0ee9df4eef50b8cfc5eb6f1529cba23f9494ec6ab31f506564e2f77a52164a3d

Analysis

max time kernel
12s
max time network
124s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
01/11/2023, 22:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.ed6cbf61c3148459ace8a533611c0a00_JC.exe
Size

84KB
MD5

ed6cbf61c3148459ace8a533611c0a00
SHA1

c2cee7e9d683be897146534f1b4d065c04c83571
SHA256

0ee9df4eef50b8cfc5eb6f1529cba23f9494ec6ab31f506564e2f77a52164a3d
SHA512

60d11207699f40d724fa98093f8b49f46ea70b4df2dde3a26d03c6d7e0d0e60a5ea39ac48519a27b0048111003e78a218eb8b0319f36453938fc280ea099e564
SSDEEP

768:/pQNwC3BESe4Vqth+0V5vKmyLylze70wi3BEmY:BeT7BVwxfvEFwjRY

Score

10^/10

evasion upx

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 57 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Executes dropped EXE 62 IoCs

pid	Process
2596	backup.exe
2972	backup.exe
2620	backup.exe
2880	backup.exe
2544	backup.exe
2560	backup.exe
652	backup.exe
2900	backup.exe
1312	backup.exe
2736	backup.exe
928	update.exe
2852	backup.exe
2452	update.exe
2196	backup.exe
2172	backup.exe
2112	backup.exe
656	backup.exe
2156	backup.exe
1772	backup.exe
2240	backup.exe
1304	backup.exe
1188	backup.exe
2000	backup.exe
2572	backup.exe
1456	backup.exe
1704	backup.exe
2712	backup.exe
2784	backup.exe
2656	backup.exe
2272	backup.exe
2604	data.exe
2872	backup.exe
2520	backup.exe
2580	backup.exe
2892	backup.exe
3032	backup.exe
1948	backup.exe
2456	backup.exe
920	backup.exe
2764	backup.exe
1912	backup.exe
1576	backup.exe
1640	backup.exe
1580	backup.exe
2852	backup.exe
2312	backup.exe
1460	backup.exe
396	backup.exe
2024	backup.exe
2952	backup.exe
1624	backup.exe
1868	backup.exe
592	backup.exe
2240	backup.exe
2464	backup.exe
1320	backup.exe
312	System Restore.exe
868	backup.exe
2572	backup.exe
1456	backup.exe
2296	backup.exe
2960	backup.exe

Loads dropped DLL 64 IoCs

pid	Process
1320	backup.exe
1320	backup.exe
1320	backup.exe
1320	backup.exe
1320	backup.exe
1320	backup.exe
1320	backup.exe
1320	backup.exe
1320	backup.exe
1320	backup.exe
1320	backup.exe
1320	backup.exe
1320	backup.exe
1320	backup.exe
2900	backup.exe
2900	backup.exe
1312	backup.exe
1312	backup.exe
2900	backup.exe
928	update.exe
928	update.exe
928	update.exe
928	update.exe
928	update.exe
2852	backup.exe
2852	backup.exe
2852	backup.exe
2852	backup.exe
2452	update.exe
2452	update.exe
2452	update.exe
928	update.exe
928	update.exe
2196	backup.exe
2196	backup.exe
2196	backup.exe
2196	backup.exe
2196	backup.exe
2172	backup.exe
2172	backup.exe
2172	backup.exe
2172	backup.exe
2172	backup.exe
2112	backup.exe
2112	backup.exe
2112	backup.exe
2172	backup.exe
2172	backup.exe
656	backup.exe
656	backup.exe
656	backup.exe
656	backup.exe
656	backup.exe
2156	backup.exe
2156	backup.exe
2156	backup.exe
656	backup.exe
656	backup.exe
1772	backup.exe
1772	backup.exe
1772	backup.exe
656	backup.exe
656	backup.exe
2240	backup.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1320-0-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0008000000015223-12.dat	upx
behavioral1/files/0x0008000000015223-9.dat	upx
behavioral1/memory/2596-13-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0008000000015223-7.dat	upx
behavioral1/files/0x00070000000155fd-17.dat	upx
behavioral1/files/0x00070000000155fd-23.dat	upx
behavioral1/memory/2972-28-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0008000000015654-27.dat	upx
behavioral1/memory/1320-48-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0008000000015601-47.dat	upx
behavioral1/files/0x0008000000015c57-55.dat	upx
behavioral1/memory/2596-59-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0006000000015c6c-71.dat	upx
behavioral1/memory/652-89-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0006000000015c7a-85.dat	upx
behavioral1/files/0x0006000000015c7a-80.dat	upx
behavioral1/memory/2620-79-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0006000000015c7a-77.dat	upx
behavioral1/files/0x000d000000015c28-111.dat	upx
behavioral1/files/0x0006000000015c9c-116.dat	upx
behavioral1/files/0x0006000000015c9c-126.dat	upx
behavioral1/files/0x0006000000015caf-136.dat	upx
behavioral1/files/0x0006000000015caf-131.dat	upx
behavioral1/files/0x0007000000015ce1-149.dat	upx
behavioral1/memory/2900-157-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0007000000015ce1-154.dat	upx
behavioral1/files/0x0007000000015ce1-153.dat	upx
behavioral1/files/0x0007000000015ce1-152.dat	upx
behavioral1/files/0x0007000000015ce1-144.dat	upx
behavioral1/files/0x0007000000015ce1-147.dat	upx
behavioral1/memory/1312-143-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/2736-142-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0006000000015cf0-161.dat	upx
behavioral1/files/0x0006000000015cf0-172.dat	upx
behavioral1/files/0x0006000000015cf0-171.dat	upx
behavioral1/files/0x0006000000015dca-186.dat	upx
behavioral1/files/0x0006000000015e3c-197.dat	upx
behavioral1/memory/2452-208-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0012000000014c45-233.dat	upx
behavioral1/memory/2172-238-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/2196-255-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/656-259-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/2156-270-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/1772-278-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/2172-265-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/2112-247-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0012000000014c45-232.dat	upx
behavioral1/files/0x0012000000014c45-231.dat	upx
behavioral1/files/0x0012000000014c45-230.dat	upx
behavioral1/files/0x0012000000014c45-229.dat	upx
behavioral1/files/0x0012000000014c45-224.dat	upx
behavioral1/files/0x0012000000014c45-222.dat	upx
behavioral1/files/0x0006000000015e3c-207.dat	upx
behavioral1/files/0x0006000000015e3c-206.dat	upx
behavioral1/files/0x0006000000015e3c-205.dat	upx
behavioral1/files/0x0006000000015e3c-204.dat	upx
behavioral1/memory/928-203-0x00000000004A0000-0x00000000004BC000-memory.dmp	upx
behavioral1/memory/2852-202-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0006000000015e3c-201.dat	upx
behavioral1/files/0x0006000000015e3c-194.dat	upx
behavioral1/memory/928-188-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0006000000015dca-184.dat	upx
behavioral1/files/0x0006000000015dca-185.dat	upx

Drops file in Program Files directory 52 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\Lang\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe	backup.exe
File opened for modification	C:\Program Files\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1320	backup.exe

Suspicious use of SetWindowsHookEx 62 IoCs

pid	Process
1320	backup.exe
2596	backup.exe
2972	backup.exe
2620	backup.exe
2880	backup.exe
2544	backup.exe
2560	backup.exe
652	backup.exe
2900	backup.exe
1312	backup.exe
2736	backup.exe
928	update.exe
2852	backup.exe
2452	update.exe
2196	backup.exe
2172	backup.exe
2112	backup.exe
656	backup.exe
2156	backup.exe
1772	backup.exe
2240	backup.exe
1304	backup.exe
1188	backup.exe
2000	backup.exe
2572	backup.exe
1456	backup.exe
1704	backup.exe
2712	backup.exe
2784	backup.exe
2656	backup.exe
2272	backup.exe
2604	data.exe
2872	backup.exe
2520	backup.exe
2580	backup.exe
2892	backup.exe
3032	backup.exe
1948	backup.exe
2456	backup.exe
920	backup.exe
2764	backup.exe
1912	backup.exe
1576	backup.exe
1640	backup.exe
1580	backup.exe
2852	backup.exe
2312	backup.exe
1460	backup.exe
396	backup.exe
2024	backup.exe
2952	backup.exe
1624	backup.exe
1868	backup.exe
592	backup.exe
2240	backup.exe
2464	backup.exe
1320	backup.exe
312	System Restore.exe
868	backup.exe
2572	backup.exe
1456	backup.exe
2296	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1320 wrote to memory of 2596	1320	backup.exe	151
PID 1320 wrote to memory of 2596	1320	backup.exe	151
PID 1320 wrote to memory of 2596	1320	backup.exe	151
PID 1320 wrote to memory of 2596	1320	backup.exe	151
PID 1320 wrote to memory of 2972	1320	backup.exe	150
PID 1320 wrote to memory of 2972	1320	backup.exe	150
PID 1320 wrote to memory of 2972	1320	backup.exe	150
PID 1320 wrote to memory of 2972	1320	backup.exe	150
PID 1320 wrote to memory of 2620	1320	backup.exe	149
PID 1320 wrote to memory of 2620	1320	backup.exe	149
PID 1320 wrote to memory of 2620	1320	backup.exe	149
PID 1320 wrote to memory of 2620	1320	backup.exe	149
PID 1320 wrote to memory of 2880	1320	backup.exe	148
PID 1320 wrote to memory of 2880	1320	backup.exe	148
PID 1320 wrote to memory of 2880	1320	backup.exe	148
PID 1320 wrote to memory of 2880	1320	backup.exe	148
PID 1320 wrote to memory of 2544	1320	backup.exe	147
PID 1320 wrote to memory of 2544	1320	backup.exe	147
PID 1320 wrote to memory of 2544	1320	backup.exe	147
PID 1320 wrote to memory of 2544	1320	backup.exe	147
PID 1320 wrote to memory of 2560	1320	backup.exe	146
PID 1320 wrote to memory of 2560	1320	backup.exe	146
PID 1320 wrote to memory of 2560	1320	backup.exe	146
PID 1320 wrote to memory of 2560	1320	backup.exe	146
PID 1320 wrote to memory of 652	1320	backup.exe	24
PID 1320 wrote to memory of 652	1320	backup.exe	24
PID 1320 wrote to memory of 652	1320	backup.exe	24
PID 1320 wrote to memory of 652	1320	backup.exe	24
PID 2596 wrote to memory of 2900	2596	backup.exe	145
PID 2596 wrote to memory of 2900	2596	backup.exe	145
PID 2596 wrote to memory of 2900	2596	backup.exe	145
PID 2596 wrote to memory of 2900	2596	backup.exe	145
PID 2900 wrote to memory of 1312	2900	backup.exe	172
PID 2900 wrote to memory of 1312	2900	backup.exe	172
PID 2900 wrote to memory of 1312	2900	backup.exe	172
PID 2900 wrote to memory of 1312	2900	backup.exe	172
PID 1312 wrote to memory of 2736	1312	backup.exe	142
PID 1312 wrote to memory of 2736	1312	backup.exe	142
PID 1312 wrote to memory of 2736	1312	backup.exe	142
PID 1312 wrote to memory of 2736	1312	backup.exe	142
PID 2900 wrote to memory of 928	2900	backup.exe	25
PID 2900 wrote to memory of 928	2900	backup.exe	25
PID 2900 wrote to memory of 928	2900	backup.exe	25
PID 2900 wrote to memory of 928	2900	backup.exe	25
PID 2900 wrote to memory of 928	2900	backup.exe	25
PID 2900 wrote to memory of 928	2900	backup.exe	25
PID 2900 wrote to memory of 928	2900	backup.exe	25
PID 928 wrote to memory of 2852	928	update.exe	124
PID 928 wrote to memory of 2852	928	update.exe	124
PID 928 wrote to memory of 2852	928	update.exe	124
PID 928 wrote to memory of 2852	928	update.exe	124
PID 928 wrote to memory of 2852	928	update.exe	124
PID 928 wrote to memory of 2852	928	update.exe	124
PID 928 wrote to memory of 2852	928	update.exe	124
PID 2852 wrote to memory of 2452	2852	backup.exe	26
PID 2852 wrote to memory of 2452	2852	backup.exe	26
PID 2852 wrote to memory of 2452	2852	backup.exe	26
PID 2852 wrote to memory of 2452	2852	backup.exe	26
PID 2852 wrote to memory of 2452	2852	backup.exe	26
PID 2852 wrote to memory of 2452	2852	backup.exe	26
PID 2852 wrote to memory of 2452	2852	backup.exe	26
PID 928 wrote to memory of 2196	928	update.exe	120
PID 928 wrote to memory of 2196	928	update.exe	120
PID 928 wrote to memory of 2196	928	update.exe	120

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.ed6cbf61c3148459ace8a533611c0a00_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.ed6cbf61c3148459ace8a533611c0a00_JC.exe"
1⤵
PID:1320
- C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
  C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:652

C:\Program Files\update.exe
"C:\Program Files\update.exe" C:\Program Files\
1⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:928
- C:\Program Files\Common Files\backup.exe
  "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2196
- C:\Program Files\DVD Maker\backup.exe
  "C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\
  2⤵
  PID:2760
- - C:\Program Files\DVD Maker\de-DE\backup.exe
    "C:\Program Files\DVD Maker\de-DE\backup.exe" C:\Program Files\DVD Maker\de-DE\
    3⤵
    PID:1928
- - C:\Program Files\DVD Maker\en-US\backup.exe
    "C:\Program Files\DVD Maker\en-US\backup.exe" C:\Program Files\DVD Maker\en-US\
    3⤵
    PID:2300
- - C:\Program Files\DVD Maker\es-ES\backup.exe
    "C:\Program Files\DVD Maker\es-ES\backup.exe" C:\Program Files\DVD Maker\es-ES\
    3⤵
    PID:2396
- - C:\Program Files\DVD Maker\fr-FR\System Restore.exe
    "C:\Program Files\DVD Maker\fr-FR\System Restore.exe" C:\Program Files\DVD Maker\fr-FR\
    3⤵
    PID:1052
- - C:\Program Files\DVD Maker\it-IT\backup.exe
    "C:\Program Files\DVD Maker\it-IT\backup.exe" C:\Program Files\DVD Maker\it-IT\
    3⤵
    PID:2340
- - C:\Program Files\DVD Maker\ja-JP\backup.exe
    "C:\Program Files\DVD Maker\ja-JP\backup.exe" C:\Program Files\DVD Maker\ja-JP\
    3⤵
    PID:272
- - C:\Program Files\DVD Maker\Shared\backup.exe
    "C:\Program Files\DVD Maker\Shared\backup.exe" C:\Program Files\DVD Maker\Shared\
    3⤵
    PID:2936
  - - C:\Program Files\DVD Maker\Shared\DvdStyles\update.exe
      "C:\Program Files\DVD Maker\Shared\DvdStyles\update.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\
      4⤵
      PID:2832
    - - C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\
        5⤵
        
        PID:1820
    - - C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\
        5⤵
        
        PID:560
- C:\Program Files\7-Zip\backup.exe
  "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2852
- C:\Program Files\Google\backup.exe
  "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
  2⤵
  PID:2732
- - C:\Program Files\Google\Chrome\backup.exe
    "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:2580
- C:\Program Files\Internet Explorer\backup.exe
  "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
  2⤵
  PID:1136
- C:\Program Files\Java\backup.exe
  "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:868
- - C:\Program Files\Java\jdk1.7.0_80\backup.exe
    "C:\Program Files\Java\jdk1.7.0_80\backup.exe" C:\Program Files\Java\jdk1.7.0_80\
    3⤵
    PID:924
  - - C:\Program Files\Java\jdk1.7.0_80\bin\backup.exe
      "C:\Program Files\Java\jdk1.7.0_80\bin\backup.exe" C:\Program Files\Java\jdk1.7.0_80\bin\
      4⤵
      PID:2532
  - - C:\Program Files\Java\jdk1.7.0_80\db\backup.exe
      "C:\Program Files\Java\jdk1.7.0_80\db\backup.exe" C:\Program Files\Java\jdk1.7.0_80\db\
      4⤵
      PID:1540
  - - C:\Program Files\Java\jdk1.7.0_80\include\backup.exe
      "C:\Program Files\Java\jdk1.7.0_80\include\backup.exe" C:\Program Files\Java\jdk1.7.0_80\include\
      4⤵
      PID:1664
- - C:\Program Files\Java\jre7\backup.exe
    "C:\Program Files\Java\jre7\backup.exe" C:\Program Files\Java\jre7\
    3⤵
    PID:1560
- C:\Program Files\Microsoft Games\backup.exe
  "C:\Program Files\Microsoft Games\backup.exe" C:\Program Files\Microsoft Games\
  2⤵
  PID:652
- C:\Program Files\Microsoft Office\backup.exe
  "C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
  2⤵
  PID:2740
- C:\Program Files\Mozilla Firefox\backup.exe
  "C:\Program Files\Mozilla Firefox\backup.exe" C:\Program Files\Mozilla Firefox\
  2⤵
  PID:2328
- - C:\Program Files\Mozilla Firefox\browser\backup.exe
    "C:\Program Files\Mozilla Firefox\browser\backup.exe" C:\Program Files\Mozilla Firefox\browser\
    3⤵
    PID:1756
- - C:\Program Files\Mozilla Firefox\defaults\data.exe
    "C:\Program Files\Mozilla Firefox\defaults\data.exe" C:\Program Files\Mozilla Firefox\defaults\
    3⤵
    PID:1720
- C:\Program Files\MSBuild\backup.exe
  "C:\Program Files\MSBuild\backup.exe" C:\Program Files\MSBuild\
  2⤵
  PID:2056
- C:\Program Files\Reference Assemblies\backup.exe
  "C:\Program Files\Reference Assemblies\backup.exe" C:\Program Files\Reference Assemblies\
  2⤵
  PID:1840
- C:\Program Files\VideoLAN\backup.exe
  "C:\Program Files\VideoLAN\backup.exe" C:\Program Files\VideoLAN\
  2⤵
  PID:2168
- C:\Program Files\Windows Defender\backup.exe
  "C:\Program Files\Windows Defender\backup.exe" C:\Program Files\Windows Defender\
  2⤵
  PID:860
- C:\Program Files\Windows Journal\backup.exe
  "C:\Program Files\Windows Journal\backup.exe" C:\Program Files\Windows Journal\
  2⤵
  PID:2512

C:\Program Files\7-Zip\Lang\update.exe
"C:\Program Files\7-Zip\Lang\update.exe" C:\Program Files\7-Zip\Lang\
1⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2452

C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
1⤵
PID:2112

C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
1⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:656
- C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2156
- C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
  2⤵
  PID:1772
- C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
  2⤵
  PID:2240
- C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1304
- C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1188
- C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2000
- C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
  2⤵
  PID:2572
- C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
  2⤵
  PID:1456
- C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1704
- C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2712
- C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2784
- C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2656
- - C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2272
- - C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\data.exe
    "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:2604
- - C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\
    3⤵
    PID:2872
- - C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:2520
- - C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\
    3⤵
    PID:2580
- - C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:2892
- - C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\
    3⤵
    PID:3032
- - C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\
    3⤵
    PID:2456
- - C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1948
- C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\System Restore.exe
  "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\
  2⤵
  PID:920
- C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2764
- C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1912
- C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1576
- C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1640
- C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1580
- C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\
  2⤵
  PID:2852
- C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2312
- C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\
  2⤵
  PID:1460
- C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:396
- C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\
  2⤵
  PID:2952
- C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1624
- C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1868
- C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2240
- C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\
  2⤵
  PID:592
- C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\
  2⤵
  PID:2464
- C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2024
- C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1320
- - C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
    C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:2560
- - C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
    "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:2544
- - C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
    "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:2880
- - C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
    C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2620
- - C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
    C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:2972
- - C:\Users\Admin\AppData\Local\Temp\98278740\backup.exe
    C:\Users\Admin\AppData\Local\Temp\98278740\backup.exe C:\Users\Admin\AppData\Local\Temp\98278740\
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2596
- C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\data.exe
  "C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\
  2⤵
  PID:312
- C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\
  2⤵
  PID:868
- C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2572
- C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1456
- C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\
  2⤵
  PID:2960
- C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2296
- C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\
  2⤵
  PID:2632

C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
1⤵
PID:2880
- C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\
  2⤵
  PID:308
- C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\
  2⤵
  PID:3056
- C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\
  2⤵
  PID:2872
- C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\
  2⤵
  PID:716
- C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\
  2⤵
  PID:972
- C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\
  2⤵
  PID:2472

C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\
1⤵
PID:3032

C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
1⤵
PID:3060

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
1⤵
PID:1992

C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\
1⤵
PID:1644

C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\
1⤵
PID:1736

C:\Program Files\Common Files\Microsoft Shared\TextConv\update.exe
"C:\Program Files\Common Files\Microsoft Shared\TextConv\update.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\
1⤵
PID:2476
- C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\
  2⤵
  PID:1928
- C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\
  2⤵
  PID:2576
- C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\
  2⤵
  PID:2228
- C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\
  2⤵
  PID:2216
- C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\
  2⤵
  PID:2348

C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\
1⤵
PID:1384
- C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\
  2⤵
  PID:2352
- C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\
  2⤵
  PID:1760
- C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2112
- C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\
  2⤵
  PID:1708
- C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\System Restore.exe
  "C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\
  2⤵
  PID:1840
- C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\
  2⤵
  PID:2184

C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VC\
1⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:592

C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VGX\
1⤵
PID:2284

C:\Program Files\Common Files\Microsoft Shared\VSTO\data.exe
"C:\Program Files\Common Files\Microsoft Shared\VSTO\data.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\
1⤵
PID:2152
- C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\
  2⤵
  PID:1508
- - C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\
    3⤵
    PID:1788

C:\Program Files\Common Files\Microsoft Shared\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\backup.exe" C:\Program Files\Common Files\Microsoft Shared\
1⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:2172

C:\Program Files (x86)\System Restore.exe
"C:\Program Files (x86)\System Restore.exe" C:\Program Files (x86)\
1⤵
PID:1728
- C:\Program Files (x86)\Adobe\backup.exe
  "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
  2⤵
  PID:2772
- C:\Program Files (x86)\Common Files\backup.exe
  "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
  2⤵
  PID:2460
- - C:\Program Files (x86)\Common Files\Adobe\backup.exe
    "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
    3⤵
    PID:308
  - - C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe
      "C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\
      4⤵
      PID:2708
  - - C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe
      "C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\
      4⤵
      PID:2080
  - - C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe
      "C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Updater6\
      4⤵
      PID:2260
- - C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe
    "C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:1460
  - - C:\Program Files (x86)\Common Files\Adobe AIR\Versions\backup.exe
      "C:\Program Files (x86)\Common Files\Adobe AIR\Versions\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\Versions\
      4⤵
      PID:1656
- - C:\Program Files (x86)\Common Files\DESIGNER\backup.exe
    "C:\Program Files (x86)\Common Files\DESIGNER\backup.exe" C:\Program Files (x86)\Common Files\DESIGNER\
    3⤵
    PID:2704
- - C:\Program Files (x86)\Common Files\microsoft shared\backup.exe
    "C:\Program Files (x86)\Common Files\microsoft shared\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\
    3⤵
    PID:1952
  - - C:\Program Files (x86)\Common Files\microsoft shared\DAO\backup.exe
      "C:\Program Files (x86)\Common Files\microsoft shared\DAO\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\DAO\
      4⤵
      PID:1580
  - - C:\Program Files (x86)\Common Files\microsoft shared\DW\update.exe
      "C:\Program Files (x86)\Common Files\microsoft shared\DW\update.exe" C:\Program Files (x86)\Common Files\microsoft shared\DW\
      4⤵
      PID:2196
- - C:\Program Files (x86)\Common Files\Services\backup.exe
    "C:\Program Files (x86)\Common Files\Services\backup.exe" C:\Program Files (x86)\Common Files\Services\
    3⤵
    PID:1512
- - C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe
    "C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe" C:\Program Files (x86)\Common Files\SpeechEngines\
    3⤵
    PID:2584
- - C:\Program Files (x86)\Common Files\System\data.exe
    "C:\Program Files (x86)\Common Files\System\data.exe" C:\Program Files (x86)\Common Files\System\
    3⤵
    PID:1332
- C:\Program Files (x86)\Google\backup.exe
  "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1312
- - C:\Program Files (x86)\Google\CrashReports\backup.exe
    "C:\Program Files (x86)\Google\CrashReports\backup.exe" C:\Program Files (x86)\Google\CrashReports\
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:1772
- - C:\Program Files (x86)\Google\Temp\backup.exe
    "C:\Program Files (x86)\Google\Temp\backup.exe" C:\Program Files (x86)\Google\Temp\
    3⤵
    PID:2516
- - C:\Program Files (x86)\Google\Update\backup.exe
    "C:\Program Files (x86)\Google\Update\backup.exe" C:\Program Files (x86)\Google\Update\
    3⤵
    PID:1992
- C:\Program Files (x86)\Internet Explorer\backup.exe
  "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1320
- C:\Program Files (x86)\Microsoft Analysis Services\backup.exe
  "C:\Program Files (x86)\Microsoft Analysis Services\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\
  2⤵
  PID:2920
- C:\Program Files (x86)\Microsoft Office\backup.exe
  "C:\Program Files (x86)\Microsoft Office\backup.exe" C:\Program Files (x86)\Microsoft Office\
  2⤵
  PID:1636
- C:\Program Files (x86)\Microsoft SQL Server Compact Edition\update.exe
  "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\update.exe" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\
  2⤵
  PID:1996
- - C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\backup.exe
    "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\backup.exe" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\
    3⤵
    PID:2468
- C:\Program Files (x86)\Microsoft Sync Framework\backup.exe
  "C:\Program Files (x86)\Microsoft Sync Framework\backup.exe" C:\Program Files (x86)\Microsoft Sync Framework\
  2⤵
  PID:2344
- C:\Program Files (x86)\Microsoft Synchronization Services\System Restore.exe
  "C:\Program Files (x86)\Microsoft Synchronization Services\System Restore.exe" C:\Program Files (x86)\Microsoft Synchronization Services\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:312
- C:\Program Files (x86)\Microsoft Visual Studio 8\backup.exe
  "C:\Program Files (x86)\Microsoft Visual Studio 8\backup.exe" C:\Program Files (x86)\Microsoft Visual Studio 8\
  2⤵
  PID:2272
- C:\Program Files (x86)\Microsoft.NET\backup.exe
  "C:\Program Files (x86)\Microsoft.NET\backup.exe" C:\Program Files (x86)\Microsoft.NET\
  2⤵
  PID:1624
- C:\Program Files (x86)\Mozilla Maintenance Service\backup.exe
  "C:\Program Files (x86)\Mozilla Maintenance Service\backup.exe" C:\Program Files (x86)\Mozilla Maintenance Service\
  2⤵
  PID:608

C:\Program Files\Common Files\Services\backup.exe
"C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
1⤵
PID:2612

C:\Program Files\Common Files\SpeechEngines\backup.exe
"C:\Program Files\Common Files\SpeechEngines\backup.exe" C:\Program Files\Common Files\SpeechEngines\
1⤵
PID:2648
- C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe
  "C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files\Common Files\SpeechEngines\Microsoft\
  2⤵
  PID:1204

C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\
1⤵
PID:2720
- C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe
  "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\
  2⤵
  PID:2500
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe
  "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\
  2⤵
  PID:2488
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\
    3⤵
    PID:1160
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\
    3⤵
    PID:1776
  - - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe
      "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\
      4⤵
      PID:1816
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\
    3⤵
    PID:2672
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\
    3⤵
    PID:1856
  - - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe
      "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\
      4⤵
      PID:892
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\System Restore.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\System Restore.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\
    3⤵
    PID:1480
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\
    3⤵
    PID:2116
  - - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe
      "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\
      4⤵
      PID:2168
    - - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\
        5⤵
        
        PID:2356
  - - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe
      "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\
      4⤵
      Executes dropped EXE
      PID:2960
    - - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\
        5⤵
        
        PID:1776
      - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\
        6⤵
        
        PID:2660
  - - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe
      "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\
      4⤵
      PID:1036
    - - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\
        5⤵
        
        PID:2120
  - - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe
      "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:2464
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:3032
  - - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\backup.exe
      "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\
      4⤵
      PID:2864
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\
    3⤵
    PID:948
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\
    3⤵
    PID:2772
- C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe
  "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\
  2⤵
  PID:2492
- - C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\System Restore.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\System Restore.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\
    3⤵
    PID:1264
- - C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\
    3⤵
    PID:1696
- - C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\
    3⤵
    PID:1604
- - C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:2872
- - C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:920
- C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe
  "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\
  2⤵
  PID:1964
- - C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\
    3⤵
    PID:1004

C:\Program Files\Common Files\System\backup.exe
"C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
1⤵
PID:768
- C:\Program Files\Common Files\System\ado\backup.exe
  "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
  2⤵
  PID:1484
- - C:\Program Files\Common Files\System\ado\de-DE\backup.exe
    "C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
    3⤵
    PID:2924
- - C:\Program Files\Common Files\System\ado\en-US\backup.exe
    "C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
    3⤵
    PID:716
- - C:\Program Files\Common Files\System\ado\es-ES\backup.exe
    "C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:2456
- - C:\Program Files\Common Files\System\ado\fr-FR\System Restore.exe
    "C:\Program Files\Common Files\System\ado\fr-FR\System Restore.exe" C:\Program Files\Common Files\System\ado\fr-FR\
    3⤵
    PID:1036
- - C:\Program Files\Common Files\System\ado\ja-JP\backup.exe
    "C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\
    3⤵
    PID:2992
- - C:\Program Files\Common Files\System\ado\it-IT\backup.exe
    "C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\
    3⤵
    PID:2584
- C:\Program Files\Common Files\System\de-DE\backup.exe
  "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2952
- C:\Program Files\Common Files\System\en-US\backup.exe
  "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
  2⤵
  PID:828
- C:\Program Files\Common Files\System\es-ES\backup.exe
  "C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
  2⤵
  PID:2004
- C:\Program Files\Common Files\System\fr-FR\backup.exe
  "C:\Program Files\Common Files\System\fr-FR\backup.exe" C:\Program Files\Common Files\System\fr-FR\
  2⤵
  PID:2980
- C:\Program Files\Common Files\System\it-IT\System Restore.exe
  "C:\Program Files\Common Files\System\it-IT\System Restore.exe" C:\Program Files\Common Files\System\it-IT\
  2⤵
  PID:2340
- C:\Program Files\Common Files\System\ja-JP\backup.exe
  "C:\Program Files\Common Files\System\ja-JP\backup.exe" C:\Program Files\Common Files\System\ja-JP\
  2⤵
  PID:2912
- C:\Program Files\Common Files\System\msadc\backup.exe
  "C:\Program Files\Common Files\System\msadc\backup.exe" C:\Program Files\Common Files\System\msadc\
  2⤵
  PID:1296
- - C:\Program Files\Common Files\System\msadc\de-DE\backup.exe
    "C:\Program Files\Common Files\System\msadc\de-DE\backup.exe" C:\Program Files\Common Files\System\msadc\de-DE\
    3⤵
    PID:2860
- - C:\Program Files\Common Files\System\msadc\en-US\backup.exe
    "C:\Program Files\Common Files\System\msadc\en-US\backup.exe" C:\Program Files\Common Files\System\msadc\en-US\
    3⤵
    PID:764
- C:\Program Files\Common Files\System\Ole DB\backup.exe
  "C:\Program Files\Common Files\System\Ole DB\backup.exe" C:\Program Files\Common Files\System\Ole DB\
  2⤵
  PID:2144

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\
1⤵
PID:2580

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\data.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\data.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\
1⤵
PID:2508

C:\PerfLogs\Admin\backup.exe
C:\PerfLogs\Admin\backup.exe C:\PerfLogs\Admin\
1⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2736

C:\PerfLogs\backup.exe
C:\PerfLogs\backup.exe C:\PerfLogs\
1⤵
PID:1312

C:\backup.exe
\backup.exe \
1⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2900
- C:\Users\backup.exe
  C:\Users\backup.exe C:\Users\
  2⤵
  PID:2700
- - C:\Users\Admin\backup.exe
    C:\Users\Admin\backup.exe C:\Users\Admin\
    3⤵
    PID:2884
- - C:\Users\Public\backup.exe
    C:\Users\Public\backup.exe C:\Users\Public\
    3⤵
    PID:2292
  - - C:\Users\Public\Documents\backup.exe
      C:\Users\Public\Documents\backup.exe C:\Users\Public\Documents\
      4⤵
      PID:2384
  - - C:\Users\Public\Downloads\backup.exe
      C:\Users\Public\Downloads\backup.exe C:\Users\Public\Downloads\
      4⤵
      PID:2104
  - - C:\Users\Public\Music\backup.exe
      C:\Users\Public\Music\backup.exe C:\Users\Public\Music\
      4⤵
      PID:2428
  - - C:\Users\Public\Pictures\backup.exe
      C:\Users\Public\Pictures\backup.exe C:\Users\Public\Pictures\
      4⤵
      PID:388
  - - C:\Users\Public\Recorded TV\backup.exe
      "C:\Users\Public\Recorded TV\backup.exe" C:\Users\Public\Recorded TV\
      4⤵
      PID:2244
- C:\Windows\backup.exe
  C:\Windows\backup.exe C:\Windows\
  2⤵
  PID:788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\backup.exe

Filesize
84KB

MD5
e048d3549d8bd72667e01122847806f9

SHA1
347fb304a2fec5672c1c3649ced834a63b5bc741

SHA256
009143a0cadfd66fae5fa28f434f68274ace054ff09268fe3ddb38a8e0065cbb

SHA512
2481226d736a8ac44ee2a2ae59fd9425b3dd3fc0cbea618673f1f00d140bc2037dfc90cf002bdf761386a090cfe835a4a72e57460c74307ae79bfa2618ed25fa

Download Submit
C:\PerfLogs\backup.exe

Filesize
84KB

MD5
9a64c4e03cda4e00796a90328fc83f83

SHA1
4bf5faf984e83af6ffb7f1d5d26f005a0902f399

SHA256
fe4e3b9852badb7d25b27600f167372a9ad146b27f4c9610d5542bc84df55ab4

SHA512
4103772970ec23bfa5b5be4f897af2435411d975cd5ae5923d2980ab38846ef9118ba4b8bfa19a532ed589c580b37fdf20709a296190dc5d3199abfabeee3a36

Download Submit
C:\PerfLogs\backup.exe

Filesize
84KB

MD5
9a64c4e03cda4e00796a90328fc83f83

SHA1
4bf5faf984e83af6ffb7f1d5d26f005a0902f399

SHA256
fe4e3b9852badb7d25b27600f167372a9ad146b27f4c9610d5542bc84df55ab4

SHA512
4103772970ec23bfa5b5be4f897af2435411d975cd5ae5923d2980ab38846ef9118ba4b8bfa19a532ed589c580b37fdf20709a296190dc5d3199abfabeee3a36

Download Submit
C:\Program Files\7-Zip\Lang\update.exe

Filesize
84KB

MD5
39404142cefd00b71a6138506ee74040

SHA1
6b21945316033ba04c98b6d3dd00ff71793cf5d0

SHA256
a28cda0e8ce3b6bf7ac542e6e3ce5dc7e1d2c9b31ec274d4bb80ad834362a9d4

SHA512
a01ae87983f578f469d72a3f0829179c9cdb052b51d57abd68535440a98cc83cd07c1ce6a975f76ba5ab0af50b1b2b1f1f7b267d10fa2cacee172bd98f236371

Download Submit
C:\Program Files\7-Zip\Lang\update.exe

Filesize
84KB

MD5
39404142cefd00b71a6138506ee74040

SHA1
6b21945316033ba04c98b6d3dd00ff71793cf5d0

SHA256
a28cda0e8ce3b6bf7ac542e6e3ce5dc7e1d2c9b31ec274d4bb80ad834362a9d4

SHA512
a01ae87983f578f469d72a3f0829179c9cdb052b51d57abd68535440a98cc83cd07c1ce6a975f76ba5ab0af50b1b2b1f1f7b267d10fa2cacee172bd98f236371

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
84KB

MD5
e23c63226ba8a11ef4b68660c7c83013

SHA1
b3124553349f91e333daa3189f190ef259f752f1

SHA256
93acca7247622ceb007c45969be5691d828a74be122f9a34e1a9367a0ab96d64

SHA512
aa936e733a1f6d8ff85d86edafb114da43da22a1f3680edd52bcd44639282b67af862cac03be0f48d85b30a78397399e14f61d434acff2082a4e8ec97c8b408e

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
84KB

MD5
e23c63226ba8a11ef4b68660c7c83013

SHA1
b3124553349f91e333daa3189f190ef259f752f1

SHA256
93acca7247622ceb007c45969be5691d828a74be122f9a34e1a9367a0ab96d64

SHA512
aa936e733a1f6d8ff85d86edafb114da43da22a1f3680edd52bcd44639282b67af862cac03be0f48d85b30a78397399e14f61d434acff2082a4e8ec97c8b408e

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
84KB

MD5
d8bc1f7271f1034eb9e888360f09f868

SHA1
74b391180485a65c5773809e3951aeef9c2bec4a

SHA256
393cd42aac6ef485111ef4fa4a24308909610b408e374f3faeb1f30769ec17f0

SHA512
bb85b0381996cf2d3cc1460810253811f6cd49d5a75652905c1ab4b7e10b19860ac0ec423b7ad4917428dbc75eac29ee3e85b48ab06729f49631b5092e0c80fe

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
84KB

MD5
d8bc1f7271f1034eb9e888360f09f868

SHA1
74b391180485a65c5773809e3951aeef9c2bec4a

SHA256
393cd42aac6ef485111ef4fa4a24308909610b408e374f3faeb1f30769ec17f0

SHA512
bb85b0381996cf2d3cc1460810253811f6cd49d5a75652905c1ab4b7e10b19860ac0ec423b7ad4917428dbc75eac29ee3e85b48ab06729f49631b5092e0c80fe

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
84KB

MD5
c1599e2b02780fd6721cc1e38f7f7d6a

SHA1
9d0ac4c06ee886b1291939d3edf13950fe40f737

SHA256
4f19dd829f45627df15cd43ed7627d92c8396d2deeedd325a1d69d8171e78992

SHA512
3069bef3c3a2be6f59fc5fa6f60e19f97684b6b24f60fd23174772eb82c86710158ad9ca6646fd1e3b4bb8daf8b7f492991df89e59a7f88ffb35738fb2155148

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
84KB

MD5
c1599e2b02780fd6721cc1e38f7f7d6a

SHA1
9d0ac4c06ee886b1291939d3edf13950fe40f737

SHA256
4f19dd829f45627df15cd43ed7627d92c8396d2deeedd325a1d69d8171e78992

SHA512
3069bef3c3a2be6f59fc5fa6f60e19f97684b6b24f60fd23174772eb82c86710158ad9ca6646fd1e3b4bb8daf8b7f492991df89e59a7f88ffb35738fb2155148

Download Submit
C:\Program Files\update.exe

Filesize
84KB

MD5
9a64c4e03cda4e00796a90328fc83f83

SHA1
4bf5faf984e83af6ffb7f1d5d26f005a0902f399

SHA256
fe4e3b9852badb7d25b27600f167372a9ad146b27f4c9610d5542bc84df55ab4

SHA512
4103772970ec23bfa5b5be4f897af2435411d975cd5ae5923d2980ab38846ef9118ba4b8bfa19a532ed589c580b37fdf20709a296190dc5d3199abfabeee3a36

Download Submit
C:\Program Files\update.exe

Filesize
84KB

MD5
9a64c4e03cda4e00796a90328fc83f83

SHA1
4bf5faf984e83af6ffb7f1d5d26f005a0902f399

SHA256
fe4e3b9852badb7d25b27600f167372a9ad146b27f4c9610d5542bc84df55ab4

SHA512
4103772970ec23bfa5b5be4f897af2435411d975cd5ae5923d2980ab38846ef9118ba4b8bfa19a532ed589c580b37fdf20709a296190dc5d3199abfabeee3a36

Download Submit
C:\Users\Admin\AppData\Local\Temp\98278740\backup.exe

Filesize
84KB

MD5
d23c9acfa5a04aca104dc6c42ce54e97

SHA1
b12a2d687ff66781841cb98aec972ded69ffb550

SHA256
e1d9faf50fd3232484bb30939218e3a26ba9aaeb71a0e8bf5f09316100e4755e

SHA512
56e11411f94f6bd96efe9e4293e4c7b5cee5e846ca69e0003f8e2f972e62611b04a9f7deaa95e979ddb3db7ff31b6065b5e736c4c024e61db693a0f22f072a94

Download Submit
C:\Users\Admin\AppData\Local\Temp\98278740\backup.exe

Filesize
84KB

MD5
d23c9acfa5a04aca104dc6c42ce54e97

SHA1
b12a2d687ff66781841cb98aec972ded69ffb550

SHA256
e1d9faf50fd3232484bb30939218e3a26ba9aaeb71a0e8bf5f09316100e4755e

SHA512
56e11411f94f6bd96efe9e4293e4c7b5cee5e846ca69e0003f8e2f972e62611b04a9f7deaa95e979ddb3db7ff31b6065b5e736c4c024e61db693a0f22f072a94

Download Submit
C:\Users\Admin\AppData\Local\Temp\98278740\backup.exe

Filesize
84KB

MD5
d23c9acfa5a04aca104dc6c42ce54e97

SHA1
b12a2d687ff66781841cb98aec972ded69ffb550

SHA256
e1d9faf50fd3232484bb30939218e3a26ba9aaeb71a0e8bf5f09316100e4755e

SHA512
56e11411f94f6bd96efe9e4293e4c7b5cee5e846ca69e0003f8e2f972e62611b04a9f7deaa95e979ddb3db7ff31b6065b5e736c4c024e61db693a0f22f072a94

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
84KB

MD5
d23c9acfa5a04aca104dc6c42ce54e97

SHA1
b12a2d687ff66781841cb98aec972ded69ffb550

SHA256
e1d9faf50fd3232484bb30939218e3a26ba9aaeb71a0e8bf5f09316100e4755e

SHA512
56e11411f94f6bd96efe9e4293e4c7b5cee5e846ca69e0003f8e2f972e62611b04a9f7deaa95e979ddb3db7ff31b6065b5e736c4c024e61db693a0f22f072a94

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
84KB

MD5
d23c9acfa5a04aca104dc6c42ce54e97

SHA1
b12a2d687ff66781841cb98aec972ded69ffb550

SHA256
e1d9faf50fd3232484bb30939218e3a26ba9aaeb71a0e8bf5f09316100e4755e

SHA512
56e11411f94f6bd96efe9e4293e4c7b5cee5e846ca69e0003f8e2f972e62611b04a9f7deaa95e979ddb3db7ff31b6065b5e736c4c024e61db693a0f22f072a94

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
84KB

MD5
d23c9acfa5a04aca104dc6c42ce54e97

SHA1
b12a2d687ff66781841cb98aec972ded69ffb550

SHA256
e1d9faf50fd3232484bb30939218e3a26ba9aaeb71a0e8bf5f09316100e4755e

SHA512
56e11411f94f6bd96efe9e4293e4c7b5cee5e846ca69e0003f8e2f972e62611b04a9f7deaa95e979ddb3db7ff31b6065b5e736c4c024e61db693a0f22f072a94

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
84KB

MD5
5a4a1dac1cecc6e7bef7cae6a6054aa6

SHA1
899ba25c5eb789c6dd283767313a59a21074bc5d

SHA256
47b32aaebd2e588e083d37702be06ef5a0a50c8dec0ddcbf167c7fecef9a8cb3

SHA512
b5ea2d12ace4e8225a3192e7344b160ef9258b4780987e767711c5050cee979897cee71ed80e971c0715ee6cbb763dc0cf502f2aad1d8579cbbc0d97d4b21226

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
84KB

MD5
d23c9acfa5a04aca104dc6c42ce54e97

SHA1
b12a2d687ff66781841cb98aec972ded69ffb550

SHA256
e1d9faf50fd3232484bb30939218e3a26ba9aaeb71a0e8bf5f09316100e4755e

SHA512
56e11411f94f6bd96efe9e4293e4c7b5cee5e846ca69e0003f8e2f972e62611b04a9f7deaa95e979ddb3db7ff31b6065b5e736c4c024e61db693a0f22f072a94

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
84KB

MD5
d23c9acfa5a04aca104dc6c42ce54e97

SHA1
b12a2d687ff66781841cb98aec972ded69ffb550

SHA256
e1d9faf50fd3232484bb30939218e3a26ba9aaeb71a0e8bf5f09316100e4755e

SHA512
56e11411f94f6bd96efe9e4293e4c7b5cee5e846ca69e0003f8e2f972e62611b04a9f7deaa95e979ddb3db7ff31b6065b5e736c4c024e61db693a0f22f072a94

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.zip

Filesize
22B

MD5
76cdb2bad9582d23c1f6f4d868218d6c

SHA1
b04f3ee8f5e43fa3b162981b50bb72fe1acabb33

SHA256
8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85

SHA512
5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.zip

Filesize
30KB

MD5
1c61a0bea9e93ef4507322dec3e31ac7

SHA1
3372e6a14c0791c7dcac30d84fd10e6fb20ec84b

SHA256
8c1b32ec88da792ec9c726b8fd6c87dbae564d05be8b7fff9ad0e1077cfb60cb

SHA512
4c82d1ec513fe0d47de083a9802b32cc1f14df86ccae49101d8b772c35f824e00cff327162e7148cb92a621ebd02149d1da53abc906fcdc6b36f7fe3155d894a

Download Submit
C:\backup.exe

Filesize
84KB

MD5
3b4347273ca3a2b780349c94b1d9eedc

SHA1
7c9b6896c154d4a81e637020c284f9f20f484cc9

SHA256
dcef148754a1983731b6b7dcbf7c9f8c8ccca3dc12cdb8a2b0c5dcd5dbfaf035

SHA512
a7cc2408bd7bbd106e4723e040deeec797c6e934b0fd1ffbc1c99579515a18c4f7d954953508e250389252acb90d9ccb92bc9d85ef55d02f4e581124b6175ad9

Download Submit
C:\backup.exe

Filesize
84KB

MD5
3b4347273ca3a2b780349c94b1d9eedc

SHA1
7c9b6896c154d4a81e637020c284f9f20f484cc9

SHA256
dcef148754a1983731b6b7dcbf7c9f8c8ccca3dc12cdb8a2b0c5dcd5dbfaf035

SHA512
a7cc2408bd7bbd106e4723e040deeec797c6e934b0fd1ffbc1c99579515a18c4f7d954953508e250389252acb90d9ccb92bc9d85ef55d02f4e581124b6175ad9

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
84KB

MD5
e048d3549d8bd72667e01122847806f9

SHA1
347fb304a2fec5672c1c3649ced834a63b5bc741

SHA256
009143a0cadfd66fae5fa28f434f68274ace054ff09268fe3ddb38a8e0065cbb

SHA512
2481226d736a8ac44ee2a2ae59fd9425b3dd3fc0cbea618673f1f00d140bc2037dfc90cf002bdf761386a090cfe835a4a72e57460c74307ae79bfa2618ed25fa

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
84KB

MD5
e048d3549d8bd72667e01122847806f9

SHA1
347fb304a2fec5672c1c3649ced834a63b5bc741

SHA256
009143a0cadfd66fae5fa28f434f68274ace054ff09268fe3ddb38a8e0065cbb

SHA512
2481226d736a8ac44ee2a2ae59fd9425b3dd3fc0cbea618673f1f00d140bc2037dfc90cf002bdf761386a090cfe835a4a72e57460c74307ae79bfa2618ed25fa

Download Submit
\PerfLogs\backup.exe

Filesize
84KB

MD5
9a64c4e03cda4e00796a90328fc83f83

SHA1
4bf5faf984e83af6ffb7f1d5d26f005a0902f399

SHA256
fe4e3b9852badb7d25b27600f167372a9ad146b27f4c9610d5542bc84df55ab4

SHA512
4103772970ec23bfa5b5be4f897af2435411d975cd5ae5923d2980ab38846ef9118ba4b8bfa19a532ed589c580b37fdf20709a296190dc5d3199abfabeee3a36

Download Submit
\PerfLogs\backup.exe

Filesize
84KB

MD5
9a64c4e03cda4e00796a90328fc83f83

SHA1
4bf5faf984e83af6ffb7f1d5d26f005a0902f399

SHA256
fe4e3b9852badb7d25b27600f167372a9ad146b27f4c9610d5542bc84df55ab4

SHA512
4103772970ec23bfa5b5be4f897af2435411d975cd5ae5923d2980ab38846ef9118ba4b8bfa19a532ed589c580b37fdf20709a296190dc5d3199abfabeee3a36

Download Submit
\Program Files\7-Zip\Lang\update.exe

Filesize
84KB

MD5
39404142cefd00b71a6138506ee74040

SHA1
6b21945316033ba04c98b6d3dd00ff71793cf5d0

SHA256
a28cda0e8ce3b6bf7ac542e6e3ce5dc7e1d2c9b31ec274d4bb80ad834362a9d4

SHA512
a01ae87983f578f469d72a3f0829179c9cdb052b51d57abd68535440a98cc83cd07c1ce6a975f76ba5ab0af50b1b2b1f1f7b267d10fa2cacee172bd98f236371

Download Submit
\Program Files\7-Zip\Lang\update.exe

Filesize
84KB

MD5
39404142cefd00b71a6138506ee74040

SHA1
6b21945316033ba04c98b6d3dd00ff71793cf5d0

SHA256
a28cda0e8ce3b6bf7ac542e6e3ce5dc7e1d2c9b31ec274d4bb80ad834362a9d4

SHA512
a01ae87983f578f469d72a3f0829179c9cdb052b51d57abd68535440a98cc83cd07c1ce6a975f76ba5ab0af50b1b2b1f1f7b267d10fa2cacee172bd98f236371

Download Submit
\Program Files\7-Zip\Lang\update.exe

Filesize
84KB

MD5
39404142cefd00b71a6138506ee74040

SHA1
6b21945316033ba04c98b6d3dd00ff71793cf5d0

SHA256
a28cda0e8ce3b6bf7ac542e6e3ce5dc7e1d2c9b31ec274d4bb80ad834362a9d4

SHA512
a01ae87983f578f469d72a3f0829179c9cdb052b51d57abd68535440a98cc83cd07c1ce6a975f76ba5ab0af50b1b2b1f1f7b267d10fa2cacee172bd98f236371

Download Submit
\Program Files\7-Zip\Lang\update.exe

Filesize
84KB

MD5
39404142cefd00b71a6138506ee74040

SHA1
6b21945316033ba04c98b6d3dd00ff71793cf5d0

SHA256
a28cda0e8ce3b6bf7ac542e6e3ce5dc7e1d2c9b31ec274d4bb80ad834362a9d4

SHA512
a01ae87983f578f469d72a3f0829179c9cdb052b51d57abd68535440a98cc83cd07c1ce6a975f76ba5ab0af50b1b2b1f1f7b267d10fa2cacee172bd98f236371

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
84KB

MD5
e23c63226ba8a11ef4b68660c7c83013

SHA1
b3124553349f91e333daa3189f190ef259f752f1

SHA256
93acca7247622ceb007c45969be5691d828a74be122f9a34e1a9367a0ab96d64

SHA512
aa936e733a1f6d8ff85d86edafb114da43da22a1f3680edd52bcd44639282b67af862cac03be0f48d85b30a78397399e14f61d434acff2082a4e8ec97c8b408e

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
84KB

MD5
e23c63226ba8a11ef4b68660c7c83013

SHA1
b3124553349f91e333daa3189f190ef259f752f1

SHA256
93acca7247622ceb007c45969be5691d828a74be122f9a34e1a9367a0ab96d64

SHA512
aa936e733a1f6d8ff85d86edafb114da43da22a1f3680edd52bcd44639282b67af862cac03be0f48d85b30a78397399e14f61d434acff2082a4e8ec97c8b408e

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
84KB

MD5
e23c63226ba8a11ef4b68660c7c83013

SHA1
b3124553349f91e333daa3189f190ef259f752f1

SHA256
93acca7247622ceb007c45969be5691d828a74be122f9a34e1a9367a0ab96d64

SHA512
aa936e733a1f6d8ff85d86edafb114da43da22a1f3680edd52bcd44639282b67af862cac03be0f48d85b30a78397399e14f61d434acff2082a4e8ec97c8b408e

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
84KB

MD5
e23c63226ba8a11ef4b68660c7c83013

SHA1
b3124553349f91e333daa3189f190ef259f752f1

SHA256
93acca7247622ceb007c45969be5691d828a74be122f9a34e1a9367a0ab96d64

SHA512
aa936e733a1f6d8ff85d86edafb114da43da22a1f3680edd52bcd44639282b67af862cac03be0f48d85b30a78397399e14f61d434acff2082a4e8ec97c8b408e

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
84KB

MD5
e23c63226ba8a11ef4b68660c7c83013

SHA1
b3124553349f91e333daa3189f190ef259f752f1

SHA256
93acca7247622ceb007c45969be5691d828a74be122f9a34e1a9367a0ab96d64

SHA512
aa936e733a1f6d8ff85d86edafb114da43da22a1f3680edd52bcd44639282b67af862cac03be0f48d85b30a78397399e14f61d434acff2082a4e8ec97c8b408e

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
84KB

MD5
d8bc1f7271f1034eb9e888360f09f868

SHA1
74b391180485a65c5773809e3951aeef9c2bec4a

SHA256
393cd42aac6ef485111ef4fa4a24308909610b408e374f3faeb1f30769ec17f0

SHA512
bb85b0381996cf2d3cc1460810253811f6cd49d5a75652905c1ab4b7e10b19860ac0ec423b7ad4917428dbc75eac29ee3e85b48ab06729f49631b5092e0c80fe

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
84KB

MD5
d8bc1f7271f1034eb9e888360f09f868

SHA1
74b391180485a65c5773809e3951aeef9c2bec4a

SHA256
393cd42aac6ef485111ef4fa4a24308909610b408e374f3faeb1f30769ec17f0

SHA512
bb85b0381996cf2d3cc1460810253811f6cd49d5a75652905c1ab4b7e10b19860ac0ec423b7ad4917428dbc75eac29ee3e85b48ab06729f49631b5092e0c80fe

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
84KB

MD5
d8bc1f7271f1034eb9e888360f09f868

SHA1
74b391180485a65c5773809e3951aeef9c2bec4a

SHA256
393cd42aac6ef485111ef4fa4a24308909610b408e374f3faeb1f30769ec17f0

SHA512
bb85b0381996cf2d3cc1460810253811f6cd49d5a75652905c1ab4b7e10b19860ac0ec423b7ad4917428dbc75eac29ee3e85b48ab06729f49631b5092e0c80fe

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
84KB

MD5
d8bc1f7271f1034eb9e888360f09f868

SHA1
74b391180485a65c5773809e3951aeef9c2bec4a

SHA256
393cd42aac6ef485111ef4fa4a24308909610b408e374f3faeb1f30769ec17f0

SHA512
bb85b0381996cf2d3cc1460810253811f6cd49d5a75652905c1ab4b7e10b19860ac0ec423b7ad4917428dbc75eac29ee3e85b48ab06729f49631b5092e0c80fe

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
84KB

MD5
d8bc1f7271f1034eb9e888360f09f868

SHA1
74b391180485a65c5773809e3951aeef9c2bec4a

SHA256
393cd42aac6ef485111ef4fa4a24308909610b408e374f3faeb1f30769ec17f0

SHA512
bb85b0381996cf2d3cc1460810253811f6cd49d5a75652905c1ab4b7e10b19860ac0ec423b7ad4917428dbc75eac29ee3e85b48ab06729f49631b5092e0c80fe

Download Submit
\Program Files\Common Files\backup.exe

Filesize
84KB

MD5
c1599e2b02780fd6721cc1e38f7f7d6a

SHA1
9d0ac4c06ee886b1291939d3edf13950fe40f737

SHA256
4f19dd829f45627df15cd43ed7627d92c8396d2deeedd325a1d69d8171e78992

SHA512
3069bef3c3a2be6f59fc5fa6f60e19f97684b6b24f60fd23174772eb82c86710158ad9ca6646fd1e3b4bb8daf8b7f492991df89e59a7f88ffb35738fb2155148

Download Submit
\Program Files\Common Files\backup.exe

Filesize
84KB

MD5
c1599e2b02780fd6721cc1e38f7f7d6a

SHA1
9d0ac4c06ee886b1291939d3edf13950fe40f737

SHA256
4f19dd829f45627df15cd43ed7627d92c8396d2deeedd325a1d69d8171e78992

SHA512
3069bef3c3a2be6f59fc5fa6f60e19f97684b6b24f60fd23174772eb82c86710158ad9ca6646fd1e3b4bb8daf8b7f492991df89e59a7f88ffb35738fb2155148

Download Submit
\Program Files\Common Files\backup.exe

Filesize
84KB

MD5
c1599e2b02780fd6721cc1e38f7f7d6a

SHA1
9d0ac4c06ee886b1291939d3edf13950fe40f737

SHA256
4f19dd829f45627df15cd43ed7627d92c8396d2deeedd325a1d69d8171e78992

SHA512
3069bef3c3a2be6f59fc5fa6f60e19f97684b6b24f60fd23174772eb82c86710158ad9ca6646fd1e3b4bb8daf8b7f492991df89e59a7f88ffb35738fb2155148

Download Submit
\Program Files\Common Files\backup.exe

Filesize
84KB

MD5
c1599e2b02780fd6721cc1e38f7f7d6a

SHA1
9d0ac4c06ee886b1291939d3edf13950fe40f737

SHA256
4f19dd829f45627df15cd43ed7627d92c8396d2deeedd325a1d69d8171e78992

SHA512
3069bef3c3a2be6f59fc5fa6f60e19f97684b6b24f60fd23174772eb82c86710158ad9ca6646fd1e3b4bb8daf8b7f492991df89e59a7f88ffb35738fb2155148

Download Submit
\Program Files\Common Files\backup.exe

Filesize
84KB

MD5
c1599e2b02780fd6721cc1e38f7f7d6a

SHA1
9d0ac4c06ee886b1291939d3edf13950fe40f737

SHA256
4f19dd829f45627df15cd43ed7627d92c8396d2deeedd325a1d69d8171e78992

SHA512
3069bef3c3a2be6f59fc5fa6f60e19f97684b6b24f60fd23174772eb82c86710158ad9ca6646fd1e3b4bb8daf8b7f492991df89e59a7f88ffb35738fb2155148

Download Submit
\Program Files\update.exe

Filesize
84KB

MD5
9a64c4e03cda4e00796a90328fc83f83

SHA1
4bf5faf984e83af6ffb7f1d5d26f005a0902f399

SHA256
fe4e3b9852badb7d25b27600f167372a9ad146b27f4c9610d5542bc84df55ab4

SHA512
4103772970ec23bfa5b5be4f897af2435411d975cd5ae5923d2980ab38846ef9118ba4b8bfa19a532ed589c580b37fdf20709a296190dc5d3199abfabeee3a36

Download Submit
\Program Files\update.exe

Filesize
84KB

MD5
9a64c4e03cda4e00796a90328fc83f83

SHA1
4bf5faf984e83af6ffb7f1d5d26f005a0902f399

SHA256
fe4e3b9852badb7d25b27600f167372a9ad146b27f4c9610d5542bc84df55ab4

SHA512
4103772970ec23bfa5b5be4f897af2435411d975cd5ae5923d2980ab38846ef9118ba4b8bfa19a532ed589c580b37fdf20709a296190dc5d3199abfabeee3a36

Download Submit
\Program Files\update.exe

Filesize
84KB

MD5
9a64c4e03cda4e00796a90328fc83f83

SHA1
4bf5faf984e83af6ffb7f1d5d26f005a0902f399

SHA256
fe4e3b9852badb7d25b27600f167372a9ad146b27f4c9610d5542bc84df55ab4

SHA512
4103772970ec23bfa5b5be4f897af2435411d975cd5ae5923d2980ab38846ef9118ba4b8bfa19a532ed589c580b37fdf20709a296190dc5d3199abfabeee3a36

Download Submit
\Program Files\update.exe

Filesize
84KB

MD5
9a64c4e03cda4e00796a90328fc83f83

SHA1
4bf5faf984e83af6ffb7f1d5d26f005a0902f399

SHA256
fe4e3b9852badb7d25b27600f167372a9ad146b27f4c9610d5542bc84df55ab4

SHA512
4103772970ec23bfa5b5be4f897af2435411d975cd5ae5923d2980ab38846ef9118ba4b8bfa19a532ed589c580b37fdf20709a296190dc5d3199abfabeee3a36

Download Submit
\Users\Admin\AppData\Local\Temp\98278740\backup.exe

Filesize
84KB

MD5
d23c9acfa5a04aca104dc6c42ce54e97

SHA1
b12a2d687ff66781841cb98aec972ded69ffb550

SHA256
e1d9faf50fd3232484bb30939218e3a26ba9aaeb71a0e8bf5f09316100e4755e

SHA512
56e11411f94f6bd96efe9e4293e4c7b5cee5e846ca69e0003f8e2f972e62611b04a9f7deaa95e979ddb3db7ff31b6065b5e736c4c024e61db693a0f22f072a94

Download Submit
\Users\Admin\AppData\Local\Temp\98278740\backup.exe

Filesize
84KB

MD5
d23c9acfa5a04aca104dc6c42ce54e97

SHA1
b12a2d687ff66781841cb98aec972ded69ffb550

SHA256
e1d9faf50fd3232484bb30939218e3a26ba9aaeb71a0e8bf5f09316100e4755e

SHA512
56e11411f94f6bd96efe9e4293e4c7b5cee5e846ca69e0003f8e2f972e62611b04a9f7deaa95e979ddb3db7ff31b6065b5e736c4c024e61db693a0f22f072a94

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
84KB

MD5
d23c9acfa5a04aca104dc6c42ce54e97

SHA1
b12a2d687ff66781841cb98aec972ded69ffb550

SHA256
e1d9faf50fd3232484bb30939218e3a26ba9aaeb71a0e8bf5f09316100e4755e

SHA512
56e11411f94f6bd96efe9e4293e4c7b5cee5e846ca69e0003f8e2f972e62611b04a9f7deaa95e979ddb3db7ff31b6065b5e736c4c024e61db693a0f22f072a94

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
84KB

MD5
d23c9acfa5a04aca104dc6c42ce54e97

SHA1
b12a2d687ff66781841cb98aec972ded69ffb550

SHA256
e1d9faf50fd3232484bb30939218e3a26ba9aaeb71a0e8bf5f09316100e4755e

SHA512
56e11411f94f6bd96efe9e4293e4c7b5cee5e846ca69e0003f8e2f972e62611b04a9f7deaa95e979ddb3db7ff31b6065b5e736c4c024e61db693a0f22f072a94

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
84KB

MD5
d23c9acfa5a04aca104dc6c42ce54e97

SHA1
b12a2d687ff66781841cb98aec972ded69ffb550

SHA256
e1d9faf50fd3232484bb30939218e3a26ba9aaeb71a0e8bf5f09316100e4755e

SHA512
56e11411f94f6bd96efe9e4293e4c7b5cee5e846ca69e0003f8e2f972e62611b04a9f7deaa95e979ddb3db7ff31b6065b5e736c4c024e61db693a0f22f072a94

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
84KB

MD5
d23c9acfa5a04aca104dc6c42ce54e97

SHA1
b12a2d687ff66781841cb98aec972ded69ffb550

SHA256
e1d9faf50fd3232484bb30939218e3a26ba9aaeb71a0e8bf5f09316100e4755e

SHA512
56e11411f94f6bd96efe9e4293e4c7b5cee5e846ca69e0003f8e2f972e62611b04a9f7deaa95e979ddb3db7ff31b6065b5e736c4c024e61db693a0f22f072a94

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
84KB

MD5
d23c9acfa5a04aca104dc6c42ce54e97

SHA1
b12a2d687ff66781841cb98aec972ded69ffb550

SHA256
e1d9faf50fd3232484bb30939218e3a26ba9aaeb71a0e8bf5f09316100e4755e

SHA512
56e11411f94f6bd96efe9e4293e4c7b5cee5e846ca69e0003f8e2f972e62611b04a9f7deaa95e979ddb3db7ff31b6065b5e736c4c024e61db693a0f22f072a94

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
84KB

MD5
d23c9acfa5a04aca104dc6c42ce54e97

SHA1
b12a2d687ff66781841cb98aec972ded69ffb550

SHA256
e1d9faf50fd3232484bb30939218e3a26ba9aaeb71a0e8bf5f09316100e4755e

SHA512
56e11411f94f6bd96efe9e4293e4c7b5cee5e846ca69e0003f8e2f972e62611b04a9f7deaa95e979ddb3db7ff31b6065b5e736c4c024e61db693a0f22f072a94

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
84KB

MD5
5a4a1dac1cecc6e7bef7cae6a6054aa6

SHA1
899ba25c5eb789c6dd283767313a59a21074bc5d

SHA256
47b32aaebd2e588e083d37702be06ef5a0a50c8dec0ddcbf167c7fecef9a8cb3

SHA512
b5ea2d12ace4e8225a3192e7344b160ef9258b4780987e767711c5050cee979897cee71ed80e971c0715ee6cbb763dc0cf502f2aad1d8579cbbc0d97d4b21226

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
84KB

MD5
5a4a1dac1cecc6e7bef7cae6a6054aa6

SHA1
899ba25c5eb789c6dd283767313a59a21074bc5d

SHA256
47b32aaebd2e588e083d37702be06ef5a0a50c8dec0ddcbf167c7fecef9a8cb3

SHA512
b5ea2d12ace4e8225a3192e7344b160ef9258b4780987e767711c5050cee979897cee71ed80e971c0715ee6cbb763dc0cf502f2aad1d8579cbbc0d97d4b21226

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
84KB

MD5
d23c9acfa5a04aca104dc6c42ce54e97

SHA1
b12a2d687ff66781841cb98aec972ded69ffb550

SHA256
e1d9faf50fd3232484bb30939218e3a26ba9aaeb71a0e8bf5f09316100e4755e

SHA512
56e11411f94f6bd96efe9e4293e4c7b5cee5e846ca69e0003f8e2f972e62611b04a9f7deaa95e979ddb3db7ff31b6065b5e736c4c024e61db693a0f22f072a94

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
84KB

MD5
d23c9acfa5a04aca104dc6c42ce54e97

SHA1
b12a2d687ff66781841cb98aec972ded69ffb550

SHA256
e1d9faf50fd3232484bb30939218e3a26ba9aaeb71a0e8bf5f09316100e4755e

SHA512
56e11411f94f6bd96efe9e4293e4c7b5cee5e846ca69e0003f8e2f972e62611b04a9f7deaa95e979ddb3db7ff31b6065b5e736c4c024e61db693a0f22f072a94

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
84KB

MD5
d23c9acfa5a04aca104dc6c42ce54e97

SHA1
b12a2d687ff66781841cb98aec972ded69ffb550

SHA256
e1d9faf50fd3232484bb30939218e3a26ba9aaeb71a0e8bf5f09316100e4755e

SHA512
56e11411f94f6bd96efe9e4293e4c7b5cee5e846ca69e0003f8e2f972e62611b04a9f7deaa95e979ddb3db7ff31b6065b5e736c4c024e61db693a0f22f072a94

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
84KB

MD5
d23c9acfa5a04aca104dc6c42ce54e97

SHA1
b12a2d687ff66781841cb98aec972ded69ffb550

SHA256
e1d9faf50fd3232484bb30939218e3a26ba9aaeb71a0e8bf5f09316100e4755e

SHA512
56e11411f94f6bd96efe9e4293e4c7b5cee5e846ca69e0003f8e2f972e62611b04a9f7deaa95e979ddb3db7ff31b6065b5e736c4c024e61db693a0f22f072a94

Download Submit
memory/652-89-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/656-284-0x0000000000230000-0x000000000024C000-memory.dmp

Filesize
112KB

Download
memory/656-258-0x0000000000230000-0x000000000024C000-memory.dmp

Filesize
112KB

Download
memory/656-259-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/656-286-0x0000000000860000-0x000000000087C000-memory.dmp

Filesize
112KB

Download
memory/656-267-0x0000000000860000-0x000000000087C000-memory.dmp

Filesize
112KB

Download
memory/928-252-0x00000000004A0000-0x00000000004BC000-memory.dmp

Filesize
112KB

Download
memory/928-228-0x0000000000020000-0x000000000003C000-memory.dmp

Filesize
112KB

Download
memory/928-188-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/928-196-0x0000000000020000-0x000000000003C000-memory.dmp

Filesize
112KB

Download
memory/928-203-0x00000000004A0000-0x00000000004BC000-memory.dmp

Filesize
112KB

Download
memory/928-212-0x00000000004A0000-0x00000000004BC000-memory.dmp

Filesize
112KB

Download
memory/928-155-0x0000000000020000-0x000000000003C000-memory.dmp

Filesize
112KB

Download
memory/928-173-0x00000000004A0000-0x00000000004BC000-memory.dmp

Filesize
112KB

Download
memory/1312-137-0x0000000000340000-0x000000000035C000-memory.dmp

Filesize
112KB

Download
memory/1312-135-0x0000000000340000-0x000000000035C000-memory.dmp

Filesize
112KB

Download
memory/1312-143-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1320-48-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1320-86-0x0000000000360000-0x000000000037C000-memory.dmp

Filesize
112KB

Download
memory/1320-93-0x0000000002790000-0x0000000002791000-memory.dmp

Filesize
4KB

Download
memory/1320-151-0x0000000002790000-0x0000000002791000-memory.dmp

Filesize
4KB

Download
memory/1320-11-0x0000000000360000-0x000000000037C000-memory.dmp

Filesize
112KB

Download
memory/1320-35-0x0000000000360000-0x000000000037C000-memory.dmp

Filesize
112KB

Download
memory/1320-37-0x0000000000360000-0x000000000037C000-memory.dmp

Filesize
112KB

Download
memory/1320-72-0x0000000000360000-0x000000000037C000-memory.dmp

Filesize
112KB

Download
memory/1320-130-0x0000000000360000-0x000000000037C000-memory.dmp

Filesize
112KB

Download
memory/1320-148-0x0000000000360000-0x000000000037C000-memory.dmp

Filesize
112KB

Download
memory/1320-84-0x0000000000360000-0x000000000037C000-memory.dmp

Filesize
112KB

Download
memory/1320-0-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1320-123-0x0000000000360000-0x000000000037C000-memory.dmp

Filesize
112KB

Download
memory/1772-278-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2112-247-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2156-270-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2172-265-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2172-283-0x0000000000430000-0x000000000044C000-memory.dmp

Filesize
112KB

Download
memory/2172-236-0x0000000000020000-0x000000000003C000-memory.dmp

Filesize
112KB

Download
memory/2172-238-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2172-234-0x0000000000020000-0x000000000003C000-memory.dmp

Filesize
112KB

Download
memory/2172-257-0x0000000000430000-0x000000000044C000-memory.dmp

Filesize
112KB

Download
memory/2196-255-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2196-211-0x0000000000020000-0x000000000003C000-memory.dmp

Filesize
112KB

Download
memory/2196-253-0x0000000000020000-0x000000000003C000-memory.dmp

Filesize
112KB

Download
memory/2196-209-0x0000000000020000-0x000000000003C000-memory.dmp

Filesize
112KB

Download
memory/2452-189-0x0000000000020000-0x000000000003C000-memory.dmp

Filesize
112KB

Download
memory/2452-191-0x0000000000020000-0x000000000003C000-memory.dmp

Filesize
112KB

Download
memory/2452-208-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2544-66-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2560-76-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2596-59-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2596-13-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2596-156-0x00000000004A0000-0x00000000004BC000-memory.dmp

Filesize
112KB

Download
memory/2620-39-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2620-79-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2736-140-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2736-142-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2852-202-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2852-177-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2852-175-0x0000000000020000-0x000000000003C000-memory.dmp

Filesize
112KB

Download
memory/2880-52-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2900-187-0x0000000000320000-0x000000000033C000-memory.dmp

Filesize
112KB

Download
memory/2900-150-0x0000000000320000-0x000000000033C000-memory.dmp

Filesize
112KB

Download
memory/2900-157-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2900-168-0x0000000000320000-0x000000000033C000-memory.dmp

Filesize
112KB

Download
memory/2972-28-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads