6⤵
        
        PID:1160
      - C:\Program Files\DVD Maker\fr-FR\backup.exe
        
        "C:\Program Files\DVD Maker\fr-FR\backup.exe" C:\Program Files\DVD Maker\fr-FR\
        6⤵
        
        PID:3000
      - C:\Program Files\DVD Maker\it-IT\backup.exe
        
        "C:\Program Files\DVD Maker\it-IT\backup.exe" C:\Program Files\DVD Maker\it-IT\
        6⤵
        
        PID:1984
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        
        PID:1664
      - C:\Program Files\Google\Chrome\backup.exe
        
        "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
        6⤵
        
        PID:1040
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        
        PID:2356
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        
        PID:2032
    - - C:\Program Files\Microsoft Games\backup.exe
        
        "C:\Program Files\Microsoft Games\backup.exe" C:\Program Files\Microsoft Games\
        5⤵
        
        PID:2876
    - - C:\Program Files\Microsoft Office\backup.exe
        
        "C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
        5⤵
        
        PID:1944
    - - C:\Program Files\Mozilla Firefox\backup.exe
        
        "C:\Program Files\Mozilla Firefox\backup.exe" C:\Program Files\Mozilla Firefox\
        5⤵
        
        PID:1380
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:1880
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        
        PID:1040
      - C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\
        6⤵
        
        PID:700
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\
        7⤵
        
        PID:2748
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\
        7⤵
        
        PID:2116
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\
        8⤵
        
        PID:2556
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\
        8⤵
        
        PID:1612
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\
        8⤵
        
        PID:2904
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\
        8⤵
        
        PID:1856
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\
        8⤵
        
        PID:2156
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\
        8⤵
        
        PID:540
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\
        8⤵
        
        PID:1516
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\
        8⤵
        
        PID:2384
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\
        7⤵
        
        PID:2792
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\
        8⤵
        
        PID:2816
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\
        8⤵
        
        PID:1124
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\
        8⤵
        
        PID:1648
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\
        8⤵
        
        PID:2452
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\
        8⤵
        
        PID:1596
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\
        7⤵
        
        PID:2892
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        
        PID:2512
    - - C:\Program Files (x86)\Google\update.exe
        
        "C:\Program Files (x86)\Google\update.exe" C:\Program Files (x86)\Google\
        5⤵
        
        PID:1140
    - - C:\Program Files (x86)\Internet Explorer\System Restore.exe
        
        "C:\Program Files (x86)\Internet Explorer\System Restore.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        
        PID:3032
    - - C:\Program Files (x86)\Microsoft Analysis Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\
        5⤵
        
        PID:2640
    - - C:\Program Files (x86)\Microsoft Office\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\backup.exe" C:\Program Files (x86)\Microsoft Office\
        5⤵
        
        PID:2896
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      PID:2884
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        
        PID:2412
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      PID:2124
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3032
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2536
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2728
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1100
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2824
- C:\Users\Admin\AppData\Local\Temp\scoped_dir2792_1904683742\update.exe
  C:\Users\Admin\AppData\Local\Temp\scoped_dir2792_1904683742\update.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir2792_1904683742\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2432
- - C:\Users\Admin\AppData\Local\Temp\scoped_dir2792_1904683742\CRX_INSTALL\backup.exe
    C:\Users\Admin\AppData\Local\Temp\scoped_dir2792_1904683742\CRX_INSTALL\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir2792_1904683742\CRX_INSTALL\
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:2492
- C:\Users\Admin\AppData\Local\Temp\scoped_dir2792_66564878\backup.exe
  C:\Users\Admin\AppData\Local\Temp\scoped_dir2792_66564878\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir2792_66564878\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2776
- - C:\Users\Admin\AppData\Local\Temp\scoped_dir2792_66564878\CRX_INSTALL\backup.exe
    C:\Users\Admin\AppData\Local\Temp\scoped_dir2792_66564878\CRX_INSTALL\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir2792_66564878\CRX_INSTALL\
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:1592
- C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
  C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\backup.exe

Filesize
85KB

MD5
f58f0f6d781aa33887df85a8fa746104

SHA1
2862e4d2ae06f5af7efe7eed205dc79d03cc17d2

SHA256
e981b6574e45ac9ad38f1e68b125b14a3cd426acb462df65743c4dcaa2147564

SHA512
b537f42714c1dd93c39088ca45c56e476e79d8140bef9a2601345947eb9082c19dff5be24087987287a3e5cd244141f1c4aea6a361c7e5c2b710b14852de1d01

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2792_66564878\CRX_INSTALL\backup.exe

Filesize
85KB

MD5
9529ba00d14dd586c5d6989c6bb80ef9

SHA1
518dac7371004ee3a9c3b648eff56c2f8820347e

SHA256
0fa9da7cdf5013285e190b2cd76e19fae4080399bf91255a1d231416b0db3a96

SHA512
def4dfaacc541bb2f9a6a2e291eedea788c3ecb8ab055b8c8c602c5d5792c530fd7088649e577655ce5f710b7a21d017df8c17fc3488ac81c7828149c84a9cf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.zip

Filesize
22B

MD5
76cdb2bad9582d23c1f6f4d868218d6c

SHA1
b04f3ee8f5e43fa3b162981b50bb72fe1acabb33

SHA256
8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85

SHA512
5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.zip

Filesize
33KB

MD5
42e29bfeea34b28ffc00f75713a03fc1

SHA1
5665bf757207cb851317794477a6bb803f6fbda9

SHA256
f43ab5a1505a1df5a2cb04ab506cd3f583aa3ef4abd2a00bc95906114e42c6a8

SHA512
2b6975a82406661f9c6243a722539599eed51bb07661761a727041bab33a0574cafafa984939489a26d5706ee7e84c18b11eca60abfd5afefc7052bb0a2099ed

Download Submit
C:\backup.exe

Filesize
85KB

MD5
ee40d73734f2f8f7a09e4edb231d308f

SHA1
8a3d9d2d0f0750b4723e6ca0ad3b45ff3c39b44d

SHA256
f64921e29b773ec6282695f3f52a6529e01e072f651cc41d6ef7b5e5fc1d0a00

SHA512
28ea8d8c69f508b6de7cb4e6376dbe9b739934dff79bf329f3c55927dcb1ac8e579ef481d29133cc98599660ce34ca7847fcc2e76db25e366c1452d81bccc287

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
85KB

MD5
caca063c31b9ee083b2859b82eb0117e

SHA1
c9f6ce9f5da6f3863e154371fe939dc4c5baac68

SHA256
7fdc6382d75683b0ffe733aeb9fc88e11fcd4dfb96526aaa56d490ef8fe12aad

SHA512
f81aa2dfdefde3825df47cb48802dd13942e3badb85e9faed27ac9b82f9fd46f45266f092b5827f33a839252d4ffa322a99720af2c9f41645e280971cb9226dd

Download Submit
\PerfLogs\backup.exe

Filesize
85KB

MD5
8af4a1d4a3c2522aa463b18d1c4be57b

SHA1
ed943c03fec25788add2b6e8b0510682147ddc5f

SHA256
10e318078d8c9b3157669a8376b21a889ad4bae7ce41b38ddc029a9a385028be

SHA512
68b6f6f7844a84748bb2a58dcde933645d30bb61b290bde0143133c07c969469e6f15f42c4a7cb658bc2958aff8d827b755176d70f6cd7896731b6ba9c0b76b0

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
85KB

MD5
52539ceae462d7baf55c162b3831cd5a

SHA1
52c89438e9a530123e544ae1cf136f54557a6a3a

SHA256
d8b62ea4bd429a84e396d90bdeb565d73869db29339adef98ebce0243321fc1e

SHA512
6f174ae0c1bb2d3c9e35b806c6efbbb7b1304f0b4a462f524f2237797f57ab254495c96a3fe84e2830a186701639c02f3a74abc471c369b8972ee867b58b83c4

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
85KB

MD5
896c352944e3a56be3baaddda3994a92

SHA1
fa21aa04b9b8b5d5e4f570fc07dd1aa63aa366e3

SHA256
95d54bd4f484a760fb92eb91a05d39f5032ba4fde09f2fb6609b5bb7f9501e67

SHA512
687f1478d3e56977fba7498d89d2a2d0dbc183d0314b46e5b4b69e6b446a8c64f73bed74333827ee4dac90a483df45de6fe4032c7d192cedee120db06564d4e5

Download Submit
\Users\Admin\AppData\Local\Temp\669598473\backup.exe

Filesize
85KB

MD5
1f7837f251c22a9c507d23cd569773a4

SHA1
a1deea0ec3d654474729e3f72db66cc6b88659b6

SHA256
c4c3e05a5988a6804705a21e64818d6b0cefc15e53cd57dbd5619fd757db0ac6

SHA512
357f968a9bb9a2cb84de9f3590905ad329024341bff22231f7c4d5fc54d5e79835759fd3862e1bcbbf346369d017217254a54976065390f5f716307584ba105a

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
85KB

MD5
09f80d47b11c03a52bbcaed617d79400

SHA1
838c18a6ac80430a9007fbb9a51bf1375f80eedd

SHA256
6d3a0dbc2d668b939067ec37f3fa298e5cfc4ce9629a25317a80ddbd16c7533b

SHA512
8f6fdc45f8e4df6bd17e8ebbdb1ef5f1747b1c6aa3cc69697580bb89f0a26e57d00485f5f8944c57dc38b1c010f351806a2e5c0f963309ceb5041e108b69cdda

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
85KB

MD5
7180149eb55e4710da016685a1f8d933

SHA1
b6dd09ac1e592325846efaa03d5798bc32e4594b

SHA256
5a7320a1b3221a4cda904bab7289079167fbb57e1b3ce685247729b8f67264a6

SHA512
12a476c2493be9dc7cc54d0834a2b6389da0841827b369ae74d2c2e2edbe7d00ce11f35bec205f23fff3ece3b17eadedee900f527add583e4469a57ae4e895e0

Download Submit
\Users\Admin\AppData\Local\Temp\scoped_dir2792_1904683742\CRX_INSTALL\backup.exe

Filesize
85KB

MD5
4fed78df8401baa5bf90a8ced642097c

SHA1
c4155b4e44201d05fc5e57b0ac74668d4c80bf7c

SHA256
fab9f3c9f84763083e677bd1b0880cd7472d5d831904c4c98d2fb7b96c30ea26

SHA512
20817f5b2b1370a97df83041e6be2cece3269030da6beb05e18793a59731938aa8b690a2ffae691119675d374f55dbf5f0786d34f1295cf34a11e5f031c792b4

Download Submit
\Users\Admin\AppData\Local\Temp\scoped_dir2792_66564878\backup.exe

Filesize
85KB

MD5
74e77c9c7913b124a904ecdbd8521006

SHA1
8bda2c762bb6a72c52bbade037b76249704f2b5c

SHA256
635502b251b1789c390c959a914f5156748414dc3d5b49613f97f9e959986e96

SHA512
556fd70f729a669d400e944165acd52722391c168479ed9bfc8b5f37254e66c3a2d82f33129bc1c58dc6e3b7592e6a0aeb54fe20ed075db878b9f881febc26d2

Download Submit
memory/636-208-0x0000000000400000-0x000000000041B314-memory.dmp

Filesize
108KB

Download
memory/784-229-0x0000000000400000-0x000000000041B314-memory.dmp

Filesize
108KB

Download
memory/908-307-0x0000000000390000-0x00000000003AC000-memory.dmp

Filesize
112KB

Download
memory/908-297-0x0000000000390000-0x00000000003AC000-memory.dmp

Filesize
112KB

Download
memory/908-308-0x0000000000390000-0x00000000003AC000-memory.dmp

Filesize
112KB

Download
memory/908-296-0x0000000000390000-0x00000000003AC000-memory.dmp

Filesize
112KB

Download
memory/1100-60-0x0000000000400000-0x000000000041B314-memory.dmp

Filesize
108KB

Download
memory/1592-181-0x0000000000400000-0x000000000041B314-memory.dmp

Filesize
108KB

Download
memory/1592-165-0x0000000000400000-0x000000000041B314-memory.dmp

Filesize
108KB

Download
memory/1808-260-0x00000000002B0000-0x00000000002CC000-memory.dmp

Filesize
112KB

Download
memory/1808-258-0x00000000002B0000-0x00000000002CC000-memory.dmp

Filesize
112KB

Download
memory/1824-282-0x0000000000400000-0x000000000041B314-memory.dmp

Filesize
108KB

Download
memory/2160-288-0x00000000005B0000-0x00000000005CC000-memory.dmp

Filesize
112KB

Download
memory/2160-262-0x0000000000400000-0x000000000041B314-memory.dmp

Filesize
108KB

Download
memory/2160-270-0x00000000005B0000-0x00000000005CC000-memory.dmp

Filesize
112KB

Download
memory/2172-112-0x00000000007C0000-0x00000000007DC000-memory.dmp

Filesize
112KB

Download
memory/2172-218-0x00000000007C0000-0x00000000007DC000-memory.dmp

Filesize
112KB

Download
memory/2172-212-0x00000000007C0000-0x00000000007DC000-memory.dmp

Filesize
112KB

Download
memory/2172-75-0x0000000000400000-0x000000000041B314-memory.dmp

Filesize
108KB

Download
memory/2172-110-0x00000000007C0000-0x00000000007DC000-memory.dmp

Filesize
112KB

Download
memory/2264-306-0x0000000000290000-0x00000000002AC000-memory.dmp

Filesize
112KB

Download
memory/2264-287-0x0000000000400000-0x000000000041B314-memory.dmp

Filesize
108KB

Download
memory/2264-238-0x0000000000290000-0x00000000002AC000-memory.dmp

Filesize
112KB

Download
memory/2264-205-0x0000000000290000-0x00000000002AC000-memory.dmp

Filesize
112KB

Download
memory/2360-76-0x0000000001D70000-0x0000000001D8C000-memory.dmp

Filesize
112KB

Download
memory/2360-69-0x0000000000400000-0x000000000041B314-memory.dmp

Filesize
108KB

Download
memory/2360-269-0x0000000001D70000-0x0000000001D8C000-memory.dmp

Filesize
112KB

Download
memory/2360-123-0x0000000001D70000-0x0000000001D8C000-memory.dmp

Filesize
112KB

Download
memory/2360-0-0x0000000000400000-0x000000000041B314-memory.dmp

Filesize
108KB

Download
memory/2360-13-0x0000000001D70000-0x0000000001D8C000-memory.dmp

Filesize
112KB

Download
memory/2360-7-0x0000000001D70000-0x0000000001D8C000-memory.dmp

Filesize
112KB

Download
memory/2360-245-0x0000000002DC0000-0x0000000002DC1000-memory.dmp

Filesize
4KB

Download
memory/2360-176-0x0000000001D70000-0x0000000001D8C000-memory.dmp

Filesize
112KB

Download
memory/2360-160-0x0000000001D70000-0x0000000001D8C000-memory.dmp

Filesize
112KB

Download
memory/2432-101-0x0000000000310000-0x000000000032C000-memory.dmp

Filesize
112KB

Download
memory/2432-134-0x0000000000400000-0x000000000041B314-memory.dmp

Filesize
108KB

Download
memory/2432-85-0x0000000000020000-0x000000000003C000-memory.dmp

Filesize
112KB

Download
memory/2492-137-0x0000000000400000-0x000000000041B314-memory.dmp

Filesize
108KB

Download
memory/2536-36-0x0000000000400000-0x000000000041B314-memory.dmp

Filesize
108KB

Download
memory/2536-268-0x0000000000400000-0x000000000041B314-memory.dmp

Filesize
108KB

Download
memory/2536-96-0x0000000000400000-0x000000000041B314-memory.dmp

Filesize
108KB

Download
memory/2728-49-0x0000000000400000-0x000000000041B314-memory.dmp

Filesize
108KB

Download
memory/2776-177-0x0000000000400000-0x000000000041B314-memory.dmp

Filesize
108KB

Download
memory/2776-153-0x00000000002D0000-0x00000000002EC000-memory.dmp

Filesize
112KB

Download
memory/2776-162-0x00000000002D0000-0x00000000002EC000-memory.dmp

Filesize
112KB

Download
memory/2812-132-0x00000000003E0000-0x00000000003FC000-memory.dmp

Filesize
112KB

Download
memory/2812-232-0x00000000003E0000-0x00000000003FC000-memory.dmp

Filesize
112KB

Download
memory/2812-225-0x00000000003E0000-0x00000000003FC000-memory.dmp

Filesize
112KB

Download
memory/2812-221-0x0000000000400000-0x000000000041B314-memory.dmp

Filesize
108KB

Download
memory/2812-190-0x00000000003E0000-0x00000000003FC000-memory.dmp

Filesize
112KB

Download
memory/2812-189-0x00000000003E0000-0x00000000003FC000-memory.dmp

Filesize
112KB

Download
memory/2812-113-0x0000000000400000-0x000000000041B314-memory.dmp

Filesize
108KB

Download
memory/2812-286-0x00000000003E0000-0x00000000003FC000-memory.dmp

Filesize
112KB

Download
memory/2812-118-0x00000000003E0000-0x00000000003FC000-memory.dmp

Filesize
112KB

Download
memory/2824-72-0x0000000000400000-0x000000000041B314-memory.dmp

Filesize
108KB

Download
memory/2840-186-0x0000000000400000-0x000000000041B314-memory.dmp

Filesize
108KB

Download
memory/2840-167-0x0000000000400000-0x000000000041B314-memory.dmp

Filesize
108KB

Download
memory/2896-227-0x0000000000290000-0x00000000002AC000-memory.dmp

Filesize
112KB

Download
memory/2896-237-0x0000000000400000-0x000000000041B314-memory.dmp

Filesize
108KB

Download
memory/2896-226-0x0000000000290000-0x00000000002AC000-memory.dmp

Filesize
112KB

Download
memory/2928-301-0x0000000000400000-0x000000000041B314-memory.dmp

Filesize
108KB

Download
memory/3004-166-0x0000000000310000-0x000000000032C000-memory.dmp

Filesize
112KB

Download
memory/3004-188-0x0000000000400000-0x000000000041B314-memory.dmp

Filesize
108KB

Download
memory/3032-29-0x0000000000400000-0x000000000041B314-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads