Analysis

  • max time kernel
    160s
  • max time network
    44s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    06-11-2022 12:40

General

  • Target

    46204ac621143b0444adf7ecb6b821afd410e918587767306eeab3926159e510.exe

  • Size

    72KB

  • MD5

    0d32b76d80249c10ce935b8643dd1b7c

  • SHA1

    c7429893ca99b561501f66578b41641785661f6f

  • SHA256

    46204ac621143b0444adf7ecb6b821afd410e918587767306eeab3926159e510

  • SHA512

    00466f59b2e16bb6415b6f4b8143bf081c9cf48839d6476bac599feda857078ab4e53b3e290209270479534d30e1da8a91ea35aaf9b3b53e0e2cd6dc9a636d4a

  • SSDEEP

    384:i6wayA+1mwnA353BXR+oGfP5d/ZBHXME+l93qPAqee/w6yJ/wWD+S83BXR+oGf2Z:ipQNwC3BEddsEqOt/hyJF+x3BEJwRrV

Score
10/10

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs
  • Disables RegEdit via registry modification 64 IoCs
  • Executes dropped EXE 64 IoCs
  • Loads dropped DLL 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of SetWindowsHookEx 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\46204ac621143b0444adf7ecb6b821afd410e918587767306eeab3926159e510.exe
    "C:\Users\Admin\AppData\Local\Temp\46204ac621143b0444adf7ecb6b821afd410e918587767306eeab3926159e510.exe"
    1⤵
    • Disables RegEdit via registry modification
    • Loads dropped DLL
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:884
    • C:\Users\Admin\AppData\Local\Temp\1794728039\backup.exe
      C:\Users\Admin\AppData\Local\Temp\1794728039\backup.exe C:\Users\Admin\AppData\Local\Temp\1794728039\
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:112
      • C:\backup.exe
        \backup.exe \
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:948
        • C:\PerfLogs\backup.exe
          C:\PerfLogs\backup.exe C:\PerfLogs\
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1776
          • C:\PerfLogs\Admin\backup.exe
            C:\PerfLogs\Admin\backup.exe C:\PerfLogs\Admin\
            5⤵
            • Modifies visibility of file extensions in Explorer
            • Disables RegEdit via registry modification
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:1664
        • C:\Program Files\backup.exe
          "C:\Program Files\backup.exe" C:\Program Files\
          4⤵
          • Modifies visibility of file extensions in Explorer
          • Disables RegEdit via registry modification
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in Program Files directory
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:1548
          • C:\Program Files\7-Zip\data.exe
            "C:\Program Files\7-Zip\data.exe" C:\Program Files\7-Zip\
            5⤵
            • Modifies visibility of file extensions in Explorer
            • Disables RegEdit via registry modification
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2028
            • C:\Program Files\7-Zip\Lang\update.exe
              "C:\Program Files\7-Zip\Lang\update.exe" C:\Program Files\7-Zip\Lang\
              6⤵
              • Modifies visibility of file extensions in Explorer
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of SetWindowsHookEx
              • System policy modification
              PID:1280
          • C:\Program Files\Common Files\backup.exe
            "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Drops file in Program Files directory
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:776
            • C:\Program Files\Common Files\Microsoft Shared\backup.exe
              "C:\Program Files\Common Files\Microsoft Shared\backup.exe" C:\Program Files\Common Files\Microsoft Shared\
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Drops file in Program Files directory
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:1928
              • C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
                "C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                • System policy modification
                PID:740
              • C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
                "C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
                7⤵
                • Modifies visibility of file extensions in Explorer
                • Executes dropped EXE
                • Loads dropped DLL
                • Drops file in Program Files directory
                • Suspicious use of SetWindowsHookEx
                • System policy modification
                PID:1864
                • C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe
                  "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
                  8⤵
                  • Disables RegEdit via registry modification
                  • Executes dropped EXE
                  • Suspicious use of SetWindowsHookEx
                  • System policy modification
                  PID:1752
                • C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
                  "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
                  8⤵
                  • Modifies visibility of file extensions in Explorer
                  • Executes dropped EXE
                  • Suspicious use of SetWindowsHookEx
                  • System policy modification
                  PID:1424
                • C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe
                  "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
                  8⤵
                  • Executes dropped EXE
                  • Suspicious use of SetWindowsHookEx
                  PID:1152
                • C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe
                  "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
                  8⤵
                  • Executes dropped EXE
                  • Suspicious use of SetWindowsHookEx
                  • System policy modification
                  PID:1460
                • C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe
                  "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
                  8⤵
                  • Disables RegEdit via registry modification
                  • Executes dropped EXE
                  • Suspicious use of SetWindowsHookEx
                  PID:1780
                • C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe
                  "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
                  8⤵
                  • Modifies visibility of file extensions in Explorer
                  • Executes dropped EXE
                  • Suspicious use of SetWindowsHookEx
                  PID:2044
                • C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe
                  "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
                  8⤵
                  • Modifies visibility of file extensions in Explorer
                  • Disables RegEdit via registry modification
                  • Executes dropped EXE
                  • Suspicious use of SetWindowsHookEx
                  PID:1756
                • C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe
                  "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
                  8⤵
                  • Disables RegEdit via registry modification
                  • Executes dropped EXE
                  • Suspicious use of SetWindowsHookEx
                  • System policy modification
                  PID:1776
                • C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe
                  "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
                  8⤵
                  • Modifies visibility of file extensions in Explorer
                  • Executes dropped EXE
                  • Suspicious use of SetWindowsHookEx
                  PID:1936
                • C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe
                  "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\
                  8⤵
                  • Disables RegEdit via registry modification
                  • Executes dropped EXE
                  • Suspicious use of SetWindowsHookEx
                  PID:2016
                • C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
                  "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\
                  8⤵
                  • Executes dropped EXE
                  • Suspicious use of SetWindowsHookEx
                  PID:1952
                • C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe
                  "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\
                  8⤵
                  • Modifies visibility of file extensions in Explorer
                  • Disables RegEdit via registry modification
                  • Executes dropped EXE
                  • Drops file in Program Files directory
                  • Suspicious use of SetWindowsHookEx
                  • System policy modification
                  PID:336
                  • C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe
                    "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\
                    9⤵
                    • Modifies visibility of file extensions in Explorer
                    • Executes dropped EXE
                    • Suspicious use of SetWindowsHookEx
                    PID:612
                  • C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe
                    "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\
                    9⤵
                    • Disables RegEdit via registry modification
                    • Executes dropped EXE
                    • Suspicious use of SetWindowsHookEx
                    PID:920
                  • C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe
                    "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\
                    9⤵
                    • Disables RegEdit via registry modification
                    • Executes dropped EXE
                    • Suspicious use of SetWindowsHookEx
                    PID:1580
                  • C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe
                    "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\
                    9⤵
                    • Modifies visibility of file extensions in Explorer
                    • Disables RegEdit via registry modification
                    • Executes dropped EXE
                    • Suspicious use of SetWindowsHookEx
                    PID:1732
                  • C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\update.exe
                    "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\
                    9⤵
                    • Modifies visibility of file extensions in Explorer
                    • Disables RegEdit via registry modification
                    • Executes dropped EXE
                    • Suspicious use of SetWindowsHookEx
                    PID:1324
                  • C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe
                    "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\
                    9⤵
                    • Modifies visibility of file extensions in Explorer
                    • Disables RegEdit via registry modification
                    • Executes dropped EXE
                    • Suspicious use of SetWindowsHookEx
                    PID:1800
                  • C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\data.exe
                    "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\
                    9⤵
                    • Executes dropped EXE
                    • Suspicious use of SetWindowsHookEx
                    PID:1784
                  • C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe
                    "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\
                    9⤵
                    • Modifies visibility of file extensions in Explorer
                    • Executes dropped EXE
                    • Suspicious use of SetWindowsHookEx
                    • System policy modification
                    PID:1616
                  • C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe
                    "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\
                    9⤵
                    • Disables RegEdit via registry modification
                    • Executes dropped EXE
                    • Suspicious use of SetWindowsHookEx
                    PID:912
                • C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe
                  "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\
                  8⤵
                  • Modifies visibility of file extensions in Explorer
                  • Executes dropped EXE
                  • Suspicious use of SetWindowsHookEx
                  PID:1976
                • C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe
                  "C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\
                  8⤵
                  PID:664
                • C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\data.exe
                  "C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\
                  8⤵
                  PID:1800
                • C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe
                  "C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\
                  8⤵
                  • Modifies visibility of file extensions in Explorer
                  • System policy modification
                  PID:896
                • C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe
                  "C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\
                  8⤵
                  PID:968
                • C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe
                  "C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\
                  8⤵
                  • Modifies visibility of file extensions in Explorer
                  • Disables RegEdit via registry modification
                  • System policy modification
                  PID:1676
                • C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe
                  "C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\
                  8⤵
                  PID:560
                • C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe
                  "C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\
                  8⤵
                  PID:2064
                • C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe
                  "C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\
                  8⤵
                  PID:2184
                • C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe
                  "C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\
                  8⤵
                  PID:2292
                • C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe
                  "C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\
                  8⤵
                  PID:2448
              • C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe
                "C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
                7⤵
                • Modifies visibility of file extensions in Explorer
                • Executes dropped EXE
                • Drops file in Program Files directory
                • Suspicious use of SetWindowsHookEx
                PID:1768
                • C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe
                  "C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\
                  8⤵
                  • Modifies visibility of file extensions in Explorer
                  PID:1464
                • C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
                  "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\
                  8⤵
                  • Modifies visibility of file extensions in Explorer
                  • Disables RegEdit via registry modification
                  • System policy modification
                  PID:1808
                • C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe
                  "C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\
                  8⤵
                  PID:1660
                • C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe
                  "C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\
                  8⤵
                  • Disables RegEdit via registry modification
                  • System policy modification
                  PID:2032
                • C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe
                  "C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\
                  8⤵
                  PID:1440
                • C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\update.exe
                  "C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\update.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\
                  8⤵
                  • Modifies visibility of file extensions in Explorer
                  • Disables RegEdit via registry modification
                  PID:1792
              • C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe
                "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
                7⤵
                • Disables RegEdit via registry modification
                PID:648
                • C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe
                  "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\
                  8⤵
                  PID:776
              • C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe
                "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
                7⤵
                PID:552
              • C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe
                "C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\
                7⤵
                • Modifies visibility of file extensions in Explorer
                • System policy modification
                PID:1056
              • C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe
                "C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\
                7⤵
                PID:1536
              • C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe
                "C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\
                7⤵
                PID:2156
              • C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe
                "C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VC\
                7⤵
                PID:2308
              • C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe
                "C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VGX\
                7⤵
                PID:2456
            • C:\Program Files\Common Files\Services\backup.exe
              "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
              6⤵
              • Disables RegEdit via registry modification
              • Executes dropped EXE
              • Suspicious use of SetWindowsHookEx
              PID:756
            • C:\Program Files\Common Files\SpeechEngines\backup.exe
              "C:\Program Files\Common Files\SpeechEngines\backup.exe" C:\Program Files\Common Files\SpeechEngines\
              6⤵
              • Disables RegEdit via registry modification
              • Executes dropped EXE
              • Suspicious use of SetWindowsHookEx
              PID:2020
              • C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe
                "C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files\Common Files\SpeechEngines\Microsoft\
                7⤵
                • Modifies visibility of file extensions in Explorer
                • Disables RegEdit via registry modification
                • System policy modification
                PID:2000
            • C:\Program Files\Common Files\System\backup.exe
              "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
              6⤵
              • Disables RegEdit via registry modification
              • Drops file in Program Files directory
              PID:1632
              • C:\Program Files\Common Files\System\ado\backup.exe
                "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
                7⤵
                • Drops file in Program Files directory
                PID:1812
                • C:\Program Files\Common Files\System\ado\de-DE\backup.exe
                  "C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
                  8⤵
                  • Modifies visibility of file extensions in Explorer
                  • Disables RegEdit via registry modification
                  PID:1676
                • C:\Program Files\Common Files\System\ado\en-US\update.exe
                  "C:\Program Files\Common Files\System\ado\en-US\update.exe" C:\Program Files\Common Files\System\ado\en-US\
                  8⤵
                  • Modifies visibility of file extensions in Explorer
                  • Disables RegEdit via registry modification
                  • System policy modification
                  PID:1460
                • C:\Program Files\Common Files\System\ado\es-ES\backup.exe
                  "C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
                  8⤵
                  • Modifies visibility of file extensions in Explorer
                  PID:1972
                • C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
                  "C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
                  8⤵
                  • System policy modification
                  PID:1324
                • C:\Program Files\Common Files\System\ado\it-IT\backup.exe
                  "C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\
                  8⤵
                  • Modifies visibility of file extensions in Explorer
                  • Disables RegEdit via registry modification
                  • System policy modification
                  PID:1712
                • C:\Program Files\Common Files\System\ado\ja-JP\backup.exe
                  "C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\
                  8⤵
                  • Modifies visibility of file extensions in Explorer
                  PID:268
              • C:\Program Files\Common Files\System\de-DE\backup.exe
                "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
                7⤵
                • Modifies visibility of file extensions in Explorer
                • System policy modification
                PID:1932
              • C:\Program Files\Common Files\System\en-US\backup.exe
                "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
                7⤵
                                                • System policy modification
                                                PID:1236
                                              • C:\Program Files\Common Files\System\es-ES\backup.exe
                                                "C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
                                                7⤵
                                                • Disables RegEdit via registry modification
                                                PID:1048
                                              • C:\Program Files\Common Files\System\fr-FR\backup.exe
                                                "C:\Program Files\Common Files\System\fr-FR\backup.exe" C:\Program Files\Common Files\System\fr-FR\
                                                7⤵
                                                  PID:1052
                                                • C:\Program Files\Common Files\System\it-IT\backup.exe
                                                  "C:\Program Files\Common Files\System\it-IT\backup.exe" C:\Program Files\Common Files\System\it-IT\
                                                  7⤵
                                                    PID:2148
                                                  • C:\Program Files\Common Files\System\ja-JP\backup.exe
                                                    "C:\Program Files\Common Files\System\ja-JP\backup.exe" C:\Program Files\Common Files\System\ja-JP\
                                                    7⤵
                                                      PID:2284
                                                    • C:\Program Files\Common Files\System\msadc\backup.exe
                                                      "C:\Program Files\Common Files\System\msadc\backup.exe" C:\Program Files\Common Files\System\msadc\
                                                      7⤵
                                                        PID:2464
                                                  • C:\Program Files\DVD Maker\backup.exe
                                                    "C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\
                                                    5⤵
                                                    • Executes dropped EXE
                                                    • Drops file in Program Files directory
                                                    • Suspicious use of SetWindowsHookEx
                                                    • System policy modification
                                                    PID:1164
                                                    • C:\Program Files\DVD Maker\de-DE\backup.exe
                                                      "C:\Program Files\DVD Maker\de-DE\backup.exe" C:\Program Files\DVD Maker\de-DE\
                                                      6⤵
                                                      • Executes dropped EXE
                                                      • Suspicious use of SetWindowsHookEx
                                                      PID:952
                                                    • C:\Program Files\DVD Maker\en-US\backup.exe
                                                      "C:\Program Files\DVD Maker\en-US\backup.exe" C:\Program Files\DVD Maker\en-US\
                                                      6⤵
                                                      • Modifies visibility of file extensions in Explorer
                                                      PID:612
                                                    • C:\Program Files\DVD Maker\es-ES\backup.exe
                                                      "C:\Program Files\DVD Maker\es-ES\backup.exe" C:\Program Files\DVD Maker\es-ES\
                                                      6⤵
                                                      • Disables RegEdit via registry modification
                                                      • System policy modification
                                                      PID:1996
                                                    • C:\Program Files\DVD Maker\fr-FR\backup.exe
                                                      "C:\Program Files\DVD Maker\fr-FR\backup.exe" C:\Program Files\DVD Maker\fr-FR\
                                                      6⤵
                                                      • Modifies visibility of file extensions in Explorer
                                                      • System policy modification
                                                      PID:912
                                                    • C:\Program Files\DVD Maker\it-IT\backup.exe
                                                      "C:\Program Files\DVD Maker\it-IT\backup.exe" C:\Program Files\DVD Maker\it-IT\
                                                      6⤵
                                                      • Modifies visibility of file extensions in Explorer
                                                      • System policy modification
                                                      PID:1268
                                                    • C:\Program Files\DVD Maker\ja-JP\update.exe
                                                      "C:\Program Files\DVD Maker\ja-JP\update.exe" C:\Program Files\DVD Maker\ja-JP\
                                                      6⤵
                                                      • System policy modification
                                                      PID:1628
                                                    • C:\Program Files\DVD Maker\Shared\System Restore.exe
                                                      "C:\Program Files\DVD Maker\Shared\System Restore.exe" C:\Program Files\DVD Maker\Shared\
                                                      6⤵
                                                      • Modifies visibility of file extensions in Explorer
                                                      • System policy modification
                                                      PID:948
                                                      • C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe
                                                        "C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\
                                                        7⤵
                                                          PID:1440
                                                    • C:\Program Files\Google\backup.exe
                                                      "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
                                                      5⤵
                                                      • Disables RegEdit via registry modification
                                                      PID:2028
                                                      • C:\Program Files\Google\Chrome\backup.exe
                                                        "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
                                                        6⤵
                                                          PID:1560
                                                      • C:\Program Files\Internet Explorer\backup.exe
                                                        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
                                                        5⤵
                                                        • Disables RegEdit via registry modification
                                                        • Drops file in Program Files directory
                                                        • System policy modification
                                                        PID:1788
                                                        • C:\Program Files\Internet Explorer\de-DE\backup.exe
                                                          "C:\Program Files\Internet Explorer\de-DE\backup.exe" C:\Program Files\Internet Explorer\de-DE\
                                                          6⤵
                                                            PID:1228
                                                          • C:\Program Files\Internet Explorer\en-US\backup.exe
                                                            "C:\Program Files\Internet Explorer\en-US\backup.exe" C:\Program Files\Internet Explorer\en-US\
                                                            6⤵
                                                              PID:2124
                                                            • C:\Program Files\Internet Explorer\es-ES\backup.exe
                                                              "C:\Program Files\Internet Explorer\es-ES\backup.exe" C:\Program Files\Internet Explorer\es-ES\
                                                              6⤵
                                                                PID:2216
                                                              • C:\Program Files\Internet Explorer\fr-FR\backup.exe
                                                                "C:\Program Files\Internet Explorer\fr-FR\backup.exe" C:\Program Files\Internet Explorer\fr-FR\
                                                                6⤵
                                                                  PID:2324
                                                                • C:\Program Files\Internet Explorer\images\backup.exe
                                                                  "C:\Program Files\Internet Explorer\images\backup.exe" C:\Program Files\Internet Explorer\images\
                                                                  6⤵
                                                                    PID:2500
                                                                • C:\Program Files\Java\backup.exe
                                                                  "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
                                                                  5⤵
                                                                  • Modifies visibility of file extensions in Explorer
                                                                  • Drops file in Program Files directory
                                                                  PID:1220
                                                                  • C:\Program Files\Java\jdk1.7.0_80\backup.exe
                                                                    "C:\Program Files\Java\jdk1.7.0_80\backup.exe" C:\Program Files\Java\jdk1.7.0_80\
                                                                    6⤵
                                                                      PID:2056
                                                                    • C:\Program Files\Java\jre7\backup.exe
                                                                      "C:\Program Files\Java\jre7\backup.exe" C:\Program Files\Java\jre7\
                                                                      6⤵
                                                                        PID:2200
                                                                    • C:\Program Files\Microsoft Games\backup.exe
                                                                      "C:\Program Files\Microsoft Games\backup.exe" C:\Program Files\Microsoft Games\
                                                                      5⤵
                                                                        PID:1772
                                                                      • C:\Program Files\Microsoft Office\backup.exe
                                                                        "C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
                                                                        5⤵
                                                                          PID:2100
                                                                        • C:\Program Files\Mozilla Firefox\backup.exe
                                                                          "C:\Program Files\Mozilla Firefox\backup.exe" C:\Program Files\Mozilla Firefox\
                                                                          5⤵
                                                                            PID:2240
                                                                          • C:\Program Files\MSBuild\backup.exe
                                                                            "C:\Program Files\MSBuild\backup.exe" C:\Program Files\MSBuild\
                                                                            5⤵
                                                                              PID:2372
                                                                            • C:\Program Files\Reference Assemblies\backup.exe
                                                                              "C:\Program Files\Reference Assemblies\backup.exe" C:\Program Files\Reference Assemblies\
                                                                              5⤵
                                                                                PID:2484
                                                                            • C:\Program Files (x86)\backup.exe
                                                                              "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
                                                                              4⤵
                                                                              • Modifies visibility of file extensions in Explorer
                                                                              • Executes dropped EXE
                                                                              • Loads dropped DLL
                                                                              • Drops file in Program Files directory
                                                                              • Suspicious use of SetWindowsHookEx
                                                                              • System policy modification
                                                                              PID:1240
                                                                              • C:\Program Files (x86)\Adobe\backup.exe
                                                                                "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
                                                                                5⤵
                                                                                • Modifies visibility of file extensions in Explorer
                                                                                • Executes dropped EXE
                                                                                • Loads dropped DLL
                                                                                • Suspicious use of SetWindowsHookEx
                                                                                PID:1620
                                                                                • C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe
                                                                                  "C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\
                                                                                  6⤵
                                                                                  • Disables RegEdit via registry modification
                                                                                  • Executes dropped EXE
                                                                                  • Loads dropped DLL
                                                                                  • Drops file in Program Files directory
                                                                                  • Suspicious use of SetWindowsHookEx
                                                                                  PID:1228
                                                                                  • C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe
                                                                                    "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\
                                                                                    7⤵
                                                                                    • Modifies visibility of file extensions in Explorer
                                                                                    • Executes dropped EXE
                                                                                    • Suspicious use of SetWindowsHookEx
                                                                                    • System policy modification
                                                                                    PID:1508
                                                                                  • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe
                                                                                    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\
                                                                                    7⤵
                                                                                    • Modifies visibility of file extensions in Explorer
                                                                                    • Executes dropped EXE
                                                                                    • Loads dropped DLL
                                                                                    • Drops file in Program Files directory
                                                                                    • Suspicious use of SetWindowsHookEx
                                                                                    PID:1700
                                                                                    • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe
                                                                                      "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\
                                                                                      8⤵
                                                                                      • Disables RegEdit via registry modification
                                                                                      • Executes dropped EXE
                                                                                      • Suspicious use of SetWindowsHookEx
                                                                                      • System policy modification
                                                                                      PID:560
                                                                                    • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe
                                                                                      "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\
                                                                                      8⤵
                                                                                      • Modifies visibility of file extensions in Explorer
                                                                                      • Disables RegEdit via registry modification
                                                                                      • Executes dropped EXE
                                                                                      • Suspicious use of SetWindowsHookEx
                                                                                      • System policy modification
                                                                                      PID:756
                                                                                    • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe
                                                                                      "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\
                                                                                      8⤵
                                                                                      • Modifies visibility of file extensions in Explorer
                                                                                      • Executes dropped EXE
                                                                                      • Suspicious use of SetWindowsHookEx
                                                                                      PID:752
                                                                                    • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe
                                                                                      "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\
                                                                                      8⤵
                                                                                      • Disables RegEdit via registry modification
                                                                                      • Executes dropped EXE
                                                                                      • Drops file in Program Files directory
                                                                                      • Suspicious use of SetWindowsHookEx
                                                                                      • System policy modification
                                                                                      PID:1268
                                                                                      • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe
                                                                                        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\
                                                                                        9⤵
                                                                                        • Executes dropped EXE
                                                                                        • Suspicious use of SetWindowsHookEx
                                                                                        • System policy modification
                                                                                        PID:648
                                                                                    • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe
                                                                                      "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\
                                                                                      8⤵
                                                                                      • Disables RegEdit via registry modification
                                                                                      • Executes dropped EXE
                                                                                      • Suspicious use of SetWindowsHookEx
                                                                                      • System policy modification
                                                                                      PID:1464
                                                                                    • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe
                                                                                      "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\
                                                                                      8⤵
                                                                                      • Modifies visibility of file extensions in Explorer
                                                                                      • Executes dropped EXE
                                                                                      • Drops file in Program Files directory
                                                                                      • Suspicious use of SetWindowsHookEx
                                                                                      • System policy modification
                                                                                      PID:1632
                                                                                      • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe
                                                                                        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\
                                                                                        9⤵
                                                                                        • Disables RegEdit via registry modification
                                                                                        • Executes dropped EXE
                                                                                        • Suspicious use of SetWindowsHookEx
                                                                                        PID:604
                                                                                    • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe
                                                                                      "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\
                                                                                      8⤵
                                                                                      • Modifies visibility of file extensions in Explorer
                                                                                      • Executes dropped EXE
                                                                                      • Suspicious use of SetWindowsHookEx
                                                                                      PID:1444
                                                                                    • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe
                                                                                      "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\
                                                                                      8⤵
                                                                                      • Modifies visibility of file extensions in Explorer
                                                                                      • Disables RegEdit via registry modification
                                                                                      • Executes dropped EXE
                                                                                      • Drops file in Program Files directory
                                                                                      • Suspicious use of SetWindowsHookEx
                                                                                      PID:840
                                                                                      • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe
                                                                                        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\
                                                                                        9⤵
                                                                                        • Executes dropped EXE
                                                                                        • Suspicious use of SetWindowsHookEx
                                                                                        PID:1096
                                                                                        • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\backup.exe
                                                                                          "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\
                                                                                          10⤵
                                                                                          • Executes dropped EXE
                                                                                          • Suspicious use of SetWindowsHookEx
                                                                                          PID:1236
                                                                                      • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe
                                                                                        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\
                                                                                        9⤵
                                                                                        • Executes dropped EXE
                                                                                        • Drops file in Program Files directory
                                                                                        • Suspicious use of SetWindowsHookEx
                                                                                        • System policy modification
                                                                                        PID:1560
                                                                                        • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\backup.exe
                                                                                          "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\
                                                                                          10⤵
                                                                                          • Disables RegEdit via registry modification
                                                                                          • Executes dropped EXE
                                                                                          • Drops file in Program Files directory
                                                                                          • Suspicious use of SetWindowsHookEx
                                                                                          • System policy modification
                                                                                          PID:2024
                                                                                          • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe
                                                                                            "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\
                                                                                            11⤵
                                                                                            • Executes dropped EXE
                                                                                            • System policy modification
                                                                                            PID:2028
                                                                                      • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe
                                                                                        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\
                                                                                        9⤵
                                                                                          PID:1196
                                                                                          • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\data.exe
                                                                                            "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\data.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\
                                                                                            10⤵
                                                                                            • Modifies visibility of file extensions in Explorer
                                                                                            • System policy modification
                                                                                            PID:1752
                                                                                        • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe
                                                                                          "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\
                                                                                          9⤵
                                                                                          • Modifies visibility of file extensions in Explorer
                                                                                          PID:560
                                                                                          • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\backup.exe
                                                                                            "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\
                                                                                            10⤵
                                                                                            • Modifies visibility of file extensions in Explorer
                                                                                            PID:1456
                                                                                      • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe
                                                                                        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\
                                                                                        8⤵
                                                                                        • Disables RegEdit via registry modification
                                                                                        • Drops file in Program Files directory
                                                                                        PID:2016
                                                                                        • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\backup.exe
                                                                                          "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\
                                                                                          9⤵
                                                                                            PID:2032
                                                                                        • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\System Restore.exe
                                                                                          "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\System Restore.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\
                                                                                          8⤵
                                                                                          • System policy modification
                                                                                          PID:1780
                                                                                        • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe
                                                                                          "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\
                                                                                          8⤵
                                                                                          • Modifies visibility of file extensions in Explorer
                                                                                          • System policy modification
                                                                                          PID:1996
                                                                                      • C:\Program Files (x86)\Adobe\Reader 9.0\Resource\update.exe
                                                                                        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\update.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\
                                                                                        7⤵
                                                                                        • Modifies visibility of file extensions in Explorer
                                                                                        • System policy modification
                                                                                        PID:900
                                                                                        • C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe
                                                                                          "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\
                                                                                          8⤵
                                                                                          • Modifies visibility of file extensions in Explorer
                                                                                          PID:1416
                                                                                          • C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe
                                                                                            "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\
                                                                                            9⤵
                                                                                            • Modifies visibility of file extensions in Explorer
                                                                                            • Disables RegEdit via registry modification
                                                                                            PID:976
                                                                                        • C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe
                                                                                          "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\
                                                                                          8⤵
                                                                                          • Modifies visibility of file extensions in Explorer
                                                                                          • System policy modification
                                                                                          PID:1116
                                                                                        • C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe
                                                                                          "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\
                                                                                          8⤵
                                                                                          • Modifies visibility of file extensions in Explorer
                                                                                          • Drops file in Program Files directory
                                                                                          • System policy modification
                                                                                          PID:1660
                                                                                          • C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\backup.exe
                                                                                            "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\
                                                                                            9⤵
                                                                                              PID:1936
                                                                                            • C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\backup.exe
                                                                                              "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\
                                                                                              9⤵
                                                                                                PID:2116
                                                                                            • C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe
                                                                                              "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\
                                                                                              8⤵
                                                                                              • Disables RegEdit via registry modification
                                                                                              • System policy modification
                                                                                              PID:520
                                                                                            • C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe
                                                                                              "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\
                                                                                              8⤵
                                                                                                PID:1096
                                                                                            • C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe
                                                                                              "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\
                                                                                              7⤵
                                                                                              • Modifies visibility of file extensions in Explorer
                                                                                              • System policy modification
                                                                                              PID:1992
                                                                                              • C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe
                                                                                                "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\
                                                                                                8⤵
                                                                                                  PID:1584
                                                                                          • C:\Program Files (x86)\Common Files\backup.exe
                                                                                            "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
                                                                                            5⤵
                                                                                            • Modifies visibility of file extensions in Explorer
                                                                                            • Disables RegEdit via registry modification
                                                                                            • Drops file in Program Files directory
                                                                                            PID:1592
                                                                                            • C:\Program Files (x86)\Common Files\Adobe\System Restore.exe
                                                                                              "C:\Program Files (x86)\Common Files\Adobe\System Restore.exe" C:\Program Files (x86)\Common Files\Adobe\
                                                                                              6⤵
                                                                                              • Disables RegEdit via registry modification
                                                                                              PID:984
                                                                                              • C:\Program Files (x86)\Common Files\Adobe\Acrobat\System Restore.exe
                                                                                                "C:\Program Files (x86)\Common Files\Adobe\Acrobat\System Restore.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\
                                                                                                7⤵
                                                                                                  PID:1488
                                                                                                • C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe
                                                                                                  "C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\
                                                                                                  7⤵
                                                                                                  • System policy modification
                                                                                                  PID:1448
                                                                                                  • C:\Program Files (x86)\Common Files\Adobe\Help\en_US\System Restore.exe
                                                                                                    "C:\Program Files (x86)\Common Files\Adobe\Help\en_US\System Restore.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\
                                                                                                    8⤵
                                                                                                      PID:896
                                                                                                  • C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe
                                                                                                    "C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Updater6\
                                                                                                    7⤵
                                                                                                    • Disables RegEdit via registry modification
                                                                                                    PID:568
                                                                                                • C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe
                                                                                                  "C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\
                                                                                                  6⤵
                                                                                                  • Disables RegEdit via registry modification
                                                                                                  • Drops file in Program Files directory
                                                                                                  PID:612
                                                                                                  • C:\Program Files (x86)\Common Files\Adobe AIR\Versions\backup.exe
                                                                                                    "C:\Program Files (x86)\Common Files\Adobe AIR\Versions\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\Versions\
                                                                                                    7⤵
                                                                                                    • Disables RegEdit via registry modification
                                                                                                    • Drops file in Program Files directory
                                                                                                    • System policy modification
                                                                                                    PID:1952
                                                                                                    • C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\backup.exe
                                                                                                      "C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\
                                                                                                      8⤵
                                                                                                        PID:1768
                                                                                                  • C:\Program Files (x86)\Common Files\DESIGNER\backup.exe
                                                                                                    "C:\Program Files (x86)\Common Files\DESIGNER\backup.exe" C:\Program Files (x86)\Common Files\DESIGNER\
                                                                                                    6⤵
                                                                                                    • Modifies visibility of file extensions in Explorer
                                                                                                    • System policy modification
                                                                                                    PID:856
                                                                                                  • C:\Program Files (x86)\Common Files\microsoft shared\backup.exe
                                                                                                    "C:\Program Files (x86)\Common Files\microsoft shared\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\
                                                                                                    6⤵
                                                                                                      PID:1028
                                                                                                      • C:\Program Files (x86)\Common Files\microsoft shared\DAO\backup.exe
                                                                                                        "C:\Program Files (x86)\Common Files\microsoft shared\DAO\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\DAO\
                                                                                                        7⤵
                                                                                                          PID:2264
                                                                                                        • C:\Program Files (x86)\Common Files\microsoft shared\DW\backup.exe
                                                                                                          "C:\Program Files (x86)\Common Files\microsoft shared\DW\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\DW\
                                                                                                          7⤵
                                                                                                            PID:2420
                                                                                                        • C:\Program Files (x86)\Common Files\Services\backup.exe
                                                                                                          "C:\Program Files (x86)\Common Files\Services\backup.exe" C:\Program Files (x86)\Common Files\Services\
                                                                                                          6⤵
                                                                                                            PID:1976
                                                                                                          • C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe
                                                                                                            "C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe" C:\Program Files (x86)\Common Files\SpeechEngines\
                                                                                                            6⤵
                                                                                                              PID:2176
                                                                                                            • C:\Program Files (x86)\Common Files\System\backup.exe
                                                                                                              "C:\Program Files (x86)\Common Files\System\backup.exe" C:\Program Files (x86)\Common Files\System\
                                                                                                              6⤵
                                                                                                                PID:2316
                                                                                                            • C:\Program Files (x86)\Google\backup.exe
                                                                                                              "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
                                                                                                              5⤵
                                                                                                              • Modifies visibility of file extensions in Explorer
                                                                                                              • Drops file in Program Files directory
                                                                                                              PID:944
                                                                                                              • C:\Program Files (x86)\Google\CrashReports\backup.exe
                                                                                                                "C:\Program Files (x86)\Google\CrashReports\backup.exe" C:\Program Files (x86)\Google\CrashReports\
                                                                                                                6⤵
                                                                                                                  PID:984
                                                                                                                • C:\Program Files (x86)\Google\Policies\backup.exe
                                                                                                                  "C:\Program Files (x86)\Google\Policies\backup.exe" C:\Program Files (x86)\Google\Policies\
                                                                                                                  6⤵
                                                                                                                    PID:2108
                                                                                                                  • C:\Program Files (x86)\Google\Temp\data.exe
                                                                                                                    "C:\Program Files (x86)\Google\Temp\data.exe" C:\Program Files (x86)\Google\Temp\
                                                                                                                    6⤵
                                                                                                                      PID:2232
                                                                                                                    • C:\Program Files (x86)\Google\Update\backup.exe
                                                                                                                      "C:\Program Files (x86)\Google\Update\backup.exe" C:\Program Files (x86)\Google\Update\
                                                                                                                      6⤵
                                                                                                                        PID:2340
                                                                                                                    • C:\Program Files (x86)\Internet Explorer\backup.exe
                                                                                                                      "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
                                                                                                                      5⤵
                                                                                                                      • Modifies visibility of file extensions in Explorer
                                                                                                                      • System policy modification
                                                                                                                      PID:1656
                                                                                                                    • C:\Program Files (x86)\Microsoft Analysis Services\update.exe
                                                                                                                      "C:\Program Files (x86)\Microsoft Analysis Services\update.exe" C:\Program Files (x86)\Microsoft Analysis Services\
                                                                                                                      5⤵
                                                                                                                      • Modifies visibility of file extensions in Explorer
                                                                                                                      PID:864
                                                                                                                    • C:\Program Files (x86)\Microsoft Office\backup.exe
                                                                                                                      "C:\Program Files (x86)\Microsoft Office\backup.exe" C:\Program Files (x86)\Microsoft Office\
                                                                                                                      5⤵
                                                                                                                        PID:524
                                                                                                                      • C:\Program Files (x86)\Microsoft SQL Server Compact Edition\System Restore.exe
                                                                                                                        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\System Restore.exe" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\
                                                                                                                        5⤵
                                                                                                                          PID:2164
                                                                                                                        • C:\Program Files (x86)\Microsoft Sync Framework\backup.exe
                                                                                                                          "C:\Program Files (x86)\Microsoft Sync Framework\backup.exe" C:\Program Files (x86)\Microsoft Sync Framework\
                                                                                                                          5⤵
                                                                                                                            PID:2276
                                                                                                                          • C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe
                                                                                                                            "C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe" C:\Program Files (x86)\Microsoft Synchronization Services\
                                                                                                                            5⤵
                                                                                                                              PID:2432
                                                                                                                          • C:\Users\data.exe
                                                                                                                            C:\Users\data.exe C:\Users\
                                                                                                                            4⤵
                                                                                                                            • Disables RegEdit via registry modification
                                                                                                                            • System policy modification
                                                                                                                            PID:1584
                                                                                                                            • C:\Users\Admin\backup.exe
                                                                                                                              C:\Users\Admin\backup.exe C:\Users\Admin\
                                                                                                                              5⤵
                                                                                                                              • Modifies visibility of file extensions in Explorer
                                                                                                                              • Disables RegEdit via registry modification
                                                                                                                              PID:1748
                                                                                                                              • C:\Users\Admin\Contacts\System Restore.exe
                                                                                                                                "C:\Users\Admin\Contacts\System Restore.exe" C:\Users\Admin\Contacts\
                                                                                                                                6⤵
                                                                                                                                • Disables RegEdit via registry modification
                                                                                                                                • System policy modification
                                                                                                                                PID:1048
                                                                                                                              • C:\Users\Admin\Desktop\backup.exe
                                                                                                                                C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
                                                                                                                                6⤵
                                                                                                                                  PID:992
                                                                                                                                • C:\Users\Admin\Documents\backup.exe
                                                                                                                                  C:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\
                                                                                                                                  6⤵
                                                                                                                                  • Disables RegEdit via registry modification
                                                                                                                                  PID:1524
                                                                                                                                • C:\Users\Admin\Downloads\backup.exe
                                                                                                                                  C:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\
                                                                                                                                  6⤵
                                                                                                                                    PID:1196
                                                                                                                                  • C:\Users\Admin\Favorites\data.exe
                                                                                                                                    C:\Users\Admin\Favorites\data.exe C:\Users\Admin\Favorites\
                                                                                                                                    6⤵
                                                                                                                                      PID:1868
                                                                                                                                    • C:\Users\Admin\Links\backup.exe
                                                                                                                                      C:\Users\Admin\Links\backup.exe C:\Users\Admin\Links\
                                                                                                                                      6⤵
                                                                                                                                        PID:1100
                                                                                                                                      • C:\Users\Admin\Music\backup.exe
                                                                                                                                        C:\Users\Admin\Music\backup.exe C:\Users\Admin\Music\
                                                                                                                                        6⤵
                                                                                                                                          PID:2084
                                                                                                                                        • C:\Users\Admin\Pictures\backup.exe
                                                                                                                                          C:\Users\Admin\Pictures\backup.exe C:\Users\Admin\Pictures\
                                                                                                                                          6⤵
                                                                                                                                            PID:2224
                                                                                                                                          • C:\Users\Admin\Saved Games\backup.exe
                                                                                                                                            "C:\Users\Admin\Saved Games\backup.exe" C:\Users\Admin\Saved Games\
                                                                                                                                            6⤵
                                                                                                                                              PID:2332
                                                                                                                                            • C:\Users\Admin\Searches\backup.exe
                                                                                                                                              C:\Users\Admin\Searches\backup.exe C:\Users\Admin\Searches\
                                                                                                                                              6⤵
                                                                                                                                                PID:2492
                                                                                                                                            • C:\Users\Public\update.exe
                                                                                                                                              C:\Users\Public\update.exe C:\Users\Public\
                                                                                                                                              5⤵
                                                                                                                                              • Modifies visibility of file extensions in Explorer
                                                                                                                                              PID:1272
                                                                                                                                              • C:\Users\Public\Documents\backup.exe
                                                                                                                                                C:\Users\Public\Documents\backup.exe C:\Users\Public\Documents\
                                                                                                                                                6⤵
                                                                                                                                                  PID:1416
                                                                                                                                                • C:\Users\Public\Downloads\backup.exe
                                                                                                                                                  C:\Users\Public\Downloads\backup.exe C:\Users\Public\Downloads\
                                                                                                                                                  6⤵
                                                                                                                                                    PID:2092
                                                                                                                                                  • C:\Users\Public\Music\backup.exe
                                                                                                                                                    C:\Users\Public\Music\backup.exe C:\Users\Public\Music\
                                                                                                                                                    6⤵
                                                                                                                                                      PID:2208
                                                                                                                                                    • C:\Users\Public\Pictures\backup.exe
                                                                                                                                                      C:\Users\Public\Pictures\backup.exe C:\Users\Public\Pictures\
                                                                                                                                                      6⤵
                                                                                                                                                        PID:2348
                                                                                                                                                      • C:\Users\Public\Recorded TV\backup.exe
                                                                                                                                                        "C:\Users\Public\Recorded TV\backup.exe" C:\Users\Public\Recorded TV\
                                                                                                                                                        6⤵
                                                                                                                                                          PID:2508
                                                                                                                                                    • C:\Windows\backup.exe
                                                                                                                                                      C:\Windows\backup.exe C:\Windows\
                                                                                                                                                      4⤵
                                                                                                                                                      • Drops file in Windows directory
                                                                                                                                                      PID:1532
                                                                                                                                                      • C:\Windows\addins\data.exe
                                                                                                                                                        C:\Windows\addins\data.exe C:\Windows\addins\
                                                                                                                                                        5⤵
                                                                                                                                                          PID:1152
                                                                                                                                                        • C:\Windows\AppCompat\backup.exe
                                                                                                                                                          C:\Windows\AppCompat\backup.exe C:\Windows\AppCompat\
                                                                                                                                                          5⤵
                                                                                                                                                            PID:2072
                                                                                                                                                          • C:\Windows\AppPatch\backup.exe
                                                                                                                                                            C:\Windows\AppPatch\backup.exe C:\Windows\AppPatch\
                                                                                                                                                            5⤵
                                                                                                                                                              PID:2192
                                                                                                                                                            • C:\Windows\assembly\backup.exe
                                                                                                                                                              C:\Windows\assembly\backup.exe C:\Windows\assembly\
                                                                                                                                                              5⤵
                                                                                                                                                                PID:2300
                                                                                                                                                              • C:\Windows\Branding\backup.exe
                                                                                                                                                                C:\Windows\Branding\backup.exe C:\Windows\Branding\
                                                                                                                                                                5⤵
                                                                                                                                                                  PID:2440
                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
                                                                                                                                                            C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
                                                                                                                                                            2⤵
                                                                                                                                                            • Disables RegEdit via registry modification
                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                            • Suspicious use of SetWindowsHookEx
                                                                                                                                                            PID:1224
                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
                                                                                                                                                            C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
                                                                                                                                                            2⤵
                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                            • Suspicious use of SetWindowsHookEx
                                                                                                                                                            PID:1348
                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
                                                                                                                                                            2⤵
                                                                                                                                                            • Modifies visibility of file extensions in Explorer
                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                            • Suspicious use of SetWindowsHookEx
                                                                                                                                                            • System policy modification
                                                                                                                                                            PID:1812
                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
                                                                                                                                                            2⤵
                                                                                                                                                            • Modifies visibility of file extensions in Explorer
                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                            • Suspicious use of SetWindowsHookEx
                                                                                                                                                            • System policy modification
                                                                                                                                                            PID:1692
                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
                                                                                                                                                            C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
                                                                                                                                                            2⤵
                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                            • Suspicious use of SetWindowsHookEx
                                                                                                                                                            PID:1164
                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
                                                                                                                                                            C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
                                                                                                                                                            2⤵
                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                            • Suspicious use of SetWindowsHookEx
                                                                                                                                                            PID:1952

                                                                                                                                                        Network

                                                                                                                                                        MITRE ATT&CK Enterprise v6

                                                                                                                                                        Downloads

                                                                                                                                                        • C:\PerfLogs\Admin\backup.exe

                                                                                                                                                          Filesize

                                                                                                                                                          72KB

                                                                                                                                                          MD5

                                                                                                                                                          967a89a6ab9a6a2b34369557ce2442ac

                                                                                                                                                          SHA1

                                                                                                                                                          18daa93adde2b563bec325dcde6a74ef7689c446

                                                                                                                                                          SHA256

                                                                                                                                                          2dd5f5de87aff2ad83fba6bf3014bfcb2e6eab291de53437b9c0e706eb3454dc

                                                                                                                                                          SHA512

                                                                                                                                                          91d16393f4f768180eae0d4596d197d714200731e83f0e3eac786f0ad04c5db70cd2ef52635e10b6f1acac512f55f7a77518c3916ccfe795a4ee243d1a4ce53e

                                                                                                                                                        • C:\PerfLogs\backup.exe

                                                                                                                                                          Filesize

                                                                                                                                                          72KB

                                                                                                                                                          MD5

                                                                                                                                                          3ce1c312caa88b5bdb9e750620911929

                                                                                                                                                          SHA1

                                                                                                                                                          b9c6ecf172612373d60ede090932b7475fe752ea

                                                                                                                                                          SHA256

                                                                                                                                                          a9fd27c5c97f223e72076872c583d0460a7270f8caaa95d0a2246bc62a20900c

                                                                                                                                                          SHA512

                                                                                                                                                          392f0785358190b2a109d90e569705be9b053eb7f21e47c2030ed394b46b9cab6a4539beb9ca0c68ebdbbb9f43489013e01329bcb63d282cd99009d01737445a

                                                                                                                                                        • C:\PerfLogs\backup.exe

                                                                                                                                                          Filesize

                                                                                                                                                          72KB

                                                                                                                                                          MD5

                                                                                                                                                          3ce1c312caa88b5bdb9e750620911929

                                                                                                                                                          SHA1

                                                                                                                                                          b9c6ecf172612373d60ede090932b7475fe752ea

                                                                                                                                                          SHA256

                                                                                                                                                          a9fd27c5c97f223e72076872c583d0460a7270f8caaa95d0a2246bc62a20900c

                                                                                                                                                          SHA512

                                                                                                                                                          392f0785358190b2a109d90e569705be9b053eb7f21e47c2030ed394b46b9cab6a4539beb9ca0c68ebdbbb9f43489013e01329bcb63d282cd99009d01737445a

                                                                                                                                                        • C:\Program Files\7-Zip\Lang\update.exe

                                                                                                                                                          Filesize

                                                                                                                                                          72KB

                                                                                                                                                          MD5

                                                                                                                                                          0b35bcfac0e09d268888711bb3261f28

                                                                                                                                                          SHA1

                                                                                                                                                          9d123c77bc5eed8e9d9e8bf1f7a1f0342ba557bb

                                                                                                                                                          SHA256

                                                                                                                                                          a58861b2910d78525a7c032dcb3eb4114deaf8af6c03f75beeaf0c62458c7c94

                                                                                                                                                          SHA512

                                                                                                                                                          8e46920d544d0330e16fb158ed21842b823ca1ea219c3fd2f419a9fd4fda9863df3fb0eb392ce5ec5753f32a5cd5bee9838913cc4aa5c136274e51e11c81b45b

                                                                                                                                                        • C:\Program Files\7-Zip\Lang\update.exe

                                                                                                                                                          Filesize

                                                                                                                                                          72KB

                                                                                                                                                          MD5

                                                                                                                                                          0b35bcfac0e09d268888711bb3261f28

                                                                                                                                                          SHA1

                                                                                                                                                          9d123c77bc5eed8e9d9e8bf1f7a1f0342ba557bb

                                                                                                                                                          SHA256

                                                                                                                                                          a58861b2910d78525a7c032dcb3eb4114deaf8af6c03f75beeaf0c62458c7c94

                                                                                                                                                          SHA512

                                                                                                                                                          8e46920d544d0330e16fb158ed21842b823ca1ea219c3fd2f419a9fd4fda9863df3fb0eb392ce5ec5753f32a5cd5bee9838913cc4aa5c136274e51e11c81b45b

                                                                                                                                                        • C:\Program Files\7-Zip\data.exe

                                                                                                                                                          Filesize

                                                                                                                                                          72KB

                                                                                                                                                          MD5

                                                                                                                                                          8f6ad198e25abe5dd66688d8d6ed92ba

                                                                                                                                                          SHA1

                                                                                                                                                          0adaf7eae72fe24eea8276ee68839175227f30db

                                                                                                                                                          SHA256

                                                                                                                                                          cd4502d11ae3d14f1ab648c8c3af662aacbdad0ce5ea768a60ad5a2fc6c392fe

                                                                                                                                                          SHA512

                                                                                                                                                          17fe9c952fdf17a5c41694e09a4e180d8280f6201bdb914d3bc26eab2202537900a35206cb8a270822f3af7ad118742d053f7969568c299a27200cfb532d5522

                                                                                                                                                        • C:\Program Files\7-Zip\data.exe

                                                                                                                                                          Filesize

                                                                                                                                                          72KB

                                                                                                                                                          MD5

                                                                                                                                                          8f6ad198e25abe5dd66688d8d6ed92ba

                                                                                                                                                          SHA1

                                                                                                                                                          0adaf7eae72fe24eea8276ee68839175227f30db

                                                                                                                                                          SHA256

                                                                                                                                                          cd4502d11ae3d14f1ab648c8c3af662aacbdad0ce5ea768a60ad5a2fc6c392fe

                                                                                                                                                          SHA512

                                                                                                                                                          17fe9c952fdf17a5c41694e09a4e180d8280f6201bdb914d3bc26eab2202537900a35206cb8a270822f3af7ad118742d053f7969568c299a27200cfb532d5522

                                                                                                                                                        • C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

                                                                                                                                                          Filesize

                                                                                                                                                          72KB

                                                                                                                                                          MD5

                                                                                                                                                          354306f8f83e52ff209e9a052ae86557

                                                                                                                                                          SHA1

                                                                                                                                                          cc91c8b5b658d4647bc7113bf9e7074c25093b44

                                                                                                                                                          SHA256

                                                                                                                                                          4a7ad6caa8b3183b1c715fcc56e975264892b3aca470620b6e3317e31b907e55

                                                                                                                                                          SHA512

                                                                                                                                                          724ea53f5d76a4b99daf8a358e1525f3e6463c22b280e35c4cdd1562dfac1fcd61013d813ad2de87bf3a049e482491b50c62157939d004cc518da4875f07b437

                                                                                                                                                        • C:\Program Files\Common Files\Microsoft Shared\backup.exe

                                                                                                                                                          Filesize

                                                                                                                                                          72KB

                                                                                                                                                          MD5

                                                                                                                                                          30b8e81514cc7e5dc74ff33c8bec2cb7

                                                                                                                                                          SHA1

                                                                                                                                                          8302edbbf24f7b07e37ec827fa4345d2b4f9c1cd

                                                                                                                                                          SHA256

                                                                                                                                                          6cd0b25970329a39e007f4154f958bee8c68222e86fe402d314f9bcc680ca08c

                                                                                                                                                          SHA512

                                                                                                                                                          c1b4174ffa5c530037952d3f297d1616c22a57ee30a085dff44f3a3e04f63a60a450483e9252941e2908f47273e8fcf588e0a8fa2e5d2eb98e9869bb3e2e76ee

                                                                                                                                                        • C:\Program Files\Common Files\Microsoft Shared\backup.exe

                                                                                                                                                          Filesize

                                                                                                                                                          72KB

                                                                                                                                                          MD5

                                                                                                                                                          30b8e81514cc7e5dc74ff33c8bec2cb7

                                                                                                                                                          SHA1

                                                                                                                                                          8302edbbf24f7b07e37ec827fa4345d2b4f9c1cd

                                                                                                                                                          SHA256

                                                                                                                                                          6cd0b25970329a39e007f4154f958bee8c68222e86fe402d314f9bcc680ca08c

                                                                                                                                                          SHA512

                                                                                                                                                          c1b4174ffa5c530037952d3f297d1616c22a57ee30a085dff44f3a3e04f63a60a450483e9252941e2908f47273e8fcf588e0a8fa2e5d2eb98e9869bb3e2e76ee

                                                                                                                                                        • C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

                                                                                                                                                          Filesize

                                                                                                                                                          72KB

                                                                                                                                                          MD5

                                                                                                                                                          058496586fb4d97e3b9dc6068ed389cf

                                                                                                                                                          SHA1

                                                                                                                                                          682276464c850f0ad6c86240919e37f4a00e8038

                                                                                                                                                          SHA256

                                                                                                                                                          ce604247b40244e1dcf0a5ba86378e968059edadcddef82d1ff359783dc6ec21

                                                                                                                                                          SHA512

                                                                                                                                                          657a0d78737acea6b9fa41c1a96ec5353ea334a2d02bbaa057d606db549ad6e88577142fe2dc62ba324dc3f71d7fae5c96966a498d335fce586b9dc05325b2b0

                                                                                                                                                        • C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

                                                                                                                                                          Filesize

                                                                                                                                                          72KB

                                                                                                                                                          MD5

                                                                                                                                                          354306f8f83e52ff209e9a052ae86557

                                                                                                                                                          SHA1

                                                                                                                                                          cc91c8b5b658d4647bc7113bf9e7074c25093b44

                                                                                                                                                          SHA256

                                                                                                                                                          4a7ad6caa8b3183b1c715fcc56e975264892b3aca470620b6e3317e31b907e55

                                                                                                                                                          SHA512

                                                                                                                                                          724ea53f5d76a4b99daf8a358e1525f3e6463c22b280e35c4cdd1562dfac1fcd61013d813ad2de87bf3a049e482491b50c62157939d004cc518da4875f07b437

                                                                                                                                                        • C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

                                                                                                                                                          Filesize

                                                                                                                                                          72KB

                                                                                                                                                          MD5

                                                                                                                                                          354306f8f83e52ff209e9a052ae86557

                                                                                                                                                          SHA1

                                                                                                                                                          cc91c8b5b658d4647bc7113bf9e7074c25093b44

                                                                                                                                                          SHA256

                                                                                                                                                          4a7ad6caa8b3183b1c715fcc56e975264892b3aca470620b6e3317e31b907e55

                                                                                                                                                          SHA512

                                                                                                                                                          724ea53f5d76a4b99daf8a358e1525f3e6463c22b280e35c4cdd1562dfac1fcd61013d813ad2de87bf3a049e482491b50c62157939d004cc518da4875f07b437

                                                                                                                                                        • C:\Program Files\Common Files\backup.exe

                                                                                                                                                          Filesize

                                                                                                                                                          72KB

                                                                                                                                                          MD5

                                                                                                                                                          b83b3db2452d12f3f840b032337b8526

                                                                                                                                                          SHA1

                                                                                                                                                          b8bd37c17922a86597e91773f0a984b5fd52ca54

                                                                                                                                                          SHA256

                                                                                                                                                          b402ce645782dd2ec3b0f3eaf322a24df1655c202a90d1f81737b308ed1e8939

                                                                                                                                                          SHA512

                                                                                                                                                          7f11c37e97e8d41048b55d752f98e10897361d78aafcaddecf2a9a866c2e93c6ed890dcc9f2a391c2f0fcd2ceb22b18362af79e5b900049db8da3a43b63e9933

                                                                                                                                                        • C:\Program Files\Common Files\backup.exe

                                                                                                                                                          Filesize

                                                                                                                                                          72KB

                                                                                                                                                          MD5

                                                                                                                                                          b83b3db2452d12f3f840b032337b8526

                                                                                                                                                          SHA1

                                                                                                                                                          b8bd37c17922a86597e91773f0a984b5fd52ca54

                                                                                                                                                          SHA256

                                                                                                                                                          b402ce645782dd2ec3b0f3eaf322a24df1655c202a90d1f81737b308ed1e8939

                                                                                                                                                          SHA512

                                                                                                                                                          7f11c37e97e8d41048b55d752f98e10897361d78aafcaddecf2a9a866c2e93c6ed890dcc9f2a391c2f0fcd2ceb22b18362af79e5b900049db8da3a43b63e9933

                                                                                                                                                        • C:\Program Files\backup.exe

                                                                                                                                                          Filesize

                                                                                                                                                          72KB

                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\1794728039\backup.exe

                                                                                                                                                          Filesize

                                                                                                                                                          72KB

                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

                                                                                                                                                          Filesize

                                                                                                                                                          72KB


                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

                                                                                                                                                          Filesize

                                                                                                                                                          72KB


                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

                                                                                                                                                          Filesize

                                                                                                                                                          72KB


                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

                                                                                                                                                          Filesize

                                                                                                                                                          72KB


                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

                                                                                                                                                          Filesize

                                                                                                                                                          72KB


                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

                                                                                                                                                          Filesize

                                                                                                                                                          72KB


                                                                                                                                                        • C:\backup.exe

                                                                                                                                                          Filesize

                                                                                                                                                          72KB

                                                                                                                                                        • \PerfLogs\Admin\backup.exe

                                                                                                                                                          Filesize

                                                                                                                                                          72KB

                                                                                                                                                        • \PerfLogs\backup.exe

                                                                                                                                                          Filesize

                                                                                                                                                          72KB

                                                                                                                                                        • \Program Files\7-Zip\Lang\update.exe

                                                                                                                                                          Filesize

                                                                                                                                                          72KB

                                                                                                                                                        • \Program Files\7-Zip\data.exe

                                                                                                                                                          Filesize

                                                                                                                                                          72KB

                                                                                                                                                        • \Program Files\Common Files\Microsoft Shared\Filters\backup.exe

                                                                                                                                                          Filesize

                                                                                                                                                          72KB

                                                                                                                                                        • \Program Files\Common Files\Microsoft Shared\backup.exe

                                                                                                                                                          Filesize

                                                                                                                                                          72KB

                                                                                                                                                        • \Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

                                                                                                                                                          Filesize

                                                                                                                                                          72KB

                                                                                                                                                        • \Program Files\Common Files\Microsoft Shared\ink\backup.exe

                                                                                                                                                          Filesize

                                                                                                                                                          72KB

                                                                                                                                                        • \Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

                                                                                                                                                          Filesize

                                                                                                                                                          72KB

                                                                                                                                                        • \Program Files\Common Files\backup.exe

                                                                                                                                                          Filesize

                                                                                                                                                          72KB


                                                                                                                                                        • \Program Files\backup.exe

                                                                                                                                                          Filesize

                                                                                                                                                          72KB


                                                                                                                                                        • \Users\Admin\AppData\Local\Temp\1794728039\backup.exe

                                                                                                                                                          Filesize

                                                                                                                                                          72KB


                                                                                                                                                        • \Users\Admin\AppData\Local\Temp\Low\backup.exe

                                                                                                                                                          Filesize

                                                                                                                                                          72KB


                                                                                                                                                        • \Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

                                                                                                                                                          Filesize

                                                                                                                                                          72KB


                                                                                                                                                        • \Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

                                                                                                                                                          Filesize

                                                                                                                                                          72KB


                                                                                                                                                        • \Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

                                                                                                                                                          Filesize

                                                                                                                                                          72KB


                                                                                                                                                        • \Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

                                                                                                                                                          Filesize

                                                                                                                                                          72KB


                                                                                                                                                        • \Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

                                                                                                                                                          Filesize

                                                                                                                                                          72KB

                                                                                                                                                          MD5

                                                                                                                                                          b024cad26cb3f0b15826908127acdca9

                                                                                                                                                          SHA1

                                                                                                                                                          750492a8bb0add76124135aded10951285e6f3f8

                                                                                                                                                          SHA256

                                                                                                                                                          4163a3ed06480e468ebd42ac1e58248c811de901ae2c043e522e1636765218e9

                                                                                                                                                          SHA512

                                                                                                                                                          c1eb9c55a3e3e17aee53745c9fb83ac9587364ab019e06dd887e92559ce4c7fa1cf44da2d45ba87d430a755e18748f72f2bccc79015adfe2ce693926129c5ff5
