80c44e5bc43bc6aa3f92863bcbddff89ce7b7c2ca2edf25d49e5ac3f5a35b77f

Analysis

max time kernel
51s
max time network
142s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
13/10/2023, 20:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.6e07a9a8d0efecf3f4ff6fe70ee6fa60.exe
Size

84KB
MD5

6e07a9a8d0efecf3f4ff6fe70ee6fa60
SHA1

93314efe1a375a6efdacb22f820161c5f99d675c
SHA256

80c44e5bc43bc6aa3f92863bcbddff89ce7b7c2ca2edf25d49e5ac3f5a35b77f
SHA512

18e36343344a793cefcd11a242fc94f58fc4223fb111983d7539e1fae16f87afb69a78524fc5c5c8640843af08240603bf0cda768d017beb808cd99ba3ff9ddd
SSDEEP

768:/pQNwC3BESe4Vqth+0V5vKmyLylze70wi3BEmv:BeT7BVwxfvEFwjRv

Score

10^/10

evasion upx

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 57 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	NEAS.6e07a9a8d0efecf3f4ff6fe70ee6fa60.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Executes dropped EXE 64 IoCs

pid	Process
2612	backup.exe
2404	backup.exe
2808	backup.exe
2916	backup.exe
2560	update.exe
2736	System Restore.exe
2604	update.exe
2256	backup.exe
2392	backup.exe
2416	backup.exe
1276	backup.exe
2268	backup.exe
2408	backup.exe
1884	backup.exe
696	backup.exe
1296	data.exe
2348	backup.exe
1944	backup.exe
1808	backup.exe
992	backup.exe
2072	backup.exe
1464	backup.exe
1500	backup.exe
2144	backup.exe
3048	backup.exe
2492	backup.exe
2656	data.exe
2680	backup.exe
2384	data.exe
2740	backup.exe
2548	backup.exe
2544	backup.exe
2696	backup.exe
2604	backup.exe
2624	backup.exe
1628	backup.exe
1668	backup.exe
1936	backup.exe
2840	data.exe
1956	backup.exe
1908	backup.exe
2808	backup.exe
1988	backup.exe
2932	backup.exe
2080	backup.exe
976	backup.exe
1492	backup.exe
280	backup.exe
2480	backup.exe
2020	update.exe
1432	backup.exe
1264	backup.exe
2000	backup.exe
2284	backup.exe
2980	data.exe
1416	backup.exe
1612	backup.exe
1708	backup.exe
2184	backup.exe
2776	backup.exe
2804	backup.exe
2688	backup.exe
2768	backup.exe
3032	data.exe

Loads dropped DLL 64 IoCs

pid	Process
1948	NEAS.6e07a9a8d0efecf3f4ff6fe70ee6fa60.exe
1948	NEAS.6e07a9a8d0efecf3f4ff6fe70ee6fa60.exe
1948	NEAS.6e07a9a8d0efecf3f4ff6fe70ee6fa60.exe
1948	NEAS.6e07a9a8d0efecf3f4ff6fe70ee6fa60.exe
1948	NEAS.6e07a9a8d0efecf3f4ff6fe70ee6fa60.exe
1948	NEAS.6e07a9a8d0efecf3f4ff6fe70ee6fa60.exe
1948	NEAS.6e07a9a8d0efecf3f4ff6fe70ee6fa60.exe
1948	NEAS.6e07a9a8d0efecf3f4ff6fe70ee6fa60.exe
1948	NEAS.6e07a9a8d0efecf3f4ff6fe70ee6fa60.exe
2560	update.exe
2560	update.exe
2560	update.exe
1948	NEAS.6e07a9a8d0efecf3f4ff6fe70ee6fa60.exe
1948	NEAS.6e07a9a8d0efecf3f4ff6fe70ee6fa60.exe
1948	NEAS.6e07a9a8d0efecf3f4ff6fe70ee6fa60.exe
2604	update.exe
2604	update.exe
2604	update.exe
2256	backup.exe
2256	backup.exe
2392	backup.exe
2392	backup.exe
2256	backup.exe
2256	backup.exe
1276	backup.exe
1276	backup.exe
2268	backup.exe
2256	backup.exe
1276	backup.exe
2256	backup.exe
1276	backup.exe
2268	backup.exe
2256	backup.exe
2256	backup.exe
1884	backup.exe
1884	backup.exe
2408	backup.exe
2408	backup.exe
1276	backup.exe
1276	backup.exe
1808	backup.exe
1808	backup.exe
1296	data.exe
1944	backup.exe
1296	data.exe
1944	backup.exe
2348	backup.exe
2348	backup.exe
2072	backup.exe
2072	backup.exe
1944	backup.exe
1944	backup.exe
1808	backup.exe
1808	backup.exe
2072	backup.exe
2072	backup.exe
1944	backup.exe
1944	backup.exe
2492	backup.exe
1500	backup.exe
1500	backup.exe
2492	backup.exe
2656	data.exe
2656	data.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1948-0-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x00270000000153cc-5.dat	upx
behavioral1/files/0x00270000000153cc-7.dat	upx
behavioral1/files/0x00270000000153cc-11.dat	upx
behavioral1/files/0x00270000000153cc-9.dat	upx
behavioral1/memory/2612-12-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0007000000015c3e-16.dat	upx
behavioral1/files/0x0007000000015c3e-18.dat	upx
behavioral1/files/0x0007000000015c3e-23.dat	upx
behavioral1/memory/2404-27-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0009000000015c60-28.dat	upx
behavioral1/files/0x0009000000015c60-30.dat	upx
behavioral1/files/0x0009000000015c60-34.dat	upx
behavioral1/memory/1948-40-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0008000000015c58-38.dat	upx
behavioral1/files/0x0008000000015c58-45.dat	upx
behavioral1/files/0x0008000000015c58-41.dat	upx
behavioral1/memory/2916-49-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0006000000015ca9-50.dat	upx
behavioral1/files/0x0006000000015ca9-55.dat	upx
behavioral1/memory/2612-54-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0006000000015ca9-53.dat	upx
behavioral1/files/0x0006000000015ca9-56.dat	upx
behavioral1/files/0x0006000000015ca9-57.dat	upx
behavioral1/files/0x0006000000015ca9-58.dat	upx
behavioral1/memory/2560-62-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x000a000000015c69-63.dat	upx
behavioral1/files/0x000a000000015c69-65.dat	upx
behavioral1/files/0x000a000000015c69-69.dat	upx
behavioral1/memory/2808-70-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/2736-74-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0006000000015cb4-75.dat	upx
behavioral1/files/0x0006000000015cb4-78.dat	upx
behavioral1/files/0x0006000000015cb4-79.dat	upx
behavioral1/files/0x0006000000015cb4-80.dat	upx
behavioral1/files/0x0006000000015cb4-82.dat	upx
behavioral1/files/0x0006000000015cb4-81.dat	upx
behavioral1/files/0x00270000000153cc-87.dat	upx
behavioral1/memory/2604-89-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0006000000015d26-96.dat	upx
behavioral1/files/0x0006000000015d26-100.dat	upx
behavioral1/files/0x0006000000015dde-102.dat	upx
behavioral1/files/0x0006000000015dde-104.dat	upx
behavioral1/files/0x0006000000015dde-109.dat	upx
behavioral1/files/0x0006000000015dde-112.dat	upx
behavioral1/files/0x0006000000015eab-114.dat	upx
behavioral1/files/0x0006000000015eab-118.dat	upx
behavioral1/files/0x0006000000015eab-122.dat	upx
behavioral1/files/0x0006000000015f19-127.dat	upx
behavioral1/files/0x0006000000015f19-129.dat	upx
behavioral1/memory/2416-126-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0006000000015f19-133.dat	upx
behavioral1/memory/2392-150-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/2256-149-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0006000000015f19-151.dat	upx
behavioral1/files/0x0007000000015e2f-155.dat	upx
behavioral1/files/0x0007000000015e2f-160.dat	upx
behavioral1/files/0x0007000000015e2f-153.dat	upx
behavioral1/memory/1276-165-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/2808-167-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0007000000015e2f-170.dat	upx
behavioral1/files/0x0006000000016338-172.dat	upx
behavioral1/memory/2268-181-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/1948-182-0x0000000000400000-0x000000000041C000-memory.dmp	upx

Drops file in Program Files directory 46 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Services\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe	data.exe
File opened for modification	C:\Program Files (x86)\Common Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\data.exe	data.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\Lang\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe	data.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\data.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\data.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\update.exe	backup.exe
File opened for modification	C:\Program Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\data.exe	data.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\backup.exe	backup.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\data.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1948	NEAS.6e07a9a8d0efecf3f4ff6fe70ee6fa60.exe

Suspicious use of SetWindowsHookEx 63 IoCs

pid	Process
1948	NEAS.6e07a9a8d0efecf3f4ff6fe70ee6fa60.exe
2612	backup.exe
2404	backup.exe
2808	backup.exe
2916	backup.exe
2560	update.exe
2736	System Restore.exe
2604	update.exe
2256	backup.exe
2392	backup.exe
2416	backup.exe
1276	backup.exe
2268	backup.exe
2408	backup.exe
1884	backup.exe
696	backup.exe
2348	backup.exe
1296	data.exe
1944	backup.exe
1808	backup.exe
2072	backup.exe
1464	backup.exe
992	backup.exe
2144	backup.exe
1500	backup.exe
3048	backup.exe
2492	backup.exe
2656	data.exe
2680	backup.exe
2384	data.exe
2548	backup.exe
2740	backup.exe
2696	backup.exe
2544	backup.exe
2604	backup.exe
2624	backup.exe
1628	backup.exe
1936	backup.exe
1668	backup.exe
2840	data.exe
1908	backup.exe
1956	backup.exe
2808	backup.exe
1988	backup.exe
2932	backup.exe
2080	backup.exe
976	backup.exe
1492	backup.exe
280	backup.exe
2480	backup.exe
2020	update.exe
1264	backup.exe
2000	backup.exe
1432	backup.exe
2284	backup.exe
2980	data.exe
1416	backup.exe
1708	backup.exe
1612	backup.exe
2184	backup.exe
2776	backup.exe
2804	backup.exe
1700	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1948 wrote to memory of 2612	1948	NEAS.6e07a9a8d0efecf3f4ff6fe70ee6fa60.exe	28
PID 1948 wrote to memory of 2612	1948	NEAS.6e07a9a8d0efecf3f4ff6fe70ee6fa60.exe	28
PID 1948 wrote to memory of 2612	1948	NEAS.6e07a9a8d0efecf3f4ff6fe70ee6fa60.exe	28
PID 1948 wrote to memory of 2612	1948	NEAS.6e07a9a8d0efecf3f4ff6fe70ee6fa60.exe	28
PID 1948 wrote to memory of 2404	1948	NEAS.6e07a9a8d0efecf3f4ff6fe70ee6fa60.exe	29
PID 1948 wrote to memory of 2404	1948	NEAS.6e07a9a8d0efecf3f4ff6fe70ee6fa60.exe	29
PID 1948 wrote to memory of 2404	1948	NEAS.6e07a9a8d0efecf3f4ff6fe70ee6fa60.exe	29
PID 1948 wrote to memory of 2404	1948	NEAS.6e07a9a8d0efecf3f4ff6fe70ee6fa60.exe	29
PID 1948 wrote to memory of 2808	1948	NEAS.6e07a9a8d0efecf3f4ff6fe70ee6fa60.exe	30
PID 1948 wrote to memory of 2808	1948	NEAS.6e07a9a8d0efecf3f4ff6fe70ee6fa60.exe	30
PID 1948 wrote to memory of 2808	1948	NEAS.6e07a9a8d0efecf3f4ff6fe70ee6fa60.exe	30
PID 1948 wrote to memory of 2808	1948	NEAS.6e07a9a8d0efecf3f4ff6fe70ee6fa60.exe	30
PID 1948 wrote to memory of 2916	1948	NEAS.6e07a9a8d0efecf3f4ff6fe70ee6fa60.exe	31
PID 1948 wrote to memory of 2916	1948	NEAS.6e07a9a8d0efecf3f4ff6fe70ee6fa60.exe	31
PID 1948 wrote to memory of 2916	1948	NEAS.6e07a9a8d0efecf3f4ff6fe70ee6fa60.exe	31
PID 1948 wrote to memory of 2916	1948	NEAS.6e07a9a8d0efecf3f4ff6fe70ee6fa60.exe	31
PID 1948 wrote to memory of 2560	1948	NEAS.6e07a9a8d0efecf3f4ff6fe70ee6fa60.exe	32
PID 1948 wrote to memory of 2560	1948	NEAS.6e07a9a8d0efecf3f4ff6fe70ee6fa60.exe	32
PID 1948 wrote to memory of 2560	1948	NEAS.6e07a9a8d0efecf3f4ff6fe70ee6fa60.exe	32
PID 1948 wrote to memory of 2560	1948	NEAS.6e07a9a8d0efecf3f4ff6fe70ee6fa60.exe	32
PID 1948 wrote to memory of 2560	1948	NEAS.6e07a9a8d0efecf3f4ff6fe70ee6fa60.exe	32
PID 1948 wrote to memory of 2560	1948	NEAS.6e07a9a8d0efecf3f4ff6fe70ee6fa60.exe	32
PID 1948 wrote to memory of 2560	1948	NEAS.6e07a9a8d0efecf3f4ff6fe70ee6fa60.exe	32
PID 1948 wrote to memory of 2736	1948	NEAS.6e07a9a8d0efecf3f4ff6fe70ee6fa60.exe	33
PID 1948 wrote to memory of 2736	1948	NEAS.6e07a9a8d0efecf3f4ff6fe70ee6fa60.exe	33
PID 1948 wrote to memory of 2736	1948	NEAS.6e07a9a8d0efecf3f4ff6fe70ee6fa60.exe	33
PID 1948 wrote to memory of 2736	1948	NEAS.6e07a9a8d0efecf3f4ff6fe70ee6fa60.exe	33
PID 1948 wrote to memory of 2604	1948	NEAS.6e07a9a8d0efecf3f4ff6fe70ee6fa60.exe	34
PID 1948 wrote to memory of 2604	1948	NEAS.6e07a9a8d0efecf3f4ff6fe70ee6fa60.exe	34
PID 1948 wrote to memory of 2604	1948	NEAS.6e07a9a8d0efecf3f4ff6fe70ee6fa60.exe	34
PID 1948 wrote to memory of 2604	1948	NEAS.6e07a9a8d0efecf3f4ff6fe70ee6fa60.exe	34
PID 1948 wrote to memory of 2604	1948	NEAS.6e07a9a8d0efecf3f4ff6fe70ee6fa60.exe	34
PID 1948 wrote to memory of 2604	1948	NEAS.6e07a9a8d0efecf3f4ff6fe70ee6fa60.exe	34
PID 1948 wrote to memory of 2604	1948	NEAS.6e07a9a8d0efecf3f4ff6fe70ee6fa60.exe	34
PID 2612 wrote to memory of 2256	2612	backup.exe	35
PID 2612 wrote to memory of 2256	2612	backup.exe	35
PID 2612 wrote to memory of 2256	2612	backup.exe	35
PID 2612 wrote to memory of 2256	2612	backup.exe	35
PID 2256 wrote to memory of 2392	2256	backup.exe	36
PID 2256 wrote to memory of 2392	2256	backup.exe	36
PID 2256 wrote to memory of 2392	2256	backup.exe	36
PID 2256 wrote to memory of 2392	2256	backup.exe	36
PID 2392 wrote to memory of 2416	2392	backup.exe	37
PID 2392 wrote to memory of 2416	2392	backup.exe	37
PID 2392 wrote to memory of 2416	2392	backup.exe	37
PID 2392 wrote to memory of 2416	2392	backup.exe	37
PID 2256 wrote to memory of 1276	2256	backup.exe	38
PID 2256 wrote to memory of 1276	2256	backup.exe	38
PID 2256 wrote to memory of 1276	2256	backup.exe	38
PID 2256 wrote to memory of 1276	2256	backup.exe	38
PID 1276 wrote to memory of 2268	1276	backup.exe	39
PID 1276 wrote to memory of 2268	1276	backup.exe	39
PID 1276 wrote to memory of 2268	1276	backup.exe	39
PID 1276 wrote to memory of 2268	1276	backup.exe	39
PID 2256 wrote to memory of 1884	2256	backup.exe	41
PID 2256 wrote to memory of 1884	2256	backup.exe	41
PID 2256 wrote to memory of 1884	2256	backup.exe	41
PID 2256 wrote to memory of 1884	2256	backup.exe	41
PID 1276 wrote to memory of 2408	1276	backup.exe	42
PID 1276 wrote to memory of 2408	1276	backup.exe	42
PID 1276 wrote to memory of 2408	1276	backup.exe	42
PID 1276 wrote to memory of 2408	1276	backup.exe	42
PID 2268 wrote to memory of 696	2268	backup.exe	40
PID 2268 wrote to memory of 696	2268	backup.exe	40

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	NEAS.6e07a9a8d0efecf3f4ff6fe70ee6fa60.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.6e07a9a8d0efecf3f4ff6fe70ee6fa60.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.6e07a9a8d0efecf3f4ff6fe70ee6fa60.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1948
- C:\Users\Admin\AppData\Local\Temp\2696415612\backup.exe
  C:\Users\Admin\AppData\Local\Temp\2696415612\backup.exe C:\Users\Admin\AppData\Local\Temp\2696415612\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2612
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2256
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2392
    - - C:\PerfLogs\Admin\backup.exe
        
        C:\PerfLogs\Admin\backup.exe C:\PerfLogs\Admin\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2416
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1276
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2268
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:696
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2408
      - C:\Program Files\Common Files\Microsoft Shared\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\backup.exe" C:\Program Files\Common Files\Microsoft Shared\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1808
        
        C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:992
        
        C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2492
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2740
        
        C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2624
        
        C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1936
        
        C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1956
        
        C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1988
        
        C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:976
        
        C:\Program Files\Common Files\Microsoft Shared\ink\en-US\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2020
        
        C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2284
        
        C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1416
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\
        8⤵
        
        PID:1596
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\
        8⤵
        
        PID:984
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\
        8⤵
        
        PID:2484
        
        C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\
        8⤵
        
        PID:2520
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\
        8⤵
        
        PID:1716
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\
        8⤵
        
        PID:640
        
        C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\
        8⤵
        
        PID:2620
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
        7⤵
        
        PID:3000
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
        7⤵
        
        PID:1180
        
        C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
        7⤵
        
        PID:656
        
        C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\
        7⤵
        
        PID:1888
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\
        7⤵
        
        PID:2552
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\
        7⤵
        
        PID:812
        
        C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VC\
        7⤵
        
        PID:2968
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        
        PID:2800
      - C:\Program Files\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\backup.exe" C:\Program Files\Common Files\SpeechEngines\
        6⤵
        
        PID:312
        
        C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files\Common Files\SpeechEngines\Microsoft\
        7⤵
        
        PID:2724
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        
        PID:2364
    - - C:\Program Files\DVD Maker\backup.exe
        
        "C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1944
      - C:\Program Files\DVD Maker\de-DE\backup.exe
        
        "C:\Program Files\DVD Maker\de-DE\backup.exe" C:\Program Files\DVD Maker\de-DE\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1464
      - C:\Program Files\DVD Maker\en-US\backup.exe
        
        "C:\Program Files\DVD Maker\en-US\backup.exe" C:\Program Files\DVD Maker\en-US\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3048
      - C:\Program Files\DVD Maker\es-ES\backup.exe
        
        "C:\Program Files\DVD Maker\es-ES\backup.exe" C:\Program Files\DVD Maker\es-ES\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2680
      - C:\Program Files\DVD Maker\fr-FR\backup.exe
        
        "C:\Program Files\DVD Maker\fr-FR\backup.exe" C:\Program Files\DVD Maker\fr-FR\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2696
      - C:\Program Files\DVD Maker\it-IT\backup.exe
        
        "C:\Program Files\DVD Maker\it-IT\backup.exe" C:\Program Files\DVD Maker\it-IT\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1628
      - C:\Program Files\DVD Maker\ja-JP\backup.exe
        
        "C:\Program Files\DVD Maker\ja-JP\backup.exe" C:\Program Files\DVD Maker\ja-JP\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1908
      - C:\Program Files\DVD Maker\Shared\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\backup.exe" C:\Program Files\DVD Maker\Shared\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2932
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2480
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1432
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1612
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2804
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Full\
        8⤵
        
        PID:2696
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\
        8⤵
        
        PID:1528
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\
        8⤵
        
        PID:2196
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\
        8⤵
        
        PID:2556
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\
        8⤵
        
        PID:528
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\
        8⤵
        
        PID:2036
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\
        8⤵
        
        PID:2140
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        Executes dropped EXE
        
        PID:2768
      - C:\Program Files\Google\Chrome\backup.exe
        
        "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
        6⤵
        
        PID:2788
    - - C:\Program Files\Internet Explorer\System Restore.exe
        
        "C:\Program Files\Internet Explorer\System Restore.exe" C:\Program Files\Internet Explorer\
        5⤵
        
        PID:2728
      - C:\Program Files\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files\Internet Explorer\de-DE\backup.exe" C:\Program Files\Internet Explorer\de-DE\
        6⤵
        
        PID:932
      - C:\Program Files\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files\Internet Explorer\en-US\backup.exe" C:\Program Files\Internet Explorer\en-US\
        6⤵
        
        PID:2160
      - C:\Program Files\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files\Internet Explorer\es-ES\backup.exe" C:\Program Files\Internet Explorer\es-ES\
        6⤵
        
        PID:2640
      - C:\Program Files\Internet Explorer\fr-FR\backup.exe
        
        "C:\Program Files\Internet Explorer\fr-FR\backup.exe" C:\Program Files\Internet Explorer\fr-FR\
        6⤵
        
        PID:1648
      - C:\Program Files\Internet Explorer\images\backup.exe
        
        "C:\Program Files\Internet Explorer\images\backup.exe" C:\Program Files\Internet Explorer\images\
        6⤵
        
        PID:1312
      - C:\Program Files\Internet Explorer\it-IT\backup.exe
        
        "C:\Program Files\Internet Explorer\it-IT\backup.exe" C:\Program Files\Internet Explorer\it-IT\
        6⤵
        
        PID:2832
    - - C:\Program Files\Java\data.exe
        
        "C:\Program Files\Java\data.exe" C:\Program Files\Java\
        5⤵
        
        PID:2156
    - - C:\Program Files\Microsoft Games\backup.exe
        
        "C:\Program Files\Microsoft Games\backup.exe" C:\Program Files\Microsoft Games\
        5⤵
        
        PID:2704
    - - C:\Program Files\Microsoft Office\backup.exe
        
        "C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
        5⤵
        
        PID:2740
    - - C:\Program Files\Mozilla Firefox\backup.exe
        
        "C:\Program Files\Mozilla Firefox\backup.exe" C:\Program Files\Mozilla Firefox\
        5⤵
        
        PID:1728
    - - C:\Program Files\MSBuild\backup.exe
        
        "C:\Program Files\MSBuild\backup.exe" C:\Program Files\MSBuild\
        5⤵
        
        PID:1760
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      PID:1884
    - - C:\Program Files (x86)\Adobe\data.exe
        
        "C:\Program Files (x86)\Adobe\data.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1296
      - C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2072
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2144
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\data.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\data.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2656
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2548
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2604
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\data.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\data.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2840
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1492
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1264
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\data.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\data.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2980
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:2184
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\
        9⤵
        Executes dropped EXE
        
        PID:2688
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\
        8⤵
        
        PID:1796
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\data.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\data.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\
        8⤵
        
        PID:2168
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\
        8⤵
        
        PID:2340
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\
        8⤵
        
        PID:2312
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\
        8⤵
        
        PID:1464
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\
        7⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1700
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\
        8⤵
        
        PID:2276
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\
        8⤵
        
        PID:2928
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\
        8⤵
        
        PID:1664
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\
        9⤵
        
        PID:2232
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\
        8⤵
        
        PID:2536
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\
        8⤵
        
        PID:1592
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\
        7⤵
        
        PID:1068
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\System Restore.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\
        8⤵
        
        PID:2360
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        
        PID:2076
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        
        PID:2860
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        
        PID:576
    - - C:\Program Files (x86)\Microsoft Analysis Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\
        5⤵
        
        PID:2908
    - - C:\Program Files (x86)\Microsoft Office\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\backup.exe" C:\Program Files (x86)\Microsoft Office\
        5⤵
        
        PID:2644
    - - C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\
        5⤵
        
        PID:1892
      - C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\backup.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\backup.exe" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\
        6⤵
        
        PID:3028
    - - C:\Program Files (x86)\Microsoft Sync Framework\backup.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\backup.exe" C:\Program Files (x86)\Microsoft Sync Framework\
        5⤵
        
        PID:1632
    - - C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe" C:\Program Files (x86)\Microsoft Synchronization Services\
        5⤵
        
        PID:2464
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:2348
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1500
      - C:\Users\Admin\Contacts\data.exe
        
        C:\Users\Admin\Contacts\data.exe C:\Users\Admin\Contacts\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2384
      - C:\Users\Admin\Desktop\backup.exe
        
        C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2544
      - C:\Users\Admin\Documents\backup.exe
        
        C:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1668
      - C:\Users\Admin\Downloads\backup.exe
        
        C:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2808
      - C:\Users\Admin\Favorites\backup.exe
        
        C:\Users\Admin\Favorites\backup.exe C:\Users\Admin\Favorites\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2080
      - C:\Users\Admin\Links\backup.exe
        
        C:\Users\Admin\Links\backup.exe C:\Users\Admin\Links\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:280
      - C:\Users\Admin\Music\backup.exe
        
        C:\Users\Admin\Music\backup.exe C:\Users\Admin\Music\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2000
      - C:\Users\Admin\Pictures\backup.exe
        
        C:\Users\Admin\Pictures\backup.exe C:\Users\Admin\Pictures\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1708
      - C:\Users\Admin\Saved Games\backup.exe
        
        "C:\Users\Admin\Saved Games\backup.exe" C:\Users\Admin\Saved Games\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2776
      - C:\Users\Admin\Searches\backup.exe
        
        C:\Users\Admin\Searches\backup.exe C:\Users\Admin\Searches\
        6⤵
        
        PID:2616
      - C:\Users\Admin\Videos\backup.exe
        
        C:\Users\Admin\Videos\backup.exe C:\Users\Admin\Videos\
        6⤵
        
        PID:1660
    - - C:\Users\Public\data.exe
        
        C:\Users\Public\data.exe C:\Users\Public\
        5⤵
        
        PID:2572
      - C:\Users\Public\Documents\backup.exe
        
        C:\Users\Public\Documents\backup.exe C:\Users\Public\Documents\
        6⤵
        
        PID:2780
      - C:\Users\Public\Downloads\backup.exe
        
        C:\Users\Public\Downloads\backup.exe C:\Users\Public\Downloads\
        6⤵
        
        PID:2392
      - C:\Users\Public\Music\backup.exe
        
        C:\Users\Public\Music\backup.exe C:\Users\Public\Music\
        6⤵
        
        PID:1304
      - C:\Users\Public\Pictures\backup.exe
        
        C:\Users\Public\Pictures\backup.exe C:\Users\Public\Pictures\
        6⤵
        
        PID:992
  - - C:\Windows\data.exe
      C:\Windows\data.exe C:\Windows\
      4⤵
      Executes dropped EXE
      PID:3032
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2404
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2808
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2916
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\update.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\update.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2560
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\System Restore.exe
  "C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\System Restore.exe" C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2736
- C:\Users\Admin\AppData\Local\Temp\WPDNSE\update.exe
  C:\Users\Admin\AppData\Local\Temp\WPDNSE\update.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\backup.exe

Filesize
84KB

MD5
09bb837fdd9da8a5edad329fa7423fa3

SHA1
187f79116b8260f8cad27c951606674e0de75c03

SHA256
c133e759f087b5b45815d31be2b6f667e20b2bfc186b5a49800cec5819244788

SHA512
a7e9a1974ff91d792d293dd20dff2547957f5ea4db9151d2ed1823e12179df356e5e0742c5544dd3e82ad2532313e07c411dbc9a7778a9948fdd661238ecf00a

Download Submit
C:\PerfLogs\backup.exe

Filesize
84KB

MD5
5e97fbb5522949e29c7fe20aaac6b94c

SHA1
910e178ec68b353f5c3ed54cd99ac25ec126ff79

SHA256
4cf0b40fd95c63760af7b2de65bcc895703b8f37d7fbf98967edecec8a60267e

SHA512
89f927818d13d8a28128383e03bb34652598c12eb9bf6e43920476ee07c2c771dc718aa682018072fbfc20866faf9ce4261535aaec69151ddb6fd7726d4e76cd

Download Submit
C:\PerfLogs\backup.exe

Filesize
84KB

MD5
5e97fbb5522949e29c7fe20aaac6b94c

SHA1
910e178ec68b353f5c3ed54cd99ac25ec126ff79

SHA256
4cf0b40fd95c63760af7b2de65bcc895703b8f37d7fbf98967edecec8a60267e

SHA512
89f927818d13d8a28128383e03bb34652598c12eb9bf6e43920476ee07c2c771dc718aa682018072fbfc20866faf9ce4261535aaec69151ddb6fd7726d4e76cd

Download Submit
C:\Program Files (x86)\backup.exe

Filesize
84KB

MD5
bfebcc2ea8727fc9f927349285754b0f

SHA1
486c9c88dca1e1261e24a8c9a0ce9b69efd1a6d1

SHA256
88985536446de6333468fe746d3eb6358c2c2316bb47fe7cb2f8ba609bc252ad

SHA512
a0d94d492163b06f084ef55cfc6ec7a3800c8249815f6906a4c413c1c750a40f92de62d98a0a0e97a712c2a6abb09f2bedc5f7b4587e28b7fe390bc2566ccc42

Download Submit
C:\Program Files (x86)\backup.exe

Filesize
84KB

MD5
bfebcc2ea8727fc9f927349285754b0f

SHA1
486c9c88dca1e1261e24a8c9a0ce9b69efd1a6d1

SHA256
88985536446de6333468fe746d3eb6358c2c2316bb47fe7cb2f8ba609bc252ad

SHA512
a0d94d492163b06f084ef55cfc6ec7a3800c8249815f6906a4c413c1c750a40f92de62d98a0a0e97a712c2a6abb09f2bedc5f7b4587e28b7fe390bc2566ccc42

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
84KB

MD5
18c3ad6610cd28bcb9bd2c24c1cf4f79

SHA1
31f5442e3d13f1e16180960285d64c671b3ef5de

SHA256
9ba94bc97ac31245b076cf80b22e353ec039d2e3f080797c49b194397d4c8f4d

SHA512
2375ca6787259fd0160f2b41aa26553df46432af32e3fe93fe82bd80993d945ec3b6f99b3a03e7ebb594a656040433c636f5105e478312d1a594548236078dd9

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
84KB

MD5
fd0cfe7ad532899e975d4d28aa54550b

SHA1
16bd560ba4c38f6ab275d1284410480f1e60a6ef

SHA256
1fec2f9ac437562539097ab9144764a3dcb184bfd091dfa3659a819864571b6a

SHA512
72b2b1e0ed5059ddb2960c771442a68a4e1390495233a17360f0767a3a198184d6686d611e62c5b7f24a22ac9d19c9b8ccffc2f2e10976bec44346e43cdb93f8

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
84KB

MD5
fd0cfe7ad532899e975d4d28aa54550b

SHA1
16bd560ba4c38f6ab275d1284410480f1e60a6ef

SHA256
1fec2f9ac437562539097ab9144764a3dcb184bfd091dfa3659a819864571b6a

SHA512
72b2b1e0ed5059ddb2960c771442a68a4e1390495233a17360f0767a3a198184d6686d611e62c5b7f24a22ac9d19c9b8ccffc2f2e10976bec44346e43cdb93f8

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
84KB

MD5
c30069f71359d7d4c01e0f56cb67857b

SHA1
d969cefd34eee55ecf8963a19f04a589bc8b650c

SHA256
013396cab6f5d5248fe3be639475d7f977f38643ddd1e794d116e3f10ad18e76

SHA512
5ccea6e0e887285fb68f1c9ca1f03d2f54d06db4bb9ec99793d4f505fd598743a3a2b26c5271d4e03ab6ec1a12ae8b66ba51feed1c28dbe154503c4fe0e83722

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
84KB

MD5
c30069f71359d7d4c01e0f56cb67857b

SHA1
d969cefd34eee55ecf8963a19f04a589bc8b650c

SHA256
013396cab6f5d5248fe3be639475d7f977f38643ddd1e794d116e3f10ad18e76

SHA512
5ccea6e0e887285fb68f1c9ca1f03d2f54d06db4bb9ec99793d4f505fd598743a3a2b26c5271d4e03ab6ec1a12ae8b66ba51feed1c28dbe154503c4fe0e83722

Download Submit
C:\Program Files\backup.exe

Filesize
84KB

MD5
5e97fbb5522949e29c7fe20aaac6b94c

SHA1
910e178ec68b353f5c3ed54cd99ac25ec126ff79

SHA256
4cf0b40fd95c63760af7b2de65bcc895703b8f37d7fbf98967edecec8a60267e

SHA512
89f927818d13d8a28128383e03bb34652598c12eb9bf6e43920476ee07c2c771dc718aa682018072fbfc20866faf9ce4261535aaec69151ddb6fd7726d4e76cd

Download Submit
C:\Program Files\backup.exe

Filesize
84KB

MD5
5e97fbb5522949e29c7fe20aaac6b94c

SHA1
910e178ec68b353f5c3ed54cd99ac25ec126ff79

SHA256
4cf0b40fd95c63760af7b2de65bcc895703b8f37d7fbf98967edecec8a60267e

SHA512
89f927818d13d8a28128383e03bb34652598c12eb9bf6e43920476ee07c2c771dc718aa682018072fbfc20866faf9ce4261535aaec69151ddb6fd7726d4e76cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\2696415612\backup.exe

Filesize
84KB

MD5
442ce551fd81e27c10e131a02eb973d5

SHA1
49301536853330a2e1bce1a0059cf08d4a2bf077

SHA256
2f4bdf299189c741c17ff7475a2235659771bb3a9d94383d1b9b72de3855a453

SHA512
b277c6f736f82eadf2c7c55df9bf685679744a30ffacdf7a34083e5288f96fe7b22d1e5c7e054065acf90b0eb6be3316081c4a2ca1d7ed186b152bfd38927278

Download Submit
C:\Users\Admin\AppData\Local\Temp\2696415612\backup.exe

Filesize
84KB

MD5
442ce551fd81e27c10e131a02eb973d5

SHA1
49301536853330a2e1bce1a0059cf08d4a2bf077

SHA256
2f4bdf299189c741c17ff7475a2235659771bb3a9d94383d1b9b72de3855a453

SHA512
b277c6f736f82eadf2c7c55df9bf685679744a30ffacdf7a34083e5288f96fe7b22d1e5c7e054065acf90b0eb6be3316081c4a2ca1d7ed186b152bfd38927278

Download Submit
C:\Users\Admin\AppData\Local\Temp\2696415612\backup.exe

Filesize
84KB

MD5
442ce551fd81e27c10e131a02eb973d5

SHA1
49301536853330a2e1bce1a0059cf08d4a2bf077

SHA256
2f4bdf299189c741c17ff7475a2235659771bb3a9d94383d1b9b72de3855a453

SHA512
b277c6f736f82eadf2c7c55df9bf685679744a30ffacdf7a34083e5288f96fe7b22d1e5c7e054065acf90b0eb6be3316081c4a2ca1d7ed186b152bfd38927278

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
84KB

MD5
442ce551fd81e27c10e131a02eb973d5

SHA1
49301536853330a2e1bce1a0059cf08d4a2bf077

SHA256
2f4bdf299189c741c17ff7475a2235659771bb3a9d94383d1b9b72de3855a453

SHA512
b277c6f736f82eadf2c7c55df9bf685679744a30ffacdf7a34083e5288f96fe7b22d1e5c7e054065acf90b0eb6be3316081c4a2ca1d7ed186b152bfd38927278

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
84KB

MD5
442ce551fd81e27c10e131a02eb973d5

SHA1
49301536853330a2e1bce1a0059cf08d4a2bf077

SHA256
2f4bdf299189c741c17ff7475a2235659771bb3a9d94383d1b9b72de3855a453

SHA512
b277c6f736f82eadf2c7c55df9bf685679744a30ffacdf7a34083e5288f96fe7b22d1e5c7e054065acf90b0eb6be3316081c4a2ca1d7ed186b152bfd38927278

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\update.exe

Filesize
84KB

MD5
442ce551fd81e27c10e131a02eb973d5

SHA1
49301536853330a2e1bce1a0059cf08d4a2bf077

SHA256
2f4bdf299189c741c17ff7475a2235659771bb3a9d94383d1b9b72de3855a453

SHA512
b277c6f736f82eadf2c7c55df9bf685679744a30ffacdf7a34083e5288f96fe7b22d1e5c7e054065acf90b0eb6be3316081c4a2ca1d7ed186b152bfd38927278

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\update.exe

Filesize
84KB

MD5
442ce551fd81e27c10e131a02eb973d5

SHA1
49301536853330a2e1bce1a0059cf08d4a2bf077

SHA256
2f4bdf299189c741c17ff7475a2235659771bb3a9d94383d1b9b72de3855a453

SHA512
b277c6f736f82eadf2c7c55df9bf685679744a30ffacdf7a34083e5288f96fe7b22d1e5c7e054065acf90b0eb6be3316081c4a2ca1d7ed186b152bfd38927278

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPDNSE\update.exe

Filesize
84KB

MD5
e0fb3a82fa8f98fa27abd7d8b7a17cdf

SHA1
152daa3e0b481aef0526ad57b1a5090e96bd4209

SHA256
fe327169206726fa50ade072ff7c2803e7535839b39253a13fba3c32d0024539

SHA512
313831652b320fcfe67bc84c4ed5048fdbff26248d472ef756cac83ba2eef6f7fd25019ab9abf03c251f730de6b3220dd739578c90cdb4fcf4c7f925d859beb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPDNSE\update.exe

Filesize
84KB

MD5
e0fb3a82fa8f98fa27abd7d8b7a17cdf

SHA1
152daa3e0b481aef0526ad57b1a5090e96bd4209

SHA256
fe327169206726fa50ade072ff7c2803e7535839b39253a13fba3c32d0024539

SHA512
313831652b320fcfe67bc84c4ed5048fdbff26248d472ef756cac83ba2eef6f7fd25019ab9abf03c251f730de6b3220dd739578c90cdb4fcf4c7f925d859beb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
84KB

MD5
442ce551fd81e27c10e131a02eb973d5

SHA1
49301536853330a2e1bce1a0059cf08d4a2bf077

SHA256
2f4bdf299189c741c17ff7475a2235659771bb3a9d94383d1b9b72de3855a453

SHA512
b277c6f736f82eadf2c7c55df9bf685679744a30ffacdf7a34083e5288f96fe7b22d1e5c7e054065acf90b0eb6be3316081c4a2ca1d7ed186b152bfd38927278

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\System Restore.exe

Filesize
84KB

MD5
e0fb3a82fa8f98fa27abd7d8b7a17cdf

SHA1
152daa3e0b481aef0526ad57b1a5090e96bd4209

SHA256
fe327169206726fa50ade072ff7c2803e7535839b39253a13fba3c32d0024539

SHA512
313831652b320fcfe67bc84c4ed5048fdbff26248d472ef756cac83ba2eef6f7fd25019ab9abf03c251f730de6b3220dd739578c90cdb4fcf4c7f925d859beb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.zip

Filesize
30KB

MD5
f7316598ad0897b75efd7d779483565b

SHA1
d9121a3da25e1bef084bb048c58624aee0a56f36

SHA256
b6f8c0f6b2cbdeeb1e25fd0fb896e14c99940b0daec2227bac7371a8571da457

SHA512
e7e81ee463cf97a3bad3f828e563b57cf45446dffcb30c57e88228f832f435e455bb846cd861542293331ec3b1dc4f625cf17479a137987231d98a98922f705d

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.zip

Filesize
22B

MD5
76cdb2bad9582d23c1f6f4d868218d6c

SHA1
b04f3ee8f5e43fa3b162981b50bb72fe1acabb33

SHA256
8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85

SHA512
5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

Download Submit
C:\backup.exe

Filesize
84KB

MD5
245d8dc341fd86229d027c1a507036ac

SHA1
178ddef2a0187f363c94e29fc144726117dbf740

SHA256
d323d2abd46c09a816739765c5b3e0f25e6e17d33ac2fd7b8c5a2d816bea0a52

SHA512
a108428831c2d43b74bf39043df217ef962ba892a8cb531567da2815de1419d2285de3d384fefe300260f8db29ae1b4ba5aeeed9ae62effeaf3807fd1e7195f7

Download Submit
C:\backup.exe

Filesize
84KB

MD5
245d8dc341fd86229d027c1a507036ac

SHA1
178ddef2a0187f363c94e29fc144726117dbf740

SHA256
d323d2abd46c09a816739765c5b3e0f25e6e17d33ac2fd7b8c5a2d816bea0a52

SHA512
a108428831c2d43b74bf39043df217ef962ba892a8cb531567da2815de1419d2285de3d384fefe300260f8db29ae1b4ba5aeeed9ae62effeaf3807fd1e7195f7

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
84KB

MD5
09bb837fdd9da8a5edad329fa7423fa3

SHA1
187f79116b8260f8cad27c951606674e0de75c03

SHA256
c133e759f087b5b45815d31be2b6f667e20b2bfc186b5a49800cec5819244788

SHA512
a7e9a1974ff91d792d293dd20dff2547957f5ea4db9151d2ed1823e12179df356e5e0742c5544dd3e82ad2532313e07c411dbc9a7778a9948fdd661238ecf00a

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
84KB

MD5
09bb837fdd9da8a5edad329fa7423fa3

SHA1
187f79116b8260f8cad27c951606674e0de75c03

SHA256
c133e759f087b5b45815d31be2b6f667e20b2bfc186b5a49800cec5819244788

SHA512
a7e9a1974ff91d792d293dd20dff2547957f5ea4db9151d2ed1823e12179df356e5e0742c5544dd3e82ad2532313e07c411dbc9a7778a9948fdd661238ecf00a

Download Submit
\PerfLogs\backup.exe

Filesize
84KB

MD5
5e97fbb5522949e29c7fe20aaac6b94c

SHA1
910e178ec68b353f5c3ed54cd99ac25ec126ff79

SHA256
4cf0b40fd95c63760af7b2de65bcc895703b8f37d7fbf98967edecec8a60267e

SHA512
89f927818d13d8a28128383e03bb34652598c12eb9bf6e43920476ee07c2c771dc718aa682018072fbfc20866faf9ce4261535aaec69151ddb6fd7726d4e76cd

Download Submit
\PerfLogs\backup.exe

Filesize
84KB

MD5
5e97fbb5522949e29c7fe20aaac6b94c

SHA1
910e178ec68b353f5c3ed54cd99ac25ec126ff79

SHA256
4cf0b40fd95c63760af7b2de65bcc895703b8f37d7fbf98967edecec8a60267e

SHA512
89f927818d13d8a28128383e03bb34652598c12eb9bf6e43920476ee07c2c771dc718aa682018072fbfc20866faf9ce4261535aaec69151ddb6fd7726d4e76cd

Download Submit
\Program Files (x86)\Adobe\data.exe

Filesize
84KB

MD5
464eea78c24eb5ebae3cbee8dcdf8208

SHA1
e768db6104b7a3937c880e79496aa126d078bbbe

SHA256
8536cc5e7bfe304a375c98b109bb8a9b40a5d713d7bd0a075db8d78f820f5419

SHA512
437efd4760b89a067f49f19b094031c781454e4bf194152bb14b204f240cc1668464db1b817d56f1f3cf3d26d4c6a51df5ca6e777d1b03e65a38281092616e7f

Download Submit
\Program Files (x86)\Adobe\data.exe

Filesize
84KB

MD5
464eea78c24eb5ebae3cbee8dcdf8208

SHA1
e768db6104b7a3937c880e79496aa126d078bbbe

SHA256
8536cc5e7bfe304a375c98b109bb8a9b40a5d713d7bd0a075db8d78f820f5419

SHA512
437efd4760b89a067f49f19b094031c781454e4bf194152bb14b204f240cc1668464db1b817d56f1f3cf3d26d4c6a51df5ca6e777d1b03e65a38281092616e7f

Download Submit
\Program Files (x86)\backup.exe

Filesize
84KB

MD5
bfebcc2ea8727fc9f927349285754b0f

SHA1
486c9c88dca1e1261e24a8c9a0ce9b69efd1a6d1

SHA256
88985536446de6333468fe746d3eb6358c2c2316bb47fe7cb2f8ba609bc252ad

SHA512
a0d94d492163b06f084ef55cfc6ec7a3800c8249815f6906a4c413c1c750a40f92de62d98a0a0e97a712c2a6abb09f2bedc5f7b4587e28b7fe390bc2566ccc42

Download Submit
\Program Files (x86)\backup.exe

Filesize
84KB

MD5
bfebcc2ea8727fc9f927349285754b0f

SHA1
486c9c88dca1e1261e24a8c9a0ce9b69efd1a6d1

SHA256
88985536446de6333468fe746d3eb6358c2c2316bb47fe7cb2f8ba609bc252ad

SHA512
a0d94d492163b06f084ef55cfc6ec7a3800c8249815f6906a4c413c1c750a40f92de62d98a0a0e97a712c2a6abb09f2bedc5f7b4587e28b7fe390bc2566ccc42

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
84KB

MD5
18c3ad6610cd28bcb9bd2c24c1cf4f79

SHA1
31f5442e3d13f1e16180960285d64c671b3ef5de

SHA256
9ba94bc97ac31245b076cf80b22e353ec039d2e3f080797c49b194397d4c8f4d

SHA512
2375ca6787259fd0160f2b41aa26553df46432af32e3fe93fe82bd80993d945ec3b6f99b3a03e7ebb594a656040433c636f5105e478312d1a594548236078dd9

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
84KB

MD5
18c3ad6610cd28bcb9bd2c24c1cf4f79

SHA1
31f5442e3d13f1e16180960285d64c671b3ef5de

SHA256
9ba94bc97ac31245b076cf80b22e353ec039d2e3f080797c49b194397d4c8f4d

SHA512
2375ca6787259fd0160f2b41aa26553df46432af32e3fe93fe82bd80993d945ec3b6f99b3a03e7ebb594a656040433c636f5105e478312d1a594548236078dd9

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
84KB

MD5
fd0cfe7ad532899e975d4d28aa54550b

SHA1
16bd560ba4c38f6ab275d1284410480f1e60a6ef

SHA256
1fec2f9ac437562539097ab9144764a3dcb184bfd091dfa3659a819864571b6a

SHA512
72b2b1e0ed5059ddb2960c771442a68a4e1390495233a17360f0767a3a198184d6686d611e62c5b7f24a22ac9d19c9b8ccffc2f2e10976bec44346e43cdb93f8

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
84KB

MD5
fd0cfe7ad532899e975d4d28aa54550b

SHA1
16bd560ba4c38f6ab275d1284410480f1e60a6ef

SHA256
1fec2f9ac437562539097ab9144764a3dcb184bfd091dfa3659a819864571b6a

SHA512
72b2b1e0ed5059ddb2960c771442a68a4e1390495233a17360f0767a3a198184d6686d611e62c5b7f24a22ac9d19c9b8ccffc2f2e10976bec44346e43cdb93f8

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
84KB

MD5
def9d33ce0e424ec03f0522bd13cb8ee

SHA1
78399593a90fc0fb50051d09816f294bf0fb7a35

SHA256
09688e89efd05c691c30888ab3f1fb59cd59a62f0e930666b56f3ce5269b2797

SHA512
dc75d5ac9aa9c1863855395b7bea3650a870935300e220e84e868c38db11f8fa272eb360599e2580bc4b288cf6d19413c667cd626bf919f6ff49257178be9e71

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
84KB

MD5
def9d33ce0e424ec03f0522bd13cb8ee

SHA1
78399593a90fc0fb50051d09816f294bf0fb7a35

SHA256
09688e89efd05c691c30888ab3f1fb59cd59a62f0e930666b56f3ce5269b2797

SHA512
dc75d5ac9aa9c1863855395b7bea3650a870935300e220e84e868c38db11f8fa272eb360599e2580bc4b288cf6d19413c667cd626bf919f6ff49257178be9e71

Download Submit
\Program Files\Common Files\backup.exe

Filesize
84KB

MD5
c30069f71359d7d4c01e0f56cb67857b

SHA1
d969cefd34eee55ecf8963a19f04a589bc8b650c

SHA256
013396cab6f5d5248fe3be639475d7f977f38643ddd1e794d116e3f10ad18e76

SHA512
5ccea6e0e887285fb68f1c9ca1f03d2f54d06db4bb9ec99793d4f505fd598743a3a2b26c5271d4e03ab6ec1a12ae8b66ba51feed1c28dbe154503c4fe0e83722

Download Submit
\Program Files\Common Files\backup.exe

Filesize
84KB

MD5
c30069f71359d7d4c01e0f56cb67857b

SHA1
d969cefd34eee55ecf8963a19f04a589bc8b650c

SHA256
013396cab6f5d5248fe3be639475d7f977f38643ddd1e794d116e3f10ad18e76

SHA512
5ccea6e0e887285fb68f1c9ca1f03d2f54d06db4bb9ec99793d4f505fd598743a3a2b26c5271d4e03ab6ec1a12ae8b66ba51feed1c28dbe154503c4fe0e83722

Download Submit
\Program Files\DVD Maker\backup.exe

Filesize
84KB

MD5
ece0f9ceb9200c532a6415446d5fda6f

SHA1
c4106d8b53242bd6a5acfccdd67cf4503ee2d633

SHA256
726f5fe56d30da92669756df1ad027f5daf689bf47aa37778020b6943e6e6481

SHA512
230b6b009f8f43c4f043aeaa465403f60f0fce25c7dd50aea4a408f867be3f0900a6e4159f0d89e7f026735e6e54340265d626ec1ebbd5e356e39bbe33523b55

Download Submit
\Program Files\DVD Maker\backup.exe

Filesize
84KB

MD5
ece0f9ceb9200c532a6415446d5fda6f

SHA1
c4106d8b53242bd6a5acfccdd67cf4503ee2d633

SHA256
726f5fe56d30da92669756df1ad027f5daf689bf47aa37778020b6943e6e6481

SHA512
230b6b009f8f43c4f043aeaa465403f60f0fce25c7dd50aea4a408f867be3f0900a6e4159f0d89e7f026735e6e54340265d626ec1ebbd5e356e39bbe33523b55

Download Submit
\Program Files\backup.exe

Filesize
84KB

MD5
5e97fbb5522949e29c7fe20aaac6b94c

SHA1
910e178ec68b353f5c3ed54cd99ac25ec126ff79

SHA256
4cf0b40fd95c63760af7b2de65bcc895703b8f37d7fbf98967edecec8a60267e

SHA512
89f927818d13d8a28128383e03bb34652598c12eb9bf6e43920476ee07c2c771dc718aa682018072fbfc20866faf9ce4261535aaec69151ddb6fd7726d4e76cd

Download Submit
\Program Files\backup.exe

Filesize
84KB

MD5
5e97fbb5522949e29c7fe20aaac6b94c

SHA1
910e178ec68b353f5c3ed54cd99ac25ec126ff79

SHA256
4cf0b40fd95c63760af7b2de65bcc895703b8f37d7fbf98967edecec8a60267e

SHA512
89f927818d13d8a28128383e03bb34652598c12eb9bf6e43920476ee07c2c771dc718aa682018072fbfc20866faf9ce4261535aaec69151ddb6fd7726d4e76cd

Download Submit
\Users\Admin\AppData\Local\Temp\2696415612\backup.exe

Filesize
84KB

MD5
442ce551fd81e27c10e131a02eb973d5

SHA1
49301536853330a2e1bce1a0059cf08d4a2bf077

SHA256
2f4bdf299189c741c17ff7475a2235659771bb3a9d94383d1b9b72de3855a453

SHA512
b277c6f736f82eadf2c7c55df9bf685679744a30ffacdf7a34083e5288f96fe7b22d1e5c7e054065acf90b0eb6be3316081c4a2ca1d7ed186b152bfd38927278

Download Submit
\Users\Admin\AppData\Local\Temp\2696415612\backup.exe

Filesize
84KB

MD5
442ce551fd81e27c10e131a02eb973d5

SHA1
49301536853330a2e1bce1a0059cf08d4a2bf077

SHA256
2f4bdf299189c741c17ff7475a2235659771bb3a9d94383d1b9b72de3855a453

SHA512
b277c6f736f82eadf2c7c55df9bf685679744a30ffacdf7a34083e5288f96fe7b22d1e5c7e054065acf90b0eb6be3316081c4a2ca1d7ed186b152bfd38927278

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
84KB

MD5
442ce551fd81e27c10e131a02eb973d5

SHA1
49301536853330a2e1bce1a0059cf08d4a2bf077

SHA256
2f4bdf299189c741c17ff7475a2235659771bb3a9d94383d1b9b72de3855a453

SHA512
b277c6f736f82eadf2c7c55df9bf685679744a30ffacdf7a34083e5288f96fe7b22d1e5c7e054065acf90b0eb6be3316081c4a2ca1d7ed186b152bfd38927278

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
84KB

MD5
442ce551fd81e27c10e131a02eb973d5

SHA1
49301536853330a2e1bce1a0059cf08d4a2bf077

SHA256
2f4bdf299189c741c17ff7475a2235659771bb3a9d94383d1b9b72de3855a453

SHA512
b277c6f736f82eadf2c7c55df9bf685679744a30ffacdf7a34083e5288f96fe7b22d1e5c7e054065acf90b0eb6be3316081c4a2ca1d7ed186b152bfd38927278

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
84KB

MD5
442ce551fd81e27c10e131a02eb973d5

SHA1
49301536853330a2e1bce1a0059cf08d4a2bf077

SHA256
2f4bdf299189c741c17ff7475a2235659771bb3a9d94383d1b9b72de3855a453

SHA512
b277c6f736f82eadf2c7c55df9bf685679744a30ffacdf7a34083e5288f96fe7b22d1e5c7e054065acf90b0eb6be3316081c4a2ca1d7ed186b152bfd38927278

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
84KB

MD5
442ce551fd81e27c10e131a02eb973d5

SHA1
49301536853330a2e1bce1a0059cf08d4a2bf077

SHA256
2f4bdf299189c741c17ff7475a2235659771bb3a9d94383d1b9b72de3855a453

SHA512
b277c6f736f82eadf2c7c55df9bf685679744a30ffacdf7a34083e5288f96fe7b22d1e5c7e054065acf90b0eb6be3316081c4a2ca1d7ed186b152bfd38927278

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\update.exe

Filesize
84KB

MD5
442ce551fd81e27c10e131a02eb973d5

SHA1
49301536853330a2e1bce1a0059cf08d4a2bf077

SHA256
2f4bdf299189c741c17ff7475a2235659771bb3a9d94383d1b9b72de3855a453

SHA512
b277c6f736f82eadf2c7c55df9bf685679744a30ffacdf7a34083e5288f96fe7b22d1e5c7e054065acf90b0eb6be3316081c4a2ca1d7ed186b152bfd38927278

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\update.exe

Filesize
84KB

MD5
442ce551fd81e27c10e131a02eb973d5

SHA1
49301536853330a2e1bce1a0059cf08d4a2bf077

SHA256
2f4bdf299189c741c17ff7475a2235659771bb3a9d94383d1b9b72de3855a453

SHA512
b277c6f736f82eadf2c7c55df9bf685679744a30ffacdf7a34083e5288f96fe7b22d1e5c7e054065acf90b0eb6be3316081c4a2ca1d7ed186b152bfd38927278

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\update.exe

Filesize
84KB

MD5
442ce551fd81e27c10e131a02eb973d5

SHA1
49301536853330a2e1bce1a0059cf08d4a2bf077

SHA256
2f4bdf299189c741c17ff7475a2235659771bb3a9d94383d1b9b72de3855a453

SHA512
b277c6f736f82eadf2c7c55df9bf685679744a30ffacdf7a34083e5288f96fe7b22d1e5c7e054065acf90b0eb6be3316081c4a2ca1d7ed186b152bfd38927278

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\update.exe

Filesize
84KB

MD5
442ce551fd81e27c10e131a02eb973d5

SHA1
49301536853330a2e1bce1a0059cf08d4a2bf077

SHA256
2f4bdf299189c741c17ff7475a2235659771bb3a9d94383d1b9b72de3855a453

SHA512
b277c6f736f82eadf2c7c55df9bf685679744a30ffacdf7a34083e5288f96fe7b22d1e5c7e054065acf90b0eb6be3316081c4a2ca1d7ed186b152bfd38927278

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\update.exe

Filesize
84KB

MD5
e0fb3a82fa8f98fa27abd7d8b7a17cdf

SHA1
152daa3e0b481aef0526ad57b1a5090e96bd4209

SHA256
fe327169206726fa50ade072ff7c2803e7535839b39253a13fba3c32d0024539

SHA512
313831652b320fcfe67bc84c4ed5048fdbff26248d472ef756cac83ba2eef6f7fd25019ab9abf03c251f730de6b3220dd739578c90cdb4fcf4c7f925d859beb7

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\update.exe

Filesize
84KB

MD5
e0fb3a82fa8f98fa27abd7d8b7a17cdf

SHA1
152daa3e0b481aef0526ad57b1a5090e96bd4209

SHA256
fe327169206726fa50ade072ff7c2803e7535839b39253a13fba3c32d0024539

SHA512
313831652b320fcfe67bc84c4ed5048fdbff26248d472ef756cac83ba2eef6f7fd25019ab9abf03c251f730de6b3220dd739578c90cdb4fcf4c7f925d859beb7

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\update.exe

Filesize
84KB

MD5
e0fb3a82fa8f98fa27abd7d8b7a17cdf

SHA1
152daa3e0b481aef0526ad57b1a5090e96bd4209

SHA256
fe327169206726fa50ade072ff7c2803e7535839b39253a13fba3c32d0024539

SHA512
313831652b320fcfe67bc84c4ed5048fdbff26248d472ef756cac83ba2eef6f7fd25019ab9abf03c251f730de6b3220dd739578c90cdb4fcf4c7f925d859beb7

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\update.exe

Filesize
84KB

MD5
e0fb3a82fa8f98fa27abd7d8b7a17cdf

SHA1
152daa3e0b481aef0526ad57b1a5090e96bd4209

SHA256
fe327169206726fa50ade072ff7c2803e7535839b39253a13fba3c32d0024539

SHA512
313831652b320fcfe67bc84c4ed5048fdbff26248d472ef756cac83ba2eef6f7fd25019ab9abf03c251f730de6b3220dd739578c90cdb4fcf4c7f925d859beb7

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
84KB

MD5
442ce551fd81e27c10e131a02eb973d5

SHA1
49301536853330a2e1bce1a0059cf08d4a2bf077

SHA256
2f4bdf299189c741c17ff7475a2235659771bb3a9d94383d1b9b72de3855a453

SHA512
b277c6f736f82eadf2c7c55df9bf685679744a30ffacdf7a34083e5288f96fe7b22d1e5c7e054065acf90b0eb6be3316081c4a2ca1d7ed186b152bfd38927278

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
84KB

MD5
442ce551fd81e27c10e131a02eb973d5

SHA1
49301536853330a2e1bce1a0059cf08d4a2bf077

SHA256
2f4bdf299189c741c17ff7475a2235659771bb3a9d94383d1b9b72de3855a453

SHA512
b277c6f736f82eadf2c7c55df9bf685679744a30ffacdf7a34083e5288f96fe7b22d1e5c7e054065acf90b0eb6be3316081c4a2ca1d7ed186b152bfd38927278

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\System Restore.exe

Filesize
84KB

MD5
e0fb3a82fa8f98fa27abd7d8b7a17cdf

SHA1
152daa3e0b481aef0526ad57b1a5090e96bd4209

SHA256
fe327169206726fa50ade072ff7c2803e7535839b39253a13fba3c32d0024539

SHA512
313831652b320fcfe67bc84c4ed5048fdbff26248d472ef756cac83ba2eef6f7fd25019ab9abf03c251f730de6b3220dd739578c90cdb4fcf4c7f925d859beb7

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\System Restore.exe

Filesize
84KB

MD5
e0fb3a82fa8f98fa27abd7d8b7a17cdf

SHA1
152daa3e0b481aef0526ad57b1a5090e96bd4209

SHA256
fe327169206726fa50ade072ff7c2803e7535839b39253a13fba3c32d0024539

SHA512
313831652b320fcfe67bc84c4ed5048fdbff26248d472ef756cac83ba2eef6f7fd25019ab9abf03c251f730de6b3220dd739578c90cdb4fcf4c7f925d859beb7

Download Submit
\Users\backup.exe

Filesize
84KB

MD5
f518987508041a6478a9bdcc00b58aa1

SHA1
3570208be7963f3c46bdf74a9800238f94202807

SHA256
da072a9fca83afad67eadd25f5060802d3d9bee7c9a297f274a894d4a4eb303d

SHA512
76d23e5ab8aca39fca530306386e0a64ab343ebc6e3647b8af8b163325bf11d9e292fce5c2b29b53f70dccb2d0459e813ee41fa54757893a497e8584e140131b

Download Submit
\Users\backup.exe

Filesize
84KB

MD5
f518987508041a6478a9bdcc00b58aa1

SHA1
3570208be7963f3c46bdf74a9800238f94202807

SHA256
da072a9fca83afad67eadd25f5060802d3d9bee7c9a297f274a894d4a4eb303d

SHA512
76d23e5ab8aca39fca530306386e0a64ab343ebc6e3647b8af8b163325bf11d9e292fce5c2b29b53f70dccb2d0459e813ee41fa54757893a497e8584e140131b

Download Submit
memory/696-227-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/992-309-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/992-307-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1276-213-0x00000000003A0000-0x00000000003BC000-memory.dmp

Filesize
112KB

Download
memory/1276-159-0x00000000003A0000-0x00000000003BC000-memory.dmp

Filesize
112KB

Download
memory/1276-165-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1276-196-0x00000000003A0000-0x00000000003BC000-memory.dmp

Filesize
112KB

Download
memory/1276-173-0x00000000003A0000-0x00000000003BC000-memory.dmp

Filesize
112KB

Download
memory/1296-300-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1464-318-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1500-329-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1808-263-0x0000000000740000-0x000000000075C000-memory.dmp

Filesize
112KB

Download
memory/1808-312-0x0000000000740000-0x000000000075C000-memory.dmp

Filesize
112KB

Download
memory/1808-305-0x0000000000740000-0x000000000075C000-memory.dmp

Filesize
112KB

Download
memory/1808-306-0x0000000000740000-0x000000000075C000-memory.dmp

Filesize
112KB

Download
memory/1808-294-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1884-215-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1884-247-0x00000000002B0000-0x00000000002CC000-memory.dmp

Filesize
112KB

Download
memory/1884-290-0x00000000002B0000-0x00000000002CC000-memory.dmp

Filesize
112KB

Download
memory/1944-336-0x00000000003E0000-0x00000000003FC000-memory.dmp

Filesize
112KB

Download
memory/1944-275-0x00000000003E0000-0x00000000003FC000-memory.dmp

Filesize
112KB

Download
memory/1944-316-0x00000000003E0000-0x00000000003FC000-memory.dmp

Filesize
112KB

Download
memory/1944-293-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1944-301-0x00000000003E0000-0x00000000003FC000-memory.dmp

Filesize
112KB

Download
memory/1948-22-0x0000000000340000-0x000000000035C000-memory.dmp

Filesize
112KB

Download
memory/1948-40-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1948-140-0x0000000002530000-0x0000000002531000-memory.dmp

Filesize
4KB

Download
memory/1948-182-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1948-166-0x0000000002530000-0x0000000002531000-memory.dmp

Filesize
4KB

Download
memory/1948-0-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2072-357-0x00000000002F0000-0x000000000030C000-memory.dmp

Filesize
112KB

Download
memory/2072-325-0x00000000002F0000-0x000000000030C000-memory.dmp

Filesize
112KB

Download
memory/2072-291-0x00000000002F0000-0x000000000030C000-memory.dmp

Filesize
112KB

Download
memory/2072-340-0x00000000002F0000-0x000000000030C000-memory.dmp

Filesize
112KB

Download
memory/2072-317-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2144-322-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2256-149-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2256-163-0x0000000000270000-0x000000000028C000-memory.dmp

Filesize
112KB

Download
memory/2256-108-0x0000000000270000-0x000000000028C000-memory.dmp

Filesize
112KB

Download
memory/2256-198-0x0000000000270000-0x000000000028C000-memory.dmp

Filesize
112KB

Download
memory/2256-164-0x0000000000270000-0x000000000028C000-memory.dmp

Filesize
112KB

Download
memory/2268-228-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2268-181-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2348-292-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2392-150-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2404-27-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2408-214-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2408-201-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2416-126-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2560-62-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2604-84-0x0000000000020000-0x000000000003C000-memory.dmp

Filesize
112KB

Download
memory/2604-89-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2604-83-0x0000000000020000-0x000000000003C000-memory.dmp

Filesize
112KB

Download
memory/2612-97-0x0000000000280000-0x000000000029C000-memory.dmp

Filesize
112KB

Download
memory/2612-134-0x0000000000280000-0x000000000029C000-memory.dmp

Filesize
112KB

Download
memory/2612-95-0x0000000000280000-0x000000000029C000-memory.dmp

Filesize
112KB

Download
memory/2612-12-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2612-54-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2680-359-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2736-74-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2808-70-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2808-167-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2916-49-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3048-332-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads