a0c1b2f607c0052b9dca932963be54d724fef1b6610eac8a32184620c54a7e1c

Analysis

max time kernel
32s
max time network
124s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
11-11-2023 04:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.a7ecc75fd0530baeed81fcd2d1cc5f40.exe
Size

168KB
MD5

a7ecc75fd0530baeed81fcd2d1cc5f40
SHA1

439a7ad534b18b14af00c86ccf478141988a0746
SHA256

a0c1b2f607c0052b9dca932963be54d724fef1b6610eac8a32184620c54a7e1c
SHA512

0004d7e49c8193ba571f0f4008de9c366b43ebf42c6e80ff76951fd5192e8c329cf70b455cc44c36bd4b15fb654b6d963abb3e2c674c124f8ecfb5b5a957214c
SSDEEP

1536:9eT7BVwxfvEFwjRbe+X9nw0lRxNm1V2UrEN7gJMVro:9mVwRKCbe+X5lR302U4kh

Score

10^/10

dropper evasion persistence trojan upx

Malware Config

Signatures

Malware Backdoor - Berbew 64 IoCs

Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.

persistence dropper trojan

resource	yara_rule
behavioral1/memory/3060-0-0x0000000000400000-0x000000000042A000-memory.dmp	family_berbew
behavioral1/files/0x001c000000015c74-5.dat	family_berbew
behavioral1/files/0x001c000000015c74-9.dat	family_berbew
behavioral1/files/0x001c000000015c74-11.dat	family_berbew
behavioral1/files/0x001c000000015c74-7.dat	family_berbew
behavioral1/memory/764-13-0x0000000000400000-0x000000000042A000-memory.dmp	family_berbew
behavioral1/files/0x0007000000015db8-17.dat	family_berbew
behavioral1/files/0x0007000000015db8-19.dat	family_berbew
behavioral1/files/0x0007000000015db8-23.dat	family_berbew
behavioral1/files/0x0007000000015e0c-27.dat	family_berbew
behavioral1/files/0x0007000000015e0c-30.dat	family_berbew
behavioral1/files/0x0007000000015e0c-34.dat	family_berbew
behavioral1/memory/2456-29-0x0000000000400000-0x000000000042A000-memory.dmp	family_berbew
behavioral1/files/0x0008000000015dcb-38.dat	family_berbew
behavioral1/files/0x0008000000015dcb-40.dat	family_berbew
behavioral1/memory/3060-45-0x00000000003D0000-0x00000000003FA000-memory.dmp	family_berbew
behavioral1/files/0x0008000000015dcb-44.dat	family_berbew
behavioral1/memory/2784-50-0x0000000000400000-0x000000000042A000-memory.dmp	family_berbew
behavioral1/files/0x0008000000015eb5-51.dat	family_berbew
behavioral1/memory/3060-53-0x0000000000400000-0x000000000042A000-memory.dmp	family_berbew
behavioral1/files/0x0008000000015eb5-54.dat	family_berbew
behavioral1/files/0x0008000000015eb5-59.dat	family_berbew
behavioral1/memory/3060-58-0x00000000003D0000-0x00000000003FA000-memory.dmp	family_berbew
behavioral1/memory/1420-63-0x0000000000400000-0x000000000042A000-memory.dmp	family_berbew
behavioral1/files/0x00060000000162e3-66.dat	family_berbew
behavioral1/files/0x00060000000162e3-71.dat	family_berbew
behavioral1/memory/3060-74-0x00000000003D0000-0x00000000003FA000-memory.dmp	family_berbew
behavioral1/memory/764-70-0x0000000000400000-0x000000000042A000-memory.dmp	family_berbew
behavioral1/files/0x00060000000162e3-64.dat	family_berbew
behavioral1/files/0x0006000000016454-77.dat	family_berbew
behavioral1/files/0x0006000000016454-80.dat	family_berbew
behavioral1/files/0x0006000000016454-84.dat	family_berbew
behavioral1/memory/2752-79-0x0000000000400000-0x000000000042A000-memory.dmp	family_berbew
behavioral1/files/0x001c000000015c74-89.dat	family_berbew
behavioral1/memory/1104-87-0x0000000000400000-0x000000000042A000-memory.dmp	family_berbew
behavioral1/files/0x000600000001659c-95.dat	family_berbew
behavioral1/memory/764-100-0x0000000000430000-0x000000000045A000-memory.dmp	family_berbew
behavioral1/memory/868-99-0x0000000000400000-0x000000000042A000-memory.dmp	family_berbew
behavioral1/memory/764-98-0x0000000000430000-0x000000000045A000-memory.dmp	family_berbew
behavioral1/files/0x000600000001659c-102.dat	family_berbew
behavioral1/files/0x00060000000167f7-104.dat	family_berbew
behavioral1/memory/2328-106-0x0000000000400000-0x000000000042A000-memory.dmp	family_berbew
behavioral1/files/0x00060000000167f7-107.dat	family_berbew
behavioral1/files/0x00060000000167f7-111.dat	family_berbew
behavioral1/memory/3060-114-0x00000000003D0000-0x00000000003FA000-memory.dmp	family_berbew
behavioral1/memory/868-116-0x00000000003C0000-0x00000000003EA000-memory.dmp	family_berbew
behavioral1/memory/2916-117-0x0000000000400000-0x000000000042A000-memory.dmp	family_berbew
behavioral1/files/0x00060000000167f7-118.dat	family_berbew
behavioral1/files/0x0006000000016baa-120.dat	family_berbew
behavioral1/files/0x0006000000016baa-122.dat	family_berbew
behavioral1/memory/2916-128-0x00000000002D0000-0x00000000002FA000-memory.dmp	family_berbew
behavioral1/files/0x0006000000016baa-127.dat	family_berbew
behavioral1/memory/2916-132-0x0000000000400000-0x000000000042A000-memory.dmp	family_berbew
behavioral1/memory/3060-126-0x00000000003D0000-0x00000000003FA000-memory.dmp	family_berbew
behavioral1/memory/2948-133-0x0000000000400000-0x000000000042A000-memory.dmp	family_berbew
behavioral1/files/0x0006000000016c2c-142.dat	family_berbew
behavioral1/files/0x0006000000016c2c-138.dat	family_berbew
behavioral1/files/0x0006000000016c2c-136.dat	family_berbew
behavioral1/files/0x0007000000016c26-149.dat	family_berbew
behavioral1/files/0x0007000000016c26-151.dat	family_berbew
behavioral1/files/0x0006000000016c2c-147.dat	family_berbew
behavioral1/files/0x0007000000016c26-160.dat	family_berbew
behavioral1/files/0x0007000000016ca4-173.dat	family_berbew
behavioral1/files/0x0007000000016ca4-176.dat	family_berbew

Modifies visibility of file extensions in Explorer 2 TTPs 32 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	NEAS.a7ecc75fd0530baeed81fcd2d1cc5f40.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe

Executes dropped EXE 36 IoCs

pid	Process
764	backup.exe
2456	backup.exe
2328	backup.exe
2784	backup.exe
1420	backup.exe
2752	backup.exe
1104	backup.exe
868	backup.exe
2916	backup.exe
2948	backup.exe
1692	backup.exe
1240	backup.exe
580	backup.exe
1468	backup.exe
2204	backup.exe
2072	backup.exe
1920	backup.exe
2472	backup.exe
1828	backup.exe
1252	backup.exe
1012	backup.exe
2080	backup.exe
636	System Restore.exe
828	backup.exe
2664	backup.exe
3036	backup.exe
1524	backup.exe
1584	backup.exe
2992	backup.exe
2132	backup.exe
3012	backup.exe
2808	backup.exe
2984	backup.exe
2832	backup.exe
2620	backup.exe
2632	backup.exe

Loads dropped DLL 64 IoCs

pid	Process
3060	NEAS.a7ecc75fd0530baeed81fcd2d1cc5f40.exe
3060	NEAS.a7ecc75fd0530baeed81fcd2d1cc5f40.exe
3060	NEAS.a7ecc75fd0530baeed81fcd2d1cc5f40.exe
3060	NEAS.a7ecc75fd0530baeed81fcd2d1cc5f40.exe
3060	NEAS.a7ecc75fd0530baeed81fcd2d1cc5f40.exe
3060	NEAS.a7ecc75fd0530baeed81fcd2d1cc5f40.exe
3060	NEAS.a7ecc75fd0530baeed81fcd2d1cc5f40.exe
3060	NEAS.a7ecc75fd0530baeed81fcd2d1cc5f40.exe
3060	NEAS.a7ecc75fd0530baeed81fcd2d1cc5f40.exe
3060	NEAS.a7ecc75fd0530baeed81fcd2d1cc5f40.exe
3060	NEAS.a7ecc75fd0530baeed81fcd2d1cc5f40.exe
3060	NEAS.a7ecc75fd0530baeed81fcd2d1cc5f40.exe
3060	NEAS.a7ecc75fd0530baeed81fcd2d1cc5f40.exe
3060	NEAS.a7ecc75fd0530baeed81fcd2d1cc5f40.exe
868	backup.exe
868	backup.exe
2916	backup.exe
2916	backup.exe
868	backup.exe
868	backup.exe
1692	backup.exe
1692	backup.exe
1240	backup.exe
1240	backup.exe
1692	backup.exe
1692	backup.exe
1468	backup.exe
1468	backup.exe
1692	backup.exe
1692	backup.exe
868	backup.exe
868	backup.exe
1920	backup.exe
1920	backup.exe
2072	backup.exe
2204	backup.exe
2072	backup.exe
2204	backup.exe
2072	backup.exe
2072	backup.exe
2472	backup.exe
2472	backup.exe
2204	backup.exe
2204	backup.exe
636	System Restore.exe
636	System Restore.exe
1012	backup.exe
1012	backup.exe
2072	backup.exe
2072	backup.exe
1012	backup.exe
1012	backup.exe
636	System Restore.exe
636	System Restore.exe
2072	backup.exe
2072	backup.exe
636	System Restore.exe
636	System Restore.exe
1584	backup.exe
2072	backup.exe
1584	backup.exe
2072	backup.exe
636	System Restore.exe
2072	backup.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3060-0-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/files/0x001c000000015c74-5.dat	upx
behavioral1/files/0x001c000000015c74-9.dat	upx
behavioral1/files/0x001c000000015c74-11.dat	upx
behavioral1/files/0x001c000000015c74-7.dat	upx
behavioral1/memory/764-13-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/files/0x0007000000015db8-17.dat	upx
behavioral1/files/0x0007000000015db8-19.dat	upx
behavioral1/files/0x0007000000015db8-23.dat	upx
behavioral1/files/0x0007000000015e0c-27.dat	upx
behavioral1/files/0x0007000000015e0c-30.dat	upx
behavioral1/files/0x0007000000015e0c-34.dat	upx
behavioral1/memory/2456-29-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/files/0x0008000000015dcb-38.dat	upx
behavioral1/files/0x0008000000015dcb-40.dat	upx
behavioral1/files/0x0008000000015dcb-44.dat	upx
behavioral1/memory/2784-50-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/files/0x0008000000015eb5-51.dat	upx
behavioral1/memory/3060-53-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/files/0x0008000000015eb5-54.dat	upx
behavioral1/files/0x0008000000015eb5-59.dat	upx
behavioral1/memory/1420-63-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/files/0x00060000000162e3-66.dat	upx
behavioral1/files/0x00060000000162e3-71.dat	upx
behavioral1/memory/764-70-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/files/0x00060000000162e3-64.dat	upx
behavioral1/files/0x0006000000016454-77.dat	upx
behavioral1/files/0x0006000000016454-80.dat	upx
behavioral1/files/0x0006000000016454-84.dat	upx
behavioral1/memory/2752-79-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/files/0x001c000000015c74-89.dat	upx
behavioral1/memory/1104-87-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/files/0x000600000001659c-95.dat	upx
behavioral1/memory/868-99-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/files/0x000600000001659c-102.dat	upx
behavioral1/files/0x00060000000167f7-104.dat	upx
behavioral1/memory/2328-106-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/files/0x00060000000167f7-107.dat	upx
behavioral1/files/0x00060000000167f7-111.dat	upx
behavioral1/memory/2916-117-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/files/0x00060000000167f7-118.dat	upx
behavioral1/files/0x0006000000016baa-120.dat	upx
behavioral1/files/0x0006000000016baa-122.dat	upx
behavioral1/files/0x0006000000016baa-127.dat	upx
behavioral1/memory/2916-132-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2948-133-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/files/0x0006000000016c2c-142.dat	upx
behavioral1/files/0x0006000000016c2c-138.dat	upx
behavioral1/files/0x0006000000016c2c-136.dat	upx
behavioral1/files/0x0007000000016c26-149.dat	upx
behavioral1/files/0x0007000000016c26-151.dat	upx
behavioral1/files/0x0006000000016c2c-147.dat	upx
behavioral1/files/0x0007000000016c26-160.dat	upx
behavioral1/files/0x0007000000016ca4-173.dat	upx
behavioral1/files/0x0007000000016ca4-176.dat	upx
behavioral1/files/0x0007000000016ca4-180.dat	upx
behavioral1/memory/868-181-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/580-184-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/1240-187-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/580-186-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/files/0x0006000000016ce0-194.dat	upx
behavioral1/files/0x0006000000016ce0-190.dat	upx
behavioral1/files/0x0006000000016ce0-188.dat	upx
behavioral1/files/0x0006000000016ce0-197.dat	upx

Drops file in Program Files directory 26 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\Lang\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Services\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\DVD Maker\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\DVD Maker\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\DVD Maker\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\backup.exe	backup.exe
File opened for modification	C:\Program Files\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3060	NEAS.a7ecc75fd0530baeed81fcd2d1cc5f40.exe

Suspicious use of SetWindowsHookEx 36 IoCs

pid	Process
3060	NEAS.a7ecc75fd0530baeed81fcd2d1cc5f40.exe
764	backup.exe
2456	backup.exe
2328	backup.exe
2784	backup.exe
1420	backup.exe
2752	backup.exe
1104	backup.exe
868	backup.exe
2916	backup.exe
2948	backup.exe
1692	backup.exe
1240	backup.exe
580	backup.exe
1468	backup.exe
2204	backup.exe
2072	backup.exe
1920	backup.exe
1828	backup.exe
2472	backup.exe
1252	backup.exe
1012	backup.exe
636	System Restore.exe
2080	backup.exe
828	backup.exe
2664	backup.exe
3036	backup.exe
1524	backup.exe
1584	backup.exe
2992	backup.exe
2132	backup.exe
2808	backup.exe
3012	backup.exe
2984	backup.exe
2832	backup.exe
2632	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3060 wrote to memory of 764	3060	NEAS.a7ecc75fd0530baeed81fcd2d1cc5f40.exe	28
PID 3060 wrote to memory of 764	3060	NEAS.a7ecc75fd0530baeed81fcd2d1cc5f40.exe	28
PID 3060 wrote to memory of 764	3060	NEAS.a7ecc75fd0530baeed81fcd2d1cc5f40.exe	28
PID 3060 wrote to memory of 764	3060	NEAS.a7ecc75fd0530baeed81fcd2d1cc5f40.exe	28
PID 3060 wrote to memory of 2456	3060	NEAS.a7ecc75fd0530baeed81fcd2d1cc5f40.exe	29
PID 3060 wrote to memory of 2456	3060	NEAS.a7ecc75fd0530baeed81fcd2d1cc5f40.exe	29
PID 3060 wrote to memory of 2456	3060	NEAS.a7ecc75fd0530baeed81fcd2d1cc5f40.exe	29
PID 3060 wrote to memory of 2456	3060	NEAS.a7ecc75fd0530baeed81fcd2d1cc5f40.exe	29
PID 3060 wrote to memory of 2328	3060	NEAS.a7ecc75fd0530baeed81fcd2d1cc5f40.exe	30
PID 3060 wrote to memory of 2328	3060	NEAS.a7ecc75fd0530baeed81fcd2d1cc5f40.exe	30
PID 3060 wrote to memory of 2328	3060	NEAS.a7ecc75fd0530baeed81fcd2d1cc5f40.exe	30
PID 3060 wrote to memory of 2328	3060	NEAS.a7ecc75fd0530baeed81fcd2d1cc5f40.exe	30
PID 3060 wrote to memory of 2784	3060	NEAS.a7ecc75fd0530baeed81fcd2d1cc5f40.exe	31
PID 3060 wrote to memory of 2784	3060	NEAS.a7ecc75fd0530baeed81fcd2d1cc5f40.exe	31
PID 3060 wrote to memory of 2784	3060	NEAS.a7ecc75fd0530baeed81fcd2d1cc5f40.exe	31
PID 3060 wrote to memory of 2784	3060	NEAS.a7ecc75fd0530baeed81fcd2d1cc5f40.exe	31
PID 3060 wrote to memory of 1420	3060	NEAS.a7ecc75fd0530baeed81fcd2d1cc5f40.exe	32
PID 3060 wrote to memory of 1420	3060	NEAS.a7ecc75fd0530baeed81fcd2d1cc5f40.exe	32
PID 3060 wrote to memory of 1420	3060	NEAS.a7ecc75fd0530baeed81fcd2d1cc5f40.exe	32
PID 3060 wrote to memory of 1420	3060	NEAS.a7ecc75fd0530baeed81fcd2d1cc5f40.exe	32
PID 3060 wrote to memory of 2752	3060	NEAS.a7ecc75fd0530baeed81fcd2d1cc5f40.exe	33
PID 3060 wrote to memory of 2752	3060	NEAS.a7ecc75fd0530baeed81fcd2d1cc5f40.exe	33
PID 3060 wrote to memory of 2752	3060	NEAS.a7ecc75fd0530baeed81fcd2d1cc5f40.exe	33
PID 3060 wrote to memory of 2752	3060	NEAS.a7ecc75fd0530baeed81fcd2d1cc5f40.exe	33
PID 3060 wrote to memory of 1104	3060	NEAS.a7ecc75fd0530baeed81fcd2d1cc5f40.exe	34
PID 3060 wrote to memory of 1104	3060	NEAS.a7ecc75fd0530baeed81fcd2d1cc5f40.exe	34
PID 3060 wrote to memory of 1104	3060	NEAS.a7ecc75fd0530baeed81fcd2d1cc5f40.exe	34
PID 3060 wrote to memory of 1104	3060	NEAS.a7ecc75fd0530baeed81fcd2d1cc5f40.exe	34
PID 764 wrote to memory of 868	764	backup.exe	35
PID 764 wrote to memory of 868	764	backup.exe	35
PID 764 wrote to memory of 868	764	backup.exe	35
PID 764 wrote to memory of 868	764	backup.exe	35
PID 868 wrote to memory of 2916	868	backup.exe	36
PID 868 wrote to memory of 2916	868	backup.exe	36
PID 868 wrote to memory of 2916	868	backup.exe	36
PID 868 wrote to memory of 2916	868	backup.exe	36
PID 2916 wrote to memory of 2948	2916	backup.exe	37
PID 2916 wrote to memory of 2948	2916	backup.exe	37
PID 2916 wrote to memory of 2948	2916	backup.exe	37
PID 2916 wrote to memory of 2948	2916	backup.exe	37
PID 868 wrote to memory of 1692	868	backup.exe	38
PID 868 wrote to memory of 1692	868	backup.exe	38
PID 868 wrote to memory of 1692	868	backup.exe	38
PID 868 wrote to memory of 1692	868	backup.exe	38
PID 1692 wrote to memory of 1240	1692	backup.exe	39
PID 1692 wrote to memory of 1240	1692	backup.exe	39
PID 1692 wrote to memory of 1240	1692	backup.exe	39
PID 1692 wrote to memory of 1240	1692	backup.exe	39
PID 1240 wrote to memory of 580	1240	backup.exe	41
PID 1240 wrote to memory of 580	1240	backup.exe	41
PID 1240 wrote to memory of 580	1240	backup.exe	41
PID 1240 wrote to memory of 580	1240	backup.exe	41
PID 1692 wrote to memory of 1468	1692	backup.exe	40
PID 1692 wrote to memory of 1468	1692	backup.exe	40
PID 1692 wrote to memory of 1468	1692	backup.exe	40
PID 1692 wrote to memory of 1468	1692	backup.exe	40
PID 1468 wrote to memory of 2204	1468	backup.exe	42
PID 1468 wrote to memory of 2204	1468	backup.exe	42
PID 1468 wrote to memory of 2204	1468	backup.exe	42
PID 1468 wrote to memory of 2204	1468	backup.exe	42
PID 1692 wrote to memory of 2072	1692	backup.exe	43
PID 1692 wrote to memory of 2072	1692	backup.exe	43
PID 1692 wrote to memory of 2072	1692	backup.exe	43
PID 1692 wrote to memory of 2072	1692	backup.exe	43

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	NEAS.a7ecc75fd0530baeed81fcd2d1cc5f40.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	NEAS.a7ecc75fd0530baeed81fcd2d1cc5f40.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.a7ecc75fd0530baeed81fcd2d1cc5f40.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.a7ecc75fd0530baeed81fcd2d1cc5f40.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3060
- C:\Users\Admin\AppData\Local\Temp\2341099562\backup.exe
  C:\Users\Admin\AppData\Local\Temp\2341099562\backup.exe C:\Users\Admin\AppData\Local\Temp\2341099562\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:764
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:868
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2916
    - - C:\PerfLogs\Admin\backup.exe
        
        C:\PerfLogs\Admin\backup.exe C:\PerfLogs\Admin\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2948
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1692
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1240
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:580
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1468
      - C:\Program Files\Common Files\Microsoft Shared\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\backup.exe" C:\Program Files\Common Files\Microsoft Shared\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2204
        
        C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1252
        
        C:\Program Files\Common Files\Microsoft Shared\ink\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:636
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:828
        
        C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1524
        
        C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2132
        
        C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2832
        
        C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
        8⤵
        
        PID:2768
        
        C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
        8⤵
        
        PID:2532
        
        C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
        8⤵
        
        PID:2960
        
        C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
        8⤵
        
        PID:2920
        
        C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
        8⤵
        
        PID:2216
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\
        8⤵
        
        PID:2588
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\
        8⤵
        
        PID:3032
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\
        8⤵
        
        PID:2036
        
        C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\
        8⤵
        
        PID:2992
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
        7⤵
        
        PID:2892
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\
        8⤵
        
        PID:1924
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\
        8⤵
        
        PID:1776
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\
        8⤵
        
        PID:2772
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\
        8⤵
        
        PID:2900
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\data.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\
        8⤵
        
        PID:2996
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\
        8⤵
        
        PID:2976
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
        7⤵
        
        PID:1608
        
        C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
        7⤵
        
        PID:2784
        
        C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\
        7⤵
        
        PID:1376
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\
        7⤵
        
        PID:304
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\
        7⤵
        
        PID:2580
        
        C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VC\
        7⤵
        
        PID:1840
        
        C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VGX\
        7⤵
        
        PID:3004
        
        C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\
        7⤵
        
        PID:1088
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        Executes dropped EXE
        
        PID:2620
      - C:\Program Files\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\backup.exe" C:\Program Files\Common Files\SpeechEngines\
        6⤵
        
        PID:2908
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        
        PID:1552
        
        C:\Program Files\Common Files\System\ado\backup.exe
        
        "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        
        PID:2724
        
        C:\Program Files\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
        8⤵
        
        PID:524
        
        C:\Program Files\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
        8⤵
        
        PID:2012
        
        C:\Program Files\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        
        PID:2884
        
        C:\Program Files\Common Files\System\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        
        PID:3044
        
        C:\Program Files\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
        7⤵
        
        PID:1968
        
        C:\Program Files\Common Files\System\fr-FR\data.exe
        
        "C:\Program Files\Common Files\System\fr-FR\data.exe" C:\Program Files\Common Files\System\fr-FR\
        7⤵
        
        PID:960
        
        C:\Program Files\Common Files\System\it-IT\System Restore.exe
        
        "C:\Program Files\Common Files\System\it-IT\System Restore.exe" C:\Program Files\Common Files\System\it-IT\
        7⤵
        
        PID:672
        
        C:\Program Files\Common Files\System\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ja-JP\backup.exe" C:\Program Files\Common Files\System\ja-JP\
        7⤵
        
        PID:2248
    - - C:\Program Files\DVD Maker\backup.exe
        
        "C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2072
      - C:\Program Files\DVD Maker\de-DE\backup.exe
        
        "C:\Program Files\DVD Maker\de-DE\backup.exe" C:\Program Files\DVD Maker\de-DE\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1828
      - C:\Program Files\DVD Maker\en-US\backup.exe
        
        "C:\Program Files\DVD Maker\en-US\backup.exe" C:\Program Files\DVD Maker\en-US\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2080
      - C:\Program Files\DVD Maker\es-ES\backup.exe
        
        "C:\Program Files\DVD Maker\es-ES\backup.exe" C:\Program Files\DVD Maker\es-ES\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2664
      - C:\Program Files\DVD Maker\fr-FR\backup.exe
        
        "C:\Program Files\DVD Maker\fr-FR\backup.exe" C:\Program Files\DVD Maker\fr-FR\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2992
      - C:\Program Files\DVD Maker\it-IT\backup.exe
        
        "C:\Program Files\DVD Maker\it-IT\backup.exe" C:\Program Files\DVD Maker\it-IT\
        6⤵
        
        PID:2808
      - C:\Program Files\DVD Maker\ja-JP\backup.exe
        
        "C:\Program Files\DVD Maker\ja-JP\backup.exe" C:\Program Files\DVD Maker\ja-JP\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2984
      - C:\Program Files\DVD Maker\Shared\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\backup.exe" C:\Program Files\DVD Maker\Shared\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2632
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\
        7⤵
        
        PID:2412
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\update.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\update.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\
        8⤵
        
        PID:1660
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\
        8⤵
        
        PID:2644
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\
        8⤵
        
        PID:2164
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Full\
        8⤵
        
        PID:1064
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\
        8⤵
        
        PID:2592
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\
        8⤵
        
        PID:2396
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\
        8⤵
        
        PID:2068
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\
        8⤵
        
        PID:2072
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        
        PID:1284
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        
        PID:2356
      - C:\Program Files\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files\Internet Explorer\de-DE\backup.exe" C:\Program Files\Internet Explorer\de-DE\
        6⤵
        
        PID:2348
      - C:\Program Files\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files\Internet Explorer\en-US\backup.exe" C:\Program Files\Internet Explorer\en-US\
        6⤵
        
        PID:2804
      - C:\Program Files\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files\Internet Explorer\es-ES\backup.exe" C:\Program Files\Internet Explorer\es-ES\
        6⤵
        
        PID:2492
      - C:\Program Files\Internet Explorer\fr-FR\backup.exe
        
        "C:\Program Files\Internet Explorer\fr-FR\backup.exe" C:\Program Files\Internet Explorer\fr-FR\
        6⤵
        
        PID:1560
      - C:\Program Files\Internet Explorer\images\backup.exe
        
        "C:\Program Files\Internet Explorer\images\backup.exe" C:\Program Files\Internet Explorer\images\
        6⤵
        
        PID:576
      - C:\Program Files\Internet Explorer\it-IT\backup.exe
        
        "C:\Program Files\Internet Explorer\it-IT\backup.exe" C:\Program Files\Internet Explorer\it-IT\
        6⤵
        
        PID:1292
      - C:\Program Files\Internet Explorer\ja-JP\backup.exe
        
        "C:\Program Files\Internet Explorer\ja-JP\backup.exe" C:\Program Files\Internet Explorer\ja-JP\
        6⤵
        
        PID:2860
      - C:\Program Files\Internet Explorer\SIGNUP\backup.exe
        
        "C:\Program Files\Internet Explorer\SIGNUP\backup.exe" C:\Program Files\Internet Explorer\SIGNUP\
        6⤵
        
        PID:1884
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        
        PID:1192
      - C:\Program Files\Java\jdk1.7.0_80\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\backup.exe" C:\Program Files\Java\jdk1.7.0_80\
        6⤵
        
        PID:3020
      - C:\Program Files\Java\jre7\backup.exe
        
        "C:\Program Files\Java\jre7\backup.exe" C:\Program Files\Java\jre7\
        6⤵
        
        PID:2088
    - - C:\Program Files\Microsoft Games\update.exe
        
        "C:\Program Files\Microsoft Games\update.exe" C:\Program Files\Microsoft Games\
        5⤵
        
        PID:2972
    - - C:\Program Files\Microsoft Office\backup.exe
        
        "C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
        5⤵
        
        PID:1668
    - - C:\Program Files\Mozilla Firefox\backup.exe
        
        "C:\Program Files\Mozilla Firefox\backup.exe" C:\Program Files\Mozilla Firefox\
        5⤵
        
        PID:1048
    - - C:\Program Files\MSBuild\backup.exe
        
        "C:\Program Files\MSBuild\backup.exe" C:\Program Files\MSBuild\
        5⤵
        
        PID:3056
    - - C:\Program Files\Reference Assemblies\backup.exe
        
        "C:\Program Files\Reference Assemblies\backup.exe" C:\Program Files\Reference Assemblies\
        5⤵
        
        PID:1712
    - - C:\Program Files\VideoLAN\backup.exe
        
        "C:\Program Files\VideoLAN\backup.exe" C:\Program Files\VideoLAN\
        5⤵
        
        PID:2388
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:1920
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2472
      - C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1012
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3036
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1584
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3012
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\
        8⤵
        
        PID:1112
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\
        8⤵
        
        PID:1108
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\
        8⤵
        
        PID:996
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\
        8⤵
        
        PID:2280
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\
        8⤵
        
        PID:2516
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\
        8⤵
        
        PID:880
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\
        8⤵
        
        PID:2904
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\
        8⤵
        
        PID:1836
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\data.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\data.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\
        8⤵
        
        PID:2464
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\
        8⤵
        
        PID:2200
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\
        7⤵
        
        PID:1576
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\
        8⤵
        
        PID:272
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\
        9⤵
        
        PID:2700
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\
        8⤵
        
        PID:108
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\
        8⤵
        
        PID:2116
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\
        8⤵
        
        PID:2044
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\
        8⤵
        
        PID:2812
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\
        7⤵
        
        PID:2380
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        
        PID:1636
      - C:\Program Files (x86)\Common Files\Adobe\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\System Restore.exe" C:\Program Files (x86)\Common Files\Adobe\
        6⤵
        
        PID:2468
        
        C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\
        7⤵
        
        PID:556
        
        C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2808
        
        C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Updater6\
        7⤵
        
        PID:2888
      - C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\
        6⤵
        
        PID:2476
      - C:\Program Files (x86)\Common Files\DESIGNER\backup.exe
        
        "C:\Program Files (x86)\Common Files\DESIGNER\backup.exe" C:\Program Files (x86)\Common Files\DESIGNER\
        6⤵
        
        PID:2852
      - C:\Program Files (x86)\Common Files\microsoft shared\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\
        6⤵
        
        PID:2876
      - C:\Program Files (x86)\Common Files\Services\data.exe
        
        "C:\Program Files (x86)\Common Files\Services\data.exe" C:\Program Files (x86)\Common Files\Services\
        6⤵
        
        PID:2452
      - C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe" C:\Program Files (x86)\Common Files\SpeechEngines\
        6⤵
        
        PID:1068
      - C:\Program Files (x86)\Common Files\System\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\backup.exe" C:\Program Files (x86)\Common Files\System\
        6⤵
        
        PID:2652
    - - C:\Program Files (x86)\Google\System Restore.exe
        
        "C:\Program Files (x86)\Google\System Restore.exe" C:\Program Files (x86)\Google\
        5⤵
        
        PID:1948
    - - C:\Program Files (x86)\Internet Explorer\data.exe
        
        "C:\Program Files (x86)\Internet Explorer\data.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        
        PID:2460
    - - C:\Program Files (x86)\Microsoft Analysis Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\
        5⤵
        
        PID:472
    - - C:\Program Files (x86)\Microsoft Office\data.exe
        
        "C:\Program Files (x86)\Microsoft Office\data.exe" C:\Program Files (x86)\Microsoft Office\
        5⤵
        
        PID:2940
    - - C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\
        5⤵
        
        PID:2684
    - - C:\Program Files (x86)\Microsoft Sync Framework\backup.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\backup.exe" C:\Program Files (x86)\Microsoft Sync Framework\
        5⤵
        
        PID:2416
    - - C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe" C:\Program Files (x86)\Microsoft Synchronization Services\
        5⤵
        
        PID:1612
    - - C:\Program Files (x86)\Microsoft Visual Studio 8\backup.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\backup.exe" C:\Program Files (x86)\Microsoft Visual Studio 8\
        5⤵
        
        PID:2488
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      PID:1664
    - - C:\Users\Admin\System Restore.exe
        
        "C:\Users\Admin\System Restore.exe" C:\Users\Admin\
        5⤵
        
        PID:1764
      - C:\Users\Admin\Contacts\backup.exe
        
        C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
        6⤵
        
        PID:1824
      - C:\Users\Admin\Desktop\System Restore.exe
        
        "C:\Users\Admin\Desktop\System Restore.exe" C:\Users\Admin\Desktop\
        6⤵
        
        PID:2372
      - C:\Users\Admin\Documents\backup.exe
        
        C:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\
        6⤵
        
        PID:980
      - C:\Users\Admin\Downloads\backup.exe
        
        C:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\
        6⤵
        
        PID:2140
      - C:\Users\Admin\Favorites\data.exe
        
        C:\Users\Admin\Favorites\data.exe C:\Users\Admin\Favorites\
        6⤵
        
        PID:2304
    - - C:\Users\Public\backup.exe
        
        C:\Users\Public\backup.exe C:\Users\Public\
        5⤵
        
        PID:1804
      - C:\Users\Public\Documents\backup.exe
        
        C:\Users\Public\Documents\backup.exe C:\Users\Public\Documents\
        6⤵
        
        PID:2496
      - C:\Users\Public\Downloads\backup.exe
        
        C:\Users\Public\Downloads\backup.exe C:\Users\Public\Downloads\
        6⤵
        
        PID:112
      - C:\Users\Public\Music\backup.exe
        
        C:\Users\Public\Music\backup.exe C:\Users\Public\Music\
        6⤵
        
        PID:3008
      - C:\Users\Public\Pictures\backup.exe
        
        C:\Users\Public\Pictures\backup.exe C:\Users\Public\Pictures\
        6⤵
        
        PID:1720
      - C:\Users\Public\Recorded TV\backup.exe
        
        "C:\Users\Public\Recorded TV\backup.exe" C:\Users\Public\Recorded TV\
        6⤵
        
        PID:396
      - C:\Users\Public\Videos\System Restore.exe
        
        "C:\Users\Public\Videos\System Restore.exe" C:\Users\Public\Videos\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2984
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      PID:2056
    - - C:\Windows\addins\backup.exe
        
        C:\Windows\addins\backup.exe C:\Windows\addins\
        5⤵
        
        PID:320
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2456
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2328
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2784
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1420
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2752
- C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
  C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\backup.exe

Filesize
168KB

MD5
9daf7d621aad7bddbdf1c55cd85fd0f6

SHA1
fc9c20996c031a4ff85cd22d2812f2aa28f38cee

SHA256
234ac3bc1973b8d86e7dc6f187acad8b052434349e0aed925a1cee2e4afeffd1

SHA512
05987776c83f3e9f03451ed5f16c6f8a001721eeab2f55ed95907d2820ddfa19289179f48e20daa37f9daf3340bd5cc5de905087d4cfafef32c1b4b9f845ba3b

Download Submit
C:\PerfLogs\backup.exe

Filesize
168KB

MD5
b1470659da5e32535b2010e8c3d3d675

SHA1
8336ac378b73c856d6fd74aa66ad54173c6ae319

SHA256
e02726320e929693b8a0da1aea83e0800ce9f3f786df907783946ce00b4a3857

SHA512
cf42707c39e32fe94aa0fafb830805c83f65cfa6786a49bea4651f598330624a391f58ffa11626287c043ca0772b6b9796c10a4fc739dba85e5f6ad7d78becc2

Download Submit
C:\PerfLogs\backup.exe

Filesize
168KB

MD5
b1470659da5e32535b2010e8c3d3d675

SHA1
8336ac378b73c856d6fd74aa66ad54173c6ae319

SHA256
e02726320e929693b8a0da1aea83e0800ce9f3f786df907783946ce00b4a3857

SHA512
cf42707c39e32fe94aa0fafb830805c83f65cfa6786a49bea4651f598330624a391f58ffa11626287c043ca0772b6b9796c10a4fc739dba85e5f6ad7d78becc2

Download Submit
C:\Program Files (x86)\backup.exe

Filesize
168KB

MD5
cd2f29d62a477f482c30dc76537e98c6

SHA1
65d821c601fbd0618ecb53d4e64f2208e148bbfd

SHA256
2f0c6cb6c85effb585b8cd00c37438b2e9105be022695c6a503202706e52adc1

SHA512
899ebdf5e920543f6b9e6c23d0137fabe9be4fa1b1e36fd7df30868d092f6181a987e24e1e4bc9247ea45a0d7a8fc3be99a637042719d25b7379f5422785ce52

Download Submit
C:\Program Files (x86)\backup.exe

Filesize
168KB

MD5
cd2f29d62a477f482c30dc76537e98c6

SHA1
65d821c601fbd0618ecb53d4e64f2208e148bbfd

SHA256
2f0c6cb6c85effb585b8cd00c37438b2e9105be022695c6a503202706e52adc1

SHA512
899ebdf5e920543f6b9e6c23d0137fabe9be4fa1b1e36fd7df30868d092f6181a987e24e1e4bc9247ea45a0d7a8fc3be99a637042719d25b7379f5422785ce52

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
168KB

MD5
dcefa97404f682b15898ca2061f68096

SHA1
d45cec1cb60c237b75b76ab15c8405ae5d248fec

SHA256
d794bd65b055102edb1ca4401ed7dd0e3785d6e9d2bf6e09027a5b5b4c913c52

SHA512
d299a8e36ff3f2af4732db6c9c679d8f201c20613af7bb02eeb5bbb9a4a5a4dbaf35360bd5a9a9efaad2565dd3ca5f35e3f3aca9cfa8914b64e34e4da3ef8508

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
168KB

MD5
5399d6e056d8003a6d9db47a83853d2c

SHA1
e248f3d4178b52e7a0cf2bf846e4f9945d264f05

SHA256
2564f576cd6e232ca3b6436cfbd88a2f325b1757a81958da3c2738e550f0feb7

SHA512
9a58c1c9b20549cf452d102494b3f78f3d5be26d9658e287b31e98469c781e3ba344a8a20805903c9602c18d748bae4381d0597f6520d9853875a5774348ff92

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
168KB

MD5
5399d6e056d8003a6d9db47a83853d2c

SHA1
e248f3d4178b52e7a0cf2bf846e4f9945d264f05

SHA256
2564f576cd6e232ca3b6436cfbd88a2f325b1757a81958da3c2738e550f0feb7

SHA512
9a58c1c9b20549cf452d102494b3f78f3d5be26d9658e287b31e98469c781e3ba344a8a20805903c9602c18d748bae4381d0597f6520d9853875a5774348ff92

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
168KB

MD5
af3991f020c4cf60a4fcb7320e984a4b

SHA1
4e13b7f90ccf9bcbf92f5725bb0ca099de060953

SHA256
8e99d934ee7db5eef2b255c47f33cbffbf5b9783a773faa4bd79aa28a1dd769c

SHA512
55cc63c42b4a7d7294d281fd02af4c4ab4048e436a9905d99559b0336429279bed50aaef78926309401fc200f739c8f434867001e593af5925db3a35c01daaa3

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
168KB

MD5
af3991f020c4cf60a4fcb7320e984a4b

SHA1
4e13b7f90ccf9bcbf92f5725bb0ca099de060953

SHA256
8e99d934ee7db5eef2b255c47f33cbffbf5b9783a773faa4bd79aa28a1dd769c

SHA512
55cc63c42b4a7d7294d281fd02af4c4ab4048e436a9905d99559b0336429279bed50aaef78926309401fc200f739c8f434867001e593af5925db3a35c01daaa3

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
168KB

MD5
5399d6e056d8003a6d9db47a83853d2c

SHA1
e248f3d4178b52e7a0cf2bf846e4f9945d264f05

SHA256
2564f576cd6e232ca3b6436cfbd88a2f325b1757a81958da3c2738e550f0feb7

SHA512
9a58c1c9b20549cf452d102494b3f78f3d5be26d9658e287b31e98469c781e3ba344a8a20805903c9602c18d748bae4381d0597f6520d9853875a5774348ff92

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
168KB

MD5
5399d6e056d8003a6d9db47a83853d2c

SHA1
e248f3d4178b52e7a0cf2bf846e4f9945d264f05

SHA256
2564f576cd6e232ca3b6436cfbd88a2f325b1757a81958da3c2738e550f0feb7

SHA512
9a58c1c9b20549cf452d102494b3f78f3d5be26d9658e287b31e98469c781e3ba344a8a20805903c9602c18d748bae4381d0597f6520d9853875a5774348ff92

Download Submit
C:\Program Files\DVD Maker\backup.exe

Filesize
168KB

MD5
875f70b214f94ef79ce51e8eb48e7857

SHA1
976fbed32520696cc46c0c1cfe072b63ede54eb4

SHA256
880e00c16878a2631a40743d2cafff32eb9fff19a11b8dd27c6ea6584cd9e973

SHA512
a341c63a37d7e43c769a496162ad50688d1d6fc336bef1bd20ca7c47ca8dbb0589da8ce567746a58fc1f443e975fa71b3cb8e6ded58097f9e47b8a5548819fa5

Download Submit
C:\Program Files\DVD Maker\backup.exe

Filesize
168KB

MD5
875f70b214f94ef79ce51e8eb48e7857

SHA1
976fbed32520696cc46c0c1cfe072b63ede54eb4

SHA256
880e00c16878a2631a40743d2cafff32eb9fff19a11b8dd27c6ea6584cd9e973

SHA512
a341c63a37d7e43c769a496162ad50688d1d6fc336bef1bd20ca7c47ca8dbb0589da8ce567746a58fc1f443e975fa71b3cb8e6ded58097f9e47b8a5548819fa5

Download Submit
C:\Program Files\backup.exe

Filesize
168KB

MD5
92dc3e820825a5d55fea16b8abc79eb7

SHA1
d4fa42a23ce88dc70b0642e3ccb3f49a54109034

SHA256
ae53c977706e84ce0144f6041faf0a4e5933a87999b02295209dc22b90321403

SHA512
422312201a35ff07c3cd96c6c27f32df197e7c102d0a20acbb4892ab9dcfa620376609ea793ccbf49ce903a13806c589e20e5bb056043fcbc0a90481600b62c4

Download Submit
C:\Program Files\backup.exe

Filesize
168KB

MD5
92dc3e820825a5d55fea16b8abc79eb7

SHA1
d4fa42a23ce88dc70b0642e3ccb3f49a54109034

SHA256
ae53c977706e84ce0144f6041faf0a4e5933a87999b02295209dc22b90321403

SHA512
422312201a35ff07c3cd96c6c27f32df197e7c102d0a20acbb4892ab9dcfa620376609ea793ccbf49ce903a13806c589e20e5bb056043fcbc0a90481600b62c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\2341099562\backup.exe

Filesize
168KB

MD5
068c5b5ba55236faef5788365a931b79

SHA1
5c432b6833938a69b40d1071ef5331ec641efabb

SHA256
9a47341f50300d5ad38545dc91bad6360dde1c5001c2e048d20386d68ff16160

SHA512
2b8ff6b7073b03d74e798ad69f466615968ce38d86427fd64c07978b008bc87dcd97eae01a4cb4b6f301186467b990e5d8e8cec5bcefafaf3f03960c156b9664

Download Submit
C:\Users\Admin\AppData\Local\Temp\2341099562\backup.exe

Filesize
168KB

MD5
068c5b5ba55236faef5788365a931b79

SHA1
5c432b6833938a69b40d1071ef5331ec641efabb

SHA256
9a47341f50300d5ad38545dc91bad6360dde1c5001c2e048d20386d68ff16160

SHA512
2b8ff6b7073b03d74e798ad69f466615968ce38d86427fd64c07978b008bc87dcd97eae01a4cb4b6f301186467b990e5d8e8cec5bcefafaf3f03960c156b9664

Download Submit
C:\Users\Admin\AppData\Local\Temp\2341099562\backup.exe

Filesize
168KB

MD5
068c5b5ba55236faef5788365a931b79

SHA1
5c432b6833938a69b40d1071ef5331ec641efabb

SHA256
9a47341f50300d5ad38545dc91bad6360dde1c5001c2e048d20386d68ff16160

SHA512
2b8ff6b7073b03d74e798ad69f466615968ce38d86427fd64c07978b008bc87dcd97eae01a4cb4b6f301186467b990e5d8e8cec5bcefafaf3f03960c156b9664

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
168KB

MD5
068c5b5ba55236faef5788365a931b79

SHA1
5c432b6833938a69b40d1071ef5331ec641efabb

SHA256
9a47341f50300d5ad38545dc91bad6360dde1c5001c2e048d20386d68ff16160

SHA512
2b8ff6b7073b03d74e798ad69f466615968ce38d86427fd64c07978b008bc87dcd97eae01a4cb4b6f301186467b990e5d8e8cec5bcefafaf3f03960c156b9664

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
168KB

MD5
ba8a6fb1d87163cca6755e97156f8218

SHA1
95a71ad636c0617c2b05c78024704f5cc1c7c444

SHA256
078253ccb03e29e67735d066ce787e5132c88acd315061cf8c152ee2a28f6654

SHA512
e19b906694f321b22d531bf741f02d9d68485bd9d2931a9eb5e6599f1b257880bdcc7d1f4e06d0fc347ba149443775ce642fa0a2b163aeaf0c5cb610115dd7cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
168KB

MD5
ba8a6fb1d87163cca6755e97156f8218

SHA1
95a71ad636c0617c2b05c78024704f5cc1c7c444

SHA256
078253ccb03e29e67735d066ce787e5132c88acd315061cf8c152ee2a28f6654

SHA512
e19b906694f321b22d531bf741f02d9d68485bd9d2931a9eb5e6599f1b257880bdcc7d1f4e06d0fc347ba149443775ce642fa0a2b163aeaf0c5cb610115dd7cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
168KB

MD5
ba8a6fb1d87163cca6755e97156f8218

SHA1
95a71ad636c0617c2b05c78024704f5cc1c7c444

SHA256
078253ccb03e29e67735d066ce787e5132c88acd315061cf8c152ee2a28f6654

SHA512
e19b906694f321b22d531bf741f02d9d68485bd9d2931a9eb5e6599f1b257880bdcc7d1f4e06d0fc347ba149443775ce642fa0a2b163aeaf0c5cb610115dd7cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
168KB

MD5
068c5b5ba55236faef5788365a931b79

SHA1
5c432b6833938a69b40d1071ef5331ec641efabb

SHA256
9a47341f50300d5ad38545dc91bad6360dde1c5001c2e048d20386d68ff16160

SHA512
2b8ff6b7073b03d74e798ad69f466615968ce38d86427fd64c07978b008bc87dcd97eae01a4cb4b6f301186467b990e5d8e8cec5bcefafaf3f03960c156b9664

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
168KB

MD5
ba8a6fb1d87163cca6755e97156f8218

SHA1
95a71ad636c0617c2b05c78024704f5cc1c7c444

SHA256
078253ccb03e29e67735d066ce787e5132c88acd315061cf8c152ee2a28f6654

SHA512
e19b906694f321b22d531bf741f02d9d68485bd9d2931a9eb5e6599f1b257880bdcc7d1f4e06d0fc347ba149443775ce642fa0a2b163aeaf0c5cb610115dd7cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.zip

Filesize
48KB

MD5
70d7b2ff01183285202fea107cf8a40f

SHA1
2397f59d8d579b44909487a3bebf3eaa54e275e6

SHA256
f5d40a23575ca96b3e6554f0e6e9cdda4ab6c544488d4c69b951f880cc859199

SHA512
71c5368e116c3827b9a1c626fdae6669aac51bcb2e7b489144976a239b06a5ca64f59d9d358dafb912a61931e84322f48a47a39906200bf7fc4817b65b70ca12

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.zip

Filesize
22B

MD5
76cdb2bad9582d23c1f6f4d868218d6c

SHA1
b04f3ee8f5e43fa3b162981b50bb72fe1acabb33

SHA256
8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85

SHA512
5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

Download Submit
C:\backup.exe

Filesize
168KB

MD5
dbb2db9941f298af419e63e40403c673

SHA1
5f825dfe909ed0e2fe8071d7345532450cf98047

SHA256
49ade2f8dfb976b3113d8e6e38900f4c846663942912b2ab0e4b0bb0cb617693

SHA512
06e26c952c3c29b175d12bb0f56895faf139e8ca21da3503d2baaae8a23eb139d5c5ad4325a1e8ba4c4b1dcad6b7c738d16a30f9e7dd3a9684b40417a8342f7d

Download Submit
C:\backup.exe

Filesize
168KB

MD5
dbb2db9941f298af419e63e40403c673

SHA1
5f825dfe909ed0e2fe8071d7345532450cf98047

SHA256
49ade2f8dfb976b3113d8e6e38900f4c846663942912b2ab0e4b0bb0cb617693

SHA512
06e26c952c3c29b175d12bb0f56895faf139e8ca21da3503d2baaae8a23eb139d5c5ad4325a1e8ba4c4b1dcad6b7c738d16a30f9e7dd3a9684b40417a8342f7d

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
168KB

MD5
9daf7d621aad7bddbdf1c55cd85fd0f6

SHA1
fc9c20996c031a4ff85cd22d2812f2aa28f38cee

SHA256
234ac3bc1973b8d86e7dc6f187acad8b052434349e0aed925a1cee2e4afeffd1

SHA512
05987776c83f3e9f03451ed5f16c6f8a001721eeab2f55ed95907d2820ddfa19289179f48e20daa37f9daf3340bd5cc5de905087d4cfafef32c1b4b9f845ba3b

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
168KB

MD5
9daf7d621aad7bddbdf1c55cd85fd0f6

SHA1
fc9c20996c031a4ff85cd22d2812f2aa28f38cee

SHA256
234ac3bc1973b8d86e7dc6f187acad8b052434349e0aed925a1cee2e4afeffd1

SHA512
05987776c83f3e9f03451ed5f16c6f8a001721eeab2f55ed95907d2820ddfa19289179f48e20daa37f9daf3340bd5cc5de905087d4cfafef32c1b4b9f845ba3b

Download Submit
\PerfLogs\backup.exe

Filesize
168KB

MD5
b1470659da5e32535b2010e8c3d3d675

SHA1
8336ac378b73c856d6fd74aa66ad54173c6ae319

SHA256
e02726320e929693b8a0da1aea83e0800ce9f3f786df907783946ce00b4a3857

SHA512
cf42707c39e32fe94aa0fafb830805c83f65cfa6786a49bea4651f598330624a391f58ffa11626287c043ca0772b6b9796c10a4fc739dba85e5f6ad7d78becc2

Download Submit
\PerfLogs\backup.exe

Filesize
168KB

MD5
b1470659da5e32535b2010e8c3d3d675

SHA1
8336ac378b73c856d6fd74aa66ad54173c6ae319

SHA256
e02726320e929693b8a0da1aea83e0800ce9f3f786df907783946ce00b4a3857

SHA512
cf42707c39e32fe94aa0fafb830805c83f65cfa6786a49bea4651f598330624a391f58ffa11626287c043ca0772b6b9796c10a4fc739dba85e5f6ad7d78becc2

Download Submit
\Program Files (x86)\Adobe\backup.exe

Filesize
168KB

MD5
3b18ac28d75e906ee83ba390b0f535e1

SHA1
fb644fba703ef9536d412c768ae0ab3ea5ef3b44

SHA256
ba3f89655a2b983f50343906ffa8fbc91863fc8f4cbf956296c85f167f1b2e93

SHA512
dd540b5c9ddf0e9284205c1712fd9f4ec59a18a6e838e1b4b8f117b82294e1fa21a025d769d76a4fae6527b12c677b6e137f480644ab5a54835aac5806866cc7

Download Submit
\Program Files (x86)\Adobe\backup.exe

Filesize
168KB

MD5
3b18ac28d75e906ee83ba390b0f535e1

SHA1
fb644fba703ef9536d412c768ae0ab3ea5ef3b44

SHA256
ba3f89655a2b983f50343906ffa8fbc91863fc8f4cbf956296c85f167f1b2e93

SHA512
dd540b5c9ddf0e9284205c1712fd9f4ec59a18a6e838e1b4b8f117b82294e1fa21a025d769d76a4fae6527b12c677b6e137f480644ab5a54835aac5806866cc7

Download Submit
\Program Files (x86)\backup.exe

Filesize
168KB

MD5
cd2f29d62a477f482c30dc76537e98c6

SHA1
65d821c601fbd0618ecb53d4e64f2208e148bbfd

SHA256
2f0c6cb6c85effb585b8cd00c37438b2e9105be022695c6a503202706e52adc1

SHA512
899ebdf5e920543f6b9e6c23d0137fabe9be4fa1b1e36fd7df30868d092f6181a987e24e1e4bc9247ea45a0d7a8fc3be99a637042719d25b7379f5422785ce52

Download Submit
\Program Files (x86)\backup.exe

Filesize
168KB

MD5
cd2f29d62a477f482c30dc76537e98c6

SHA1
65d821c601fbd0618ecb53d4e64f2208e148bbfd

SHA256
2f0c6cb6c85effb585b8cd00c37438b2e9105be022695c6a503202706e52adc1

SHA512
899ebdf5e920543f6b9e6c23d0137fabe9be4fa1b1e36fd7df30868d092f6181a987e24e1e4bc9247ea45a0d7a8fc3be99a637042719d25b7379f5422785ce52

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
168KB

MD5
dcefa97404f682b15898ca2061f68096

SHA1
d45cec1cb60c237b75b76ab15c8405ae5d248fec

SHA256
d794bd65b055102edb1ca4401ed7dd0e3785d6e9d2bf6e09027a5b5b4c913c52

SHA512
d299a8e36ff3f2af4732db6c9c679d8f201c20613af7bb02eeb5bbb9a4a5a4dbaf35360bd5a9a9efaad2565dd3ca5f35e3f3aca9cfa8914b64e34e4da3ef8508

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
168KB

MD5
dcefa97404f682b15898ca2061f68096

SHA1
d45cec1cb60c237b75b76ab15c8405ae5d248fec

SHA256
d794bd65b055102edb1ca4401ed7dd0e3785d6e9d2bf6e09027a5b5b4c913c52

SHA512
d299a8e36ff3f2af4732db6c9c679d8f201c20613af7bb02eeb5bbb9a4a5a4dbaf35360bd5a9a9efaad2565dd3ca5f35e3f3aca9cfa8914b64e34e4da3ef8508

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
168KB

MD5
5399d6e056d8003a6d9db47a83853d2c

SHA1
e248f3d4178b52e7a0cf2bf846e4f9945d264f05

SHA256
2564f576cd6e232ca3b6436cfbd88a2f325b1757a81958da3c2738e550f0feb7

SHA512
9a58c1c9b20549cf452d102494b3f78f3d5be26d9658e287b31e98469c781e3ba344a8a20805903c9602c18d748bae4381d0597f6520d9853875a5774348ff92

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
168KB

MD5
5399d6e056d8003a6d9db47a83853d2c

SHA1
e248f3d4178b52e7a0cf2bf846e4f9945d264f05

SHA256
2564f576cd6e232ca3b6436cfbd88a2f325b1757a81958da3c2738e550f0feb7

SHA512
9a58c1c9b20549cf452d102494b3f78f3d5be26d9658e287b31e98469c781e3ba344a8a20805903c9602c18d748bae4381d0597f6520d9853875a5774348ff92

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
168KB

MD5
fe01cb467849ffde671a510598ecdabe

SHA1
56e2d31d9debe73b3e44429825c2e1f1658057c8

SHA256
c7f2cd08809645a49f27728464eb3943dbf922f4e5789470805ef207ac7cc831

SHA512
0ab1d863f795367c0b47d479a10eecf0f03cd7ddfbe7bc0e88a1e032d26dd2ec4ebed52e719ea8cebb062f007093734d944e92a9a0c07aa36522cc5786ea0f34

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
168KB

MD5
fe01cb467849ffde671a510598ecdabe

SHA1
56e2d31d9debe73b3e44429825c2e1f1658057c8

SHA256
c7f2cd08809645a49f27728464eb3943dbf922f4e5789470805ef207ac7cc831

SHA512
0ab1d863f795367c0b47d479a10eecf0f03cd7ddfbe7bc0e88a1e032d26dd2ec4ebed52e719ea8cebb062f007093734d944e92a9a0c07aa36522cc5786ea0f34

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
168KB

MD5
af3991f020c4cf60a4fcb7320e984a4b

SHA1
4e13b7f90ccf9bcbf92f5725bb0ca099de060953

SHA256
8e99d934ee7db5eef2b255c47f33cbffbf5b9783a773faa4bd79aa28a1dd769c

SHA512
55cc63c42b4a7d7294d281fd02af4c4ab4048e436a9905d99559b0336429279bed50aaef78926309401fc200f739c8f434867001e593af5925db3a35c01daaa3

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
168KB

MD5
af3991f020c4cf60a4fcb7320e984a4b

SHA1
4e13b7f90ccf9bcbf92f5725bb0ca099de060953

SHA256
8e99d934ee7db5eef2b255c47f33cbffbf5b9783a773faa4bd79aa28a1dd769c

SHA512
55cc63c42b4a7d7294d281fd02af4c4ab4048e436a9905d99559b0336429279bed50aaef78926309401fc200f739c8f434867001e593af5925db3a35c01daaa3

Download Submit
\Program Files\Common Files\backup.exe

Filesize
168KB

MD5
5399d6e056d8003a6d9db47a83853d2c

SHA1
e248f3d4178b52e7a0cf2bf846e4f9945d264f05

SHA256
2564f576cd6e232ca3b6436cfbd88a2f325b1757a81958da3c2738e550f0feb7

SHA512
9a58c1c9b20549cf452d102494b3f78f3d5be26d9658e287b31e98469c781e3ba344a8a20805903c9602c18d748bae4381d0597f6520d9853875a5774348ff92

Download Submit
\Program Files\Common Files\backup.exe

Filesize
168KB

MD5
5399d6e056d8003a6d9db47a83853d2c

SHA1
e248f3d4178b52e7a0cf2bf846e4f9945d264f05

SHA256
2564f576cd6e232ca3b6436cfbd88a2f325b1757a81958da3c2738e550f0feb7

SHA512
9a58c1c9b20549cf452d102494b3f78f3d5be26d9658e287b31e98469c781e3ba344a8a20805903c9602c18d748bae4381d0597f6520d9853875a5774348ff92

Download Submit
\Program Files\DVD Maker\backup.exe

Filesize
168KB

MD5
875f70b214f94ef79ce51e8eb48e7857

SHA1
976fbed32520696cc46c0c1cfe072b63ede54eb4

SHA256
880e00c16878a2631a40743d2cafff32eb9fff19a11b8dd27c6ea6584cd9e973

SHA512
a341c63a37d7e43c769a496162ad50688d1d6fc336bef1bd20ca7c47ca8dbb0589da8ce567746a58fc1f443e975fa71b3cb8e6ded58097f9e47b8a5548819fa5

Download Submit
\Program Files\DVD Maker\backup.exe

Filesize
168KB

MD5
875f70b214f94ef79ce51e8eb48e7857

SHA1
976fbed32520696cc46c0c1cfe072b63ede54eb4

SHA256
880e00c16878a2631a40743d2cafff32eb9fff19a11b8dd27c6ea6584cd9e973

SHA512
a341c63a37d7e43c769a496162ad50688d1d6fc336bef1bd20ca7c47ca8dbb0589da8ce567746a58fc1f443e975fa71b3cb8e6ded58097f9e47b8a5548819fa5

Download Submit
\Program Files\DVD Maker\de-DE\backup.exe

Filesize
168KB

MD5
83618d9f1bde3f939d264327a119b742

SHA1
0e41fbcd08e7eba61705d2889235aac30545fdae

SHA256
d7d1ea0242f2777d97e94fdd137006f16096dc0e0b81a861ea27fc6f48a0f1c4

SHA512
0c92ce7050927671ba3e605b44eb41c70261ac41d9b764d1fcb5c800e775c75920cf754fd707478c464a548aed2b1f34ccf1d258e54f45a58fef0f5a0cc45a62

Download Submit
\Program Files\DVD Maker\de-DE\backup.exe

Filesize
168KB

MD5
83618d9f1bde3f939d264327a119b742

SHA1
0e41fbcd08e7eba61705d2889235aac30545fdae

SHA256
d7d1ea0242f2777d97e94fdd137006f16096dc0e0b81a861ea27fc6f48a0f1c4

SHA512
0c92ce7050927671ba3e605b44eb41c70261ac41d9b764d1fcb5c800e775c75920cf754fd707478c464a548aed2b1f34ccf1d258e54f45a58fef0f5a0cc45a62

Download Submit
\Program Files\backup.exe

Filesize
168KB

MD5
92dc3e820825a5d55fea16b8abc79eb7

SHA1
d4fa42a23ce88dc70b0642e3ccb3f49a54109034

SHA256
ae53c977706e84ce0144f6041faf0a4e5933a87999b02295209dc22b90321403

SHA512
422312201a35ff07c3cd96c6c27f32df197e7c102d0a20acbb4892ab9dcfa620376609ea793ccbf49ce903a13806c589e20e5bb056043fcbc0a90481600b62c4

Download Submit
\Program Files\backup.exe

Filesize
168KB

MD5
92dc3e820825a5d55fea16b8abc79eb7

SHA1
d4fa42a23ce88dc70b0642e3ccb3f49a54109034

SHA256
ae53c977706e84ce0144f6041faf0a4e5933a87999b02295209dc22b90321403

SHA512
422312201a35ff07c3cd96c6c27f32df197e7c102d0a20acbb4892ab9dcfa620376609ea793ccbf49ce903a13806c589e20e5bb056043fcbc0a90481600b62c4

Download Submit
\Users\Admin\AppData\Local\Temp\2341099562\backup.exe

Filesize
168KB

MD5
068c5b5ba55236faef5788365a931b79

SHA1
5c432b6833938a69b40d1071ef5331ec641efabb

SHA256
9a47341f50300d5ad38545dc91bad6360dde1c5001c2e048d20386d68ff16160

SHA512
2b8ff6b7073b03d74e798ad69f466615968ce38d86427fd64c07978b008bc87dcd97eae01a4cb4b6f301186467b990e5d8e8cec5bcefafaf3f03960c156b9664

Download Submit
\Users\Admin\AppData\Local\Temp\2341099562\backup.exe

Filesize
168KB

MD5
068c5b5ba55236faef5788365a931b79

SHA1
5c432b6833938a69b40d1071ef5331ec641efabb

SHA256
9a47341f50300d5ad38545dc91bad6360dde1c5001c2e048d20386d68ff16160

SHA512
2b8ff6b7073b03d74e798ad69f466615968ce38d86427fd64c07978b008bc87dcd97eae01a4cb4b6f301186467b990e5d8e8cec5bcefafaf3f03960c156b9664

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
168KB

MD5
068c5b5ba55236faef5788365a931b79

SHA1
5c432b6833938a69b40d1071ef5331ec641efabb

SHA256
9a47341f50300d5ad38545dc91bad6360dde1c5001c2e048d20386d68ff16160

SHA512
2b8ff6b7073b03d74e798ad69f466615968ce38d86427fd64c07978b008bc87dcd97eae01a4cb4b6f301186467b990e5d8e8cec5bcefafaf3f03960c156b9664

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
168KB

MD5
068c5b5ba55236faef5788365a931b79

SHA1
5c432b6833938a69b40d1071ef5331ec641efabb

SHA256
9a47341f50300d5ad38545dc91bad6360dde1c5001c2e048d20386d68ff16160

SHA512
2b8ff6b7073b03d74e798ad69f466615968ce38d86427fd64c07978b008bc87dcd97eae01a4cb4b6f301186467b990e5d8e8cec5bcefafaf3f03960c156b9664

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
168KB

MD5
ba8a6fb1d87163cca6755e97156f8218

SHA1
95a71ad636c0617c2b05c78024704f5cc1c7c444

SHA256
078253ccb03e29e67735d066ce787e5132c88acd315061cf8c152ee2a28f6654

SHA512
e19b906694f321b22d531bf741f02d9d68485bd9d2931a9eb5e6599f1b257880bdcc7d1f4e06d0fc347ba149443775ce642fa0a2b163aeaf0c5cb610115dd7cd

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
168KB

MD5
ba8a6fb1d87163cca6755e97156f8218

SHA1
95a71ad636c0617c2b05c78024704f5cc1c7c444

SHA256
078253ccb03e29e67735d066ce787e5132c88acd315061cf8c152ee2a28f6654

SHA512
e19b906694f321b22d531bf741f02d9d68485bd9d2931a9eb5e6599f1b257880bdcc7d1f4e06d0fc347ba149443775ce642fa0a2b163aeaf0c5cb610115dd7cd

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
168KB

MD5
ba8a6fb1d87163cca6755e97156f8218

SHA1
95a71ad636c0617c2b05c78024704f5cc1c7c444

SHA256
078253ccb03e29e67735d066ce787e5132c88acd315061cf8c152ee2a28f6654

SHA512
e19b906694f321b22d531bf741f02d9d68485bd9d2931a9eb5e6599f1b257880bdcc7d1f4e06d0fc347ba149443775ce642fa0a2b163aeaf0c5cb610115dd7cd

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
168KB

MD5
ba8a6fb1d87163cca6755e97156f8218

SHA1
95a71ad636c0617c2b05c78024704f5cc1c7c444

SHA256
078253ccb03e29e67735d066ce787e5132c88acd315061cf8c152ee2a28f6654

SHA512
e19b906694f321b22d531bf741f02d9d68485bd9d2931a9eb5e6599f1b257880bdcc7d1f4e06d0fc347ba149443775ce642fa0a2b163aeaf0c5cb610115dd7cd

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
168KB

MD5
ba8a6fb1d87163cca6755e97156f8218

SHA1
95a71ad636c0617c2b05c78024704f5cc1c7c444

SHA256
078253ccb03e29e67735d066ce787e5132c88acd315061cf8c152ee2a28f6654

SHA512
e19b906694f321b22d531bf741f02d9d68485bd9d2931a9eb5e6599f1b257880bdcc7d1f4e06d0fc347ba149443775ce642fa0a2b163aeaf0c5cb610115dd7cd

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
168KB

MD5
ba8a6fb1d87163cca6755e97156f8218

SHA1
95a71ad636c0617c2b05c78024704f5cc1c7c444

SHA256
078253ccb03e29e67735d066ce787e5132c88acd315061cf8c152ee2a28f6654

SHA512
e19b906694f321b22d531bf741f02d9d68485bd9d2931a9eb5e6599f1b257880bdcc7d1f4e06d0fc347ba149443775ce642fa0a2b163aeaf0c5cb610115dd7cd

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
168KB

MD5
068c5b5ba55236faef5788365a931b79

SHA1
5c432b6833938a69b40d1071ef5331ec641efabb

SHA256
9a47341f50300d5ad38545dc91bad6360dde1c5001c2e048d20386d68ff16160

SHA512
2b8ff6b7073b03d74e798ad69f466615968ce38d86427fd64c07978b008bc87dcd97eae01a4cb4b6f301186467b990e5d8e8cec5bcefafaf3f03960c156b9664

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
168KB

MD5
068c5b5ba55236faef5788365a931b79

SHA1
5c432b6833938a69b40d1071ef5331ec641efabb

SHA256
9a47341f50300d5ad38545dc91bad6360dde1c5001c2e048d20386d68ff16160

SHA512
2b8ff6b7073b03d74e798ad69f466615968ce38d86427fd64c07978b008bc87dcd97eae01a4cb4b6f301186467b990e5d8e8cec5bcefafaf3f03960c156b9664

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
168KB

MD5
ba8a6fb1d87163cca6755e97156f8218

SHA1
95a71ad636c0617c2b05c78024704f5cc1c7c444

SHA256
078253ccb03e29e67735d066ce787e5132c88acd315061cf8c152ee2a28f6654

SHA512
e19b906694f321b22d531bf741f02d9d68485bd9d2931a9eb5e6599f1b257880bdcc7d1f4e06d0fc347ba149443775ce642fa0a2b163aeaf0c5cb610115dd7cd

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
168KB

MD5
ba8a6fb1d87163cca6755e97156f8218

SHA1
95a71ad636c0617c2b05c78024704f5cc1c7c444

SHA256
078253ccb03e29e67735d066ce787e5132c88acd315061cf8c152ee2a28f6654

SHA512
e19b906694f321b22d531bf741f02d9d68485bd9d2931a9eb5e6599f1b257880bdcc7d1f4e06d0fc347ba149443775ce642fa0a2b163aeaf0c5cb610115dd7cd

Download Submit
memory/580-186-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/580-184-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/764-13-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/764-175-0x0000000000430000-0x000000000045A000-memory.dmp

Filesize
168KB

Download
memory/764-70-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/764-100-0x0000000000430000-0x000000000045A000-memory.dmp

Filesize
168KB

Download
memory/764-98-0x0000000000430000-0x000000000045A000-memory.dmp

Filesize
168KB

Download
memory/828-328-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/868-239-0x00000000003C0000-0x00000000003EA000-memory.dmp

Filesize
168KB

Download
memory/868-116-0x00000000003C0000-0x00000000003EA000-memory.dmp

Filesize
168KB

Download
memory/868-99-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/868-145-0x00000000003C0000-0x00000000003EA000-memory.dmp

Filesize
168KB

Download
memory/868-181-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/868-199-0x00000000003C0000-0x00000000003EA000-memory.dmp

Filesize
168KB

Download
memory/1012-341-0x00000000024B0000-0x00000000024DA000-memory.dmp

Filesize
168KB

Download
memory/1012-320-0x00000000024B0000-0x00000000024DA000-memory.dmp

Filesize
168KB

Download
memory/1104-87-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1240-187-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1252-279-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1420-63-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1468-230-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1692-219-0x0000000000360000-0x000000000038A000-memory.dmp

Filesize
168KB

Download
memory/1692-201-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1692-319-0x0000000000360000-0x000000000038A000-memory.dmp

Filesize
168KB

Download
memory/1828-276-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1920-342-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1920-263-0x0000000000300000-0x000000000032A000-memory.dmp

Filesize
168KB

Download
memory/2072-290-0x00000000003C0000-0x00000000003EA000-memory.dmp

Filesize
168KB

Download
memory/2072-345-0x00000000003C0000-0x00000000003EA000-memory.dmp

Filesize
168KB

Download
memory/2072-268-0x00000000003C0000-0x00000000003EA000-memory.dmp

Filesize
168KB

Download
memory/2072-350-0x00000000003C0000-0x00000000003EA000-memory.dmp

Filesize
168KB

Download
memory/2072-322-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2080-312-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2204-297-0x0000000000390000-0x00000000003BA000-memory.dmp

Filesize
168KB

Download
memory/2204-281-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2328-106-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2328-200-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2456-29-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2472-291-0x0000000000510000-0x000000000053A000-memory.dmp

Filesize
168KB

Download
memory/2664-336-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2752-79-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2784-50-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2916-117-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2916-128-0x00000000002D0000-0x00000000002FA000-memory.dmp

Filesize
168KB

Download
memory/2916-132-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2948-133-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3036-331-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3060-73-0x00000000003D0000-0x00000000003FA000-memory.dmp

Filesize
168KB

Download
memory/3060-143-0x00000000003D0000-0x00000000003FA000-memory.dmp

Filesize
168KB

Download
memory/3060-169-0x00000000003D0000-0x00000000003FA000-memory.dmp

Filesize
168KB

Download
memory/3060-74-0x00000000003D0000-0x00000000003FA000-memory.dmp

Filesize
168KB

Download
memory/3060-228-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3060-53-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3060-157-0x0000000002D10000-0x0000000002D11000-memory.dmp

Filesize
4KB

Download
memory/3060-101-0x00000000003D0000-0x00000000003FA000-memory.dmp

Filesize
168KB

Download
memory/3060-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3060-58-0x00000000003D0000-0x00000000003FA000-memory.dmp

Filesize
168KB

Download
memory/3060-211-0x0000000002D10000-0x0000000002D11000-memory.dmp

Filesize
4KB

Download
memory/3060-47-0x00000000003D0000-0x00000000003FA000-memory.dmp

Filesize
168KB

Download
memory/3060-126-0x00000000003D0000-0x00000000003FA000-memory.dmp

Filesize
168KB

Download
memory/3060-45-0x00000000003D0000-0x00000000003FA000-memory.dmp

Filesize
168KB

Download
memory/3060-112-0x00000000003D0000-0x00000000003FA000-memory.dmp

Filesize
168KB

Download
memory/3060-12-0x00000000003D0000-0x00000000003FA000-memory.dmp

Filesize
168KB

Download
memory/3060-114-0x00000000003D0000-0x00000000003FA000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads