ebbe9375bedb89c8ccf9e1e06aa929bcf24cbc836740219259ff428c5837d630

Analysis

max time kernel
152s
max time network
42s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
21/10/2022, 01:33 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ebbe9375bedb89c8ccf9e1e06aa929bcf24cbc836740219259ff428c5837d630.exe
Size

72KB
MD5

4f07146c3c86e3a4152fc514dc2a672a
SHA1

c986bdd4291ae88a906fef3fd0381e74f3e33e57
SHA256

ebbe9375bedb89c8ccf9e1e06aa929bcf24cbc836740219259ff428c5837d630
SHA512

8af28b4b0d90454b8b299ca18522009ff7afc3b19c5328eb6a5de76429b0d84894e8e581f62b0381d1aa351f504ee87f57fc531d75f71545b25c4f5cb80a47bb
SSDEEP

768:NpQNwC3BESe4Vqth+0V5vKlE3BEJwRrTd3FAyvi:HeT7BVwxfvqguKRFAH

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Executes dropped EXE 64 IoCs

pid	Process
1984	backup.exe
1872	backup.exe
944	backup.exe
816	System Restore.exe
616	backup.exe
916	backup.exe
2016	backup.exe
1780	backup.exe
1040	backup.exe
1540	backup.exe
624	backup.exe
2012	backup.exe
1812	backup.exe
1480	data.exe
1624	data.exe
1404	backup.exe
560	backup.exe
1856	backup.exe
1056	backup.exe
1740	backup.exe
1416	backup.exe
1456	backup.exe
1872	backup.exe
1784	backup.exe
1776	data.exe
1076	backup.exe
904	backup.exe
1768	backup.exe
580	backup.exe
760	backup.exe
1064	backup.exe
2016	data.exe
1680	backup.exe
972	backup.exe
1180	data.exe
768	backup.exe
2008	backup.exe
280	backup.exe
1216	backup.exe
1620	backup.exe
1652	backup.exe
1100	backup.exe
284	System Restore.exe
992	backup.exe
1644	backup.exe
952	backup.exe
1832	backup.exe
1764	backup.exe
1668	backup.exe
1736	backup.exe
1956	backup.exe
940	backup.exe
1324	backup.exe
1784	backup.exe
2020	backup.exe
664	backup.exe
1396	update.exe
1884	backup.exe
1020	backup.exe
1792	backup.exe
1708	backup.exe
1868	backup.exe
1068	backup.exe
1040	backup.exe

Loads dropped DLL 64 IoCs

pid	Process
1608	ebbe9375bedb89c8ccf9e1e06aa929bcf24cbc836740219259ff428c5837d630.exe
1608	ebbe9375bedb89c8ccf9e1e06aa929bcf24cbc836740219259ff428c5837d630.exe
1608	ebbe9375bedb89c8ccf9e1e06aa929bcf24cbc836740219259ff428c5837d630.exe
1608	ebbe9375bedb89c8ccf9e1e06aa929bcf24cbc836740219259ff428c5837d630.exe
1608	ebbe9375bedb89c8ccf9e1e06aa929bcf24cbc836740219259ff428c5837d630.exe
1608	ebbe9375bedb89c8ccf9e1e06aa929bcf24cbc836740219259ff428c5837d630.exe
1608	ebbe9375bedb89c8ccf9e1e06aa929bcf24cbc836740219259ff428c5837d630.exe
1608	ebbe9375bedb89c8ccf9e1e06aa929bcf24cbc836740219259ff428c5837d630.exe
816	System Restore.exe
1608	ebbe9375bedb89c8ccf9e1e06aa929bcf24cbc836740219259ff428c5837d630.exe
1608	ebbe9375bedb89c8ccf9e1e06aa929bcf24cbc836740219259ff428c5837d630.exe
816	System Restore.exe
2016	backup.exe
2016	backup.exe
1608	ebbe9375bedb89c8ccf9e1e06aa929bcf24cbc836740219259ff428c5837d630.exe
1608	ebbe9375bedb89c8ccf9e1e06aa929bcf24cbc836740219259ff428c5837d630.exe
1608	ebbe9375bedb89c8ccf9e1e06aa929bcf24cbc836740219259ff428c5837d630.exe
1608	ebbe9375bedb89c8ccf9e1e06aa929bcf24cbc836740219259ff428c5837d630.exe
816	System Restore.exe
816	System Restore.exe
624	backup.exe
624	backup.exe
2012	backup.exe
2012	backup.exe
624	backup.exe
624	backup.exe
1480	data.exe
1480	data.exe
1624	data.exe
1624	data.exe
1624	data.exe
1624	data.exe
560	backup.exe
560	backup.exe
560	backup.exe
560	backup.exe
560	backup.exe
560	backup.exe
560	backup.exe
560	backup.exe
560	backup.exe
560	backup.exe
560	backup.exe
560	backup.exe
560	backup.exe
560	backup.exe
560	backup.exe
560	backup.exe
560	backup.exe
560	backup.exe
560	backup.exe
560	backup.exe
560	backup.exe
560	backup.exe
560	backup.exe
560	backup.exe
580	backup.exe
580	backup.exe
580	backup.exe
580	backup.exe
580	backup.exe
580	backup.exe
580	backup.exe
580	backup.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\update.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\data.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\CrashReports\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\Lang\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\backup.exe	System Restore.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\System\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ja-JP\update.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\fr-FR\update.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\backup.exe	backup.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\backup.exe	System Restore.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1608	ebbe9375bedb89c8ccf9e1e06aa929bcf24cbc836740219259ff428c5837d630.exe
1984	backup.exe
1872	backup.exe
944	backup.exe
816	System Restore.exe
616	backup.exe
2016	backup.exe
916	backup.exe
1780	backup.exe
1040	backup.exe
1540	backup.exe
624	backup.exe
2012	backup.exe
1812	backup.exe
1480	data.exe
1624	data.exe
1404	backup.exe
560	backup.exe
1856	backup.exe
1740	backup.exe
1416	backup.exe
1456	backup.exe
1872	backup.exe
1784	backup.exe
1776	data.exe
1076	backup.exe
904	backup.exe
1768	backup.exe
580	backup.exe
760	backup.exe
1064	backup.exe
2016	data.exe
1680	backup.exe
972	backup.exe
1180	data.exe
768	backup.exe
2008	backup.exe
280	backup.exe
1216	backup.exe
1620	backup.exe
1652	backup.exe
1100	backup.exe
284	System Restore.exe
992	backup.exe
1644	backup.exe
952	backup.exe
1832	backup.exe
1764	backup.exe
1668	backup.exe
1736	backup.exe
1956	backup.exe
940	backup.exe
1324	backup.exe
1784	backup.exe
2020	backup.exe
664	backup.exe
1884	backup.exe
1020	backup.exe
1792	backup.exe
1396	update.exe
1708	backup.exe
1868	backup.exe
1068	backup.exe
1040	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1608 wrote to memory of 1984	1608	ebbe9375bedb89c8ccf9e1e06aa929bcf24cbc836740219259ff428c5837d630.exe	26
PID 1608 wrote to memory of 1984	1608	ebbe9375bedb89c8ccf9e1e06aa929bcf24cbc836740219259ff428c5837d630.exe	26
PID 1608 wrote to memory of 1984	1608	ebbe9375bedb89c8ccf9e1e06aa929bcf24cbc836740219259ff428c5837d630.exe	26
PID 1608 wrote to memory of 1984	1608	ebbe9375bedb89c8ccf9e1e06aa929bcf24cbc836740219259ff428c5837d630.exe	26
PID 1608 wrote to memory of 1872	1608	ebbe9375bedb89c8ccf9e1e06aa929bcf24cbc836740219259ff428c5837d630.exe	27
PID 1608 wrote to memory of 1872	1608	ebbe9375bedb89c8ccf9e1e06aa929bcf24cbc836740219259ff428c5837d630.exe	27
PID 1608 wrote to memory of 1872	1608	ebbe9375bedb89c8ccf9e1e06aa929bcf24cbc836740219259ff428c5837d630.exe	27
PID 1608 wrote to memory of 1872	1608	ebbe9375bedb89c8ccf9e1e06aa929bcf24cbc836740219259ff428c5837d630.exe	27
PID 1608 wrote to memory of 944	1608	ebbe9375bedb89c8ccf9e1e06aa929bcf24cbc836740219259ff428c5837d630.exe	28
PID 1608 wrote to memory of 944	1608	ebbe9375bedb89c8ccf9e1e06aa929bcf24cbc836740219259ff428c5837d630.exe	28
PID 1608 wrote to memory of 944	1608	ebbe9375bedb89c8ccf9e1e06aa929bcf24cbc836740219259ff428c5837d630.exe	28
PID 1608 wrote to memory of 944	1608	ebbe9375bedb89c8ccf9e1e06aa929bcf24cbc836740219259ff428c5837d630.exe	28
PID 1984 wrote to memory of 816	1984	backup.exe	29
PID 1984 wrote to memory of 816	1984	backup.exe	29
PID 1984 wrote to memory of 816	1984	backup.exe	29
PID 1984 wrote to memory of 816	1984	backup.exe	29
PID 1608 wrote to memory of 616	1608	ebbe9375bedb89c8ccf9e1e06aa929bcf24cbc836740219259ff428c5837d630.exe	30
PID 1608 wrote to memory of 616	1608	ebbe9375bedb89c8ccf9e1e06aa929bcf24cbc836740219259ff428c5837d630.exe	30
PID 1608 wrote to memory of 616	1608	ebbe9375bedb89c8ccf9e1e06aa929bcf24cbc836740219259ff428c5837d630.exe	30
PID 1608 wrote to memory of 616	1608	ebbe9375bedb89c8ccf9e1e06aa929bcf24cbc836740219259ff428c5837d630.exe	30
PID 1608 wrote to memory of 916	1608	ebbe9375bedb89c8ccf9e1e06aa929bcf24cbc836740219259ff428c5837d630.exe	32
PID 1608 wrote to memory of 916	1608	ebbe9375bedb89c8ccf9e1e06aa929bcf24cbc836740219259ff428c5837d630.exe	32
PID 1608 wrote to memory of 916	1608	ebbe9375bedb89c8ccf9e1e06aa929bcf24cbc836740219259ff428c5837d630.exe	32
PID 1608 wrote to memory of 916	1608	ebbe9375bedb89c8ccf9e1e06aa929bcf24cbc836740219259ff428c5837d630.exe	32
PID 816 wrote to memory of 2016	816	System Restore.exe	31
PID 816 wrote to memory of 2016	816	System Restore.exe	31
PID 816 wrote to memory of 2016	816	System Restore.exe	31
PID 816 wrote to memory of 2016	816	System Restore.exe	31
PID 2016 wrote to memory of 1780	2016	backup.exe	33
PID 2016 wrote to memory of 1780	2016	backup.exe	33
PID 2016 wrote to memory of 1780	2016	backup.exe	33
PID 2016 wrote to memory of 1780	2016	backup.exe	33
PID 1608 wrote to memory of 1040	1608	ebbe9375bedb89c8ccf9e1e06aa929bcf24cbc836740219259ff428c5837d630.exe	34
PID 1608 wrote to memory of 1040	1608	ebbe9375bedb89c8ccf9e1e06aa929bcf24cbc836740219259ff428c5837d630.exe	34
PID 1608 wrote to memory of 1040	1608	ebbe9375bedb89c8ccf9e1e06aa929bcf24cbc836740219259ff428c5837d630.exe	34
PID 1608 wrote to memory of 1040	1608	ebbe9375bedb89c8ccf9e1e06aa929bcf24cbc836740219259ff428c5837d630.exe	34
PID 1608 wrote to memory of 1540	1608	ebbe9375bedb89c8ccf9e1e06aa929bcf24cbc836740219259ff428c5837d630.exe	35
PID 1608 wrote to memory of 1540	1608	ebbe9375bedb89c8ccf9e1e06aa929bcf24cbc836740219259ff428c5837d630.exe	35
PID 1608 wrote to memory of 1540	1608	ebbe9375bedb89c8ccf9e1e06aa929bcf24cbc836740219259ff428c5837d630.exe	35
PID 1608 wrote to memory of 1540	1608	ebbe9375bedb89c8ccf9e1e06aa929bcf24cbc836740219259ff428c5837d630.exe	35
PID 816 wrote to memory of 624	816	System Restore.exe	36
PID 816 wrote to memory of 624	816	System Restore.exe	36
PID 816 wrote to memory of 624	816	System Restore.exe	36
PID 816 wrote to memory of 624	816	System Restore.exe	36
PID 624 wrote to memory of 2012	624	backup.exe	37
PID 624 wrote to memory of 2012	624	backup.exe	37
PID 624 wrote to memory of 2012	624	backup.exe	37
PID 624 wrote to memory of 2012	624	backup.exe	37
PID 2012 wrote to memory of 1812	2012	backup.exe	38
PID 2012 wrote to memory of 1812	2012	backup.exe	38
PID 2012 wrote to memory of 1812	2012	backup.exe	38
PID 2012 wrote to memory of 1812	2012	backup.exe	38
PID 624 wrote to memory of 1480	624	backup.exe	39
PID 624 wrote to memory of 1480	624	backup.exe	39
PID 624 wrote to memory of 1480	624	backup.exe	39
PID 624 wrote to memory of 1480	624	backup.exe	39
PID 1480 wrote to memory of 1624	1480	data.exe	40
PID 1480 wrote to memory of 1624	1480	data.exe	40
PID 1480 wrote to memory of 1624	1480	data.exe	40
PID 1480 wrote to memory of 1624	1480	data.exe	40
PID 1624 wrote to memory of 1404	1624	data.exe	41
PID 1624 wrote to memory of 1404	1624	data.exe	41
PID 1624 wrote to memory of 1404	1624	data.exe	41
PID 1624 wrote to memory of 1404	1624	data.exe	41

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe

C:\Users\Admin\AppData\Local\Temp\ebbe9375bedb89c8ccf9e1e06aa929bcf24cbc836740219259ff428c5837d630.exe
"C:\Users\Admin\AppData\Local\Temp\ebbe9375bedb89c8ccf9e1e06aa929bcf24cbc836740219259ff428c5837d630.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1608
- C:\Users\Admin\AppData\Local\Temp\1173599081\backup.exe
  C:\Users\Admin\AppData\Local\Temp\1173599081\backup.exe C:\Users\Admin\AppData\Local\Temp\1173599081\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1984
- - C:\System Restore.exe
    "\System Restore.exe" \
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:816
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2016
    - - C:\PerfLogs\Admin\backup.exe
        
        C:\PerfLogs\Admin\backup.exe C:\PerfLogs\Admin\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1780
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:624
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2012
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1812
    - - C:\Program Files\Common Files\data.exe
        
        "C:\Program Files\Common Files\data.exe" C:\Program Files\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1480
      - C:\Program Files\Common Files\Microsoft Shared\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\data.exe" C:\Program Files\Common Files\Microsoft Shared\
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1624
        
        C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1404
        
        C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:560
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1856
        
        C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
        8⤵
        Executes dropped EXE
        System policy modification
        
        PID:1056
        
        C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1740
        
        C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1416
        
        C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1456
        
        C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1872
        
        C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1784
        
        C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1776
        
        C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1076
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:904
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1768
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:580
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:760
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1064
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2016
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1680
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:972
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1180
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:768
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2008
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:280
        
        C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1216
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1620
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1652
        
        C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1100
        
        C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:284
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:992
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1644
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:952
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1832
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1764
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1668
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1736
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1956
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:940
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1784
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1396
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1868
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1068
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1148
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1612
        
        C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\
        8⤵
        
        PID:596
        
        C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\
        8⤵
        System policy modification
        
        PID:1728
        
        C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1620
        
        C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1652
        
        C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:896
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:952
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1976
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\
        8⤵
        
        PID:616
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\
        8⤵
        
        PID:760
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\
        8⤵
        
        PID:1508
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\
        8⤵
        
        PID:972
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:768
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
        7⤵
        
        PID:1280
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:536
        
        C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\update.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
        7⤵
        System policy modification
        
        PID:836
        
        C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\
        7⤵
        System policy modification
        
        PID:1600
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\
        7⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:1696
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\
        8⤵
        
        PID:1080
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:916
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:868
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\
        8⤵
        System policy modification
        
        PID:2032
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1284
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\update.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1524
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\
        7⤵
        Drops file in Program Files directory
        
        PID:1816
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2036
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\
        8⤵
        
        PID:1596
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\
        8⤵
        
        PID:1656
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\
        8⤵
        
        PID:1980
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\
        8⤵
        
        PID:768
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\
        8⤵
        
        PID:1620
        
        C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VC\
        7⤵
        
        PID:760
        
        C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VGX\
        7⤵
        
        PID:1052
        
        C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\
        7⤵
        
        PID:1392
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        System policy modification
        
        PID:1988
      - C:\Program Files\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\backup.exe" C:\Program Files\Common Files\SpeechEngines\
        6⤵
        
        PID:1944
        
        C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files\Common Files\SpeechEngines\Microsoft\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:520
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:1780
        
        C:\Program Files\Common Files\System\ado\backup.exe
        
        "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1316
        
        C:\Program Files\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
        8⤵
        
        PID:2036
        
        C:\Program Files\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
        8⤵
        
        PID:692
        
        C:\Program Files\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1988
        
        C:\Program Files\Common Files\System\ado\fr-FR\System Restore.exe
        
        "C:\Program Files\Common Files\System\ado\fr-FR\System Restore.exe" C:\Program Files\Common Files\System\ado\fr-FR\
        8⤵
        
        PID:1768
        
        C:\Program Files\Common Files\System\ado\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\
        8⤵
        System policy modification
        
        PID:1944
        
        C:\Program Files\Common Files\System\ado\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1464
        
        C:\Program Files\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        
        PID:1488
        
        C:\Program Files\Common Files\System\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        
        PID:280
        
        C:\Program Files\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1100
        
        C:\Program Files\Common Files\System\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\fr-FR\backup.exe" C:\Program Files\Common Files\System\fr-FR\
        7⤵
        
        PID:1404
        
        C:\Program Files\Common Files\System\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\it-IT\backup.exe" C:\Program Files\Common Files\System\it-IT\
        7⤵
        
        PID:1856
        
        C:\Program Files\Common Files\System\ja-JP\update.exe
        
        "C:\Program Files\Common Files\System\ja-JP\update.exe" C:\Program Files\Common Files\System\ja-JP\
        7⤵
        
        PID:1832
        
        C:\Program Files\Common Files\System\msadc\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\backup.exe" C:\Program Files\Common Files\System\msadc\
        7⤵
        Drops file in Program Files directory
        
        PID:796
        
        C:\Program Files\Common Files\System\msadc\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\de-DE\backup.exe" C:\Program Files\Common Files\System\msadc\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1768
        
        C:\Program Files\Common Files\System\msadc\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\en-US\backup.exe" C:\Program Files\Common Files\System\msadc\en-US\
        8⤵
        System policy modification
        
        PID:1968
        
        C:\Program Files\Common Files\System\msadc\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\es-ES\backup.exe" C:\Program Files\Common Files\System\msadc\es-ES\
        8⤵
        
        PID:1564
        
        C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe" C:\Program Files\Common Files\System\msadc\fr-FR\
        8⤵
        
        PID:1404
        
        C:\Program Files\Common Files\System\msadc\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\it-IT\backup.exe" C:\Program Files\Common Files\System\msadc\it-IT\
        8⤵
        
        PID:1108
        
        C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe" C:\Program Files\Common Files\System\msadc\ja-JP\
        8⤵
        
        PID:1584
        
        C:\Program Files\Common Files\System\Ole DB\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\backup.exe" C:\Program Files\Common Files\System\Ole DB\
        7⤵
        
        PID:288
    - - C:\Program Files\DVD Maker\backup.exe
        
        "C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\
        5⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:1584
      - C:\Program Files\DVD Maker\de-DE\backup.exe
        
        "C:\Program Files\DVD Maker\de-DE\backup.exe" C:\Program Files\DVD Maker\de-DE\
        6⤵
        System policy modification
        
        PID:1544
      - C:\Program Files\DVD Maker\en-US\System Restore.exe
        
        "C:\Program Files\DVD Maker\en-US\System Restore.exe" C:\Program Files\DVD Maker\en-US\
        6⤵
        System policy modification
        
        PID:2004
      - C:\Program Files\DVD Maker\es-ES\backup.exe
        
        "C:\Program Files\DVD Maker\es-ES\backup.exe" C:\Program Files\DVD Maker\es-ES\
        6⤵
        System policy modification
        
        PID:1872
      - C:\Program Files\DVD Maker\fr-FR\update.exe
        
        "C:\Program Files\DVD Maker\fr-FR\update.exe" C:\Program Files\DVD Maker\fr-FR\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:268
      - C:\Program Files\DVD Maker\it-IT\backup.exe
        
        "C:\Program Files\DVD Maker\it-IT\backup.exe" C:\Program Files\DVD Maker\it-IT\
        6⤵
        
        PID:1708
      - C:\Program Files\DVD Maker\ja-JP\backup.exe
        
        "C:\Program Files\DVD Maker\ja-JP\backup.exe" C:\Program Files\DVD Maker\ja-JP\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1068
      - C:\Program Files\DVD Maker\Shared\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\backup.exe" C:\Program Files\DVD Maker\Shared\
        6⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:1216
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\
        7⤵
        Drops file in Program Files directory
        
        PID:1628
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:896
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\
        8⤵
        
        PID:796
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\
        8⤵
        System policy modification
        
        PID:820
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Full\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1748
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1756
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:972
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\
        8⤵
        
        PID:1840
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\
        8⤵
        
        PID:1204
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\
        8⤵
        
        PID:688
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\update.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\update.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\
        8⤵
        
        PID:1556
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Push\System Restore.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Push\System Restore.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Push\
        8⤵
        
        PID:896
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\
        8⤵
        
        PID:1788
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\update.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\update.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\
        8⤵
        
        PID:1060
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\
        8⤵
        
        PID:1616
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\update.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\update.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\
        8⤵
        
        PID:912
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        
        PID:640
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        
        PID:2028
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        
        PID:1180
    - - C:\Program Files\Microsoft Games\backup.exe
        
        "C:\Program Files\Microsoft Games\backup.exe" C:\Program Files\Microsoft Games\
        5⤵
        
        PID:2000
    - - C:\Program Files\Microsoft Office\backup.exe
        
        "C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
        5⤵
        
        PID:2004
    - - C:\Program Files\Mozilla Firefox\backup.exe
        
        "C:\Program Files\Mozilla Firefox\backup.exe" C:\Program Files\Mozilla Firefox\
        5⤵
        
        PID:1812
    - - C:\Program Files\MSBuild\System Restore.exe
        
        "C:\Program Files\MSBuild\System Restore.exe" C:\Program Files\MSBuild\
        5⤵
        
        PID:580
    - - C:\Program Files\Reference Assemblies\backup.exe
        
        "C:\Program Files\Reference Assemblies\backup.exe" C:\Program Files\Reference Assemblies\
        5⤵
        
        PID:816
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      PID:1324
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2020
      - C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:664
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1884
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1020
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1792
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1708
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1040
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1180
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\System Restore.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\
        9⤵
        
        PID:1488
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\
        8⤵
        System policy modification
        
        PID:1840
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\
        8⤵
        System policy modification
        
        PID:1628
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\
        9⤵
        
        PID:772
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\
        8⤵
        
        PID:992
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\
        8⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:1876
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\
        9⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:1740
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\
        10⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1440
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\
        9⤵
        
        PID:1168
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\
        10⤵
        
        PID:584
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\
        11⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1888
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1148
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\
        10⤵
        
        PID:280
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\
        9⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1728
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\
        10⤵
        System policy modification
        
        PID:984
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1656
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\
        9⤵
        
        PID:1832
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1772
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\
        8⤵
        System policy modification
        
        PID:1784
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\
        7⤵
        Drops file in Program Files directory
        
        PID:1868
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1168
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\
        9⤵
        
        PID:952
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1392
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\
        8⤵
        Drops file in Program Files directory
        
        PID:1644
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\
        9⤵
        System policy modification
        
        PID:1900
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\data.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\data.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\
        9⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1892
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\System Restore.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\
        10⤵
        
        PID:616
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\
        11⤵
        
        PID:1460
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:904
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\
        8⤵
        
        PID:1776
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\
        9⤵
        
        PID:1116
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:468
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\
        8⤵
        
        PID:1168
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:976
      - C:\Program Files (x86)\Common Files\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
        6⤵
        
        PID:1944
      - C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\
        6⤵
        
        PID:1800
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:1708
      - C:\Program Files (x86)\Google\CrashReports\backup.exe
        
        "C:\Program Files (x86)\Google\CrashReports\backup.exe" C:\Program Files (x86)\Google\CrashReports\
        6⤵
        
        PID:1280
      - C:\Program Files (x86)\Google\Policies\backup.exe
        
        "C:\Program Files (x86)\Google\Policies\backup.exe" C:\Program Files (x86)\Google\Policies\
        6⤵
        
        PID:1568
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1148
      - C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe" C:\Program Files (x86)\Internet Explorer\de-DE\
        6⤵
        
        PID:284
    - - C:\Program Files (x86)\Microsoft Analysis Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\
        5⤵
        
        PID:984
    - - C:\Program Files (x86)\Microsoft Office\System Restore.exe
        
        "C:\Program Files (x86)\Microsoft Office\System Restore.exe" C:\Program Files (x86)\Microsoft Office\
        5⤵
        
        PID:2036
    - - C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\
        5⤵
        
        PID:1548
    - - C:\Program Files (x86)\Microsoft Sync Framework\update.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\update.exe" C:\Program Files (x86)\Microsoft Sync Framework\
        5⤵
        
        PID:1876
    - - C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe" C:\Program Files (x86)\Microsoft Synchronization Services\
        5⤵
        
        PID:2044
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      PID:1772
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        
        PID:2032
    - - C:\Users\Public\backup.exe
        
        C:\Users\Public\backup.exe C:\Users\Public\
        5⤵
        
        PID:1120
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      PID:1508
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1872
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:944
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:616
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:916
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1040
- C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
  C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1540

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
413228cb88efcafe57589731eba3820c

SHA1
b4a3e448bef62c43da882cf80af619ffafc77167

SHA256
567fda56437c378917d0161ffa72d0f201b295f4b687700b6ddd7cce4bb7451b

SHA512
61dffe216712b3030046785d2c7760bb8857ef2d0b9df080f9873f73a305f2d0421d3482f1778c079a1d7142a88f4332e599d18e2d3b84c5994246c32f26fdb1

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
2f13630cfeab4163f48c9578e4d69b7d

SHA1
a0503a84f981df32179e6b5b2a237585423fd4ce

SHA256
a050ada5fe82b950100e6432a5ab60c861ee60f766b19d17088e319834a2b08c

SHA512
06321f84b6939551f6cf20a15e27d84b6a533c2e803ac63bf2a6bd5a66f763eb64a9a733ff54cf71a7572361cb72cd4418d68bdf53f937850cf9898b792337b8

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
2f13630cfeab4163f48c9578e4d69b7d

SHA1
a0503a84f981df32179e6b5b2a237585423fd4ce

SHA256
a050ada5fe82b950100e6432a5ab60c861ee60f766b19d17088e319834a2b08c

SHA512
06321f84b6939551f6cf20a15e27d84b6a533c2e803ac63bf2a6bd5a66f763eb64a9a733ff54cf71a7572361cb72cd4418d68bdf53f937850cf9898b792337b8

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
d72344d28277d57452c21675a2c55fd4

SHA1
7ca3daecade2b0427acbd5c8aa4134bf118e2b33

SHA256
82c3d027f60ed72c2228ac1a6bce0101f8d4a372571aa99baa2970b53d4abb95

SHA512
55abeb27542991dab0d34136c1dd6989ecaccb238583333064f545ef0d6ef259b5749701cbe90abbe35e11dca03f8ee1dc37e906063624de7d60fd16454df4df

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
2594e29c612f39a81602662691daca43

SHA1
e74e1c33881c934a1b7076d95d5c947c4bee14ed

SHA256
10f8ec51d1e9abfe4bbb6a10be9ac833087b1d23c8a903b58f87db23b6a7b096

SHA512
49b3296d29669c0d590ad498ec992f99895fac70b858062c7407ebc232d9d4fd7c2b6487a372352a62ce43df69baef552914b368b7fd1575e9060a515224765d

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
2594e29c612f39a81602662691daca43

SHA1
e74e1c33881c934a1b7076d95d5c947c4bee14ed

SHA256
10f8ec51d1e9abfe4bbb6a10be9ac833087b1d23c8a903b58f87db23b6a7b096

SHA512
49b3296d29669c0d590ad498ec992f99895fac70b858062c7407ebc232d9d4fd7c2b6487a372352a62ce43df69baef552914b368b7fd1575e9060a515224765d

Download Submit
C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
0eaae697705938a86a87b2488245d6ef

SHA1
2f6ed58f7d0ac3dc47b003bfd709f5395ddc43ec

SHA256
91fe439ed1d70f06cdd3365ba5cf51bc0271916bf4ecfb97e3a3cd5e89dc8dd0

SHA512
6979870f3aaa2559caf74aaefafc8e40ed36dae82725a5aa221609fa0ab1a9d29d2b972564eded841a8aeb32f9bc72a9861cad17ce80e537315d238ac3d5a1e2

Download Submit
C:\Program Files\Common Files\Microsoft Shared\data.exe

Filesize
72KB

MD5
165928b6435bde98ee1c3775dfc96fb9

SHA1
897739f0aeddaf66000c5304257706996b78e6f3

SHA256
967be996da43f7626c601123eca296b6a9c7a2988b5b38ab593dd18dcea14c53

SHA512
c42a80834157b8e1168bd4017f1b803d56e5c5e9041cb608c27303d4b573fbb0d4257789f6d8fe86e9194b2414d2018f8f5ae4a4b680c457a77eb95f5de82364

Download Submit
C:\Program Files\Common Files\Microsoft Shared\data.exe

Filesize
72KB

MD5
165928b6435bde98ee1c3775dfc96fb9

SHA1
897739f0aeddaf66000c5304257706996b78e6f3

SHA256
967be996da43f7626c601123eca296b6a9c7a2988b5b38ab593dd18dcea14c53

SHA512
c42a80834157b8e1168bd4017f1b803d56e5c5e9041cb608c27303d4b573fbb0d4257789f6d8fe86e9194b2414d2018f8f5ae4a4b680c457a77eb95f5de82364

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
0125141f660bf23e8546f50d024ba1da

SHA1
2bb34cd9cccabb7b7d980c5f6195d12f4641d0af

SHA256
a3a1b7ac3a5287d2b5a3ff07b9b776a184a7cbb1850d0e4d6ea32023dc103fa8

SHA512
ef86aadfc6ac2c7272a746ef2aafb57e6beb3d70a4d91dc78c4656e87cde8a2dd06d5fd0062f59d20e8ce4bd449b134608efdfdf5bdb7b06315d105bd8cfeb03

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
76fe01edfb011cd008f676f72758d6a4

SHA1
3581ff80b73737b679b34eec8f51535a0901c8f6

SHA256
f028ef60d6ce51fb70fc386e6a0a045aeadc61de6e23bd99df935a2c2956a5e3

SHA512
d95de03bed39374e55c3bcbde2b2ef501c03339d58023f38d5ec867594b042666e66eba4c2f9a3d4020210462a802c36e14d30323c99af89f182cce753a8d6ea

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
76fe01edfb011cd008f676f72758d6a4

SHA1
3581ff80b73737b679b34eec8f51535a0901c8f6

SHA256
f028ef60d6ce51fb70fc386e6a0a045aeadc61de6e23bd99df935a2c2956a5e3

SHA512
d95de03bed39374e55c3bcbde2b2ef501c03339d58023f38d5ec867594b042666e66eba4c2f9a3d4020210462a802c36e14d30323c99af89f182cce753a8d6ea

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
0125141f660bf23e8546f50d024ba1da

SHA1
2bb34cd9cccabb7b7d980c5f6195d12f4641d0af

SHA256
a3a1b7ac3a5287d2b5a3ff07b9b776a184a7cbb1850d0e4d6ea32023dc103fa8

SHA512
ef86aadfc6ac2c7272a746ef2aafb57e6beb3d70a4d91dc78c4656e87cde8a2dd06d5fd0062f59d20e8ce4bd449b134608efdfdf5bdb7b06315d105bd8cfeb03

Download Submit
C:\Program Files\Common Files\data.exe

Filesize
72KB

MD5
c05b9c53d91e9fb47726b626e8ea0219

SHA1
2ac1d24065a6b34a7af8bd8ca40b52da42ebd746

SHA256
552d359977720a6a14842f8739fbd0f255921613b0831da3229ff6d5d30e6bb0

SHA512
d67958b957f31044f377bca1c7085bb6b3b6018b6857068ff9d8c8c928311cf98029f3511730b93f52c8bdd1f31af2bd0785c6226bd49774635983ca45d4037b

Download Submit
C:\Program Files\Common Files\data.exe

Filesize
72KB

MD5
c05b9c53d91e9fb47726b626e8ea0219

SHA1
2ac1d24065a6b34a7af8bd8ca40b52da42ebd746

SHA256
552d359977720a6a14842f8739fbd0f255921613b0831da3229ff6d5d30e6bb0

SHA512
d67958b957f31044f377bca1c7085bb6b3b6018b6857068ff9d8c8c928311cf98029f3511730b93f52c8bdd1f31af2bd0785c6226bd49774635983ca45d4037b

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
7534818d46a6c0560e688989e2488b8b

SHA1
6253a8a2943383ef68d09f6f5b6210a0d17047f7

SHA256
ac1a9cf023896c3064fc389097848924720a341de6ac2fa067e71f93e7e1f53b

SHA512
08fa3c7e94fa7f10b311add520846a90f6d31bdc31ede2c989c5f1cf0f440cb774287ee284ecc87d299648603c9000b9c2b1d85f92c11d35895f623ec3f1e0cf

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
7534818d46a6c0560e688989e2488b8b

SHA1
6253a8a2943383ef68d09f6f5b6210a0d17047f7

SHA256
ac1a9cf023896c3064fc389097848924720a341de6ac2fa067e71f93e7e1f53b

SHA512
08fa3c7e94fa7f10b311add520846a90f6d31bdc31ede2c989c5f1cf0f440cb774287ee284ecc87d299648603c9000b9c2b1d85f92c11d35895f623ec3f1e0cf

Download Submit
C:\System Restore.exe

Filesize
72KB

MD5
879a58e8952bf6b5994d15f14c8c9892

SHA1
1d230a79f873dba061f158c3760dd1caefc02ce8

SHA256
c1880881f0a1c4f623f6d079d962761605f8dbab0b728f76dec59987ea4a739e

SHA512
d6f8ca60be18689c16f607b4df5dc737829b69bf88c71190c383a446746eb6dc147f7ec14dc754c684bc769d7a147c9554e40bb4463182a673a8214b6004b105

Download Submit
C:\System Restore.exe

Filesize
72KB

MD5
879a58e8952bf6b5994d15f14c8c9892

SHA1
1d230a79f873dba061f158c3760dd1caefc02ce8

SHA256
c1880881f0a1c4f623f6d079d962761605f8dbab0b728f76dec59987ea4a739e

SHA512
d6f8ca60be18689c16f607b4df5dc737829b69bf88c71190c383a446746eb6dc147f7ec14dc754c684bc769d7a147c9554e40bb4463182a673a8214b6004b105

Download Submit
C:\Users\Admin\AppData\Local\Temp\1173599081\backup.exe

Filesize
72KB

MD5
a774523545a13341f7936f660bf6f178

SHA1
ddbb3cf3d4c2ed58e17cdf702a2086e2544e67ea

SHA256
7d578a07026f6230d40e89d3453da4f4e00c371e3ed0402b80d2a8d127ecfd23

SHA512
c7a52e58967be128e6b168dae41cddd75d97505758dd28747459554e5b90a8c3f425826ef16b3596290ca75cc94bb5488599060d0000e82937fd15c744be7017

Download Submit
C:\Users\Admin\AppData\Local\Temp\1173599081\backup.exe

Filesize
72KB

MD5
a774523545a13341f7936f660bf6f178

SHA1
ddbb3cf3d4c2ed58e17cdf702a2086e2544e67ea

SHA256
7d578a07026f6230d40e89d3453da4f4e00c371e3ed0402b80d2a8d127ecfd23

SHA512
c7a52e58967be128e6b168dae41cddd75d97505758dd28747459554e5b90a8c3f425826ef16b3596290ca75cc94bb5488599060d0000e82937fd15c744be7017

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
c6cde3b7ae4ee017438e0bf45abb56be

SHA1
f6a27d31010d6d92dbb7792b964a229f58e1d567

SHA256
aec35e7c8610f5f4718579739d3685c397ab13f3ce56809f87b52a098ae23bc7

SHA512
5e553f360d7fc4e25a06d46f76abf90f4bb1487585b2b46387eee6c3d4e94d3a02342f2f2ac3bb3f3b949d7035c7b860538e1f475b50ff2aa6c0b6b64ab7f211

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
48d0371af7f6ce6da6a4393939bfa3d4

SHA1
d502dff9cb86fbd57c6ded195a8ffd8737fd340f

SHA256
b1fd787209df13d28ee163b1b117eded510f5da26f8992f195315a774760357e

SHA512
328bb746db89ee6bbac6e7c4b8ae07c17f40081b5abd4ae041fa89240162e6f2f938e9dfed09efa0472e17c8f83592b34ec75b077ff3bb7929be19587bb51ece

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
1d09f37fea51ee837b33b53e23885492

SHA1
02b3fc83f2b1a5e2a0b4e118e20d8b5de2000eaf

SHA256
826fc63ce373a38ed7b497b7ba330766d5c4167869f2168971e057d0fba92e49

SHA512
8ed3b1370a0e46034366a4d4bcfd874bdc70ae8d4cad96c6c1a522e27d179e1c84b43329667120f4d3bd180549ac16012f553e39e5d1c5acd7f48415b90051ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
08e6a1745701df168e4f00f0ab4045c1

SHA1
b0f920afede89aa719c7841163180182f9b91440

SHA256
4a07fd37655183b0c34a8f36031fbb7d50b92b75e2e60ead2972d740f268e323

SHA512
3c0b74e902a12800b1df93815443f5ebe62823cc93dc9a9414e673de433f89bc7c0527f26dbc9bab1d13eee9f057d151ddc76bb1703e16574b9253c440d1b726

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
a774523545a13341f7936f660bf6f178

SHA1
ddbb3cf3d4c2ed58e17cdf702a2086e2544e67ea

SHA256
7d578a07026f6230d40e89d3453da4f4e00c371e3ed0402b80d2a8d127ecfd23

SHA512
c7a52e58967be128e6b168dae41cddd75d97505758dd28747459554e5b90a8c3f425826ef16b3596290ca75cc94bb5488599060d0000e82937fd15c744be7017

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
138844a0f4d45c63882738c569aa2d03

SHA1
33bdfa066a2c6461c7211cb30fcfb85264a1918b

SHA256
8c5c78c2fd460deabd0c246900b97667773164cd97b1f0a7106c4c59f7daa293

SHA512
55af8c8157adbf9c7221e29acc1fc7ae3d202cefebf1ecb58309665fd5199c108101e9e3785d7dbb70180f9bdc03aaa9dced54b25df090e3e9fe5caebf824444

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
413228cb88efcafe57589731eba3820c

SHA1
b4a3e448bef62c43da882cf80af619ffafc77167

SHA256
567fda56437c378917d0161ffa72d0f201b295f4b687700b6ddd7cce4bb7451b

SHA512
61dffe216712b3030046785d2c7760bb8857ef2d0b9df080f9873f73a305f2d0421d3482f1778c079a1d7142a88f4332e599d18e2d3b84c5994246c32f26fdb1

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
413228cb88efcafe57589731eba3820c

SHA1
b4a3e448bef62c43da882cf80af619ffafc77167

SHA256
567fda56437c378917d0161ffa72d0f201b295f4b687700b6ddd7cce4bb7451b

SHA512
61dffe216712b3030046785d2c7760bb8857ef2d0b9df080f9873f73a305f2d0421d3482f1778c079a1d7142a88f4332e599d18e2d3b84c5994246c32f26fdb1

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
2f13630cfeab4163f48c9578e4d69b7d

SHA1
a0503a84f981df32179e6b5b2a237585423fd4ce

SHA256
a050ada5fe82b950100e6432a5ab60c861ee60f766b19d17088e319834a2b08c

SHA512
06321f84b6939551f6cf20a15e27d84b6a533c2e803ac63bf2a6bd5a66f763eb64a9a733ff54cf71a7572361cb72cd4418d68bdf53f937850cf9898b792337b8

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
2f13630cfeab4163f48c9578e4d69b7d

SHA1
a0503a84f981df32179e6b5b2a237585423fd4ce

SHA256
a050ada5fe82b950100e6432a5ab60c861ee60f766b19d17088e319834a2b08c

SHA512
06321f84b6939551f6cf20a15e27d84b6a533c2e803ac63bf2a6bd5a66f763eb64a9a733ff54cf71a7572361cb72cd4418d68bdf53f937850cf9898b792337b8

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
d72344d28277d57452c21675a2c55fd4

SHA1
7ca3daecade2b0427acbd5c8aa4134bf118e2b33

SHA256
82c3d027f60ed72c2228ac1a6bce0101f8d4a372571aa99baa2970b53d4abb95

SHA512
55abeb27542991dab0d34136c1dd6989ecaccb238583333064f545ef0d6ef259b5749701cbe90abbe35e11dca03f8ee1dc37e906063624de7d60fd16454df4df

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
d72344d28277d57452c21675a2c55fd4

SHA1
7ca3daecade2b0427acbd5c8aa4134bf118e2b33

SHA256
82c3d027f60ed72c2228ac1a6bce0101f8d4a372571aa99baa2970b53d4abb95

SHA512
55abeb27542991dab0d34136c1dd6989ecaccb238583333064f545ef0d6ef259b5749701cbe90abbe35e11dca03f8ee1dc37e906063624de7d60fd16454df4df

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
2594e29c612f39a81602662691daca43

SHA1
e74e1c33881c934a1b7076d95d5c947c4bee14ed

SHA256
10f8ec51d1e9abfe4bbb6a10be9ac833087b1d23c8a903b58f87db23b6a7b096

SHA512
49b3296d29669c0d590ad498ec992f99895fac70b858062c7407ebc232d9d4fd7c2b6487a372352a62ce43df69baef552914b368b7fd1575e9060a515224765d

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
2594e29c612f39a81602662691daca43

SHA1
e74e1c33881c934a1b7076d95d5c947c4bee14ed

SHA256
10f8ec51d1e9abfe4bbb6a10be9ac833087b1d23c8a903b58f87db23b6a7b096

SHA512
49b3296d29669c0d590ad498ec992f99895fac70b858062c7407ebc232d9d4fd7c2b6487a372352a62ce43df69baef552914b368b7fd1575e9060a515224765d

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
0eaae697705938a86a87b2488245d6ef

SHA1
2f6ed58f7d0ac3dc47b003bfd709f5395ddc43ec

SHA256
91fe439ed1d70f06cdd3365ba5cf51bc0271916bf4ecfb97e3a3cd5e89dc8dd0

SHA512
6979870f3aaa2559caf74aaefafc8e40ed36dae82725a5aa221609fa0ab1a9d29d2b972564eded841a8aeb32f9bc72a9861cad17ce80e537315d238ac3d5a1e2

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
0eaae697705938a86a87b2488245d6ef

SHA1
2f6ed58f7d0ac3dc47b003bfd709f5395ddc43ec

SHA256
91fe439ed1d70f06cdd3365ba5cf51bc0271916bf4ecfb97e3a3cd5e89dc8dd0

SHA512
6979870f3aaa2559caf74aaefafc8e40ed36dae82725a5aa221609fa0ab1a9d29d2b972564eded841a8aeb32f9bc72a9861cad17ce80e537315d238ac3d5a1e2

Download Submit
\Program Files\Common Files\Microsoft Shared\data.exe

Filesize
72KB

MD5
165928b6435bde98ee1c3775dfc96fb9

SHA1
897739f0aeddaf66000c5304257706996b78e6f3

SHA256
967be996da43f7626c601123eca296b6a9c7a2988b5b38ab593dd18dcea14c53

SHA512
c42a80834157b8e1168bd4017f1b803d56e5c5e9041cb608c27303d4b573fbb0d4257789f6d8fe86e9194b2414d2018f8f5ae4a4b680c457a77eb95f5de82364

Download Submit
\Program Files\Common Files\Microsoft Shared\data.exe

Filesize
72KB

MD5
165928b6435bde98ee1c3775dfc96fb9

SHA1
897739f0aeddaf66000c5304257706996b78e6f3

SHA256
967be996da43f7626c601123eca296b6a9c7a2988b5b38ab593dd18dcea14c53

SHA512
c42a80834157b8e1168bd4017f1b803d56e5c5e9041cb608c27303d4b573fbb0d4257789f6d8fe86e9194b2414d2018f8f5ae4a4b680c457a77eb95f5de82364

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
0125141f660bf23e8546f50d024ba1da

SHA1
2bb34cd9cccabb7b7d980c5f6195d12f4641d0af

SHA256
a3a1b7ac3a5287d2b5a3ff07b9b776a184a7cbb1850d0e4d6ea32023dc103fa8

SHA512
ef86aadfc6ac2c7272a746ef2aafb57e6beb3d70a4d91dc78c4656e87cde8a2dd06d5fd0062f59d20e8ce4bd449b134608efdfdf5bdb7b06315d105bd8cfeb03

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
0125141f660bf23e8546f50d024ba1da

SHA1
2bb34cd9cccabb7b7d980c5f6195d12f4641d0af

SHA256
a3a1b7ac3a5287d2b5a3ff07b9b776a184a7cbb1850d0e4d6ea32023dc103fa8

SHA512
ef86aadfc6ac2c7272a746ef2aafb57e6beb3d70a4d91dc78c4656e87cde8a2dd06d5fd0062f59d20e8ce4bd449b134608efdfdf5bdb7b06315d105bd8cfeb03

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
76fe01edfb011cd008f676f72758d6a4

SHA1
3581ff80b73737b679b34eec8f51535a0901c8f6

SHA256
f028ef60d6ce51fb70fc386e6a0a045aeadc61de6e23bd99df935a2c2956a5e3

SHA512
d95de03bed39374e55c3bcbde2b2ef501c03339d58023f38d5ec867594b042666e66eba4c2f9a3d4020210462a802c36e14d30323c99af89f182cce753a8d6ea

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
76fe01edfb011cd008f676f72758d6a4

SHA1
3581ff80b73737b679b34eec8f51535a0901c8f6

SHA256
f028ef60d6ce51fb70fc386e6a0a045aeadc61de6e23bd99df935a2c2956a5e3

SHA512
d95de03bed39374e55c3bcbde2b2ef501c03339d58023f38d5ec867594b042666e66eba4c2f9a3d4020210462a802c36e14d30323c99af89f182cce753a8d6ea

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
0125141f660bf23e8546f50d024ba1da

SHA1
2bb34cd9cccabb7b7d980c5f6195d12f4641d0af

SHA256
a3a1b7ac3a5287d2b5a3ff07b9b776a184a7cbb1850d0e4d6ea32023dc103fa8

SHA512
ef86aadfc6ac2c7272a746ef2aafb57e6beb3d70a4d91dc78c4656e87cde8a2dd06d5fd0062f59d20e8ce4bd449b134608efdfdf5bdb7b06315d105bd8cfeb03

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
0125141f660bf23e8546f50d024ba1da

SHA1
2bb34cd9cccabb7b7d980c5f6195d12f4641d0af

SHA256
a3a1b7ac3a5287d2b5a3ff07b9b776a184a7cbb1850d0e4d6ea32023dc103fa8

SHA512
ef86aadfc6ac2c7272a746ef2aafb57e6beb3d70a4d91dc78c4656e87cde8a2dd06d5fd0062f59d20e8ce4bd449b134608efdfdf5bdb7b06315d105bd8cfeb03

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe

Filesize
72KB

MD5
223ef92cbcc8c71c971be343913b98d6

SHA1
ec05b2e3a7d749c002445565c9bf6cf2fbbbe9ba

SHA256
7ade2209c29f7ba3f4d13f87ef4dd3632160eaf180fdbabb5e1e0d5e69540639

SHA512
6a2333e3594804a1d86e6ebe5b8fa76b5ae0ed409ecc0e9acebf15ef62ca85ff42426184e475a4b041ae94415e6d170f8ab84483fa8741b9d5f759e342d24399

Download Submit
\Program Files\Common Files\data.exe

Filesize
72KB

MD5
c05b9c53d91e9fb47726b626e8ea0219

SHA1
2ac1d24065a6b34a7af8bd8ca40b52da42ebd746

SHA256
552d359977720a6a14842f8739fbd0f255921613b0831da3229ff6d5d30e6bb0

SHA512
d67958b957f31044f377bca1c7085bb6b3b6018b6857068ff9d8c8c928311cf98029f3511730b93f52c8bdd1f31af2bd0785c6226bd49774635983ca45d4037b

Download Submit
\Program Files\Common Files\data.exe

Filesize
72KB

MD5
c05b9c53d91e9fb47726b626e8ea0219

SHA1
2ac1d24065a6b34a7af8bd8ca40b52da42ebd746

SHA256
552d359977720a6a14842f8739fbd0f255921613b0831da3229ff6d5d30e6bb0

SHA512
d67958b957f31044f377bca1c7085bb6b3b6018b6857068ff9d8c8c928311cf98029f3511730b93f52c8bdd1f31af2bd0785c6226bd49774635983ca45d4037b

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
7534818d46a6c0560e688989e2488b8b

SHA1
6253a8a2943383ef68d09f6f5b6210a0d17047f7

SHA256
ac1a9cf023896c3064fc389097848924720a341de6ac2fa067e71f93e7e1f53b

SHA512
08fa3c7e94fa7f10b311add520846a90f6d31bdc31ede2c989c5f1cf0f440cb774287ee284ecc87d299648603c9000b9c2b1d85f92c11d35895f623ec3f1e0cf

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
7534818d46a6c0560e688989e2488b8b

SHA1
6253a8a2943383ef68d09f6f5b6210a0d17047f7

SHA256
ac1a9cf023896c3064fc389097848924720a341de6ac2fa067e71f93e7e1f53b

SHA512
08fa3c7e94fa7f10b311add520846a90f6d31bdc31ede2c989c5f1cf0f440cb774287ee284ecc87d299648603c9000b9c2b1d85f92c11d35895f623ec3f1e0cf

Download Submit
\Users\Admin\AppData\Local\Temp\1173599081\backup.exe

Filesize
72KB

MD5
a774523545a13341f7936f660bf6f178

SHA1
ddbb3cf3d4c2ed58e17cdf702a2086e2544e67ea

SHA256
7d578a07026f6230d40e89d3453da4f4e00c371e3ed0402b80d2a8d127ecfd23

SHA512
c7a52e58967be128e6b168dae41cddd75d97505758dd28747459554e5b90a8c3f425826ef16b3596290ca75cc94bb5488599060d0000e82937fd15c744be7017

Download Submit
\Users\Admin\AppData\Local\Temp\1173599081\backup.exe

Filesize
72KB

MD5
a774523545a13341f7936f660bf6f178

SHA1
ddbb3cf3d4c2ed58e17cdf702a2086e2544e67ea

SHA256
7d578a07026f6230d40e89d3453da4f4e00c371e3ed0402b80d2a8d127ecfd23

SHA512
c7a52e58967be128e6b168dae41cddd75d97505758dd28747459554e5b90a8c3f425826ef16b3596290ca75cc94bb5488599060d0000e82937fd15c744be7017

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
c6cde3b7ae4ee017438e0bf45abb56be

SHA1
f6a27d31010d6d92dbb7792b964a229f58e1d567

SHA256
aec35e7c8610f5f4718579739d3685c397ab13f3ce56809f87b52a098ae23bc7

SHA512
5e553f360d7fc4e25a06d46f76abf90f4bb1487585b2b46387eee6c3d4e94d3a02342f2f2ac3bb3f3b949d7035c7b860538e1f475b50ff2aa6c0b6b64ab7f211

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
c6cde3b7ae4ee017438e0bf45abb56be

SHA1
f6a27d31010d6d92dbb7792b964a229f58e1d567

SHA256
aec35e7c8610f5f4718579739d3685c397ab13f3ce56809f87b52a098ae23bc7

SHA512
5e553f360d7fc4e25a06d46f76abf90f4bb1487585b2b46387eee6c3d4e94d3a02342f2f2ac3bb3f3b949d7035c7b860538e1f475b50ff2aa6c0b6b64ab7f211

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
48d0371af7f6ce6da6a4393939bfa3d4

SHA1
d502dff9cb86fbd57c6ded195a8ffd8737fd340f

SHA256
b1fd787209df13d28ee163b1b117eded510f5da26f8992f195315a774760357e

SHA512
328bb746db89ee6bbac6e7c4b8ae07c17f40081b5abd4ae041fa89240162e6f2f938e9dfed09efa0472e17c8f83592b34ec75b077ff3bb7929be19587bb51ece

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
48d0371af7f6ce6da6a4393939bfa3d4

SHA1
d502dff9cb86fbd57c6ded195a8ffd8737fd340f

SHA256
b1fd787209df13d28ee163b1b117eded510f5da26f8992f195315a774760357e

SHA512
328bb746db89ee6bbac6e7c4b8ae07c17f40081b5abd4ae041fa89240162e6f2f938e9dfed09efa0472e17c8f83592b34ec75b077ff3bb7929be19587bb51ece

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
1d09f37fea51ee837b33b53e23885492

SHA1
02b3fc83f2b1a5e2a0b4e118e20d8b5de2000eaf

SHA256
826fc63ce373a38ed7b497b7ba330766d5c4167869f2168971e057d0fba92e49

SHA512
8ed3b1370a0e46034366a4d4bcfd874bdc70ae8d4cad96c6c1a522e27d179e1c84b43329667120f4d3bd180549ac16012f553e39e5d1c5acd7f48415b90051ae

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
1d09f37fea51ee837b33b53e23885492

SHA1
02b3fc83f2b1a5e2a0b4e118e20d8b5de2000eaf

SHA256
826fc63ce373a38ed7b497b7ba330766d5c4167869f2168971e057d0fba92e49

SHA512
8ed3b1370a0e46034366a4d4bcfd874bdc70ae8d4cad96c6c1a522e27d179e1c84b43329667120f4d3bd180549ac16012f553e39e5d1c5acd7f48415b90051ae

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
08e6a1745701df168e4f00f0ab4045c1

SHA1
b0f920afede89aa719c7841163180182f9b91440

SHA256
4a07fd37655183b0c34a8f36031fbb7d50b92b75e2e60ead2972d740f268e323

SHA512
3c0b74e902a12800b1df93815443f5ebe62823cc93dc9a9414e673de433f89bc7c0527f26dbc9bab1d13eee9f057d151ddc76bb1703e16574b9253c440d1b726

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
08e6a1745701df168e4f00f0ab4045c1

SHA1
b0f920afede89aa719c7841163180182f9b91440

SHA256
4a07fd37655183b0c34a8f36031fbb7d50b92b75e2e60ead2972d740f268e323

SHA512
3c0b74e902a12800b1df93815443f5ebe62823cc93dc9a9414e673de433f89bc7c0527f26dbc9bab1d13eee9f057d151ddc76bb1703e16574b9253c440d1b726

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
a774523545a13341f7936f660bf6f178

SHA1
ddbb3cf3d4c2ed58e17cdf702a2086e2544e67ea

SHA256
7d578a07026f6230d40e89d3453da4f4e00c371e3ed0402b80d2a8d127ecfd23

SHA512
c7a52e58967be128e6b168dae41cddd75d97505758dd28747459554e5b90a8c3f425826ef16b3596290ca75cc94bb5488599060d0000e82937fd15c744be7017

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
a774523545a13341f7936f660bf6f178

SHA1
ddbb3cf3d4c2ed58e17cdf702a2086e2544e67ea

SHA256
7d578a07026f6230d40e89d3453da4f4e00c371e3ed0402b80d2a8d127ecfd23

SHA512
c7a52e58967be128e6b168dae41cddd75d97505758dd28747459554e5b90a8c3f425826ef16b3596290ca75cc94bb5488599060d0000e82937fd15c744be7017

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
138844a0f4d45c63882738c569aa2d03

SHA1
33bdfa066a2c6461c7211cb30fcfb85264a1918b

SHA256
8c5c78c2fd460deabd0c246900b97667773164cd97b1f0a7106c4c59f7daa293

SHA512
55af8c8157adbf9c7221e29acc1fc7ae3d202cefebf1ecb58309665fd5199c108101e9e3785d7dbb70180f9bdc03aaa9dced54b25df090e3e9fe5caebf824444

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
138844a0f4d45c63882738c569aa2d03

SHA1
33bdfa066a2c6461c7211cb30fcfb85264a1918b

SHA256
8c5c78c2fd460deabd0c246900b97667773164cd97b1f0a7106c4c59f7daa293

SHA512
55af8c8157adbf9c7221e29acc1fc7ae3d202cefebf1ecb58309665fd5199c108101e9e3785d7dbb70180f9bdc03aaa9dced54b25df090e3e9fe5caebf824444

Download Submit
memory/1608-130-0x0000000075A91000-0x0000000075A93000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.