2bc84ce19d506f70574bf15c0aea5ccd9c3c290e3963946086e063cef4962a05

Analysis

max time kernel
152s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
11/10/2022, 01:36

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2bc84ce19d506f70574bf15c0aea5ccd9c3c290e3963946086e063cef4962a05.exe
Size

72KB
MD5

7d1be24d6bb221d5ea7b914e7b685210
SHA1

ceeb3ff44374a7cb3713deda6c35101fea9cb6e2
SHA256

2bc84ce19d506f70574bf15c0aea5ccd9c3c290e3963946086e063cef4962a05
SHA512

7c72a3a8206b91cfb98d74c7b8911b5b32e5158e74723bfe1f0824520bd1df0e58659d69e1b42590eab96e38355eaabf6f1be65b140147499d0b3cd41bc95260
SSDEEP

384:N6wayA+1mwnA353BXR+oGfPmfm4MlcTGXdhjwroyY2rebV5O6KgxWb/83BXR+oG7:NpQNwC3BESe4Vqth+0V5vKlE3BEJwRrW

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe

Executes dropped EXE 64 IoCs

pid	Process
1800	backup.exe
276	backup.exe
2016	backup.exe
1740	backup.exe
996	backup.exe
908	backup.exe
584	backup.exe
1120	backup.exe
1200	backup.exe
1580	backup.exe
1940	backup.exe
616	backup.exe
1556	backup.exe
1520	backup.exe
1312	backup.exe
872	backup.exe
1652	backup.exe
1788	backup.exe
1112	backup.exe
2036	backup.exe
1996	backup.exe
368	backup.exe
988	backup.exe
904	System Restore.exe
908	data.exe
1912	backup.exe
1596	backup.exe
1624	backup.exe
1380	backup.exe
1132	backup.exe
704	backup.exe
672	backup.exe
1356	backup.exe
1084	backup.exe
1036	backup.exe
1236	backup.exe
2012	backup.exe
544	backup.exe
1300	backup.exe
1048	backup.exe
788	backup.exe
1780	backup.exe
872	backup.exe
1864	backup.exe
1216	System Restore.exe
1788	backup.exe
2028	backup.exe
1988	backup.exe
1740	backup.exe
1824	backup.exe
1004	backup.exe
1364	backup.exe
524	backup.exe
584	backup.exe
1912	backup.exe
1596	backup.exe
1624	data.exe
1384	backup.exe
1328	backup.exe
1352	backup.exe
1200	backup.exe
472	backup.exe
1756	backup.exe
1348	backup.exe

Loads dropped DLL 64 IoCs

pid	Process
1088	2bc84ce19d506f70574bf15c0aea5ccd9c3c290e3963946086e063cef4962a05.exe
1088	2bc84ce19d506f70574bf15c0aea5ccd9c3c290e3963946086e063cef4962a05.exe
1088	2bc84ce19d506f70574bf15c0aea5ccd9c3c290e3963946086e063cef4962a05.exe
1088	2bc84ce19d506f70574bf15c0aea5ccd9c3c290e3963946086e063cef4962a05.exe
1088	2bc84ce19d506f70574bf15c0aea5ccd9c3c290e3963946086e063cef4962a05.exe
1088	2bc84ce19d506f70574bf15c0aea5ccd9c3c290e3963946086e063cef4962a05.exe
1088	2bc84ce19d506f70574bf15c0aea5ccd9c3c290e3963946086e063cef4962a05.exe
1088	2bc84ce19d506f70574bf15c0aea5ccd9c3c290e3963946086e063cef4962a05.exe
1088	2bc84ce19d506f70574bf15c0aea5ccd9c3c290e3963946086e063cef4962a05.exe
1088	2bc84ce19d506f70574bf15c0aea5ccd9c3c290e3963946086e063cef4962a05.exe
1088	2bc84ce19d506f70574bf15c0aea5ccd9c3c290e3963946086e063cef4962a05.exe
1088	2bc84ce19d506f70574bf15c0aea5ccd9c3c290e3963946086e063cef4962a05.exe
1088	2bc84ce19d506f70574bf15c0aea5ccd9c3c290e3963946086e063cef4962a05.exe
1088	2bc84ce19d506f70574bf15c0aea5ccd9c3c290e3963946086e063cef4962a05.exe
1120	backup.exe
1120	backup.exe
1200	backup.exe
1200	backup.exe
1120	backup.exe
1120	backup.exe
1940	backup.exe
1940	backup.exe
616	backup.exe
616	backup.exe
1940	backup.exe
1940	backup.exe
1520	backup.exe
1520	backup.exe
1312	backup.exe
1312	backup.exe
1312	backup.exe
1312	backup.exe
1652	backup.exe
1652	backup.exe
1652	backup.exe
1652	backup.exe
1652	backup.exe
1652	backup.exe
1652	backup.exe
1652	backup.exe
1652	backup.exe
1652	backup.exe
1652	backup.exe
1652	backup.exe
1652	backup.exe
1652	backup.exe
1652	backup.exe
1652	backup.exe
1652	backup.exe
1652	backup.exe
1652	backup.exe
1652	backup.exe
1652	backup.exe
1652	backup.exe
1652	backup.exe
1652	backup.exe
1380	backup.exe
1380	backup.exe
1380	backup.exe
1380	backup.exe
1380	backup.exe
1380	backup.exe
1380	backup.exe
1380	backup.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\update.exe	backup.exe
File opened for modification	C:\Program Files\Reference Assemblies\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\data.exe	update.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\update.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe	backup.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\AppPatch\data.exe	backup.exe
File opened for modification	C:\Windows\assembly\backup.exe	backup.exe
File opened for modification	C:\Windows\Boot\backup.exe	backup.exe
File opened for modification	C:\Windows\Branding\backup.exe	backup.exe
File opened for modification	C:\Windows\CSC\backup.exe	backup.exe
File opened for modification	C:\Windows\backup.exe	backup.exe
File opened for modification	C:\Windows\addins\backup.exe	backup.exe
File opened for modification	C:\Windows\AppCompat\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1088	2bc84ce19d506f70574bf15c0aea5ccd9c3c290e3963946086e063cef4962a05.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1088	2bc84ce19d506f70574bf15c0aea5ccd9c3c290e3963946086e063cef4962a05.exe
1800	backup.exe
276	backup.exe
2016	backup.exe
1740	backup.exe
996	backup.exe
908	backup.exe
584	backup.exe
1120	backup.exe
1200	backup.exe
1580	backup.exe
1940	backup.exe
616	backup.exe
1556	backup.exe
1520	backup.exe
1312	backup.exe
872	backup.exe
1652	backup.exe
1788	backup.exe
1112	backup.exe
2036	backup.exe
1996	backup.exe
368	backup.exe
988	backup.exe
904	System Restore.exe
908	data.exe
1912	backup.exe
1596	backup.exe
1624	backup.exe
1380	backup.exe
1132	backup.exe
704	backup.exe
672	backup.exe
1356	backup.exe
1084	backup.exe
1036	backup.exe
1236	backup.exe
2012	backup.exe
544	backup.exe
1300	backup.exe
1048	backup.exe
788	backup.exe
1780	backup.exe
872	backup.exe
1864	backup.exe
1216	System Restore.exe
1788	backup.exe
2028	backup.exe
1988	backup.exe
1740	backup.exe
1824	backup.exe
1004	backup.exe
1364	backup.exe
524	backup.exe
584	backup.exe
1912	backup.exe
1596	backup.exe
1624	data.exe
1384	backup.exe
1328	backup.exe
1352	backup.exe
1200	backup.exe
472	backup.exe
1756	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1088 wrote to memory of 1800	1088	2bc84ce19d506f70574bf15c0aea5ccd9c3c290e3963946086e063cef4962a05.exe	28
PID 1088 wrote to memory of 1800	1088	2bc84ce19d506f70574bf15c0aea5ccd9c3c290e3963946086e063cef4962a05.exe	28
PID 1088 wrote to memory of 1800	1088	2bc84ce19d506f70574bf15c0aea5ccd9c3c290e3963946086e063cef4962a05.exe	28
PID 1088 wrote to memory of 1800	1088	2bc84ce19d506f70574bf15c0aea5ccd9c3c290e3963946086e063cef4962a05.exe	28
PID 1088 wrote to memory of 276	1088	2bc84ce19d506f70574bf15c0aea5ccd9c3c290e3963946086e063cef4962a05.exe	29
PID 1088 wrote to memory of 276	1088	2bc84ce19d506f70574bf15c0aea5ccd9c3c290e3963946086e063cef4962a05.exe	29
PID 1088 wrote to memory of 276	1088	2bc84ce19d506f70574bf15c0aea5ccd9c3c290e3963946086e063cef4962a05.exe	29
PID 1088 wrote to memory of 276	1088	2bc84ce19d506f70574bf15c0aea5ccd9c3c290e3963946086e063cef4962a05.exe	29
PID 1088 wrote to memory of 2016	1088	2bc84ce19d506f70574bf15c0aea5ccd9c3c290e3963946086e063cef4962a05.exe	30
PID 1088 wrote to memory of 2016	1088	2bc84ce19d506f70574bf15c0aea5ccd9c3c290e3963946086e063cef4962a05.exe	30
PID 1088 wrote to memory of 2016	1088	2bc84ce19d506f70574bf15c0aea5ccd9c3c290e3963946086e063cef4962a05.exe	30
PID 1088 wrote to memory of 2016	1088	2bc84ce19d506f70574bf15c0aea5ccd9c3c290e3963946086e063cef4962a05.exe	30
PID 1088 wrote to memory of 1740	1088	2bc84ce19d506f70574bf15c0aea5ccd9c3c290e3963946086e063cef4962a05.exe	31
PID 1088 wrote to memory of 1740	1088	2bc84ce19d506f70574bf15c0aea5ccd9c3c290e3963946086e063cef4962a05.exe	31
PID 1088 wrote to memory of 1740	1088	2bc84ce19d506f70574bf15c0aea5ccd9c3c290e3963946086e063cef4962a05.exe	31
PID 1088 wrote to memory of 1740	1088	2bc84ce19d506f70574bf15c0aea5ccd9c3c290e3963946086e063cef4962a05.exe	31
PID 1088 wrote to memory of 996	1088	2bc84ce19d506f70574bf15c0aea5ccd9c3c290e3963946086e063cef4962a05.exe	32
PID 1088 wrote to memory of 996	1088	2bc84ce19d506f70574bf15c0aea5ccd9c3c290e3963946086e063cef4962a05.exe	32
PID 1088 wrote to memory of 996	1088	2bc84ce19d506f70574bf15c0aea5ccd9c3c290e3963946086e063cef4962a05.exe	32
PID 1088 wrote to memory of 996	1088	2bc84ce19d506f70574bf15c0aea5ccd9c3c290e3963946086e063cef4962a05.exe	32
PID 1088 wrote to memory of 908	1088	2bc84ce19d506f70574bf15c0aea5ccd9c3c290e3963946086e063cef4962a05.exe	33
PID 1088 wrote to memory of 908	1088	2bc84ce19d506f70574bf15c0aea5ccd9c3c290e3963946086e063cef4962a05.exe	33
PID 1088 wrote to memory of 908	1088	2bc84ce19d506f70574bf15c0aea5ccd9c3c290e3963946086e063cef4962a05.exe	33
PID 1088 wrote to memory of 908	1088	2bc84ce19d506f70574bf15c0aea5ccd9c3c290e3963946086e063cef4962a05.exe	33
PID 1088 wrote to memory of 584	1088	2bc84ce19d506f70574bf15c0aea5ccd9c3c290e3963946086e063cef4962a05.exe	34
PID 1088 wrote to memory of 584	1088	2bc84ce19d506f70574bf15c0aea5ccd9c3c290e3963946086e063cef4962a05.exe	34
PID 1088 wrote to memory of 584	1088	2bc84ce19d506f70574bf15c0aea5ccd9c3c290e3963946086e063cef4962a05.exe	34
PID 1088 wrote to memory of 584	1088	2bc84ce19d506f70574bf15c0aea5ccd9c3c290e3963946086e063cef4962a05.exe	34
PID 1800 wrote to memory of 1120	1800	backup.exe	35
PID 1800 wrote to memory of 1120	1800	backup.exe	35
PID 1800 wrote to memory of 1120	1800	backup.exe	35
PID 1800 wrote to memory of 1120	1800	backup.exe	35
PID 1120 wrote to memory of 1200	1120	backup.exe	36
PID 1120 wrote to memory of 1200	1120	backup.exe	36
PID 1120 wrote to memory of 1200	1120	backup.exe	36
PID 1120 wrote to memory of 1200	1120	backup.exe	36
PID 1200 wrote to memory of 1580	1200	backup.exe	37
PID 1200 wrote to memory of 1580	1200	backup.exe	37
PID 1200 wrote to memory of 1580	1200	backup.exe	37
PID 1200 wrote to memory of 1580	1200	backup.exe	37
PID 1120 wrote to memory of 1940	1120	backup.exe	38
PID 1120 wrote to memory of 1940	1120	backup.exe	38
PID 1120 wrote to memory of 1940	1120	backup.exe	38
PID 1120 wrote to memory of 1940	1120	backup.exe	38
PID 1940 wrote to memory of 616	1940	backup.exe	39
PID 1940 wrote to memory of 616	1940	backup.exe	39
PID 1940 wrote to memory of 616	1940	backup.exe	39
PID 1940 wrote to memory of 616	1940	backup.exe	39
PID 616 wrote to memory of 1556	616	backup.exe	40
PID 616 wrote to memory of 1556	616	backup.exe	40
PID 616 wrote to memory of 1556	616	backup.exe	40
PID 616 wrote to memory of 1556	616	backup.exe	40
PID 1940 wrote to memory of 1520	1940	backup.exe	41
PID 1940 wrote to memory of 1520	1940	backup.exe	41
PID 1940 wrote to memory of 1520	1940	backup.exe	41
PID 1940 wrote to memory of 1520	1940	backup.exe	41
PID 1520 wrote to memory of 1312	1520	backup.exe	42
PID 1520 wrote to memory of 1312	1520	backup.exe	42
PID 1520 wrote to memory of 1312	1520	backup.exe	42
PID 1520 wrote to memory of 1312	1520	backup.exe	42
PID 1312 wrote to memory of 872	1312	backup.exe	43
PID 1312 wrote to memory of 872	1312	backup.exe	43
PID 1312 wrote to memory of 872	1312	backup.exe	43
PID 1312 wrote to memory of 872	1312	backup.exe	43

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe

C:\Users\Admin\AppData\Local\Temp\2bc84ce19d506f70574bf15c0aea5ccd9c3c290e3963946086e063cef4962a05.exe
"C:\Users\Admin\AppData\Local\Temp\2bc84ce19d506f70574bf15c0aea5ccd9c3c290e3963946086e063cef4962a05.exe"
1⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1088
- C:\Users\Admin\AppData\Local\Temp\2492428818\backup.exe
  C:\Users\Admin\AppData\Local\Temp\2492428818\backup.exe C:\Users\Admin\AppData\Local\Temp\2492428818\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1800
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1120
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1200
    - - C:\PerfLogs\Admin\backup.exe
        
        C:\PerfLogs\Admin\backup.exe C:\PerfLogs\Admin\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1580
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1940
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:616
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1556
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1520
      - C:\Program Files\Common Files\Microsoft Shared\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\backup.exe" C:\Program Files\Common Files\Microsoft Shared\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1312
        
        C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:872
        
        C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1652
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1788
        
        C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1112
        
        C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2036
        
        C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1996
        
        C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:368
        
        C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:988
        
        C:\Program Files\Common Files\Microsoft Shared\ink\en-US\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:904
        
        C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:908
        
        C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1912
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1596
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1624
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1380
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1132
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:704
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:672
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1356
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1084
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1036
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1236
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2012
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:544
        
        C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1300
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1048
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:788
        
        C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1780
        
        C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:872
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1864
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1216
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1788
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2028
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1988
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1740
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1824
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1004
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1364
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:524
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:584
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1912
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1596
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1624
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1384
        
        C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1328
        
        C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1352
        
        C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1200
        
        C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:472
        
        C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1756
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:1348
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\
        8⤵
        
        PID:1920
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:616
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\
        8⤵
        System policy modification
        
        PID:544
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1828
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\
        8⤵
        
        PID:588
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\
        8⤵
        
        PID:1600
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\update.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:788
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\data.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\
        8⤵
        
        PID:2024
        
        C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1848
        
        C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\
        7⤵
        
        PID:368
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\
        7⤵
        Drops file in Program Files directory
        
        PID:1392
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\
        8⤵
        
        PID:1184
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1436
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\
        8⤵
        System policy modification
        
        PID:1784
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\
        8⤵
        System policy modification
        
        PID:1084
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\
        8⤵
        
        PID:1652
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\update.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\
        8⤵
        
        PID:696
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\update.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\
        7⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:1348
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:872
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\
        8⤵
        
        PID:1764
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\
        8⤵
        System policy modification
        
        PID:2024
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\
        8⤵
        
        PID:1596
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\
        8⤵
        System policy modification
        
        PID:672
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\
        8⤵
        
        PID:1200
        
        C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VC\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1084
        
        C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VGX\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1652
        
        C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1392
        
        C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\
        8⤵
        System policy modification
        
        PID:956
        
        C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\
        9⤵
        
        PID:368
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:872
      - C:\Program Files\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\backup.exe" C:\Program Files\Common Files\SpeechEngines\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2032
        
        C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files\Common Files\SpeechEngines\Microsoft\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1332
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:1620
        
        C:\Program Files\Common Files\System\ado\backup.exe
        
        "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:1052
        
        C:\Program Files\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
        8⤵
        
        PID:592
        
        C:\Program Files\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
        8⤵
        System policy modification
        
        PID:1872
        
        C:\Program Files\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1408
        
        C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
        8⤵
        System policy modification
        
        PID:616
        
        C:\Program Files\Common Files\System\ado\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1420
        
        C:\Program Files\Common Files\System\ado\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\
        8⤵
        
        PID:1864
        
        C:\Program Files\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        System policy modification
        
        PID:2040
        
        C:\Program Files\Common Files\System\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1824
        
        C:\Program Files\Common Files\System\es-ES\data.exe
        
        "C:\Program Files\Common Files\System\es-ES\data.exe" C:\Program Files\Common Files\System\es-ES\
        7⤵
        System policy modification
        
        PID:964
        
        C:\Program Files\Common Files\System\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\fr-FR\backup.exe" C:\Program Files\Common Files\System\fr-FR\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:908
        
        C:\Program Files\Common Files\System\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\it-IT\backup.exe" C:\Program Files\Common Files\System\it-IT\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1160
        
        C:\Program Files\Common Files\System\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ja-JP\backup.exe" C:\Program Files\Common Files\System\ja-JP\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1872
        
        C:\Program Files\Common Files\System\msadc\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\backup.exe" C:\Program Files\Common Files\System\msadc\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1408
        
        C:\Program Files\Common Files\System\msadc\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\de-DE\backup.exe" C:\Program Files\Common Files\System\msadc\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1828
        
        C:\Program Files\Common Files\System\msadc\en-US\System Restore.exe
        
        "C:\Program Files\Common Files\System\msadc\en-US\System Restore.exe" C:\Program Files\Common Files\System\msadc\en-US\
        8⤵
        System policy modification
        
        PID:1832
        
        C:\Program Files\Common Files\System\msadc\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\es-ES\backup.exe" C:\Program Files\Common Files\System\msadc\es-ES\
        8⤵
        
        PID:1936
        
        C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe" C:\Program Files\Common Files\System\msadc\fr-FR\
        8⤵
        
        PID:1112
        
        C:\Program Files\Common Files\System\msadc\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\it-IT\backup.exe" C:\Program Files\Common Files\System\msadc\it-IT\
        8⤵
        System policy modification
        
        PID:1372
        
        C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe" C:\Program Files\Common Files\System\msadc\ja-JP\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1764
        
        C:\Program Files\Common Files\System\Ole DB\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\backup.exe" C:\Program Files\Common Files\System\Ole DB\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:856
        
        C:\Program Files\Common Files\System\Ole DB\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\de-DE\backup.exe" C:\Program Files\Common Files\System\Ole DB\de-DE\
        8⤵
        
        PID:1184
        
        C:\Program Files\Common Files\System\Ole DB\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\en-US\backup.exe" C:\Program Files\Common Files\System\Ole DB\en-US\
        8⤵
        System policy modification
        
        PID:704
        
        C:\Program Files\Common Files\System\Ole DB\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\es-ES\backup.exe" C:\Program Files\Common Files\System\Ole DB\es-ES\
        8⤵
        
        PID:592
        
        C:\Program Files\Common Files\System\Ole DB\fr-FR\data.exe
        
        "C:\Program Files\Common Files\System\Ole DB\fr-FR\data.exe" C:\Program Files\Common Files\System\Ole DB\fr-FR\
        8⤵
        System policy modification
        
        PID:928
        
        C:\Program Files\Common Files\System\Ole DB\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\it-IT\backup.exe" C:\Program Files\Common Files\System\Ole DB\it-IT\
        8⤵
        
        PID:1860
        
        C:\Program Files\Common Files\System\Ole DB\ja-JP\System Restore.exe
        
        "C:\Program Files\Common Files\System\Ole DB\ja-JP\System Restore.exe" C:\Program Files\Common Files\System\Ole DB\ja-JP\
        8⤵
        
        PID:1712
    - - C:\Program Files\DVD Maker\backup.exe
        
        "C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\
        5⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:636
      - C:\Program Files\DVD Maker\de-DE\backup.exe
        
        "C:\Program Files\DVD Maker\de-DE\backup.exe" C:\Program Files\DVD Maker\de-DE\
        6⤵
        
        PID:1788
      - C:\Program Files\DVD Maker\en-US\backup.exe
        
        "C:\Program Files\DVD Maker\en-US\backup.exe" C:\Program Files\DVD Maker\en-US\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1984
      - C:\Program Files\DVD Maker\es-ES\backup.exe
        
        "C:\Program Files\DVD Maker\es-ES\backup.exe" C:\Program Files\DVD Maker\es-ES\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1136
      - C:\Program Files\DVD Maker\fr-FR\backup.exe
        
        "C:\Program Files\DVD Maker\fr-FR\backup.exe" C:\Program Files\DVD Maker\fr-FR\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:908
      - C:\Program Files\DVD Maker\it-IT\backup.exe
        
        "C:\Program Files\DVD Maker\it-IT\backup.exe" C:\Program Files\DVD Maker\it-IT\
        6⤵
        
        PID:1720
      - C:\Program Files\DVD Maker\ja-JP\backup.exe
        
        "C:\Program Files\DVD Maker\ja-JP\backup.exe" C:\Program Files\DVD Maker\ja-JP\
        6⤵
        
        PID:612
      - C:\Program Files\DVD Maker\Shared\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\backup.exe" C:\Program Files\DVD Maker\Shared\
        6⤵
        
        PID:824
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\
        7⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:1352
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\
        8⤵
        
        PID:1188
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\
        8⤵
        
        PID:1556
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\
        8⤵
        System policy modification
        
        PID:1832
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Full\
        8⤵
        
        PID:1976
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\
        8⤵
        
        PID:1748
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\
        8⤵
        System policy modification
        
        PID:1980
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\
        8⤵
        
        PID:1364
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2036
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:584
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\
        8⤵
        
        PID:1180
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Push\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Push\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Push\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:332
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\
        8⤵
        
        PID:1532
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\
        8⤵
        
        PID:1300
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\
        8⤵
        
        PID:548
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\
        8⤵
        System policy modification
        
        PID:1592
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\
        8⤵
        
        PID:2020
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\
        8⤵
        
        PID:1052
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\
        8⤵
        
        PID:988
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\
        8⤵
        
        PID:1388
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1332
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        Drops file in Program Files directory
        
        PID:964
      - C:\Program Files\Google\Chrome\backup.exe
        
        "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
        6⤵
        
        PID:1992
        
        C:\Program Files\Google\Chrome\Application\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\backup.exe" C:\Program Files\Google\Chrome\Application\
        7⤵
        Drops file in Program Files directory
        
        PID:1552
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\
        8⤵
        Drops file in Program Files directory
        
        PID:536
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\
        9⤵
        System policy modification
        
        PID:1784
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\
        9⤵
        
        PID:572
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\
        9⤵
        
        PID:1956
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1084
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\
        9⤵
        
        PID:1920
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\
        9⤵
        
        PID:904
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\
        9⤵
        
        PID:1300
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\
        9⤵
        System policy modification
        
        PID:276
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\
        10⤵
        
        PID:872
        
        C:\Program Files\Google\Chrome\Application\Dictionaries\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\Dictionaries\backup.exe" C:\Program Files\Google\Chrome\Application\Dictionaries\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2044
        
        C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe" C:\Program Files\Google\Chrome\Application\SetupMetrics\
        8⤵
        
        PID:1996
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        
        PID:1592
      - C:\Program Files\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files\Internet Explorer\de-DE\backup.exe" C:\Program Files\Internet Explorer\de-DE\
        6⤵
        
        PID:536
      - C:\Program Files\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files\Internet Explorer\en-US\backup.exe" C:\Program Files\Internet Explorer\en-US\
        6⤵
        
        PID:2044
    - - C:\Program Files\Java\update.exe
        
        "C:\Program Files\Java\update.exe" C:\Program Files\Java\
        5⤵
        
        PID:1080
    - - C:\Program Files\Microsoft Games\backup.exe
        
        "C:\Program Files\Microsoft Games\backup.exe" C:\Program Files\Microsoft Games\
        5⤵
        
        PID:1136
    - - C:\Program Files\Microsoft Office\backup.exe
        
        "C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
        5⤵
        
        PID:1632
    - - C:\Program Files\Mozilla Firefox\backup.exe
        
        "C:\Program Files\Mozilla Firefox\backup.exe" C:\Program Files\Mozilla Firefox\
        5⤵
        
        PID:1084
    - - C:\Program Files\MSBuild\backup.exe
        
        "C:\Program Files\MSBuild\backup.exe" C:\Program Files\MSBuild\
        5⤵
        
        PID:788
    - - C:\Program Files\Reference Assemblies\backup.exe
        
        "C:\Program Files\Reference Assemblies\backup.exe" C:\Program Files\Reference Assemblies\
        5⤵
        
        PID:1068
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Drops file in Program Files directory
      PID:1396
    - - C:\Program Files (x86)\Adobe\data.exe
        
        "C:\Program Files (x86)\Adobe\data.exe" C:\Program Files (x86)\Adobe\
        5⤵
        
        PID:2028
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:548
      - C:\Program Files (x86)\Common Files\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
        6⤵
        
        PID:1180
      - C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\
        6⤵
        
        PID:1036
      - C:\Program Files (x86)\Common Files\DESIGNER\backup.exe
        
        "C:\Program Files (x86)\Common Files\DESIGNER\backup.exe" C:\Program Files (x86)\Common Files\DESIGNER\
        6⤵
        
        PID:588
      - C:\Program Files (x86)\Common Files\microsoft shared\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\
        6⤵
        
        PID:1720
      - C:\Program Files (x86)\Common Files\Services\backup.exe
        
        "C:\Program Files (x86)\Common Files\Services\backup.exe" C:\Program Files (x86)\Common Files\Services\
        6⤵
        
        PID:2032
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        
        PID:1824
      - C:\Program Files (x86)\Google\CrashReports\backup.exe
        
        "C:\Program Files (x86)\Google\CrashReports\backup.exe" C:\Program Files (x86)\Google\CrashReports\
        6⤵
        
        PID:572
      - C:\Program Files (x86)\Google\Policies\backup.exe
        
        "C:\Program Files (x86)\Google\Policies\backup.exe" C:\Program Files (x86)\Google\Policies\
        6⤵
        
        PID:1556
      - C:\Program Files (x86)\Google\Temp\update.exe
        
        "C:\Program Files (x86)\Google\Temp\update.exe" C:\Program Files (x86)\Google\Temp\
        6⤵
        
        PID:1484
      - C:\Program Files (x86)\Google\Update\backup.exe
        
        "C:\Program Files (x86)\Google\Update\backup.exe" C:\Program Files (x86)\Google\Update\
        6⤵
        
        PID:472
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        
        PID:560
    - - C:\Program Files (x86)\Microsoft Analysis Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\
        5⤵
        
        PID:1408
    - - C:\Program Files (x86)\Microsoft Office\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\backup.exe" C:\Program Files (x86)\Microsoft Office\
        5⤵
        
        PID:1160
    - - C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\
        5⤵
        
        PID:1288
    - - C:\Program Files (x86)\Microsoft Sync Framework\backup.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\backup.exe" C:\Program Files (x86)\Microsoft Sync Framework\
        5⤵
        
        PID:1392
    - - C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe" C:\Program Files (x86)\Microsoft Synchronization Services\
        5⤵
        
        PID:704
  - - C:\Users\System Restore.exe
      "C:\Users\System Restore.exe" C:\Users\
      4⤵
      Modifies visibility of file extensions in Explorer
      System policy modification
      PID:1652
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        
        PID:1600
      - C:\Users\Admin\Contacts\backup.exe
        
        C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
        6⤵
        
        PID:1052
      - C:\Users\Admin\Desktop\update.exe
        
        C:\Users\Admin\Desktop\update.exe C:\Users\Admin\Desktop\
        6⤵
        
        PID:1716
      - C:\Users\Admin\Documents\backup.exe
        
        C:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\
        6⤵
        
        PID:1764
      - C:\Users\Admin\Downloads\backup.exe
        
        C:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\
        6⤵
        
        PID:564
      - C:\Users\Admin\Favorites\backup.exe
        
        C:\Users\Admin\Favorites\backup.exe C:\Users\Admin\Favorites\
        6⤵
        
        PID:616
      - C:\Users\Admin\Links\backup.exe
        
        C:\Users\Admin\Links\backup.exe C:\Users\Admin\Links\
        6⤵
        
        PID:1056
      - C:\Users\Admin\Music\backup.exe
        
        C:\Users\Admin\Music\backup.exe C:\Users\Admin\Music\
        6⤵
        
        PID:672
    - - C:\Users\Public\backup.exe
        
        C:\Users\Public\backup.exe C:\Users\Public\
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1924
      - C:\Users\Public\Documents\backup.exe
        
        C:\Users\Public\Documents\backup.exe C:\Users\Public\Documents\
        6⤵
        
        PID:904
      - C:\Users\Public\Downloads\backup.exe
        
        C:\Users\Public\Downloads\backup.exe C:\Users\Public\Downloads\
        6⤵
        
        PID:1864
      - C:\Users\Public\Music\backup.exe
        
        C:\Users\Public\Music\backup.exe C:\Users\Public\Music\
        6⤵
        
        PID:1348
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      Drops file in Windows directory
      PID:952
    - - C:\Windows\addins\backup.exe
        
        C:\Windows\addins\backup.exe C:\Windows\addins\
        5⤵
        
        PID:1388
    - - C:\Windows\AppCompat\backup.exe
        
        C:\Windows\AppCompat\backup.exe C:\Windows\AppCompat\
        5⤵
        
        PID:1252
    - - C:\Windows\AppPatch\data.exe
        
        C:\Windows\AppPatch\data.exe C:\Windows\AppPatch\
        5⤵
        
        PID:576
    - - C:\Windows\assembly\backup.exe
        
        C:\Windows\assembly\backup.exe C:\Windows\assembly\
        5⤵
        
        PID:976
    - - C:\Windows\Branding\backup.exe
        
        C:\Windows\Branding\backup.exe C:\Windows\Branding\
        5⤵
        
        PID:1936
    - - C:\Windows\CSC\backup.exe
        
        C:\Windows\CSC\backup.exe C:\Windows\CSC\
        5⤵
        
        PID:1516
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:276
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2016
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1740
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:996
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:908
- C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
  C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:584

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
5dece1e53043be30f9305bf301766e2f

SHA1
5a47367024e3372cf8a963a516a17051c5311ede

SHA256
3b158d7ffac5b5120270f4db1522ce85ac39c3415e2997610317d777147e955b

SHA512
88f6de2fd1414f152f69e9b6f54d70cd487458f44a2c7f808d3840eba45778d3a156fed721d1caa020ff2c8413de4b11ee0cfe82a7f0449602f620ced55926e0

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
5854c9be91735feaace8c65396ec74fc

SHA1
68829eadafedd4fcce853be9fb2f8de80a4ed34d

SHA256
bc8c1cc8493c63477faa3c9d0aa44bd4e1560e8ed21c42bd5bcb6fec582e977d

SHA512
2fae6018db7dcb1f7d9f4ed5dfce5a54e9d1ec09e824a17ea604351abdbf218459d9d729a003b312639929302391b7d64ce4d4a735918aff03efb44ba7c9658d

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
5854c9be91735feaace8c65396ec74fc

SHA1
68829eadafedd4fcce853be9fb2f8de80a4ed34d

SHA256
bc8c1cc8493c63477faa3c9d0aa44bd4e1560e8ed21c42bd5bcb6fec582e977d

SHA512
2fae6018db7dcb1f7d9f4ed5dfce5a54e9d1ec09e824a17ea604351abdbf218459d9d729a003b312639929302391b7d64ce4d4a735918aff03efb44ba7c9658d

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
050fb5dd59d9a98eda90607ad4534461

SHA1
7ac33fe67500dc7ac3027c4dd682ec7ea29271de

SHA256
6d663f767ed9f59675e60d7e91d88e63b26a7d6cbb94b9e484f4adb4e26df283

SHA512
d514bc2a96f8001993f643ca0bbf38a02eedd9ca29d2692f46c1d2a1048a551d4e705612482f758a73904d852ec147bcec671e8f199c53b9e0dcc901c6ec8e00

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
5dece1e53043be30f9305bf301766e2f

SHA1
5a47367024e3372cf8a963a516a17051c5311ede

SHA256
3b158d7ffac5b5120270f4db1522ce85ac39c3415e2997610317d777147e955b

SHA512
88f6de2fd1414f152f69e9b6f54d70cd487458f44a2c7f808d3840eba45778d3a156fed721d1caa020ff2c8413de4b11ee0cfe82a7f0449602f620ced55926e0

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
5dece1e53043be30f9305bf301766e2f

SHA1
5a47367024e3372cf8a963a516a17051c5311ede

SHA256
3b158d7ffac5b5120270f4db1522ce85ac39c3415e2997610317d777147e955b

SHA512
88f6de2fd1414f152f69e9b6f54d70cd487458f44a2c7f808d3840eba45778d3a156fed721d1caa020ff2c8413de4b11ee0cfe82a7f0449602f620ced55926e0

Download Submit
C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
4a4d19da76bba059744340a06d82701e

SHA1
c182f9aa369bf5d67496073e41751c956c7f9727

SHA256
7a3c5a4cf708f24db9ab45f1e8a1e60d1417f7a617ea154ad59973d93a948983

SHA512
7e4b9b462c6545cc3913bd35af0f847a4c54e175c8c2ce371bab6e4385912e13a1b7218c18eb163ca664a8d160d62ceb8c58057b1857e87ddc8133e7c1ace14e

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
871fb421bbc783b4f6a01e29816b5fdb

SHA1
1b9de665754211fd78a4dcbb34773b8244177d94

SHA256
c7d6746360ff8ab5190be972b52383e76a1d37c83cd1d00ff7afdbe86af5c2be

SHA512
1c17786d6086be145815f4077f4a47807da8d194d0efa78ad751456e736559dce549e2554ee1f422fa82c914f48ca5437460806a5102bd6cca966c51e71c496e

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
871fb421bbc783b4f6a01e29816b5fdb

SHA1
1b9de665754211fd78a4dcbb34773b8244177d94

SHA256
c7d6746360ff8ab5190be972b52383e76a1d37c83cd1d00ff7afdbe86af5c2be

SHA512
1c17786d6086be145815f4077f4a47807da8d194d0efa78ad751456e736559dce549e2554ee1f422fa82c914f48ca5437460806a5102bd6cca966c51e71c496e

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
da1cb9ec2de00cfee5246e37a81f9abc

SHA1
2726ac7439c667752c6db86d02fd4b60d7b9cee3

SHA256
de8389b7af65aa834a917016aa614948e7422a0a439e2c24b868353a8258f43a

SHA512
6684ef87fbb9954c88886e8bc73f96b9e897c48a541906caf607344f3a1cb3510bf5086fedc693ae7c5ae642a83d486456f59a372b29141a3c20e02a84edfa89

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
4a4d19da76bba059744340a06d82701e

SHA1
c182f9aa369bf5d67496073e41751c956c7f9727

SHA256
7a3c5a4cf708f24db9ab45f1e8a1e60d1417f7a617ea154ad59973d93a948983

SHA512
7e4b9b462c6545cc3913bd35af0f847a4c54e175c8c2ce371bab6e4385912e13a1b7218c18eb163ca664a8d160d62ceb8c58057b1857e87ddc8133e7c1ace14e

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
4a4d19da76bba059744340a06d82701e

SHA1
c182f9aa369bf5d67496073e41751c956c7f9727

SHA256
7a3c5a4cf708f24db9ab45f1e8a1e60d1417f7a617ea154ad59973d93a948983

SHA512
7e4b9b462c6545cc3913bd35af0f847a4c54e175c8c2ce371bab6e4385912e13a1b7218c18eb163ca664a8d160d62ceb8c58057b1857e87ddc8133e7c1ace14e

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
da1cb9ec2de00cfee5246e37a81f9abc

SHA1
2726ac7439c667752c6db86d02fd4b60d7b9cee3

SHA256
de8389b7af65aa834a917016aa614948e7422a0a439e2c24b868353a8258f43a

SHA512
6684ef87fbb9954c88886e8bc73f96b9e897c48a541906caf607344f3a1cb3510bf5086fedc693ae7c5ae642a83d486456f59a372b29141a3c20e02a84edfa89

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
11f3ba5ccb9237fda52e2f0b1c15771b

SHA1
4d5f546f460b4603a09c84318ffa038c3e6a3c6e

SHA256
92ce3e015654b1c3f1ef53ceebf7ecfb6cb4d5db851e10a972d306344b1bdeef

SHA512
54247020e26e9de5fe08461bc975dd61712ce2511e14fb95451f26310001050125793b6e99777731c66bffef3ac04d554477090568a5404551bc979a2cd0c2b6

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
11f3ba5ccb9237fda52e2f0b1c15771b

SHA1
4d5f546f460b4603a09c84318ffa038c3e6a3c6e

SHA256
92ce3e015654b1c3f1ef53ceebf7ecfb6cb4d5db851e10a972d306344b1bdeef

SHA512
54247020e26e9de5fe08461bc975dd61712ce2511e14fb95451f26310001050125793b6e99777731c66bffef3ac04d554477090568a5404551bc979a2cd0c2b6

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
5854c9be91735feaace8c65396ec74fc

SHA1
68829eadafedd4fcce853be9fb2f8de80a4ed34d

SHA256
bc8c1cc8493c63477faa3c9d0aa44bd4e1560e8ed21c42bd5bcb6fec582e977d

SHA512
2fae6018db7dcb1f7d9f4ed5dfce5a54e9d1ec09e824a17ea604351abdbf218459d9d729a003b312639929302391b7d64ce4d4a735918aff03efb44ba7c9658d

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
5854c9be91735feaace8c65396ec74fc

SHA1
68829eadafedd4fcce853be9fb2f8de80a4ed34d

SHA256
bc8c1cc8493c63477faa3c9d0aa44bd4e1560e8ed21c42bd5bcb6fec582e977d

SHA512
2fae6018db7dcb1f7d9f4ed5dfce5a54e9d1ec09e824a17ea604351abdbf218459d9d729a003b312639929302391b7d64ce4d4a735918aff03efb44ba7c9658d

Download Submit
C:\Users\Admin\AppData\Local\Temp\2492428818\backup.exe

Filesize
72KB

MD5
65c348fcbaf03fa7ce468a77b50ff522

SHA1
a3985817eacd7691f314dea9ff7e22d8a6355453

SHA256
7b88f6e3524c0f7f31f9a7c223bf14346a7b97d47733722b809fd21b7a501225

SHA512
a8771ff51b803b44da340176c6acb8a8c25d392a363936418c87639e8f6a96cebbed4e4ee8176bba5894ccc2e60d10faa6d7d7ff2ed097144e2137a5377ea916

Download Submit
C:\Users\Admin\AppData\Local\Temp\2492428818\backup.exe

Filesize
72KB

MD5
65c348fcbaf03fa7ce468a77b50ff522

SHA1
a3985817eacd7691f314dea9ff7e22d8a6355453

SHA256
7b88f6e3524c0f7f31f9a7c223bf14346a7b97d47733722b809fd21b7a501225

SHA512
a8771ff51b803b44da340176c6acb8a8c25d392a363936418c87639e8f6a96cebbed4e4ee8176bba5894ccc2e60d10faa6d7d7ff2ed097144e2137a5377ea916

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
65c348fcbaf03fa7ce468a77b50ff522

SHA1
a3985817eacd7691f314dea9ff7e22d8a6355453

SHA256
7b88f6e3524c0f7f31f9a7c223bf14346a7b97d47733722b809fd21b7a501225

SHA512
a8771ff51b803b44da340176c6acb8a8c25d392a363936418c87639e8f6a96cebbed4e4ee8176bba5894ccc2e60d10faa6d7d7ff2ed097144e2137a5377ea916

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
65c348fcbaf03fa7ce468a77b50ff522

SHA1
a3985817eacd7691f314dea9ff7e22d8a6355453

SHA256
7b88f6e3524c0f7f31f9a7c223bf14346a7b97d47733722b809fd21b7a501225

SHA512
a8771ff51b803b44da340176c6acb8a8c25d392a363936418c87639e8f6a96cebbed4e4ee8176bba5894ccc2e60d10faa6d7d7ff2ed097144e2137a5377ea916

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
8324d7eb3f28f976f6777032b050b84a

SHA1
7f31a28d95330124c641328dfd8ba9492f619aa5

SHA256
44f2c244f305111ba6cff56bd8b5ae1e19da6b4874c8b267b49f33d596986adb

SHA512
b7410f02331551bb09a12fa7deb0b528a76808cfc9b67b428d5d2c0db8ee3467ee6bd5977365982caba1fd47e1cf895ff6e086e772ecbfb5f74775b7cbaff088

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
8324d7eb3f28f976f6777032b050b84a

SHA1
7f31a28d95330124c641328dfd8ba9492f619aa5

SHA256
44f2c244f305111ba6cff56bd8b5ae1e19da6b4874c8b267b49f33d596986adb

SHA512
b7410f02331551bb09a12fa7deb0b528a76808cfc9b67b428d5d2c0db8ee3467ee6bd5977365982caba1fd47e1cf895ff6e086e772ecbfb5f74775b7cbaff088

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
65c348fcbaf03fa7ce468a77b50ff522

SHA1
a3985817eacd7691f314dea9ff7e22d8a6355453

SHA256
7b88f6e3524c0f7f31f9a7c223bf14346a7b97d47733722b809fd21b7a501225

SHA512
a8771ff51b803b44da340176c6acb8a8c25d392a363936418c87639e8f6a96cebbed4e4ee8176bba5894ccc2e60d10faa6d7d7ff2ed097144e2137a5377ea916

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
8324d7eb3f28f976f6777032b050b84a

SHA1
7f31a28d95330124c641328dfd8ba9492f619aa5

SHA256
44f2c244f305111ba6cff56bd8b5ae1e19da6b4874c8b267b49f33d596986adb

SHA512
b7410f02331551bb09a12fa7deb0b528a76808cfc9b67b428d5d2c0db8ee3467ee6bd5977365982caba1fd47e1cf895ff6e086e772ecbfb5f74775b7cbaff088

Download Submit
C:\backup.exe

Filesize
72KB

MD5
0485681452ccb4c1a3b4ea2d2e4a8f41

SHA1
ad26908ccacccaf1ff4aebd8bbe0d33fd4bdd53d

SHA256
7057c28a722fc837c351d98b89a27b755d345fff5496b496438ec7b8ceda6f4d

SHA512
f6ea8ebee18f1caee5576ffbc01a64cb4054f5d5466a994425c22cd97889a76e8287d9082b3e183da06c51838988c4f087ac07e9fd77a345527d605d04009c70

Download Submit
C:\backup.exe

Filesize
72KB

MD5
0485681452ccb4c1a3b4ea2d2e4a8f41

SHA1
ad26908ccacccaf1ff4aebd8bbe0d33fd4bdd53d

SHA256
7057c28a722fc837c351d98b89a27b755d345fff5496b496438ec7b8ceda6f4d

SHA512
f6ea8ebee18f1caee5576ffbc01a64cb4054f5d5466a994425c22cd97889a76e8287d9082b3e183da06c51838988c4f087ac07e9fd77a345527d605d04009c70

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
5dece1e53043be30f9305bf301766e2f

SHA1
5a47367024e3372cf8a963a516a17051c5311ede

SHA256
3b158d7ffac5b5120270f4db1522ce85ac39c3415e2997610317d777147e955b

SHA512
88f6de2fd1414f152f69e9b6f54d70cd487458f44a2c7f808d3840eba45778d3a156fed721d1caa020ff2c8413de4b11ee0cfe82a7f0449602f620ced55926e0

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
5dece1e53043be30f9305bf301766e2f

SHA1
5a47367024e3372cf8a963a516a17051c5311ede

SHA256
3b158d7ffac5b5120270f4db1522ce85ac39c3415e2997610317d777147e955b

SHA512
88f6de2fd1414f152f69e9b6f54d70cd487458f44a2c7f808d3840eba45778d3a156fed721d1caa020ff2c8413de4b11ee0cfe82a7f0449602f620ced55926e0

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
5854c9be91735feaace8c65396ec74fc

SHA1
68829eadafedd4fcce853be9fb2f8de80a4ed34d

SHA256
bc8c1cc8493c63477faa3c9d0aa44bd4e1560e8ed21c42bd5bcb6fec582e977d

SHA512
2fae6018db7dcb1f7d9f4ed5dfce5a54e9d1ec09e824a17ea604351abdbf218459d9d729a003b312639929302391b7d64ce4d4a735918aff03efb44ba7c9658d

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
5854c9be91735feaace8c65396ec74fc

SHA1
68829eadafedd4fcce853be9fb2f8de80a4ed34d

SHA256
bc8c1cc8493c63477faa3c9d0aa44bd4e1560e8ed21c42bd5bcb6fec582e977d

SHA512
2fae6018db7dcb1f7d9f4ed5dfce5a54e9d1ec09e824a17ea604351abdbf218459d9d729a003b312639929302391b7d64ce4d4a735918aff03efb44ba7c9658d

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
050fb5dd59d9a98eda90607ad4534461

SHA1
7ac33fe67500dc7ac3027c4dd682ec7ea29271de

SHA256
6d663f767ed9f59675e60d7e91d88e63b26a7d6cbb94b9e484f4adb4e26df283

SHA512
d514bc2a96f8001993f643ca0bbf38a02eedd9ca29d2692f46c1d2a1048a551d4e705612482f758a73904d852ec147bcec671e8f199c53b9e0dcc901c6ec8e00

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
050fb5dd59d9a98eda90607ad4534461

SHA1
7ac33fe67500dc7ac3027c4dd682ec7ea29271de

SHA256
6d663f767ed9f59675e60d7e91d88e63b26a7d6cbb94b9e484f4adb4e26df283

SHA512
d514bc2a96f8001993f643ca0bbf38a02eedd9ca29d2692f46c1d2a1048a551d4e705612482f758a73904d852ec147bcec671e8f199c53b9e0dcc901c6ec8e00

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
5dece1e53043be30f9305bf301766e2f

SHA1
5a47367024e3372cf8a963a516a17051c5311ede

SHA256
3b158d7ffac5b5120270f4db1522ce85ac39c3415e2997610317d777147e955b

SHA512
88f6de2fd1414f152f69e9b6f54d70cd487458f44a2c7f808d3840eba45778d3a156fed721d1caa020ff2c8413de4b11ee0cfe82a7f0449602f620ced55926e0

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
5dece1e53043be30f9305bf301766e2f

SHA1
5a47367024e3372cf8a963a516a17051c5311ede

SHA256
3b158d7ffac5b5120270f4db1522ce85ac39c3415e2997610317d777147e955b

SHA512
88f6de2fd1414f152f69e9b6f54d70cd487458f44a2c7f808d3840eba45778d3a156fed721d1caa020ff2c8413de4b11ee0cfe82a7f0449602f620ced55926e0

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
4a4d19da76bba059744340a06d82701e

SHA1
c182f9aa369bf5d67496073e41751c956c7f9727

SHA256
7a3c5a4cf708f24db9ab45f1e8a1e60d1417f7a617ea154ad59973d93a948983

SHA512
7e4b9b462c6545cc3913bd35af0f847a4c54e175c8c2ce371bab6e4385912e13a1b7218c18eb163ca664a8d160d62ceb8c58057b1857e87ddc8133e7c1ace14e

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
4a4d19da76bba059744340a06d82701e

SHA1
c182f9aa369bf5d67496073e41751c956c7f9727

SHA256
7a3c5a4cf708f24db9ab45f1e8a1e60d1417f7a617ea154ad59973d93a948983

SHA512
7e4b9b462c6545cc3913bd35af0f847a4c54e175c8c2ce371bab6e4385912e13a1b7218c18eb163ca664a8d160d62ceb8c58057b1857e87ddc8133e7c1ace14e

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
871fb421bbc783b4f6a01e29816b5fdb

SHA1
1b9de665754211fd78a4dcbb34773b8244177d94

SHA256
c7d6746360ff8ab5190be972b52383e76a1d37c83cd1d00ff7afdbe86af5c2be

SHA512
1c17786d6086be145815f4077f4a47807da8d194d0efa78ad751456e736559dce549e2554ee1f422fa82c914f48ca5437460806a5102bd6cca966c51e71c496e

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
871fb421bbc783b4f6a01e29816b5fdb

SHA1
1b9de665754211fd78a4dcbb34773b8244177d94

SHA256
c7d6746360ff8ab5190be972b52383e76a1d37c83cd1d00ff7afdbe86af5c2be

SHA512
1c17786d6086be145815f4077f4a47807da8d194d0efa78ad751456e736559dce549e2554ee1f422fa82c914f48ca5437460806a5102bd6cca966c51e71c496e

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
da1cb9ec2de00cfee5246e37a81f9abc

SHA1
2726ac7439c667752c6db86d02fd4b60d7b9cee3

SHA256
de8389b7af65aa834a917016aa614948e7422a0a439e2c24b868353a8258f43a

SHA512
6684ef87fbb9954c88886e8bc73f96b9e897c48a541906caf607344f3a1cb3510bf5086fedc693ae7c5ae642a83d486456f59a372b29141a3c20e02a84edfa89

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
da1cb9ec2de00cfee5246e37a81f9abc

SHA1
2726ac7439c667752c6db86d02fd4b60d7b9cee3

SHA256
de8389b7af65aa834a917016aa614948e7422a0a439e2c24b868353a8258f43a

SHA512
6684ef87fbb9954c88886e8bc73f96b9e897c48a541906caf607344f3a1cb3510bf5086fedc693ae7c5ae642a83d486456f59a372b29141a3c20e02a84edfa89

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
4a4d19da76bba059744340a06d82701e

SHA1
c182f9aa369bf5d67496073e41751c956c7f9727

SHA256
7a3c5a4cf708f24db9ab45f1e8a1e60d1417f7a617ea154ad59973d93a948983

SHA512
7e4b9b462c6545cc3913bd35af0f847a4c54e175c8c2ce371bab6e4385912e13a1b7218c18eb163ca664a8d160d62ceb8c58057b1857e87ddc8133e7c1ace14e

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
4a4d19da76bba059744340a06d82701e

SHA1
c182f9aa369bf5d67496073e41751c956c7f9727

SHA256
7a3c5a4cf708f24db9ab45f1e8a1e60d1417f7a617ea154ad59973d93a948983

SHA512
7e4b9b462c6545cc3913bd35af0f847a4c54e175c8c2ce371bab6e4385912e13a1b7218c18eb163ca664a8d160d62ceb8c58057b1857e87ddc8133e7c1ace14e

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
da1cb9ec2de00cfee5246e37a81f9abc

SHA1
2726ac7439c667752c6db86d02fd4b60d7b9cee3

SHA256
de8389b7af65aa834a917016aa614948e7422a0a439e2c24b868353a8258f43a

SHA512
6684ef87fbb9954c88886e8bc73f96b9e897c48a541906caf607344f3a1cb3510bf5086fedc693ae7c5ae642a83d486456f59a372b29141a3c20e02a84edfa89

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
da1cb9ec2de00cfee5246e37a81f9abc

SHA1
2726ac7439c667752c6db86d02fd4b60d7b9cee3

SHA256
de8389b7af65aa834a917016aa614948e7422a0a439e2c24b868353a8258f43a

SHA512
6684ef87fbb9954c88886e8bc73f96b9e897c48a541906caf607344f3a1cb3510bf5086fedc693ae7c5ae642a83d486456f59a372b29141a3c20e02a84edfa89

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe

Filesize
72KB

MD5
da1cb9ec2de00cfee5246e37a81f9abc

SHA1
2726ac7439c667752c6db86d02fd4b60d7b9cee3

SHA256
de8389b7af65aa834a917016aa614948e7422a0a439e2c24b868353a8258f43a

SHA512
6684ef87fbb9954c88886e8bc73f96b9e897c48a541906caf607344f3a1cb3510bf5086fedc693ae7c5ae642a83d486456f59a372b29141a3c20e02a84edfa89

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
11f3ba5ccb9237fda52e2f0b1c15771b

SHA1
4d5f546f460b4603a09c84318ffa038c3e6a3c6e

SHA256
92ce3e015654b1c3f1ef53ceebf7ecfb6cb4d5db851e10a972d306344b1bdeef

SHA512
54247020e26e9de5fe08461bc975dd61712ce2511e14fb95451f26310001050125793b6e99777731c66bffef3ac04d554477090568a5404551bc979a2cd0c2b6

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
11f3ba5ccb9237fda52e2f0b1c15771b

SHA1
4d5f546f460b4603a09c84318ffa038c3e6a3c6e

SHA256
92ce3e015654b1c3f1ef53ceebf7ecfb6cb4d5db851e10a972d306344b1bdeef

SHA512
54247020e26e9de5fe08461bc975dd61712ce2511e14fb95451f26310001050125793b6e99777731c66bffef3ac04d554477090568a5404551bc979a2cd0c2b6

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
5854c9be91735feaace8c65396ec74fc

SHA1
68829eadafedd4fcce853be9fb2f8de80a4ed34d

SHA256
bc8c1cc8493c63477faa3c9d0aa44bd4e1560e8ed21c42bd5bcb6fec582e977d

SHA512
2fae6018db7dcb1f7d9f4ed5dfce5a54e9d1ec09e824a17ea604351abdbf218459d9d729a003b312639929302391b7d64ce4d4a735918aff03efb44ba7c9658d

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
5854c9be91735feaace8c65396ec74fc

SHA1
68829eadafedd4fcce853be9fb2f8de80a4ed34d

SHA256
bc8c1cc8493c63477faa3c9d0aa44bd4e1560e8ed21c42bd5bcb6fec582e977d

SHA512
2fae6018db7dcb1f7d9f4ed5dfce5a54e9d1ec09e824a17ea604351abdbf218459d9d729a003b312639929302391b7d64ce4d4a735918aff03efb44ba7c9658d

Download Submit
\Users\Admin\AppData\Local\Temp\2492428818\backup.exe

Filesize
72KB

MD5
65c348fcbaf03fa7ce468a77b50ff522

SHA1
a3985817eacd7691f314dea9ff7e22d8a6355453

SHA256
7b88f6e3524c0f7f31f9a7c223bf14346a7b97d47733722b809fd21b7a501225

SHA512
a8771ff51b803b44da340176c6acb8a8c25d392a363936418c87639e8f6a96cebbed4e4ee8176bba5894ccc2e60d10faa6d7d7ff2ed097144e2137a5377ea916

Download Submit
\Users\Admin\AppData\Local\Temp\2492428818\backup.exe

Filesize
72KB

MD5
65c348fcbaf03fa7ce468a77b50ff522

SHA1
a3985817eacd7691f314dea9ff7e22d8a6355453

SHA256
7b88f6e3524c0f7f31f9a7c223bf14346a7b97d47733722b809fd21b7a501225

SHA512
a8771ff51b803b44da340176c6acb8a8c25d392a363936418c87639e8f6a96cebbed4e4ee8176bba5894ccc2e60d10faa6d7d7ff2ed097144e2137a5377ea916

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
65c348fcbaf03fa7ce468a77b50ff522

SHA1
a3985817eacd7691f314dea9ff7e22d8a6355453

SHA256
7b88f6e3524c0f7f31f9a7c223bf14346a7b97d47733722b809fd21b7a501225

SHA512
a8771ff51b803b44da340176c6acb8a8c25d392a363936418c87639e8f6a96cebbed4e4ee8176bba5894ccc2e60d10faa6d7d7ff2ed097144e2137a5377ea916

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
65c348fcbaf03fa7ce468a77b50ff522

SHA1
a3985817eacd7691f314dea9ff7e22d8a6355453

SHA256
7b88f6e3524c0f7f31f9a7c223bf14346a7b97d47733722b809fd21b7a501225

SHA512
a8771ff51b803b44da340176c6acb8a8c25d392a363936418c87639e8f6a96cebbed4e4ee8176bba5894ccc2e60d10faa6d7d7ff2ed097144e2137a5377ea916

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
65c348fcbaf03fa7ce468a77b50ff522

SHA1
a3985817eacd7691f314dea9ff7e22d8a6355453

SHA256
7b88f6e3524c0f7f31f9a7c223bf14346a7b97d47733722b809fd21b7a501225

SHA512
a8771ff51b803b44da340176c6acb8a8c25d392a363936418c87639e8f6a96cebbed4e4ee8176bba5894ccc2e60d10faa6d7d7ff2ed097144e2137a5377ea916

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
65c348fcbaf03fa7ce468a77b50ff522

SHA1
a3985817eacd7691f314dea9ff7e22d8a6355453

SHA256
7b88f6e3524c0f7f31f9a7c223bf14346a7b97d47733722b809fd21b7a501225

SHA512
a8771ff51b803b44da340176c6acb8a8c25d392a363936418c87639e8f6a96cebbed4e4ee8176bba5894ccc2e60d10faa6d7d7ff2ed097144e2137a5377ea916

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
8324d7eb3f28f976f6777032b050b84a

SHA1
7f31a28d95330124c641328dfd8ba9492f619aa5

SHA256
44f2c244f305111ba6cff56bd8b5ae1e19da6b4874c8b267b49f33d596986adb

SHA512
b7410f02331551bb09a12fa7deb0b528a76808cfc9b67b428d5d2c0db8ee3467ee6bd5977365982caba1fd47e1cf895ff6e086e772ecbfb5f74775b7cbaff088

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
8324d7eb3f28f976f6777032b050b84a

SHA1
7f31a28d95330124c641328dfd8ba9492f619aa5

SHA256
44f2c244f305111ba6cff56bd8b5ae1e19da6b4874c8b267b49f33d596986adb

SHA512
b7410f02331551bb09a12fa7deb0b528a76808cfc9b67b428d5d2c0db8ee3467ee6bd5977365982caba1fd47e1cf895ff6e086e772ecbfb5f74775b7cbaff088

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
8324d7eb3f28f976f6777032b050b84a

SHA1
7f31a28d95330124c641328dfd8ba9492f619aa5

SHA256
44f2c244f305111ba6cff56bd8b5ae1e19da6b4874c8b267b49f33d596986adb

SHA512
b7410f02331551bb09a12fa7deb0b528a76808cfc9b67b428d5d2c0db8ee3467ee6bd5977365982caba1fd47e1cf895ff6e086e772ecbfb5f74775b7cbaff088

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
8324d7eb3f28f976f6777032b050b84a

SHA1
7f31a28d95330124c641328dfd8ba9492f619aa5

SHA256
44f2c244f305111ba6cff56bd8b5ae1e19da6b4874c8b267b49f33d596986adb

SHA512
b7410f02331551bb09a12fa7deb0b528a76808cfc9b67b428d5d2c0db8ee3467ee6bd5977365982caba1fd47e1cf895ff6e086e772ecbfb5f74775b7cbaff088

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
65c348fcbaf03fa7ce468a77b50ff522

SHA1
a3985817eacd7691f314dea9ff7e22d8a6355453

SHA256
7b88f6e3524c0f7f31f9a7c223bf14346a7b97d47733722b809fd21b7a501225

SHA512
a8771ff51b803b44da340176c6acb8a8c25d392a363936418c87639e8f6a96cebbed4e4ee8176bba5894ccc2e60d10faa6d7d7ff2ed097144e2137a5377ea916

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
65c348fcbaf03fa7ce468a77b50ff522

SHA1
a3985817eacd7691f314dea9ff7e22d8a6355453

SHA256
7b88f6e3524c0f7f31f9a7c223bf14346a7b97d47733722b809fd21b7a501225

SHA512
a8771ff51b803b44da340176c6acb8a8c25d392a363936418c87639e8f6a96cebbed4e4ee8176bba5894ccc2e60d10faa6d7d7ff2ed097144e2137a5377ea916

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
8324d7eb3f28f976f6777032b050b84a

SHA1
7f31a28d95330124c641328dfd8ba9492f619aa5

SHA256
44f2c244f305111ba6cff56bd8b5ae1e19da6b4874c8b267b49f33d596986adb

SHA512
b7410f02331551bb09a12fa7deb0b528a76808cfc9b67b428d5d2c0db8ee3467ee6bd5977365982caba1fd47e1cf895ff6e086e772ecbfb5f74775b7cbaff088

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
8324d7eb3f28f976f6777032b050b84a

SHA1
7f31a28d95330124c641328dfd8ba9492f619aa5

SHA256
44f2c244f305111ba6cff56bd8b5ae1e19da6b4874c8b267b49f33d596986adb

SHA512
b7410f02331551bb09a12fa7deb0b528a76808cfc9b67b428d5d2c0db8ee3467ee6bd5977365982caba1fd47e1cf895ff6e086e772ecbfb5f74775b7cbaff088

Download Submit
memory/1088-100-0x00000000747E1000-0x00000000747E3000-memory.dmp

Filesize
8KB

Download
memory/1088-98-0x0000000075241000-0x0000000075243000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads