315cae43f07ccc153ced626bbf6e7f457c9da866571704692f3ff87b7515a8b7

Analysis

max time kernel
18s
max time network
51s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
19-10-2022 12:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

315cae43f07ccc153ced626bbf6e7f457c9da866571704692f3ff87b7515a8b7.exe
Size

72KB
MD5

a2276cf9d4b31ff3fc10953429782e50
SHA1

f4f3991752f9d169cfa4f8f335f582ac979f1525
SHA256

315cae43f07ccc153ced626bbf6e7f457c9da866571704692f3ff87b7515a8b7
SHA512

9ff4d2350ee18ce19a47e5d088065caaeb0b37e34caa452c159884e1236272ce8bc02301b0587d6550c322ab2dede3b06502bebaf7d85f0d214fe6e54b62da56
SSDEEP

384:06wayA+1mwnA353BXR+oGfPmfm4MlcTGXdhjwroyY2rebV5O6KgxWb/83BXR+oGF:0pQNwC3BESe4Vqth+0V5vKlE3BEJwRrw

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	315cae43f07ccc153ced626bbf6e7f457c9da866571704692f3ff87b7515a8b7.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Executes dropped EXE 64 IoCs

pid	Process
572	backup.exe
332	backup.exe
952	backup.exe
1780	backup.exe
764	backup.exe
1012	backup.exe
1508	backup.exe
1088	backup.exe
1504	update.exe
1964	backup.exe
1892	backup.exe
1524	backup.exe
792	update.exe
956	backup.exe
1772	backup.exe
1584	backup.exe
320	backup.exe
1828	backup.exe
1780	backup.exe
788	backup.exe
1704	backup.exe
1552	backup.exe
2032	backup.exe
1836	backup.exe
1612	backup.exe
1568	backup.exe
1560	backup.exe
1488	backup.exe
1960	backup.exe
1060	backup.exe
112	backup.exe
1444	backup.exe
2044	backup.exe
736	backup.exe
636	backup.exe
1000	backup.exe
1956	backup.exe
1640	backup.exe
1176	backup.exe
1284	backup.exe
520	backup.exe
332	backup.exe
1776	data.exe
1084	backup.exe
1884	update.exe
304	backup.exe
1388	backup.exe
820	backup.exe
1508	update.exe
1784	backup.exe
1700	backup.exe
1564	backup.exe
1492	backup.exe
1556	backup.exe
1044	backup.exe
1420	backup.exe
1380	backup.exe
1212	System Restore.exe
1192	backup.exe
1976	backup.exe
1696	backup.exe
1368	backup.exe
1768	backup.exe
1640	backup.exe

Loads dropped DLL 64 IoCs

pid	Process
592	315cae43f07ccc153ced626bbf6e7f457c9da866571704692f3ff87b7515a8b7.exe
592	315cae43f07ccc153ced626bbf6e7f457c9da866571704692f3ff87b7515a8b7.exe
592	315cae43f07ccc153ced626bbf6e7f457c9da866571704692f3ff87b7515a8b7.exe
592	315cae43f07ccc153ced626bbf6e7f457c9da866571704692f3ff87b7515a8b7.exe
592	315cae43f07ccc153ced626bbf6e7f457c9da866571704692f3ff87b7515a8b7.exe
592	315cae43f07ccc153ced626bbf6e7f457c9da866571704692f3ff87b7515a8b7.exe
592	315cae43f07ccc153ced626bbf6e7f457c9da866571704692f3ff87b7515a8b7.exe
592	315cae43f07ccc153ced626bbf6e7f457c9da866571704692f3ff87b7515a8b7.exe
592	315cae43f07ccc153ced626bbf6e7f457c9da866571704692f3ff87b7515a8b7.exe
592	315cae43f07ccc153ced626bbf6e7f457c9da866571704692f3ff87b7515a8b7.exe
592	315cae43f07ccc153ced626bbf6e7f457c9da866571704692f3ff87b7515a8b7.exe
592	315cae43f07ccc153ced626bbf6e7f457c9da866571704692f3ff87b7515a8b7.exe
592	315cae43f07ccc153ced626bbf6e7f457c9da866571704692f3ff87b7515a8b7.exe
592	315cae43f07ccc153ced626bbf6e7f457c9da866571704692f3ff87b7515a8b7.exe
1088	backup.exe
1504	update.exe
1504	update.exe
1504	update.exe
1504	update.exe
1504	update.exe
1964	backup.exe
1964	backup.exe
1964	backup.exe
1088	backup.exe
1088	backup.exe
1892	backup.exe
1892	backup.exe
1524	backup.exe
792	update.exe
792	update.exe
792	update.exe
1892	backup.exe
1892	backup.exe
956	backup.exe
956	backup.exe
1772	backup.exe
1772	backup.exe
1772	backup.exe
1772	backup.exe
320	backup.exe
320	backup.exe
320	backup.exe
320	backup.exe
320	backup.exe
320	backup.exe
320	backup.exe
320	backup.exe
320	backup.exe
320	backup.exe
320	backup.exe
320	backup.exe
320	backup.exe
320	backup.exe
320	backup.exe
320	backup.exe
320	backup.exe
320	backup.exe
320	backup.exe
320	backup.exe
320	backup.exe
320	backup.exe
320	backup.exe
320	backup.exe
1960	backup.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Services\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe	backup.exe
File opened for modification	C:\Program Files\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
592	315cae43f07ccc153ced626bbf6e7f457c9da866571704692f3ff87b7515a8b7.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
592	315cae43f07ccc153ced626bbf6e7f457c9da866571704692f3ff87b7515a8b7.exe
572	backup.exe
332	backup.exe
952	backup.exe
1780	backup.exe
764	backup.exe
1012	backup.exe
1508	backup.exe
1088	backup.exe
1504	update.exe
1964	backup.exe
1892	backup.exe
1524	backup.exe
792	update.exe
956	backup.exe
1772	backup.exe
1584	backup.exe
320	backup.exe
1828	backup.exe
1780	backup.exe
788	backup.exe
1704	backup.exe
1552	backup.exe
2032	backup.exe
1836	backup.exe
1612	backup.exe
1568	backup.exe
1560	backup.exe
1488	backup.exe
1960	backup.exe
1060	backup.exe
112	backup.exe
1444	backup.exe
2044	backup.exe
736	backup.exe
636	backup.exe
1000	backup.exe
1956	backup.exe
1640	backup.exe
1176	backup.exe
1284	backup.exe
520	backup.exe
332	backup.exe
1776	data.exe
1084	backup.exe
1884	update.exe
304	backup.exe
1388	backup.exe
820	backup.exe
1508	update.exe
1784	backup.exe
1700	backup.exe
1564	backup.exe
1492	backup.exe
1556	backup.exe
1044	backup.exe
1420	backup.exe
1380	backup.exe
1212	System Restore.exe
1192	backup.exe
1976	backup.exe
1696	backup.exe
1368	backup.exe
1768	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 592 wrote to memory of 572	592	315cae43f07ccc153ced626bbf6e7f457c9da866571704692f3ff87b7515a8b7.exe	27
PID 592 wrote to memory of 572	592	315cae43f07ccc153ced626bbf6e7f457c9da866571704692f3ff87b7515a8b7.exe	27
PID 592 wrote to memory of 572	592	315cae43f07ccc153ced626bbf6e7f457c9da866571704692f3ff87b7515a8b7.exe	27
PID 592 wrote to memory of 572	592	315cae43f07ccc153ced626bbf6e7f457c9da866571704692f3ff87b7515a8b7.exe	27
PID 592 wrote to memory of 332	592	315cae43f07ccc153ced626bbf6e7f457c9da866571704692f3ff87b7515a8b7.exe	28
PID 592 wrote to memory of 332	592	315cae43f07ccc153ced626bbf6e7f457c9da866571704692f3ff87b7515a8b7.exe	28
PID 592 wrote to memory of 332	592	315cae43f07ccc153ced626bbf6e7f457c9da866571704692f3ff87b7515a8b7.exe	28
PID 592 wrote to memory of 332	592	315cae43f07ccc153ced626bbf6e7f457c9da866571704692f3ff87b7515a8b7.exe	28
PID 592 wrote to memory of 952	592	315cae43f07ccc153ced626bbf6e7f457c9da866571704692f3ff87b7515a8b7.exe	29
PID 592 wrote to memory of 952	592	315cae43f07ccc153ced626bbf6e7f457c9da866571704692f3ff87b7515a8b7.exe	29
PID 592 wrote to memory of 952	592	315cae43f07ccc153ced626bbf6e7f457c9da866571704692f3ff87b7515a8b7.exe	29
PID 592 wrote to memory of 952	592	315cae43f07ccc153ced626bbf6e7f457c9da866571704692f3ff87b7515a8b7.exe	29
PID 592 wrote to memory of 1780	592	315cae43f07ccc153ced626bbf6e7f457c9da866571704692f3ff87b7515a8b7.exe	30
PID 592 wrote to memory of 1780	592	315cae43f07ccc153ced626bbf6e7f457c9da866571704692f3ff87b7515a8b7.exe	30
PID 592 wrote to memory of 1780	592	315cae43f07ccc153ced626bbf6e7f457c9da866571704692f3ff87b7515a8b7.exe	30
PID 592 wrote to memory of 1780	592	315cae43f07ccc153ced626bbf6e7f457c9da866571704692f3ff87b7515a8b7.exe	30
PID 592 wrote to memory of 764	592	315cae43f07ccc153ced626bbf6e7f457c9da866571704692f3ff87b7515a8b7.exe	31
PID 592 wrote to memory of 764	592	315cae43f07ccc153ced626bbf6e7f457c9da866571704692f3ff87b7515a8b7.exe	31
PID 592 wrote to memory of 764	592	315cae43f07ccc153ced626bbf6e7f457c9da866571704692f3ff87b7515a8b7.exe	31
PID 592 wrote to memory of 764	592	315cae43f07ccc153ced626bbf6e7f457c9da866571704692f3ff87b7515a8b7.exe	31
PID 592 wrote to memory of 1012	592	315cae43f07ccc153ced626bbf6e7f457c9da866571704692f3ff87b7515a8b7.exe	32
PID 592 wrote to memory of 1012	592	315cae43f07ccc153ced626bbf6e7f457c9da866571704692f3ff87b7515a8b7.exe	32
PID 592 wrote to memory of 1012	592	315cae43f07ccc153ced626bbf6e7f457c9da866571704692f3ff87b7515a8b7.exe	32
PID 592 wrote to memory of 1012	592	315cae43f07ccc153ced626bbf6e7f457c9da866571704692f3ff87b7515a8b7.exe	32
PID 592 wrote to memory of 1508	592	315cae43f07ccc153ced626bbf6e7f457c9da866571704692f3ff87b7515a8b7.exe	33
PID 592 wrote to memory of 1508	592	315cae43f07ccc153ced626bbf6e7f457c9da866571704692f3ff87b7515a8b7.exe	33
PID 592 wrote to memory of 1508	592	315cae43f07ccc153ced626bbf6e7f457c9da866571704692f3ff87b7515a8b7.exe	33
PID 592 wrote to memory of 1508	592	315cae43f07ccc153ced626bbf6e7f457c9da866571704692f3ff87b7515a8b7.exe	33
PID 572 wrote to memory of 1088	572	backup.exe	34
PID 572 wrote to memory of 1088	572	backup.exe	34
PID 572 wrote to memory of 1088	572	backup.exe	34
PID 572 wrote to memory of 1088	572	backup.exe	34
PID 1088 wrote to memory of 1504	1088	backup.exe	35
PID 1088 wrote to memory of 1504	1088	backup.exe	35
PID 1088 wrote to memory of 1504	1088	backup.exe	35
PID 1088 wrote to memory of 1504	1088	backup.exe	35
PID 1088 wrote to memory of 1504	1088	backup.exe	35
PID 1088 wrote to memory of 1504	1088	backup.exe	35
PID 1088 wrote to memory of 1504	1088	backup.exe	35
PID 1504 wrote to memory of 1964	1504	update.exe	36
PID 1504 wrote to memory of 1964	1504	update.exe	36
PID 1504 wrote to memory of 1964	1504	update.exe	36
PID 1504 wrote to memory of 1964	1504	update.exe	36
PID 1504 wrote to memory of 1964	1504	update.exe	36
PID 1504 wrote to memory of 1964	1504	update.exe	36
PID 1504 wrote to memory of 1964	1504	update.exe	36
PID 1088 wrote to memory of 1892	1088	backup.exe	37
PID 1088 wrote to memory of 1892	1088	backup.exe	37
PID 1088 wrote to memory of 1892	1088	backup.exe	37
PID 1088 wrote to memory of 1892	1088	backup.exe	37
PID 1892 wrote to memory of 1524	1892	backup.exe	38
PID 1892 wrote to memory of 1524	1892	backup.exe	38
PID 1892 wrote to memory of 1524	1892	backup.exe	38
PID 1892 wrote to memory of 1524	1892	backup.exe	38
PID 1524 wrote to memory of 792	1524	backup.exe	39
PID 1524 wrote to memory of 792	1524	backup.exe	39
PID 1524 wrote to memory of 792	1524	backup.exe	39
PID 1524 wrote to memory of 792	1524	backup.exe	39
PID 1524 wrote to memory of 792	1524	backup.exe	39
PID 1524 wrote to memory of 792	1524	backup.exe	39
PID 1524 wrote to memory of 792	1524	backup.exe	39
PID 1892 wrote to memory of 956	1892	backup.exe	40
PID 1892 wrote to memory of 956	1892	backup.exe	40
PID 1892 wrote to memory of 956	1892	backup.exe	40

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	315cae43f07ccc153ced626bbf6e7f457c9da866571704692f3ff87b7515a8b7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe

C:\Users\Admin\AppData\Local\Temp\315cae43f07ccc153ced626bbf6e7f457c9da866571704692f3ff87b7515a8b7.exe
"C:\Users\Admin\AppData\Local\Temp\315cae43f07ccc153ced626bbf6e7f457c9da866571704692f3ff87b7515a8b7.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:592
- C:\Users\Admin\AppData\Local\Temp\741407144\backup.exe
  C:\Users\Admin\AppData\Local\Temp\741407144\backup.exe C:\Users\Admin\AppData\Local\Temp\741407144\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:572
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:1088
  - - C:\PerfLogs\update.exe
      C:\PerfLogs\update.exe C:\PerfLogs\
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1504
    - - C:\PerfLogs\Admin\backup.exe
        
        C:\PerfLogs\Admin\backup.exe C:\PerfLogs\Admin\
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1964
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1892
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1524
      - C:\Program Files\7-Zip\Lang\update.exe
        
        "C:\Program Files\7-Zip\Lang\update.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:792
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:956
      - C:\Program Files\Common Files\Microsoft Shared\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\backup.exe" C:\Program Files\Common Files\Microsoft Shared\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1772
        
        C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1584
        
        C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:320
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1828
        
        C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1780
        
        C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:788
        
        C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1704
        
        C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1552
        
        C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2032
        
        C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1836
        
        C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1612
        
        C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1568
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1560
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1488
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1960
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1060
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:112
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1444
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2044
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:736
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:636
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1000
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1956
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1640
        
        C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1176
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1284
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:520
        
        C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:332
        
        C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1776
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1084
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1884
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:304
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1388
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:820
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1508
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1784
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1700
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1564
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1492
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1556
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1044
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1420
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1380
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1212
        
        C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1192
        
        C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1976
        
        C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1696
        
        C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1368
        
        C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1768
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        System policy modification
        
        PID:1640
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\
        8⤵
        
        PID:1392
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:328
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\update.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\
        8⤵
        System policy modification
        
        PID:756
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\update.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\
        8⤵
        System policy modification
        
        PID:1944
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\
        8⤵
        System policy modification
        
        PID:1056
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1776
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1800
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:764
        
        C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1928
        
        C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\
        7⤵
        System policy modification
        
        PID:304
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:1008
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\
        8⤵
        
        PID:1760
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2032
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\
        8⤵
        
        PID:552
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\data.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1544
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\
        8⤵
        
        PID:1792
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\
        8⤵
        
        PID:1480
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:608
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\
        8⤵
        
        PID:1752
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\data.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\
        8⤵
        
        PID:112
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1512
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\
        8⤵
        
        PID:1956
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1988
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\
        8⤵
        
        PID:680
        
        C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VC\
        7⤵
        
        PID:1828
        
        C:\Program Files\Common Files\Microsoft Shared\VGX\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VGX\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\VGX\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1928
        
        C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\
        7⤵
        
        PID:1576
        
        C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\
        8⤵
        
        PID:1480
        
        C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\
        9⤵
        
        PID:1420
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        System policy modification
        
        PID:2004
      - C:\Program Files\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\backup.exe" C:\Program Files\Common Files\SpeechEngines\
        6⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:1000
        
        C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files\Common Files\SpeechEngines\Microsoft\
        7⤵
        
        PID:320
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:928
        
        C:\Program Files\Common Files\System\ado\backup.exe
        
        "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        
        PID:1780
        
        C:\Program Files\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
        8⤵
        System policy modification
        
        PID:1552
        
        C:\Program Files\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
        8⤵
        
        PID:1612
        
        C:\Program Files\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
        8⤵
        
        PID:1556
        
        C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:112
        
        C:\Program Files\Common Files\System\ado\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\
        8⤵
        
        PID:908
        
        C:\Program Files\Common Files\System\ado\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\
        8⤵
        
        PID:832
        
        C:\Program Files\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        
        PID:656
        
        C:\Program Files\Common Files\System\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        
        PID:1868
        
        C:\Program Files\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
        7⤵
        
        PID:1764
        
        C:\Program Files\Common Files\System\fr-FR\System Restore.exe
        
        "C:\Program Files\Common Files\System\fr-FR\System Restore.exe" C:\Program Files\Common Files\System\fr-FR\
        7⤵
        
        PID:756
        
        C:\Program Files\Common Files\System\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\it-IT\backup.exe" C:\Program Files\Common Files\System\it-IT\
        7⤵
        
        PID:1884
        
        C:\Program Files\Common Files\System\ja-JP\System Restore.exe
        
        "C:\Program Files\Common Files\System\ja-JP\System Restore.exe" C:\Program Files\Common Files\System\ja-JP\
        7⤵
        
        PID:552
        
        C:\Program Files\Common Files\System\msadc\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\backup.exe" C:\Program Files\Common Files\System\msadc\
        7⤵
        
        PID:1588
        
        C:\Program Files\Common Files\System\msadc\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\de-DE\backup.exe" C:\Program Files\Common Files\System\msadc\de-DE\
        8⤵
        
        PID:1092
        
        C:\Program Files\Common Files\System\msadc\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\en-US\backup.exe" C:\Program Files\Common Files\System\msadc\en-US\
        8⤵
        
        PID:956
        
        C:\Program Files\Common Files\System\msadc\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\es-ES\backup.exe" C:\Program Files\Common Files\System\msadc\es-ES\
        8⤵
        
        PID:1388
        
        C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe" C:\Program Files\Common Files\System\msadc\fr-FR\
        8⤵
        
        PID:1668
        
        C:\Program Files\Common Files\System\Ole DB\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\backup.exe" C:\Program Files\Common Files\System\Ole DB\
        7⤵
        
        PID:568
        
        C:\Program Files\Common Files\System\Ole DB\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\de-DE\backup.exe" C:\Program Files\Common Files\System\Ole DB\de-DE\
        8⤵
        
        PID:1200
        
        C:\Program Files\Common Files\System\Ole DB\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\en-US\backup.exe" C:\Program Files\Common Files\System\Ole DB\en-US\
        8⤵
        
        PID:1660
        
        C:\Program Files\Common Files\System\Ole DB\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\es-ES\backup.exe" C:\Program Files\Common Files\System\Ole DB\es-ES\
        8⤵
        
        PID:1800
        
        C:\Program Files\Common Files\System\Ole DB\fr-FR\System Restore.exe
        
        "C:\Program Files\Common Files\System\Ole DB\fr-FR\System Restore.exe" C:\Program Files\Common Files\System\Ole DB\fr-FR\
        8⤵
        
        PID:1376
        
        C:\Program Files\Common Files\System\Ole DB\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\it-IT\backup.exe" C:\Program Files\Common Files\System\Ole DB\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1780
        
        C:\Program Files\Common Files\System\Ole DB\ja-JP\System Restore.exe
        
        "C:\Program Files\Common Files\System\Ole DB\ja-JP\System Restore.exe" C:\Program Files\Common Files\System\Ole DB\ja-JP\
        8⤵
        
        PID:736
    - - C:\Program Files\DVD Maker\backup.exe
        
        "C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\
        5⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1312
      - C:\Program Files\DVD Maker\de-DE\backup.exe
        
        "C:\Program Files\DVD Maker\de-DE\backup.exe" C:\Program Files\DVD Maker\de-DE\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:432
      - C:\Program Files\DVD Maker\en-US\backup.exe
        
        "C:\Program Files\DVD Maker\en-US\backup.exe" C:\Program Files\DVD Maker\en-US\
        6⤵
        
        PID:1596
      - C:\Program Files\DVD Maker\es-ES\backup.exe
        
        "C:\Program Files\DVD Maker\es-ES\backup.exe" C:\Program Files\DVD Maker\es-ES\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1676
      - C:\Program Files\DVD Maker\fr-FR\backup.exe
        
        "C:\Program Files\DVD Maker\fr-FR\backup.exe" C:\Program Files\DVD Maker\fr-FR\
        6⤵
        System policy modification
        
        PID:1640
      - C:\Program Files\DVD Maker\it-IT\backup.exe
        
        "C:\Program Files\DVD Maker\it-IT\backup.exe" C:\Program Files\DVD Maker\it-IT\
        6⤵
        
        PID:1704
      - C:\Program Files\DVD Maker\ja-JP\backup.exe
        
        "C:\Program Files\DVD Maker\ja-JP\backup.exe" C:\Program Files\DVD Maker\ja-JP\
        6⤵
        
        PID:1788
      - C:\Program Files\DVD Maker\Shared\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\backup.exe" C:\Program Files\DVD Maker\Shared\
        6⤵
        Drops file in Program Files directory
        
        PID:1008
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\
        7⤵
        
        PID:864
    - - C:\Program Files\Google\update.exe
        
        "C:\Program Files\Google\update.exe" C:\Program Files\Google\
        5⤵
        
        PID:2028
      - C:\Program Files\Google\Chrome\backup.exe
        
        "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
        6⤵
        
        PID:740
        
        C:\Program Files\Google\Chrome\Application\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\backup.exe" C:\Program Files\Google\Chrome\Application\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1956
    - - C:\Program Files\Internet Explorer\data.exe
        
        "C:\Program Files\Internet Explorer\data.exe" C:\Program Files\Internet Explorer\
        5⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1752
      - C:\Program Files\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files\Internet Explorer\de-DE\backup.exe" C:\Program Files\Internet Explorer\de-DE\
        6⤵
        
        PID:1216
      - C:\Program Files\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files\Internet Explorer\en-US\backup.exe" C:\Program Files\Internet Explorer\en-US\
        6⤵
        
        PID:960
      - C:\Program Files\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files\Internet Explorer\es-ES\backup.exe" C:\Program Files\Internet Explorer\es-ES\
        6⤵
        
        PID:1284
      - C:\Program Files\Internet Explorer\fr-FR\backup.exe
        
        "C:\Program Files\Internet Explorer\fr-FR\backup.exe" C:\Program Files\Internet Explorer\fr-FR\
        6⤵
        
        PID:1944
      - C:\Program Files\Internet Explorer\images\backup.exe
        
        "C:\Program Files\Internet Explorer\images\backup.exe" C:\Program Files\Internet Explorer\images\
        6⤵
        
        PID:944
      - C:\Program Files\Internet Explorer\it-IT\update.exe
        
        "C:\Program Files\Internet Explorer\it-IT\update.exe" C:\Program Files\Internet Explorer\it-IT\
        6⤵
        
        PID:1804
      - C:\Program Files\Internet Explorer\ja-JP\backup.exe
        
        "C:\Program Files\Internet Explorer\ja-JP\backup.exe" C:\Program Files\Internet Explorer\ja-JP\
        6⤵
        
        PID:1080
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        
        PID:1960
    - - C:\Program Files\Microsoft Games\backup.exe
        
        "C:\Program Files\Microsoft Games\backup.exe" C:\Program Files\Microsoft Games\
        5⤵
        
        PID:1020
    - - C:\Program Files\Microsoft Office\update.exe
        
        "C:\Program Files\Microsoft Office\update.exe" C:\Program Files\Microsoft Office\
        5⤵
        
        PID:1976
      - C:\Program Files\Microsoft Office\Office14\backup.exe
        
        "C:\Program Files\Microsoft Office\Office14\backup.exe" C:\Program Files\Microsoft Office\Office14\
        6⤵
        
        PID:1672
    - - C:\Program Files\Mozilla Firefox\backup.exe
        
        "C:\Program Files\Mozilla Firefox\backup.exe" C:\Program Files\Mozilla Firefox\
        5⤵
        
        PID:1760
      - C:\Program Files\Mozilla Firefox\browser\data.exe
        
        "C:\Program Files\Mozilla Firefox\browser\data.exe" C:\Program Files\Mozilla Firefox\browser\
        6⤵
        
        PID:1176
      - C:\Program Files\Mozilla Firefox\defaults\backup.exe
        
        "C:\Program Files\Mozilla Firefox\defaults\backup.exe" C:\Program Files\Mozilla Firefox\defaults\
        6⤵
        
        PID:888
      - C:\Program Files\Mozilla Firefox\fonts\backup.exe
        
        "C:\Program Files\Mozilla Firefox\fonts\backup.exe" C:\Program Files\Mozilla Firefox\fonts\
        6⤵
        
        PID:560
    - - C:\Program Files\MSBuild\System Restore.exe
        
        "C:\Program Files\MSBuild\System Restore.exe" C:\Program Files\MSBuild\
        5⤵
        
        PID:1512
    - - C:\Program Files\Reference Assemblies\backup.exe
        
        "C:\Program Files\Reference Assemblies\backup.exe" C:\Program Files\Reference Assemblies\
        5⤵
        
        PID:1756
      - C:\Program Files\Reference Assemblies\Microsoft\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\
        6⤵
        
        PID:1008
    - - C:\Program Files\VideoLAN\backup.exe
        
        "C:\Program Files\VideoLAN\backup.exe" C:\Program Files\VideoLAN\
        5⤵
        
        PID:1604
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Modifies visibility of file extensions in Explorer
      Drops file in Program Files directory
      PID:1564
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1228
      - C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\
        6⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1940
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\
        7⤵
        
        PID:1444
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\
        7⤵
        Drops file in Program Files directory
        
        PID:1968
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\
        8⤵
        
        PID:828
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\
        8⤵
        System policy modification
        
        PID:1584
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\System Restore.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\
        8⤵
        
        PID:1084
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\
        8⤵
        
        PID:820
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\
        9⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1792
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\
        8⤵
        
        PID:1588
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\
        8⤵
        
        PID:1212
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\
        9⤵
        
        PID:1648
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\
        8⤵
        
        PID:1976
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\
        8⤵
        
        PID:328
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\
        9⤵
        
        PID:948
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:828
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\
        9⤵
        
        PID:1776
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\
        10⤵
        
        PID:764
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\
        11⤵
        
        PID:1648
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\
        9⤵
        
        PID:1044
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\
        10⤵
        
        PID:1764
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\
        9⤵
        
        PID:816
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\
        10⤵
        
        PID:1784
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\
        8⤵
        
        PID:1836
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\
        8⤵
        
        PID:1368
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\
        8⤵
        
        PID:680
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\
        7⤵
        
        PID:1356
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\update.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\update.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\
        7⤵
        
        PID:820
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\
        8⤵
        
        PID:308
    - - C:\Program Files (x86)\Common Files\data.exe
        
        "C:\Program Files (x86)\Common Files\data.exe" C:\Program Files (x86)\Common Files\
        5⤵
        
        PID:1828
      - C:\Program Files (x86)\Common Files\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1704
        
        C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\
        7⤵
        
        PID:1768
        
        C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\
        7⤵
        
        PID:784
        
        C:\Program Files (x86)\Common Files\Adobe\Help\en_US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\
        8⤵
        
        PID:332
        
        C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Updater6\
        7⤵
        
        PID:1940
      - C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\
        6⤵
        
        PID:736
        
        C:\Program Files (x86)\Common Files\Adobe AIR\Versions\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\Versions\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\Versions\
        7⤵
        
        PID:332
        
        C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\
        8⤵
        
        PID:1644
      - C:\Program Files (x86)\Common Files\DESIGNER\backup.exe
        
        "C:\Program Files (x86)\Common Files\DESIGNER\backup.exe" C:\Program Files (x86)\Common Files\DESIGNER\
        6⤵
        
        PID:1596
      - C:\Program Files (x86)\Common Files\microsoft shared\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\
        6⤵
        
        PID:1192
        
        C:\Program Files (x86)\Common Files\microsoft shared\DAO\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\DAO\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\DAO\
        7⤵
        
        PID:1776
        
        C:\Program Files (x86)\Common Files\microsoft shared\DW\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\DW\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\DW\
        7⤵
        
        PID:328
        
        C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\
        7⤵
        
        PID:1560
        
        C:\Program Files (x86)\Common Files\microsoft shared\EURO\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\EURO\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\EURO\
        7⤵
        
        PID:908
        
        C:\Program Files (x86)\Common Files\microsoft shared\Filters\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Filters\System Restore.exe" C:\Program Files (x86)\Common Files\microsoft shared\Filters\
        7⤵
        
        PID:1072
      - C:\Program Files (x86)\Common Files\Services\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\Services\System Restore.exe" C:\Program Files (x86)\Common Files\Services\
        6⤵
        
        PID:1868
      - C:\Program Files (x86)\Common Files\SpeechEngines\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\SpeechEngines\System Restore.exe" C:\Program Files (x86)\Common Files\SpeechEngines\
        6⤵
        
        PID:1852
      - C:\Program Files (x86)\Common Files\System\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\backup.exe" C:\Program Files (x86)\Common Files\System\
        6⤵
        
        PID:740
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        
        PID:1792
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:320
      - C:\Program Files (x86)\Internet Explorer\de-DE\data.exe
        
        "C:\Program Files (x86)\Internet Explorer\de-DE\data.exe" C:\Program Files (x86)\Internet Explorer\de-DE\
        6⤵
        
        PID:1492
      - C:\Program Files (x86)\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\en-US\backup.exe" C:\Program Files (x86)\Internet Explorer\en-US\
        6⤵
        
        PID:1096
      - C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe" C:\Program Files (x86)\Internet Explorer\es-ES\
        6⤵
        
        PID:860
      - C:\Program Files (x86)\Internet Explorer\fr-FR\System Restore.exe
        
        "C:\Program Files (x86)\Internet Explorer\fr-FR\System Restore.exe" C:\Program Files (x86)\Internet Explorer\fr-FR\
        6⤵
        
        PID:792
      - C:\Program Files (x86)\Internet Explorer\it-IT\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\it-IT\backup.exe" C:\Program Files (x86)\Internet Explorer\it-IT\
        6⤵
        
        PID:1972
      - C:\Program Files (x86)\Internet Explorer\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\ja-JP\backup.exe" C:\Program Files (x86)\Internet Explorer\ja-JP\
        6⤵
        
        PID:1716
    - - C:\Program Files (x86)\Microsoft Analysis Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\
        5⤵
        
        PID:2044
    - - C:\Program Files (x86)\Microsoft Office\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\backup.exe" C:\Program Files (x86)\Microsoft Office\
        5⤵
        
        PID:656
      - C:\Program Files (x86)\Microsoft Office\CLIPART\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\CLIPART\backup.exe" C:\Program Files (x86)\Microsoft Office\CLIPART\
        6⤵
        
        PID:928
      - C:\Program Files (x86)\Microsoft Office\Document Themes 14\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Document Themes 14\backup.exe" C:\Program Files (x86)\Microsoft Office\Document Themes 14\
        6⤵
        
        PID:1488
    - - C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\
        5⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1084
      - C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\backup.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\backup.exe" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\
        6⤵
        
        PID:1212
        
        C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\backup.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\backup.exe" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\
        7⤵
        
        PID:1188
    - - C:\Program Files (x86)\Microsoft Sync Framework\backup.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\backup.exe" C:\Program Files (x86)\Microsoft Sync Framework\
        5⤵
        
        PID:1044
    - - C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe" C:\Program Files (x86)\Microsoft Synchronization Services\
        5⤵
        
        PID:1884
    - - C:\Program Files (x86)\Microsoft Visual Studio 8\backup.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\backup.exe" C:\Program Files (x86)\Microsoft Visual Studio 8\
        5⤵
        
        PID:1576
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      PID:1880
  - - C:\Windows\System Restore.exe
      "C:\Windows\System Restore.exe" C:\Windows\
      4⤵
      PID:1824
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:332
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:952
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1780
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:764
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1012
- C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
  C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1508

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
12183dfc0990b8d4b84e485ce794afe8

SHA1
140a5df33d2a0d83429511307f3bbaf06313b23e

SHA256
dcaa1d33d523ed13bd533dd7b873a43f44b5f15c04a9413a26fc9c8bd2f7fa08

SHA512
87fd1f4956f67a69c3a2b9903b1bcce2968c7dd09cb95c636735247338bde803232aa948ac3bb4c6817397844406cf95f2227b4180eed0b817ade41e479deb85

Download Submit
C:\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
12183dfc0990b8d4b84e485ce794afe8

SHA1
140a5df33d2a0d83429511307f3bbaf06313b23e

SHA256
dcaa1d33d523ed13bd533dd7b873a43f44b5f15c04a9413a26fc9c8bd2f7fa08

SHA512
87fd1f4956f67a69c3a2b9903b1bcce2968c7dd09cb95c636735247338bde803232aa948ac3bb4c6817397844406cf95f2227b4180eed0b817ade41e479deb85

Download Submit
C:\PerfLogs\update.exe

Filesize
72KB

MD5
30fbc079c00eaf464c019e34d2938f85

SHA1
2e3db90524b12cc7fc7183ef8c3503b22d4460cd

SHA256
223892cb90939f97932b89f98e1697578be5f97ff901edad5e79b7a62550678d

SHA512
8977aac13c02f308a1d52a24c4b50dcfe616ef44f938db7c2e32083d5b472465e0fd7fddc355b400f939c48a18665278f2ebde7593a43be24b40374d65fbddb7

Download Submit
C:\PerfLogs\update.exe

Filesize
72KB

MD5
30fbc079c00eaf464c019e34d2938f85

SHA1
2e3db90524b12cc7fc7183ef8c3503b22d4460cd

SHA256
223892cb90939f97932b89f98e1697578be5f97ff901edad5e79b7a62550678d

SHA512
8977aac13c02f308a1d52a24c4b50dcfe616ef44f938db7c2e32083d5b472465e0fd7fddc355b400f939c48a18665278f2ebde7593a43be24b40374d65fbddb7

Download Submit
C:\Program Files\7-Zip\Lang\update.exe

Filesize
72KB

MD5
600c2fa7d50595a60b7c57de240706ac

SHA1
75b8782b95664615f2c99bb480d354109a88ae7e

SHA256
285e454e61a160214dab606af23c3ca991dc6991c990be157a8c303b8f24a28b

SHA512
6b0463ef302ae5d53ffca985acefa4c1efbfac05f8cf51bcc490f4d9888de5e67a73b2075d361faca3855d1b8e9dfdb666d46f1bb0afa00e434e44162ba4a187

Download Submit
C:\Program Files\7-Zip\Lang\update.exe

Filesize
72KB

MD5
600c2fa7d50595a60b7c57de240706ac

SHA1
75b8782b95664615f2c99bb480d354109a88ae7e

SHA256
285e454e61a160214dab606af23c3ca991dc6991c990be157a8c303b8f24a28b

SHA512
6b0463ef302ae5d53ffca985acefa4c1efbfac05f8cf51bcc490f4d9888de5e67a73b2075d361faca3855d1b8e9dfdb666d46f1bb0afa00e434e44162ba4a187

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
9e1460d43258a10a59177e03619b131d

SHA1
fecf746b027af9a580609f59aeb4eea04944f70c

SHA256
c94886fc6e56a798bf8af1f11bcfdf2ab36711291057910f7f1a1c45cc6964a4

SHA512
a9a9e9588e6479f71f8a557058cba5c56cd6fd98a42880de268038408b1633d278b6543e8630ebe0d066c92b1bc74e555c245ff2a6faa1fe5a3eb73af9e409ec

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
9e1460d43258a10a59177e03619b131d

SHA1
fecf746b027af9a580609f59aeb4eea04944f70c

SHA256
c94886fc6e56a798bf8af1f11bcfdf2ab36711291057910f7f1a1c45cc6964a4

SHA512
a9a9e9588e6479f71f8a557058cba5c56cd6fd98a42880de268038408b1633d278b6543e8630ebe0d066c92b1bc74e555c245ff2a6faa1fe5a3eb73af9e409ec

Download Submit
C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
d4aeb19d53ce7e13e2ebc42047bd1547

SHA1
0606ad815dd0e9d2bfbda3bb427139a97f84dab5

SHA256
3a5c80a37338900fb3953adf710999c421e2d60c7fd2612f9bcd2b41ee2ce4d5

SHA512
34ce91c2e7f8757c79fdbe5d7177a3f99924f0af5cf9979e6054191f5634482812da6da1c566a01a9417deeb242ec392c91920aeefa9e70f0ded63fefbfcc43b

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
7e448521ce5a975e425ba9ac6eeb2202

SHA1
e2f61e94e3145c9315e61944546753d7cafcb56d

SHA256
24ee168019ddf16fd80ccf7d0b7e30ed8b3e33b7f8e73f412f7cdbea3a2f7990

SHA512
d22863e06f1d6445352129a8aa643037c29680d5dfbed2fa532969be044cf1c4f544e80bfeebee1eef21bc6da7c99bf7a493f79a3cb79bfa6a042aca9eacdefb

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
7e448521ce5a975e425ba9ac6eeb2202

SHA1
e2f61e94e3145c9315e61944546753d7cafcb56d

SHA256
24ee168019ddf16fd80ccf7d0b7e30ed8b3e33b7f8e73f412f7cdbea3a2f7990

SHA512
d22863e06f1d6445352129a8aa643037c29680d5dfbed2fa532969be044cf1c4f544e80bfeebee1eef21bc6da7c99bf7a493f79a3cb79bfa6a042aca9eacdefb

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
9e1460d43258a10a59177e03619b131d

SHA1
fecf746b027af9a580609f59aeb4eea04944f70c

SHA256
c94886fc6e56a798bf8af1f11bcfdf2ab36711291057910f7f1a1c45cc6964a4

SHA512
a9a9e9588e6479f71f8a557058cba5c56cd6fd98a42880de268038408b1633d278b6543e8630ebe0d066c92b1bc74e555c245ff2a6faa1fe5a3eb73af9e409ec

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
9e1460d43258a10a59177e03619b131d

SHA1
fecf746b027af9a580609f59aeb4eea04944f70c

SHA256
c94886fc6e56a798bf8af1f11bcfdf2ab36711291057910f7f1a1c45cc6964a4

SHA512
a9a9e9588e6479f71f8a557058cba5c56cd6fd98a42880de268038408b1633d278b6543e8630ebe0d066c92b1bc74e555c245ff2a6faa1fe5a3eb73af9e409ec

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
f21374fae22922e43ad00c85d03b3f8e

SHA1
61ed5093cac2ae9124400e7243a449e93f8924e9

SHA256
16851b102fdcd20de2bd7f6d598a46b28814e55bad5da0f39e3ec9f4311bc817

SHA512
299d23199d80887a3a732e9a0b84b230a90c610fa0116d8af603c16737ff9e76dc9eb5edcdc6f7b2fb2f16bc0e32045817e7b29fa5a495c6cfaae669755d61eb

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
f21374fae22922e43ad00c85d03b3f8e

SHA1
61ed5093cac2ae9124400e7243a449e93f8924e9

SHA256
16851b102fdcd20de2bd7f6d598a46b28814e55bad5da0f39e3ec9f4311bc817

SHA512
299d23199d80887a3a732e9a0b84b230a90c610fa0116d8af603c16737ff9e76dc9eb5edcdc6f7b2fb2f16bc0e32045817e7b29fa5a495c6cfaae669755d61eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\741407144\backup.exe

Filesize
72KB

MD5
a38cd8f0d621e6657bc73a1ee03559e5

SHA1
8d601c71fd48bbf553b430c18567d9f63d4fc999

SHA256
92fea53283704b610b88ab52290e4825086f8ae49adf25fd8301d23d07294887

SHA512
4ba7839cb2306c9c470f0abb320133de46cd90fc8bc28e70b3cc7d449726be03d366dafd238b372bbd94edda2fdee619380c75c7b2434378a98b5628965ccd0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\741407144\backup.exe

Filesize
72KB

MD5
a38cd8f0d621e6657bc73a1ee03559e5

SHA1
8d601c71fd48bbf553b430c18567d9f63d4fc999

SHA256
92fea53283704b610b88ab52290e4825086f8ae49adf25fd8301d23d07294887

SHA512
4ba7839cb2306c9c470f0abb320133de46cd90fc8bc28e70b3cc7d449726be03d366dafd238b372bbd94edda2fdee619380c75c7b2434378a98b5628965ccd0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
a38cd8f0d621e6657bc73a1ee03559e5

SHA1
8d601c71fd48bbf553b430c18567d9f63d4fc999

SHA256
92fea53283704b610b88ab52290e4825086f8ae49adf25fd8301d23d07294887

SHA512
4ba7839cb2306c9c470f0abb320133de46cd90fc8bc28e70b3cc7d449726be03d366dafd238b372bbd94edda2fdee619380c75c7b2434378a98b5628965ccd0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
b8147872c72c26a6738ec09d945a0bd7

SHA1
b9eba7cedb3b252dddfe0e3e5ea9636893c98ec4

SHA256
6f6ab29f00d986c44d56bb9cfc6033c58140974ae14f21793695d15e342e7cdc

SHA512
40f0f4636e86cd5834ae6874177cfb5716948a06f75f09388568a43578dca0db18e265f264d6a262037fcbffbf1ac3c401a070286391c7aa77d8e05447186356

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
b8147872c72c26a6738ec09d945a0bd7

SHA1
b9eba7cedb3b252dddfe0e3e5ea9636893c98ec4

SHA256
6f6ab29f00d986c44d56bb9cfc6033c58140974ae14f21793695d15e342e7cdc

SHA512
40f0f4636e86cd5834ae6874177cfb5716948a06f75f09388568a43578dca0db18e265f264d6a262037fcbffbf1ac3c401a070286391c7aa77d8e05447186356

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
b8147872c72c26a6738ec09d945a0bd7

SHA1
b9eba7cedb3b252dddfe0e3e5ea9636893c98ec4

SHA256
6f6ab29f00d986c44d56bb9cfc6033c58140974ae14f21793695d15e342e7cdc

SHA512
40f0f4636e86cd5834ae6874177cfb5716948a06f75f09388568a43578dca0db18e265f264d6a262037fcbffbf1ac3c401a070286391c7aa77d8e05447186356

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
a38cd8f0d621e6657bc73a1ee03559e5

SHA1
8d601c71fd48bbf553b430c18567d9f63d4fc999

SHA256
92fea53283704b610b88ab52290e4825086f8ae49adf25fd8301d23d07294887

SHA512
4ba7839cb2306c9c470f0abb320133de46cd90fc8bc28e70b3cc7d449726be03d366dafd238b372bbd94edda2fdee619380c75c7b2434378a98b5628965ccd0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
b8147872c72c26a6738ec09d945a0bd7

SHA1
b9eba7cedb3b252dddfe0e3e5ea9636893c98ec4

SHA256
6f6ab29f00d986c44d56bb9cfc6033c58140974ae14f21793695d15e342e7cdc

SHA512
40f0f4636e86cd5834ae6874177cfb5716948a06f75f09388568a43578dca0db18e265f264d6a262037fcbffbf1ac3c401a070286391c7aa77d8e05447186356

Download Submit
C:\backup.exe

Filesize
72KB

MD5
9c599006f294b93ee6783900f61bf000

SHA1
97c4c8baee1b45f2aae0d51f0bf76dafa9ba9031

SHA256
32ae1b266d297015aef1bcd99ec92a35dc230ffe6183271ac7d3f1d7ac26ab39

SHA512
1791c6e1a4652a2a53d275e05f3f37d9349129e26bcf54e74d33cb367313a5a06d117c8be4b373649ec1a4ca23581a0d5269df66591116c9406969fd5f6c2c9c

Download Submit
C:\backup.exe

Filesize
72KB

MD5
9c599006f294b93ee6783900f61bf000

SHA1
97c4c8baee1b45f2aae0d51f0bf76dafa9ba9031

SHA256
32ae1b266d297015aef1bcd99ec92a35dc230ffe6183271ac7d3f1d7ac26ab39

SHA512
1791c6e1a4652a2a53d275e05f3f37d9349129e26bcf54e74d33cb367313a5a06d117c8be4b373649ec1a4ca23581a0d5269df66591116c9406969fd5f6c2c9c

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
12183dfc0990b8d4b84e485ce794afe8

SHA1
140a5df33d2a0d83429511307f3bbaf06313b23e

SHA256
dcaa1d33d523ed13bd533dd7b873a43f44b5f15c04a9413a26fc9c8bd2f7fa08

SHA512
87fd1f4956f67a69c3a2b9903b1bcce2968c7dd09cb95c636735247338bde803232aa948ac3bb4c6817397844406cf95f2227b4180eed0b817ade41e479deb85

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
12183dfc0990b8d4b84e485ce794afe8

SHA1
140a5df33d2a0d83429511307f3bbaf06313b23e

SHA256
dcaa1d33d523ed13bd533dd7b873a43f44b5f15c04a9413a26fc9c8bd2f7fa08

SHA512
87fd1f4956f67a69c3a2b9903b1bcce2968c7dd09cb95c636735247338bde803232aa948ac3bb4c6817397844406cf95f2227b4180eed0b817ade41e479deb85

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
12183dfc0990b8d4b84e485ce794afe8

SHA1
140a5df33d2a0d83429511307f3bbaf06313b23e

SHA256
dcaa1d33d523ed13bd533dd7b873a43f44b5f15c04a9413a26fc9c8bd2f7fa08

SHA512
87fd1f4956f67a69c3a2b9903b1bcce2968c7dd09cb95c636735247338bde803232aa948ac3bb4c6817397844406cf95f2227b4180eed0b817ade41e479deb85

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
12183dfc0990b8d4b84e485ce794afe8

SHA1
140a5df33d2a0d83429511307f3bbaf06313b23e

SHA256
dcaa1d33d523ed13bd533dd7b873a43f44b5f15c04a9413a26fc9c8bd2f7fa08

SHA512
87fd1f4956f67a69c3a2b9903b1bcce2968c7dd09cb95c636735247338bde803232aa948ac3bb4c6817397844406cf95f2227b4180eed0b817ade41e479deb85

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
12183dfc0990b8d4b84e485ce794afe8

SHA1
140a5df33d2a0d83429511307f3bbaf06313b23e

SHA256
dcaa1d33d523ed13bd533dd7b873a43f44b5f15c04a9413a26fc9c8bd2f7fa08

SHA512
87fd1f4956f67a69c3a2b9903b1bcce2968c7dd09cb95c636735247338bde803232aa948ac3bb4c6817397844406cf95f2227b4180eed0b817ade41e479deb85

Download Submit
\PerfLogs\update.exe

Filesize
72KB

MD5
30fbc079c00eaf464c019e34d2938f85

SHA1
2e3db90524b12cc7fc7183ef8c3503b22d4460cd

SHA256
223892cb90939f97932b89f98e1697578be5f97ff901edad5e79b7a62550678d

SHA512
8977aac13c02f308a1d52a24c4b50dcfe616ef44f938db7c2e32083d5b472465e0fd7fddc355b400f939c48a18665278f2ebde7593a43be24b40374d65fbddb7

Download Submit
\PerfLogs\update.exe

Filesize
72KB

MD5
30fbc079c00eaf464c019e34d2938f85

SHA1
2e3db90524b12cc7fc7183ef8c3503b22d4460cd

SHA256
223892cb90939f97932b89f98e1697578be5f97ff901edad5e79b7a62550678d

SHA512
8977aac13c02f308a1d52a24c4b50dcfe616ef44f938db7c2e32083d5b472465e0fd7fddc355b400f939c48a18665278f2ebde7593a43be24b40374d65fbddb7

Download Submit
\PerfLogs\update.exe

Filesize
72KB

MD5
30fbc079c00eaf464c019e34d2938f85

SHA1
2e3db90524b12cc7fc7183ef8c3503b22d4460cd

SHA256
223892cb90939f97932b89f98e1697578be5f97ff901edad5e79b7a62550678d

SHA512
8977aac13c02f308a1d52a24c4b50dcfe616ef44f938db7c2e32083d5b472465e0fd7fddc355b400f939c48a18665278f2ebde7593a43be24b40374d65fbddb7

Download Submit
\PerfLogs\update.exe

Filesize
72KB

MD5
30fbc079c00eaf464c019e34d2938f85

SHA1
2e3db90524b12cc7fc7183ef8c3503b22d4460cd

SHA256
223892cb90939f97932b89f98e1697578be5f97ff901edad5e79b7a62550678d

SHA512
8977aac13c02f308a1d52a24c4b50dcfe616ef44f938db7c2e32083d5b472465e0fd7fddc355b400f939c48a18665278f2ebde7593a43be24b40374d65fbddb7

Download Submit
\Program Files\7-Zip\Lang\update.exe

Filesize
72KB

MD5
600c2fa7d50595a60b7c57de240706ac

SHA1
75b8782b95664615f2c99bb480d354109a88ae7e

SHA256
285e454e61a160214dab606af23c3ca991dc6991c990be157a8c303b8f24a28b

SHA512
6b0463ef302ae5d53ffca985acefa4c1efbfac05f8cf51bcc490f4d9888de5e67a73b2075d361faca3855d1b8e9dfdb666d46f1bb0afa00e434e44162ba4a187

Download Submit
\Program Files\7-Zip\Lang\update.exe

Filesize
72KB

MD5
600c2fa7d50595a60b7c57de240706ac

SHA1
75b8782b95664615f2c99bb480d354109a88ae7e

SHA256
285e454e61a160214dab606af23c3ca991dc6991c990be157a8c303b8f24a28b

SHA512
6b0463ef302ae5d53ffca985acefa4c1efbfac05f8cf51bcc490f4d9888de5e67a73b2075d361faca3855d1b8e9dfdb666d46f1bb0afa00e434e44162ba4a187

Download Submit
\Program Files\7-Zip\Lang\update.exe

Filesize
72KB

MD5
600c2fa7d50595a60b7c57de240706ac

SHA1
75b8782b95664615f2c99bb480d354109a88ae7e

SHA256
285e454e61a160214dab606af23c3ca991dc6991c990be157a8c303b8f24a28b

SHA512
6b0463ef302ae5d53ffca985acefa4c1efbfac05f8cf51bcc490f4d9888de5e67a73b2075d361faca3855d1b8e9dfdb666d46f1bb0afa00e434e44162ba4a187

Download Submit
\Program Files\7-Zip\Lang\update.exe

Filesize
72KB

MD5
600c2fa7d50595a60b7c57de240706ac

SHA1
75b8782b95664615f2c99bb480d354109a88ae7e

SHA256
285e454e61a160214dab606af23c3ca991dc6991c990be157a8c303b8f24a28b

SHA512
6b0463ef302ae5d53ffca985acefa4c1efbfac05f8cf51bcc490f4d9888de5e67a73b2075d361faca3855d1b8e9dfdb666d46f1bb0afa00e434e44162ba4a187

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
9e1460d43258a10a59177e03619b131d

SHA1
fecf746b027af9a580609f59aeb4eea04944f70c

SHA256
c94886fc6e56a798bf8af1f11bcfdf2ab36711291057910f7f1a1c45cc6964a4

SHA512
a9a9e9588e6479f71f8a557058cba5c56cd6fd98a42880de268038408b1633d278b6543e8630ebe0d066c92b1bc74e555c245ff2a6faa1fe5a3eb73af9e409ec

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
9e1460d43258a10a59177e03619b131d

SHA1
fecf746b027af9a580609f59aeb4eea04944f70c

SHA256
c94886fc6e56a798bf8af1f11bcfdf2ab36711291057910f7f1a1c45cc6964a4

SHA512
a9a9e9588e6479f71f8a557058cba5c56cd6fd98a42880de268038408b1633d278b6543e8630ebe0d066c92b1bc74e555c245ff2a6faa1fe5a3eb73af9e409ec

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
d4aeb19d53ce7e13e2ebc42047bd1547

SHA1
0606ad815dd0e9d2bfbda3bb427139a97f84dab5

SHA256
3a5c80a37338900fb3953adf710999c421e2d60c7fd2612f9bcd2b41ee2ce4d5

SHA512
34ce91c2e7f8757c79fdbe5d7177a3f99924f0af5cf9979e6054191f5634482812da6da1c566a01a9417deeb242ec392c91920aeefa9e70f0ded63fefbfcc43b

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
d4aeb19d53ce7e13e2ebc42047bd1547

SHA1
0606ad815dd0e9d2bfbda3bb427139a97f84dab5

SHA256
3a5c80a37338900fb3953adf710999c421e2d60c7fd2612f9bcd2b41ee2ce4d5

SHA512
34ce91c2e7f8757c79fdbe5d7177a3f99924f0af5cf9979e6054191f5634482812da6da1c566a01a9417deeb242ec392c91920aeefa9e70f0ded63fefbfcc43b

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
7e448521ce5a975e425ba9ac6eeb2202

SHA1
e2f61e94e3145c9315e61944546753d7cafcb56d

SHA256
24ee168019ddf16fd80ccf7d0b7e30ed8b3e33b7f8e73f412f7cdbea3a2f7990

SHA512
d22863e06f1d6445352129a8aa643037c29680d5dfbed2fa532969be044cf1c4f544e80bfeebee1eef21bc6da7c99bf7a493f79a3cb79bfa6a042aca9eacdefb

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
7e448521ce5a975e425ba9ac6eeb2202

SHA1
e2f61e94e3145c9315e61944546753d7cafcb56d

SHA256
24ee168019ddf16fd80ccf7d0b7e30ed8b3e33b7f8e73f412f7cdbea3a2f7990

SHA512
d22863e06f1d6445352129a8aa643037c29680d5dfbed2fa532969be044cf1c4f544e80bfeebee1eef21bc6da7c99bf7a493f79a3cb79bfa6a042aca9eacdefb

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
d4aeb19d53ce7e13e2ebc42047bd1547

SHA1
0606ad815dd0e9d2bfbda3bb427139a97f84dab5

SHA256
3a5c80a37338900fb3953adf710999c421e2d60c7fd2612f9bcd2b41ee2ce4d5

SHA512
34ce91c2e7f8757c79fdbe5d7177a3f99924f0af5cf9979e6054191f5634482812da6da1c566a01a9417deeb242ec392c91920aeefa9e70f0ded63fefbfcc43b

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
d4aeb19d53ce7e13e2ebc42047bd1547

SHA1
0606ad815dd0e9d2bfbda3bb427139a97f84dab5

SHA256
3a5c80a37338900fb3953adf710999c421e2d60c7fd2612f9bcd2b41ee2ce4d5

SHA512
34ce91c2e7f8757c79fdbe5d7177a3f99924f0af5cf9979e6054191f5634482812da6da1c566a01a9417deeb242ec392c91920aeefa9e70f0ded63fefbfcc43b

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
9e1460d43258a10a59177e03619b131d

SHA1
fecf746b027af9a580609f59aeb4eea04944f70c

SHA256
c94886fc6e56a798bf8af1f11bcfdf2ab36711291057910f7f1a1c45cc6964a4

SHA512
a9a9e9588e6479f71f8a557058cba5c56cd6fd98a42880de268038408b1633d278b6543e8630ebe0d066c92b1bc74e555c245ff2a6faa1fe5a3eb73af9e409ec

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
9e1460d43258a10a59177e03619b131d

SHA1
fecf746b027af9a580609f59aeb4eea04944f70c

SHA256
c94886fc6e56a798bf8af1f11bcfdf2ab36711291057910f7f1a1c45cc6964a4

SHA512
a9a9e9588e6479f71f8a557058cba5c56cd6fd98a42880de268038408b1633d278b6543e8630ebe0d066c92b1bc74e555c245ff2a6faa1fe5a3eb73af9e409ec

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
f21374fae22922e43ad00c85d03b3f8e

SHA1
61ed5093cac2ae9124400e7243a449e93f8924e9

SHA256
16851b102fdcd20de2bd7f6d598a46b28814e55bad5da0f39e3ec9f4311bc817

SHA512
299d23199d80887a3a732e9a0b84b230a90c610fa0116d8af603c16737ff9e76dc9eb5edcdc6f7b2fb2f16bc0e32045817e7b29fa5a495c6cfaae669755d61eb

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
f21374fae22922e43ad00c85d03b3f8e

SHA1
61ed5093cac2ae9124400e7243a449e93f8924e9

SHA256
16851b102fdcd20de2bd7f6d598a46b28814e55bad5da0f39e3ec9f4311bc817

SHA512
299d23199d80887a3a732e9a0b84b230a90c610fa0116d8af603c16737ff9e76dc9eb5edcdc6f7b2fb2f16bc0e32045817e7b29fa5a495c6cfaae669755d61eb

Download Submit
\Users\Admin\AppData\Local\Temp\741407144\backup.exe

Filesize
72KB

MD5
a38cd8f0d621e6657bc73a1ee03559e5

SHA1
8d601c71fd48bbf553b430c18567d9f63d4fc999

SHA256
92fea53283704b610b88ab52290e4825086f8ae49adf25fd8301d23d07294887

SHA512
4ba7839cb2306c9c470f0abb320133de46cd90fc8bc28e70b3cc7d449726be03d366dafd238b372bbd94edda2fdee619380c75c7b2434378a98b5628965ccd0d

Download Submit
\Users\Admin\AppData\Local\Temp\741407144\backup.exe

Filesize
72KB

MD5
a38cd8f0d621e6657bc73a1ee03559e5

SHA1
8d601c71fd48bbf553b430c18567d9f63d4fc999

SHA256
92fea53283704b610b88ab52290e4825086f8ae49adf25fd8301d23d07294887

SHA512
4ba7839cb2306c9c470f0abb320133de46cd90fc8bc28e70b3cc7d449726be03d366dafd238b372bbd94edda2fdee619380c75c7b2434378a98b5628965ccd0d

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
a38cd8f0d621e6657bc73a1ee03559e5

SHA1
8d601c71fd48bbf553b430c18567d9f63d4fc999

SHA256
92fea53283704b610b88ab52290e4825086f8ae49adf25fd8301d23d07294887

SHA512
4ba7839cb2306c9c470f0abb320133de46cd90fc8bc28e70b3cc7d449726be03d366dafd238b372bbd94edda2fdee619380c75c7b2434378a98b5628965ccd0d

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
a38cd8f0d621e6657bc73a1ee03559e5

SHA1
8d601c71fd48bbf553b430c18567d9f63d4fc999

SHA256
92fea53283704b610b88ab52290e4825086f8ae49adf25fd8301d23d07294887

SHA512
4ba7839cb2306c9c470f0abb320133de46cd90fc8bc28e70b3cc7d449726be03d366dafd238b372bbd94edda2fdee619380c75c7b2434378a98b5628965ccd0d

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
b8147872c72c26a6738ec09d945a0bd7

SHA1
b9eba7cedb3b252dddfe0e3e5ea9636893c98ec4

SHA256
6f6ab29f00d986c44d56bb9cfc6033c58140974ae14f21793695d15e342e7cdc

SHA512
40f0f4636e86cd5834ae6874177cfb5716948a06f75f09388568a43578dca0db18e265f264d6a262037fcbffbf1ac3c401a070286391c7aa77d8e05447186356

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
b8147872c72c26a6738ec09d945a0bd7

SHA1
b9eba7cedb3b252dddfe0e3e5ea9636893c98ec4

SHA256
6f6ab29f00d986c44d56bb9cfc6033c58140974ae14f21793695d15e342e7cdc

SHA512
40f0f4636e86cd5834ae6874177cfb5716948a06f75f09388568a43578dca0db18e265f264d6a262037fcbffbf1ac3c401a070286391c7aa77d8e05447186356

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
b8147872c72c26a6738ec09d945a0bd7

SHA1
b9eba7cedb3b252dddfe0e3e5ea9636893c98ec4

SHA256
6f6ab29f00d986c44d56bb9cfc6033c58140974ae14f21793695d15e342e7cdc

SHA512
40f0f4636e86cd5834ae6874177cfb5716948a06f75f09388568a43578dca0db18e265f264d6a262037fcbffbf1ac3c401a070286391c7aa77d8e05447186356

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
b8147872c72c26a6738ec09d945a0bd7

SHA1
b9eba7cedb3b252dddfe0e3e5ea9636893c98ec4

SHA256
6f6ab29f00d986c44d56bb9cfc6033c58140974ae14f21793695d15e342e7cdc

SHA512
40f0f4636e86cd5834ae6874177cfb5716948a06f75f09388568a43578dca0db18e265f264d6a262037fcbffbf1ac3c401a070286391c7aa77d8e05447186356

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
b8147872c72c26a6738ec09d945a0bd7

SHA1
b9eba7cedb3b252dddfe0e3e5ea9636893c98ec4

SHA256
6f6ab29f00d986c44d56bb9cfc6033c58140974ae14f21793695d15e342e7cdc

SHA512
40f0f4636e86cd5834ae6874177cfb5716948a06f75f09388568a43578dca0db18e265f264d6a262037fcbffbf1ac3c401a070286391c7aa77d8e05447186356

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
b8147872c72c26a6738ec09d945a0bd7

SHA1
b9eba7cedb3b252dddfe0e3e5ea9636893c98ec4

SHA256
6f6ab29f00d986c44d56bb9cfc6033c58140974ae14f21793695d15e342e7cdc

SHA512
40f0f4636e86cd5834ae6874177cfb5716948a06f75f09388568a43578dca0db18e265f264d6a262037fcbffbf1ac3c401a070286391c7aa77d8e05447186356

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
a38cd8f0d621e6657bc73a1ee03559e5

SHA1
8d601c71fd48bbf553b430c18567d9f63d4fc999

SHA256
92fea53283704b610b88ab52290e4825086f8ae49adf25fd8301d23d07294887

SHA512
4ba7839cb2306c9c470f0abb320133de46cd90fc8bc28e70b3cc7d449726be03d366dafd238b372bbd94edda2fdee619380c75c7b2434378a98b5628965ccd0d

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
a38cd8f0d621e6657bc73a1ee03559e5

SHA1
8d601c71fd48bbf553b430c18567d9f63d4fc999

SHA256
92fea53283704b610b88ab52290e4825086f8ae49adf25fd8301d23d07294887

SHA512
4ba7839cb2306c9c470f0abb320133de46cd90fc8bc28e70b3cc7d449726be03d366dafd238b372bbd94edda2fdee619380c75c7b2434378a98b5628965ccd0d

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
b8147872c72c26a6738ec09d945a0bd7

SHA1
b9eba7cedb3b252dddfe0e3e5ea9636893c98ec4

SHA256
6f6ab29f00d986c44d56bb9cfc6033c58140974ae14f21793695d15e342e7cdc

SHA512
40f0f4636e86cd5834ae6874177cfb5716948a06f75f09388568a43578dca0db18e265f264d6a262037fcbffbf1ac3c401a070286391c7aa77d8e05447186356

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
b8147872c72c26a6738ec09d945a0bd7

SHA1
b9eba7cedb3b252dddfe0e3e5ea9636893c98ec4

SHA256
6f6ab29f00d986c44d56bb9cfc6033c58140974ae14f21793695d15e342e7cdc

SHA512
40f0f4636e86cd5834ae6874177cfb5716948a06f75f09388568a43578dca0db18e265f264d6a262037fcbffbf1ac3c401a070286391c7aa77d8e05447186356

Download Submit
memory/112-215-0x0000000000000000-mapping.dmp

Download
memory/304-261-0x0000000000000000-mapping.dmp

Download
memory/320-173-0x0000000000000000-mapping.dmp

Download
memory/332-64-0x0000000000000000-mapping.dmp

Download
memory/332-248-0x0000000000000000-mapping.dmp

Download
memory/520-245-0x0000000000000000-mapping.dmp

Download
memory/572-58-0x0000000000000000-mapping.dmp

Download
memory/592-98-0x0000000076461000-0x0000000076463000-memory.dmp

Filesize
8KB

Download
memory/592-113-0x0000000074221000-0x0000000074223000-memory.dmp

Filesize
8KB

Download
memory/636-227-0x0000000000000000-mapping.dmp

Download
memory/736-224-0x0000000000000000-mapping.dmp

Download
memory/764-82-0x0000000000000000-mapping.dmp

Download
memory/788-182-0x0000000000000000-mapping.dmp

Download
memory/792-142-0x0000000000000000-mapping.dmp

Download
memory/820-267-0x0000000000000000-mapping.dmp

Download
memory/952-70-0x0000000000000000-mapping.dmp

Download
memory/956-153-0x0000000000000000-mapping.dmp

Download
memory/1000-230-0x0000000000000000-mapping.dmp

Download
memory/1012-88-0x0000000000000000-mapping.dmp

Download
memory/1044-289-0x0000000000000000-mapping.dmp

Download
memory/1060-212-0x0000000000000000-mapping.dmp

Download
memory/1084-254-0x0000000000000000-mapping.dmp

Download
memory/1088-100-0x0000000000000000-mapping.dmp

Download
memory/1176-239-0x0000000000000000-mapping.dmp

Download
memory/1192-301-0x0000000000000000-mapping.dmp

Download
memory/1212-298-0x0000000000000000-mapping.dmp

Download
memory/1284-242-0x0000000000000000-mapping.dmp

Download
memory/1368-310-0x0000000000000000-mapping.dmp

Download
memory/1380-295-0x0000000000000000-mapping.dmp

Download
memory/1388-264-0x0000000000000000-mapping.dmp

Download
memory/1420-292-0x0000000000000000-mapping.dmp

Download
memory/1444-218-0x0000000000000000-mapping.dmp

Download
memory/1488-206-0x0000000000000000-mapping.dmp

Download
memory/1492-283-0x0000000000000000-mapping.dmp

Download
memory/1504-106-0x0000000000000000-mapping.dmp

Download
memory/1508-270-0x0000000000000000-mapping.dmp

Download
memory/1508-94-0x0000000000000000-mapping.dmp

Download
memory/1524-136-0x0000000000000000-mapping.dmp

Download
memory/1552-188-0x0000000000000000-mapping.dmp

Download
memory/1556-286-0x0000000000000000-mapping.dmp

Download
memory/1560-203-0x0000000000000000-mapping.dmp

Download
memory/1564-280-0x0000000000000000-mapping.dmp

Download
memory/1568-200-0x0000000000000000-mapping.dmp

Download
memory/1584-167-0x0000000000000000-mapping.dmp

Download
memory/1612-197-0x0000000000000000-mapping.dmp

Download
memory/1640-236-0x0000000000000000-mapping.dmp

Download
memory/1640-316-0x0000000000000000-mapping.dmp

Download
memory/1696-307-0x0000000000000000-mapping.dmp

Download
memory/1700-277-0x0000000000000000-mapping.dmp

Download
memory/1704-185-0x0000000000000000-mapping.dmp

Download
memory/1768-313-0x0000000000000000-mapping.dmp

Download
memory/1772-160-0x0000000000000000-mapping.dmp

Download
memory/1776-251-0x0000000000000000-mapping.dmp

Download
memory/1780-179-0x0000000000000000-mapping.dmp

Download
memory/1780-76-0x0000000000000000-mapping.dmp

Download
memory/1784-274-0x0000000000000000-mapping.dmp

Download
memory/1828-176-0x0000000000000000-mapping.dmp

Download
memory/1836-194-0x0000000000000000-mapping.dmp

Download
memory/1884-257-0x0000000000000000-mapping.dmp

Download
memory/1892-129-0x0000000000000000-mapping.dmp

Download
memory/1956-233-0x0000000000000000-mapping.dmp

Download
memory/1960-209-0x0000000000000000-mapping.dmp

Download
memory/1964-118-0x0000000000000000-mapping.dmp

Download
memory/1976-304-0x0000000000000000-mapping.dmp

Download
memory/2032-191-0x0000000000000000-mapping.dmp

Download
memory/2044-221-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads