Analysis

  • max time kernel
    129s
  • max time network
    46s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64 arch:x86 image:win7-20220812-en locale:en-us os:windows7-x64 system
  • submitted
    03-10-2022 06:14

General

  • Target

    26ac3a48341973b7e16eb3f835e72940854aaddcbf391ad04e8411cb5fac7349.exe

  • Size

    72KB

  • MD5

    67710f83dad275e6e05937be8313e72d

  • SHA1

    7a830da63d877d95cc689df00078276ad6f620a6

  • SHA256

    26ac3a48341973b7e16eb3f835e72940854aaddcbf391ad04e8411cb5fac7349

  • SHA512

    17ed6cdc58ba9b99413d8a785c1d44c6ebace45f7b66436fcc682e9a2d30cdde02be8ef012ee884a808cfb136e589f41d7d88eb7e4998a687c13e530120936dc

  • SSDEEP

    768:NpQNwC3BESe4Vqth+0V5vKlE3BEJwRrTd3FAyBgCg:HeT7BVwxfvqguKRFALCg

Score
10/10

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs
  • Executes dropped EXE 64 IoCs
  • Loads dropped DLL 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 11 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\26ac3a48341973b7e16eb3f835e72940854aaddcbf391ad04e8411cb5fac7349.exe
    "C:\Users\Admin\AppData\Local\Temp\26ac3a48341973b7e16eb3f835e72940854aaddcbf391ad04e8411cb5fac7349.exe"
    1⤵
    • Modifies visibility of file extensions in Explorer
    • Loads dropped DLL
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2020
    • C:\Users\Admin\AppData\Local\Temp\485290244\backup.exe
      C:\Users\Admin\AppData\Local\Temp\485290244\backup.exe C:\Users\Admin\AppData\Local\Temp\485290244\
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1724
      • C:\backup.exe
        \backup.exe \
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:700
        • C:\PerfLogs\backup.exe
          C:\PerfLogs\backup.exe C:\PerfLogs\
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1564
          • C:\PerfLogs\Admin\backup.exe
            C:\PerfLogs\Admin\backup.exe C:\PerfLogs\Admin\
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:972
        • C:\Program Files\backup.exe
          "C:\Program Files\backup.exe" C:\Program Files\
          4⤵
          • Modifies visibility of file extensions in Explorer
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in Program Files directory
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1712
          • C:\Program Files\7-Zip\backup.exe
            "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
            5⤵
            • Modifies visibility of file extensions in Explorer
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of SetWindowsHookEx
            • System policy modification
            PID:688
            • C:\Program Files\7-Zip\Lang\backup.exe
              "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
              6⤵
              • Modifies visibility of file extensions in Explorer
              • Executes dropped EXE
              • Suspicious use of SetWindowsHookEx
              • System policy modification
              PID:1780
          • C:\Program Files\Common Files\backup.exe
            "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Drops file in Program Files directory
            • Suspicious use of SetWindowsHookEx
            • System policy modification
            PID:108
            • C:\Program Files\Common Files\Microsoft Shared\backup.exe
              "C:\Program Files\Common Files\Microsoft Shared\backup.exe" C:\Program Files\Common Files\Microsoft Shared\
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Drops file in Program Files directory
              • Suspicious use of SetWindowsHookEx
              • System policy modification
              PID:308
              • C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
                "C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                PID:436
              • C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
                "C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
                7⤵
                • Executes dropped EXE
                • Drops file in Program Files directory
                • Suspicious use of SetWindowsHookEx
                PID:592
                • C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe
                  "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
                  8⤵
                  • Modifies visibility of file extensions in Explorer
                  • Executes dropped EXE
                  • Suspicious use of SetWindowsHookEx
                  PID:1556
                • C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
                  "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
                  8⤵
                  • Executes dropped EXE
                  • Suspicious use of SetWindowsHookEx
                  • System policy modification
                  PID:824
                • C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe
                  "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
                  8⤵
                  • Executes dropped EXE
                  • Suspicious use of SetWindowsHookEx
                  • System policy modification
                  PID:2028
                • C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\data.exe
                  "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
                  8⤵
                  • Executes dropped EXE
                  • Suspicious use of SetWindowsHookEx
                  • System policy modification
                  PID:1604
                • C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe
                  "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
                  8⤵
                  • Modifies visibility of file extensions in Explorer
                  • Executes dropped EXE
                  • Suspicious use of SetWindowsHookEx
                  • System policy modification
                  PID:1512
                • C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe
                  "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
                  8⤵
                  • Executes dropped EXE
                  • Suspicious use of SetWindowsHookEx
                  • System policy modification
                  PID:1068
                • C:\Program Files\Common Files\Microsoft Shared\ink\en-US\data.exe
                  "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
                  8⤵
                  • Modifies visibility of file extensions in Explorer
                  • Executes dropped EXE
                  • Suspicious use of SetWindowsHookEx
                  PID:772
                • C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe
                  "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
                  8⤵
                  • Modifies visibility of file extensions in Explorer
                  • Executes dropped EXE
                  • Suspicious use of SetWindowsHookEx
                  • System policy modification
                  PID:304
                • C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe
                  "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
                  8⤵
                  PID:1512
                • C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe
                  "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\
                  8⤵
                  • Modifies visibility of file extensions in Explorer
                  PID:1252
                • C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
                  "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\
                  8⤵
                  PID:984
                • C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe
                  "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\
                  8⤵
                  • Drops file in Program Files directory
                  PID:972
                  • C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe
                    "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\
                    9⤵
                    PID:928
                  • C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe
                    "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\
                    9⤵
                    • Modifies visibility of file extensions in Explorer
                    • System policy modification
                    PID:1604
                  • C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe
                    "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\
                    9⤵
                    PID:1576
                  • C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe
                    "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\
                    9⤵
                    • Modifies visibility of file extensions in Explorer
                    PID:1484
                  • C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe
                    "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\
                    9⤵
                    • Modifies visibility of file extensions in Explorer
                    • System policy modification
                    PID:612
                  • C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\update.exe
                    "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\
                    9⤵
                    PID:856
                  • C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe
                    "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\
                    9⤵
                    PID:1588
                  • C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe
                    "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\
                    9⤵
                    PID:1596
                • C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\update.exe
                  "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\
                  8⤵
                  PID:1832
                • C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe
                  "C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\
                  8⤵
                  PID:1064
              • C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe
                "C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
                7⤵
                • Modifies visibility of file extensions in Explorer
                • Drops file in Program Files directory
                • System policy modification
                PID:1676
                • C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe
                  "C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\
                  8⤵
                  • Modifies visibility of file extensions in Explorer
                  • System policy modification
                  PID:928
                • C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
                  "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\
                  8⤵
                  • System policy modification
                  PID:1324
                • C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe
                  "C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\
                  8⤵
                  PID:912
                • C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe
                  "C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\
                  8⤵
                  PID:1068
                • C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe
                  "C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\
                  8⤵
                  • Modifies visibility of file extensions in Explorer
                  PID:1172
                • C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe
                  "C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\
                  8⤵
                  PID:768
              • C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe
                "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
                7⤵
                • System policy modification
                PID:1472
                • C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe
                  "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\
                  8⤵
                  • Modifies visibility of file extensions in Explorer
                  • System policy modification
                  PID:284
              • C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe
                "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
                7⤵
                PID:1680
              • C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe
                "C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\
                7⤵
                PID:556
              • C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe
                "C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\
                7⤵
                PID:2000
            • C:\Program Files\Common Files\Services\backup.exe
              "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
              6⤵
              • Modifies visibility of file extensions in Explorer
              • Suspicious use of SetWindowsHookEx
              PID:1780
            • C:\Program Files\Common Files\SpeechEngines\backup.exe
              "C:\Program Files\Common Files\SpeechEngines\backup.exe" C:\Program Files\Common Files\SpeechEngines\
              6⤵
              PID:1584
              • C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe
                "C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files\Common Files\SpeechEngines\Microsoft\
                7⤵
                • System policy modification
                PID:1296
            • C:\Program Files\Common Files\System\backup.exe
              "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
              6⤵
              • System policy modification
              PID:1560
              • C:\Program Files\Common Files\System\ado\System Restore.exe
                "C:\Program Files\Common Files\System\ado\System Restore.exe" C:\Program Files\Common Files\System\ado\
                7⤵
                • Drops file in Program Files directory
                PID:804
                • C:\Program Files\Common Files\System\ado\de-DE\System Restore.exe
                  "C:\Program Files\Common Files\System\ado\de-DE\System Restore.exe" C:\Program Files\Common Files\System\ado\de-DE\
                  8⤵
                  PID:360
                • C:\Program Files\Common Files\System\ado\en-US\backup.exe
                  "C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
                  8⤵
                  • Modifies visibility of file extensions in Explorer
                  PID:912
                • C:\Program Files\Common Files\System\ado\es-ES\backup.exe
                  "C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
                  8⤵
                  PID:556
                • C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
                  "C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
                  8⤵
                  • Modifies visibility of file extensions in Explorer
                  • System policy modification
                  PID:1068
                • C:\Program Files\Common Files\System\ado\it-IT\backup.exe
                  "C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\
                  8⤵
                  PID:1732
                • C:\Program Files\Common Files\System\ado\ja-JP\backup.exe
                  "C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\
                  8⤵
                  PID:1736
              • C:\Program Files\Common Files\System\de-DE\backup.exe
                "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
                7⤵
                PID:1484
              • C:\Program Files\Common Files\System\en-US\data.exe
                "C:\Program Files\Common Files\System\en-US\data.exe" C:\Program Files\Common Files\System\en-US\
                7⤵
                PID:1548
          • C:\Program Files\DVD Maker\backup.exe
            "C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\
            5⤵
            • Executes dropped EXE
            • Drops file in Program Files directory
            • Suspicious use of SetWindowsHookEx
            PID:1980
            • C:\Program Files\DVD Maker\de-DE\backup.exe
              "C:\Program Files\DVD Maker\de-DE\backup.exe" C:\Program Files\DVD Maker\de-DE\
              6⤵
              PID:1720
            • C:\Program Files\DVD Maker\en-US\backup.exe
              "C:\Program Files\DVD Maker\en-US\backup.exe" C:\Program Files\DVD Maker\en-US\
              6⤵
              • System policy modification
              PID:1664
            • C:\Program Files\DVD Maker\es-ES\backup.exe
              "C:\Program Files\DVD Maker\es-ES\backup.exe" C:\Program Files\DVD Maker\es-ES\
              6⤵
              PID:1576
            • C:\Program Files\DVD Maker\fr-FR\backup.exe
              "C:\Program Files\DVD Maker\fr-FR\backup.exe" C:\Program Files\DVD Maker\fr-FR\
              6⤵
              PID:1484
            • C:\Program Files\DVD Maker\it-IT\backup.exe
              "C:\Program Files\DVD Maker\it-IT\backup.exe" C:\Program Files\DVD Maker\it-IT\
              6⤵
              PID:1380
            • C:\Program Files\DVD Maker\ja-JP\backup.exe
              "C:\Program Files\DVD Maker\ja-JP\backup.exe" C:\Program Files\DVD Maker\ja-JP\
              6⤵
              PID:1632
            • C:\Program Files\DVD Maker\Shared\backup.exe
              "C:\Program Files\DVD Maker\Shared\backup.exe" C:\Program Files\DVD Maker\Shared\
              6⤵
              • Drops file in Program Files directory
              PID:304
              • C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe
                "C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\
                7⤵
                • Modifies visibility of file extensions in Explorer
                • Drops file in Program Files directory
                PID:1296
                • C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe
                  "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\
                  8⤵
                  PID:1392
                • C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe
                  "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\
                  8⤵
                  PID:1536
                • C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe
                  "C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\
                  8⤵
                  PID:2028
                • C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe
                  "C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Full\
                  8⤵
                  PID:2004
          • C:\Program Files\Google\backup.exe
            "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
            5⤵
            • Modifies visibility of file extensions in Explorer
            • System policy modification
            PID:1516
            • C:\Program Files\Google\Chrome\backup.exe
              "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
              6⤵
              PID:588
          • C:\Program Files\Internet Explorer\backup.exe
            "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
            5⤵
            PID:912
          • C:\Program Files\Java\System Restore.exe
            "C:\Program Files\Java\System Restore.exe" C:\Program Files\Java\
            5⤵
            PID:1676
        • C:\Program Files (x86)\backup.exe
          "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
          4⤵
          • Modifies visibility of file extensions in Explorer
                                                                              • Executes dropped EXE
                                                                              • Loads dropped DLL
                                                                              • Drops file in Program Files directory
                                                                              • Suspicious use of SetWindowsHookEx
                                                                              • Suspicious use of WriteProcessMemory
                                                                              PID:300
                                                                              • C:\Program Files (x86)\Adobe\backup.exe
                                                                                "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
                                                                                5⤵
                                                                                • Modifies visibility of file extensions in Explorer
                                                                                • Executes dropped EXE
                                                                                • Loads dropped DLL
                                                                                • Drops file in Program Files directory
                                                                                • Suspicious use of SetWindowsHookEx
                                                                                PID:804
                                                                                • C:\Program Files (x86)\Adobe\Reader 9.0\System Restore.exe
                                                                                  "C:\Program Files (x86)\Adobe\Reader 9.0\System Restore.exe" C:\Program Files (x86)\Adobe\Reader 9.0\
                                                                                  6⤵
                                                                                  • Executes dropped EXE
                                                                                  • Loads dropped DLL
                                                                                  • Drops file in Program Files directory
                                                                                  • Suspicious use of SetWindowsHookEx
                                                                                  PID:1320
                                                                                  • C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe
                                                                                    "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\
                                                                                    7⤵
                                                                                    • Executes dropped EXE
                                                                                    • Suspicious use of SetWindowsHookEx
                                                                                    PID:1672
                                                                                  • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe
                                                                                    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\
                                                                                    7⤵
                                                                                    • Executes dropped EXE
                                                                                    • Loads dropped DLL
                                                                                    • Drops file in Program Files directory
                                                                                    • Suspicious use of SetWindowsHookEx
                                                                                    • System policy modification
                                                                                    PID:796
                                                                                    • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe
                                                                                      "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\
                                                                                      8⤵
                                                                                      • Modifies visibility of file extensions in Explorer
                                                                                      • Executes dropped EXE
                                                                                      • Suspicious use of SetWindowsHookEx
                                                                                      PID:1252
                                                                                    • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe
                                                                                      "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\
                                                                                      8⤵
                                                                                      • Executes dropped EXE
                                                                                      • Suspicious use of SetWindowsHookEx
                                                                                      PID:1868
                                                                                    • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe
                                                                                      "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\
                                                                                      8⤵
                                                                                      • Executes dropped EXE
                                                                                      • Suspicious use of SetWindowsHookEx
                                                                                      PID:1500
                                                                                    • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe
                                                                                      "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\
                                                                                      8⤵
                                                                                      • Executes dropped EXE
                                                                                      • Suspicious use of SetWindowsHookEx
                                                                                      • System policy modification
                                                                                      PID:524
                                                                                      • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe
                                                                                        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\
                                                                                        9⤵
                                                                                        • Executes dropped EXE
                                                                                        • Suspicious use of SetWindowsHookEx
                                                                                        • System policy modification
                                                                                        PID:588
                                                                                    • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe
                                                                                      "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\
                                                                                      8⤵
                                                                                      • Modifies visibility of file extensions in Explorer
                                                                                      • Executes dropped EXE
                                                                                      • Suspicious use of SetWindowsHookEx
                                                                                      • System policy modification
                                                                                      PID:676
                                                                                    • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe
                                                                                      "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\
                                                                                      8⤵
                                                                                      • Modifies visibility of file extensions in Explorer
                                                                                      • Executes dropped EXE
                                                                                      • Suspicious use of SetWindowsHookEx
                                                                                      PID:1620
                                                                                      • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe
                                                                                        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\
                                                                                        9⤵
                                                                                        • Executes dropped EXE
                                                                                        PID:2044
                                                                                    • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe
                                                                                      "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\
                                                                                      8⤵
                                                                                      • Modifies visibility of file extensions in Explorer
                                                                                      PID:1340
                                                                                    • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe
                                                                                      "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\
                                                                                      8⤵
                                                                                        PID:904
                                                                                        • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe
                                                                                          "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\
                                                                                          9⤵
                                                                                            PID:1488
                                                                                            • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\backup.exe
                                                                                              "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\
                                                                                              10⤵
                                                                                              • System policy modification
                                                                                              PID:1732
                                                                                          • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe
                                                                                            "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\
                                                                                            9⤵
                                                                                            • Modifies visibility of file extensions in Explorer
                                                                                            PID:1668
                                                                                            • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\backup.exe
                                                                                              "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\
                                                                                              10⤵
                                                                                                PID:1728
                                                                                                • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe
                                                                                                  "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\
                                                                                                  11⤵
                                                                                                    PID:588
                                                                                              • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe
                                                                                                "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\
                                                                                                9⤵
                                                                                                • Drops file in Program Files directory
                                                                                                PID:1660
                                                                                                • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\backup.exe
                                                                                                  "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\
                                                                                                  10⤵
                                                                                                    PID:984
                                                                                                • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe
                                                                                                  "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\
                                                                                                  9⤵
                                                                                                    PID:1576
                                                                                                • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\System Restore.exe
                                                                                                  "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\System Restore.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\
                                                                                                  8⤵
                                                                                                    PID:1696
                                                                                                  • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe
                                                                                                    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\
                                                                                                    8⤵
                                                                                                      PID:688
                                                                                                  • C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe
                                                                                                    "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\
                                                                                                    7⤵
                                                                                                    • Modifies visibility of file extensions in Explorer
                                                                                                    • Drops file in Program Files directory
                                                                                                    • System policy modification
                                                                                                    PID:1240
                                                                                                    • C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe
                                                                                                      "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\
                                                                                                      8⤵
                                                                                                        PID:1728
                                                                                                        • C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe
                                                                                                          "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\
                                                                                                          9⤵
                                                                                                            PID:1516
                                                                                                        • C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe
                                                                                                          "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\
                                                                                                          8⤵
                                                                                                            PID:676
                                                                                                          • C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe
                                                                                                            "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\
                                                                                                            8⤵
                                                                                                            • Modifies visibility of file extensions in Explorer
                                                                                                            • Drops file in Program Files directory
                                                                                                            • System policy modification
                                                                                                            PID:1508
                                                                                                            • C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\backup.exe
                                                                                                              "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\
                                                                                                              9⤵
                                                                                                              • Modifies visibility of file extensions in Explorer
                                                                                                              • System policy modification
                                                                                                              PID:1620
                                                                                                            • C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\backup.exe
                                                                                                              "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\
                                                                                                              9⤵
                                                                                                              • Modifies visibility of file extensions in Explorer
                                                                                                              • System policy modification
                                                                                                              PID:360
                                                                                                              • C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\backup.exe
                                                                                                                "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\
                                                                                                                10⤵
                                                                                                                • Drops file in Program Files directory
                                                                                                                PID:1632
                                                                                                                • C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\backup.exe
                                                                                                                  "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\
                                                                                                                  11⤵
                                                                                                                  • Modifies visibility of file extensions in Explorer
                                                                                                                  PID:1620
                                                                                                          • C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\System Restore.exe
                                                                                                            "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\System Restore.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\
                                                                                                            8⤵
                                                                                                              PID:1392
                                                                                                          • C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe
                                                                                                            "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\
                                                                                                            7⤵
                                                                                                              PID:1472
                                                                                                        • C:\Program Files (x86)\Common Files\backup.exe
                                                                                                          "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
                                                                                                          5⤵
                                                                                                          • Executes dropped EXE
                                                                                                          • Loads dropped DLL
                                                                                                          • Drops file in Program Files directory
                                                                                                          • Suspicious use of SetWindowsHookEx
                                                                                                          PID:1056
                                                                                                          • C:\Program Files (x86)\Common Files\Adobe\backup.exe
                                                                                                            "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
                                                                                                            6⤵
                                                                                                            • Modifies visibility of file extensions in Explorer
                                                                                                            • Executes dropped EXE
                                                                                                            • Loads dropped DLL
                                                                                                            • Drops file in Program Files directory
                                                                                                            • Suspicious use of SetWindowsHookEx
                                                                                                            PID:904
                                                                                                            • C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe
                                                                                                              "C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\
                                                                                                              7⤵
                                                                                                              • Modifies visibility of file extensions in Explorer
                                                                                                              • Executes dropped EXE
                                                                                                              • Suspicious use of SetWindowsHookEx
                                                                                                              PID:1660
                                                                                                            • C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe
                                                                                                              "C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\
                                                                                                              7⤵
                                                                                                              • Modifies visibility of file extensions in Explorer
                                                                                                              • Executes dropped EXE
                                                                                                              • Loads dropped DLL
                                                                                                              • Drops file in Program Files directory
                                                                                                              • Suspicious use of SetWindowsHookEx
                                                                                                              PID:1004
                                                                                                              • C:\Program Files (x86)\Common Files\Adobe\Help\en_US\backup.exe
                                                                                                                "C:\Program Files (x86)\Common Files\Adobe\Help\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\
                                                                                                                8⤵
                                                                                                                • Executes dropped EXE
                                                                                                                • Suspicious use of SetWindowsHookEx
                                                                                                                • System policy modification
                                                                                                                PID:1568
                                                                                                                • C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\System Restore.exe
                                                                                                                  "C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\System Restore.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\
                                                                                                                  9⤵
                                                                                                                  • Modifies visibility of file extensions in Explorer
                                                                                                                  • Executes dropped EXE
                                                                                                                  • Drops file in Program Files directory
                                                                                                                  • Suspicious use of SetWindowsHookEx
                                                                                                                  PID:872
                                                                                                                  • C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\backup.exe
                                                                                                                    "C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\
                                                                                                                    10⤵
                                                                                                                    • Modifies visibility of file extensions in Explorer
                                                                                                                    • Executes dropped EXE
                                                                                                                    • Suspicious use of SetWindowsHookEx
                                                                                                                    • System policy modification
                                                                                                                    PID:1272
                                                                                                            • C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe
                                                                                                              "C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Updater6\
                                                                                                              7⤵
                                                                                                              • Modifies visibility of file extensions in Explorer
                                                                                                              • Executes dropped EXE
                                                                                                              • Suspicious use of SetWindowsHookEx
                                                                                                              • System policy modification
                                                                                                              PID:268
                                                                                                          • C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe
                                                                                                            "C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\
                                                                                                            6⤵
                                                                                                            • Modifies visibility of file extensions in Explorer
                                                                                                            • Executes dropped EXE
                                                                                                            • Drops file in Program Files directory
                                                                                                            • Suspicious use of SetWindowsHookEx
                                                                                                            PID:748
                                                                                                            • C:\Program Files (x86)\Common Files\Adobe AIR\Versions\backup.exe
                                                                                                              "C:\Program Files (x86)\Common Files\Adobe AIR\Versions\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\Versions\
                                                                                                              7⤵
                                                                                                              • Executes dropped EXE
                                                                                                              • Drops file in Program Files directory
                                                                                                              • Suspicious use of SetWindowsHookEx
                                                                                                              • System policy modification
                                                                                                              PID:1628
                                                                                                              • C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\backup.exe
                                                                                                                "C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\
                                                                                                                8⤵
                                                                                                                  PID:1596
                                                                                                            • C:\Program Files (x86)\Common Files\DESIGNER\backup.exe
                                                                                                              "C:\Program Files (x86)\Common Files\DESIGNER\backup.exe" C:\Program Files (x86)\Common Files\DESIGNER\
                                                                                                              6⤵
                                                                                                              • Executes dropped EXE
                                                                                                              • Suspicious use of SetWindowsHookEx
                                                                                                              PID:1604
                                                                                                            • C:\Program Files (x86)\Common Files\microsoft shared\backup.exe
                                                                                                              "C:\Program Files (x86)\Common Files\microsoft shared\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\
                                                                                                              6⤵
                                                                                                              • Modifies visibility of file extensions in Explorer
                                                                                                              • Drops file in Program Files directory
                                                                                                              • System policy modification
                                                                                                              PID:976
                                                                                                              • C:\Program Files (x86)\Common Files\microsoft shared\DAO\backup.exe
                                                                                                                "C:\Program Files (x86)\Common Files\microsoft shared\DAO\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\DAO\
                                                                                                                7⤵
                                                                                                                • System policy modification
                                                                                                                PID:1568
                                                                                                              • C:\Program Files (x86)\Common Files\microsoft shared\DW\backup.exe
                                                                                                                "C:\Program Files (x86)\Common Files\microsoft shared\DW\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\DW\
                                                                                                                7⤵
                                                                                                                • Modifies visibility of file extensions in Explorer
                                                                                                                PID:1548
                                                                                                              • C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\backup.exe
                                                                                                                "C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\
                                                                                                                7⤵
                                                                                                                • Modifies visibility of file extensions in Explorer
                                                                                                                • System policy modification
                                                                                                                PID:1628
                                                                                                                • C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\1033\backup.exe
                                                                                                                  "C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\1033\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\1033\
                                                                                                                  8⤵
                                                                                                                  • System policy modification
                                                                                                                  PID:1524
                                                                                                              • C:\Program Files (x86)\Common Files\microsoft shared\EURO\backup.exe
                                                                                                                "C:\Program Files (x86)\Common Files\microsoft shared\EURO\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\EURO\
                                                                                                                7⤵
                                                                                                                  PID:824
                                                                                                                • C:\Program Files (x86)\Common Files\microsoft shared\Filters\backup.exe
                                                                                                                  "C:\Program Files (x86)\Common Files\microsoft shared\Filters\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Filters\
                                                                                                                  7⤵
                                                                                                                    PID:1336
                                                                                                                  • C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\backup.exe
                                                                                                                    "C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\
                                                                                                                    7⤵
                                                                                                                      PID:908
                                                                                                                    • C:\Program Files (x86)\Common Files\microsoft shared\Help\backup.exe
                                                                                                                      "C:\Program Files (x86)\Common Files\microsoft shared\Help\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\
                                                                                                                      7⤵
                                                                                                                      • Drops file in Program Files directory
                                                                                                                      PID:1556
                                                                                                                      • C:\Program Files (x86)\Common Files\microsoft shared\Help\1028\System Restore.exe
                                                                                                                        "C:\Program Files (x86)\Common Files\microsoft shared\Help\1028\System Restore.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1028\
                                                                                                                        8⤵
                                                                                                                        • Modifies visibility of file extensions in Explorer
                                                                                                                        • Drops file in Program Files directory
                                                                                                                        PID:1728
                                                                                                                      • C:\Program Files (x86)\Common Files\microsoft shared\Help\1031\backup.exe
                                                                                                                        "C:\Program Files (x86)\Common Files\microsoft shared\Help\1031\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1031\
                                                                                                                        8⤵
                                                                                                                          PID:1812
                                                                                                                        • C:\Program Files (x86)\Common Files\microsoft shared\Help\1033\backup.exe
                                                                                                                          "C:\Program Files (x86)\Common Files\microsoft shared\Help\1033\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1033\
                                                                                                                          8⤵
                                                                                                                            PID:784
                                                                                                                        • C:\Program Files (x86)\Common Files\microsoft shared\ink\backup.exe
                                                                                                                          "C:\Program Files (x86)\Common Files\microsoft shared\ink\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\
                                                                                                                          7⤵
                                                                                                                            PID:776
                                                                                                                          • C:\Program Files (x86)\Common Files\microsoft shared\MSClientDataMgr\backup.exe
                                                                                                                            "C:\Program Files (x86)\Common Files\microsoft shared\MSClientDataMgr\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSClientDataMgr\
                                                                                                                            7⤵
                                                                                                                              PID:1264
                                                                                                                          • C:\Program Files (x86)\Common Files\Services\backup.exe
                                                                                                                            "C:\Program Files (x86)\Common Files\Services\backup.exe" C:\Program Files (x86)\Common Files\Services\
                                                                                                                            6⤵
                                                                                                                              PID:1672
                                                                                                                            • C:\Program Files (x86)\Common Files\SpeechEngines\System Restore.exe
                                                                                                                              "C:\Program Files (x86)\Common Files\SpeechEngines\System Restore.exe" C:\Program Files (x86)\Common Files\SpeechEngines\
                                                                                                                              6⤵
                                                                                                                                PID:1780
                                                                                                                            • C:\Program Files (x86)\Google\backup.exe
                                                                                                                              "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
                                                                                                                              5⤵
                                                                                                                              • Drops file in Program Files directory
                                                                                                                              • System policy modification
                                                                                                                              PID:1048
                                                                                                                              • C:\Program Files (x86)\Google\CrashReports\backup.exe
                                                                                                                                "C:\Program Files (x86)\Google\CrashReports\backup.exe" C:\Program Files (x86)\Google\CrashReports\
                                                                                                                                6⤵
                                                                                                                                  PID:1660
                                                                                                                                • C:\Program Files (x86)\Google\Policies\backup.exe
                                                                                                                                  "C:\Program Files (x86)\Google\Policies\backup.exe" C:\Program Files (x86)\Google\Policies\
                                                                                                                                  6⤵
                                                                                                                                  • System policy modification
                                                                                                                                  PID:1832
                                                                                                                                • C:\Program Files (x86)\Google\Temp\backup.exe
                                                                                                                                  "C:\Program Files (x86)\Google\Temp\backup.exe" C:\Program Files (x86)\Google\Temp\
                                                                                                                                  6⤵
                                                                                                                                    PID:1620
                                                                                                                                  • C:\Program Files (x86)\Google\Update\data.exe
                                                                                                                                    "C:\Program Files (x86)\Google\Update\data.exe" C:\Program Files (x86)\Google\Update\
                                                                                                                                    6⤵
                                                                                                                                    • Drops file in Program Files directory
                                                                                                                                    PID:1388
                                                                                                                                    • C:\Program Files (x86)\Google\Update\1.3.36.71\backup.exe
                                                                                                                                      "C:\Program Files (x86)\Google\Update\1.3.36.71\backup.exe" C:\Program Files (x86)\Google\Update\1.3.36.71\
                                                                                                                                      7⤵
                                                                                                                                        PID:1556
                                                                                                                                      • C:\Program Files (x86)\Google\Update\Download\backup.exe
                                                                                                                                        "C:\Program Files (x86)\Google\Update\Download\backup.exe" C:\Program Files (x86)\Google\Update\Download\
                                                                                                                                        7⤵
                                                                                                                                        • Modifies visibility of file extensions in Explorer
                                                                                                                                        PID:524
                                                                                                                                        • C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\backup.exe
                                                                                                                                          "C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\backup.exe" C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\
                                                                                                                                          8⤵
                                                                                                                                          • Drops file in Program Files directory
                                                                                                                                          • System policy modification
                                                                                                                                          PID:1340
                                                                                                                                          • C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\89.0.4389.114\backup.exe
                                                                                                                                            "C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\89.0.4389.114\backup.exe" C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\89.0.4389.114\
                                                                                                                                            9⤵
                                                                                                                                            • Modifies visibility of file extensions in Explorer
                                                                                                                                            • System policy modification
                                                                                                                                            PID:1488
                                                                                                                                      • C:\Program Files (x86)\Google\Update\Install\backup.exe
                                                                                                                                        "C:\Program Files (x86)\Google\Update\Install\backup.exe" C:\Program Files (x86)\Google\Update\Install\
                                                                                                                                        7⤵
                                                                                                                                          PID:284
                                                                                                                                        • C:\Program Files (x86)\Google\Update\Offline\backup.exe
                                                                                                                                          "C:\Program Files (x86)\Google\Update\Offline\backup.exe" C:\Program Files (x86)\Google\Update\Offline\
                                                                                                                                          7⤵
                                                                                                                                            PID:1384
                                                                                                                                      • C:\Program Files (x86)\Internet Explorer\backup.exe
                                                                                                                                        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
                                                                                                                                        5⤵
                                                                                                                                        • Modifies visibility of file extensions in Explorer
                                                                                                                                        • Drops file in Program Files directory
                                                                                                                                        • System policy modification
                                                                                                                                        PID:1984
                                                                                                                                        • C:\Program Files (x86)\Internet Explorer\de-DE\update.exe
                                                                                                                                          "C:\Program Files (x86)\Internet Explorer\de-DE\update.exe" C:\Program Files (x86)\Internet Explorer\de-DE\
                                                                                                                                          6⤵
                                                                                                                                          • Modifies visibility of file extensions in Explorer
                                                                                                                                          • System policy modification
                                                                                                                                          PID:1064
                                                                                                                                        • C:\Program Files (x86)\Internet Explorer\en-US\backup.exe
                                                                                                                                          "C:\Program Files (x86)\Internet Explorer\en-US\backup.exe" C:\Program Files (x86)\Internet Explorer\en-US\
                                                                                                                                          6⤵
                                                                                                                                            PID:1132
                                                                                                                                          • C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe
                                                                                                                                            "C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe" C:\Program Files (x86)\Internet Explorer\es-ES\
                                                                                                                                            6⤵
                                                                                                                                              PID:320
                                                                                                                                          • C:\Program Files (x86)\Microsoft Analysis Services\backup.exe
                                                                                                                                            "C:\Program Files (x86)\Microsoft Analysis Services\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\
                                                                                                                                            5⤵
                                                                                                                                              PID:1692
                                                                                                                                            • C:\Program Files (x86)\Microsoft Office\System Restore.exe
                                                                                                                                              "C:\Program Files (x86)\Microsoft Office\System Restore.exe" C:\Program Files (x86)\Microsoft Office\
                                                                                                                                              5⤵
                                                                                                                                                PID:676
                                                                                                                                            • C:\Users\backup.exe
                                                                                                                                              C:\Users\backup.exe C:\Users\
                                                                                                                                              4⤵
                                                                                                                                              • Modifies visibility of file extensions in Explorer
                                                                                                                                              • Executes dropped EXE
                                                                                                                                              • Loads dropped DLL
                                                                                                                                              • Suspicious use of SetWindowsHookEx
                                                                                                                                              PID:1700
                                                                                                                                              • C:\Users\Admin\backup.exe
                                                                                                                                                C:\Users\Admin\backup.exe C:\Users\Admin\
                                                                                                                                                5⤵
                                                                                                                                                • Modifies visibility of file extensions in Explorer
                                                                                                                                                • Executes dropped EXE
                                                                                                                                                • Loads dropped DLL
                                                                                                                                                • Suspicious use of SetWindowsHookEx
                                                                                                                                                PID:1548
                                                                                                                                                • C:\Users\Admin\Contacts\backup.exe
                                                                                                                                                  C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
                                                                                                                                                  6⤵
                                                                                                                                                  • Modifies visibility of file extensions in Explorer
                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                  • Suspicious use of SetWindowsHookEx
                                                                                                                                                  PID:1516
                                                                                                                                                • C:\Users\Admin\Desktop\backup.exe
                                                                                                                                                  C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
                                                                                                                                                  6⤵
                                                                                                                                                  • Modifies visibility of file extensions in Explorer
                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                  • Suspicious use of SetWindowsHookEx
                                                                                                                                                  PID:280
                                                                                                                                                • C:\Users\Admin\Documents\backup.exe
                                                                                                                                                  C:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\
                                                                                                                                                  6⤵
                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                  • Suspicious use of SetWindowsHookEx
                                                                                                                                                  PID:1720
                                                                                                                                                • C:\Users\Admin\Downloads\backup.exe
                                                                                                                                                  C:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\
                                                                                                                                                  6⤵
                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                  • Suspicious use of SetWindowsHookEx
                                                                                                                                                  PID:1872
                                                                                                                                                • C:\Users\Admin\Favorites\backup.exe
                                                                                                                                                  C:\Users\Admin\Favorites\backup.exe C:\Users\Admin\Favorites\
                                                                                                                                                  6⤵
                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                  • Suspicious use of SetWindowsHookEx
                                                                                                                                                  PID:1532
                                                                                                                                                • C:\Users\Admin\Links\backup.exe
                                                                                                                                                  C:\Users\Admin\Links\backup.exe C:\Users\Admin\Links\
                                                                                                                                                  6⤵
                                                                                                                                                  • Modifies visibility of file extensions in Explorer
                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                  • Suspicious use of SetWindowsHookEx
                                                                                                                                                  • System policy modification
                                                                                                                                                  PID:2044
                                                                                                                                                • C:\Users\Admin\Music\backup.exe
                                                                                                                                                  C:\Users\Admin\Music\backup.exe C:\Users\Admin\Music\
                                                                                                                                                  6⤵
                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                  • Suspicious use of SetWindowsHookEx
                                                                                                                                                  PID:1812
                                                                                                                                                • C:\Users\Admin\Pictures\backup.exe
                                                                                                                                                  C:\Users\Admin\Pictures\backup.exe C:\Users\Admin\Pictures\
                                                                                                                                                  6⤵
                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                  • Suspicious use of SetWindowsHookEx
                                                                                                                                                  PID:280
                                                                                                                                                • C:\Users\Admin\Saved Games\data.exe
                                                                                                                                                  "C:\Users\Admin\Saved Games\data.exe" C:\Users\Admin\Saved Games\
                                                                                                                                                  6⤵
                                                                                                                                                  • Modifies visibility of file extensions in Explorer
                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                  • Suspicious use of SetWindowsHookEx
                                                                                                                                                  • System policy modification
                                                                                                                                                  PID:856
                                                                                                                                                • C:\Users\Admin\Searches\backup.exe
                                                                                                                                                  C:\Users\Admin\Searches\backup.exe C:\Users\Admin\Searches\
                                                                                                                                                  6⤵
                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                  • Suspicious use of SetWindowsHookEx
                                                                                                                                                  • System policy modification
                                                                                                                                                  PID:864
                                                                                                                                                • C:\Users\Admin\Videos\backup.exe
                                                                                                                                                  C:\Users\Admin\Videos\backup.exe C:\Users\Admin\Videos\
                                                                                                                                                  6⤵
                                                                                                                                                  • Modifies visibility of file extensions in Explorer
                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                  • Suspicious use of SetWindowsHookEx
                                                                                                                                                  • System policy modification
                                                                                                                                                  PID:1500
                                                                                                                                              • C:\Users\Public\update.exe
                                                                                                                                                C:\Users\Public\update.exe C:\Users\Public\
                                                                                                                                                5⤵
                                                                                                                                                  PID:1124
                                                                                                                                                  • C:\Users\Public\Documents\backup.exe
                                                                                                                                                    C:\Users\Public\Documents\backup.exe C:\Users\Public\Documents\
                                                                                                                                                    6⤵
                                                                                                                                                      PID:280
                                                                                                                                                    • C:\Users\Public\Downloads\backup.exe
                                                                                                                                                      C:\Users\Public\Downloads\backup.exe C:\Users\Public\Downloads\
                                                                                                                                                      6⤵
                                                                                                                                                        PID:596
                                                                                                                                                      • C:\Users\Public\Music\backup.exe
                                                                                                                                                        C:\Users\Public\Music\backup.exe C:\Users\Public\Music\
                                                                                                                                                        6⤵
                                                                                                                                                          PID:1340
                                                                                                                                                          • C:\Users\Public\Music\Sample Music\backup.exe
                                                                                                                                                            "C:\Users\Public\Music\Sample Music\backup.exe" C:\Users\Public\Music\Sample Music\
                                                                                                                                                            7⤵
                                                                                                                                                            • System policy modification
                                                                                                                                                            PID:776
                                                                                                                                                        • C:\Users\Public\Pictures\backup.exe
                                                                                                                                                          C:\Users\Public\Pictures\backup.exe C:\Users\Public\Pictures\
                                                                                                                                                          6⤵
                                                                                                                                                          • Modifies visibility of file extensions in Explorer
                                                                                                                                                          • System policy modification
                                                                                                                                                          PID:1252
                                                                                                                                                          • C:\Users\Public\Pictures\Sample Pictures\backup.exe
                                                                                                                                                            "C:\Users\Public\Pictures\Sample Pictures\backup.exe" C:\Users\Public\Pictures\Sample Pictures\
                                                                                                                                                            7⤵
                                                                                                                                                              PID:1324
                                                                                                                                                          • C:\Users\Public\Recorded TV\backup.exe
                                                                                                                                                            "C:\Users\Public\Recorded TV\backup.exe" C:\Users\Public\Recorded TV\
                                                                                                                                                            6⤵
                                                                                                                                                              PID:1776
                                                                                                                                                            • C:\Users\Public\Videos\backup.exe
                                                                                                                                                              C:\Users\Public\Videos\backup.exe C:\Users\Public\Videos\
                                                                                                                                                              6⤵
                                                                                                                                                                PID:436
                                                                                                                                                          • C:\Windows\backup.exe
                                                                                                                                                            C:\Windows\backup.exe C:\Windows\
                                                                                                                                                            4⤵
                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                            • Drops file in Windows directory
                                                                                                                                                            PID:1788
                                                                                                                                                            • C:\Windows\addins\backup.exe
                                                                                                                                                              C:\Windows\addins\backup.exe C:\Windows\addins\
                                                                                                                                                              5⤵
                                                                                                                                                              • System policy modification
                                                                                                                                                              PID:1068
                                                                                                                                                            • C:\Windows\AppCompat\backup.exe
                                                                                                                                                              C:\Windows\AppCompat\backup.exe C:\Windows\AppCompat\
                                                                                                                                                              5⤵
                                                                                                                                                                PID:1612
                                                                                                                                                              • C:\Windows\AppPatch\backup.exe
                                                                                                                                                                C:\Windows\AppPatch\backup.exe C:\Windows\AppPatch\
                                                                                                                                                                5⤵
                                                                                                                                                                • Modifies visibility of file extensions in Explorer
                                                                                                                                                                • Drops file in Windows directory
                                                                                                                                                                PID:572
                                                                                                                                                                • C:\Windows\AppPatch\AppPatch64\backup.exe
                                                                                                                                                                  C:\Windows\AppPatch\AppPatch64\backup.exe C:\Windows\AppPatch\AppPatch64\
                                                                                                                                                                  6⤵
                                                                                                                                                                  • Modifies visibility of file extensions in Explorer
                                                                                                                                                                  • System policy modification
                                                                                                                                                                  PID:1384
                                                                                                                                                                • C:\Windows\AppPatch\Custom\backup.exe
                                                                                                                                                                  C:\Windows\AppPatch\Custom\backup.exe C:\Windows\AppPatch\Custom\
                                                                                                                                                                  6⤵
                                                                                                                                                                  • Drops file in Windows directory
                                                                                                                                                                  PID:1808
                                                                                                                                                                  • C:\Windows\AppPatch\Custom\Custom64\backup.exe
                                                                                                                                                                    C:\Windows\AppPatch\Custom\Custom64\backup.exe C:\Windows\AppPatch\Custom\Custom64\
                                                                                                                                                                    7⤵
                                                                                                                                                                    • Modifies visibility of file extensions in Explorer
                                                                                                                                                                    • System policy modification
                                                                                                                                                                    PID:1736
                                                                                                                                                                • C:\Windows\AppPatch\de-DE\backup.exe
                                                                                                                                                                  C:\Windows\AppPatch\de-DE\backup.exe C:\Windows\AppPatch\de-DE\
                                                                                                                                                                  6⤵
                                                                                                                                                                  • System policy modification
                                                                                                                                                                  PID:928
                                                                                                                                                                • C:\Windows\AppPatch\en-US\backup.exe
                                                                                                                                                                  C:\Windows\AppPatch\en-US\backup.exe C:\Windows\AppPatch\en-US\
                                                                                                                                                                  6⤵
                                                                                                                                                                    PID:824
                                                                                                                                                                  • C:\Windows\AppPatch\es-ES\backup.exe
                                                                                                                                                                    C:\Windows\AppPatch\es-ES\backup.exe C:\Windows\AppPatch\es-ES\
                                                                                                                                                                    6⤵
                                                                                                                                                                      PID:1720
                                                                                                                                                                    • C:\Windows\AppPatch\fr-FR\backup.exe
                                                                                                                                                                      C:\Windows\AppPatch\fr-FR\backup.exe C:\Windows\AppPatch\fr-FR\
                                                                                                                                                                      6⤵
                                                                                                                                                                        PID:1684
                                                                                                                                                                    • C:\Windows\assembly\backup.exe
                                                                                                                                                                      C:\Windows\assembly\backup.exe C:\Windows\assembly\
                                                                                                                                                                      5⤵
                                                                                                                                                                        PID:908
                                                                                                                                                                      • C:\Windows\Branding\backup.exe
                                                                                                                                                                        C:\Windows\Branding\backup.exe C:\Windows\Branding\
                                                                                                                                                                        5⤵
                                                                                                                                                                          PID:1340
                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
                                                                                                                                                                    C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
                                                                                                                                                                    2⤵
                                                                                                                                                                    • Modifies visibility of file extensions in Explorer
                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                    • Suspicious use of SetWindowsHookEx
                                                                                                                                                                    • System policy modification
                                                                                                                                                                    PID:1388
                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
                                                                                                                                                                    C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
                                                                                                                                                                    2⤵
                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                    • Suspicious use of SetWindowsHookEx
                                                                                                                                                                    PID:848
                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
                                                                                                                                                                    2⤵
                                                                                                                                                                    • Modifies visibility of file extensions in Explorer
                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                    • Suspicious use of SetWindowsHookEx
                                                                                                                                                                    • System policy modification
                                                                                                                                                                    PID:1516
                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
                                                                                                                                                                    2⤵
                                                                                                                                                                    • Modifies visibility of file extensions in Explorer
                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                    • Suspicious use of SetWindowsHookEx
                                                                                                                                                                    PID:1264
                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
                                                                                                                                                                    C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
                                                                                                                                                                    2⤵
                                                                                                                                                                    • Modifies visibility of file extensions in Explorer
                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                    • Suspicious use of SetWindowsHookEx
                                                                                                                                                                    • System policy modification
                                                                                                                                                                    PID:1984
                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
                                                                                                                                                                    C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
                                                                                                                                                                    2⤵
                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                    • Suspicious use of SetWindowsHookEx
                                                                                                                                                                    PID:592

                                                                                                                                                                Network

                                                                                                                                                                MITRE ATT&CK Enterprise v6

                                                                                                                                                                Downloads

                                                                                                                                                                • C:\PerfLogs\Admin\backup.exe

                                                                                                                                                                  Filesize

                                                                                                                                                                  72KB

                                                                                                                                                                • C:\PerfLogs\backup.exe

                                                                                                                                                                  Filesize

                                                                                                                                                                  72KB

                                                                                                                                                                • C:\Program Files (x86)\Adobe\Reader 9.0\System Restore.exe

                                                                                                                                                                  Filesize

                                                                                                                                                                  72KB

                                                                                                                                                                • C:\Program Files (x86)\Adobe\backup.exe

                                                                                                                                                                  Filesize

                                                                                                                                                                  72KB

                                                                                                                                                                • C:\Program Files (x86)\Common Files\backup.exe

                                                                                                                                                                  Filesize

                                                                                                                                                                  72KB

                                                                                                                                                                • C:\Program Files (x86)\backup.exe

                                                                                                                                                                  Filesize

                                                                                                                                                                  72KB

                                                                                                                                                                • C:\Program Files\7-Zip\Lang\backup.exe

                                                                                                                                                                  Filesize

                                                                                                                                                                  72KB

                                                                                                                                                                • C:\Program Files\7-Zip\backup.exe

                                                                                                                                                                  Filesize

                                                                                                                                                                  72KB

                                                                                                                                                                • C:\Program Files\Common Files\backup.exe

                                                                                                                                                                  Filesize

                                                                                                                                                                  72KB

                                                                                                                                                                • C:\Program Files\backup.exe

                                                                                                                                                                  Filesize

                                                                                                                                                                  72KB

                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\485290244\backup.exe

                                                                                                                                                                  Filesize

                                                                                                                                                                  72KB

                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

                                                                                                                                                                  Filesize

                                                                                                                                                                  72KB

                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

                                                                                                                                                                  Filesize

                                                                                                                                                                  72KB

                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

                                                                                                                                                                  Filesize

                                                                                                                                                                  72KB

                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

                                                                                                                                                                  Filesize

                                                                                                                                                                  72KB

                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

                                                                                                                                                                  Filesize

                                                                                                                                                                  72KB

                                                                                                                                                                  MD5

                                                                                                                                                                  98cc41f2da013bcb2ac383ea97a8cc3a

                                                                                                                                                                  SHA1

                                                                                                                                                                  f9fb565fbe2299a09a03cd32a0d1bc5b831c836f

                                                                                                                                                                  SHA256

                                                                                                                                                                  570a95779ad04d6570f0227af0cd29fe6fbeab7df0f2f42d55d4a21818d259c5

                                                                                                                                                                  SHA512

                                                                                                                                                                  a5821b68aeb966c6199b7708dad0a2864d777c6d4f5d0d5b6650fc96c9d9b77191d4f625847dd8b1f445406d0acefa308f44c3fdc92f1813ff0be5359bb1d797

                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

                                                                                                                                                                  Filesize

                                                                                                                                                                  72KB

                                                                                                                                                                  MD5

                                                                                                                                                                  98cc41f2da013bcb2ac383ea97a8cc3a

                                                                                                                                                                  SHA1

                                                                                                                                                                  f9fb565fbe2299a09a03cd32a0d1bc5b831c836f

                                                                                                                                                                  SHA256

                                                                                                                                                                  570a95779ad04d6570f0227af0cd29fe6fbeab7df0f2f42d55d4a21818d259c5

                                                                                                                                                                  SHA512

                                                                                                                                                                  a5821b68aeb966c6199b7708dad0a2864d777c6d4f5d0d5b6650fc96c9d9b77191d4f625847dd8b1f445406d0acefa308f44c3fdc92f1813ff0be5359bb1d797

                                                                                                                                                                • C:\Users\backup.exe

                                                                                                                                                                  Filesize

                                                                                                                                                                  72KB

                                                                                                                                                                  MD5

                                                                                                                                                                  fa5463ac1c209d1eb4f12201672dd315

                                                                                                                                                                  SHA1

                                                                                                                                                                  a23a0d89443dbebc10d0fd30a98fff30799455c5

                                                                                                                                                                  SHA256

                                                                                                                                                                  d62e4c37c17d33b932c2af37ca369b7baf139e7818f985b359c6ef4d49b87dc4

                                                                                                                                                                  SHA512

                                                                                                                                                                  e91cb25152d083bb5ebaebdd248fdd27f3e318c9a5f9f1eb6af882d892ed56906dca97799bf374cf2300be2726e56a4a3ab00a35121e8ac348e0e27115ef8f59

                                                                                                                                                                • C:\Users\backup.exe

                                                                                                                                                                  Filesize

                                                                                                                                                                  72KB

                                                                                                                                                                  MD5

                                                                                                                                                                  fa5463ac1c209d1eb4f12201672dd315

                                                                                                                                                                  SHA1

                                                                                                                                                                  a23a0d89443dbebc10d0fd30a98fff30799455c5

                                                                                                                                                                  SHA256

                                                                                                                                                                  d62e4c37c17d33b932c2af37ca369b7baf139e7818f985b359c6ef4d49b87dc4

                                                                                                                                                                  SHA512

                                                                                                                                                                  e91cb25152d083bb5ebaebdd248fdd27f3e318c9a5f9f1eb6af882d892ed56906dca97799bf374cf2300be2726e56a4a3ab00a35121e8ac348e0e27115ef8f59

                                                                                                                                                                • C:\backup.exe

                                                                                                                                                                  Filesize

                                                                                                                                                                  72KB

                                                                                                                                                                  MD5

                                                                                                                                                                  adcd7238c514c04db52cb2f9b4ee54c1

                                                                                                                                                                  SHA1

                                                                                                                                                                  ffd893cbae6be282728717ac1e9ba05152b75d28

                                                                                                                                                                  SHA256

                                                                                                                                                                  e1b5f2956cda8bf49947b85b9a9c378808fa35017c1521763de874c461ffb978

                                                                                                                                                                  SHA512

                                                                                                                                                                  ce5c7091b685f7520bfe0e538e2605c7d21f3e6fb388233d959440c7a1a818d36f9e1ae92efd35217190df337751fe7e066382277f8d004a0c1f14c68dc1df62

                                                                                                                                                                • C:\backup.exe

                                                                                                                                                                  Filesize

                                                                                                                                                                  72KB

                                                                                                                                                                  MD5

                                                                                                                                                                  adcd7238c514c04db52cb2f9b4ee54c1

                                                                                                                                                                  SHA1

                                                                                                                                                                  ffd893cbae6be282728717ac1e9ba05152b75d28

                                                                                                                                                                  SHA256

                                                                                                                                                                  e1b5f2956cda8bf49947b85b9a9c378808fa35017c1521763de874c461ffb978

                                                                                                                                                                  SHA512

                                                                                                                                                                  ce5c7091b685f7520bfe0e538e2605c7d21f3e6fb388233d959440c7a1a818d36f9e1ae92efd35217190df337751fe7e066382277f8d004a0c1f14c68dc1df62

                                                                                                                                                                • \PerfLogs\Admin\backup.exe

                                                                                                                                                                  Filesize

                                                                                                                                                                  72KB

                                                                                                                                                                  MD5

                                                                                                                                                                  fd4b8bb9b87b885636c1ba6f18895c4f

                                                                                                                                                                  SHA1

                                                                                                                                                                  96ab1644501187e59c1e59fe103a175f3c309cee

                                                                                                                                                                  SHA256

                                                                                                                                                                  0ab70bec98a66c9ad31a31e39fd1179b0f42f5dbfddaf27e273c9c87a5d7cce6

                                                                                                                                                                  SHA512

                                                                                                                                                                  b375f75bcf523c488fd83fd3e9c3c450da13df68adc60177b315d47cb971905d420f30dab230bb199b30962d6a5449cf234df9ff2096a32bfec707d1e349bc27

                                                                                                                                                                • \PerfLogs\Admin\backup.exe

                                                                                                                                                                  Filesize

                                                                                                                                                                  72KB

                                                                                                                                                                  MD5

                                                                                                                                                                  fd4b8bb9b87b885636c1ba6f18895c4f

                                                                                                                                                                  SHA1

                                                                                                                                                                  96ab1644501187e59c1e59fe103a175f3c309cee

                                                                                                                                                                  SHA256

                                                                                                                                                                  0ab70bec98a66c9ad31a31e39fd1179b0f42f5dbfddaf27e273c9c87a5d7cce6

                                                                                                                                                                  SHA512

                                                                                                                                                                  b375f75bcf523c488fd83fd3e9c3c450da13df68adc60177b315d47cb971905d420f30dab230bb199b30962d6a5449cf234df9ff2096a32bfec707d1e349bc27

                                                                                                                                                                • \PerfLogs\backup.exe

                                                                                                                                                                  Filesize

                                                                                                                                                                  72KB

                                                                                                                                                                  MD5

                                                                                                                                                                  99621516c1d4e820a4dcbf0d55da9fe3

                                                                                                                                                                  SHA1

                                                                                                                                                                  7ba377a260156893106c3f5c9cd449a2dda3d7ff

                                                                                                                                                                  SHA256

                                                                                                                                                                  478ec135eddcb2b0a181f20eb6b90abb558639e84a8a15e4e9dddef05a5297a0

                                                                                                                                                                  SHA512

                                                                                                                                                                  8679d6b3203126fa76ac3d001ca68088786e48c6e66286c0cedfc86fa0642c7b1e081ee299b72e3861628fc19d6d9be990f9ca1442c7e28d079e1c8d287f8d5a

                                                                                                                                                                • \PerfLogs\backup.exe

                                                                                                                                                                  Filesize

                                                                                                                                                                  72KB

                                                                                                                                                                  MD5

                                                                                                                                                                  99621516c1d4e820a4dcbf0d55da9fe3

                                                                                                                                                                  SHA1

                                                                                                                                                                  7ba377a260156893106c3f5c9cd449a2dda3d7ff

                                                                                                                                                                  SHA256

                                                                                                                                                                  478ec135eddcb2b0a181f20eb6b90abb558639e84a8a15e4e9dddef05a5297a0

                                                                                                                                                                  SHA512

                                                                                                                                                                  8679d6b3203126fa76ac3d001ca68088786e48c6e66286c0cedfc86fa0642c7b1e081ee299b72e3861628fc19d6d9be990f9ca1442c7e28d079e1c8d287f8d5a

                                                                                                                                                                • \Program Files (x86)\Adobe\Reader 9.0\System Restore.exe

                                                                                                                                                                  Filesize

                                                                                                                                                                  72KB

                                                                                                                                                                  MD5

                                                                                                                                                                  2adf5963f10aa6bf78d7152a3c2d8acc

                                                                                                                                                                  SHA1

                                                                                                                                                                  faabf68194e79c2c67ebcf1117ef1b1a67ffb102

                                                                                                                                                                  SHA256

                                                                                                                                                                  a99643e51d51d82068cda5baa793dd2aa67f6c3096d39613e16dffc14049c6b6

                                                                                                                                                                  SHA512

                                                                                                                                                                  65cd6db9bdc4749feedc7d53b0fda3e58f9adf09cb981bb717f9b99404b9a88ec29f7221c2302ca6ebd26270cb5a8bd36c04a5772814ad132e57b766dcb34cbd

                                                                                                                                                                • \Program Files (x86)\Adobe\Reader 9.0\System Restore.exe

                                                                                                                                                                  Filesize

                                                                                                                                                                  72KB

                                                                                                                                                                  MD5

                                                                                                                                                                  2adf5963f10aa6bf78d7152a3c2d8acc

                                                                                                                                                                  SHA1

                                                                                                                                                                  faabf68194e79c2c67ebcf1117ef1b1a67ffb102

                                                                                                                                                                  SHA256

                                                                                                                                                                  a99643e51d51d82068cda5baa793dd2aa67f6c3096d39613e16dffc14049c6b6

                                                                                                                                                                  SHA512

                                                                                                                                                                  65cd6db9bdc4749feedc7d53b0fda3e58f9adf09cb981bb717f9b99404b9a88ec29f7221c2302ca6ebd26270cb5a8bd36c04a5772814ad132e57b766dcb34cbd

                                                                                                                                                                • \Program Files (x86)\Adobe\backup.exe

                                                                                                                                                                  Filesize

                                                                                                                                                                  72KB

                                                                                                                                                                  MD5

                                                                                                                                                                  948da0cf7d46c19db7e0a3f828c1c49c

                                                                                                                                                                  SHA1

                                                                                                                                                                  530a2d880c0cba01d4d48ec4671e71bd1836c225

                                                                                                                                                                  SHA256

                                                                                                                                                                  80695acfd22eaf0b7fd1a1cf6d0f7a46713bb4619cd5fe28a86139449df158a8

                                                                                                                                                                  SHA512

                                                                                                                                                                  793a693c5d04a181b22a6745e0f65596069d7083308a47bd95fb4cd5ab36aa21377182bca7589f96f3034d32b751f7b8d0e7fc3755b42298833733e9e472fb1f

                                                                                                                                                                • \Program Files (x86)\Adobe\backup.exe

                                                                                                                                                                  Filesize

                                                                                                                                                                  72KB

                                                                                                                                                                  MD5

                                                                                                                                                                  948da0cf7d46c19db7e0a3f828c1c49c

                                                                                                                                                                  SHA1

                                                                                                                                                                  530a2d880c0cba01d4d48ec4671e71bd1836c225

                                                                                                                                                                  SHA256

                                                                                                                                                                  80695acfd22eaf0b7fd1a1cf6d0f7a46713bb4619cd5fe28a86139449df158a8

                                                                                                                                                                  SHA512

                                                                                                                                                                  793a693c5d04a181b22a6745e0f65596069d7083308a47bd95fb4cd5ab36aa21377182bca7589f96f3034d32b751f7b8d0e7fc3755b42298833733e9e472fb1f

                                                                                                                                                                • \Program Files (x86)\Common Files\backup.exe

                                                                                                                                                                  Filesize

                                                                                                                                                                  72KB

                                                                                                                                                                • \Program Files (x86)\backup.exe

                                                                                                                                                                  Filesize

                                                                                                                                                                  72KB

                                                                                                                                                                • \Program Files\7-Zip\Lang\backup.exe

                                                                                                                                                                  Filesize

                                                                                                                                                                  72KB

                                                                                                                                                                • \Program Files\7-Zip\backup.exe

                                                                                                                                                                  Filesize

                                                                                                                                                                  72KB

                                                                                                                                                                • \Program Files\Common Files\backup.exe

                                                                                                                                                                  Filesize

                                                                                                                                                                  72KB

                                                                                                                                                                • \Program Files\backup.exe

                                                                                                                                                                  Filesize

                                                                                                                                                                  72KB

                                                                                                                                                                • \Users\Admin\AppData\Local\Temp\485290244\backup.exe

                                                                                                                                                                  Filesize

                                                                                                                                                                  72KB

                                                                                                                                                                • \Users\Admin\AppData\Local\Temp\Low\backup.exe

                                                                                                                                                                  Filesize

                                                                                                                                                                  72KB

                                                                                                                                                                • \Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

                                                                                                                                                                  Filesize

                                                                                                                                                                  72KB


                                                                                                                                                                • \Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

                                                                                                                                                                  Filesize

                                                                                                                                                                  72KB


                                                                                                                                                                • \Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

                                                                                                                                                                  Filesize

                                                                                                                                                                  72KB


                                                                                                                                                                • \Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

                                                                                                                                                                  Filesize

                                                                                                                                                                  72KB


                                                                                                                                                                • \Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

                                                                                                                                                                  Filesize

                                                                                                                                                                  72KB


                                                                                                                                                                • \Users\Admin\backup.exe

                                                                                                                                                                  Filesize

                                                                                                                                                                  72KB


                                                                                                                                                                • \Users\backup.exe

                                                                                                                                                                  Filesize

                                                                                                                                                                  72KB


                                                                                                                                                                • memory/2020-112-0x00000000751A1000-0x00000000751A3000-memory.dmp

                                                                                                                                                                  Filesize

                                                                                                                                                                  8KB

                                                                                                                                                                • memory/2020-139-0x00000000744F1000-0x00000000744F3000-memory.dmp

                                                                                                                                                                  Filesize

                                                                                                                                                                  8KB