Analysis
-
max time kernel
129s -
max time network
46s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64 arch:x86 image:win7-20220812-en locale:en-us os:windows7-x64 system -
submitted
03-10-2022 06:14
Static task
static1
Behavioral task
behavioral1
Sample
26ac3a48341973b7e16eb3f835e72940854aaddcbf391ad04e8411cb5fac7349.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
26ac3a48341973b7e16eb3f835e72940854aaddcbf391ad04e8411cb5fac7349.exe
Resource
win10v2004-20220901-en
General
-
Target
26ac3a48341973b7e16eb3f835e72940854aaddcbf391ad04e8411cb5fac7349.exe
-
Size
72KB
-
MD5
67710f83dad275e6e05937be8313e72d
-
SHA1
7a830da63d877d95cc689df00078276ad6f620a6
-
SHA256
26ac3a48341973b7e16eb3f835e72940854aaddcbf391ad04e8411cb5fac7349
-
SHA512
17ed6cdc58ba9b99413d8a785c1d44c6ebace45f7b66436fcc682e9a2d30cdde02be8ef012ee884a808cfb136e589f41d7d88eb7e4998a687c13e530120936dc
-
SSDEEP
768:NpQNwC3BESe4Vqth+0V5vKlE3BEJwRrTd3FAyBgCg:HeT7BVwxfvqguKRFALCg
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" update.exe Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt 
= "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" 
backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" System Restore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" 
data.exe Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" 
backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" System Restore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" 
backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" data.exe Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" 26ac3a48341973b7e16eb3f835e72940854aaddcbf391ad04e8411cb5fac7349.exe Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe -
Executes dropped EXE 64 IoCs
pid Process 1724 backup.exe 1388 backup.exe 848 backup.exe 1516 backup.exe 1264 backup.exe 1984 backup.exe 700 backup.exe 592 backup.exe 1564 backup.exe 972 backup.exe 1712 backup.exe 300 backup.exe 804 backup.exe 688 backup.exe 1700 backup.exe 108 backup.exe 1056 backup.exe 1320 System Restore.exe 1780 backup.exe 1548 backup.exe 1672 backup.exe 1516 backup.exe 904 backup.exe 308 backup.exe 436 backup.exe 1660 backup.exe 280 backup.exe 796 backup.exe 1252 backup.exe 1720 backup.exe 592 backup.exe 1004 backup.exe 1568 backup.exe 1868 backup.exe 1872 backup.exe 1556 backup.exe 824 backup.exe 2028 backup.exe 1604 data.exe 872 System Restore.exe 1532 backup.exe 1512 backup.exe 1500 backup.exe 2044 backup.exe 1272 backup.exe 1812 backup.exe 524 backup.exe 588 backup.exe 1068 backup.exe 280 backup.exe 268 backup.exe 676 backup.exe 772 data.exe 856 data.exe 748 backup.exe 304 backup.exe 1620 backup.exe 864 backup.exe 1604 backup.exe 1628 backup.exe 1788 backup.exe 2044 backup.exe 1980 backup.exe 1500 backup.exe -
Loads dropped DLL 64 IoCs
pid Process 2020 26ac3a48341973b7e16eb3f835e72940854aaddcbf391ad04e8411cb5fac7349.exe 2020 26ac3a48341973b7e16eb3f835e72940854aaddcbf391ad04e8411cb5fac7349.exe 2020 26ac3a48341973b7e16eb3f835e72940854aaddcbf391ad04e8411cb5fac7349.exe 2020 26ac3a48341973b7e16eb3f835e72940854aaddcbf391ad04e8411cb5fac7349.exe 2020 26ac3a48341973b7e16eb3f835e72940854aaddcbf391ad04e8411cb5fac7349.exe 2020 26ac3a48341973b7e16eb3f835e72940854aaddcbf391ad04e8411cb5fac7349.exe 2020 26ac3a48341973b7e16eb3f835e72940854aaddcbf391ad04e8411cb5fac7349.exe 2020 26ac3a48341973b7e16eb3f835e72940854aaddcbf391ad04e8411cb5fac7349.exe 2020 26ac3a48341973b7e16eb3f835e72940854aaddcbf391ad04e8411cb5fac7349.exe 2020 26ac3a48341973b7e16eb3f835e72940854aaddcbf391ad04e8411cb5fac7349.exe 2020 26ac3a48341973b7e16eb3f835e72940854aaddcbf391ad04e8411cb5fac7349.exe 2020 26ac3a48341973b7e16eb3f835e72940854aaddcbf391ad04e8411cb5fac7349.exe 2020 26ac3a48341973b7e16eb3f835e72940854aaddcbf391ad04e8411cb5fac7349.exe 2020 26ac3a48341973b7e16eb3f835e72940854aaddcbf391ad04e8411cb5fac7349.exe 700 backup.exe 700 backup.exe 1564 backup.exe 1564 backup.exe 700 backup.exe 700 backup.exe 700 backup.exe 700 backup.exe 300 backup.exe 300 backup.exe 1712 backup.exe 1712 backup.exe 700 backup.exe 700 backup.exe 300 backup.exe 1712 backup.exe 300 backup.exe 1712 backup.exe 804 backup.exe 688 backup.exe 804 backup.exe 688 backup.exe 1700 backup.exe 1700 backup.exe 1320 System Restore.exe 1320 System Restore.exe 1548 backup.exe 1056 backup.exe 1548 backup.exe 1056 backup.exe 108 backup.exe 108 backup.exe 308 backup.exe 308 backup.exe 904 backup.exe 1548 backup.exe 904 backup.exe 1548 backup.exe 1320 System Restore.exe 1320 System Restore.exe 308 backup.exe 796 backup.exe 796 backup.exe 1548 backup.exe 1548 backup.exe 308 backup.exe 904 backup.exe 904 backup.exe 1004 backup.exe 1004 backup.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe backup.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe backup.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Help\1028\System Restore.exe backup.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\System Restore.exe backup.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe System Restore.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe backup.exe File opened for modification C:\Program Files\Google\backup.exe backup.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe backup.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Filters\backup.exe backup.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe backup.exe File opened for modification C:\Program Files (x86)\Internet Explorer\de-DE\update.exe backup.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe backup.exe File opened for modification C:\Program Files (x86)\Google\Update\Download\backup.exe data.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\System\ado\it-IT\backup.exe System Restore.exe File opened for modification C:\Program Files (x86)\Common Files\Adobe\Help\en_US\backup.exe backup.exe File opened for modification C:\Program Files (x86)\Google\Policies\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\Microsoft 
Shared\ink\fsdefinitions\auxpad\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe backup.exe File opened for modification C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\backup.exe backup.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\DW\backup.exe backup.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\backup.exe backup.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\System Restore.exe backup.exe File opened for modification C:\Program Files (x86)\Google\Temp\backup.exe backup.exe File opened for modification C:\Program Files\DVD Maker\fr-FR\backup.exe backup.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe backup.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\backup.exe backup.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe backup.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\backup.exe backup.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe backup.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Help\backup.exe backup.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\EURO\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\data.exe backup.exe File opened for modification C:\Program Files\Common Files\Microsoft 
Shared\ink\en-US\data.exe backup.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe backup.exe File opened for modification C:\Program Files (x86)\Google\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe backup.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe System Restore.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\backup.exe backup.exe File opened for modification C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\89.0.4389.114\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\System\ado\ja-JP\backup.exe System Restore.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe backup.exe File opened for modification C:\Program Files (x86)\Adobe\backup.exe backup.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe backup.exe File opened for modification C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\Services\backup.exe backup.exe File opened for modification C:\Program Files\DVD Maker\en-US\backup.exe backup.exe File opened for modification C:\Program Files\DVD Maker\es-ES\backup.exe backup.exe File opened for modification C:\Program Files (x86)\Google\Update\data.exe backup.exe File opened for modification C:\Program Files (x86)\Common Files\DESIGNER\backup.exe backup.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 
9.0\Resource\Font\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\System\backup.exe backup.exe File opened for modification C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\backup.exe System Restore.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\DAO\backup.exe backup.exe File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.71\backup.exe data.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\update.exe backup.exe File opened for modification C:\Program Files (x86)\Common Files\Services\backup.exe backup.exe File opened for modification C:\Program Files\backup.exe backup.exe File opened for modification C:\Program Files (x86)\Common Files\Adobe AIR\Versions\backup.exe backup.exe -
Drops file in Windows directory 11 IoCs
| description | ioc | Process |
| --- | --- | --- |
| File opened for modification | C:\Windows\AppPatch\es-ES\backup.exe | backup.exe |
| File opened for modification | C:\Windows\backup.exe | backup.exe |
| File opened for modification | C:\Windows\AppCompat\backup.exe | backup.exe |
| File opened for modification | C:\Windows\AppPatch\backup.exe | backup.exe |
| File opened for modification | C:\Windows\AppPatch\AppPatch64\backup.exe | backup.exe |
| File opened for modification | C:\Windows\AppPatch\Custom\backup.exe | backup.exe |
| File opened for modification | C:\Windows\AppPatch\Custom\Custom64\backup.exe | backup.exe |
| File opened for modification | C:\Windows\AppPatch\de-DE\backup.exe | backup.exe |
| File opened for modification | C:\Windows\addins\backup.exe | backup.exe |
| File opened for modification | C:\Windows\AppPatch\en-US\backup.exe | backup.exe |
| File opened for modification | C:\Windows\assembly\backup.exe | backup.exe |
-
Enumerates physical storage devices 1 TTPs
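Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour. This is a generic heuristic and is not conclusive by itself: the other signatures in this report appear to describe copies of the executable being dropped into many directories and run from there, so confirm file encryption or a ransom note before classifying the sample as ransomware.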
-
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 2020 26ac3a48341973b7e16eb3f835e72940854aaddcbf391ad04e8411cb5fac7349.exe -
Suspicious use of SetWindowsHookEx 64 IoCs
pid Process 2020 26ac3a48341973b7e16eb3f835e72940854aaddcbf391ad04e8411cb5fac7349.exe 1724 backup.exe 1388 backup.exe 848 backup.exe 1516 backup.exe 1264 backup.exe 1984 backup.exe 700 backup.exe 592 backup.exe 1564 backup.exe 972 backup.exe 1712 backup.exe 300 backup.exe 804 backup.exe 688 backup.exe 1700 backup.exe 1056 backup.exe 108 backup.exe 1320 System Restore.exe 1780 backup.exe 1548 backup.exe 1672 backup.exe 1516 backup.exe 904 backup.exe 308 backup.exe 436 backup.exe 1660 backup.exe 280 backup.exe 796 backup.exe 1252 backup.exe 1720 backup.exe 592 backup.exe 1004 backup.exe 1568 backup.exe 1872 backup.exe 1868 backup.exe 1556 backup.exe 824 backup.exe 2028 backup.exe 1604 data.exe 872 System Restore.exe 1532 backup.exe 1512 backup.exe 1500 backup.exe 2044 backup.exe 1272 backup.exe 1812 backup.exe 524 backup.exe 588 backup.exe 280 backup.exe 1068 backup.exe 268 backup.exe 676 backup.exe 772 data.exe 748 backup.exe 856 data.exe 1620 backup.exe 304 backup.exe 864 backup.exe 1628 backup.exe 1500 backup.exe 1980 backup.exe 1604 backup.exe 1780 backup.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2020 wrote to memory of 1724 2020 26ac3a48341973b7e16eb3f835e72940854aaddcbf391ad04e8411cb5fac7349.exe 28 PID 2020 wrote to memory of 1724 2020 26ac3a48341973b7e16eb3f835e72940854aaddcbf391ad04e8411cb5fac7349.exe 28 PID 2020 wrote to memory of 1724 2020 26ac3a48341973b7e16eb3f835e72940854aaddcbf391ad04e8411cb5fac7349.exe 28 PID 2020 wrote to memory of 1724 2020 26ac3a48341973b7e16eb3f835e72940854aaddcbf391ad04e8411cb5fac7349.exe 28 PID 2020 wrote to memory of 1388 2020 26ac3a48341973b7e16eb3f835e72940854aaddcbf391ad04e8411cb5fac7349.exe 29 PID 2020 wrote to memory of 1388 2020 26ac3a48341973b7e16eb3f835e72940854aaddcbf391ad04e8411cb5fac7349.exe 29 PID 2020 wrote to memory of 1388 2020 26ac3a48341973b7e16eb3f835e72940854aaddcbf391ad04e8411cb5fac7349.exe 29 PID 2020 wrote to memory of 1388 2020 26ac3a48341973b7e16eb3f835e72940854aaddcbf391ad04e8411cb5fac7349.exe 29 PID 2020 wrote to memory of 848 2020 26ac3a48341973b7e16eb3f835e72940854aaddcbf391ad04e8411cb5fac7349.exe 30 PID 2020 wrote to memory of 848 2020 26ac3a48341973b7e16eb3f835e72940854aaddcbf391ad04e8411cb5fac7349.exe 30 PID 2020 wrote to memory of 848 2020 26ac3a48341973b7e16eb3f835e72940854aaddcbf391ad04e8411cb5fac7349.exe 30 PID 2020 wrote to memory of 848 2020 26ac3a48341973b7e16eb3f835e72940854aaddcbf391ad04e8411cb5fac7349.exe 30 PID 2020 wrote to memory of 1516 2020 26ac3a48341973b7e16eb3f835e72940854aaddcbf391ad04e8411cb5fac7349.exe 31 PID 2020 wrote to memory of 1516 2020 26ac3a48341973b7e16eb3f835e72940854aaddcbf391ad04e8411cb5fac7349.exe 31 PID 2020 wrote to memory of 1516 2020 26ac3a48341973b7e16eb3f835e72940854aaddcbf391ad04e8411cb5fac7349.exe 31 PID 2020 wrote to memory of 1516 2020 26ac3a48341973b7e16eb3f835e72940854aaddcbf391ad04e8411cb5fac7349.exe 31 PID 2020 wrote to memory of 1264 2020 26ac3a48341973b7e16eb3f835e72940854aaddcbf391ad04e8411cb5fac7349.exe 32 PID 2020 wrote to memory of 1264 2020 
26ac3a48341973b7e16eb3f835e72940854aaddcbf391ad04e8411cb5fac7349.exe 32 PID 2020 wrote to memory of 1264 2020 26ac3a48341973b7e16eb3f835e72940854aaddcbf391ad04e8411cb5fac7349.exe 32 PID 2020 wrote to memory of 1264 2020 26ac3a48341973b7e16eb3f835e72940854aaddcbf391ad04e8411cb5fac7349.exe 32 PID 2020 wrote to memory of 1984 2020 26ac3a48341973b7e16eb3f835e72940854aaddcbf391ad04e8411cb5fac7349.exe 33 PID 2020 wrote to memory of 1984 2020 26ac3a48341973b7e16eb3f835e72940854aaddcbf391ad04e8411cb5fac7349.exe 33 PID 2020 wrote to memory of 1984 2020 26ac3a48341973b7e16eb3f835e72940854aaddcbf391ad04e8411cb5fac7349.exe 33 PID 2020 wrote to memory of 1984 2020 26ac3a48341973b7e16eb3f835e72940854aaddcbf391ad04e8411cb5fac7349.exe 33 PID 1724 wrote to memory of 700 1724 backup.exe 34 PID 1724 wrote to memory of 700 1724 backup.exe 34 PID 1724 wrote to memory of 700 1724 backup.exe 34 PID 1724 wrote to memory of 700 1724 backup.exe 34 PID 2020 wrote to memory of 592 2020 26ac3a48341973b7e16eb3f835e72940854aaddcbf391ad04e8411cb5fac7349.exe 35 PID 2020 wrote to memory of 592 2020 26ac3a48341973b7e16eb3f835e72940854aaddcbf391ad04e8411cb5fac7349.exe 35 PID 2020 wrote to memory of 592 2020 26ac3a48341973b7e16eb3f835e72940854aaddcbf391ad04e8411cb5fac7349.exe 35 PID 2020 wrote to memory of 592 2020 26ac3a48341973b7e16eb3f835e72940854aaddcbf391ad04e8411cb5fac7349.exe 35 PID 700 wrote to memory of 1564 700 backup.exe 36 PID 700 wrote to memory of 1564 700 backup.exe 36 PID 700 wrote to memory of 1564 700 backup.exe 36 PID 700 wrote to memory of 1564 700 backup.exe 36 PID 1564 wrote to memory of 972 1564 backup.exe 37 PID 1564 wrote to memory of 972 1564 backup.exe 37 PID 1564 wrote to memory of 972 1564 backup.exe 37 PID 1564 wrote to memory of 972 1564 backup.exe 37 PID 700 wrote to memory of 1712 700 backup.exe 38 PID 700 wrote to memory of 1712 700 backup.exe 38 PID 700 wrote to memory of 1712 700 backup.exe 38 PID 700 wrote to memory of 1712 700 backup.exe 38 PID 700 wrote to memory 
of 300 700 backup.exe 39 PID 700 wrote to memory of 300 700 backup.exe 39 PID 700 wrote to memory of 300 700 backup.exe 39 PID 700 wrote to memory of 300 700 backup.exe 39 PID 300 wrote to memory of 804 300 backup.exe 40 PID 300 wrote to memory of 804 300 backup.exe 40 PID 300 wrote to memory of 804 300 backup.exe 40 PID 300 wrote to memory of 804 300 backup.exe 40 PID 1712 wrote to memory of 688 1712 backup.exe 41 PID 1712 wrote to memory of 688 1712 backup.exe 41 PID 1712 wrote to memory of 688 1712 backup.exe 41 PID 1712 wrote to memory of 688 1712 backup.exe 41 PID 700 wrote to memory of 1700 700 backup.exe 42 PID 700 wrote to memory of 1700 700 backup.exe 42 PID 700 wrote to memory of 1700 700 backup.exe 42 PID 700 wrote to memory of 1700 700 backup.exe 42 PID 300 wrote to memory of 1056 300 backup.exe 44 PID 300 wrote to memory of 1056 300 backup.exe 44 PID 300 wrote to memory of 1056 300 backup.exe 44 PID 300 wrote to memory of 1056 300 backup.exe 44 -
System policy modification 1 TTPs 64 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer data.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer backup.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" backup.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" update.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" data.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer backup.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer data.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer backup.exe
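Processes
Reading note: each entry below gives the process image path, then (usually with no separator) its command line, then a number that appears to be the nesting depth in the process tree; the behaviour tags and the PID follow. In the entries shown, every child process runs from the directory it receives as its only argument, under one of the file names backup.exe, update.exe, data.exe or System Restore.exe. PIDs repeat within the run (for example 972, 1512 and 1604), so match a process on image path together with PID rather than on PID alone.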
-
C:\Users\Admin\AppData\Local\Temp\26ac3a48341973b7e16eb3f835e72940854aaddcbf391ad04e8411cb5fac7349.exe"C:\Users\Admin\AppData\Local\Temp\26ac3a48341973b7e16eb3f835e72940854aaddcbf391ad04e8411cb5fac7349.exe"1⤵
- Modifies visibility of file extensions in Explorer
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2020 -
C:\Users\Admin\AppData\Local\Temp\485290244\backup.exeC:\Users\Admin\AppData\Local\Temp\485290244\backup.exe C:\Users\Admin\AppData\Local\Temp\485290244\2⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1724 -
C:\backup.exe \backup.exe \ 3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:700 -
C:\PerfLogs\backup.exeC:\PerfLogs\backup.exe C:\PerfLogs\4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1564 -
C:\PerfLogs\Admin\backup.exeC:\PerfLogs\Admin\backup.exe C:\PerfLogs\Admin\5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:972
-
-
-
C:\Program Files\backup.exe"C:\Program Files\backup.exe" C:\Program Files\4⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1712 -
C:\Program Files\7-Zip\backup.exe"C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\5⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:688 -
C:\Program Files\7-Zip\Lang\backup.exe"C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\6⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1780
-
-
-
C:\Program Files\Common Files\backup.exe"C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:108 -
C:\Program Files\Common Files\Microsoft Shared\backup.exe"C:\Program Files\Common Files\Microsoft Shared\backup.exe" C:\Program Files\Common Files\Microsoft Shared\6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:308 -
C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe"C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:436
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\7⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:592 -
C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1556
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:824
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2028
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\data.exe"C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1604
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1512
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1068
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\en-US\data.exe"C:\Program Files\Common Files\Microsoft Shared\ink\en-US\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:772
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:304
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\8⤵PID:1512
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\8⤵
- Modifies visibility of file extensions in Explorer
PID:1252
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\8⤵PID:984
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\8⤵
- Drops file in Program Files directory
PID:972 -
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\9⤵PID:928
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\9⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:1604
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\9⤵PID:1576
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\9⤵
- Modifies visibility of file extensions in Explorer
PID:1484
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\9⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:612
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\update.exe"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\9⤵PID:856
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\9⤵PID:1588
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\9⤵PID:1596
-
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\update.exe"C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\8⤵PID:1832
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\8⤵PID:1064
-
-
-
C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe"C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\7⤵
- Modifies visibility of file extensions in Explorer
- Drops file in Program Files directory
- System policy modification
PID:1676 -
C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe"C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\8⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:928
-
-
C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe"C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\8⤵
- System policy modification
PID:1324
-
-
C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe"C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\8⤵PID:912
-
-
C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe"C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\8⤵PID:1068
-
-
C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe"C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\8⤵
- Modifies visibility of file extensions in Explorer
PID:1172
-
-
C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe"C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\8⤵PID:768
-
-
-
C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe"C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\7⤵
- System policy modification
PID:1472 -
C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe"C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\8⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:284
-
-
-
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\7⤵PID:1680
-
-
C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe"C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\7⤵PID:556
-
-
C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe"C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\7⤵PID:2000
-
-
-
C:\Program Files\Common Files\Services\backup.exe"C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\6⤵
- Modifies visibility of file extensions in Explorer
- Suspicious use of SetWindowsHookEx
PID:1780
-
-
C:\Program Files\Common Files\SpeechEngines\backup.exe"C:\Program Files\Common Files\SpeechEngines\backup.exe" C:\Program Files\Common Files\SpeechEngines\6⤵PID:1584
-
C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe"C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files\Common Files\SpeechEngines\Microsoft\7⤵
- System policy modification
PID:1296
-
-
-
C:\Program Files\Common Files\System\backup.exe"C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\6⤵
- System policy modification
PID:1560 -
C:\Program Files\Common Files\System\ado\System Restore.exe"C:\Program Files\Common Files\System\ado\System Restore.exe" C:\Program Files\Common Files\System\ado\7⤵
- Drops file in Program Files directory
PID:804 -
C:\Program Files\Common Files\System\ado\de-DE\System Restore.exe"C:\Program Files\Common Files\System\ado\de-DE\System Restore.exe" C:\Program Files\Common Files\System\ado\de-DE\8⤵PID:360
-
-
C:\Program Files\Common Files\System\ado\en-US\backup.exe"C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\8⤵
- Modifies visibility of file extensions in Explorer
PID:912
-
-
C:\Program Files\Common Files\System\ado\es-ES\backup.exe"C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\8⤵PID:556
-
-
C:\Program Files\Common Files\System\ado\fr-FR\backup.exe"C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\8⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:1068
-
-
C:\Program Files\Common Files\System\ado\it-IT\backup.exe"C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\8⤵PID:1732
-
-
C:\Program Files\Common Files\System\ado\ja-JP\backup.exe"C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\8⤵PID:1736
-
-
-
C:\Program Files\Common Files\System\de-DE\backup.exe"C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\7⤵PID:1484
-
-
C:\Program Files\Common Files\System\en-US\data.exe"C:\Program Files\Common Files\System\en-US\data.exe" C:\Program Files\Common Files\System\en-US\7⤵PID:1548
-
-
-
-
C:\Program Files\DVD Maker\backup.exe"C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:1980 -
C:\Program Files\DVD Maker\de-DE\backup.exe"C:\Program Files\DVD Maker\de-DE\backup.exe" C:\Program Files\DVD Maker\de-DE\6⤵PID:1720
-
-
C:\Program Files\DVD Maker\en-US\backup.exe"C:\Program Files\DVD Maker\en-US\backup.exe" C:\Program Files\DVD Maker\en-US\6⤵
- System policy modification
PID:1664
-
-
C:\Program Files\DVD Maker\es-ES\backup.exe"C:\Program Files\DVD Maker\es-ES\backup.exe" C:\Program Files\DVD Maker\es-ES\6⤵PID:1576
-
-
C:\Program Files\DVD Maker\fr-FR\backup.exe"C:\Program Files\DVD Maker\fr-FR\backup.exe" C:\Program Files\DVD Maker\fr-FR\6⤵PID:1484
-
-
C:\Program Files\DVD Maker\it-IT\backup.exe"C:\Program Files\DVD Maker\it-IT\backup.exe" C:\Program Files\DVD Maker\it-IT\6⤵PID:1380
-
-
C:\Program Files\DVD Maker\ja-JP\backup.exe"C:\Program Files\DVD Maker\ja-JP\backup.exe" C:\Program Files\DVD Maker\ja-JP\6⤵PID:1632
-
-
C:\Program Files\DVD Maker\Shared\backup.exe"C:\Program Files\DVD Maker\Shared\backup.exe" C:\Program Files\DVD Maker\Shared\6⤵
- Drops file in Program Files directory
PID:304 -
C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe"C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\7⤵
- Modifies visibility of file extensions in Explorer
- Drops file in Program Files directory
PID:1296 -
C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe"C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\8⤵PID:1392
-
-
C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe"C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\8⤵PID:1536
-
-
C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe"C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\8⤵PID:2028
-
-
C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe"C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Full\8⤵PID:2004
-
-
-
-
-
C:\Program Files\Google\backup.exe"C:\Program Files\Google\backup.exe" C:\Program Files\Google\5⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:1516 -
C:\Program Files\Google\Chrome\backup.exe"C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\6⤵PID:588
-
-
-
C:\Program Files\Internet Explorer\backup.exe"C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\5⤵PID:912
-
-
C:\Program Files\Java\System Restore.exe"C:\Program Files\Java\System Restore.exe" C:\Program Files\Java\5⤵PID:1676
-
-
-
C:\Program Files (x86)\backup.exe"C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\4⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:300 -
C:\Program Files (x86)\Adobe\backup.exe"C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\5⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:804 -
C:\Program Files (x86)\Adobe\Reader 9.0\System Restore.exe"C:\Program Files (x86)\Adobe\Reader 9.0\System Restore.exe" C:\Program Files (x86)\Adobe\Reader 9.0\6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:1320 -
C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1672
-
-
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:796 -
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1252
-
-
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1868
-
-
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1500
-
-
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:524 -
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:588
-
-
-
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:676
-
-
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1620 -
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\9⤵
- Executes dropped EXE
PID:2044
-
-
-
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\8⤵
- Modifies visibility of file extensions in Explorer
PID:1340
-
-
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\8⤵PID:904
-
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\9⤵PID:1488
-
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\10⤵
- System policy modification
PID:1732
-
-
-
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\9⤵
- Modifies visibility of file extensions in Explorer
PID:1668 -
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\10⤵PID:1728
-
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\11⤵PID:588
-
-
-
-
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\9⤵
- Drops file in Program Files directory
PID:1660 -
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\10⤵PID:984
-
-
-
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\9⤵PID:1576
-
-
-
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\System Restore.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\System Restore.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\8⤵PID:1696
-
-
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\8⤵PID:688
-
-
-
C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\7⤵
- Modifies visibility of file extensions in Explorer
- Drops file in Program Files directory
- System policy modification
PID:1240 -
C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\8⤵PID:1728
-
C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\9⤵PID:1516
-
-
-
C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\8⤵PID:676
-
-
C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\8⤵
- Modifies visibility of file extensions in Explorer
- Drops file in Program Files directory
- System policy modification
PID:1508 -
C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\9⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:1620
-
-
C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\9⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:360 -
C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\10⤵
- Drops file in Program Files directory
PID:1632 -
C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\11⤵
- Modifies visibility of file extensions in Explorer
PID:1620
-
-
-
-
-
C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\System Restore.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\System Restore.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\8⤵PID:1392
-
-
-
C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\7⤵PID:1472
-
-
-
-
C:\Program Files (x86)\Common Files\backup.exe"C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:1056 -
C:\Program Files (x86)\Common Files\Adobe\backup.exe"C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\6⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:904 -
C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe"C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\7⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1660
-
-
C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe"C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\7⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:1004 -
C:\Program Files (x86)\Common Files\Adobe\Help\en_US\backup.exe"C:\Program Files (x86)\Common Files\Adobe\Help\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1568 -
C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\System Restore.exe"C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\System Restore.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:872 -
C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\backup.exe"C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\10⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1272
-
-
-
-
-
C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe"C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Updater6\7⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:268
-
-
-
C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe"C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\6⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:748 -
C:\Program Files (x86)\Common Files\Adobe AIR\Versions\backup.exe"C:\Program Files (x86)\Common Files\Adobe AIR\Versions\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\Versions\7⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1628 -
C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\backup.exe"C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\8⤵PID:1596
-
-
-
-
C:\Program Files (x86)\Common Files\DESIGNER\backup.exe"C:\Program Files (x86)\Common Files\DESIGNER\backup.exe" C:\Program Files (x86)\Common Files\DESIGNER\6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1604
-
-
C:\Program Files (x86)\Common Files\microsoft shared\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\6⤵
- Modifies visibility of file extensions in Explorer
- Drops file in Program Files directory
- System policy modification
PID:976 -
C:\Program Files (x86)\Common Files\microsoft shared\DAO\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\DAO\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\DAO\7⤵
- System policy modification
PID:1568
-
-
C:\Program Files (x86)\Common Files\microsoft shared\DW\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\DW\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\DW\7⤵
- Modifies visibility of file extensions in Explorer
PID:1548
-
-
C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\7⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:1628 -
C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\1033\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\1033\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\1033\8⤵
- System policy modification
PID:1524
-
-
-
C:\Program Files (x86)\Common Files\microsoft shared\EURO\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\EURO\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\EURO\7⤵PID:824
-
-
C:\Program Files (x86)\Common Files\microsoft shared\Filters\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\Filters\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Filters\7⤵PID:1336
-
-
C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\7⤵PID:908
-
-
C:\Program Files (x86)\Common Files\microsoft shared\Help\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\Help\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\7⤵
- Drops file in Program Files directory
PID:1556 -
C:\Program Files (x86)\Common Files\microsoft shared\Help\1028\System Restore.exe"C:\Program Files (x86)\Common Files\microsoft shared\Help\1028\System Restore.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1028\8⤵
- Modifies visibility of file extensions in Explorer
- Drops file in Program Files directory
PID:1728
-
-
C:\Program Files (x86)\Common Files\microsoft shared\Help\1031\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\Help\1031\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1031\8⤵PID:1812
-
-
C:\Program Files (x86)\Common Files\microsoft shared\Help\1033\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\Help\1033\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1033\8⤵PID:784
-
-
-
C:\Program Files (x86)\Common Files\microsoft shared\ink\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\ink\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\7⤵PID:776
-
-
C:\Program Files (x86)\Common Files\microsoft shared\MSClientDataMgr\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\MSClientDataMgr\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSClientDataMgr\7⤵PID:1264
-
-
-
C:\Program Files (x86)\Common Files\Services\backup.exe"C:\Program Files (x86)\Common Files\Services\backup.exe" C:\Program Files (x86)\Common Files\Services\6⤵PID:1672
-
-
C:\Program Files (x86)\Common Files\SpeechEngines\System Restore.exe"C:\Program Files (x86)\Common Files\SpeechEngines\System Restore.exe" C:\Program Files (x86)\Common Files\SpeechEngines\6⤵PID:1780
-
-
-
C:\Program Files (x86)\Google\backup.exe"C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\5⤵
- Drops file in Program Files directory
- System policy modification
PID:1048 -
C:\Program Files (x86)\Google\CrashReports\backup.exe"C:\Program Files (x86)\Google\CrashReports\backup.exe" C:\Program Files (x86)\Google\CrashReports\6⤵PID:1660
-
-
C:\Program Files (x86)\Google\Policies\backup.exe"C:\Program Files (x86)\Google\Policies\backup.exe" C:\Program Files (x86)\Google\Policies\6⤵
- System policy modification
PID:1832
-
-
C:\Program Files (x86)\Google\Temp\backup.exe"C:\Program Files (x86)\Google\Temp\backup.exe" C:\Program Files (x86)\Google\Temp\6⤵PID:1620
-
-
C:\Program Files (x86)\Google\Update\data.exe"C:\Program Files (x86)\Google\Update\data.exe" C:\Program Files (x86)\Google\Update\6⤵
- Drops file in Program Files directory
PID:1388 -
C:\Program Files (x86)\Google\Update\1.3.36.71\backup.exe"C:\Program Files (x86)\Google\Update\1.3.36.71\backup.exe" C:\Program Files (x86)\Google\Update\1.3.36.71\7⤵PID:1556
-
-
C:\Program Files (x86)\Google\Update\Download\backup.exe"C:\Program Files (x86)\Google\Update\Download\backup.exe" C:\Program Files (x86)\Google\Update\Download\7⤵
- Modifies visibility of file extensions in Explorer
PID:524 -
C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\backup.exe"C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\backup.exe" C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\8⤵
- Drops file in Program Files directory
- System policy modification
PID:1340 -
C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\89.0.4389.114\backup.exe"C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\89.0.4389.114\backup.exe" C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\89.0.4389.114\9⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:1488
-
-
-
-
C:\Program Files (x86)\Google\Update\Install\backup.exe"C:\Program Files (x86)\Google\Update\Install\backup.exe" C:\Program Files (x86)\Google\Update\Install\7⤵PID:284
-
-
C:\Program Files (x86)\Google\Update\Offline\backup.exe"C:\Program Files (x86)\Google\Update\Offline\backup.exe" C:\Program Files (x86)\Google\Update\Offline\7⤵PID:1384
-
-
-
-
C:\Program Files (x86)\Internet Explorer\backup.exe"C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\5⤵
- Modifies visibility of file extensions in Explorer
- Drops file in Program Files directory
- System policy modification
PID:1984 -
C:\Program Files (x86)\Internet Explorer\de-DE\update.exe"C:\Program Files (x86)\Internet Explorer\de-DE\update.exe" C:\Program Files (x86)\Internet Explorer\de-DE\6⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:1064
-
-
C:\Program Files (x86)\Internet Explorer\en-US\backup.exe"C:\Program Files (x86)\Internet Explorer\en-US\backup.exe" C:\Program Files (x86)\Internet Explorer\en-US\6⤵PID:1132
-
-
C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe"C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe" C:\Program Files (x86)\Internet Explorer\es-ES\6⤵PID:320
-
-
-
C:\Program Files (x86)\Microsoft Analysis Services\backup.exe"C:\Program Files (x86)\Microsoft Analysis Services\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\5⤵PID:1692
-
-
C:\Program Files (x86)\Microsoft Office\System Restore.exe"C:\Program Files (x86)\Microsoft Office\System Restore.exe" C:\Program Files (x86)\Microsoft Office\5⤵PID:676
-
-
-
C:\Users\backup.exe
C:\Users\backup.exe C:\Users\
4 ⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1700 -
C:\Users\Admin\backup.exeC:\Users\Admin\backup.exe C:\Users\Admin\5⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1548 -
C:\Users\Admin\Contacts\backup.exeC:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\6⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1516
-
-
C:\Users\Admin\Desktop\backup.exeC:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\6⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:280
-
-
C:\Users\Admin\Documents\backup.exeC:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1720
-
-
C:\Users\Admin\Downloads\backup.exeC:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1872
-
-
C:\Users\Admin\Favorites\backup.exeC:\Users\Admin\Favorites\backup.exe C:\Users\Admin\Favorites\6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1532
-
-
C:\Users\Admin\Links\backup.exeC:\Users\Admin\Links\backup.exe C:\Users\Admin\Links\6⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2044
-
-
C:\Users\Admin\Music\backup.exeC:\Users\Admin\Music\backup.exe C:\Users\Admin\Music\6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1812
-
-
C:\Users\Admin\Pictures\backup.exeC:\Users\Admin\Pictures\backup.exe C:\Users\Admin\Pictures\6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:280
-
-
C:\Users\Admin\Saved Games\data.exe
"C:\Users\Admin\Saved Games\data.exe" C:\Users\Admin\Saved Games\
6 ⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:856
-
-
C:\Users\Admin\Searches\backup.exeC:\Users\Admin\Searches\backup.exe C:\Users\Admin\Searches\6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:864
-
-
C:\Users\Admin\Videos\backup.exeC:\Users\Admin\Videos\backup.exe C:\Users\Admin\Videos\6⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1500
-
-
-
C:\Users\Public\update.exeC:\Users\Public\update.exe C:\Users\Public\5⤵PID:1124
-
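C:\Users\Public\Documents\backup.exe
C:\Users\Public\Documents\backup.exe C:\Users\Public\Documents\
6 ⤵
PID:280
(PID 280 is also listed for C:\Users\Admin\Desktop\backup.exe and C:\Users\Admin\Pictures\backup.exe in this tree. A PID that recurs across entries is not a unique key, so correlate on image path and command line together with the PID.)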
-
-
C:\Users\Public\Downloads\backup.exeC:\Users\Public\Downloads\backup.exe C:\Users\Public\Downloads\6⤵PID:596
-
-
C:\Users\Public\Music\backup.exeC:\Users\Public\Music\backup.exe C:\Users\Public\Music\6⤵PID:1340
-
C:\Users\Public\Music\Sample Music\backup.exe"C:\Users\Public\Music\Sample Music\backup.exe" C:\Users\Public\Music\Sample Music\7⤵
- System policy modification
PID:776
-
-
-
C:\Users\Public\Pictures\backup.exeC:\Users\Public\Pictures\backup.exe C:\Users\Public\Pictures\6⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:1252 -
C:\Users\Public\Pictures\Sample Pictures\backup.exe"C:\Users\Public\Pictures\Sample Pictures\backup.exe" C:\Users\Public\Pictures\Sample Pictures\7⤵PID:1324
-
-
-
C:\Users\Public\Recorded TV\backup.exe"C:\Users\Public\Recorded TV\backup.exe" C:\Users\Public\Recorded TV\6⤵PID:1776
-
-
C:\Users\Public\Videos\backup.exeC:\Users\Public\Videos\backup.exe C:\Users\Public\Videos\6⤵PID:436
-
-
-
-
C:\Windows\backup.exe
C:\Windows\backup.exe C:\Windows\
4 ⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1788 -
C:\Windows\addins\backup.exeC:\Windows\addins\backup.exe C:\Windows\addins\5⤵
- System policy modification
PID:1068
-
-
C:\Windows\AppCompat\backup.exeC:\Windows\AppCompat\backup.exe C:\Windows\AppCompat\5⤵PID:1612
-
-
C:\Windows\AppPatch\backup.exeC:\Windows\AppPatch\backup.exe C:\Windows\AppPatch\5⤵
- Modifies visibility of file extensions in Explorer
- Drops file in Windows directory
PID:572 -
C:\Windows\AppPatch\AppPatch64\backup.exeC:\Windows\AppPatch\AppPatch64\backup.exe C:\Windows\AppPatch\AppPatch64\6⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:1384
-
-
C:\Windows\AppPatch\Custom\backup.exeC:\Windows\AppPatch\Custom\backup.exe C:\Windows\AppPatch\Custom\6⤵
- Drops file in Windows directory
PID:1808 -
C:\Windows\AppPatch\Custom\Custom64\backup.exeC:\Windows\AppPatch\Custom\Custom64\backup.exe C:\Windows\AppPatch\Custom\Custom64\7⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:1736
-
-
-
C:\Windows\AppPatch\de-DE\backup.exeC:\Windows\AppPatch\de-DE\backup.exe C:\Windows\AppPatch\de-DE\6⤵
- System policy modification
PID:928
-
-
C:\Windows\AppPatch\en-US\backup.exeC:\Windows\AppPatch\en-US\backup.exe C:\Windows\AppPatch\en-US\6⤵PID:824
-
-
C:\Windows\AppPatch\es-ES\backup.exeC:\Windows\AppPatch\es-ES\backup.exe C:\Windows\AppPatch\es-ES\6⤵PID:1720
-
-
C:\Windows\AppPatch\fr-FR\backup.exeC:\Windows\AppPatch\fr-FR\backup.exe C:\Windows\AppPatch\fr-FR\6⤵PID:1684
-
-
-
C:\Windows\assembly\backup.exeC:\Windows\assembly\backup.exe C:\Windows\assembly\5⤵PID:908
-
-
C:\Windows\Branding\backup.exeC:\Windows\Branding\backup.exe C:\Windows\Branding\5⤵PID:1340
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
2 ⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1388
-
-
C:\Users\Admin\AppData\Local\Temp\Low\backup.exeC:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:848
-
-
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe"C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\2⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1516
-
-
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe"C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\2⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1264
-
-
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exeC:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\2⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1984
-
-
C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exeC:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:592
-
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize
72KB
MD5fd4b8bb9b87b885636c1ba6f18895c4f
SHA196ab1644501187e59c1e59fe103a175f3c309cee
SHA2560ab70bec98a66c9ad31a31e39fd1179b0f42f5dbfddaf27e273c9c87a5d7cce6
SHA512b375f75bcf523c488fd83fd3e9c3c450da13df68adc60177b315d47cb971905d420f30dab230bb199b30962d6a5449cf234df9ff2096a32bfec707d1e349bc27
-
Filesize
72KB
MD599621516c1d4e820a4dcbf0d55da9fe3
SHA17ba377a260156893106c3f5c9cd449a2dda3d7ff
SHA256478ec135eddcb2b0a181f20eb6b90abb558639e84a8a15e4e9dddef05a5297a0
SHA5128679d6b3203126fa76ac3d001ca68088786e48c6e66286c0cedfc86fa0642c7b1e081ee299b72e3861628fc19d6d9be990f9ca1442c7e28d079e1c8d287f8d5a
-
Filesize
72KB
MD599621516c1d4e820a4dcbf0d55da9fe3
SHA17ba377a260156893106c3f5c9cd449a2dda3d7ff
SHA256478ec135eddcb2b0a181f20eb6b90abb558639e84a8a15e4e9dddef05a5297a0
SHA5128679d6b3203126fa76ac3d001ca68088786e48c6e66286c0cedfc86fa0642c7b1e081ee299b72e3861628fc19d6d9be990f9ca1442c7e28d079e1c8d287f8d5a
-
Filesize
72KB
MD52adf5963f10aa6bf78d7152a3c2d8acc
SHA1faabf68194e79c2c67ebcf1117ef1b1a67ffb102
SHA256a99643e51d51d82068cda5baa793dd2aa67f6c3096d39613e16dffc14049c6b6
SHA51265cd6db9bdc4749feedc7d53b0fda3e58f9adf09cb981bb717f9b99404b9a88ec29f7221c2302ca6ebd26270cb5a8bd36c04a5772814ad132e57b766dcb34cbd
-
Filesize
72KB
MD5948da0cf7d46c19db7e0a3f828c1c49c
SHA1530a2d880c0cba01d4d48ec4671e71bd1836c225
SHA25680695acfd22eaf0b7fd1a1cf6d0f7a46713bb4619cd5fe28a86139449df158a8
SHA512793a693c5d04a181b22a6745e0f65596069d7083308a47bd95fb4cd5ab36aa21377182bca7589f96f3034d32b751f7b8d0e7fc3755b42298833733e9e472fb1f
-
Filesize
72KB
MD5948da0cf7d46c19db7e0a3f828c1c49c
SHA1530a2d880c0cba01d4d48ec4671e71bd1836c225
SHA25680695acfd22eaf0b7fd1a1cf6d0f7a46713bb4619cd5fe28a86139449df158a8
SHA512793a693c5d04a181b22a6745e0f65596069d7083308a47bd95fb4cd5ab36aa21377182bca7589f96f3034d32b751f7b8d0e7fc3755b42298833733e9e472fb1f
-
Filesize
72KB
MD56b5f1af3869648071850cc7d4d7ce31a
SHA17592cedd45713d3199ba671552d418a4231446d7
SHA25667da648e741384f3ce82388a3780426de21a6e3655a25786bb81909d6b4b3b44
SHA5128076d4de6f3a7ffaf58208374cc417b75d229124def6c9b47057280e24125001ab7d241c4afe7742992fc218fdf560e23ea5095ccde8269e3d9007029170b2d0
-
Filesize
72KB
MD54f4df1ecde3d2e8ebfc868ed5248ccab
SHA1c7d0fd5bbe6289af1b272391d7bac055fa19468d
SHA256a826765dee2b01c1b5278fb4efa247d7e91b2e3db057ea34fb5f9857c2e6e2c5
SHA51282bba99ab8588025a02afdb028a8ed5075618c74a9bc93a0e5aada039af30e7e3ff3615b4f92f002a877063c1148c74aa6787061fafc8ad580f9e2d2686c1e93
-
Filesize
72KB
MD54f4df1ecde3d2e8ebfc868ed5248ccab
SHA1c7d0fd5bbe6289af1b272391d7bac055fa19468d
SHA256a826765dee2b01c1b5278fb4efa247d7e91b2e3db057ea34fb5f9857c2e6e2c5
SHA51282bba99ab8588025a02afdb028a8ed5075618c74a9bc93a0e5aada039af30e7e3ff3615b4f92f002a877063c1148c74aa6787061fafc8ad580f9e2d2686c1e93
-
Filesize
72KB
MD513b26374d52655034a7ed9954151d3ba
SHA14d7a99ff55bddcbd993992b57bcb3bfd5e1b22a7
SHA2568362c1f1457103a9f3fa948bc03b67bfe7b3d3978207eb8ad885fb61c21a93e2
SHA5123c55dfe3c32ec930bd813e339aa9c24aa2c7d1e51dd3b145539113b60c38194e5c5721e8ec2e736de3066f7b528e5d08250b92dce3637e9737fd080b7b3fd46d
-
Filesize
72KB
MD5957e24969249e61a3371932e679bbad9
SHA1d2e16502951280e0a79f45d09dbdda36153b0de9
SHA256d5eb2ab9a401cbc1b615396f4b0d01bf1acd52270eb45c5821b94a34e2c978be
SHA5128377a64031b7e121102fd3a471ce87cba59d0a4bd51ff36c4ab6efd9551bf8828c5e49e329e8640310d9fd9b6a5ee0ddbe4296a8ef0a4c697b959526e08b6f69
-
Filesize
72KB
MD5957e24969249e61a3371932e679bbad9
SHA1d2e16502951280e0a79f45d09dbdda36153b0de9
SHA256d5eb2ab9a401cbc1b615396f4b0d01bf1acd52270eb45c5821b94a34e2c978be
SHA5128377a64031b7e121102fd3a471ce87cba59d0a4bd51ff36c4ab6efd9551bf8828c5e49e329e8640310d9fd9b6a5ee0ddbe4296a8ef0a4c697b959526e08b6f69
-
Filesize
72KB
MD506c8b750cf94bbde6d2307f457508093
SHA18153788af4c69e78cf47d01445350f36ee847697
SHA2566ae4231ea9b199b20a22b82d5c6779ec5bc2eba2606243649fd829f8b931056f
SHA5122695eaf41e33d86194521b5602400a641d1185dfb2ea8ac8f26c65991a8a05c22c1b68bd7c23caf5671bb9bc894eedda56f22c2840e3dda3134216f532f2d59c
-
Filesize
72KB
MD599621516c1d4e820a4dcbf0d55da9fe3
SHA17ba377a260156893106c3f5c9cd449a2dda3d7ff
SHA256478ec135eddcb2b0a181f20eb6b90abb558639e84a8a15e4e9dddef05a5297a0
SHA5128679d6b3203126fa76ac3d001ca68088786e48c6e66286c0cedfc86fa0642c7b1e081ee299b72e3861628fc19d6d9be990f9ca1442c7e28d079e1c8d287f8d5a
-
Filesize
72KB
MD599621516c1d4e820a4dcbf0d55da9fe3
SHA17ba377a260156893106c3f5c9cd449a2dda3d7ff
SHA256478ec135eddcb2b0a181f20eb6b90abb558639e84a8a15e4e9dddef05a5297a0
SHA5128679d6b3203126fa76ac3d001ca68088786e48c6e66286c0cedfc86fa0642c7b1e081ee299b72e3861628fc19d6d9be990f9ca1442c7e28d079e1c8d287f8d5a
-
Filesize
72KB
MD53c8b72f1f4e7b427ba91a90c024acf68
SHA1b4d17d3cc9eec21fefc7d5b0f48d116d9e7c435d
SHA2562b22ae13e10f525e679bd7fafe139113b9f7eec2ac2e269d2ebb3c1254debd10
SHA5122bc9514c32cd90b6168352e3940f56117fbd41e77c60a6882807cb8420696d72723ee092049e063b1b370487d5ae56e7264195cca41b313ecb834ecf0b1cf899
-
Filesize
72KB
MD53c8b72f1f4e7b427ba91a90c024acf68
SHA1b4d17d3cc9eec21fefc7d5b0f48d116d9e7c435d
SHA2562b22ae13e10f525e679bd7fafe139113b9f7eec2ac2e269d2ebb3c1254debd10
SHA5122bc9514c32cd90b6168352e3940f56117fbd41e77c60a6882807cb8420696d72723ee092049e063b1b370487d5ae56e7264195cca41b313ecb834ecf0b1cf899
-
Filesize
72KB
MD598cc41f2da013bcb2ac383ea97a8cc3a
SHA1f9fb565fbe2299a09a03cd32a0d1bc5b831c836f
SHA256570a95779ad04d6570f0227af0cd29fe6fbeab7df0f2f42d55d4a21818d259c5
SHA512a5821b68aeb966c6199b7708dad0a2864d777c6d4f5d0d5b6650fc96c9d9b77191d4f625847dd8b1f445406d0acefa308f44c3fdc92f1813ff0be5359bb1d797
-
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
Filesize: 72KB
MD5: 98cc41f2da013bcb2ac383ea97a8cc3a
SHA1: f9fb565fbe2299a09a03cd32a0d1bc5b831c836f
SHA256: 570a95779ad04d6570f0227af0cd29fe6fbeab7df0f2f42d55d4a21818d259c5
SHA512: a5821b68aeb966c6199b7708dad0a2864d777c6d4f5d0d5b6650fc96c9d9b77191d4f625847dd8b1f445406d0acefa308f44c3fdc92f1813ff0be5359bb1d797
-
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
Filesize: 72KB
MD5: 98cc41f2da013bcb2ac383ea97a8cc3a
SHA1: f9fb565fbe2299a09a03cd32a0d1bc5b831c836f
SHA256: 570a95779ad04d6570f0227af0cd29fe6fbeab7df0f2f42d55d4a21818d259c5
SHA512: a5821b68aeb966c6199b7708dad0a2864d777c6d4f5d0d5b6650fc96c9d9b77191d4f625847dd8b1f445406d0acefa308f44c3fdc92f1813ff0be5359bb1d797
-
Filesize
72KB
MD55c014ffcbac5986a556db088d621cfba
SHA182d79ff5d1fd37a76cebf1f9aad2e6b795d640da
SHA256cb1427748901b013831404d239a14f226f44681604634922e38f72d9f80fbaec
SHA512e78b5af9bd69d6ca9515bf543fbe2d699355e79ec97a8529381b6ed9612dddeaa85931c94fd9fb490683eb20d405aae001100017aed5e14d5c656d8781ccfb6a
-
Filesize
72KB
MD598cc41f2da013bcb2ac383ea97a8cc3a
SHA1f9fb565fbe2299a09a03cd32a0d1bc5b831c836f
SHA256570a95779ad04d6570f0227af0cd29fe6fbeab7df0f2f42d55d4a21818d259c5
SHA512a5821b68aeb966c6199b7708dad0a2864d777c6d4f5d0d5b6650fc96c9d9b77191d4f625847dd8b1f445406d0acefa308f44c3fdc92f1813ff0be5359bb1d797
-
Filesize
72KB
MD598cc41f2da013bcb2ac383ea97a8cc3a
SHA1f9fb565fbe2299a09a03cd32a0d1bc5b831c836f
SHA256570a95779ad04d6570f0227af0cd29fe6fbeab7df0f2f42d55d4a21818d259c5
SHA512a5821b68aeb966c6199b7708dad0a2864d777c6d4f5d0d5b6650fc96c9d9b77191d4f625847dd8b1f445406d0acefa308f44c3fdc92f1813ff0be5359bb1d797
-
Filesize
72KB
MD5fa5463ac1c209d1eb4f12201672dd315
SHA1a23a0d89443dbebc10d0fd30a98fff30799455c5
SHA256d62e4c37c17d33b932c2af37ca369b7baf139e7818f985b359c6ef4d49b87dc4
SHA512e91cb25152d083bb5ebaebdd248fdd27f3e318c9a5f9f1eb6af882d892ed56906dca97799bf374cf2300be2726e56a4a3ab00a35121e8ac348e0e27115ef8f59
-
Filesize
72KB
MD5fa5463ac1c209d1eb4f12201672dd315
SHA1a23a0d89443dbebc10d0fd30a98fff30799455c5
SHA256d62e4c37c17d33b932c2af37ca369b7baf139e7818f985b359c6ef4d49b87dc4
SHA512e91cb25152d083bb5ebaebdd248fdd27f3e318c9a5f9f1eb6af882d892ed56906dca97799bf374cf2300be2726e56a4a3ab00a35121e8ac348e0e27115ef8f59
-
Filesize
72KB
MD5adcd7238c514c04db52cb2f9b4ee54c1
SHA1ffd893cbae6be282728717ac1e9ba05152b75d28
SHA256e1b5f2956cda8bf49947b85b9a9c378808fa35017c1521763de874c461ffb978
SHA512ce5c7091b685f7520bfe0e538e2605c7d21f3e6fb388233d959440c7a1a818d36f9e1ae92efd35217190df337751fe7e066382277f8d004a0c1f14c68dc1df62
-
Filesize
72KB
MD5adcd7238c514c04db52cb2f9b4ee54c1
SHA1ffd893cbae6be282728717ac1e9ba05152b75d28
SHA256e1b5f2956cda8bf49947b85b9a9c378808fa35017c1521763de874c461ffb978
SHA512ce5c7091b685f7520bfe0e538e2605c7d21f3e6fb388233d959440c7a1a818d36f9e1ae92efd35217190df337751fe7e066382277f8d004a0c1f14c68dc1df62
-
Filesize
72KB
MD5fd4b8bb9b87b885636c1ba6f18895c4f
SHA196ab1644501187e59c1e59fe103a175f3c309cee
SHA2560ab70bec98a66c9ad31a31e39fd1179b0f42f5dbfddaf27e273c9c87a5d7cce6
SHA512b375f75bcf523c488fd83fd3e9c3c450da13df68adc60177b315d47cb971905d420f30dab230bb199b30962d6a5449cf234df9ff2096a32bfec707d1e349bc27
-
Filesize
72KB
MD5fd4b8bb9b87b885636c1ba6f18895c4f
SHA196ab1644501187e59c1e59fe103a175f3c309cee
SHA2560ab70bec98a66c9ad31a31e39fd1179b0f42f5dbfddaf27e273c9c87a5d7cce6
SHA512b375f75bcf523c488fd83fd3e9c3c450da13df68adc60177b315d47cb971905d420f30dab230bb199b30962d6a5449cf234df9ff2096a32bfec707d1e349bc27
-
Filesize
72KB
MD599621516c1d4e820a4dcbf0d55da9fe3
SHA17ba377a260156893106c3f5c9cd449a2dda3d7ff
SHA256478ec135eddcb2b0a181f20eb6b90abb558639e84a8a15e4e9dddef05a5297a0
SHA5128679d6b3203126fa76ac3d001ca68088786e48c6e66286c0cedfc86fa0642c7b1e081ee299b72e3861628fc19d6d9be990f9ca1442c7e28d079e1c8d287f8d5a
-
Filesize
72KB
MD599621516c1d4e820a4dcbf0d55da9fe3
SHA17ba377a260156893106c3f5c9cd449a2dda3d7ff
SHA256478ec135eddcb2b0a181f20eb6b90abb558639e84a8a15e4e9dddef05a5297a0
SHA5128679d6b3203126fa76ac3d001ca68088786e48c6e66286c0cedfc86fa0642c7b1e081ee299b72e3861628fc19d6d9be990f9ca1442c7e28d079e1c8d287f8d5a
-
Filesize
72KB
MD52adf5963f10aa6bf78d7152a3c2d8acc
SHA1faabf68194e79c2c67ebcf1117ef1b1a67ffb102
SHA256a99643e51d51d82068cda5baa793dd2aa67f6c3096d39613e16dffc14049c6b6
SHA51265cd6db9bdc4749feedc7d53b0fda3e58f9adf09cb981bb717f9b99404b9a88ec29f7221c2302ca6ebd26270cb5a8bd36c04a5772814ad132e57b766dcb34cbd
-
Filesize
72KB
MD52adf5963f10aa6bf78d7152a3c2d8acc
SHA1faabf68194e79c2c67ebcf1117ef1b1a67ffb102
SHA256a99643e51d51d82068cda5baa793dd2aa67f6c3096d39613e16dffc14049c6b6
SHA51265cd6db9bdc4749feedc7d53b0fda3e58f9adf09cb981bb717f9b99404b9a88ec29f7221c2302ca6ebd26270cb5a8bd36c04a5772814ad132e57b766dcb34cbd
-
Filesize
72KB
MD5948da0cf7d46c19db7e0a3f828c1c49c
SHA1530a2d880c0cba01d4d48ec4671e71bd1836c225
SHA25680695acfd22eaf0b7fd1a1cf6d0f7a46713bb4619cd5fe28a86139449df158a8
SHA512793a693c5d04a181b22a6745e0f65596069d7083308a47bd95fb4cd5ab36aa21377182bca7589f96f3034d32b751f7b8d0e7fc3755b42298833733e9e472fb1f
-
Filesize
72KB
MD5948da0cf7d46c19db7e0a3f828c1c49c
SHA1530a2d880c0cba01d4d48ec4671e71bd1836c225
SHA25680695acfd22eaf0b7fd1a1cf6d0f7a46713bb4619cd5fe28a86139449df158a8
SHA512793a693c5d04a181b22a6745e0f65596069d7083308a47bd95fb4cd5ab36aa21377182bca7589f96f3034d32b751f7b8d0e7fc3755b42298833733e9e472fb1f
-
Filesize
72KB
MD56b5f1af3869648071850cc7d4d7ce31a
SHA17592cedd45713d3199ba671552d418a4231446d7
SHA25667da648e741384f3ce82388a3780426de21a6e3655a25786bb81909d6b4b3b44
SHA5128076d4de6f3a7ffaf58208374cc417b75d229124def6c9b47057280e24125001ab7d241c4afe7742992fc218fdf560e23ea5095ccde8269e3d9007029170b2d0
-
Filesize
72KB
MD56b5f1af3869648071850cc7d4d7ce31a
SHA17592cedd45713d3199ba671552d418a4231446d7
SHA25667da648e741384f3ce82388a3780426de21a6e3655a25786bb81909d6b4b3b44
SHA5128076d4de6f3a7ffaf58208374cc417b75d229124def6c9b47057280e24125001ab7d241c4afe7742992fc218fdf560e23ea5095ccde8269e3d9007029170b2d0
-
Filesize
72KB
MD54f4df1ecde3d2e8ebfc868ed5248ccab
SHA1c7d0fd5bbe6289af1b272391d7bac055fa19468d
SHA256a826765dee2b01c1b5278fb4efa247d7e91b2e3db057ea34fb5f9857c2e6e2c5
SHA51282bba99ab8588025a02afdb028a8ed5075618c74a9bc93a0e5aada039af30e7e3ff3615b4f92f002a877063c1148c74aa6787061fafc8ad580f9e2d2686c1e93
-
Filesize
72KB
MD54f4df1ecde3d2e8ebfc868ed5248ccab
SHA1c7d0fd5bbe6289af1b272391d7bac055fa19468d
SHA256a826765dee2b01c1b5278fb4efa247d7e91b2e3db057ea34fb5f9857c2e6e2c5
SHA51282bba99ab8588025a02afdb028a8ed5075618c74a9bc93a0e5aada039af30e7e3ff3615b4f92f002a877063c1148c74aa6787061fafc8ad580f9e2d2686c1e93
-
Filesize
72KB
MD513b26374d52655034a7ed9954151d3ba
SHA14d7a99ff55bddcbd993992b57bcb3bfd5e1b22a7
SHA2568362c1f1457103a9f3fa948bc03b67bfe7b3d3978207eb8ad885fb61c21a93e2
SHA5123c55dfe3c32ec930bd813e339aa9c24aa2c7d1e51dd3b145539113b60c38194e5c5721e8ec2e736de3066f7b528e5d08250b92dce3637e9737fd080b7b3fd46d
-
Filesize
72KB
MD513b26374d52655034a7ed9954151d3ba
SHA14d7a99ff55bddcbd993992b57bcb3bfd5e1b22a7
SHA2568362c1f1457103a9f3fa948bc03b67bfe7b3d3978207eb8ad885fb61c21a93e2
SHA5123c55dfe3c32ec930bd813e339aa9c24aa2c7d1e51dd3b145539113b60c38194e5c5721e8ec2e736de3066f7b528e5d08250b92dce3637e9737fd080b7b3fd46d
-
Filesize
72KB
MD5957e24969249e61a3371932e679bbad9
SHA1d2e16502951280e0a79f45d09dbdda36153b0de9
SHA256d5eb2ab9a401cbc1b615396f4b0d01bf1acd52270eb45c5821b94a34e2c978be
SHA5128377a64031b7e121102fd3a471ce87cba59d0a4bd51ff36c4ab6efd9551bf8828c5e49e329e8640310d9fd9b6a5ee0ddbe4296a8ef0a4c697b959526e08b6f69
-
Filesize
72KB
MD5957e24969249e61a3371932e679bbad9
SHA1d2e16502951280e0a79f45d09dbdda36153b0de9
SHA256d5eb2ab9a401cbc1b615396f4b0d01bf1acd52270eb45c5821b94a34e2c978be
SHA5128377a64031b7e121102fd3a471ce87cba59d0a4bd51ff36c4ab6efd9551bf8828c5e49e329e8640310d9fd9b6a5ee0ddbe4296a8ef0a4c697b959526e08b6f69
-
Filesize
72KB
MD506c8b750cf94bbde6d2307f457508093
SHA18153788af4c69e78cf47d01445350f36ee847697
SHA2566ae4231ea9b199b20a22b82d5c6779ec5bc2eba2606243649fd829f8b931056f
SHA5122695eaf41e33d86194521b5602400a641d1185dfb2ea8ac8f26c65991a8a05c22c1b68bd7c23caf5671bb9bc894eedda56f22c2840e3dda3134216f532f2d59c
-
Filesize
72KB
MD506c8b750cf94bbde6d2307f457508093
SHA18153788af4c69e78cf47d01445350f36ee847697
SHA2566ae4231ea9b199b20a22b82d5c6779ec5bc2eba2606243649fd829f8b931056f
SHA5122695eaf41e33d86194521b5602400a641d1185dfb2ea8ac8f26c65991a8a05c22c1b68bd7c23caf5671bb9bc894eedda56f22c2840e3dda3134216f532f2d59c
-
Filesize
72KB
MD5 99621516c1d4e820a4dcbf0d55da9fe3
SHA1 7ba377a260156893106c3f5c9cd449a2dda3d7ff
SHA256 478ec135eddcb2b0a181f20eb6b90abb558639e84a8a15e4e9dddef05a5297a0
SHA512 8679d6b3203126fa76ac3d001ca68088786e48c6e66286c0cedfc86fa0642c7b1e081ee299b72e3861628fc19d6d9be990f9ca1442c7e28d079e1c8d287f8d5a
-
Filesize
72KB
MD5 99621516c1d4e820a4dcbf0d55da9fe3
SHA1 7ba377a260156893106c3f5c9cd449a2dda3d7ff
SHA256 478ec135eddcb2b0a181f20eb6b90abb558639e84a8a15e4e9dddef05a5297a0
SHA512 8679d6b3203126fa76ac3d001ca68088786e48c6e66286c0cedfc86fa0642c7b1e081ee299b72e3861628fc19d6d9be990f9ca1442c7e28d079e1c8d287f8d5a
-
Filesize
72KB
MD5 3c8b72f1f4e7b427ba91a90c024acf68
SHA1 b4d17d3cc9eec21fefc7d5b0f48d116d9e7c435d
SHA256 2b22ae13e10f525e679bd7fafe139113b9f7eec2ac2e269d2ebb3c1254debd10
SHA512 2bc9514c32cd90b6168352e3940f56117fbd41e77c60a6882807cb8420696d72723ee092049e063b1b370487d5ae56e7264195cca41b313ecb834ecf0b1cf899
-
Filesize
72KB
MD5 3c8b72f1f4e7b427ba91a90c024acf68
SHA1 b4d17d3cc9eec21fefc7d5b0f48d116d9e7c435d
SHA256 2b22ae13e10f525e679bd7fafe139113b9f7eec2ac2e269d2ebb3c1254debd10
SHA512 2bc9514c32cd90b6168352e3940f56117fbd41e77c60a6882807cb8420696d72723ee092049e063b1b370487d5ae56e7264195cca41b313ecb834ecf0b1cf899
-
Filesize
72KB
MD5 98cc41f2da013bcb2ac383ea97a8cc3a
SHA1 f9fb565fbe2299a09a03cd32a0d1bc5b831c836f
SHA256 570a95779ad04d6570f0227af0cd29fe6fbeab7df0f2f42d55d4a21818d259c5
SHA512 a5821b68aeb966c6199b7708dad0a2864d777c6d4f5d0d5b6650fc96c9d9b77191d4f625847dd8b1f445406d0acefa308f44c3fdc92f1813ff0be5359bb1d797
-
Filesize
72KB
MD5 98cc41f2da013bcb2ac383ea97a8cc3a
SHA1 f9fb565fbe2299a09a03cd32a0d1bc5b831c836f
SHA256 570a95779ad04d6570f0227af0cd29fe6fbeab7df0f2f42d55d4a21818d259c5
SHA512 a5821b68aeb966c6199b7708dad0a2864d777c6d4f5d0d5b6650fc96c9d9b77191d4f625847dd8b1f445406d0acefa308f44c3fdc92f1813ff0be5359bb1d797
-
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
Filesize 72KB
MD5 98cc41f2da013bcb2ac383ea97a8cc3a
SHA1 f9fb565fbe2299a09a03cd32a0d1bc5b831c836f
SHA256 570a95779ad04d6570f0227af0cd29fe6fbeab7df0f2f42d55d4a21818d259c5
SHA512 a5821b68aeb966c6199b7708dad0a2864d777c6d4f5d0d5b6650fc96c9d9b77191d4f625847dd8b1f445406d0acefa308f44c3fdc92f1813ff0be5359bb1d797
-
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
Filesize 72KB
MD5 98cc41f2da013bcb2ac383ea97a8cc3a
SHA1 f9fb565fbe2299a09a03cd32a0d1bc5b831c836f
SHA256 570a95779ad04d6570f0227af0cd29fe6fbeab7df0f2f42d55d4a21818d259c5
SHA512 a5821b68aeb966c6199b7708dad0a2864d777c6d4f5d0d5b6650fc96c9d9b77191d4f625847dd8b1f445406d0acefa308f44c3fdc92f1813ff0be5359bb1d797
-
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
Filesize 72KB
MD5 98cc41f2da013bcb2ac383ea97a8cc3a
SHA1 f9fb565fbe2299a09a03cd32a0d1bc5b831c836f
SHA256 570a95779ad04d6570f0227af0cd29fe6fbeab7df0f2f42d55d4a21818d259c5
SHA512 a5821b68aeb966c6199b7708dad0a2864d777c6d4f5d0d5b6650fc96c9d9b77191d4f625847dd8b1f445406d0acefa308f44c3fdc92f1813ff0be5359bb1d797
-
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
Filesize 72KB
MD5 98cc41f2da013bcb2ac383ea97a8cc3a
SHA1 f9fb565fbe2299a09a03cd32a0d1bc5b831c836f
SHA256 570a95779ad04d6570f0227af0cd29fe6fbeab7df0f2f42d55d4a21818d259c5
SHA512 a5821b68aeb966c6199b7708dad0a2864d777c6d4f5d0d5b6650fc96c9d9b77191d4f625847dd8b1f445406d0acefa308f44c3fdc92f1813ff0be5359bb1d797
-
Filesize
72KB
MD5 5c014ffcbac5986a556db088d621cfba
SHA1 82d79ff5d1fd37a76cebf1f9aad2e6b795d640da
SHA256 cb1427748901b013831404d239a14f226f44681604634922e38f72d9f80fbaec
SHA512 e78b5af9bd69d6ca9515bf543fbe2d699355e79ec97a8529381b6ed9612dddeaa85931c94fd9fb490683eb20d405aae001100017aed5e14d5c656d8781ccfb6a
-
Filesize
72KB
MD5 5c014ffcbac5986a556db088d621cfba
SHA1 82d79ff5d1fd37a76cebf1f9aad2e6b795d640da
SHA256 cb1427748901b013831404d239a14f226f44681604634922e38f72d9f80fbaec
SHA512 e78b5af9bd69d6ca9515bf543fbe2d699355e79ec97a8529381b6ed9612dddeaa85931c94fd9fb490683eb20d405aae001100017aed5e14d5c656d8781ccfb6a
-
Filesize
72KB
MD5 98cc41f2da013bcb2ac383ea97a8cc3a
SHA1 f9fb565fbe2299a09a03cd32a0d1bc5b831c836f
SHA256 570a95779ad04d6570f0227af0cd29fe6fbeab7df0f2f42d55d4a21818d259c5
SHA512 a5821b68aeb966c6199b7708dad0a2864d777c6d4f5d0d5b6650fc96c9d9b77191d4f625847dd8b1f445406d0acefa308f44c3fdc92f1813ff0be5359bb1d797
-
Filesize
72KB
MD5 98cc41f2da013bcb2ac383ea97a8cc3a
SHA1 f9fb565fbe2299a09a03cd32a0d1bc5b831c836f
SHA256 570a95779ad04d6570f0227af0cd29fe6fbeab7df0f2f42d55d4a21818d259c5
SHA512 a5821b68aeb966c6199b7708dad0a2864d777c6d4f5d0d5b6650fc96c9d9b77191d4f625847dd8b1f445406d0acefa308f44c3fdc92f1813ff0be5359bb1d797
-
Filesize
72KB
MD5 98cc41f2da013bcb2ac383ea97a8cc3a
SHA1 f9fb565fbe2299a09a03cd32a0d1bc5b831c836f
SHA256 570a95779ad04d6570f0227af0cd29fe6fbeab7df0f2f42d55d4a21818d259c5
SHA512 a5821b68aeb966c6199b7708dad0a2864d777c6d4f5d0d5b6650fc96c9d9b77191d4f625847dd8b1f445406d0acefa308f44c3fdc92f1813ff0be5359bb1d797
-
Filesize
72KB
MD5 98cc41f2da013bcb2ac383ea97a8cc3a
SHA1 f9fb565fbe2299a09a03cd32a0d1bc5b831c836f
SHA256 570a95779ad04d6570f0227af0cd29fe6fbeab7df0f2f42d55d4a21818d259c5
SHA512 a5821b68aeb966c6199b7708dad0a2864d777c6d4f5d0d5b6650fc96c9d9b77191d4f625847dd8b1f445406d0acefa308f44c3fdc92f1813ff0be5359bb1d797
-
Filesize
72KB
MD5 5f88bc9a091aed3c2645a2bf72298eaf
SHA1 a59e2d7996217150479376c8c016d401d368edf8
SHA256 9249aa6fd7d0243dccf8f6b3871d7e9fd4248d02c0a19aee664ea60ee959901b
SHA512 a899d0e10cc2b316400c1247ea57178be55194bdcf6106e272edd64b1ea344dcb06324347014004d725bd61ba069b41156dcad3ed0203effa235726e594aacee
-
Filesize
72KB
MD5 fa5463ac1c209d1eb4f12201672dd315
SHA1 a23a0d89443dbebc10d0fd30a98fff30799455c5
SHA256 d62e4c37c17d33b932c2af37ca369b7baf139e7818f985b359c6ef4d49b87dc4
SHA512 e91cb25152d083bb5ebaebdd248fdd27f3e318c9a5f9f1eb6af882d892ed56906dca97799bf374cf2300be2726e56a4a3ab00a35121e8ac348e0e27115ef8f59
-
Filesize
72KB
MD5 fa5463ac1c209d1eb4f12201672dd315
SHA1 a23a0d89443dbebc10d0fd30a98fff30799455c5
SHA256 d62e4c37c17d33b932c2af37ca369b7baf139e7818f985b359c6ef4d49b87dc4
SHA512 e91cb25152d083bb5ebaebdd248fdd27f3e318c9a5f9f1eb6af882d892ed56906dca97799bf374cf2300be2726e56a4a3ab00a35121e8ac348e0e27115ef8f59