ff01b5545fe20fa6de5ce06212a573e90451ddc2f5da8e7a0234285af729b050

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/11/2024, 14:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ff01b5545fe20fa6de5ce06212a573e90451ddc2f5da8e7a0234285af729b050.exe
Size

2.0MB
MD5

e20eb29aa454b5381c11c68d875a6925
SHA1

930c635fbfffa29ff2c58c665a7e3404c932f2e0
SHA256

ff01b5545fe20fa6de5ce06212a573e90451ddc2f5da8e7a0234285af729b050
SHA512

4a491b89a7f186eda3efbfeeaefaa1ced0eeca39c987606648d7a1ae62b1939ddab79f48cd725221a36da948449833f868f1ab2aff992061f884893c3a0b6206
SSDEEP

49152:6EB87SJq3vxVDWRkwaxgtPtIorS0+Um6XyNPTVKejl:6EB81yXautPeorSGTSEex

Score

10^/10

discovery evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 23 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	ff01b5545fe20fa6de5ce06212a573e90451ddc2f5da8e7a0234285af729b050.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 30 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	backup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	backup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	backup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	backup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	backup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	backup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	backup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	update.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	backup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	backup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	update.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	backup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	backup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	backup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	backup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	backup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	backup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	backup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	backup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	backup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ff01b5545fe20fa6de5ce06212a573e90451ddc2f5da8e7a0234285af729b050.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	backup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	backup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	backup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	System Restore.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	backup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	backup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	backup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	backup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	backup.exe

Checks BIOS information in registry 2 TTPs 58 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	backup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	backup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	backup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	backup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	backup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	backup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	backup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	backup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ff01b5545fe20fa6de5ce06212a573e90451ddc2f5da8e7a0234285af729b050.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	backup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	backup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	backup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	backup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	update.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	update.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	backup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	backup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	backup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	backup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	backup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	update.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	backup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	backup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	backup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	backup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	backup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	backup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	backup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	backup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	backup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	System Restore.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	backup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	backup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	backup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	backup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	backup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	backup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	backup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	backup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	backup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	backup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	backup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	backup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	backup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	backup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	backup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	backup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	backup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	backup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	backup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ff01b5545fe20fa6de5ce06212a573e90451ddc2f5da8e7a0234285af729b050.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	backup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	backup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	update.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	backup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	backup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	backup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	System Restore.exe

Executes dropped EXE 30 IoCs

pid	Process
2120	backup.exe
2144	backup.exe
2360	backup.exe
1604	backup.exe
1796	update.exe
1492	backup.exe
1868	backup.exe
580	backup.exe
1004	backup.exe
596	backup.exe
2732	backup.exe
552	backup.exe
3036	backup.exe
992	backup.exe
1376	backup.exe
2068	backup.exe
2568	update.exe
2044	backup.exe
796	backup.exe
2420	backup.exe
2588	System Restore.exe
1632	backup.exe
2636	backup.exe
560	backup.exe
1048	backup.exe
3156	backup.exe
3184	backup.exe
3236	backup.exe
3472	backup.exe
3776	System Restore.exe

Identifies Wine through registry keys 2 TTPs 30 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine	backup.exe
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine	backup.exe
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine	System Restore.exe
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine	backup.exe
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine	backup.exe
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine	ff01b5545fe20fa6de5ce06212a573e90451ddc2f5da8e7a0234285af729b050.exe
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine	backup.exe
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine	backup.exe
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine	update.exe
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine	backup.exe
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine	backup.exe
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine	backup.exe
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine	backup.exe
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine	backup.exe
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine	backup.exe
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine	backup.exe
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine	backup.exe
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine	backup.exe
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine	backup.exe
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine	backup.exe
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine	backup.exe
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine	backup.exe
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine	backup.exe
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine	backup.exe
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine	update.exe
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine	backup.exe
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine	backup.exe
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine	backup.exe
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine	backup.exe
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine	backup.exe

Loads dropped DLL 64 IoCs

pid	Process
2308	ff01b5545fe20fa6de5ce06212a573e90451ddc2f5da8e7a0234285af729b050.exe
2308	ff01b5545fe20fa6de5ce06212a573e90451ddc2f5da8e7a0234285af729b050.exe
2308	ff01b5545fe20fa6de5ce06212a573e90451ddc2f5da8e7a0234285af729b050.exe
2308	ff01b5545fe20fa6de5ce06212a573e90451ddc2f5da8e7a0234285af729b050.exe
2308	ff01b5545fe20fa6de5ce06212a573e90451ddc2f5da8e7a0234285af729b050.exe
2308	ff01b5545fe20fa6de5ce06212a573e90451ddc2f5da8e7a0234285af729b050.exe
2360	backup.exe
1796	update.exe
1796	update.exe
1796	update.exe
2308	ff01b5545fe20fa6de5ce06212a573e90451ddc2f5da8e7a0234285af729b050.exe
2308	ff01b5545fe20fa6de5ce06212a573e90451ddc2f5da8e7a0234285af729b050.exe
1796	update.exe
1796	update.exe
1868	backup.exe
1868	backup.exe
1868	backup.exe
2360	backup.exe
2360	backup.exe
2308	ff01b5545fe20fa6de5ce06212a573e90451ddc2f5da8e7a0234285af729b050.exe
2308	ff01b5545fe20fa6de5ce06212a573e90451ddc2f5da8e7a0234285af729b050.exe
2308	ff01b5545fe20fa6de5ce06212a573e90451ddc2f5da8e7a0234285af729b050.exe
2308	ff01b5545fe20fa6de5ce06212a573e90451ddc2f5da8e7a0234285af729b050.exe
580	backup.exe
580	backup.exe
2732	backup.exe
2308	ff01b5545fe20fa6de5ce06212a573e90451ddc2f5da8e7a0234285af729b050.exe
2732	backup.exe
2308	ff01b5545fe20fa6de5ce06212a573e90451ddc2f5da8e7a0234285af729b050.exe
3036	backup.exe
3036	backup.exe
2360	backup.exe
2360	backup.exe
580	backup.exe
580	backup.exe
1376	backup.exe
2568	update.exe
2568	update.exe
2568	update.exe
2308	ff01b5545fe20fa6de5ce06212a573e90451ddc2f5da8e7a0234285af729b050.exe
2308	ff01b5545fe20fa6de5ce06212a573e90451ddc2f5da8e7a0234285af729b050.exe
2068	backup.exe
2068	backup.exe
2044	backup.exe
2044	backup.exe
2568	update.exe
2568	update.exe
2588	System Restore.exe
2588	System Restore.exe
2588	System Restore.exe
2360	backup.exe
2360	backup.exe
796	backup.exe
796	backup.exe
580	backup.exe
580	backup.exe
1376	backup.exe
1376	backup.exe
2308	ff01b5545fe20fa6de5ce06212a573e90451ddc2f5da8e7a0234285af729b050.exe
2308	ff01b5545fe20fa6de5ce06212a573e90451ddc2f5da8e7a0234285af729b050.exe
2068	backup.exe
2068	backup.exe
2588	System Restore.exe
2588	System Restore.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 27 IoCs

pid	Process
2308	ff01b5545fe20fa6de5ce06212a573e90451ddc2f5da8e7a0234285af729b050.exe
2120	backup.exe
2144	backup.exe
2360	backup.exe
1604	backup.exe
1796	update.exe
1868	backup.exe
1492	backup.exe
1004	backup.exe
580	backup.exe
2732	backup.exe
596	backup.exe
3036	backup.exe
552	backup.exe
1376	backup.exe
992	backup.exe
2068	backup.exe
2568	update.exe
2044	backup.exe
796	backup.exe
2588	System Restore.exe
2420	backup.exe
2636	backup.exe
1632	backup.exe
560	backup.exe
1048	backup.exe
3184	backup.exe

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\System Restore.exe	update.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\Lang\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Services\backup.exe	backup.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System Restore.exe	backup.exe

System Location Discovery: System Language Discovery 1 TTPs 31 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	System Restore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	System Restore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ff01b5545fe20fa6de5ce06212a573e90451ddc2f5da8e7a0234285af729b050.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
2308	ff01b5545fe20fa6de5ce06212a573e90451ddc2f5da8e7a0234285af729b050.exe
2120	backup.exe
2144	backup.exe
2360	backup.exe
1604	backup.exe
1796	update.exe
1868	backup.exe
1492	backup.exe
1004	backup.exe
580	backup.exe
2732	backup.exe
596	backup.exe
3036	backup.exe
552	backup.exe
1376	backup.exe
992	backup.exe
2068	backup.exe
2568	update.exe
2044	backup.exe
796	backup.exe
2588	System Restore.exe
2420	backup.exe
2636	backup.exe
1632	backup.exe
560	backup.exe
560	backup.exe
1048	backup.exe
1048	backup.exe
3184	backup.exe
3184	backup.exe
3156	backup.exe
3156	backup.exe

Suspicious use of SetWindowsHookEx 24 IoCs

pid	Process
2308	ff01b5545fe20fa6de5ce06212a573e90451ddc2f5da8e7a0234285af729b050.exe
2120	backup.exe
2144	backup.exe
2360	backup.exe
1604	backup.exe
1796	update.exe
1868	backup.exe
1492	backup.exe
1004	backup.exe
580	backup.exe
2732	backup.exe
596	backup.exe
3036	backup.exe
552	backup.exe
1376	backup.exe
992	backup.exe
2068	backup.exe
2044	backup.exe
2568	update.exe
796	backup.exe
2588	System Restore.exe
2636	backup.exe
2420	backup.exe
1632	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2308 wrote to memory of 2120	2308	ff01b5545fe20fa6de5ce06212a573e90451ddc2f5da8e7a0234285af729b050.exe	31
PID 2308 wrote to memory of 2120	2308	ff01b5545fe20fa6de5ce06212a573e90451ddc2f5da8e7a0234285af729b050.exe	31
PID 2308 wrote to memory of 2120	2308	ff01b5545fe20fa6de5ce06212a573e90451ddc2f5da8e7a0234285af729b050.exe	31
PID 2308 wrote to memory of 2120	2308	ff01b5545fe20fa6de5ce06212a573e90451ddc2f5da8e7a0234285af729b050.exe	31
PID 2308 wrote to memory of 2144	2308	ff01b5545fe20fa6de5ce06212a573e90451ddc2f5da8e7a0234285af729b050.exe	32
PID 2308 wrote to memory of 2144	2308	ff01b5545fe20fa6de5ce06212a573e90451ddc2f5da8e7a0234285af729b050.exe	32
PID 2308 wrote to memory of 2144	2308	ff01b5545fe20fa6de5ce06212a573e90451ddc2f5da8e7a0234285af729b050.exe	32
PID 2308 wrote to memory of 2144	2308	ff01b5545fe20fa6de5ce06212a573e90451ddc2f5da8e7a0234285af729b050.exe	32
PID 2120 wrote to memory of 2360	2120	backup.exe	33
PID 2120 wrote to memory of 2360	2120	backup.exe	33
PID 2120 wrote to memory of 2360	2120	backup.exe	33
PID 2120 wrote to memory of 2360	2120	backup.exe	33
PID 2308 wrote to memory of 1604	2308	ff01b5545fe20fa6de5ce06212a573e90451ddc2f5da8e7a0234285af729b050.exe	34
PID 2308 wrote to memory of 1604	2308	ff01b5545fe20fa6de5ce06212a573e90451ddc2f5da8e7a0234285af729b050.exe	34
PID 2308 wrote to memory of 1604	2308	ff01b5545fe20fa6de5ce06212a573e90451ddc2f5da8e7a0234285af729b050.exe	34
PID 2308 wrote to memory of 1604	2308	ff01b5545fe20fa6de5ce06212a573e90451ddc2f5da8e7a0234285af729b050.exe	34
PID 2360 wrote to memory of 1796	2360	backup.exe	35
PID 2360 wrote to memory of 1796	2360	backup.exe	35
PID 2360 wrote to memory of 1796	2360	backup.exe	35
PID 2360 wrote to memory of 1796	2360	backup.exe	35
PID 2360 wrote to memory of 1796	2360	backup.exe	35
PID 2360 wrote to memory of 1796	2360	backup.exe	35
PID 2360 wrote to memory of 1796	2360	backup.exe	35
PID 2308 wrote to memory of 1492	2308	ff01b5545fe20fa6de5ce06212a573e90451ddc2f5da8e7a0234285af729b050.exe	36
PID 2308 wrote to memory of 1492	2308	ff01b5545fe20fa6de5ce06212a573e90451ddc2f5da8e7a0234285af729b050.exe	36
PID 2308 wrote to memory of 1492	2308	ff01b5545fe20fa6de5ce06212a573e90451ddc2f5da8e7a0234285af729b050.exe	36
PID 2308 wrote to memory of 1492	2308	ff01b5545fe20fa6de5ce06212a573e90451ddc2f5da8e7a0234285af729b050.exe	36
PID 1796 wrote to memory of 1868	1796	update.exe	37
PID 1796 wrote to memory of 1868	1796	update.exe	37
PID 1796 wrote to memory of 1868	1796	update.exe	37
PID 1796 wrote to memory of 1868	1796	update.exe	37
PID 1796 wrote to memory of 1868	1796	update.exe	37
PID 1796 wrote to memory of 1868	1796	update.exe	37
PID 1796 wrote to memory of 1868	1796	update.exe	37
PID 2360 wrote to memory of 580	2360	backup.exe	38
PID 2360 wrote to memory of 580	2360	backup.exe	38
PID 2360 wrote to memory of 580	2360	backup.exe	38
PID 2360 wrote to memory of 580	2360	backup.exe	38
PID 2308 wrote to memory of 1004	2308	ff01b5545fe20fa6de5ce06212a573e90451ddc2f5da8e7a0234285af729b050.exe	39
PID 2308 wrote to memory of 1004	2308	ff01b5545fe20fa6de5ce06212a573e90451ddc2f5da8e7a0234285af729b050.exe	39
PID 2308 wrote to memory of 1004	2308	ff01b5545fe20fa6de5ce06212a573e90451ddc2f5da8e7a0234285af729b050.exe	39
PID 2308 wrote to memory of 1004	2308	ff01b5545fe20fa6de5ce06212a573e90451ddc2f5da8e7a0234285af729b050.exe	39
PID 2308 wrote to memory of 596	2308	ff01b5545fe20fa6de5ce06212a573e90451ddc2f5da8e7a0234285af729b050.exe	40
PID 2308 wrote to memory of 596	2308	ff01b5545fe20fa6de5ce06212a573e90451ddc2f5da8e7a0234285af729b050.exe	40
PID 2308 wrote to memory of 596	2308	ff01b5545fe20fa6de5ce06212a573e90451ddc2f5da8e7a0234285af729b050.exe	40
PID 2308 wrote to memory of 596	2308	ff01b5545fe20fa6de5ce06212a573e90451ddc2f5da8e7a0234285af729b050.exe	40
PID 580 wrote to memory of 2732	580	backup.exe	41
PID 580 wrote to memory of 2732	580	backup.exe	41
PID 580 wrote to memory of 2732	580	backup.exe	41
PID 580 wrote to memory of 2732	580	backup.exe	41
PID 2732 wrote to memory of 552	2732	backup.exe	42
PID 2732 wrote to memory of 552	2732	backup.exe	42
PID 2732 wrote to memory of 552	2732	backup.exe	42
PID 2732 wrote to memory of 552	2732	backup.exe	42
PID 2308 wrote to memory of 3036	2308	ff01b5545fe20fa6de5ce06212a573e90451ddc2f5da8e7a0234285af729b050.exe	43
PID 2308 wrote to memory of 3036	2308	ff01b5545fe20fa6de5ce06212a573e90451ddc2f5da8e7a0234285af729b050.exe	43
PID 2308 wrote to memory of 3036	2308	ff01b5545fe20fa6de5ce06212a573e90451ddc2f5da8e7a0234285af729b050.exe	43
PID 2308 wrote to memory of 3036	2308	ff01b5545fe20fa6de5ce06212a573e90451ddc2f5da8e7a0234285af729b050.exe	43
PID 3036 wrote to memory of 992	3036	backup.exe	44
PID 3036 wrote to memory of 992	3036	backup.exe	44
PID 3036 wrote to memory of 992	3036	backup.exe	44
PID 3036 wrote to memory of 992	3036	backup.exe	44
PID 2360 wrote to memory of 1376	2360	backup.exe	45
PID 2360 wrote to memory of 1376	2360	backup.exe	45

System policy modification 1 TTPs 46 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	ff01b5545fe20fa6de5ce06212a573e90451ddc2f5da8e7a0234285af729b050.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	ff01b5545fe20fa6de5ce06212a573e90451ddc2f5da8e7a0234285af729b050.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe

C:\Users\Admin\AppData\Local\Temp\ff01b5545fe20fa6de5ce06212a573e90451ddc2f5da8e7a0234285af729b050.exe
"C:\Users\Admin\AppData\Local\Temp\ff01b5545fe20fa6de5ce06212a573e90451ddc2f5da8e7a0234285af729b050.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2308
- C:\Users\Admin\AppData\Local\Temp\3746781529\backup.exe
  C:\Users\Admin\AppData\Local\Temp\3746781529\backup.exe C:\Users\Admin\AppData\Local\Temp\3746781529\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2120
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2360
  - - C:\PerfLogs\update.exe
      C:\PerfLogs\update.exe C:\PerfLogs\
      4⤵
      Modifies visibility of file extensions in Explorer
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Loads dropped DLL
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1796
    - - C:\PerfLogs\Admin\backup.exe
        
        C:\PerfLogs\Admin\backup.exe C:\PerfLogs\Admin\
        5⤵
        Modifies visibility of file extensions in Explorer
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1868
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Modifies visibility of file extensions in Explorer
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Loads dropped DLL
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:580
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Modifies visibility of file extensions in Explorer
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2732
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Modifies visibility of file extensions in Explorer
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:552
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2068
      - C:\Program Files\Common Files\Microsoft Shared\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\backup.exe" C:\Program Files\Common Files\Microsoft Shared\
        6⤵
        Modifies visibility of file extensions in Explorer
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:796
        
        C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
        7⤵
        Modifies visibility of file extensions in Explorer
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2636
        
        C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
        7⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Executes dropped EXE
        Identifies Wine through registry keys
        System Location Discovery: System Language Discovery
        
        PID:3472
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
        8⤵
        
        PID:2056
        
        C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
        8⤵
        
        PID:4908
        
        C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
        8⤵
        
        PID:5848
        
        C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
        8⤵
        
        PID:6856
        
        C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
        8⤵
        
        PID:8220
        
        C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
        8⤵
        
        PID:648
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
        7⤵
        
        PID:3860
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\
        8⤵
        
        PID:4712
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\
        8⤵
        
        PID:3532
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\
        8⤵
        
        PID:6524
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\
        8⤵
        
        PID:8736
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\data.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\
        8⤵
        
        PID:9040
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\
        8⤵
        
        PID:10680
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
        7⤵
        
        PID:4744
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\
        8⤵
        
        PID:8140
        
        C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
        7⤵
        
        PID:5820
        
        C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\
        7⤵
        
        PID:6256
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\
        7⤵
        
        PID:7824
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\
        7⤵
        
        PID:8852
        
        C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VC\
        7⤵
        
        PID:6228
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3184
      - C:\Program Files\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\backup.exe" C:\Program Files\Common Files\SpeechEngines\
        6⤵
        
        PID:3728
        
        C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files\Common Files\SpeechEngines\Microsoft\
        7⤵
        
        PID:5764
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        
        PID:4584
        
        C:\Program Files\Common Files\System\ado\backup.exe
        
        "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        
        PID:8408
        
        C:\Program Files\Common Files\System\de-DE\update.exe
        
        "C:\Program Files\Common Files\System\de-DE\update.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        
        PID:2500
    - - C:\Program Files\DVD Maker\backup.exe
        
        "C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:560
      - C:\Program Files\DVD Maker\de-DE\backup.exe
        
        "C:\Program Files\DVD Maker\de-DE\backup.exe" C:\Program Files\DVD Maker\de-DE\
        6⤵
        
        PID:3968
      - C:\Program Files\DVD Maker\en-US\backup.exe
        
        "C:\Program Files\DVD Maker\en-US\backup.exe" C:\Program Files\DVD Maker\en-US\
        6⤵
        
        PID:1740
      - C:\Program Files\DVD Maker\es-ES\System Restore.exe
        
        "C:\Program Files\DVD Maker\es-ES\System Restore.exe" C:\Program Files\DVD Maker\es-ES\
        6⤵
        
        PID:5128
      - C:\Program Files\DVD Maker\fr-FR\backup.exe
        
        "C:\Program Files\DVD Maker\fr-FR\backup.exe" C:\Program Files\DVD Maker\fr-FR\
        6⤵
        
        PID:2188
      - C:\Program Files\DVD Maker\it-IT\update.exe
        
        "C:\Program Files\DVD Maker\it-IT\update.exe" C:\Program Files\DVD Maker\it-IT\
        6⤵
        
        PID:7192
      - C:\Program Files\DVD Maker\ja-JP\backup.exe
        
        "C:\Program Files\DVD Maker\ja-JP\backup.exe" C:\Program Files\DVD Maker\ja-JP\
        6⤵
        
        PID:8768
      - C:\Program Files\DVD Maker\Shared\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\backup.exe" C:\Program Files\DVD Maker\Shared\
        6⤵
        
        PID:9836
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        
        PID:3832
      - C:\Program Files\Google\Chrome\data.exe
        
        "C:\Program Files\Google\Chrome\data.exe" C:\Program Files\Google\Chrome\
        6⤵
        
        PID:4620
        
        C:\Program Files\Google\Chrome\Application\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\backup.exe" C:\Program Files\Google\Chrome\Application\
        7⤵
        
        PID:7092
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        
        PID:372
      - C:\Program Files\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files\Internet Explorer\de-DE\backup.exe" C:\Program Files\Internet Explorer\de-DE\
        6⤵
        
        PID:6764
      - C:\Program Files\Internet Explorer\en-US\System Restore.exe
        
        "C:\Program Files\Internet Explorer\en-US\System Restore.exe" C:\Program Files\Internet Explorer\en-US\
        6⤵
        
        PID:8124
      - C:\Program Files\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files\Internet Explorer\es-ES\backup.exe" C:\Program Files\Internet Explorer\es-ES\
        6⤵
        
        PID:4956
      - C:\Program Files\Internet Explorer\fr-FR\update.exe
        
        "C:\Program Files\Internet Explorer\fr-FR\update.exe" C:\Program Files\Internet Explorer\fr-FR\
        6⤵
        
        PID:1812
    - - C:\Program Files\Java\System Restore.exe
        
        "C:\Program Files\Java\System Restore.exe" C:\Program Files\Java\
        5⤵
        
        PID:3600
    - - C:\Program Files\Microsoft Games\backup.exe
        
        "C:\Program Files\Microsoft Games\backup.exe" C:\Program Files\Microsoft Games\
        5⤵
        
        PID:5948
    - - C:\Program Files\Microsoft Office\backup.exe
        
        "C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
        5⤵
        
        PID:844
    - - C:\Program Files\Mozilla Firefox\backup.exe
        
        "C:\Program Files\Mozilla Firefox\backup.exe" C:\Program Files\Mozilla Firefox\
        5⤵
        
        PID:8668
    - - C:\Program Files\MSBuild\backup.exe
        
        "C:\Program Files\MSBuild\backup.exe" C:\Program Files\MSBuild\
        5⤵
        
        PID:2040
    - - C:\Program Files\Reference Assemblies\backup.exe
        
        "C:\Program Files\Reference Assemblies\backup.exe" C:\Program Files\Reference Assemblies\
        5⤵
        
        PID:9968
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Modifies visibility of file extensions in Explorer
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Loads dropped DLL
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:1376
    - - C:\Program Files (x86)\Adobe\update.exe
        
        "C:\Program Files (x86)\Adobe\update.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Modifies visibility of file extensions in Explorer
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2568
      - C:\Program Files (x86)\Adobe\Reader 9.0\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\System Restore.exe" C:\Program Files (x86)\Adobe\Reader 9.0\
        6⤵
        Modifies visibility of file extensions in Explorer
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2588
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\
        7⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        System Location Discovery: System Language Discovery
        
        PID:3236
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\
        7⤵
        
        PID:2100
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\
        8⤵
        
        PID:5116
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\
        8⤵
        
        PID:1512
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\
        8⤵
        
        PID:7100
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\
        8⤵
        
        PID:8840
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\
        8⤵
        
        PID:10184
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\
        7⤵
        
        PID:4652
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\
        8⤵
        
        PID:8432
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\
        8⤵
        
        PID:5664
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\
        8⤵
        
        PID:11112
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\
        7⤵
        
        PID:5708
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1048
      - C:\Program Files (x86)\Common Files\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
        6⤵
        
        PID:3492
        
        C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\
        7⤵
        
        PID:5156
        
        C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\
        7⤵
        
        PID:5492
        
        C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Updater6\
        7⤵
        
        PID:7292
      - C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\
        6⤵
        
        PID:4420
        
        C:\Program Files (x86)\Common Files\Adobe AIR\Versions\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\Versions\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\Versions\
        7⤵
        
        PID:4528
      - C:\Program Files (x86)\Common Files\DESIGNER\backup.exe
        
        "C:\Program Files (x86)\Common Files\DESIGNER\backup.exe" C:\Program Files (x86)\Common Files\DESIGNER\
        6⤵
        
        PID:5364
      - C:\Program Files (x86)\Common Files\microsoft shared\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\
        6⤵
        
        PID:6200
      - C:\Program Files (x86)\Common Files\Services\backup.exe
        
        "C:\Program Files (x86)\Common Files\Services\backup.exe" C:\Program Files (x86)\Common Files\Services\
        6⤵
        
        PID:7836
      - C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe" C:\Program Files (x86)\Common Files\SpeechEngines\
        6⤵
        
        PID:9200
      - C:\Program Files (x86)\Common Files\System\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\backup.exe" C:\Program Files (x86)\Common Files\System\
        6⤵
        
        PID:10116
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        
        PID:3608
      - C:\Program Files (x86)\Google\CrashReports\backup.exe
        
        "C:\Program Files (x86)\Google\CrashReports\backup.exe" C:\Program Files (x86)\Google\CrashReports\
        6⤵
        
        PID:4600
      - C:\Program Files (x86)\Google\Temp\backup.exe
        
        "C:\Program Files (x86)\Google\Temp\backup.exe" C:\Program Files (x86)\Google\Temp\
        6⤵
        
        PID:5828
      - C:\Program Files (x86)\Google\Update\backup.exe
        
        "C:\Program Files (x86)\Google\Update\backup.exe" C:\Program Files (x86)\Google\Update\
        6⤵
        
        PID:6512
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        
        PID:4136
      - C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe" C:\Program Files (x86)\Internet Explorer\de-DE\
        6⤵
        
        PID:1036
      - C:\Program Files (x86)\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\en-US\backup.exe" C:\Program Files (x86)\Internet Explorer\en-US\
        6⤵
        
        PID:7280
      - C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe" C:\Program Files (x86)\Internet Explorer\es-ES\
        6⤵
        
        PID:9208
      - C:\Program Files (x86)\Internet Explorer\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\fr-FR\backup.exe" C:\Program Files (x86)\Internet Explorer\fr-FR\
        6⤵
        
        PID:10196
    - - C:\Program Files (x86)\Microsoft Analysis Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\
        5⤵
        
        PID:1784
    - - C:\Program Files (x86)\Microsoft Office\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\backup.exe" C:\Program Files (x86)\Microsoft Office\
        5⤵
        
        PID:6168
    - - C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\
        5⤵
        
        PID:7380
    - - C:\Program Files (x86)\Microsoft Sync Framework\backup.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\backup.exe" C:\Program Files (x86)\Microsoft Sync Framework\
        5⤵
        
        PID:8784
    - - C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe" C:\Program Files (x86)\Microsoft Synchronization Services\
        5⤵
        
        PID:9252
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      Modifies visibility of file extensions in Explorer
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:1632
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        
        PID:3744
      - C:\Users\Admin\Contacts\backup.exe
        
        C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
        6⤵
        
        PID:4560
      - C:\Users\Admin\Desktop\backup.exe
        
        C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
        6⤵
        
        PID:5732
      - C:\Users\Admin\Documents\backup.exe
        
        C:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\
        6⤵
        
        PID:6496
      - C:\Users\Admin\Downloads\backup.exe
        
        C:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\
        6⤵
        
        PID:7872
      - C:\Users\Admin\Favorites\backup.exe
        
        C:\Users\Admin\Favorites\backup.exe C:\Users\Admin\Favorites\
        6⤵
        
        PID:8132
      - C:\Users\Admin\Links\backup.exe
        
        C:\Users\Admin\Links\backup.exe C:\Users\Admin\Links\
        6⤵
        
        PID:10096
    - - C:\Users\Public\backup.exe
        
        C:\Users\Public\backup.exe C:\Users\Public\
        5⤵
        
        PID:1364
      - C:\Users\Public\Documents\backup.exe
        
        C:\Users\Public\Documents\backup.exe C:\Users\Public\Documents\
        6⤵
        
        PID:2000
      - C:\Users\Public\Downloads\backup.exe
        
        C:\Users\Public\Downloads\backup.exe C:\Users\Public\Downloads\
        6⤵
        
        PID:7152
      - C:\Users\Public\Music\backup.exe
        
        C:\Users\Public\Music\backup.exe C:\Users\Public\Music\
        6⤵
        
        PID:8372
      - C:\Users\Public\Pictures\backup.exe
        
        C:\Users\Public\Pictures\backup.exe C:\Users\Public\Pictures\
        6⤵
        
        PID:9244
  - - C:\Windows\System Restore.exe
      "C:\Windows\System Restore.exe" C:\Windows\
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3776
    - - C:\Windows\addins\backup.exe
        
        C:\Windows\addins\backup.exe C:\Windows\addins\
        5⤵
        
        PID:1224
    - - C:\Windows\AppCompat\backup.exe
        
        C:\Windows\AppCompat\backup.exe C:\Windows\AppCompat\
        5⤵
        
        PID:2208
    - - C:\Windows\AppPatch\backup.exe
        
        C:\Windows\AppPatch\backup.exe C:\Windows\AppPatch\
        5⤵
        
        PID:3556
    - - C:\Windows\assembly\backup.exe
        
        C:\Windows\assembly\backup.exe C:\Windows\assembly\
        5⤵
        
        PID:6536
    - - C:\Windows\Branding\backup.exe
        
        C:\Windows\Branding\backup.exe C:\Windows\Branding\
        5⤵
        
        PID:544
    - - C:\Windows\CSC\backup.exe
        
        C:\Windows\CSC\backup.exe C:\Windows\CSC\
        5⤵
        
        PID:1664
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2144
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1604
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1492
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1004
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:596
- C:\Users\Admin\AppData\Local\Temp\scoped_dir2112_1667198029\backup.exe
  C:\Users\Admin\AppData\Local\Temp\scoped_dir2112_1667198029\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir2112_1667198029\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3036
- - C:\Users\Admin\AppData\Local\Temp\scoped_dir2112_1667198029\CRX_INSTALL\backup.exe
    C:\Users\Admin\AppData\Local\Temp\scoped_dir2112_1667198029\CRX_INSTALL\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir2112_1667198029\CRX_INSTALL\
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:992
- C:\Users\Admin\AppData\Local\Temp\scoped_dir2112_817205846\backup.exe
  C:\Users\Admin\AppData\Local\Temp\scoped_dir2112_817205846\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir2112_817205846\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2044
- - C:\Users\Admin\AppData\Local\Temp\scoped_dir2112_817205846\CRX_INSTALL\backup.exe
    C:\Users\Admin\AppData\Local\Temp\scoped_dir2112_817205846\CRX_INSTALL\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir2112_817205846\CRX_INSTALL\
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:2420
- C:\Users\Admin\AppData\Local\Temp\VBE\backup.exe
  C:\Users\Admin\AppData\Local\Temp\VBE\backup.exe C:\Users\Admin\AppData\Local\Temp\VBE\
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3156
- C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
  C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
  2⤵
  PID:2940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\update.exe

Filesize
2.0MB

MD5
c7f5b0c16620fdf15fcdb743a3a510f1

SHA1
f7138dc329bca33197a8b2abf4385fc687e5c590

SHA256
3537fe25c166e9a84b6c4226c83300af6f9c6331f964daa959606fca8d7b6c2c

SHA512
47b2d251609f144613c1fed92c237a64518a36ecac105c38dd90bfb72fb4b62928b75f3c2b19e4d62191bc3db91df48ae8d5555e085291eab940e816fd9c3835

Download Submit
C:\Program Files (x86)\backup.exe

Filesize
2.0MB

MD5
be6e694fc3517e23de83e84a127eaa75

SHA1
c2ff153a9efc224026a5b1281777cc3cc117b49c

SHA256
be4a3775facf437edc439dd0febad1fe6d147b304d7e9f8fc77673a40894110b

SHA512
6b9958b2c69cb9a515adbe067c4b764640d58367dfcc4692a7dc3a3e3057d684fe549b0df29b0a73a3f344ccba721cac4bca1e8e7fe5344cd9b896d223a549b0

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
2.0MB

MD5
30b7b925cb635ef3e3e8b529af690173

SHA1
f83645b86fc084fc6f60b160a7dc743a09b59c94

SHA256
4c96669eaa004bc03bc59843793238e8e1e484478a01280c65355a5e00e3ec2d

SHA512
74e2dc958e8d497e88c5237699d4a20ed24ebf6f12c44f7067fb7f7132f6236769c46aa1619b29d860959039e5037990a89a0cbae78aaef4d69d0e4636b08357

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.zip

Filesize
22B

MD5
76cdb2bad9582d23c1f6f4d868218d6c

SHA1
b04f3ee8f5e43fa3b162981b50bb72fe1acabb33

SHA256
8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85

SHA512
5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.zip

Filesize
2.0MB

MD5
0956e5642c27e708002e4bd22e4d7f39

SHA1
6fd610e1a66be9424dfe2df1900e03cb5c7775e0

SHA256
0bd02bca60826345f6d5f7d836980172f655b6a040085202779a4e55b4c6f878

SHA512
d5c21d968bf77bb60f2cb6917536e2e573263899280ae430c632f06e1731484e0051822c6fac1cca5c83815687a1d07d607893d2eec949611651b3248ed06987

Download Submit
C:\backup.exe

Filesize
2.0MB

MD5
5ab0ded9ee628b32ba2c69c35fe6ce50

SHA1
1809431b972bcec7e1c42430c6eb683505b1ad81

SHA256
bf1fe957f384f36d37d4bf304eddc50b935199fe96f778a68f7c5a406b627327

SHA512
c01acccd6d8287e40abe91ab70222a1e0843ec208979fad2fb4fa89fb69050c8b8c3dbdbf881a698fcf6038f84bc679a3e3dbde1e1e91e8bdb597d4d7b6993de

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
2.0MB

MD5
38b3c53afceb0fed3c0460a1ce8e7302

SHA1
9cf77b159e4b7f645beecc7dc4edf2158611ccf3

SHA256
94af1aa5acb912a9c11f36bdc58368f610483576e511859f365a4be792cac340

SHA512
dfbe1ed1202ffbd1279a6dead122efd7d06cd40508407b515f743c02a1de6e355f2d86b6d5ab74571a6ab12cdcc632c8b4e9a8e504018d0650e72e2c2208d588

Download Submit
\PerfLogs\update.exe

Filesize
2.0MB

MD5
4b12b2df12a026d3efe3ff6547b67ef0

SHA1
98e07e5e8ffe87dee4826f2d093365c065e1c5bd

SHA256
9b270d1849aee31d552f6b6df9a0a871013a4c88bc196ecfce454a6999e620ca

SHA512
e2a2536f16fb72f6a9ffa9e37c86fd3f7ed90fff40e83a72c534fc6b129c9de7b3ca162fcc26d7ac30d779ce1d42d03daa1ea5f29510dbd14157d2ce5abba6e1

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
2.0MB

MD5
1cdee426b23efda8c13416c334f9271e

SHA1
2cfa5714f0ce7f90d0b20f0648ba478192c66870

SHA256
d480a842a47db90185d180a83b2b5011f6fe150939023c8b802b6c88906718be

SHA512
d1dd298501bca539674029a6aca08181391be0c504f9c4deed8f888bcccbbf90f6bf1e919c436a48684ecb88cda68a6e8167e38f8a433ce8b94aa2d31dc0af6d

Download Submit
\Program Files\Common Files\backup.exe

Filesize
2.0MB

MD5
e959f6f20de3145e51aec137b06bd1b1

SHA1
b34bac8a94b4346b0ee571e03e125869921a2b96

SHA256
5173bfe1b763a9e4e81a0eb4a6b6bc98c72e362754bf9ff5c76aad1b2db804fc

SHA512
2e70fc652ba34a369b5b2a2ae79075810597ebe7009e5677964abd748002244b1020495fc9722ce8bc9c11eaa0414657d80465001afd0940bc88634e088e49b2

Download Submit
\Program Files\backup.exe

Filesize
2.0MB

MD5
0534319d9db0ae75830afc97f7ab64d9

SHA1
7a50e421f3411d5739eae51371a7e7d00136d2e5

SHA256
b41cd01e152db038b080e37e5933a8e6206a73c1450c5edc2e5816bdc7dc9af2

SHA512
b4c4bc35c1f658c6e985fefff7eeb52a9484ffcdbf73a9b1055c76ad4c2f9f63e715c336aa4c86c75c83ebd94ae560a6976f87f678af7415cbeb86b8dc986695

Download Submit
\Users\Admin\AppData\Local\Temp\3746781529\backup.exe

Filesize
2.0MB

MD5
5801adedd44f606d162b1b894bfbac90

SHA1
7d5d362b258c06ed0e3345f79d116e4a97c206f9

SHA256
dad107c10a3a4a1a230e5c7e851ed5aa521d14f452aaed6bbcf30556361d52cd

SHA512
16dfa9c7c29b04e3f82fe27d3b05652bfb8c253a9bc8d4753785824b9a300b331590f4b660bdcddecdb86f950fd18d39f443ba40237cef6fab734ef094228c20

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
2.0MB

MD5
ae92d444f91a1c9d1303467345a4d843

SHA1
d972e7e603d036604a106f5199ac9fad962c8d9a

SHA256
ff13a0e19988b7c520515e486c4130b450570b85975c35d34591a01ed8ddbe10

SHA512
66a5c286a05f9fc4676eee749c59b689d950b3ca8628cfe1477171738e4f8feb3e3856c4163aae59739168ad1090555f5ea7707f405bf7033777ee9df2a5a4db

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
2.0MB

MD5
a4448638fb22411298b2cc5c18964dee

SHA1
8b49fec320c556508af3cc5d62e756f0e7b3f82e

SHA256
b63c56425690244ade7819a1900fb341a1d05cf7cf4c43b4fa747b1f178d3c25

SHA512
7099f1f13f023c00dba02dc4f615e51ea2135689b22bcf0b13a647a3c4134c5bf7a26fff09d9b4a3c8bf92f994965aff1805affa58686aaafe08b8c4eb94c34a

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
2.0MB

MD5
eec18a8263682e53b6a994fb6b9a1e92

SHA1
eb7b11633c6b2157897b778d0498335b3c407f4b

SHA256
bdd60aba45e777399268403700c26f6feb761a275a731e58887bfa3ae344b8fd

SHA512
d507c1892e0880609c7a2bb3babd21059f40c496048b3ca8c1a2faba648882af20bd16a366dfd2bbcb63cbe10fc833015467856bf28550ab2d34c2ee74603b6f

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
2.0MB

MD5
3b6e65b1907b9503c36cc1c19ba4ee58

SHA1
1be985e763166f0726a5abb22fa92e6a4a78c233

SHA256
d4d6d607b9f77303b99c914a6d9199c91208b93703cde2986695905c5f50aafa

SHA512
bc2c25191081dfca290aedb516f09f9c20b04c77900ca8ac5d30c5263222e8aa5082db3be2cd11647fc85f55214cb94f9db0120438e2f0300c8fac2f687dbc5f

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
2.0MB

MD5
78ec1153a5b483199e5be5d48f3e4e00

SHA1
4bfd099e9bb03c44433faac2b0db9410845487a5

SHA256
641b3ce46cb783dbf7a457c44a5f24a339e17aa3be3c1477baf163249f65ade1

SHA512
581d56ff04b4da6760c46d86e0cf8d5284737bafab8d3b359964392ed605bb2e4e4c588034be2c57bbaad584f696808350978cd669cc9f5db6b5ccb762ddead8

Download Submit
\Users\Admin\AppData\Local\Temp\scoped_dir2112_1667198029\CRX_INSTALL\backup.exe

Filesize
2.0MB

MD5
01a4c5489aa4271d9c827caa11e91077

SHA1
551f5165090f3b3ab7455c080ec090833c3c5636

SHA256
7702e6e1225e41f14ce53d42766ccc9ee18f3be2fd27274df4524a31cdde4970

SHA512
be7ebf8486140393a5f230867c76e370450aa3b62b0241f9ba232d2d698697551c41d79fabc7bdd9d59f4406658523ce75ff16c678e66ee2472551135c3a7b20

Download Submit
\Users\Admin\AppData\Local\Temp\scoped_dir2112_1667198029\backup.exe

Filesize
2.0MB

MD5
dd54f6a9e3cd160732ef8db1b1a774b7

SHA1
6ef7a0d66b62b2b14f9777e0042fac8c0f87c556

SHA256
8c18c2d46d45c0a10dc4d5d50b6c112675281a0733e69d0637d1f34d5581f77a

SHA512
ba1e52a8b92eaef77ff5d0b064dfb737b50f5a570b4f351981a86afed8651ecde986426b1f514ae28ee7f100ff076f42e05535cd7318373c7919590ef787c9e7

Download Submit
memory/552-204-0x0000000000400000-0x0000000000897000-memory.dmp

Filesize
4.6MB

Download
memory/560-344-0x0000000000400000-0x0000000000897000-memory.dmp

Filesize
4.6MB

Download
memory/560-408-0x0000000000400000-0x0000000000897000-memory.dmp

Filesize
4.6MB

Download
memory/580-315-0x0000000000400000-0x0000000000897000-memory.dmp

Filesize
4.6MB

Download
memory/580-392-0x0000000000400000-0x0000000000897000-memory.dmp

Filesize
4.6MB

Download
memory/580-478-0x0000000000400000-0x0000000000897000-memory.dmp

Filesize
4.6MB

Download
memory/580-257-0x0000000000400000-0x0000000000897000-memory.dmp

Filesize
4.6MB

Download
memory/580-200-0x0000000000400000-0x0000000000897000-memory.dmp

Filesize
4.6MB

Download
memory/596-179-0x0000000000400000-0x0000000000897000-memory.dmp

Filesize
4.6MB

Download
memory/796-435-0x0000000000400000-0x0000000000897000-memory.dmp

Filesize
4.6MB

Download
memory/796-363-0x0000000000400000-0x0000000000897000-memory.dmp

Filesize
4.6MB

Download
memory/796-293-0x0000000000400000-0x0000000000897000-memory.dmp

Filesize
4.6MB

Download
memory/992-229-0x0000000000400000-0x0000000000897000-memory.dmp

Filesize
4.6MB

Download
memory/1004-145-0x0000000000400000-0x0000000000897000-memory.dmp

Filesize
4.6MB

Download
memory/1048-352-0x0000000000400000-0x0000000000897000-memory.dmp

Filesize
4.6MB

Download
memory/1048-436-0x0000000000400000-0x0000000000897000-memory.dmp

Filesize
4.6MB

Download
memory/1376-393-0x0000000000400000-0x0000000000897000-memory.dmp

Filesize
4.6MB

Download
memory/1376-258-0x0000000000400000-0x0000000000897000-memory.dmp

Filesize
4.6MB

Download
memory/1376-316-0x0000000000400000-0x0000000000897000-memory.dmp

Filesize
4.6MB

Download
memory/1492-90-0x0000000000400000-0x0000000000897000-memory.dmp

Filesize
4.6MB

Download
memory/1492-131-0x0000000000400000-0x0000000000897000-memory.dmp

Filesize
4.6MB

Download
memory/1604-102-0x0000000000400000-0x0000000000897000-memory.dmp

Filesize
4.6MB

Download
memory/1604-52-0x0000000000400000-0x0000000000897000-memory.dmp

Filesize
4.6MB

Download
memory/1604-133-0x0000000000400000-0x0000000000897000-memory.dmp

Filesize
4.6MB

Download
memory/1632-331-0x0000000000400000-0x0000000000897000-memory.dmp

Filesize
4.6MB

Download
memory/1632-405-0x0000000000400000-0x0000000000897000-memory.dmp

Filesize
4.6MB

Download
memory/1796-69-0x0000000000400000-0x0000000000897000-memory.dmp

Filesize
4.6MB

Download
memory/1796-72-0x0000000000E80000-0x0000000001317000-memory.dmp

Filesize
4.6MB

Download
memory/1796-106-0x0000000000E80000-0x0000000001317000-memory.dmp

Filesize
4.6MB

Download
memory/1796-71-0x0000000000E80000-0x0000000001317000-memory.dmp

Filesize
4.6MB

Download
memory/1796-70-0x0000000000E80000-0x0000000001317000-memory.dmp

Filesize
4.6MB

Download
memory/1796-104-0x0000000000400000-0x0000000000897000-memory.dmp

Filesize
4.6MB

Download
memory/1796-112-0x0000000000400000-0x0000000000897000-memory.dmp

Filesize
4.6MB

Download
memory/1868-110-0x0000000000400000-0x0000000000897000-memory.dmp

Filesize
4.6MB

Download
memory/2044-320-0x0000000000400000-0x0000000000897000-memory.dmp

Filesize
4.6MB

Download
memory/2044-292-0x0000000000400000-0x0000000000897000-memory.dmp

Filesize
4.6MB

Download
memory/2068-273-0x0000000000400000-0x0000000000897000-memory.dmp

Filesize
4.6MB

Download
memory/2068-324-0x0000000000400000-0x0000000000897000-memory.dmp

Filesize
4.6MB

Download
memory/2068-403-0x0000000000400000-0x0000000000897000-memory.dmp

Filesize
4.6MB

Download
memory/2120-40-0x0000000000400000-0x0000000000897000-memory.dmp

Filesize
4.6MB

Download
memory/2120-35-0x00000000054D0000-0x0000000005967000-memory.dmp

Filesize
4.6MB

Download
memory/2120-349-0x0000000000400000-0x0000000000897000-memory.dmp

Filesize
4.6MB

Download
memory/2120-214-0x0000000000400000-0x0000000000897000-memory.dmp

Filesize
4.6MB

Download
memory/2120-34-0x00000000054D0000-0x0000000005967000-memory.dmp

Filesize
4.6MB

Download
memory/2120-157-0x0000000000400000-0x0000000000897000-memory.dmp

Filesize
4.6MB

Download
memory/2120-425-0x0000000000400000-0x0000000000897000-memory.dmp

Filesize
4.6MB

Download
memory/2120-278-0x0000000000400000-0x0000000000897000-memory.dmp

Filesize
4.6MB

Download
memory/2120-74-0x0000000000400000-0x0000000000897000-memory.dmp

Filesize
4.6MB

Download
memory/2120-14-0x0000000000400000-0x0000000000897000-memory.dmp

Filesize
4.6MB

Download
memory/2144-27-0x0000000000400000-0x0000000000897000-memory.dmp

Filesize
4.6MB

Download
memory/2144-54-0x0000000000400000-0x0000000000897000-memory.dmp

Filesize
4.6MB

Download
memory/2308-51-0x0000000005420000-0x00000000058B7000-memory.dmp

Filesize
4.6MB

Download
memory/2308-134-0x0000000000400000-0x0000000000897000-memory.dmp

Filesize
4.6MB

Download
memory/2308-272-0x0000000000400000-0x0000000000897000-memory.dmp

Filesize
4.6MB

Download
memory/2308-26-0x0000000000400000-0x0000000000897000-memory.dmp

Filesize
4.6MB

Download
memory/2308-11-0x0000000005420000-0x00000000058B7000-memory.dmp

Filesize
4.6MB

Download
memory/2308-407-0x0000000000400000-0x0000000000897000-memory.dmp

Filesize
4.6MB

Download
memory/2308-87-0x0000000005420000-0x00000000058B7000-memory.dmp

Filesize
4.6MB

Download
memory/2308-89-0x0000000005420000-0x00000000058B7000-memory.dmp

Filesize
4.6MB

Download
memory/2308-24-0x0000000005420000-0x00000000058B7000-memory.dmp

Filesize
4.6MB

Download
memory/2308-13-0x0000000005420000-0x00000000058B7000-memory.dmp

Filesize
4.6MB

Download
memory/2308-37-0x0000000005420000-0x00000000058B7000-memory.dmp

Filesize
4.6MB

Download
memory/2308-38-0x0000000005420000-0x00000000058B7000-memory.dmp

Filesize
4.6MB

Download
memory/2308-576-0x0000000000400000-0x0000000000897000-memory.dmp

Filesize
4.6MB

Download
memory/2308-0-0x0000000000400000-0x0000000000897000-memory.dmp

Filesize
4.6MB

Download
memory/2308-61-0x0000000000400000-0x0000000000897000-memory.dmp

Filesize
4.6MB

Download
memory/2308-343-0x0000000000400000-0x0000000000897000-memory.dmp

Filesize
4.6MB

Download
memory/2308-213-0x0000000000400000-0x0000000000897000-memory.dmp

Filesize
4.6MB

Download
memory/2360-180-0x0000000000400000-0x0000000000897000-memory.dmp

Filesize
4.6MB

Download
memory/2360-73-0x0000000000400000-0x0000000000897000-memory.dmp

Filesize
4.6MB

Download
memory/2360-373-0x0000000000400000-0x0000000000897000-memory.dmp

Filesize
4.6MB

Download
memory/2360-242-0x0000000000400000-0x0000000000897000-memory.dmp

Filesize
4.6MB

Download
memory/2360-63-0x00000000056C0000-0x0000000005B57000-memory.dmp

Filesize
4.6MB

Download
memory/2360-39-0x0000000000400000-0x0000000000897000-memory.dmp

Filesize
4.6MB

Download
memory/2360-312-0x0000000000400000-0x0000000000897000-memory.dmp

Filesize
4.6MB

Download
memory/2360-105-0x0000000000400000-0x0000000000897000-memory.dmp

Filesize
4.6MB

Download
memory/2360-411-0x0000000000400000-0x0000000000897000-memory.dmp

Filesize
4.6MB

Download
memory/2360-103-0x00000000056C0000-0x0000000005B57000-memory.dmp

Filesize
4.6MB

Download
memory/2420-319-0x0000000000400000-0x0000000000897000-memory.dmp

Filesize
4.6MB

Download
memory/2568-323-0x0000000000400000-0x0000000000897000-memory.dmp

Filesize
4.6MB

Download
memory/2568-284-0x0000000000400000-0x0000000000897000-memory.dmp

Filesize
4.6MB

Download
memory/2588-325-0x0000000000400000-0x0000000000897000-memory.dmp

Filesize
4.6MB

Download
memory/2588-404-0x0000000000400000-0x0000000000897000-memory.dmp

Filesize
4.6MB

Download
memory/2636-311-0x0000000000400000-0x0000000000897000-memory.dmp

Filesize
4.6MB

Download
memory/2732-205-0x0000000000400000-0x0000000000897000-memory.dmp

Filesize
4.6MB

Download
memory/3036-230-0x0000000000400000-0x0000000000897000-memory.dmp

Filesize
4.6MB

Download
memory/3156-386-0x0000000000400000-0x0000000000897000-memory.dmp

Filesize
4.6MB

Download
memory/3184-374-0x0000000000400000-0x0000000000897000-memory.dmp

Filesize
4.6MB

Download
memory/3184-364-0x0000000000400000-0x0000000000897000-memory.dmp

Filesize
4.6MB

Download
memory/3236-406-0x0000000000400000-0x0000000000897000-memory.dmp

Filesize
4.6MB

Download
memory/3472-457-0x0000000000400000-0x0000000000897000-memory.dmp

Filesize
4.6MB

Download
memory/3776-409-0x0000000000400000-0x0000000000897000-memory.dmp

Filesize
4.6MB

Download
memory/3968-445-0x0000000000400000-0x0000000000897000-memory.dmp

Filesize
4.6MB

Download