c2921c86414a41877b205c95e4687081a5c30950f50c2dfe985560bb7068a5ab

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
06/11/2023, 19:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.36049d9871582deade9f1164ced97740.exe
Size

176KB
MD5

36049d9871582deade9f1164ced97740
SHA1

d26d282d36ea36449950d6f0b8240f3ba1b5baaa
SHA256

c2921c86414a41877b205c95e4687081a5c30950f50c2dfe985560bb7068a5ab
SHA512

bf5e4c1ebabb898dd7d3b77e8a88766b6d78272cc7f4ffe4441dcf7b5273b56ade26a258f86c19048e8012b234f4d5aaca865ee7fc92660a034c0dd47435ac1b
SSDEEP

768:Ac/TbblFpQNwC3BEc4QEfu0Ei8XxNDI/vFaaz6JZ1Ssw63BEfb:x7bbl/eThavEjDUvFaaAXZL0b

Score

10^/10

evasion upx

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 43 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	NEAS.36049d9871582deade9f1164ced97740.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Executes dropped EXE 47 IoCs

pid	Process
2592	backup.exe
2712	backup.exe
2412	backup.exe
2660	backup.exe
2552	update.exe
2572	backup.exe
2476	backup.exe
268	backup.exe
2804	backup.exe
1096	backup.exe
2156	backup.exe
996	backup.exe
1056	backup.exe
1492	backup.exe
1376	backup.exe
2088	System Restore.exe
2148	backup.exe
1756	backup.exe
1204	backup.exe
2428	backup.exe
1400	backup.exe
2104	backup.exe
2916	backup.exe
2948	backup.exe
1936	backup.exe
1160	backup.exe
2336	backup.exe
1536	backup.exe
2608	backup.exe
3028	data.exe
2436	backup.exe
2500	backup.exe
3008	backup.exe
2840	backup.exe
1428	backup.exe
652	backup.exe
3020	backup.exe
2012	backup.exe
2016	data.exe
1912	backup.exe
1748	backup.exe
1668	backup.exe
1208	backup.exe
816	backup.exe
1908	update.exe
3036	data.exe
616	System Restore.exe

Loads dropped DLL 64 IoCs

pid	Process
2136	NEAS.36049d9871582deade9f1164ced97740.exe
2136	NEAS.36049d9871582deade9f1164ced97740.exe
2136	NEAS.36049d9871582deade9f1164ced97740.exe
2136	NEAS.36049d9871582deade9f1164ced97740.exe
2136	NEAS.36049d9871582deade9f1164ced97740.exe
2136	NEAS.36049d9871582deade9f1164ced97740.exe
2136	NEAS.36049d9871582deade9f1164ced97740.exe
2136	NEAS.36049d9871582deade9f1164ced97740.exe
2136	NEAS.36049d9871582deade9f1164ced97740.exe
2552	update.exe
2552	update.exe
2552	update.exe
2136	NEAS.36049d9871582deade9f1164ced97740.exe
2136	NEAS.36049d9871582deade9f1164ced97740.exe
2136	NEAS.36049d9871582deade9f1164ced97740.exe
2136	NEAS.36049d9871582deade9f1164ced97740.exe
2476	backup.exe
2476	backup.exe
2804	backup.exe
2804	backup.exe
2476	backup.exe
2476	backup.exe
2156	backup.exe
2156	backup.exe
996	backup.exe
996	backup.exe
2156	backup.exe
2156	backup.exe
1492	backup.exe
1492	backup.exe
1376	backup.exe
1376	backup.exe
2476	backup.exe
2476	backup.exe
2148	backup.exe
2148	backup.exe
1756	backup.exe
1756	backup.exe
2156	backup.exe
2156	backup.exe
1492	backup.exe
1492	backup.exe
1204	backup.exe
2428	backup.exe
1204	backup.exe
2428	backup.exe
1376	backup.exe
1376	backup.exe
1204	backup.exe
1204	backup.exe
2948	backup.exe
2948	backup.exe
1492	backup.exe
2428	backup.exe
1492	backup.exe
2428	backup.exe
2948	backup.exe
2948	backup.exe
1536	backup.exe
1536	backup.exe
2428	backup.exe
2428	backup.exe
1936	backup.exe
1936	backup.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2136-0-0x0000000000400000-0x000000000042C000-memory.dmp	upx
behavioral1/files/0x0030000000015c79-5.dat	upx
behavioral1/files/0x0030000000015c79-7.dat	upx
behavioral1/files/0x0030000000015c79-9.dat	upx
behavioral1/files/0x0030000000015c79-11.dat	upx
behavioral1/memory/2592-13-0x0000000000400000-0x000000000042C000-memory.dmp	upx
behavioral1/files/0x0007000000015db7-20.dat	upx
behavioral1/files/0x0007000000015db7-25.dat	upx
behavioral1/files/0x0007000000015db7-17.dat	upx
behavioral1/memory/2712-29-0x0000000000400000-0x000000000042C000-memory.dmp	upx
behavioral1/files/0x0007000000015f10-30.dat	upx
behavioral1/files/0x0007000000015f10-32.dat	upx
behavioral1/files/0x0007000000015f10-36.dat	upx
behavioral1/files/0x0009000000015e7c-40.dat	upx
behavioral1/memory/2136-47-0x0000000000400000-0x000000000042C000-memory.dmp	upx
behavioral1/files/0x0009000000015e7c-46.dat	upx
behavioral1/files/0x0009000000015e7c-42.dat	upx
behavioral1/memory/2660-53-0x0000000000400000-0x000000000042C000-memory.dmp	upx
behavioral1/files/0x000700000001608c-54.dat	upx
behavioral1/files/0x000700000001608c-57.dat	upx
behavioral1/files/0x000700000001608c-59.dat	upx
behavioral1/memory/2592-58-0x0000000000400000-0x000000000042C000-memory.dmp	upx
behavioral1/files/0x000700000001608c-60.dat	upx
behavioral1/files/0x000700000001608c-62.dat	upx
behavioral1/files/0x000700000001608c-61.dat	upx
behavioral1/memory/2552-74-0x0000000000400000-0x000000000042C000-memory.dmp	upx
behavioral1/files/0x000800000001656d-73.dat	upx
behavioral1/files/0x000800000001656d-69.dat	upx
behavioral1/files/0x000800000001656d-66.dat	upx
behavioral1/files/0x0030000000015c79-78.dat	upx
behavioral1/files/0x000a000000015fea-89.dat	upx
behavioral1/files/0x000a000000015fea-94.dat	upx
behavioral1/files/0x0007000000016803-93.dat	upx
behavioral1/memory/2572-86-0x0000000000400000-0x000000000042C000-memory.dmp	upx
behavioral1/memory/2412-85-0x0000000000400000-0x000000000042C000-memory.dmp	upx
behavioral1/files/0x000a000000015fea-87.dat	upx
behavioral1/files/0x0007000000016803-100.dat	upx
behavioral1/files/0x0006000000016c1b-102.dat	upx
behavioral1/files/0x0006000000016c1b-104.dat	upx
behavioral1/files/0x0006000000016c1b-108.dat	upx
behavioral1/memory/268-112-0x0000000000400000-0x000000000042C000-memory.dmp	upx
behavioral1/files/0x0006000000016c1b-114.dat	upx
behavioral1/files/0x0006000000016c8e-116.dat	upx
behavioral1/files/0x0006000000016c8e-118.dat	upx
behavioral1/files/0x0006000000016c8e-122.dat	upx
behavioral1/memory/2804-123-0x00000000005D0000-0x00000000005FC000-memory.dmp	upx
behavioral1/memory/2804-129-0x0000000000400000-0x000000000042C000-memory.dmp	upx
behavioral1/files/0x0006000000016ccd-136.dat	upx
behavioral1/memory/2476-137-0x0000000000300000-0x000000000032C000-memory.dmp	upx
behavioral1/files/0x0006000000016ccd-132.dat	upx
behavioral1/files/0x0006000000016ccd-130.dat	upx
behavioral1/memory/1096-128-0x0000000000400000-0x000000000042C000-memory.dmp	upx
behavioral1/files/0x0006000000016ccd-144.dat	upx
behavioral1/files/0x0007000000016cbc-146.dat	upx
behavioral1/files/0x0007000000016cbc-148.dat	upx
behavioral1/files/0x0007000000016cbc-153.dat	upx
behavioral1/files/0x0006000000016ce9-171.dat	upx
behavioral1/memory/2476-177-0x0000000000300000-0x000000000032C000-memory.dmp	upx
behavioral1/files/0x0006000000016ce9-178.dat	upx
behavioral1/files/0x0006000000016ce9-173.dat	upx
behavioral1/memory/1056-182-0x0000000000400000-0x000000000042C000-memory.dmp	upx
behavioral1/files/0x0007000000016cbc-162.dat	upx
behavioral1/memory/2476-157-0x0000000000400000-0x000000000042C000-memory.dmp	upx
behavioral1/memory/1056-184-0x0000000000400000-0x000000000042C000-memory.dmp	upx

Drops file in Program Files directory 38 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\Lang\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\data.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\en-US\update.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\System Restore.exe	data.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\ja-JP\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Filters\System Restore.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Services\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\data.exe	backup.exe
File opened for modification	C:\Program Files (x86)\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2136	NEAS.36049d9871582deade9f1164ced97740.exe

Suspicious use of SetWindowsHookEx 44 IoCs

pid	Process
2136	NEAS.36049d9871582deade9f1164ced97740.exe
2592	backup.exe
2712	backup.exe
2412	backup.exe
2660	backup.exe
2552	update.exe
2572	backup.exe
2476	backup.exe
268	backup.exe
2804	backup.exe
1096	backup.exe
2156	backup.exe
996	backup.exe
1056	backup.exe
1492	backup.exe
1376	backup.exe
2148	backup.exe
1756	backup.exe
1204	backup.exe
2428	backup.exe
1400	backup.exe
2104	backup.exe
2948	backup.exe
2916	backup.exe
1936	backup.exe
1160	backup.exe
2336	backup.exe
1536	backup.exe
2608	backup.exe
3028	data.exe
2436	backup.exe
2500	backup.exe
3008	backup.exe
652	backup.exe
3020	backup.exe
1428	backup.exe
2840	backup.exe
1912	backup.exe
2016	data.exe
2012	backup.exe
1748	backup.exe
1208	backup.exe
1668	backup.exe
816	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2136 wrote to memory of 2592	2136	NEAS.36049d9871582deade9f1164ced97740.exe	28
PID 2136 wrote to memory of 2592	2136	NEAS.36049d9871582deade9f1164ced97740.exe	28
PID 2136 wrote to memory of 2592	2136	NEAS.36049d9871582deade9f1164ced97740.exe	28
PID 2136 wrote to memory of 2592	2136	NEAS.36049d9871582deade9f1164ced97740.exe	28
PID 2136 wrote to memory of 2712	2136	NEAS.36049d9871582deade9f1164ced97740.exe	29
PID 2136 wrote to memory of 2712	2136	NEAS.36049d9871582deade9f1164ced97740.exe	29
PID 2136 wrote to memory of 2712	2136	NEAS.36049d9871582deade9f1164ced97740.exe	29
PID 2136 wrote to memory of 2712	2136	NEAS.36049d9871582deade9f1164ced97740.exe	29
PID 2136 wrote to memory of 2412	2136	NEAS.36049d9871582deade9f1164ced97740.exe	30
PID 2136 wrote to memory of 2412	2136	NEAS.36049d9871582deade9f1164ced97740.exe	30
PID 2136 wrote to memory of 2412	2136	NEAS.36049d9871582deade9f1164ced97740.exe	30
PID 2136 wrote to memory of 2412	2136	NEAS.36049d9871582deade9f1164ced97740.exe	30
PID 2136 wrote to memory of 2660	2136	NEAS.36049d9871582deade9f1164ced97740.exe	31
PID 2136 wrote to memory of 2660	2136	NEAS.36049d9871582deade9f1164ced97740.exe	31
PID 2136 wrote to memory of 2660	2136	NEAS.36049d9871582deade9f1164ced97740.exe	31
PID 2136 wrote to memory of 2660	2136	NEAS.36049d9871582deade9f1164ced97740.exe	31
PID 2136 wrote to memory of 2552	2136	NEAS.36049d9871582deade9f1164ced97740.exe	32
PID 2136 wrote to memory of 2552	2136	NEAS.36049d9871582deade9f1164ced97740.exe	32
PID 2136 wrote to memory of 2552	2136	NEAS.36049d9871582deade9f1164ced97740.exe	32
PID 2136 wrote to memory of 2552	2136	NEAS.36049d9871582deade9f1164ced97740.exe	32
PID 2136 wrote to memory of 2552	2136	NEAS.36049d9871582deade9f1164ced97740.exe	32
PID 2136 wrote to memory of 2552	2136	NEAS.36049d9871582deade9f1164ced97740.exe	32
PID 2136 wrote to memory of 2552	2136	NEAS.36049d9871582deade9f1164ced97740.exe	32
PID 2136 wrote to memory of 2572	2136	NEAS.36049d9871582deade9f1164ced97740.exe	33
PID 2136 wrote to memory of 2572	2136	NEAS.36049d9871582deade9f1164ced97740.exe	33
PID 2136 wrote to memory of 2572	2136	NEAS.36049d9871582deade9f1164ced97740.exe	33
PID 2136 wrote to memory of 2572	2136	NEAS.36049d9871582deade9f1164ced97740.exe	33
PID 2592 wrote to memory of 2476	2592	backup.exe	34
PID 2592 wrote to memory of 2476	2592	backup.exe	34
PID 2592 wrote to memory of 2476	2592	backup.exe	34
PID 2592 wrote to memory of 2476	2592	backup.exe	34
PID 2136 wrote to memory of 268	2136	NEAS.36049d9871582deade9f1164ced97740.exe	35
PID 2136 wrote to memory of 268	2136	NEAS.36049d9871582deade9f1164ced97740.exe	35
PID 2136 wrote to memory of 268	2136	NEAS.36049d9871582deade9f1164ced97740.exe	35
PID 2136 wrote to memory of 268	2136	NEAS.36049d9871582deade9f1164ced97740.exe	35
PID 2476 wrote to memory of 2804	2476	backup.exe	36
PID 2476 wrote to memory of 2804	2476	backup.exe	36
PID 2476 wrote to memory of 2804	2476	backup.exe	36
PID 2476 wrote to memory of 2804	2476	backup.exe	36
PID 2804 wrote to memory of 1096	2804	backup.exe	37
PID 2804 wrote to memory of 1096	2804	backup.exe	37
PID 2804 wrote to memory of 1096	2804	backup.exe	37
PID 2804 wrote to memory of 1096	2804	backup.exe	37
PID 2476 wrote to memory of 2156	2476	backup.exe	38
PID 2476 wrote to memory of 2156	2476	backup.exe	38
PID 2476 wrote to memory of 2156	2476	backup.exe	38
PID 2476 wrote to memory of 2156	2476	backup.exe	38
PID 2156 wrote to memory of 996	2156	backup.exe	39
PID 2156 wrote to memory of 996	2156	backup.exe	39
PID 2156 wrote to memory of 996	2156	backup.exe	39
PID 2156 wrote to memory of 996	2156	backup.exe	39
PID 996 wrote to memory of 1056	996	backup.exe	40
PID 996 wrote to memory of 1056	996	backup.exe	40
PID 996 wrote to memory of 1056	996	backup.exe	40
PID 996 wrote to memory of 1056	996	backup.exe	40
PID 2156 wrote to memory of 1492	2156	backup.exe	41
PID 2156 wrote to memory of 1492	2156	backup.exe	41
PID 2156 wrote to memory of 1492	2156	backup.exe	41
PID 2156 wrote to memory of 1492	2156	backup.exe	41
PID 1492 wrote to memory of 1376	1492	backup.exe	42
PID 1492 wrote to memory of 1376	1492	backup.exe	42
PID 1492 wrote to memory of 1376	1492	backup.exe	42
PID 1492 wrote to memory of 1376	1492	backup.exe	42
PID 1376 wrote to memory of 2088	1376	backup.exe	43

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.36049d9871582deade9f1164ced97740.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.36049d9871582deade9f1164ced97740.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2136
- C:\Users\Admin\AppData\Local\Temp\2030295200\backup.exe
  C:\Users\Admin\AppData\Local\Temp\2030295200\backup.exe C:\Users\Admin\AppData\Local\Temp\2030295200\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2592
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2476
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2804
    - - C:\PerfLogs\Admin\backup.exe
        
        C:\PerfLogs\Admin\backup.exe C:\PerfLogs\Admin\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1096
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2156
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:996
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1056
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1492
      - C:\Program Files\Common Files\Microsoft Shared\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\backup.exe" C:\Program Files\Common Files\Microsoft Shared\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1376
        
        C:\Program Files\Common Files\Microsoft Shared\Filters\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Filters\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
        7⤵
        Executes dropped EXE
        
        PID:2088
        
        C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2948
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1160
        
        C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2608
        
        C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3008
        
        C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1428
        
        C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2016
        
        C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1208
        
        C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
        8⤵
        
        PID:2396
        
        C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
        8⤵
        
        PID:1512
        
        C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
        8⤵
        
        PID:3032
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\
        8⤵
        
        PID:2492
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\
        8⤵
        
        PID:2784
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\
        8⤵
        
        PID:1188
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\
        9⤵
        
        PID:2904
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\
        9⤵
        
        PID:1556
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\
        9⤵
        
        PID:2164
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\
        9⤵
        
        PID:1820
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\
        9⤵
        
        PID:2600
        
        C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\
        8⤵
        
        PID:3048
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\
        8⤵
        
        PID:652
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\
        8⤵
        
        PID:2468
        
        C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\
        8⤵
        
        PID:2656
        
        C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\
        8⤵
        
        PID:1996
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\
        8⤵
        
        PID:2188
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\
        8⤵
        
        PID:1148
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
        7⤵
        
        PID:860
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\
        8⤵
        
        PID:2028
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\
        8⤵
        
        PID:1668
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\
        8⤵
        
        PID:2208
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\
        8⤵
        
        PID:1880
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\
        8⤵
        
        PID:1568
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\
        8⤵
        
        PID:1696
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
        7⤵
        
        PID:2976
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\
        8⤵
        
        PID:2116
        
        C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
        7⤵
        
        PID:1640
        
        C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:816
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\
        7⤵
        
        PID:2232
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\
        7⤵
        
        PID:1924
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\
        8⤵
        
        PID:2980
        
        C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VC\
        7⤵
        
        PID:1128
        
        C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VGX\
        7⤵
        
        PID:964
        
        C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\
        7⤵
        
        PID:2268
        
        C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\
        8⤵
        
        PID:2500
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1400
      - C:\Program Files\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\backup.exe" C:\Program Files\Common Files\SpeechEngines\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1536
        
        C:\Program Files\Common Files\SpeechEngines\Microsoft\data.exe
        
        "C:\Program Files\Common Files\SpeechEngines\Microsoft\data.exe" C:\Program Files\Common Files\SpeechEngines\Microsoft\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3028
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2840
        
        C:\Program Files\Common Files\System\ado\backup.exe
        
        "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1912
        
        C:\Program Files\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1668
        
        C:\Program Files\Common Files\System\ado\en-US\update.exe
        
        "C:\Program Files\Common Files\System\ado\en-US\update.exe" C:\Program Files\Common Files\System\ado\en-US\
        8⤵
        Executes dropped EXE
        
        PID:1908
        
        C:\Program Files\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
        8⤵
        
        PID:2140
        
        C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
        8⤵
        
        PID:1596
        
        C:\Program Files\Common Files\System\ado\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\
        8⤵
        
        PID:2532
        
        C:\Program Files\Common Files\System\ado\ja-JP\System Restore.exe
        
        "C:\Program Files\Common Files\System\ado\ja-JP\System Restore.exe" C:\Program Files\Common Files\System\ado\ja-JP\
        8⤵
        
        PID:2844
        
        C:\Program Files\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        
        PID:848
        
        C:\Program Files\Common Files\System\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        
        PID:1732
        
        C:\Program Files\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
        7⤵
        
        PID:2096
        
        C:\Program Files\Common Files\System\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\fr-FR\backup.exe" C:\Program Files\Common Files\System\fr-FR\
        7⤵
        
        PID:2032
        
        C:\Program Files\Common Files\System\it-IT\data.exe
        
        "C:\Program Files\Common Files\System\it-IT\data.exe" C:\Program Files\Common Files\System\it-IT\
        7⤵
        
        PID:2664
        
        C:\Program Files\Common Files\System\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ja-JP\backup.exe" C:\Program Files\Common Files\System\ja-JP\
        7⤵
        
        PID:2016
        
        C:\Program Files\Common Files\System\msadc\update.exe
        
        "C:\Program Files\Common Files\System\msadc\update.exe" C:\Program Files\Common Files\System\msadc\
        7⤵
        
        PID:2348
        
        C:\Program Files\Common Files\System\Ole DB\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\backup.exe" C:\Program Files\Common Files\System\Ole DB\
        7⤵
        
        PID:2400
    - - C:\Program Files\DVD Maker\backup.exe
        
        "C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2428
      - C:\Program Files\DVD Maker\de-DE\backup.exe
        
        "C:\Program Files\DVD Maker\de-DE\backup.exe" C:\Program Files\DVD Maker\de-DE\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2916
      - C:\Program Files\DVD Maker\en-US\backup.exe
        
        "C:\Program Files\DVD Maker\en-US\backup.exe" C:\Program Files\DVD Maker\en-US\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2336
      - C:\Program Files\DVD Maker\es-ES\backup.exe
        
        "C:\Program Files\DVD Maker\es-ES\backup.exe" C:\Program Files\DVD Maker\es-ES\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2436
      - C:\Program Files\DVD Maker\fr-FR\backup.exe
        
        "C:\Program Files\DVD Maker\fr-FR\backup.exe" C:\Program Files\DVD Maker\fr-FR\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3020
      - C:\Program Files\DVD Maker\it-IT\backup.exe
        
        "C:\Program Files\DVD Maker\it-IT\backup.exe" C:\Program Files\DVD Maker\it-IT\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1748
      - C:\Program Files\DVD Maker\ja-JP\System Restore.exe
        
        "C:\Program Files\DVD Maker\ja-JP\System Restore.exe" C:\Program Files\DVD Maker\ja-JP\
        6⤵
        Executes dropped EXE
        
        PID:616
      - C:\Program Files\DVD Maker\Shared\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\backup.exe" C:\Program Files\DVD Maker\Shared\
        6⤵
        
        PID:1676
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\
        7⤵
        
        PID:1984
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        
        PID:2260
      - C:\Program Files\Google\Chrome\backup.exe
        
        "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
        6⤵
        
        PID:1588
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        
        PID:2964
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        
        PID:1652
    - - C:\Program Files\Microsoft Games\backup.exe
        
        "C:\Program Files\Microsoft Games\backup.exe" C:\Program Files\Microsoft Games\
        5⤵
        
        PID:1864
      - C:\Program Files\Microsoft Games\Chess\backup.exe
        
        "C:\Program Files\Microsoft Games\Chess\backup.exe" C:\Program Files\Microsoft Games\Chess\
        6⤵
        
        PID:760
      - C:\Program Files\Microsoft Games\FreeCell\backup.exe
        
        "C:\Program Files\Microsoft Games\FreeCell\backup.exe" C:\Program Files\Microsoft Games\FreeCell\
        6⤵
        
        PID:2528
      - C:\Program Files\Microsoft Games\Hearts\backup.exe
        
        "C:\Program Files\Microsoft Games\Hearts\backup.exe" C:\Program Files\Microsoft Games\Hearts\
        6⤵
        
        PID:1600
      - C:\Program Files\Microsoft Games\Mahjong\backup.exe
        
        "C:\Program Files\Microsoft Games\Mahjong\backup.exe" C:\Program Files\Microsoft Games\Mahjong\
        6⤵
        
        PID:2216
    - - C:\Program Files\Microsoft Office\backup.exe
        
        "C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
        5⤵
        
        PID:1452
    - - C:\Program Files\Mozilla Firefox\update.exe
        
        "C:\Program Files\Mozilla Firefox\update.exe" C:\Program Files\Mozilla Firefox\
        5⤵
        
        PID:2576
    - - C:\Program Files\MSBuild\update.exe
        
        "C:\Program Files\MSBuild\update.exe" C:\Program Files\MSBuild\
        5⤵
        
        PID:732
    - - C:\Program Files\Reference Assemblies\backup.exe
        
        "C:\Program Files\Reference Assemblies\backup.exe" C:\Program Files\Reference Assemblies\
        5⤵
        
        PID:1712
    - - C:\Program Files\VideoLAN\System Restore.exe
        
        "C:\Program Files\VideoLAN\System Restore.exe" C:\Program Files\VideoLAN\
        5⤵
        
        PID:2312
    - - C:\Program Files\Windows Defender\backup.exe
        
        "C:\Program Files\Windows Defender\backup.exe" C:\Program Files\Windows Defender\
        5⤵
        
        PID:2056
    - - C:\Program Files\Windows Journal\backup.exe
        
        "C:\Program Files\Windows Journal\backup.exe" C:\Program Files\Windows Journal\
        5⤵
        
        PID:1648
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:2148
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1756
      - C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1204
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2104
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1936
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2500
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:652
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2012
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:816
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\
        9⤵
        
        PID:3036
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\
        8⤵
        
        PID:2132
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\
        8⤵
        
        PID:2748
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\
        8⤵
        
        PID:1144
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\
        8⤵
        
        PID:1044
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\
        8⤵
        
        PID:2460
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\
        8⤵
        
        PID:2512
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\
        8⤵
        
        PID:1592
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\
        7⤵
        
        PID:2108
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\
        7⤵
        
        PID:2632
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        
        PID:2988
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        
        PID:2640
      - C:\Program Files (x86)\Google\CrashReports\backup.exe
        
        "C:\Program Files (x86)\Google\CrashReports\backup.exe" C:\Program Files (x86)\Google\CrashReports\
        6⤵
        
        PID:2276
      - C:\Program Files (x86)\Google\Temp\System Restore.exe
        
        "C:\Program Files (x86)\Google\Temp\System Restore.exe" C:\Program Files (x86)\Google\Temp\
        6⤵
        
        PID:1028
      - C:\Program Files (x86)\Google\Update\backup.exe
        
        "C:\Program Files (x86)\Google\Update\backup.exe" C:\Program Files (x86)\Google\Update\
        6⤵
        
        PID:1512
        
        C:\Program Files (x86)\Google\Update\1.3.36.151\backup.exe
        
        "C:\Program Files (x86)\Google\Update\1.3.36.151\backup.exe" C:\Program Files (x86)\Google\Update\1.3.36.151\
        7⤵
        
        PID:1900
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        
        PID:1636
      - C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe" C:\Program Files (x86)\Internet Explorer\de-DE\
        6⤵
        
        PID:1096
      - C:\Program Files (x86)\Internet Explorer\en-US\data.exe
        
        "C:\Program Files (x86)\Internet Explorer\en-US\data.exe" C:\Program Files (x86)\Internet Explorer\en-US\
        6⤵
        
        PID:1908
      - C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe" C:\Program Files (x86)\Internet Explorer\es-ES\
        6⤵
        
        PID:2744
      - C:\Program Files (x86)\Internet Explorer\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\fr-FR\backup.exe" C:\Program Files (x86)\Internet Explorer\fr-FR\
        6⤵
        
        PID:2596
      - C:\Program Files (x86)\Internet Explorer\it-IT\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\it-IT\backup.exe" C:\Program Files (x86)\Internet Explorer\it-IT\
        6⤵
        
        PID:1140
      - C:\Program Files (x86)\Internet Explorer\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\ja-JP\backup.exe" C:\Program Files (x86)\Internet Explorer\ja-JP\
        6⤵
        
        PID:2816
    - - C:\Program Files (x86)\Microsoft Analysis Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\
        5⤵
        
        PID:436
      - C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\backup.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\
        6⤵
        
        PID:2076
    - - C:\Program Files (x86)\Microsoft Office\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\backup.exe" C:\Program Files (x86)\Microsoft Office\
        5⤵
        
        PID:892
      - C:\Program Files (x86)\Microsoft Office\CLIPART\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\CLIPART\backup.exe" C:\Program Files (x86)\Microsoft Office\CLIPART\
        6⤵
        
        PID:540
      - C:\Program Files (x86)\Microsoft Office\Document Themes 14\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Document Themes 14\backup.exe" C:\Program Files (x86)\Microsoft Office\Document Themes 14\
        6⤵
        
        PID:1536
      - C:\Program Files (x86)\Microsoft Office\MEDIA\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\MEDIA\backup.exe" C:\Program Files (x86)\Microsoft Office\MEDIA\
        6⤵
        
        PID:2136
      - C:\Program Files (x86)\Microsoft Office\Office14\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\
        6⤵
        
        PID:2616
    - - C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\
        5⤵
        
        PID:2496
      - C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\backup.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\backup.exe" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\
        6⤵
        
        PID:1104
    - - C:\Program Files (x86)\Microsoft Sync Framework\backup.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\backup.exe" C:\Program Files (x86)\Microsoft Sync Framework\
        5⤵
        
        PID:1172
      - C:\Program Files (x86)\Microsoft Sync Framework\v1.0\backup.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\v1.0\backup.exe" C:\Program Files (x86)\Microsoft Sync Framework\v1.0\
        6⤵
        
        PID:2380
    - - C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe" C:\Program Files (x86)\Microsoft Synchronization Services\
        5⤵
        
        PID:940
    - - C:\Program Files (x86)\Microsoft Visual Studio 8\backup.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\backup.exe" C:\Program Files (x86)\Microsoft Visual Studio 8\
        5⤵
        
        PID:1960
    - - C:\Program Files (x86)\Microsoft.NET\backup.exe
        
        "C:\Program Files (x86)\Microsoft.NET\backup.exe" C:\Program Files (x86)\Microsoft.NET\
        5⤵
        
        PID:1964
    - - C:\Program Files (x86)\Mozilla Maintenance Service\backup.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\backup.exe" C:\Program Files (x86)\Mozilla Maintenance Service\
        5⤵
        
        PID:2956
  - - C:\Users\System Restore.exe
      "C:\Users\System Restore.exe" C:\Users\
      4⤵
      PID:1368
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        
        PID:1160
      - C:\Users\Admin\Contacts\data.exe
        
        C:\Users\Admin\Contacts\data.exe C:\Users\Admin\Contacts\
        6⤵
        Executes dropped EXE
        
        PID:3036
      - C:\Users\Admin\Desktop\backup.exe
        
        C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
        6⤵
        
        PID:2064
      - C:\Users\Admin\Documents\backup.exe
        
        C:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\
        6⤵
        
        PID:3008
      - C:\Users\Admin\Downloads\data.exe
        
        C:\Users\Admin\Downloads\data.exe C:\Users\Admin\Downloads\
        6⤵
        
        PID:1708
      - C:\Users\Admin\Favorites\backup.exe
        
        C:\Users\Admin\Favorites\backup.exe C:\Users\Admin\Favorites\
        6⤵
        
        PID:1688
      - C:\Users\Admin\Links\backup.exe
        
        C:\Users\Admin\Links\backup.exe C:\Users\Admin\Links\
        6⤵
        
        PID:2700
      - C:\Users\Admin\Music\backup.exe
        
        C:\Users\Admin\Music\backup.exe C:\Users\Admin\Music\
        6⤵
        
        PID:1300
      - C:\Users\Admin\Pictures\backup.exe
        
        C:\Users\Admin\Pictures\backup.exe C:\Users\Admin\Pictures\
        6⤵
        
        PID:2612
    - - C:\Users\Public\backup.exe
        
        C:\Users\Public\backup.exe C:\Users\Public\
        5⤵
        
        PID:912
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      PID:2756
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2712
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2412
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2660
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\update.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\update.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2552
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2572
- C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
  C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\backup.exe

Filesize
176KB

MD5
6a4469978a420e5dc0c4691602a01c4c

SHA1
c3f463c167bd748542afdf85384acea8973f9516

SHA256
cfa83bc5770e85d564ff756ede8a87d776d6353a994d59bf1f3384efd5bf8ea6

SHA512
0047f3e0adcbce62d8ef617a2e39b88c1e169fc582786f562f140c5296954aa1ff5a3ab0fbf0d32a96ec7ac5f151ef233a7d8b00884d958662419010e11fd872

Download Submit
C:\PerfLogs\backup.exe

Filesize
176KB

MD5
83f22b0ba88facfc800a39ba1a02b4f4

SHA1
b363ff3a74eb4fec1c1bbaa9afd1ca4348fe919f

SHA256
6db23acb75e47ad5249ce1ffc1d50b5bbd6e4bdf0da3833b027dfdc4f3c94c0d

SHA512
96ab168fdf3ae530d0187b613d92ad51fbd1b452bf43108a956ac0dd976375dcb63f85a218ad228c80d1354674db03246d48bf5fe838fd22fc68c63f3e419a30

Download Submit
C:\PerfLogs\backup.exe

Filesize
176KB

MD5
83f22b0ba88facfc800a39ba1a02b4f4

SHA1
b363ff3a74eb4fec1c1bbaa9afd1ca4348fe919f

SHA256
6db23acb75e47ad5249ce1ffc1d50b5bbd6e4bdf0da3833b027dfdc4f3c94c0d

SHA512
96ab168fdf3ae530d0187b613d92ad51fbd1b452bf43108a956ac0dd976375dcb63f85a218ad228c80d1354674db03246d48bf5fe838fd22fc68c63f3e419a30

Download Submit
C:\Program Files (x86)\Adobe\backup.exe

Filesize
176KB

MD5
096de3b5584bc5168c6dc94504db372b

SHA1
5c8659a82b082f59ea389b882f28db7cc7609dbf

SHA256
cb670cd476b16ab881c5a404e1dd9f6f9b47c0db1aa2ea7b0816f68baba8510c

SHA512
93ca2cca84af2550304efdd3e8704197155fc4f746bad3a8614c4e013cc59b7b4ac4ff6b8f3af483cf284a6dae19b849af1ddf75c35b7f4ab347685b606efb1b

Download Submit
C:\Program Files (x86)\Adobe\backup.exe

Filesize
176KB

MD5
096de3b5584bc5168c6dc94504db372b

SHA1
5c8659a82b082f59ea389b882f28db7cc7609dbf

SHA256
cb670cd476b16ab881c5a404e1dd9f6f9b47c0db1aa2ea7b0816f68baba8510c

SHA512
93ca2cca84af2550304efdd3e8704197155fc4f746bad3a8614c4e013cc59b7b4ac4ff6b8f3af483cf284a6dae19b849af1ddf75c35b7f4ab347685b606efb1b

Download Submit
C:\Program Files (x86)\backup.exe

Filesize
176KB

MD5
83f7ca0ef93ba0bdbcbe8f770d9f4898

SHA1
c4063af3b4372306d43743c07a74e958685085e3

SHA256
fa64b1e2a06e342adafd3cb5851d2ead8afd194206f67819c9b366616caafbd5

SHA512
9d644aacc237adb16cc47661fd4d8f07adb37b156b51d0b51b1f37be3fba7eee4c2fad05db99565635b2a3f94f756cd6e16e933a605de4d6876520a034d66db8

Download Submit
C:\Program Files (x86)\backup.exe

Filesize
176KB

MD5
83f7ca0ef93ba0bdbcbe8f770d9f4898

SHA1
c4063af3b4372306d43743c07a74e958685085e3

SHA256
fa64b1e2a06e342adafd3cb5851d2ead8afd194206f67819c9b366616caafbd5

SHA512
9d644aacc237adb16cc47661fd4d8f07adb37b156b51d0b51b1f37be3fba7eee4c2fad05db99565635b2a3f94f756cd6e16e933a605de4d6876520a034d66db8

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
176KB

MD5
ae890ec7ad6e0168313ba7d4f53cedef

SHA1
0f68cd9fa27e8c240e96aad025c6a21eb50d639e

SHA256
e455e9ffc2d463a4f70492a982bebe9fbdccac795a6577f865ccbbcc9b06968d

SHA512
5944798f258a88820a42c446383cbc6a0e29c8ac70f9a4dd810d19c24719d8bffc9745730f795effbb07869f63102457f41def5201ed76b06425ec1705e5afa7

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
176KB

MD5
85a77742425db62b92fa1b99b8f6e07c

SHA1
29b9a2ac86bba313f4dcaf54237b540a7c046287

SHA256
66c48dea33fc4c123d1843ee7652632119d7dd444221a70f57bac54f8cbe30c5

SHA512
e1e55fd87c3981456c473ed76fc452254ca7eb56e75569a570ded1fb0a9872b9cd8b6cc27a339c57a66a75c5a4103b0e713e1fc0bf9fcb29310b577c9df363cc

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
176KB

MD5
85a77742425db62b92fa1b99b8f6e07c

SHA1
29b9a2ac86bba313f4dcaf54237b540a7c046287

SHA256
66c48dea33fc4c123d1843ee7652632119d7dd444221a70f57bac54f8cbe30c5

SHA512
e1e55fd87c3981456c473ed76fc452254ca7eb56e75569a570ded1fb0a9872b9cd8b6cc27a339c57a66a75c5a4103b0e713e1fc0bf9fcb29310b577c9df363cc

Download Submit
C:\Program Files\Common Files\Microsoft Shared\Filters\System Restore.exe

Filesize
176KB

MD5
aea8c10697772d16d54bfb497f10643b

SHA1
b4f5500e0cee60ae400d92a3e7c0958993a23a5d

SHA256
79472f26d1fc55a234799a41fef9cd8ba0499d5603635eea2ff408af0e33ee83

SHA512
cec2740d309aaefd416a2b91c17eb3870ff43efa14aad441a036b2a819aaba1d2a95de10a1d6dab409a132c9db96803feb471d57efcdad5b8813fb9ab682c57b

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
176KB

MD5
ae890ec7ad6e0168313ba7d4f53cedef

SHA1
0f68cd9fa27e8c240e96aad025c6a21eb50d639e

SHA256
e455e9ffc2d463a4f70492a982bebe9fbdccac795a6577f865ccbbcc9b06968d

SHA512
5944798f258a88820a42c446383cbc6a0e29c8ac70f9a4dd810d19c24719d8bffc9745730f795effbb07869f63102457f41def5201ed76b06425ec1705e5afa7

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
176KB

MD5
ae890ec7ad6e0168313ba7d4f53cedef

SHA1
0f68cd9fa27e8c240e96aad025c6a21eb50d639e

SHA256
e455e9ffc2d463a4f70492a982bebe9fbdccac795a6577f865ccbbcc9b06968d

SHA512
5944798f258a88820a42c446383cbc6a0e29c8ac70f9a4dd810d19c24719d8bffc9745730f795effbb07869f63102457f41def5201ed76b06425ec1705e5afa7

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
176KB

MD5
85a77742425db62b92fa1b99b8f6e07c

SHA1
29b9a2ac86bba313f4dcaf54237b540a7c046287

SHA256
66c48dea33fc4c123d1843ee7652632119d7dd444221a70f57bac54f8cbe30c5

SHA512
e1e55fd87c3981456c473ed76fc452254ca7eb56e75569a570ded1fb0a9872b9cd8b6cc27a339c57a66a75c5a4103b0e713e1fc0bf9fcb29310b577c9df363cc

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
176KB

MD5
85a77742425db62b92fa1b99b8f6e07c

SHA1
29b9a2ac86bba313f4dcaf54237b540a7c046287

SHA256
66c48dea33fc4c123d1843ee7652632119d7dd444221a70f57bac54f8cbe30c5

SHA512
e1e55fd87c3981456c473ed76fc452254ca7eb56e75569a570ded1fb0a9872b9cd8b6cc27a339c57a66a75c5a4103b0e713e1fc0bf9fcb29310b577c9df363cc

Download Submit
C:\Program Files\backup.exe

Filesize
176KB

MD5
2d425d2f5fc495d0466eaa0723e3354f

SHA1
deb02384de1b1e3ca9c3ad8c9bd5e701b0f8aca1

SHA256
5d877f14c1d62e29fd132415f8de3fb1e5ee1e723461ec8374f3d75c9875b8f0

SHA512
3c13e0986674bb9dcbbbc50824c9eba47ea8246513fdb3bfa811c0ca8074c1a1ba6f452f759cb72336581a124dae10a26323b73bc5b71565d12c572674e41d5c

Download Submit
C:\Program Files\backup.exe

Filesize
176KB

MD5
2d425d2f5fc495d0466eaa0723e3354f

SHA1
deb02384de1b1e3ca9c3ad8c9bd5e701b0f8aca1

SHA256
5d877f14c1d62e29fd132415f8de3fb1e5ee1e723461ec8374f3d75c9875b8f0

SHA512
3c13e0986674bb9dcbbbc50824c9eba47ea8246513fdb3bfa811c0ca8074c1a1ba6f452f759cb72336581a124dae10a26323b73bc5b71565d12c572674e41d5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\2030295200\backup.exe

Filesize
176KB

MD5
2d750e210bd4802a31f559ea772ab971

SHA1
d4d348d01f8059dc1551a496df7929d40e11e23f

SHA256
99627936b6bbeb1eb866dcf96568e39da7a480b47af6eeeef1fbf8d111fb2b7b

SHA512
6d438b479581d276a3a3877312ad516b01e567a671815ec44015dc7018b29182e8718b175768dcf39dc3d92b77571f49bcc6dfbfab2aefd906aa47252c1caba3

Download Submit
C:\Users\Admin\AppData\Local\Temp\2030295200\backup.exe

Filesize
176KB

MD5
2d750e210bd4802a31f559ea772ab971

SHA1
d4d348d01f8059dc1551a496df7929d40e11e23f

SHA256
99627936b6bbeb1eb866dcf96568e39da7a480b47af6eeeef1fbf8d111fb2b7b

SHA512
6d438b479581d276a3a3877312ad516b01e567a671815ec44015dc7018b29182e8718b175768dcf39dc3d92b77571f49bcc6dfbfab2aefd906aa47252c1caba3

Download Submit
C:\Users\Admin\AppData\Local\Temp\2030295200\backup.exe

Filesize
176KB

MD5
2d750e210bd4802a31f559ea772ab971

SHA1
d4d348d01f8059dc1551a496df7929d40e11e23f

SHA256
99627936b6bbeb1eb866dcf96568e39da7a480b47af6eeeef1fbf8d111fb2b7b

SHA512
6d438b479581d276a3a3877312ad516b01e567a671815ec44015dc7018b29182e8718b175768dcf39dc3d92b77571f49bcc6dfbfab2aefd906aa47252c1caba3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
176KB

MD5
2d750e210bd4802a31f559ea772ab971

SHA1
d4d348d01f8059dc1551a496df7929d40e11e23f

SHA256
99627936b6bbeb1eb866dcf96568e39da7a480b47af6eeeef1fbf8d111fb2b7b

SHA512
6d438b479581d276a3a3877312ad516b01e567a671815ec44015dc7018b29182e8718b175768dcf39dc3d92b77571f49bcc6dfbfab2aefd906aa47252c1caba3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
176KB

MD5
2d750e210bd4802a31f559ea772ab971

SHA1
d4d348d01f8059dc1551a496df7929d40e11e23f

SHA256
99627936b6bbeb1eb866dcf96568e39da7a480b47af6eeeef1fbf8d111fb2b7b

SHA512
6d438b479581d276a3a3877312ad516b01e567a671815ec44015dc7018b29182e8718b175768dcf39dc3d92b77571f49bcc6dfbfab2aefd906aa47252c1caba3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\update.exe

Filesize
176KB

MD5
2d750e210bd4802a31f559ea772ab971

SHA1
d4d348d01f8059dc1551a496df7929d40e11e23f

SHA256
99627936b6bbeb1eb866dcf96568e39da7a480b47af6eeeef1fbf8d111fb2b7b

SHA512
6d438b479581d276a3a3877312ad516b01e567a671815ec44015dc7018b29182e8718b175768dcf39dc3d92b77571f49bcc6dfbfab2aefd906aa47252c1caba3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\update.exe

Filesize
176KB

MD5
2d750e210bd4802a31f559ea772ab971

SHA1
d4d348d01f8059dc1551a496df7929d40e11e23f

SHA256
99627936b6bbeb1eb866dcf96568e39da7a480b47af6eeeef1fbf8d111fb2b7b

SHA512
6d438b479581d276a3a3877312ad516b01e567a671815ec44015dc7018b29182e8718b175768dcf39dc3d92b77571f49bcc6dfbfab2aefd906aa47252c1caba3

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
176KB

MD5
925c9ae879ebe0e71212dac4f5cbb809

SHA1
1c2905ba065b09738f19a481129ac09f34e0e5f8

SHA256
68cfdf282a3e235fe1b109a249643143c50a563a45fd2d2bf714069102b64680

SHA512
d30cd142541cfd8ce729504007ffac4acf6c90dc4a120592ca66e5be459cb56f0aaf5f9c658b10d28704914bd6148dfede9dd3389270a6800b22dee7084acf43

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
176KB

MD5
2d750e210bd4802a31f559ea772ab971

SHA1
d4d348d01f8059dc1551a496df7929d40e11e23f

SHA256
99627936b6bbeb1eb866dcf96568e39da7a480b47af6eeeef1fbf8d111fb2b7b

SHA512
6d438b479581d276a3a3877312ad516b01e567a671815ec44015dc7018b29182e8718b175768dcf39dc3d92b77571f49bcc6dfbfab2aefd906aa47252c1caba3

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
176KB

MD5
925c9ae879ebe0e71212dac4f5cbb809

SHA1
1c2905ba065b09738f19a481129ac09f34e0e5f8

SHA256
68cfdf282a3e235fe1b109a249643143c50a563a45fd2d2bf714069102b64680

SHA512
d30cd142541cfd8ce729504007ffac4acf6c90dc4a120592ca66e5be459cb56f0aaf5f9c658b10d28704914bd6148dfede9dd3389270a6800b22dee7084acf43

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.zip

Filesize
22B

MD5
76cdb2bad9582d23c1f6f4d868218d6c

SHA1
b04f3ee8f5e43fa3b162981b50bb72fe1acabb33

SHA256
8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85

SHA512
5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.zip

Filesize
33KB

MD5
91ce129c414f229a9b3f0a4f5b3795e5

SHA1
b45734bb8c1db7211be4617b6b573269a4f38f2d

SHA256
f965ceb8939e83525897d57195f55fdc8ab9d732c7bded378595633990feb3d6

SHA512
6b7bb34c053fbc7a59a278953fca50e60e7c6f3842dc5ef3aed3e74f46fca9b9ae54d686269b35ead70dfa0e9ec1fc0fbdc84bbe5f1f9bc6eddcebaf3b2d5f60

Download Submit
C:\backup.exe

Filesize
176KB

MD5
fa9e1d8ea734fdabd3d7761ea954f8b4

SHA1
7032a9160ababe849f1a7a132fae695aa790d393

SHA256
99d5362875e3854fb7ab31bad03e1273fec00f5c7151f25955a7e69cff235405

SHA512
7a4ece0901e7446ad0d7740af5d892cae3dd095f654815e5ef0267f2f93b0373bfbaa3bade744d1e5a4f0c08e5d815e22161423e9e1479328a31a537ece673c8

Download Submit
C:\backup.exe

Filesize
176KB

MD5
fa9e1d8ea734fdabd3d7761ea954f8b4

SHA1
7032a9160ababe849f1a7a132fae695aa790d393

SHA256
99d5362875e3854fb7ab31bad03e1273fec00f5c7151f25955a7e69cff235405

SHA512
7a4ece0901e7446ad0d7740af5d892cae3dd095f654815e5ef0267f2f93b0373bfbaa3bade744d1e5a4f0c08e5d815e22161423e9e1479328a31a537ece673c8

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
176KB

MD5
6a4469978a420e5dc0c4691602a01c4c

SHA1
c3f463c167bd748542afdf85384acea8973f9516

SHA256
cfa83bc5770e85d564ff756ede8a87d776d6353a994d59bf1f3384efd5bf8ea6

SHA512
0047f3e0adcbce62d8ef617a2e39b88c1e169fc582786f562f140c5296954aa1ff5a3ab0fbf0d32a96ec7ac5f151ef233a7d8b00884d958662419010e11fd872

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
176KB

MD5
6a4469978a420e5dc0c4691602a01c4c

SHA1
c3f463c167bd748542afdf85384acea8973f9516

SHA256
cfa83bc5770e85d564ff756ede8a87d776d6353a994d59bf1f3384efd5bf8ea6

SHA512
0047f3e0adcbce62d8ef617a2e39b88c1e169fc582786f562f140c5296954aa1ff5a3ab0fbf0d32a96ec7ac5f151ef233a7d8b00884d958662419010e11fd872

Download Submit
\PerfLogs\backup.exe

Filesize
176KB

MD5
83f22b0ba88facfc800a39ba1a02b4f4

SHA1
b363ff3a74eb4fec1c1bbaa9afd1ca4348fe919f

SHA256
6db23acb75e47ad5249ce1ffc1d50b5bbd6e4bdf0da3833b027dfdc4f3c94c0d

SHA512
96ab168fdf3ae530d0187b613d92ad51fbd1b452bf43108a956ac0dd976375dcb63f85a218ad228c80d1354674db03246d48bf5fe838fd22fc68c63f3e419a30

Download Submit
\PerfLogs\backup.exe

Filesize
176KB

MD5
83f22b0ba88facfc800a39ba1a02b4f4

SHA1
b363ff3a74eb4fec1c1bbaa9afd1ca4348fe919f

SHA256
6db23acb75e47ad5249ce1ffc1d50b5bbd6e4bdf0da3833b027dfdc4f3c94c0d

SHA512
96ab168fdf3ae530d0187b613d92ad51fbd1b452bf43108a956ac0dd976375dcb63f85a218ad228c80d1354674db03246d48bf5fe838fd22fc68c63f3e419a30

Download Submit
\Program Files (x86)\Adobe\backup.exe

Filesize
176KB

MD5
096de3b5584bc5168c6dc94504db372b

SHA1
5c8659a82b082f59ea389b882f28db7cc7609dbf

SHA256
cb670cd476b16ab881c5a404e1dd9f6f9b47c0db1aa2ea7b0816f68baba8510c

SHA512
93ca2cca84af2550304efdd3e8704197155fc4f746bad3a8614c4e013cc59b7b4ac4ff6b8f3af483cf284a6dae19b849af1ddf75c35b7f4ab347685b606efb1b

Download Submit
\Program Files (x86)\Adobe\backup.exe

Filesize
176KB

MD5
096de3b5584bc5168c6dc94504db372b

SHA1
5c8659a82b082f59ea389b882f28db7cc7609dbf

SHA256
cb670cd476b16ab881c5a404e1dd9f6f9b47c0db1aa2ea7b0816f68baba8510c

SHA512
93ca2cca84af2550304efdd3e8704197155fc4f746bad3a8614c4e013cc59b7b4ac4ff6b8f3af483cf284a6dae19b849af1ddf75c35b7f4ab347685b606efb1b

Download Submit
\Program Files (x86)\backup.exe

Filesize
176KB

MD5
83f7ca0ef93ba0bdbcbe8f770d9f4898

SHA1
c4063af3b4372306d43743c07a74e958685085e3

SHA256
fa64b1e2a06e342adafd3cb5851d2ead8afd194206f67819c9b366616caafbd5

SHA512
9d644aacc237adb16cc47661fd4d8f07adb37b156b51d0b51b1f37be3fba7eee4c2fad05db99565635b2a3f94f756cd6e16e933a605de4d6876520a034d66db8

Download Submit
\Program Files (x86)\backup.exe

Filesize
176KB

MD5
83f7ca0ef93ba0bdbcbe8f770d9f4898

SHA1
c4063af3b4372306d43743c07a74e958685085e3

SHA256
fa64b1e2a06e342adafd3cb5851d2ead8afd194206f67819c9b366616caafbd5

SHA512
9d644aacc237adb16cc47661fd4d8f07adb37b156b51d0b51b1f37be3fba7eee4c2fad05db99565635b2a3f94f756cd6e16e933a605de4d6876520a034d66db8

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
176KB

MD5
ae890ec7ad6e0168313ba7d4f53cedef

SHA1
0f68cd9fa27e8c240e96aad025c6a21eb50d639e

SHA256
e455e9ffc2d463a4f70492a982bebe9fbdccac795a6577f865ccbbcc9b06968d

SHA512
5944798f258a88820a42c446383cbc6a0e29c8ac70f9a4dd810d19c24719d8bffc9745730f795effbb07869f63102457f41def5201ed76b06425ec1705e5afa7

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
176KB

MD5
ae890ec7ad6e0168313ba7d4f53cedef

SHA1
0f68cd9fa27e8c240e96aad025c6a21eb50d639e

SHA256
e455e9ffc2d463a4f70492a982bebe9fbdccac795a6577f865ccbbcc9b06968d

SHA512
5944798f258a88820a42c446383cbc6a0e29c8ac70f9a4dd810d19c24719d8bffc9745730f795effbb07869f63102457f41def5201ed76b06425ec1705e5afa7

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
176KB

MD5
85a77742425db62b92fa1b99b8f6e07c

SHA1
29b9a2ac86bba313f4dcaf54237b540a7c046287

SHA256
66c48dea33fc4c123d1843ee7652632119d7dd444221a70f57bac54f8cbe30c5

SHA512
e1e55fd87c3981456c473ed76fc452254ca7eb56e75569a570ded1fb0a9872b9cd8b6cc27a339c57a66a75c5a4103b0e713e1fc0bf9fcb29310b577c9df363cc

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
176KB

MD5
85a77742425db62b92fa1b99b8f6e07c

SHA1
29b9a2ac86bba313f4dcaf54237b540a7c046287

SHA256
66c48dea33fc4c123d1843ee7652632119d7dd444221a70f57bac54f8cbe30c5

SHA512
e1e55fd87c3981456c473ed76fc452254ca7eb56e75569a570ded1fb0a9872b9cd8b6cc27a339c57a66a75c5a4103b0e713e1fc0bf9fcb29310b577c9df363cc

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\System Restore.exe

Filesize
176KB

MD5
aea8c10697772d16d54bfb497f10643b

SHA1
b4f5500e0cee60ae400d92a3e7c0958993a23a5d

SHA256
79472f26d1fc55a234799a41fef9cd8ba0499d5603635eea2ff408af0e33ee83

SHA512
cec2740d309aaefd416a2b91c17eb3870ff43efa14aad441a036b2a819aaba1d2a95de10a1d6dab409a132c9db96803feb471d57efcdad5b8813fb9ab682c57b

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\System Restore.exe

Filesize
176KB

MD5
aea8c10697772d16d54bfb497f10643b

SHA1
b4f5500e0cee60ae400d92a3e7c0958993a23a5d

SHA256
79472f26d1fc55a234799a41fef9cd8ba0499d5603635eea2ff408af0e33ee83

SHA512
cec2740d309aaefd416a2b91c17eb3870ff43efa14aad441a036b2a819aaba1d2a95de10a1d6dab409a132c9db96803feb471d57efcdad5b8813fb9ab682c57b

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
176KB

MD5
ae890ec7ad6e0168313ba7d4f53cedef

SHA1
0f68cd9fa27e8c240e96aad025c6a21eb50d639e

SHA256
e455e9ffc2d463a4f70492a982bebe9fbdccac795a6577f865ccbbcc9b06968d

SHA512
5944798f258a88820a42c446383cbc6a0e29c8ac70f9a4dd810d19c24719d8bffc9745730f795effbb07869f63102457f41def5201ed76b06425ec1705e5afa7

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
176KB

MD5
ae890ec7ad6e0168313ba7d4f53cedef

SHA1
0f68cd9fa27e8c240e96aad025c6a21eb50d639e

SHA256
e455e9ffc2d463a4f70492a982bebe9fbdccac795a6577f865ccbbcc9b06968d

SHA512
5944798f258a88820a42c446383cbc6a0e29c8ac70f9a4dd810d19c24719d8bffc9745730f795effbb07869f63102457f41def5201ed76b06425ec1705e5afa7

Download Submit
\Program Files\Common Files\backup.exe

Filesize
176KB

MD5
85a77742425db62b92fa1b99b8f6e07c

SHA1
29b9a2ac86bba313f4dcaf54237b540a7c046287

SHA256
66c48dea33fc4c123d1843ee7652632119d7dd444221a70f57bac54f8cbe30c5

SHA512
e1e55fd87c3981456c473ed76fc452254ca7eb56e75569a570ded1fb0a9872b9cd8b6cc27a339c57a66a75c5a4103b0e713e1fc0bf9fcb29310b577c9df363cc

Download Submit
\Program Files\Common Files\backup.exe

Filesize
176KB

MD5
85a77742425db62b92fa1b99b8f6e07c

SHA1
29b9a2ac86bba313f4dcaf54237b540a7c046287

SHA256
66c48dea33fc4c123d1843ee7652632119d7dd444221a70f57bac54f8cbe30c5

SHA512
e1e55fd87c3981456c473ed76fc452254ca7eb56e75569a570ded1fb0a9872b9cd8b6cc27a339c57a66a75c5a4103b0e713e1fc0bf9fcb29310b577c9df363cc

Download Submit
\Program Files\backup.exe

Filesize
176KB

MD5
2d425d2f5fc495d0466eaa0723e3354f

SHA1
deb02384de1b1e3ca9c3ad8c9bd5e701b0f8aca1

SHA256
5d877f14c1d62e29fd132415f8de3fb1e5ee1e723461ec8374f3d75c9875b8f0

SHA512
3c13e0986674bb9dcbbbc50824c9eba47ea8246513fdb3bfa811c0ca8074c1a1ba6f452f759cb72336581a124dae10a26323b73bc5b71565d12c572674e41d5c

Download Submit
\Program Files\backup.exe

Filesize
176KB

MD5
2d425d2f5fc495d0466eaa0723e3354f

SHA1
deb02384de1b1e3ca9c3ad8c9bd5e701b0f8aca1

SHA256
5d877f14c1d62e29fd132415f8de3fb1e5ee1e723461ec8374f3d75c9875b8f0

SHA512
3c13e0986674bb9dcbbbc50824c9eba47ea8246513fdb3bfa811c0ca8074c1a1ba6f452f759cb72336581a124dae10a26323b73bc5b71565d12c572674e41d5c

Download Submit
\Users\Admin\AppData\Local\Temp\2030295200\backup.exe

Filesize
176KB

MD5
2d750e210bd4802a31f559ea772ab971

SHA1
d4d348d01f8059dc1551a496df7929d40e11e23f

SHA256
99627936b6bbeb1eb866dcf96568e39da7a480b47af6eeeef1fbf8d111fb2b7b

SHA512
6d438b479581d276a3a3877312ad516b01e567a671815ec44015dc7018b29182e8718b175768dcf39dc3d92b77571f49bcc6dfbfab2aefd906aa47252c1caba3

Download Submit
\Users\Admin\AppData\Local\Temp\2030295200\backup.exe

Filesize
176KB

MD5
2d750e210bd4802a31f559ea772ab971

SHA1
d4d348d01f8059dc1551a496df7929d40e11e23f

SHA256
99627936b6bbeb1eb866dcf96568e39da7a480b47af6eeeef1fbf8d111fb2b7b

SHA512
6d438b479581d276a3a3877312ad516b01e567a671815ec44015dc7018b29182e8718b175768dcf39dc3d92b77571f49bcc6dfbfab2aefd906aa47252c1caba3

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
176KB

MD5
2d750e210bd4802a31f559ea772ab971

SHA1
d4d348d01f8059dc1551a496df7929d40e11e23f

SHA256
99627936b6bbeb1eb866dcf96568e39da7a480b47af6eeeef1fbf8d111fb2b7b

SHA512
6d438b479581d276a3a3877312ad516b01e567a671815ec44015dc7018b29182e8718b175768dcf39dc3d92b77571f49bcc6dfbfab2aefd906aa47252c1caba3

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
176KB

MD5
2d750e210bd4802a31f559ea772ab971

SHA1
d4d348d01f8059dc1551a496df7929d40e11e23f

SHA256
99627936b6bbeb1eb866dcf96568e39da7a480b47af6eeeef1fbf8d111fb2b7b

SHA512
6d438b479581d276a3a3877312ad516b01e567a671815ec44015dc7018b29182e8718b175768dcf39dc3d92b77571f49bcc6dfbfab2aefd906aa47252c1caba3

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
176KB

MD5
2d750e210bd4802a31f559ea772ab971

SHA1
d4d348d01f8059dc1551a496df7929d40e11e23f

SHA256
99627936b6bbeb1eb866dcf96568e39da7a480b47af6eeeef1fbf8d111fb2b7b

SHA512
6d438b479581d276a3a3877312ad516b01e567a671815ec44015dc7018b29182e8718b175768dcf39dc3d92b77571f49bcc6dfbfab2aefd906aa47252c1caba3

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
176KB

MD5
2d750e210bd4802a31f559ea772ab971

SHA1
d4d348d01f8059dc1551a496df7929d40e11e23f

SHA256
99627936b6bbeb1eb866dcf96568e39da7a480b47af6eeeef1fbf8d111fb2b7b

SHA512
6d438b479581d276a3a3877312ad516b01e567a671815ec44015dc7018b29182e8718b175768dcf39dc3d92b77571f49bcc6dfbfab2aefd906aa47252c1caba3

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\update.exe

Filesize
176KB

MD5
2d750e210bd4802a31f559ea772ab971

SHA1
d4d348d01f8059dc1551a496df7929d40e11e23f

SHA256
99627936b6bbeb1eb866dcf96568e39da7a480b47af6eeeef1fbf8d111fb2b7b

SHA512
6d438b479581d276a3a3877312ad516b01e567a671815ec44015dc7018b29182e8718b175768dcf39dc3d92b77571f49bcc6dfbfab2aefd906aa47252c1caba3

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\update.exe

Filesize
176KB

MD5
2d750e210bd4802a31f559ea772ab971

SHA1
d4d348d01f8059dc1551a496df7929d40e11e23f

SHA256
99627936b6bbeb1eb866dcf96568e39da7a480b47af6eeeef1fbf8d111fb2b7b

SHA512
6d438b479581d276a3a3877312ad516b01e567a671815ec44015dc7018b29182e8718b175768dcf39dc3d92b77571f49bcc6dfbfab2aefd906aa47252c1caba3

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\update.exe

Filesize
176KB

MD5
2d750e210bd4802a31f559ea772ab971

SHA1
d4d348d01f8059dc1551a496df7929d40e11e23f

SHA256
99627936b6bbeb1eb866dcf96568e39da7a480b47af6eeeef1fbf8d111fb2b7b

SHA512
6d438b479581d276a3a3877312ad516b01e567a671815ec44015dc7018b29182e8718b175768dcf39dc3d92b77571f49bcc6dfbfab2aefd906aa47252c1caba3

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\update.exe

Filesize
176KB

MD5
2d750e210bd4802a31f559ea772ab971

SHA1
d4d348d01f8059dc1551a496df7929d40e11e23f

SHA256
99627936b6bbeb1eb866dcf96568e39da7a480b47af6eeeef1fbf8d111fb2b7b

SHA512
6d438b479581d276a3a3877312ad516b01e567a671815ec44015dc7018b29182e8718b175768dcf39dc3d92b77571f49bcc6dfbfab2aefd906aa47252c1caba3

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
176KB

MD5
925c9ae879ebe0e71212dac4f5cbb809

SHA1
1c2905ba065b09738f19a481129ac09f34e0e5f8

SHA256
68cfdf282a3e235fe1b109a249643143c50a563a45fd2d2bf714069102b64680

SHA512
d30cd142541cfd8ce729504007ffac4acf6c90dc4a120592ca66e5be459cb56f0aaf5f9c658b10d28704914bd6148dfede9dd3389270a6800b22dee7084acf43

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
176KB

MD5
925c9ae879ebe0e71212dac4f5cbb809

SHA1
1c2905ba065b09738f19a481129ac09f34e0e5f8

SHA256
68cfdf282a3e235fe1b109a249643143c50a563a45fd2d2bf714069102b64680

SHA512
d30cd142541cfd8ce729504007ffac4acf6c90dc4a120592ca66e5be459cb56f0aaf5f9c658b10d28704914bd6148dfede9dd3389270a6800b22dee7084acf43

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
176KB

MD5
2d750e210bd4802a31f559ea772ab971

SHA1
d4d348d01f8059dc1551a496df7929d40e11e23f

SHA256
99627936b6bbeb1eb866dcf96568e39da7a480b47af6eeeef1fbf8d111fb2b7b

SHA512
6d438b479581d276a3a3877312ad516b01e567a671815ec44015dc7018b29182e8718b175768dcf39dc3d92b77571f49bcc6dfbfab2aefd906aa47252c1caba3

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
176KB

MD5
2d750e210bd4802a31f559ea772ab971

SHA1
d4d348d01f8059dc1551a496df7929d40e11e23f

SHA256
99627936b6bbeb1eb866dcf96568e39da7a480b47af6eeeef1fbf8d111fb2b7b

SHA512
6d438b479581d276a3a3877312ad516b01e567a671815ec44015dc7018b29182e8718b175768dcf39dc3d92b77571f49bcc6dfbfab2aefd906aa47252c1caba3

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
176KB

MD5
925c9ae879ebe0e71212dac4f5cbb809

SHA1
1c2905ba065b09738f19a481129ac09f34e0e5f8

SHA256
68cfdf282a3e235fe1b109a249643143c50a563a45fd2d2bf714069102b64680

SHA512
d30cd142541cfd8ce729504007ffac4acf6c90dc4a120592ca66e5be459cb56f0aaf5f9c658b10d28704914bd6148dfede9dd3389270a6800b22dee7084acf43

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
176KB

MD5
925c9ae879ebe0e71212dac4f5cbb809

SHA1
1c2905ba065b09738f19a481129ac09f34e0e5f8

SHA256
68cfdf282a3e235fe1b109a249643143c50a563a45fd2d2bf714069102b64680

SHA512
d30cd142541cfd8ce729504007ffac4acf6c90dc4a120592ca66e5be459cb56f0aaf5f9c658b10d28704914bd6148dfede9dd3389270a6800b22dee7084acf43

Download Submit
memory/268-112-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/996-180-0x0000000000310000-0x000000000033C000-memory.dmp

Filesize
176KB

Download
memory/996-187-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1056-184-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1056-182-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1096-128-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1160-338-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1204-303-0x0000000000300000-0x000000000032C000-memory.dmp

Filesize
176KB

Download
memory/1204-323-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1204-300-0x0000000000300000-0x000000000032C000-memory.dmp

Filesize
176KB

Download
memory/1376-218-0x00000000005C0000-0x00000000005EC000-memory.dmp

Filesize
176KB

Download
memory/1376-229-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1376-306-0x00000000005C0000-0x00000000005EC000-memory.dmp

Filesize
176KB

Download
memory/1376-230-0x00000000005C0000-0x00000000005EC000-memory.dmp

Filesize
176KB

Download
memory/1400-335-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1492-343-0x0000000000430000-0x000000000045C000-memory.dmp

Filesize
176KB

Download
memory/1492-228-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1756-261-0x00000000003A0000-0x00000000003CC000-memory.dmp

Filesize
176KB

Download
memory/1756-297-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2104-305-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2104-310-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2136-50-0x00000000002F0000-0x000000000031C000-memory.dmp

Filesize
176KB

Download
memory/2136-47-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2136-76-0x00000000002F0000-0x000000000031C000-memory.dmp

Filesize
176KB

Download
memory/2136-24-0x00000000002F0000-0x000000000031C000-memory.dmp

Filesize
176KB

Download
memory/2136-19-0x00000000002F0000-0x000000000031C000-memory.dmp

Filesize
176KB

Download
memory/2136-95-0x00000000002F0000-0x000000000031C000-memory.dmp

Filesize
176KB

Download
memory/2136-143-0x00000000002F0000-0x000000000031C000-memory.dmp

Filesize
176KB

Download
memory/2136-0-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2136-220-0x0000000002510000-0x0000000002511000-memory.dmp

Filesize
4KB

Download
memory/2136-140-0x00000000002F0000-0x000000000031C000-memory.dmp

Filesize
176KB

Download
memory/2136-12-0x00000000002F0000-0x000000000031C000-memory.dmp

Filesize
176KB

Download
memory/2136-159-0x0000000002510000-0x0000000002511000-memory.dmp

Filesize
4KB

Download
memory/2136-227-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2136-48-0x00000000002F0000-0x000000000031C000-memory.dmp

Filesize
176KB

Download
memory/2148-278-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2148-307-0x0000000001CB0000-0x0000000001CDC000-memory.dmp

Filesize
176KB

Download
memory/2148-252-0x0000000001CB0000-0x0000000001CDC000-memory.dmp

Filesize
176KB

Download
memory/2156-205-0x0000000000290000-0x00000000002BC000-memory.dmp

Filesize
176KB

Download
memory/2156-268-0x0000000000290000-0x00000000002BC000-memory.dmp

Filesize
176KB

Download
memory/2156-152-0x0000000000290000-0x00000000002BC000-memory.dmp

Filesize
176KB

Download
memory/2156-216-0x0000000000290000-0x00000000002BC000-memory.dmp

Filesize
176KB

Download
memory/2156-203-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2412-85-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2412-244-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2428-304-0x00000000003D0000-0x00000000003FC000-memory.dmp

Filesize
176KB

Download
memory/2428-341-0x00000000003D0000-0x00000000003FC000-memory.dmp

Filesize
176KB

Download
memory/2476-177-0x0000000000300000-0x000000000032C000-memory.dmp

Filesize
176KB

Download
memory/2476-276-0x0000000000300000-0x000000000032C000-memory.dmp

Filesize
176KB

Download
memory/2476-277-0x0000000000300000-0x000000000032C000-memory.dmp

Filesize
176KB

Download
memory/2476-239-0x0000000000300000-0x000000000032C000-memory.dmp

Filesize
176KB

Download
memory/2476-137-0x0000000000300000-0x000000000032C000-memory.dmp

Filesize
176KB

Download
memory/2476-157-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2552-68-0x0000000000230000-0x000000000023D000-memory.dmp

Filesize
52KB

Download
memory/2552-74-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2572-86-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2592-13-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2592-58-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2660-53-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2712-29-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2804-123-0x00000000005D0000-0x00000000005FC000-memory.dmp

Filesize
176KB

Download
memory/2804-124-0x00000000005D0000-0x00000000005FC000-memory.dmp

Filesize
176KB

Download
memory/2804-129-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2916-336-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads