Analysis

  • max time kernel
    152s
  • max time network
    35s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64 arch:x86 image:win7-20221111-en locale:en-us os:windows7-x64 system
  • submitted
    29/11/2022, 13:54

General

  • Target

    aa288f29f3adc0a975dbfa41604d0bd2ed9e96ceb57f35cece44c972ec427aaf.exe

  • Size

    72KB

  • MD5

    330cd0826e5c477bb952ac637e605a00

  • SHA1

    f5bae314b8380c1e1cd307e542785f62c1d8755c

  • SHA256

    aa288f29f3adc0a975dbfa41604d0bd2ed9e96ceb57f35cece44c972ec427aaf

  • SHA512

    3b48c0386bcb517fdafb28804ba3f291a0bcddf9c5917a0e697add28cd25a84793ee68ff063a2af04b07d6ad0433c2dc83775bf420067666148a241d26d59aff

  • SSDEEP

    384:i6wayA+1mwnA353BXR+oGfP5d/ZBHXME+l93qPAqee/w6yJ/wWD+S83BXR+oGf2Q:ipQNwC3BEddsEqOt/hyJF+x3BEJwRrs

Score
10/10

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 58 IoCs
  • Disables RegEdit via registry modification 64 IoCs
  • Executes dropped EXE 64 IoCs
  • Loads dropped DLL 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\aa288f29f3adc0a975dbfa41604d0bd2ed9e96ceb57f35cece44c972ec427aaf.exe
    "C:\Users\Admin\AppData\Local\Temp\aa288f29f3adc0a975dbfa41604d0bd2ed9e96ceb57f35cece44c972ec427aaf.exe"
    1⤵
    • Modifies visibility of file extensions in Explorer
    • Disables RegEdit via registry modification
    • Loads dropped DLL
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1188
    • C:\Users\Admin\AppData\Local\Temp\1454186580\backup.exe
      C:\Users\Admin\AppData\Local\Temp\1454186580\backup.exe C:\Users\Admin\AppData\Local\Temp\1454186580\
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1256
      • C:\backup.exe
        \backup.exe \
        3⤵
        • Modifies visibility of file extensions in Explorer
        • Disables RegEdit via registry modification
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:788
        • C:\PerfLogs\backup.exe
          C:\PerfLogs\backup.exe C:\PerfLogs\
          4⤵
          • Modifies visibility of file extensions in Explorer
          • Disables RegEdit via registry modification
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:1304
          • C:\PerfLogs\Admin\backup.exe
            C:\PerfLogs\Admin\backup.exe C:\PerfLogs\Admin\
            5⤵
            • Modifies visibility of file extensions in Explorer
            • Disables RegEdit via registry modification
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            • System policy modification
            PID:384
        • C:\Program Files\backup.exe
          "C:\Program Files\backup.exe" C:\Program Files\
          4⤵
          • Modifies visibility of file extensions in Explorer
          • Disables RegEdit via registry modification
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in Program Files directory
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:1960
          • C:\Program Files\7-Zip\backup.exe
            "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
            5⤵
            • Modifies visibility of file extensions in Explorer
            • Disables RegEdit via registry modification
            • Executes dropped EXE
            • Loads dropped DLL
            • Drops file in Program Files directory
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            • System policy modification
            PID:1516
            • C:\Program Files\7-Zip\Lang\backup.exe
              "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
              6⤵
              • Modifies visibility of file extensions in Explorer
              • Disables RegEdit via registry modification
              • Executes dropped EXE
              • Suspicious use of SetWindowsHookEx
              • System policy modification
              PID:1076
          • C:\Program Files\Common Files\backup.exe
            "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
            5⤵
            • Modifies visibility of file extensions in Explorer
            • Disables RegEdit via registry modification
            • Executes dropped EXE
            • Loads dropped DLL
            • Drops file in Program Files directory
            • Suspicious use of SetWindowsHookEx
            • System policy modification
            PID:1396
            • C:\Program Files\Common Files\Microsoft Shared\backup.exe
              "C:\Program Files\Common Files\Microsoft Shared\backup.exe" C:\Program Files\Common Files\Microsoft Shared\
              6⤵
              • Modifies visibility of file extensions in Explorer
              • Disables RegEdit via registry modification
              • Executes dropped EXE
              • Loads dropped DLL
              • Drops file in Program Files directory
              • Suspicious use of SetWindowsHookEx
              • System policy modification
              PID:848
              • C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
                "C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
                7⤵
                • Modifies visibility of file extensions in Explorer
                • Disables RegEdit via registry modification
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                • System policy modification
                PID:1464
              • C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
                "C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
                7⤵
                • Modifies visibility of file extensions in Explorer
                • Executes dropped EXE
                • Loads dropped DLL
                • Drops file in Program Files directory
                • Suspicious use of SetWindowsHookEx
                • System policy modification
                PID:1264
                • C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe
                  "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
                  8⤵
                  • Modifies visibility of file extensions in Explorer
                  • Disables RegEdit via registry modification
                  • Executes dropped EXE
                  • Suspicious use of SetWindowsHookEx
                  • System policy modification
                  PID:1788
                • C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
                  "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
                  8⤵
                  • Modifies visibility of file extensions in Explorer
                  • Executes dropped EXE
                  • Suspicious use of SetWindowsHookEx
                  PID:992
                • C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe
                  "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
                  8⤵
                  • Modifies visibility of file extensions in Explorer
                  • Disables RegEdit via registry modification
                  • Executes dropped EXE
                  • Suspicious use of SetWindowsHookEx
                  • System policy modification
                  PID:1580
                • C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe
                  "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
                  8⤵
                  • Modifies visibility of file extensions in Explorer
                  • Disables RegEdit via registry modification
                  • Executes dropped EXE
                  • Suspicious use of SetWindowsHookEx
                  • System policy modification
                  PID:616
                • C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe
                  "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
                  8⤵
                  • Modifies visibility of file extensions in Explorer
                  • Disables RegEdit via registry modification
                  • Executes dropped EXE
                  • Suspicious use of SetWindowsHookEx
                  PID:1312
                • C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe
                  "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
                  8⤵
                  • Modifies visibility of file extensions in Explorer
                  • Disables RegEdit via registry modification
                  • Executes dropped EXE
                  • Suspicious use of SetWindowsHookEx
                  • System policy modification
                  PID:1116
                • C:\Program Files\Common Files\Microsoft Shared\ink\en-US\update.exe
                  "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
                  8⤵
                  • Executes dropped EXE
                  • Suspicious use of SetWindowsHookEx
                  PID:976
                • C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe
                  "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
                  8⤵
                  • Modifies visibility of file extensions in Explorer
                  • Disables RegEdit via registry modification
                  • Executes dropped EXE
                  • Suspicious use of SetWindowsHookEx
                  PID:572
                • C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe
                  "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
                  8⤵
                  • Modifies visibility of file extensions in Explorer
                  • Disables RegEdit via registry modification
                  • Executes dropped EXE
                  • Suspicious use of SetWindowsHookEx
                  • System policy modification
                  PID:528
                • C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe
                  "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\
                  8⤵
                  • Executes dropped EXE
                  • Suspicious use of SetWindowsHookEx
                  PID:784
                • C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
                  "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\
                  8⤵
                    PID:1596
                • C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe
                  "C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
                  7⤵
                  • Modifies visibility of file extensions in Explorer
                  • Disables RegEdit via registry modification
                  • Executes dropped EXE
                  • Drops file in Program Files directory
                  • Suspicious use of SetWindowsHookEx
                  • System policy modification
                  PID:744
                  • C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe
                    "C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\
                    8⤵
                    • Suspicious use of SetWindowsHookEx
                    PID:1864
                  • C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
                    "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\
                    8⤵
                      PID:1708
                  • C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe
                    "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
                    7⤵
                      PID:900
                  • C:\Program Files\Common Files\Services\backup.exe
                    "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
                    6⤵
                    • Modifies visibility of file extensions in Explorer
                    • Disables RegEdit via registry modification
                    • Executes dropped EXE
                    • Suspicious use of SetWindowsHookEx
                    PID:1788
                  • C:\Program Files\Common Files\SpeechEngines\backup.exe
                    "C:\Program Files\Common Files\SpeechEngines\backup.exe" C:\Program Files\Common Files\SpeechEngines\
                    6⤵
                    • Executes dropped EXE
                    • Suspicious use of SetWindowsHookEx
                    PID:1868
                  • C:\Program Files\Common Files\System\backup.exe
                    "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
                    6⤵
                      PID:792
                  • C:\Program Files\DVD Maker\backup.exe
                    "C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\
                    5⤵
                    • Modifies visibility of file extensions in Explorer
                    • Disables RegEdit via registry modification
                    • Executes dropped EXE
                    • Drops file in Program Files directory
                    • Suspicious use of SetWindowsHookEx
                    • System policy modification
                    PID:1816
                    • C:\Program Files\DVD Maker\de-DE\backup.exe
                      "C:\Program Files\DVD Maker\de-DE\backup.exe" C:\Program Files\DVD Maker\de-DE\
                      6⤵
                      • Modifies visibility of file extensions in Explorer
                      • Disables RegEdit via registry modification
                      • Executes dropped EXE
                      • Suspicious use of SetWindowsHookEx
                      • System policy modification
                      PID:1312
                    • C:\Program Files\DVD Maker\en-US\backup.exe
                      "C:\Program Files\DVD Maker\en-US\backup.exe" C:\Program Files\DVD Maker\en-US\
                      6⤵
                      • Modifies visibility of file extensions in Explorer
                      • Disables RegEdit via registry modification
                      • Executes dropped EXE
                      • Suspicious use of SetWindowsHookEx
                      • System policy modification
                      PID:2000
                    • C:\Program Files\DVD Maker\es-ES\backup.exe
                      "C:\Program Files\DVD Maker\es-ES\backup.exe" C:\Program Files\DVD Maker\es-ES\
                      6⤵
                        PID:2024
                    • C:\Program Files\Google\backup.exe
                      "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
                      5⤵
                        PID:1592
                      • C:\Program Files\Internet Explorer\backup.exe
                        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
                        5⤵
                          PID:1992
                      • C:\Program Files (x86)\backup.exe
                        "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
                        4⤵
                        • Modifies visibility of file extensions in Explorer
                        • Disables RegEdit via registry modification
                        • Executes dropped EXE
                        • Loads dropped DLL
                        • Drops file in Program Files directory
                        • Suspicious use of SetWindowsHookEx
                        • Suspicious use of WriteProcessMemory
                        • System policy modification
                        PID:1536
                        • C:\Program Files (x86)\Adobe\backup.exe
                          "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
                          5⤵
                          • Modifies visibility of file extensions in Explorer
                          • Executes dropped EXE
                          • Loads dropped DLL
                          • Drops file in Program Files directory
                          • Suspicious use of SetWindowsHookEx
                          • Suspicious use of WriteProcessMemory
                          PID:1980
                          • C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe
                            "C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\
                            6⤵
                            • Modifies visibility of file extensions in Explorer
                            • Disables RegEdit via registry modification
                            • Executes dropped EXE
                            • Loads dropped DLL
                            • Drops file in Program Files directory
                            • Suspicious use of SetWindowsHookEx
                            • System policy modification
                            PID:1204
                            • C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe
                              "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\
                              7⤵
                              • Modifies visibility of file extensions in Explorer
                              • Executes dropped EXE
                              • Suspicious use of SetWindowsHookEx
                              • System policy modification
                              PID:1744
                            • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\data.exe
                              "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\data.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\
                              7⤵
                              • Modifies visibility of file extensions in Explorer
                              • Disables RegEdit via registry modification
                              • Executes dropped EXE
                              • Loads dropped DLL
                              • Drops file in Program Files directory
                              • Suspicious use of SetWindowsHookEx
                              • System policy modification
                              PID:1216
                              • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe
                                "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\
                                8⤵
                                • Modifies visibility of file extensions in Explorer
                                • Disables RegEdit via registry modification
                                • Executes dropped EXE
                                • Suspicious use of SetWindowsHookEx
                                • System policy modification
                                PID:556
                              • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe
                                "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\
                                8⤵
                                • Modifies visibility of file extensions in Explorer
                                • Disables RegEdit via registry modification
                                • Executes dropped EXE
                                • Suspicious use of SetWindowsHookEx
                                PID:752
                              • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe
                                "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\
                                8⤵
                                • Modifies visibility of file extensions in Explorer
                                • Disables RegEdit via registry modification
                                • Executes dropped EXE
                                • Suspicious use of SetWindowsHookEx
                                • System policy modification
                                PID:1672
                              • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\data.exe
                                "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\data.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\
                                8⤵
                                • Modifies visibility of file extensions in Explorer
                                • Disables RegEdit via registry modification
                                • Executes dropped EXE
                                • Loads dropped DLL
                                • Drops file in Program Files directory
                                • Suspicious use of SetWindowsHookEx
                                • System policy modification
                                PID:1724
                                • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe
                                  "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\
                                  9⤵
                                  • Modifies visibility of file extensions in Explorer
                                  • Disables RegEdit via registry modification
                                  • Executes dropped EXE
                                  • Suspicious use of SetWindowsHookEx
                                  PID:1888
                              • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe
                                "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\
                                8⤵
                                • Modifies visibility of file extensions in Explorer
                                • Disables RegEdit via registry modification
                                • Executes dropped EXE
                                • Suspicious use of SetWindowsHookEx
                                • System policy modification
                                PID:292
                              • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\System Restore.exe
                                "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\System Restore.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\
                                8⤵
                                • Modifies visibility of file extensions in Explorer
                                • Executes dropped EXE
                                • Drops file in Program Files directory
                                • Suspicious use of SetWindowsHookEx
                                • System policy modification
                                PID:1864
                                • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe
                                  "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\
                                  9⤵
                                  • Modifies visibility of file extensions in Explorer
                                  • Disables RegEdit via registry modification
                                  • Executes dropped EXE
                                  • Suspicious use of SetWindowsHookEx
                                  • System policy modification
                                  PID:784
                              • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe
                                "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\
                                8⤵
                                • Modifies visibility of file extensions in Explorer
                                • Disables RegEdit via registry modification
                                • Executes dropped EXE
                                • Suspicious use of SetWindowsHookEx
                                • System policy modification
                                PID:1156
                              • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe
                                "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\
                                8⤵
                                • Modifies visibility of file extensions in Explorer
                                • Executes dropped EXE
                                • Drops file in Program Files directory
                                • Suspicious use of SetWindowsHookEx
                                PID:1664
                                • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe
                                  "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\
                                  9⤵
                                  • Modifies visibility of file extensions in Explorer
                                  • Disables RegEdit via registry modification
                                  • Executes dropped EXE
                                  • Drops file in Program Files directory
                                  • Suspicious use of SetWindowsHookEx
                                  PID:1832
                                  • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\backup.exe
                                    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\
                                    10⤵
                                    • Modifies visibility of file extensions in Explorer
                                    • Executes dropped EXE
                                    • Suspicious use of SetWindowsHookEx
                                    PID:972
                                • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe
                                  "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\
                                  9⤵
                                  • Modifies visibility of file extensions in Explorer
                                  • Executes dropped EXE
                                  • Drops file in Program Files directory
                                  • Suspicious use of SetWindowsHookEx
                                  • System policy modification
                                  PID:2004
                                  • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\backup.exe
                                    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\
                                    10⤵
                                    • Modifies visibility of file extensions in Explorer
                                    • Disables RegEdit via registry modification
                                    • Executes dropped EXE
                                    • Drops file in Program Files directory
                                    • Suspicious use of SetWindowsHookEx
                                    • System policy modification
                                    PID:2024
                                    • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe
                                      "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\
                                      11⤵
                                      • Modifies visibility of file extensions in Explorer
                                      • Disables RegEdit via registry modification
                                      • Executes dropped EXE
                                      • Suspicious use of SetWindowsHookEx
                                      PID:1600
                                • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe
                                  "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\
                                  9⤵
                                  • Modifies visibility of file extensions in Explorer
                                  • Disables RegEdit via registry modification
                                  • Executes dropped EXE
                                  • Drops file in Program Files directory
                                  • Suspicious use of SetWindowsHookEx
                                  PID:1748
                                  • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\backup.exe
                                    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\
                                    10⤵
                                    • Modifies visibility of file extensions in Explorer
                                    • Executes dropped EXE
                                    • Suspicious use of SetWindowsHookEx
                                    PID:1916
                                • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe
                                  "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\
                                  9⤵
                                  • Modifies visibility of file extensions in Explorer
                                  • Disables RegEdit via registry modification
                                  • Executes dropped EXE
                                  • Drops file in Program Files directory
                                  • Suspicious use of SetWindowsHookEx
                                  • System policy modification
                                  PID:1196
                                  • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\backup.exe
                                    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\
                                    10⤵
                                    • Modifies visibility of file extensions in Explorer
                                    • Disables RegEdit via registry modification
                                    • Executes dropped EXE
                                    • Suspicious use of SetWindowsHookEx
                                    • System policy modification
                                    PID:384
                              • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe
                                "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\
                                8⤵
                                • Modifies visibility of file extensions in Explorer
                                • Executes dropped EXE
                                • Drops file in Program Files directory
                                • Suspicious use of SetWindowsHookEx
                                • System policy modification
                                PID:1780
                                • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\backup.exe
                                  "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\
                                  9⤵
                                  • Executes dropped EXE
                                  PID:672
                              • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe
                                "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\
                                8⤵
                                  PID:1632
                              • C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe
                                "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\
                                7⤵
                                • Modifies visibility of file extensions in Explorer
                                • Disables RegEdit via registry modification
                                • Executes dropped EXE
                                • Drops file in Program Files directory
                                • Suspicious use of SetWindowsHookEx
                                • System policy modification
                                PID:396
                                • C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe
                                  "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\
                                  8⤵
                                    PID:1688
                                  • C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\update.exe
                                    "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\update.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\
                                    8⤵
                                      PID:1820
                                  • C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe
                                    "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\
                                    7⤵
                                      PID:2012
                                • C:\Program Files (x86)\Common Files\backup.exe
                                  "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
                                  5⤵
                                  • Modifies visibility of file extensions in Explorer
                                  • Disables RegEdit via registry modification
                                  • Executes dropped EXE
                                  • Drops file in Program Files directory
                                  • Suspicious use of SetWindowsHookEx
                                  • System policy modification
                                  PID:1508
                                  • C:\Program Files (x86)\Common Files\Adobe\backup.exe
                                    "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
                                    6⤵
                                    • Executes dropped EXE
                                    • Suspicious use of SetWindowsHookEx
                                    PID:560
                                  • C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe
                                    "C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\
                                    6⤵
                                      PID:1600
                                  • C:\Program Files (x86)\Google\backup.exe
                                    "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
                                    5⤵
                                      PID:1580
                                  • C:\Users\backup.exe
                                    C:\Users\backup.exe C:\Users\
                                    4⤵
                                    • Modifies visibility of file extensions in Explorer
                                    • Disables RegEdit via registry modification
                                    • Executes dropped EXE
                                    • Suspicious use of SetWindowsHookEx
                                    • System policy modification
                                    PID:316
                                    • C:\Users\Admin\backup.exe
                                      C:\Users\Admin\backup.exe C:\Users\Admin\
                                      5⤵
                                      • Executes dropped EXE
                                      PID:1116
                                    • C:\Users\Public\backup.exe
                                      C:\Users\Public\backup.exe C:\Users\Public\
                                      5⤵
                                        PID:1368
                                    • C:\Windows\backup.exe
                                      C:\Windows\backup.exe C:\Windows\
                                      4⤵
                                        PID:1120
                                  • C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
                                    C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
                                    2⤵
                                    • Modifies visibility of file extensions in Explorer
                                    • Disables RegEdit via registry modification
                                    • Executes dropped EXE
                                    • Suspicious use of SetWindowsHookEx
                                    PID:1920
                                  • C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
                                    C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
                                    2⤵
                                    • Executes dropped EXE
                                    • Suspicious use of SetWindowsHookEx
                                    PID:892
                                  • C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
                                    "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
                                    2⤵
                                    • Modifies visibility of file extensions in Explorer
                                    • Disables RegEdit via registry modification
                                    • Executes dropped EXE
                                    • Suspicious use of SetWindowsHookEx
                                    • System policy modification
                                    PID:1728
                                  • C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
                                    "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
                                    2⤵
                                    • Modifies visibility of file extensions in Explorer
                                    • Disables RegEdit via registry modification
                                    • Executes dropped EXE
                                    • Suspicious use of SetWindowsHookEx
                                    • System policy modification
                                    PID:548
                                  • C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
                                    C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
                                    2⤵
                                    • Modifies visibility of file extensions in Explorer
                                    • Disables RegEdit via registry modification
                                    • Executes dropped EXE
                                    • Suspicious use of SetWindowsHookEx
                                    • System policy modification
                                    PID:1224
                                  • C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
                                    C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
                                    2⤵
                                    • Modifies visibility of file extensions in Explorer
                                    • Disables RegEdit via registry modification
                                    • Executes dropped EXE
                                    • Suspicious use of SetWindowsHookEx
                                    • System policy modification
                                    PID:1684

                                Network

                                      MITRE ATT&CK Enterprise v6

                                      Downloads

                                      • C:\PerfLogs\Admin\backup.exe

                                        Filesize

                                        72KB

                                      • C:\PerfLogs\backup.exe

                                        Filesize

                                        72KB

                                      • C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe

                                        Filesize

                                        72KB

                                      • C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe

                                        Filesize

                                        72KB

                                      • C:\Program Files (x86)\Adobe\backup.exe

                                        Filesize

                                        72KB

                                      • C:\Program Files (x86)\backup.exe

                                        Filesize

                                        72KB

                                      • C:\Program Files\7-Zip\Lang\backup.exe

                                        Filesize

                                        72KB

                                      • C:\Program Files\7-Zip\backup.exe

                                        Filesize

                                        72KB

                                      • C:\Program Files\Common Files\backup.exe

                                        Filesize

                                        72KB

                                      • C:\Program Files\backup.exe

                                        Filesize

                                        72KB

                                      • C:\Users\Admin\AppData\Local\Temp\1454186580\backup.exe

                                        Filesize

                                        72KB

                                      • C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

                                        Filesize

                                        72KB

                                      • C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

                                        Filesize

                                        72KB

                                      • C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

                                        Filesize

                                        72KB

                                      • C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

                                        Filesize

                                        72KB

                                      • C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

                                        Filesize

                                        72KB

                                      • C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

                                        Filesize

                                        72KB

                                        MD5

                                        76c5f8c11de7e8ff54d9eb4682713f1e

                                        SHA1

                                        58295bf26962fa7907ce7537a2bc28444aa213c1

                                        SHA256

                                        b7b287ea87c5e43498f86f493e62b7c0f48332dd94043b5f0acc831dd284fc9f

                                        SHA512

                                        e11866702dc81cc86dbedc90e762027fcce5ed3443f5f53758124dd56d5d7aea1b0ea5dc0a9620d94caeecf9a0dea3061ee729f16239267f0683aca5ed5998b2

                                      • C:\backup.exe

                                        Filesize

                                        72KB

                                        MD5

                                        be4091fbc00ef3b9ed5f1029ef0e0dad

                                        SHA1

                                        58a1c3faf1f1abe6411e30f86d2c90b8be7cc38b

                                        SHA256

                                        8ead7a6f4424817a6954e92b7597c67d34f394435442dc1f8aeb6128106f4271

                                        SHA512

                                        362e79b66af56ba8338093a3b6fb77953e2b2691e00d45eafa264f6f1526aa3d25f7cca97e20b3136fb7d9948b0c7f7b084cb3e50d86e51e4b7fda72069f981f

                                      • C:\backup.exe

                                        Filesize

                                        72KB

                                        MD5

                                        be4091fbc00ef3b9ed5f1029ef0e0dad

                                        SHA1

                                        58a1c3faf1f1abe6411e30f86d2c90b8be7cc38b

                                        SHA256

                                        8ead7a6f4424817a6954e92b7597c67d34f394435442dc1f8aeb6128106f4271

                                        SHA512

                                        362e79b66af56ba8338093a3b6fb77953e2b2691e00d45eafa264f6f1526aa3d25f7cca97e20b3136fb7d9948b0c7f7b084cb3e50d86e51e4b7fda72069f981f

                                      • \PerfLogs\Admin\backup.exe

                                        Filesize

                                        72KB

                                        MD5

                                        1d045950018baca408a1662da64c74ef

                                        SHA1

                                        b70f0861faaef0f93105acb8380a14faae545628

                                        SHA256

                                        5be2a920097a40f83f70925522a5870978fcc9731958979f2b3f5cd15d28fa0e

                                        SHA512

                                        435f92145837852d5ad1ca22ce933dba847e5a47b958c0018184f89590e84c4cbc905bc11cca02e6b310104766d8ca8e1c62c6dcdc435c561802bf0ef396f520

                                      • \PerfLogs\Admin\backup.exe

                                        Filesize

                                        72KB

                                        MD5

                                        1d045950018baca408a1662da64c74ef

                                        SHA1

                                        b70f0861faaef0f93105acb8380a14faae545628

                                        SHA256

                                        5be2a920097a40f83f70925522a5870978fcc9731958979f2b3f5cd15d28fa0e

                                        SHA512

                                        435f92145837852d5ad1ca22ce933dba847e5a47b958c0018184f89590e84c4cbc905bc11cca02e6b310104766d8ca8e1c62c6dcdc435c561802bf0ef396f520

                                      • \PerfLogs\backup.exe

                                        Filesize

                                        72KB

                                        MD5

                                        6e443f3bbc74c28bfe4bb6bdfa7ee6d8

                                        SHA1

                                        fb39d8783f9cb03d09baf1f087737538778feebc

                                        SHA256

                                        ca1d120c6d1d211d3cec4c45900a696c1cb7895950097ed2e1d4584812e6ebc7

                                        SHA512

                                        0ad0eb03b00d7ed5564cc09886ed2ea9914c7ce2d184382a91d139e8d188e70942d3e90aa2293676ee3a936a1ef31014612e679240557bf38af49f4754406816

                                      • \PerfLogs\backup.exe

                                        Filesize

                                        72KB

                                        MD5

                                        6e443f3bbc74c28bfe4bb6bdfa7ee6d8

                                        SHA1

                                        fb39d8783f9cb03d09baf1f087737538778feebc

                                        SHA256

                                        ca1d120c6d1d211d3cec4c45900a696c1cb7895950097ed2e1d4584812e6ebc7

                                        SHA512

                                        0ad0eb03b00d7ed5564cc09886ed2ea9914c7ce2d184382a91d139e8d188e70942d3e90aa2293676ee3a936a1ef31014612e679240557bf38af49f4754406816

                                      • \Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe

                                        Filesize

                                        72KB

                                        MD5

                                        a03a381cbbacc7457e484288d0e8faa1

                                        SHA1

                                        5cf7fbf110cf192b6d798a6b32ba6551dc178c25

                                        SHA256

                                        001a1450add82faa1d318dca37ec7fde708e772171619a8147d6c90828564286

                                        SHA512

                                        461286c7e54c9c556e9dee5fd73da2f4474f9a1a20d9528342f6b0fef300df4f9edf17a964d7ed22e6eae24d249ea2df81f6283d4eeb966ab1f3df83f1cf3777

                                      • \Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe

                                        Filesize

                                        72KB

                                        MD5

                                        a03a381cbbacc7457e484288d0e8faa1

                                        SHA1

                                        5cf7fbf110cf192b6d798a6b32ba6551dc178c25

                                        SHA256

                                        001a1450add82faa1d318dca37ec7fde708e772171619a8147d6c90828564286

                                        SHA512

                                        461286c7e54c9c556e9dee5fd73da2f4474f9a1a20d9528342f6b0fef300df4f9edf17a964d7ed22e6eae24d249ea2df81f6283d4eeb966ab1f3df83f1cf3777

                                      • \Program Files (x86)\Adobe\Reader 9.0\Reader\data.exe

                                        Filesize

                                        72KB

                                        MD5

                                        a03a381cbbacc7457e484288d0e8faa1

                                        SHA1

                                        5cf7fbf110cf192b6d798a6b32ba6551dc178c25

                                        SHA256

                                        001a1450add82faa1d318dca37ec7fde708e772171619a8147d6c90828564286

                                        SHA512

                                        461286c7e54c9c556e9dee5fd73da2f4474f9a1a20d9528342f6b0fef300df4f9edf17a964d7ed22e6eae24d249ea2df81f6283d4eeb966ab1f3df83f1cf3777

                                      • \Program Files (x86)\Adobe\Reader 9.0\Reader\data.exe

                                        Filesize

                                        72KB

                                        MD5

                                        a03a381cbbacc7457e484288d0e8faa1

                                        SHA1

                                        5cf7fbf110cf192b6d798a6b32ba6551dc178c25

                                        SHA256

                                        001a1450add82faa1d318dca37ec7fde708e772171619a8147d6c90828564286

                                        SHA512

                                        461286c7e54c9c556e9dee5fd73da2f4474f9a1a20d9528342f6b0fef300df4f9edf17a964d7ed22e6eae24d249ea2df81f6283d4eeb966ab1f3df83f1cf3777

                                      • \Program Files (x86)\Adobe\Reader 9.0\backup.exe

                                        Filesize

                                        72KB

                                        MD5

                                        8ce1ffbb684df67298a098644ba47ce6

                                        SHA1

                                        19ccdbf911ba71fdaf6888fb51142e00cbdbd0e6

                                        SHA256

                                        dda67fcb0411b1bb80cbfdf018d763023ce6cc75957012c779120b1dcbe76659

                                        SHA512

                                        2272b11641da03fc62a6805edbae1976c7be9662275e11c55999180e6aeb78c745a1e1533b3e59481f1fe5991fb87d056f9177d707e27e550c927e64e5525400

                                      • \Program Files (x86)\Adobe\Reader 9.0\backup.exe

                                        Filesize

                                        72KB

                                        MD5

                                        8ce1ffbb684df67298a098644ba47ce6

                                        SHA1

                                        19ccdbf911ba71fdaf6888fb51142e00cbdbd0e6

                                        SHA256

                                        dda67fcb0411b1bb80cbfdf018d763023ce6cc75957012c779120b1dcbe76659

                                        SHA512

                                        2272b11641da03fc62a6805edbae1976c7be9662275e11c55999180e6aeb78c745a1e1533b3e59481f1fe5991fb87d056f9177d707e27e550c927e64e5525400

                                      • \Program Files (x86)\Adobe\backup.exe

                                        Filesize

                                        72KB

                                        MD5

                                        0e21da3c27b072bbb0e11423e48fe8a3

                                        SHA1

                                        6ac63cdd5aef4abb69b3f2dd75e581aa676a83b1

                                        SHA256

                                        c55c29aafeae85261e0e6f3a9d9809e23daef81b37863981647dcdb8fa64f870

                                        SHA512

                                        081319bfc1cfc17f537f9d941b3fff75f23854e8241baa0b4e8f57fec6aaf3a277062ac6afa7e8a5094c5ecc12b794199b6b8f6440b74fd0ebfdd53367f44b0e

                                      • \Program Files (x86)\Adobe\backup.exe

                                        Filesize

                                        72KB

                                        MD5

                                        0e21da3c27b072bbb0e11423e48fe8a3

                                        SHA1

                                        6ac63cdd5aef4abb69b3f2dd75e581aa676a83b1

                                        SHA256

                                        c55c29aafeae85261e0e6f3a9d9809e23daef81b37863981647dcdb8fa64f870

                                        SHA512

                                        081319bfc1cfc17f537f9d941b3fff75f23854e8241baa0b4e8f57fec6aaf3a277062ac6afa7e8a5094c5ecc12b794199b6b8f6440b74fd0ebfdd53367f44b0e

                                      • \Program Files (x86)\backup.exe

                                        Filesize

                                        72KB

                                        MD5

                                        372795d4049587681d16dee187cf51cb

                                        SHA1

                                        c42d5de6cc29be78dfb8aff37aeb920f3edde65d

                                        SHA256

                                        ce53f24bd444c35158dbd4d7eb800c8e2a444100972cef533535f55b97ae8a91

                                        SHA512

                                        39ae1825abb1f8fe8bc3dafa789c3b2f04c2baab5e1a2d1ba9549f11d571d881ee023360683ae3252c9b532b70f563baadc8dbe94b6ed033bb637e2eb246b3d7

                                      • \Program Files (x86)\backup.exe

                                        Filesize

                                        72KB

                                        MD5

                                        372795d4049587681d16dee187cf51cb

                                        SHA1

                                        c42d5de6cc29be78dfb8aff37aeb920f3edde65d

                                        SHA256

                                        ce53f24bd444c35158dbd4d7eb800c8e2a444100972cef533535f55b97ae8a91

                                        SHA512

                                        39ae1825abb1f8fe8bc3dafa789c3b2f04c2baab5e1a2d1ba9549f11d571d881ee023360683ae3252c9b532b70f563baadc8dbe94b6ed033bb637e2eb246b3d7

                                      • \Program Files\7-Zip\Lang\backup.exe

                                        Filesize

                                        72KB

                                        MD5

                                        f19c71775d62219f481dd99ef8249325

                                        SHA1

                                        90985a33df8d6b113cc10509ef8063a63e968fb5

                                        SHA256

                                        065e7af86402a90a2069fda3b674703419aaad93617bd37618805b0e72b2beaf

                                        SHA512

                                        60951e3aed66bf88e2ea65021b6652fc176ae1d4b7abfcacb6b49f9bdf9d02b6752c32b37ad618de4d736db397b5d6e4d22561990004bc34f0bd62c05a6420b9

                                      • \Program Files\7-Zip\Lang\backup.exe

                                        Filesize

                                        72KB

                                        MD5

                                        f19c71775d62219f481dd99ef8249325

                                        SHA1

                                        90985a33df8d6b113cc10509ef8063a63e968fb5

                                        SHA256

                                        065e7af86402a90a2069fda3b674703419aaad93617bd37618805b0e72b2beaf

                                        SHA512

                                        60951e3aed66bf88e2ea65021b6652fc176ae1d4b7abfcacb6b49f9bdf9d02b6752c32b37ad618de4d736db397b5d6e4d22561990004bc34f0bd62c05a6420b9

                                      • \Program Files\7-Zip\backup.exe

                                        Filesize

                                        72KB

                                        MD5

                                        5a78883ec631d05656bd6b6adee86129

                                        SHA1

                                        2ce18885955fabd482e511e105393d76839722ba

                                        SHA256

                                        26810f148dd17c328370f5b9170013e6ef3fcba87f3d0ca3b7819d7431a06755

                                        SHA512

                                        555631a42f6be8cf4f5f5cc402f3905e340634b026b811d6935be0f4f2e740e17d094f55f6a7a66e1d11f9da7efe9d531acdf664a81b982283cf4d54f6efb4a7

                                      • \Program Files\7-Zip\backup.exe

                                        Filesize

                                        72KB

                                        MD5

                                        5a78883ec631d05656bd6b6adee86129

                                        SHA1

                                        2ce18885955fabd482e511e105393d76839722ba

                                        SHA256

                                        26810f148dd17c328370f5b9170013e6ef3fcba87f3d0ca3b7819d7431a06755

                                        SHA512

                                        555631a42f6be8cf4f5f5cc402f3905e340634b026b811d6935be0f4f2e740e17d094f55f6a7a66e1d11f9da7efe9d531acdf664a81b982283cf4d54f6efb4a7

                                      • \Program Files\Common Files\Microsoft Shared\backup.exe

                                        Filesize

                                        72KB

                                        MD5

                                        58df2f3f619d68da42b1c135cd398619

                                        SHA1

                                        23423a4b0cbb78fc5c67d0c072cf467cf97d93fe

                                        SHA256

                                        afedba02eeb2934165fc8d720be5d70e7a87d0a7bdd8113cc63df282d877cf47

                                        SHA512

                                        6d8de72965f50711e29031a6660c1fcf52a17bb9701ce5cc735c9b0f1d1649fe697cf0b59192dad8e130a4feeee4966d27532fb15777047503b6690493b7522f

                                      • \Program Files\Common Files\backup.exe

                                        Filesize

                                        72KB

                                        MD5

                                        5a78883ec631d05656bd6b6adee86129

                                        SHA1

                                        2ce18885955fabd482e511e105393d76839722ba

                                        SHA256

                                        26810f148dd17c328370f5b9170013e6ef3fcba87f3d0ca3b7819d7431a06755

                                        SHA512

                                        555631a42f6be8cf4f5f5cc402f3905e340634b026b811d6935be0f4f2e740e17d094f55f6a7a66e1d11f9da7efe9d531acdf664a81b982283cf4d54f6efb4a7

                                      • \Program Files\Common Files\backup.exe

                                        Filesize

                                        72KB

                                        MD5

                                        5a78883ec631d05656bd6b6adee86129

                                        SHA1

                                        2ce18885955fabd482e511e105393d76839722ba

                                        SHA256

                                        26810f148dd17c328370f5b9170013e6ef3fcba87f3d0ca3b7819d7431a06755

                                        SHA512

                                        555631a42f6be8cf4f5f5cc402f3905e340634b026b811d6935be0f4f2e740e17d094f55f6a7a66e1d11f9da7efe9d531acdf664a81b982283cf4d54f6efb4a7

                                      • \Program Files\backup.exe

                                        Filesize

                                        72KB

                                        MD5

                                        62545e13994aafe839d7f3017aeb45a1

                                        SHA1

                                        bdfad2e673030a43af6cdbd756f06e7c21521be6

                                        SHA256

                                        f5f085c2a495e520e963771341ab94a7b7736e4e38f6ac135bf7242628174375

                                        SHA512

                                        6d1d266d94eddb891337b9ffa06bab91fb3a28533a0e6ed3b8b219db68421f3bac78b0e8abd0aed5a8806097491cc590359b5a9e75b57ee154342b7ad3988bd7

                                      • \Program Files\backup.exe

                                        Filesize

                                        72KB

                                        MD5

                                        62545e13994aafe839d7f3017aeb45a1

                                        SHA1

                                        bdfad2e673030a43af6cdbd756f06e7c21521be6

                                        SHA256

                                        f5f085c2a495e520e963771341ab94a7b7736e4e38f6ac135bf7242628174375

                                        SHA512

                                        6d1d266d94eddb891337b9ffa06bab91fb3a28533a0e6ed3b8b219db68421f3bac78b0e8abd0aed5a8806097491cc590359b5a9e75b57ee154342b7ad3988bd7

                                      • \Users\Admin\AppData\Local\Temp\1454186580\backup.exe

                                        Filesize

                                        72KB

                                        MD5

                                        f5dcaa2215bdbb78d5c1c26f3ca90244

                                        SHA1

                                        003e694393f858e9e5f8d02c2996b6b8d5be8ba9

                                        SHA256

                                        ab13aa495e871f84e067e6320694a505c2f454e3808e29b39ca639b017706d19

                                        SHA512

                                        3329879255c5871ebf94c410a00107e29d733048c3b8613fe0370a14873b52ab3452d2e97246e03046e7b03673837895bbf544d2c55fcba2714a9f8c5de6fb7d

                                      • \Users\Admin\AppData\Local\Temp\1454186580\backup.exe

                                        Filesize

                                        72KB

                                        MD5

                                        f5dcaa2215bdbb78d5c1c26f3ca90244

                                        SHA1

                                        003e694393f858e9e5f8d02c2996b6b8d5be8ba9

                                        SHA256

                                        ab13aa495e871f84e067e6320694a505c2f454e3808e29b39ca639b017706d19

                                        SHA512

                                        3329879255c5871ebf94c410a00107e29d733048c3b8613fe0370a14873b52ab3452d2e97246e03046e7b03673837895bbf544d2c55fcba2714a9f8c5de6fb7d

                                      • \Users\Admin\AppData\Local\Temp\Low\backup.exe

                                        Filesize

                                        72KB

                                        MD5

                                        e471347ff977e0c34ff7fd3bdc5ee679

                                        SHA1

                                        a98dc4857f3a3d2e6664e0b9a1df0fe7671d861a

                                        SHA256

                                        e1ac423d0200bae0a84ff3b1be6ab1a58161cae46973d3fcee7c79b5af63eeb6

                                        SHA512

                                        bcf4dc085297201907a4a08af80ebabcdcc9fc45d13b9b081608268782fb29f715fe1145e10fe6e8981597c0ba2cae86ccce6e3a0bdd89b27562f21a74350fe6

                                      • \Users\Admin\AppData\Local\Temp\Low\backup.exe

                                        Filesize

                                        72KB

                                        MD5

                                        e471347ff977e0c34ff7fd3bdc5ee679

                                        SHA1

                                        a98dc4857f3a3d2e6664e0b9a1df0fe7671d861a

                                        SHA256

                                        e1ac423d0200bae0a84ff3b1be6ab1a58161cae46973d3fcee7c79b5af63eeb6

                                        SHA512

                                        bcf4dc085297201907a4a08af80ebabcdcc9fc45d13b9b081608268782fb29f715fe1145e10fe6e8981597c0ba2cae86ccce6e3a0bdd89b27562f21a74350fe6

                                      • \Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

                                        Filesize

                                        72KB

                                        MD5

                                        a71c8196dc09bc6b936faa09fe3afa63

                                        SHA1

                                        e087f8c42ed2ad1abad421188817945b2482a0ec

                                        SHA256

                                        81784c6440725414c2d6c5985f773c3c5a0563e865a96a6bccdfe07d7cf4c49a

                                        SHA512

                                        c5a5ff7db0eedad747dc9c9e0639032f75ed0564f5c767de3a70b9b32619a5ac327078bd25fdda0c58195e29758ba2ef1db38cc840713dcb468ee1cb561cc649

                                      • \Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

                                        Filesize

                                        72KB

                                        MD5

                                        a71c8196dc09bc6b936faa09fe3afa63

                                        SHA1

                                        e087f8c42ed2ad1abad421188817945b2482a0ec

                                        SHA256

                                        81784c6440725414c2d6c5985f773c3c5a0563e865a96a6bccdfe07d7cf4c49a

                                        SHA512

                                        c5a5ff7db0eedad747dc9c9e0639032f75ed0564f5c767de3a70b9b32619a5ac327078bd25fdda0c58195e29758ba2ef1db38cc840713dcb468ee1cb561cc649

                                      • \Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

                                        Filesize

                                        72KB

                                        MD5

                                        5b237497210f8fc66ac6a436aff0d885

                                        SHA1

                                        efe5c2b3d097e1211c0837617d9f59976e35c7ae

                                        SHA256

                                        7493a459f1fa52c33fcde626fb59b74346e2bf39265d51297ef6b295eed366f2

                                        SHA512

                                        ad68803df2fd66b8616765d6236bf92f7cb0e269d9ee330c2c35c4875eeba25aaad34792c3a8785ea821dba0b7e9f20ce17fcb47bcbe609d4fe5da859a188f63

                                      • \Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

                                        Filesize

                                        72KB

                                        MD5

                                        5b237497210f8fc66ac6a436aff0d885

                                        SHA1

                                        efe5c2b3d097e1211c0837617d9f59976e35c7ae

                                        SHA256

                                        7493a459f1fa52c33fcde626fb59b74346e2bf39265d51297ef6b295eed366f2

                                        SHA512

                                        ad68803df2fd66b8616765d6236bf92f7cb0e269d9ee330c2c35c4875eeba25aaad34792c3a8785ea821dba0b7e9f20ce17fcb47bcbe609d4fe5da859a188f63

                                      • \Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

                                        Filesize

                                        72KB

                                        MD5

                                        76c5f8c11de7e8ff54d9eb4682713f1e

                                        SHA1

                                        58295bf26962fa7907ce7537a2bc28444aa213c1

                                        SHA256

                                        b7b287ea87c5e43498f86f493e62b7c0f48332dd94043b5f0acc831dd284fc9f

                                        SHA512

                                        e11866702dc81cc86dbedc90e762027fcce5ed3443f5f53758124dd56d5d7aea1b0ea5dc0a9620d94caeecf9a0dea3061ee729f16239267f0683aca5ed5998b2

                                      • \Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

                                        Filesize

                                        72KB

                                        MD5

                                        76c5f8c11de7e8ff54d9eb4682713f1e

                                        SHA1

                                        58295bf26962fa7907ce7537a2bc28444aa213c1

                                        SHA256

                                        b7b287ea87c5e43498f86f493e62b7c0f48332dd94043b5f0acc831dd284fc9f

                                        SHA512

                                        e11866702dc81cc86dbedc90e762027fcce5ed3443f5f53758124dd56d5d7aea1b0ea5dc0a9620d94caeecf9a0dea3061ee729f16239267f0683aca5ed5998b2

                                      • \Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

                                        Filesize

                                        72KB

                                        MD5

                                        f5607b6f63e312e623941085a5c06e54

                                        SHA1

                                        a0c8ff2f67cd76a39a6c1b9d5295a12cd517f67b

                                        SHA256

                                        3a1ad9eebe5970fb7b20bef3b09fe0e65979ecb6c87c0c0639051f7f7b957b36

                                        SHA512

                                        b32c3c879f1b437708d6a13dd20b25f6cd7eb631376077e3b700f22c7a80bdf5688c752229296613651e536a027b212beb4e735100beee905b77633fe2e83782

                                      • \Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

                                        Filesize

                                        72KB

                                        MD5

                                        f5607b6f63e312e623941085a5c06e54

                                        SHA1

                                        a0c8ff2f67cd76a39a6c1b9d5295a12cd517f67b

                                        SHA256

                                        3a1ad9eebe5970fb7b20bef3b09fe0e65979ecb6c87c0c0639051f7f7b957b36

                                        SHA512

                                        b32c3c879f1b437708d6a13dd20b25f6cd7eb631376077e3b700f22c7a80bdf5688c752229296613651e536a027b212beb4e735100beee905b77633fe2e83782

                                      • \Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

                                        Filesize

                                        72KB

                                        MD5

                                        76c5f8c11de7e8ff54d9eb4682713f1e

                                        SHA1

                                        58295bf26962fa7907ce7537a2bc28444aa213c1

                                        SHA256

                                        b7b287ea87c5e43498f86f493e62b7c0f48332dd94043b5f0acc831dd284fc9f

                                        SHA512

                                        e11866702dc81cc86dbedc90e762027fcce5ed3443f5f53758124dd56d5d7aea1b0ea5dc0a9620d94caeecf9a0dea3061ee729f16239267f0683aca5ed5998b2

                                      • \Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

                                        Filesize

                                        72KB

                                        MD5

                                        76c5f8c11de7e8ff54d9eb4682713f1e

                                        SHA1

                                        58295bf26962fa7907ce7537a2bc28444aa213c1

                                        SHA256

                                        b7b287ea87c5e43498f86f493e62b7c0f48332dd94043b5f0acc831dd284fc9f

                                        SHA512

                                        e11866702dc81cc86dbedc90e762027fcce5ed3443f5f53758124dd56d5d7aea1b0ea5dc0a9620d94caeecf9a0dea3061ee729f16239267f0683aca5ed5998b2

                                      • memory/1188-266-0x0000000074A81000-0x0000000074A83000-memory.dmp

                                        Filesize

                                        8KB

                                      • memory/1188-181-0x00000000759F1000-0x00000000759F3000-memory.dmp

                                        Filesize

                                        8KB