45e11c8c95e5a1557c6e2656caa87f4b6c1aa2b2895d4437db2fe1e6d1917541

Analysis

max time kernel
162s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06/11/2022, 12:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

45e11c8c95e5a1557c6e2656caa87f4b6c1aa2b2895d4437db2fe1e6d1917541.exe
Size

72KB
MD5

0e55e9f3ef653f3d283f99ce04757ca3
SHA1

ce7fa6d367f792152b10f63646ed9b04af59b25a
SHA256

45e11c8c95e5a1557c6e2656caa87f4b6c1aa2b2895d4437db2fe1e6d1917541
SHA512

ce6a8704ddbe357cfcedaea3a3df46bd96853b6bf9765256a1ceca349b6ebc85005caef613c31ca57e56925d9d4fc3d531f76c4e0e1b6eea0b891c092009bf15
SSDEEP

768:rpQNwC3BEc4QEfu0Ei8XxNDINE3BEJwRr3kqD:teThavEjDWguKU4

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Executes dropped EXE 64 IoCs

pid	Process
1136	backup.exe
704	backup.exe
1000	backup.exe
1724	backup.exe
1660	backup.exe
1100	backup.exe
1336	backup.exe
1520	backup.exe
636	backup.exe
1572	backup.exe
1008	backup.exe
1968	backup.exe
1352	backup.exe
832	backup.exe
764	backup.exe
1496	backup.exe
1504	backup.exe
2004	backup.exe
1644	backup.exe
912	backup.exe
1064	backup.exe
856	data.exe
952	backup.exe
1596	backup.exe
1680	backup.exe
1096	backup.exe
1116	backup.exe
696	backup.exe
532	backup.exe
872	backup.exe
1772	backup.exe
108	data.exe
636	backup.exe
1080	backup.exe
992	backup.exe
1964	backup.exe
1508	backup.exe
560	backup.exe
1828	backup.exe
1968	backup.exe
1140	backup.exe
1332	backup.exe
2044	backup.exe
980	backup.exe
1260	backup.exe
1640	backup.exe
2004	backup.exe
1068	backup.exe
1972	update.exe
1056	backup.exe
908	System Restore.exe
1712	backup.exe
1668	backup.exe
1636	backup.exe
1680	backup.exe
1544	backup.exe
1288	backup.exe
800	backup.exe
984	backup.exe
988	backup.exe
868	backup.exe
108	System Restore.exe
1416	backup.exe
432	backup.exe

Loads dropped DLL 64 IoCs

pid	Process
1384	45e11c8c95e5a1557c6e2656caa87f4b6c1aa2b2895d4437db2fe1e6d1917541.exe
1384	45e11c8c95e5a1557c6e2656caa87f4b6c1aa2b2895d4437db2fe1e6d1917541.exe
1384	45e11c8c95e5a1557c6e2656caa87f4b6c1aa2b2895d4437db2fe1e6d1917541.exe
1384	45e11c8c95e5a1557c6e2656caa87f4b6c1aa2b2895d4437db2fe1e6d1917541.exe
1384	45e11c8c95e5a1557c6e2656caa87f4b6c1aa2b2895d4437db2fe1e6d1917541.exe
1384	45e11c8c95e5a1557c6e2656caa87f4b6c1aa2b2895d4437db2fe1e6d1917541.exe
1384	45e11c8c95e5a1557c6e2656caa87f4b6c1aa2b2895d4437db2fe1e6d1917541.exe
1384	45e11c8c95e5a1557c6e2656caa87f4b6c1aa2b2895d4437db2fe1e6d1917541.exe
1384	45e11c8c95e5a1557c6e2656caa87f4b6c1aa2b2895d4437db2fe1e6d1917541.exe
1384	45e11c8c95e5a1557c6e2656caa87f4b6c1aa2b2895d4437db2fe1e6d1917541.exe
1660	backup.exe
1660	backup.exe
1384	45e11c8c95e5a1557c6e2656caa87f4b6c1aa2b2895d4437db2fe1e6d1917541.exe
1384	45e11c8c95e5a1557c6e2656caa87f4b6c1aa2b2895d4437db2fe1e6d1917541.exe
1336	backup.exe
1336	backup.exe
1384	45e11c8c95e5a1557c6e2656caa87f4b6c1aa2b2895d4437db2fe1e6d1917541.exe
1384	45e11c8c95e5a1557c6e2656caa87f4b6c1aa2b2895d4437db2fe1e6d1917541.exe
1660	backup.exe
1660	backup.exe
1008	backup.exe
1008	backup.exe
1968	backup.exe
1968	backup.exe
1008	backup.exe
1008	backup.exe
832	backup.exe
832	backup.exe
764	backup.exe
764	backup.exe
764	backup.exe
764	backup.exe
1504	backup.exe
1504	backup.exe
1504	backup.exe
1504	backup.exe
1504	backup.exe
1504	backup.exe
1504	backup.exe
1504	backup.exe
1504	backup.exe
1504	backup.exe
1504	backup.exe
1504	backup.exe
1504	backup.exe
1504	backup.exe
1504	backup.exe
1504	backup.exe
1504	backup.exe
1504	backup.exe
1504	backup.exe
1504	backup.exe
1504	backup.exe
1504	backup.exe
1504	backup.exe
1504	backup.exe
532	backup.exe
532	backup.exe
1660	backup.exe
1660	backup.exe
532	backup.exe
532	backup.exe
1772	backup.exe
1772	backup.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\Policies\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\Update\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\CrashReports\backup.exe	backup.exe
File opened for modification	C:\Program Files\Reference Assemblies\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\System Restore.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Services\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\data.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\DESIGNER\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe	backup.exe
File opened for modification	C:\Program Files\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Services\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\System Restore.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe	backup.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\addins\update.exe	backup.exe
File opened for modification	C:\Windows\AppCompat\backup.exe	backup.exe
File opened for modification	C:\Windows\AppPatch\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\backup.exe	backup.exe
File opened for modification	C:\Windows\Boot\backup.exe	backup.exe
File opened for modification	C:\Windows\Branding\backup.exe	backup.exe
File opened for modification	C:\Windows\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1384	45e11c8c95e5a1557c6e2656caa87f4b6c1aa2b2895d4437db2fe1e6d1917541.exe
1136	backup.exe
704	backup.exe
1000	backup.exe
1724	backup.exe
1660	backup.exe
1100	backup.exe
1336	backup.exe
1520	backup.exe
636	backup.exe
1572	backup.exe
1008	backup.exe
1968	backup.exe
1352	backup.exe
832	backup.exe
764	backup.exe
1496	backup.exe
1504	backup.exe
2004	backup.exe
1644	backup.exe
912	backup.exe
1064	backup.exe
856	data.exe
952	backup.exe
1596	backup.exe
1680	backup.exe
1096	backup.exe
1116	backup.exe
696	backup.exe
532	backup.exe
872	backup.exe
1772	backup.exe
108	data.exe
636	backup.exe
1080	backup.exe
992	backup.exe
1964	backup.exe
1508	backup.exe
1968	backup.exe
560	backup.exe
1828	backup.exe
1332	backup.exe
1140	backup.exe
2044	backup.exe
980	backup.exe
1260	backup.exe
2004	backup.exe
1068	backup.exe
1640	backup.exe
1972	update.exe
1056	backup.exe
908	System Restore.exe
1712	backup.exe
1668	backup.exe
1636	backup.exe
1680	backup.exe
1544	backup.exe
1288	backup.exe
800	backup.exe
984	backup.exe
988	backup.exe
868	backup.exe
108	System Restore.exe
1416	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1384 wrote to memory of 1136	1384	45e11c8c95e5a1557c6e2656caa87f4b6c1aa2b2895d4437db2fe1e6d1917541.exe	26
PID 1384 wrote to memory of 1136	1384	45e11c8c95e5a1557c6e2656caa87f4b6c1aa2b2895d4437db2fe1e6d1917541.exe	26
PID 1384 wrote to memory of 1136	1384	45e11c8c95e5a1557c6e2656caa87f4b6c1aa2b2895d4437db2fe1e6d1917541.exe	26
PID 1384 wrote to memory of 1136	1384	45e11c8c95e5a1557c6e2656caa87f4b6c1aa2b2895d4437db2fe1e6d1917541.exe	26
PID 1384 wrote to memory of 704	1384	45e11c8c95e5a1557c6e2656caa87f4b6c1aa2b2895d4437db2fe1e6d1917541.exe	27
PID 1384 wrote to memory of 704	1384	45e11c8c95e5a1557c6e2656caa87f4b6c1aa2b2895d4437db2fe1e6d1917541.exe	27
PID 1384 wrote to memory of 704	1384	45e11c8c95e5a1557c6e2656caa87f4b6c1aa2b2895d4437db2fe1e6d1917541.exe	27
PID 1384 wrote to memory of 704	1384	45e11c8c95e5a1557c6e2656caa87f4b6c1aa2b2895d4437db2fe1e6d1917541.exe	27
PID 1384 wrote to memory of 1000	1384	45e11c8c95e5a1557c6e2656caa87f4b6c1aa2b2895d4437db2fe1e6d1917541.exe	28
PID 1384 wrote to memory of 1000	1384	45e11c8c95e5a1557c6e2656caa87f4b6c1aa2b2895d4437db2fe1e6d1917541.exe	28
PID 1384 wrote to memory of 1000	1384	45e11c8c95e5a1557c6e2656caa87f4b6c1aa2b2895d4437db2fe1e6d1917541.exe	28
PID 1384 wrote to memory of 1000	1384	45e11c8c95e5a1557c6e2656caa87f4b6c1aa2b2895d4437db2fe1e6d1917541.exe	28
PID 1384 wrote to memory of 1724	1384	45e11c8c95e5a1557c6e2656caa87f4b6c1aa2b2895d4437db2fe1e6d1917541.exe	29
PID 1384 wrote to memory of 1724	1384	45e11c8c95e5a1557c6e2656caa87f4b6c1aa2b2895d4437db2fe1e6d1917541.exe	29
PID 1384 wrote to memory of 1724	1384	45e11c8c95e5a1557c6e2656caa87f4b6c1aa2b2895d4437db2fe1e6d1917541.exe	29
PID 1384 wrote to memory of 1724	1384	45e11c8c95e5a1557c6e2656caa87f4b6c1aa2b2895d4437db2fe1e6d1917541.exe	29
PID 1136 wrote to memory of 1660	1136	backup.exe	30
PID 1136 wrote to memory of 1660	1136	backup.exe	30
PID 1136 wrote to memory of 1660	1136	backup.exe	30
PID 1136 wrote to memory of 1660	1136	backup.exe	30
PID 1384 wrote to memory of 1100	1384	45e11c8c95e5a1557c6e2656caa87f4b6c1aa2b2895d4437db2fe1e6d1917541.exe	31
PID 1384 wrote to memory of 1100	1384	45e11c8c95e5a1557c6e2656caa87f4b6c1aa2b2895d4437db2fe1e6d1917541.exe	31
PID 1384 wrote to memory of 1100	1384	45e11c8c95e5a1557c6e2656caa87f4b6c1aa2b2895d4437db2fe1e6d1917541.exe	31
PID 1384 wrote to memory of 1100	1384	45e11c8c95e5a1557c6e2656caa87f4b6c1aa2b2895d4437db2fe1e6d1917541.exe	31
PID 1660 wrote to memory of 1336	1660	backup.exe	32
PID 1660 wrote to memory of 1336	1660	backup.exe	32
PID 1660 wrote to memory of 1336	1660	backup.exe	32
PID 1660 wrote to memory of 1336	1660	backup.exe	32
PID 1384 wrote to memory of 1520	1384	45e11c8c95e5a1557c6e2656caa87f4b6c1aa2b2895d4437db2fe1e6d1917541.exe	33
PID 1384 wrote to memory of 1520	1384	45e11c8c95e5a1557c6e2656caa87f4b6c1aa2b2895d4437db2fe1e6d1917541.exe	33
PID 1384 wrote to memory of 1520	1384	45e11c8c95e5a1557c6e2656caa87f4b6c1aa2b2895d4437db2fe1e6d1917541.exe	33
PID 1384 wrote to memory of 1520	1384	45e11c8c95e5a1557c6e2656caa87f4b6c1aa2b2895d4437db2fe1e6d1917541.exe	33
PID 1336 wrote to memory of 636	1336	backup.exe	34
PID 1336 wrote to memory of 636	1336	backup.exe	34
PID 1336 wrote to memory of 636	1336	backup.exe	34
PID 1336 wrote to memory of 636	1336	backup.exe	34
PID 1384 wrote to memory of 1572	1384	45e11c8c95e5a1557c6e2656caa87f4b6c1aa2b2895d4437db2fe1e6d1917541.exe	35
PID 1384 wrote to memory of 1572	1384	45e11c8c95e5a1557c6e2656caa87f4b6c1aa2b2895d4437db2fe1e6d1917541.exe	35
PID 1384 wrote to memory of 1572	1384	45e11c8c95e5a1557c6e2656caa87f4b6c1aa2b2895d4437db2fe1e6d1917541.exe	35
PID 1384 wrote to memory of 1572	1384	45e11c8c95e5a1557c6e2656caa87f4b6c1aa2b2895d4437db2fe1e6d1917541.exe	35
PID 1660 wrote to memory of 1008	1660	backup.exe	36
PID 1660 wrote to memory of 1008	1660	backup.exe	36
PID 1660 wrote to memory of 1008	1660	backup.exe	36
PID 1660 wrote to memory of 1008	1660	backup.exe	36
PID 1008 wrote to memory of 1968	1008	backup.exe	37
PID 1008 wrote to memory of 1968	1008	backup.exe	37
PID 1008 wrote to memory of 1968	1008	backup.exe	37
PID 1008 wrote to memory of 1968	1008	backup.exe	37
PID 1968 wrote to memory of 1352	1968	backup.exe	38
PID 1968 wrote to memory of 1352	1968	backup.exe	38
PID 1968 wrote to memory of 1352	1968	backup.exe	38
PID 1968 wrote to memory of 1352	1968	backup.exe	38
PID 1008 wrote to memory of 832	1008	backup.exe	39
PID 1008 wrote to memory of 832	1008	backup.exe	39
PID 1008 wrote to memory of 832	1008	backup.exe	39
PID 1008 wrote to memory of 832	1008	backup.exe	39
PID 832 wrote to memory of 764	832	backup.exe	40
PID 832 wrote to memory of 764	832	backup.exe	40
PID 832 wrote to memory of 764	832	backup.exe	40
PID 832 wrote to memory of 764	832	backup.exe	40
PID 764 wrote to memory of 1496	764	backup.exe	41
PID 764 wrote to memory of 1496	764	backup.exe	41
PID 764 wrote to memory of 1496	764	backup.exe	41
PID 764 wrote to memory of 1496	764	backup.exe	41

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe

C:\Users\Admin\AppData\Local\Temp\45e11c8c95e5a1557c6e2656caa87f4b6c1aa2b2895d4437db2fe1e6d1917541.exe
"C:\Users\Admin\AppData\Local\Temp\45e11c8c95e5a1557c6e2656caa87f4b6c1aa2b2895d4437db2fe1e6d1917541.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1384
- C:\Users\Admin\AppData\Local\Temp\1902929976\backup.exe
  C:\Users\Admin\AppData\Local\Temp\1902929976\backup.exe C:\Users\Admin\AppData\Local\Temp\1902929976\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1136
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:1660
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1336
    - - C:\PerfLogs\Admin\backup.exe
        
        C:\PerfLogs\Admin\backup.exe C:\PerfLogs\Admin\
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:636
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1008
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1968
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1352
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:832
      - C:\Program Files\Common Files\Microsoft Shared\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\backup.exe" C:\Program Files\Common Files\Microsoft Shared\
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:764
        
        C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1496
        
        C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1504
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2004
        
        C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1644
        
        C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:912
        
        C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1064
        
        C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:856
        
        C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:952
        
        C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1596
        
        C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1680
        
        C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1096
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1116
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:696
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:532
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:872
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:108
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1508
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1332
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:980
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1068
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:908
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1680
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\
        9⤵
        System policy modification
        
        PID:1356
        
        C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:308
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1644
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\
        8⤵
        
        PID:1320
        
        C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\
        8⤵
        
        PID:272
        
        C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\
        8⤵
        System policy modification
        
        PID:1720
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\
        8⤵
        
        PID:1564
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\
        8⤵
        
        PID:2040
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\
        8⤵
        
        PID:2052
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\
        8⤵
        
        PID:2156
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\
        8⤵
        
        PID:2304
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\
        8⤵
        
        PID:2464
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1288
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\
        8⤵
        
        PID:1072
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\
        8⤵
        
        PID:784
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1176
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1752
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\
        8⤵
        System policy modification
        
        PID:1372
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\
        8⤵
        System policy modification
        
        PID:1740
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
        7⤵
        
        PID:1276
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\
        8⤵
        System policy modification
        
        PID:832
        
        C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
        7⤵
        System policy modification
        
        PID:1952
        
        C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\
        7⤵
        
        PID:880
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\
        7⤵
        
        PID:1656
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\
        7⤵
        
        PID:1452
        
        C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VC\
        7⤵
        
        PID:2192
        
        C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VGX\
        7⤵
        
        PID:2280
        
        C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\
        7⤵
        
        PID:2456
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1968
      - C:\Program Files\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\backup.exe" C:\Program Files\Common Files\SpeechEngines\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1140
        
        C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files\Common Files\SpeechEngines\Microsoft\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1640
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1668
        
        C:\Program Files\Common Files\System\ado\backup.exe
        
        "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:984
        
        C:\Program Files\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
        8⤵
        
        PID:1164
        
        C:\Program Files\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1892
        
        C:\Program Files\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:880
        
        C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
        8⤵
        
        PID:1520
        
        C:\Program Files\Common Files\System\ado\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1820
        
        C:\Program Files\Common Files\System\ado\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:628
        
        C:\Program Files\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:908
        
        C:\Program Files\Common Files\System\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1544
        
        C:\Program Files\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1812
        
        C:\Program Files\Common Files\System\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\fr-FR\backup.exe" C:\Program Files\Common Files\System\fr-FR\
        7⤵
        System policy modification
        
        PID:1640
        
        C:\Program Files\Common Files\System\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\it-IT\backup.exe" C:\Program Files\Common Files\System\it-IT\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1744
        
        C:\Program Files\Common Files\System\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ja-JP\backup.exe" C:\Program Files\Common Files\System\ja-JP\
        7⤵
        
        PID:1088
        
        C:\Program Files\Common Files\System\msadc\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\backup.exe" C:\Program Files\Common Files\System\msadc\
        7⤵
        
        PID:1820
        
        C:\Program Files\Common Files\System\Ole DB\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\backup.exe" C:\Program Files\Common Files\System\Ole DB\
        7⤵
        
        PID:1580
    - - C:\Program Files\DVD Maker\backup.exe
        
        "C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:992
      - C:\Program Files\DVD Maker\de-DE\backup.exe
        
        "C:\Program Files\DVD Maker\de-DE\backup.exe" C:\Program Files\DVD Maker\de-DE\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1828
      - C:\Program Files\DVD Maker\en-US\backup.exe
        
        "C:\Program Files\DVD Maker\en-US\backup.exe" C:\Program Files\DVD Maker\en-US\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2044
      - C:\Program Files\DVD Maker\es-ES\update.exe
        
        "C:\Program Files\DVD Maker\es-ES\update.exe" C:\Program Files\DVD Maker\es-ES\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1972
      - C:\Program Files\DVD Maker\fr-FR\backup.exe
        
        "C:\Program Files\DVD Maker\fr-FR\backup.exe" C:\Program Files\DVD Maker\fr-FR\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1056
      - C:\Program Files\DVD Maker\it-IT\backup.exe
        
        "C:\Program Files\DVD Maker\it-IT\backup.exe" C:\Program Files\DVD Maker\it-IT\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1636
      - C:\Program Files\DVD Maker\ja-JP\backup.exe
        
        "C:\Program Files\DVD Maker\ja-JP\backup.exe" C:\Program Files\DVD Maker\ja-JP\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:800
      - C:\Program Files\DVD Maker\Shared\System Restore.exe
        
        "C:\Program Files\DVD Maker\Shared\System Restore.exe" C:\Program Files\DVD Maker\Shared\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:108
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:432
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1732
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\
        8⤵
        System policy modification
        
        PID:1648
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:776
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Full\
        8⤵
        System policy modification
        
        PID:968
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\
        8⤵
        System policy modification
        
        PID:280
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\
        8⤵
        
        PID:1636
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\
        8⤵
        
        PID:1600
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1900
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\
        8⤵
        
        PID:760
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\
        8⤵
        
        PID:1824
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Push\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Push\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Push\
        8⤵
        
        PID:2172
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\System Restore.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\System Restore.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\
        8⤵
        
        PID:2312
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\
        8⤵
        
        PID:2488
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        
        PID:1388
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1508
      - C:\Program Files\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files\Internet Explorer\de-DE\backup.exe" C:\Program Files\Internet Explorer\de-DE\
        6⤵
        
        PID:1640
      - C:\Program Files\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files\Internet Explorer\en-US\backup.exe" C:\Program Files\Internet Explorer\en-US\
        6⤵
        
        PID:1744
      - C:\Program Files\Internet Explorer\es-ES\System Restore.exe
        
        "C:\Program Files\Internet Explorer\es-ES\System Restore.exe" C:\Program Files\Internet Explorer\es-ES\
        6⤵
        
        PID:2148
      - C:\Program Files\Internet Explorer\fr-FR\backup.exe
        
        "C:\Program Files\Internet Explorer\fr-FR\backup.exe" C:\Program Files\Internet Explorer\fr-FR\
        6⤵
        
        PID:2320
      - C:\Program Files\Internet Explorer\images\backup.exe
        
        "C:\Program Files\Internet Explorer\images\backup.exe" C:\Program Files\Internet Explorer\images\
        6⤵
        
        PID:2480
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        
        PID:2000
    - - C:\Program Files\Microsoft Games\backup.exe
        
        "C:\Program Files\Microsoft Games\backup.exe" C:\Program Files\Microsoft Games\
        5⤵
        
        PID:992
    - - C:\Program Files\Microsoft Office\backup.exe
        
        "C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
        5⤵
        
        PID:1476
    - - C:\Program Files\Mozilla Firefox\backup.exe
        
        "C:\Program Files\Mozilla Firefox\backup.exe" C:\Program Files\Mozilla Firefox\
        5⤵
        
        PID:2200
    - - C:\Program Files\MSBuild\backup.exe
        
        "C:\Program Files\MSBuild\backup.exe" C:\Program Files\MSBuild\
        5⤵
        
        PID:2356
    - - C:\Program Files\Reference Assemblies\backup.exe
        
        "C:\Program Files\Reference Assemblies\backup.exe" C:\Program Files\Reference Assemblies\
        5⤵
        
        PID:2472
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      PID:1772
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:636
      - C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1080
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1964
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:560
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1260
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2004
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1712
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1544
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:988
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:868
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1416
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\
        9⤵
        System policy modification
        
        PID:592
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\
        8⤵
        
        PID:272
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\
        8⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:952
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\
        9⤵
        
        PID:988
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1656
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\data.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\data.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\
        9⤵
        
        PID:1264
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1748
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\
        11⤵
        
        PID:1892
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\
        9⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:1320
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\
        10⤵
        
        PID:1988
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\
        9⤵
        
        PID:636
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\
        8⤵
        
        PID:1332
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\
        9⤵
        
        PID:1628
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\
        8⤵
        
        PID:1164
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\
        8⤵
        
        PID:280
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\
        7⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:588
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\
        8⤵
        Drops file in Program Files directory
        
        PID:1244
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\
        9⤵
        System policy modification
        
        PID:1768
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\
        8⤵
        
        PID:1544
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\
        8⤵
        
        PID:856
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\data.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\data.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\
        8⤵
        
        PID:1068
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\
        8⤵
        
        PID:1984
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:572
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1792
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:1492
      - C:\Program Files (x86)\Common Files\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
        6⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:544
        
        C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\
        7⤵
        System policy modification
        
        PID:584
        
        C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\
        7⤵
        System policy modification
        
        PID:2040
        
        C:\Program Files (x86)\Common Files\Adobe\Help\en_US\data.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\en_US\data.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\
        8⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:1644
        
        C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\
        9⤵
        
        PID:1532
        
        C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Updater6\
        7⤵
        
        PID:776
      - C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\
        6⤵
        Drops file in Program Files directory
        
        PID:1828
        
        C:\Program Files (x86)\Common Files\Adobe AIR\Versions\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\Versions\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\Versions\
        7⤵
        
        PID:832
      - C:\Program Files (x86)\Common Files\DESIGNER\update.exe
        
        "C:\Program Files (x86)\Common Files\DESIGNER\update.exe" C:\Program Files (x86)\Common Files\DESIGNER\
        6⤵
        
        PID:1372
      - C:\Program Files (x86)\Common Files\microsoft shared\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\System Restore.exe" C:\Program Files (x86)\Common Files\microsoft shared\
        6⤵
        
        PID:1908
      - C:\Program Files (x86)\Common Files\Services\backup.exe
        
        "C:\Program Files (x86)\Common Files\Services\backup.exe" C:\Program Files (x86)\Common Files\Services\
        6⤵
        
        PID:1560
      - C:\Program Files (x86)\Common Files\SpeechEngines\update.exe
        
        "C:\Program Files (x86)\Common Files\SpeechEngines\update.exe" C:\Program Files (x86)\Common Files\SpeechEngines\
        6⤵
        
        PID:2164
      - C:\Program Files (x86)\Common Files\System\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\backup.exe" C:\Program Files (x86)\Common Files\System\
        6⤵
        
        PID:2296
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:108
      - C:\Program Files (x86)\Google\CrashReports\backup.exe
        
        "C:\Program Files (x86)\Google\CrashReports\backup.exe" C:\Program Files (x86)\Google\CrashReports\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1776
      - C:\Program Files (x86)\Google\Policies\backup.exe
        
        "C:\Program Files (x86)\Google\Policies\backup.exe" C:\Program Files (x86)\Google\Policies\
        6⤵
        
        PID:452
      - C:\Program Files (x86)\Google\Temp\backup.exe
        
        "C:\Program Files (x86)\Google\Temp\backup.exe" C:\Program Files (x86)\Google\Temp\
        6⤵
        
        PID:672
      - C:\Program Files (x86)\Google\Update\backup.exe
        
        "C:\Program Files (x86)\Google\Update\backup.exe" C:\Program Files (x86)\Google\Update\
        6⤵
        
        PID:2124
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:584
      - C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe" C:\Program Files (x86)\Internet Explorer\de-DE\
        6⤵
        
        PID:2236
      - C:\Program Files (x86)\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\en-US\backup.exe" C:\Program Files (x86)\Internet Explorer\en-US\
        6⤵
        
        PID:2376
    - - C:\Program Files (x86)\Microsoft Analysis Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\
        5⤵
        
        PID:1432
    - - C:\Program Files (x86)\Microsoft Office\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\backup.exe" C:\Program Files (x86)\Microsoft Office\
        5⤵
        
        PID:1600
    - - C:\Program Files (x86)\Microsoft SQL Server Compact Edition\System Restore.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\System Restore.exe" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\
        5⤵
        
        PID:2180
    - - C:\Program Files (x86)\Microsoft Sync Framework\backup.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\backup.exe" C:\Program Files (x86)\Microsoft Sync Framework\
        5⤵
        
        PID:2272
    - - C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe" C:\Program Files (x86)\Microsoft Synchronization Services\
        5⤵
        
        PID:2420
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:1260
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:540
      - C:\Users\Admin\Contacts\backup.exe
        
        C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
        6⤵
        
        PID:1580
      - C:\Users\Admin\Desktop\backup.exe
        
        C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
        6⤵
        
        PID:1776
      - C:\Users\Admin\Documents\data.exe
        
        C:\Users\Admin\Documents\data.exe C:\Users\Admin\Documents\
        6⤵
        System policy modification
        
        PID:1596
      - C:\Users\Admin\Downloads\backup.exe
        
        C:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\
        6⤵
        
        PID:592
      - C:\Users\Admin\Favorites\backup.exe
        
        C:\Users\Admin\Favorites\backup.exe C:\Users\Admin\Favorites\
        6⤵
        
        PID:980
      - C:\Users\Admin\Links\backup.exe
        
        C:\Users\Admin\Links\backup.exe C:\Users\Admin\Links\
        6⤵
        
        PID:908
      - C:\Users\Admin\Music\backup.exe
        
        C:\Users\Admin\Music\backup.exe C:\Users\Admin\Music\
        6⤵
        
        PID:2016
      - C:\Users\Admin\Pictures\backup.exe
        
        C:\Users\Admin\Pictures\backup.exe C:\Users\Admin\Pictures\
        6⤵
        
        PID:2132
      - C:\Users\Admin\Saved Games\backup.exe
        
        "C:\Users\Admin\Saved Games\backup.exe" C:\Users\Admin\Saved Games\
        6⤵
        
        PID:2244
      - C:\Users\Admin\Searches\backup.exe
        
        C:\Users\Admin\Searches\backup.exe C:\Users\Admin\Searches\
        6⤵
        
        PID:2400
    - - C:\Users\Public\backup.exe
        
        C:\Users\Public\backup.exe C:\Users\Public\
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:868
      - C:\Users\Public\Documents\backup.exe
        
        C:\Users\Public\Documents\backup.exe C:\Users\Public\Documents\
        6⤵
        
        PID:1288
      - C:\Users\Public\Downloads\backup.exe
        
        C:\Users\Public\Downloads\backup.exe C:\Users\Public\Downloads\
        6⤵
        
        PID:400
      - C:\Users\Public\Music\backup.exe
        
        C:\Users\Public\Music\backup.exe C:\Users\Public\Music\
        6⤵
        
        PID:1052
      - C:\Users\Public\Pictures\backup.exe
        
        C:\Users\Public\Pictures\backup.exe C:\Users\Public\Pictures\
        6⤵
        
        PID:2096
      - C:\Users\Public\Recorded TV\backup.exe
        
        "C:\Users\Public\Recorded TV\backup.exe" C:\Users\Public\Recorded TV\
        6⤵
        
        PID:2328
      - C:\Users\Public\Videos\backup.exe
        
        C:\Users\Public\Videos\backup.exe C:\Users\Public\Videos\
        6⤵
        
        PID:2412
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      Modifies visibility of file extensions in Explorer
      Drops file in Windows directory
      System policy modification
      PID:800
    - - C:\Windows\addins\update.exe
        
        C:\Windows\addins\update.exe C:\Windows\addins\
        5⤵
        
        PID:1100
    - - C:\Windows\AppCompat\backup.exe
        
        C:\Windows\AppCompat\backup.exe C:\Windows\AppCompat\
        5⤵
        
        PID:964
    - - C:\Windows\AppPatch\backup.exe
        
        C:\Windows\AppPatch\backup.exe C:\Windows\AppPatch\
        5⤵
        
        PID:1064
    - - C:\Windows\assembly\backup.exe
        
        C:\Windows\assembly\backup.exe C:\Windows\assembly\
        5⤵
        
        PID:2140
    - - C:\Windows\Branding\backup.exe
        
        C:\Windows\Branding\backup.exe C:\Windows\Branding\
        5⤵
        
        PID:2288
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:704
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1000
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1724
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1100
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1520
- C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
  C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1572

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
e80ce0b7aca6b875abc9941c8e21af72

SHA1
fe13b66043fd4d6ffe2089ef3f9a511a424f81e1

SHA256
f4568063d0702a0ef8fe96b7e0dedd55dc4a7ce5ab2d372f4ab9009881b97926

SHA512
1ebee13c0bcd16e84362302c9622172cfc7de6cc76bfc9a055c4fd40a73dd7760913d4a6b042c39120d72e923121f9533374979032d65c0f7688065a91974c0e

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
96b860fffe8dbfa6aa81a4ae90f04c1c

SHA1
42048ac81b49d8e5fefad6f03af3855ec6f7fbfe

SHA256
bd0b9d57b17efbb8730d983e70590c1e95776f54d207eb6020e5fb5ce56515c8

SHA512
1d561f9d281d99219f6ab92e31937da5e0b8b4fa6b981a85ba0919e9305b3c9e966e3ef7cb693f6b36eec84cb26e40f324b4228dbe2e4b489d9e9a8f90f8c81f

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
96b860fffe8dbfa6aa81a4ae90f04c1c

SHA1
42048ac81b49d8e5fefad6f03af3855ec6f7fbfe

SHA256
bd0b9d57b17efbb8730d983e70590c1e95776f54d207eb6020e5fb5ce56515c8

SHA512
1d561f9d281d99219f6ab92e31937da5e0b8b4fa6b981a85ba0919e9305b3c9e966e3ef7cb693f6b36eec84cb26e40f324b4228dbe2e4b489d9e9a8f90f8c81f

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
2a056d9deb0e655cf959be0519c5673c

SHA1
94fac1ee26024ad288c21aa6cabaab9adab663fd

SHA256
cf24840cf03c2b3c76debaafe721ff8fa218bc3e55554b00b6903c04d3daf4d1

SHA512
c73430776c58a586ec29d1d0d7a65d8e020bb65732eacc3d00644a569977eed50a72a443809f67a616c9e437b23d2acb38d014893ebfb31b67dbae538532cae6

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
5b8f69eded0c37488e6c85959d00ee96

SHA1
79bf2e349091ffefda7b57a38af2bae0ad491247

SHA256
82e33204c2ab4fbf583f1b45315c1043fb24abbeb81ac1e3b6ce2017ce1e50ff

SHA512
721e7606c7fbf6f36d62e1ae41ec101d68a5faeefe7a5cce722f13e1968686344743d373617e67417b20b9ba20266684ba9b83309d95825780070e427f72bcfc

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
5b8f69eded0c37488e6c85959d00ee96

SHA1
79bf2e349091ffefda7b57a38af2bae0ad491247

SHA256
82e33204c2ab4fbf583f1b45315c1043fb24abbeb81ac1e3b6ce2017ce1e50ff

SHA512
721e7606c7fbf6f36d62e1ae41ec101d68a5faeefe7a5cce722f13e1968686344743d373617e67417b20b9ba20266684ba9b83309d95825780070e427f72bcfc

Download Submit
C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
78cd4f93922b5ec32abb1a30de9db4e0

SHA1
849878fd5c242a14250fe28821fa946e48195f33

SHA256
8d5e44c093dc7bd453a75902435dbea6d2c4d99ca1efae8e9a81172e4ed8de89

SHA512
905777ea6aa171290ce68abc11001a82ead4c8d0e3464dfef2f5e61b70516b626fcc888de033729c85a7b180a57dba0e616463a665198b8376a955f332fc3ebf

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
50dcd80fc73234aabc6d7956a7a84fc5

SHA1
7d5b9defecd1964a2e8882402a495f1ef3f0ce9f

SHA256
6a1abd45c91ef46dab3b553c88363a20d50b6b4989dcc0cb066df31b03ffe41a

SHA512
47ae8d57be00eb90210b197c2b56fb12494efddf393cb3c4e6f418ae20015e83f8bb1c148f22f5689bce98533f50e46a071112de97b0b6e6a6fcdb614e3be7e5

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
50dcd80fc73234aabc6d7956a7a84fc5

SHA1
7d5b9defecd1964a2e8882402a495f1ef3f0ce9f

SHA256
6a1abd45c91ef46dab3b553c88363a20d50b6b4989dcc0cb066df31b03ffe41a

SHA512
47ae8d57be00eb90210b197c2b56fb12494efddf393cb3c4e6f418ae20015e83f8bb1c148f22f5689bce98533f50e46a071112de97b0b6e6a6fcdb614e3be7e5

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
2c14f5b8fa1bf9d1f4200fe6832e18b8

SHA1
addd769141f81456d9c81497a3abb585e558f4db

SHA256
0283d37afa83997e9b2b3326e90241f697151f80e79a2e92cb04e8b488b85f26

SHA512
a1824abc54b56653249bcad11d64fcddb023b0d7f6df60bb7d4d2a0a9f71897a6b78edae4099f8486a4f94338a2d1c92bf1109f82bab57687ab901310c599db4

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
c7d50f0e2c7151a445db4fb58b7cba0a

SHA1
e60c3914d6f2d0edfec87dbcf785110aae073851

SHA256
e7923e8107a5f5e040b30de6ae2d2c0f5c06018794000d7bfccc15df42b5249f

SHA512
e42b394a27ec4c269ca4436571c2a463509722631361d8dc011e4a2413244190e728b7c74396756b9f6e44767b9df424016ad2ef902b7e214c1401a6833c3ad2

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
c7d50f0e2c7151a445db4fb58b7cba0a

SHA1
e60c3914d6f2d0edfec87dbcf785110aae073851

SHA256
e7923e8107a5f5e040b30de6ae2d2c0f5c06018794000d7bfccc15df42b5249f

SHA512
e42b394a27ec4c269ca4436571c2a463509722631361d8dc011e4a2413244190e728b7c74396756b9f6e44767b9df424016ad2ef902b7e214c1401a6833c3ad2

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
2c14f5b8fa1bf9d1f4200fe6832e18b8

SHA1
addd769141f81456d9c81497a3abb585e558f4db

SHA256
0283d37afa83997e9b2b3326e90241f697151f80e79a2e92cb04e8b488b85f26

SHA512
a1824abc54b56653249bcad11d64fcddb023b0d7f6df60bb7d4d2a0a9f71897a6b78edae4099f8486a4f94338a2d1c92bf1109f82bab57687ab901310c599db4

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
e661a21959a4d7f4cf30b3acd566e646

SHA1
45bbada16d7455532fd7af9b62847cf765095450

SHA256
cf6159af92a328383e4cfc4a4a9b7249119418e33e6a5ed08256ef629e7044f1

SHA512
992a2de5d6e2dfd3bcde58cb39a22ab571543138cccb715caae3b5b5ce8f7a74e295c01905d6551a562abea2c5218991e5b1819b09f5b4df6a5394b6552b9fe1

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
e661a21959a4d7f4cf30b3acd566e646

SHA1
45bbada16d7455532fd7af9b62847cf765095450

SHA256
cf6159af92a328383e4cfc4a4a9b7249119418e33e6a5ed08256ef629e7044f1

SHA512
992a2de5d6e2dfd3bcde58cb39a22ab571543138cccb715caae3b5b5ce8f7a74e295c01905d6551a562abea2c5218991e5b1819b09f5b4df6a5394b6552b9fe1

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
4b2de71ab8b3bc1e490dd53372ef11b4

SHA1
47fb65e0da1785b8c4febbd9d566aeb08b7ab807

SHA256
b2fe416f661556fa7a4b7d4eeb419a1c105dbc2e7ecbb93720e7abf285e5ebd5

SHA512
4bb487a89f00bbd7f2cf521279d41990e6c64ab7e2029321de5f43e27503017fd3fa28acb7ea0b4c1787cd109df6afd4885be223ecb4482e4b725f345d112dd1

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
4b2de71ab8b3bc1e490dd53372ef11b4

SHA1
47fb65e0da1785b8c4febbd9d566aeb08b7ab807

SHA256
b2fe416f661556fa7a4b7d4eeb419a1c105dbc2e7ecbb93720e7abf285e5ebd5

SHA512
4bb487a89f00bbd7f2cf521279d41990e6c64ab7e2029321de5f43e27503017fd3fa28acb7ea0b4c1787cd109df6afd4885be223ecb4482e4b725f345d112dd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1902929976\backup.exe

Filesize
72KB

MD5
5c937cb8892b31b13ad689b5298dd01e

SHA1
b4eeda1127a8dc3bc1e96d474000f7b8318e1bec

SHA256
5e5ba14cb242148d1dd0285c235d725fb227e92844cf2eac1568c3d27c57c6f6

SHA512
2d5d07e96d8024bf9553afbd9a337f83e07ec226c174ee282abda56e42c52291da42b6d61445eb509cc13dea4bb1a7bce098dc39c26889800a772763fca05d75

Download Submit
C:\Users\Admin\AppData\Local\Temp\1902929976\backup.exe

Filesize
72KB

MD5
5c937cb8892b31b13ad689b5298dd01e

SHA1
b4eeda1127a8dc3bc1e96d474000f7b8318e1bec

SHA256
5e5ba14cb242148d1dd0285c235d725fb227e92844cf2eac1568c3d27c57c6f6

SHA512
2d5d07e96d8024bf9553afbd9a337f83e07ec226c174ee282abda56e42c52291da42b6d61445eb509cc13dea4bb1a7bce098dc39c26889800a772763fca05d75

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
85de3bca8bd46fee0aed38f58b6e80bb

SHA1
b2733a8dc8806e35fa9d8face8358052a87b7979

SHA256
0c8c5cbc275df7264a9917f5d9f14a049c96b096e13db6f59ea3a895219fd60d

SHA512
6b909ae3cf29f8925e6798b0abab4144d7cee8df65abf547aa48de5d82f1a1f315b94e190c5b540ea5d77ea5bd83714d5718233c919977debf8794a969814807

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
85de3bca8bd46fee0aed38f58b6e80bb

SHA1
b2733a8dc8806e35fa9d8face8358052a87b7979

SHA256
0c8c5cbc275df7264a9917f5d9f14a049c96b096e13db6f59ea3a895219fd60d

SHA512
6b909ae3cf29f8925e6798b0abab4144d7cee8df65abf547aa48de5d82f1a1f315b94e190c5b540ea5d77ea5bd83714d5718233c919977debf8794a969814807

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
85de3bca8bd46fee0aed38f58b6e80bb

SHA1
b2733a8dc8806e35fa9d8face8358052a87b7979

SHA256
0c8c5cbc275df7264a9917f5d9f14a049c96b096e13db6f59ea3a895219fd60d

SHA512
6b909ae3cf29f8925e6798b0abab4144d7cee8df65abf547aa48de5d82f1a1f315b94e190c5b540ea5d77ea5bd83714d5718233c919977debf8794a969814807

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
cf63bb4acf56cd3dc7637f364e39a22a

SHA1
0f3f1d7caaa55dabb05fa599a4c57bd884c20b2d

SHA256
0c0af6d991d693ab0890a2164759bd7f00cadfc47aaa37890c60508b8974d991

SHA512
16c9be22482aea1d2d45ac06b3547c2d3cf0293ef863d4b5e7679bdacb2a3ca3e777e9fa4f59ec446b4ec350b45fa5a8f44059f8e3aec2ef0c2c184946e824e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
7dee315a93ddf10005351bf27013df32

SHA1
edc7b3ea5df65d515c5ff2fcc23fbef86eba5f45

SHA256
2af450e4366d516152032d21231ba5063b36545570b6945d0acf2ed9a5ba859c

SHA512
1e329eb1fa5f82989b416c7d891ee169a40514f509546dc09ef70fed7c6022d1fcbc8e5d02f6090c928b04bc147d1bbd5e4be26972496f5261f32c855b2d76ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
a640d3953e7696c91daf45eb5b0ea39c

SHA1
6106042089fe77506fe2c90c3855b79c0a44359d

SHA256
d2511c382403489809dd034ee0976618e4d09e4ee8f416ce2d9b299c8fea785d

SHA512
6c79cbda14ef838ed9cc802dac7fb67c365e5e4509269857457f15d873f009ff82364958252e0419eb3df71aed2fd74d4c5a2d58006f80cb5a0a48156d34c676

Download Submit
C:\backup.exe

Filesize
72KB

MD5
7708774c82f1f97cc485d1ed4c21e9ff

SHA1
a7e1e1fca13cacc02b58de1f46157772c2d03487

SHA256
beec935590fca34b53f617dea400098677ae95cffc0b32c544344fac25d555be

SHA512
9670682ada05c74e0843280b4c80735665e6eef6e0e6c42a5f311bb8808204a5e79fe9730487154ff8a35e6585b769a61bd2cbee931c9fb4ccc39e2fd2faef3d

Download Submit
C:\backup.exe

Filesize
72KB

MD5
7708774c82f1f97cc485d1ed4c21e9ff

SHA1
a7e1e1fca13cacc02b58de1f46157772c2d03487

SHA256
beec935590fca34b53f617dea400098677ae95cffc0b32c544344fac25d555be

SHA512
9670682ada05c74e0843280b4c80735665e6eef6e0e6c42a5f311bb8808204a5e79fe9730487154ff8a35e6585b769a61bd2cbee931c9fb4ccc39e2fd2faef3d

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
e80ce0b7aca6b875abc9941c8e21af72

SHA1
fe13b66043fd4d6ffe2089ef3f9a511a424f81e1

SHA256
f4568063d0702a0ef8fe96b7e0dedd55dc4a7ce5ab2d372f4ab9009881b97926

SHA512
1ebee13c0bcd16e84362302c9622172cfc7de6cc76bfc9a055c4fd40a73dd7760913d4a6b042c39120d72e923121f9533374979032d65c0f7688065a91974c0e

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
e80ce0b7aca6b875abc9941c8e21af72

SHA1
fe13b66043fd4d6ffe2089ef3f9a511a424f81e1

SHA256
f4568063d0702a0ef8fe96b7e0dedd55dc4a7ce5ab2d372f4ab9009881b97926

SHA512
1ebee13c0bcd16e84362302c9622172cfc7de6cc76bfc9a055c4fd40a73dd7760913d4a6b042c39120d72e923121f9533374979032d65c0f7688065a91974c0e

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
96b860fffe8dbfa6aa81a4ae90f04c1c

SHA1
42048ac81b49d8e5fefad6f03af3855ec6f7fbfe

SHA256
bd0b9d57b17efbb8730d983e70590c1e95776f54d207eb6020e5fb5ce56515c8

SHA512
1d561f9d281d99219f6ab92e31937da5e0b8b4fa6b981a85ba0919e9305b3c9e966e3ef7cb693f6b36eec84cb26e40f324b4228dbe2e4b489d9e9a8f90f8c81f

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
96b860fffe8dbfa6aa81a4ae90f04c1c

SHA1
42048ac81b49d8e5fefad6f03af3855ec6f7fbfe

SHA256
bd0b9d57b17efbb8730d983e70590c1e95776f54d207eb6020e5fb5ce56515c8

SHA512
1d561f9d281d99219f6ab92e31937da5e0b8b4fa6b981a85ba0919e9305b3c9e966e3ef7cb693f6b36eec84cb26e40f324b4228dbe2e4b489d9e9a8f90f8c81f

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
2a056d9deb0e655cf959be0519c5673c

SHA1
94fac1ee26024ad288c21aa6cabaab9adab663fd

SHA256
cf24840cf03c2b3c76debaafe721ff8fa218bc3e55554b00b6903c04d3daf4d1

SHA512
c73430776c58a586ec29d1d0d7a65d8e020bb65732eacc3d00644a569977eed50a72a443809f67a616c9e437b23d2acb38d014893ebfb31b67dbae538532cae6

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
2a056d9deb0e655cf959be0519c5673c

SHA1
94fac1ee26024ad288c21aa6cabaab9adab663fd

SHA256
cf24840cf03c2b3c76debaafe721ff8fa218bc3e55554b00b6903c04d3daf4d1

SHA512
c73430776c58a586ec29d1d0d7a65d8e020bb65732eacc3d00644a569977eed50a72a443809f67a616c9e437b23d2acb38d014893ebfb31b67dbae538532cae6

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
5b8f69eded0c37488e6c85959d00ee96

SHA1
79bf2e349091ffefda7b57a38af2bae0ad491247

SHA256
82e33204c2ab4fbf583f1b45315c1043fb24abbeb81ac1e3b6ce2017ce1e50ff

SHA512
721e7606c7fbf6f36d62e1ae41ec101d68a5faeefe7a5cce722f13e1968686344743d373617e67417b20b9ba20266684ba9b83309d95825780070e427f72bcfc

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
5b8f69eded0c37488e6c85959d00ee96

SHA1
79bf2e349091ffefda7b57a38af2bae0ad491247

SHA256
82e33204c2ab4fbf583f1b45315c1043fb24abbeb81ac1e3b6ce2017ce1e50ff

SHA512
721e7606c7fbf6f36d62e1ae41ec101d68a5faeefe7a5cce722f13e1968686344743d373617e67417b20b9ba20266684ba9b83309d95825780070e427f72bcfc

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
78cd4f93922b5ec32abb1a30de9db4e0

SHA1
849878fd5c242a14250fe28821fa946e48195f33

SHA256
8d5e44c093dc7bd453a75902435dbea6d2c4d99ca1efae8e9a81172e4ed8de89

SHA512
905777ea6aa171290ce68abc11001a82ead4c8d0e3464dfef2f5e61b70516b626fcc888de033729c85a7b180a57dba0e616463a665198b8376a955f332fc3ebf

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
78cd4f93922b5ec32abb1a30de9db4e0

SHA1
849878fd5c242a14250fe28821fa946e48195f33

SHA256
8d5e44c093dc7bd453a75902435dbea6d2c4d99ca1efae8e9a81172e4ed8de89

SHA512
905777ea6aa171290ce68abc11001a82ead4c8d0e3464dfef2f5e61b70516b626fcc888de033729c85a7b180a57dba0e616463a665198b8376a955f332fc3ebf

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
50dcd80fc73234aabc6d7956a7a84fc5

SHA1
7d5b9defecd1964a2e8882402a495f1ef3f0ce9f

SHA256
6a1abd45c91ef46dab3b553c88363a20d50b6b4989dcc0cb066df31b03ffe41a

SHA512
47ae8d57be00eb90210b197c2b56fb12494efddf393cb3c4e6f418ae20015e83f8bb1c148f22f5689bce98533f50e46a071112de97b0b6e6a6fcdb614e3be7e5

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
50dcd80fc73234aabc6d7956a7a84fc5

SHA1
7d5b9defecd1964a2e8882402a495f1ef3f0ce9f

SHA256
6a1abd45c91ef46dab3b553c88363a20d50b6b4989dcc0cb066df31b03ffe41a

SHA512
47ae8d57be00eb90210b197c2b56fb12494efddf393cb3c4e6f418ae20015e83f8bb1c148f22f5689bce98533f50e46a071112de97b0b6e6a6fcdb614e3be7e5

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
2c14f5b8fa1bf9d1f4200fe6832e18b8

SHA1
addd769141f81456d9c81497a3abb585e558f4db

SHA256
0283d37afa83997e9b2b3326e90241f697151f80e79a2e92cb04e8b488b85f26

SHA512
a1824abc54b56653249bcad11d64fcddb023b0d7f6df60bb7d4d2a0a9f71897a6b78edae4099f8486a4f94338a2d1c92bf1109f82bab57687ab901310c599db4

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
2c14f5b8fa1bf9d1f4200fe6832e18b8

SHA1
addd769141f81456d9c81497a3abb585e558f4db

SHA256
0283d37afa83997e9b2b3326e90241f697151f80e79a2e92cb04e8b488b85f26

SHA512
a1824abc54b56653249bcad11d64fcddb023b0d7f6df60bb7d4d2a0a9f71897a6b78edae4099f8486a4f94338a2d1c92bf1109f82bab57687ab901310c599db4

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
c7d50f0e2c7151a445db4fb58b7cba0a

SHA1
e60c3914d6f2d0edfec87dbcf785110aae073851

SHA256
e7923e8107a5f5e040b30de6ae2d2c0f5c06018794000d7bfccc15df42b5249f

SHA512
e42b394a27ec4c269ca4436571c2a463509722631361d8dc011e4a2413244190e728b7c74396756b9f6e44767b9df424016ad2ef902b7e214c1401a6833c3ad2

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
c7d50f0e2c7151a445db4fb58b7cba0a

SHA1
e60c3914d6f2d0edfec87dbcf785110aae073851

SHA256
e7923e8107a5f5e040b30de6ae2d2c0f5c06018794000d7bfccc15df42b5249f

SHA512
e42b394a27ec4c269ca4436571c2a463509722631361d8dc011e4a2413244190e728b7c74396756b9f6e44767b9df424016ad2ef902b7e214c1401a6833c3ad2

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
2c14f5b8fa1bf9d1f4200fe6832e18b8

SHA1
addd769141f81456d9c81497a3abb585e558f4db

SHA256
0283d37afa83997e9b2b3326e90241f697151f80e79a2e92cb04e8b488b85f26

SHA512
a1824abc54b56653249bcad11d64fcddb023b0d7f6df60bb7d4d2a0a9f71897a6b78edae4099f8486a4f94338a2d1c92bf1109f82bab57687ab901310c599db4

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
2c14f5b8fa1bf9d1f4200fe6832e18b8

SHA1
addd769141f81456d9c81497a3abb585e558f4db

SHA256
0283d37afa83997e9b2b3326e90241f697151f80e79a2e92cb04e8b488b85f26

SHA512
a1824abc54b56653249bcad11d64fcddb023b0d7f6df60bb7d4d2a0a9f71897a6b78edae4099f8486a4f94338a2d1c92bf1109f82bab57687ab901310c599db4

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe

Filesize
72KB

MD5
d3f152b32af4c49c811f0e5e9385446b

SHA1
cdbd649100fe2b8490f1db9d076f00ab8e57a367

SHA256
12bb34b6c16d23d5947888abf5116333288b65de27d342258638f6810f3b965b

SHA512
8cdfd1f430e45a09b0e8d232f366c5e1052614305e31a949397d62aa8723b6fb8d1be94f9b2b4ff8edd13d64175ab3c56f5039913a0859d5ffa54909df4a2fc0

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
e661a21959a4d7f4cf30b3acd566e646

SHA1
45bbada16d7455532fd7af9b62847cf765095450

SHA256
cf6159af92a328383e4cfc4a4a9b7249119418e33e6a5ed08256ef629e7044f1

SHA512
992a2de5d6e2dfd3bcde58cb39a22ab571543138cccb715caae3b5b5ce8f7a74e295c01905d6551a562abea2c5218991e5b1819b09f5b4df6a5394b6552b9fe1

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
e661a21959a4d7f4cf30b3acd566e646

SHA1
45bbada16d7455532fd7af9b62847cf765095450

SHA256
cf6159af92a328383e4cfc4a4a9b7249119418e33e6a5ed08256ef629e7044f1

SHA512
992a2de5d6e2dfd3bcde58cb39a22ab571543138cccb715caae3b5b5ce8f7a74e295c01905d6551a562abea2c5218991e5b1819b09f5b4df6a5394b6552b9fe1

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
4b2de71ab8b3bc1e490dd53372ef11b4

SHA1
47fb65e0da1785b8c4febbd9d566aeb08b7ab807

SHA256
b2fe416f661556fa7a4b7d4eeb419a1c105dbc2e7ecbb93720e7abf285e5ebd5

SHA512
4bb487a89f00bbd7f2cf521279d41990e6c64ab7e2029321de5f43e27503017fd3fa28acb7ea0b4c1787cd109df6afd4885be223ecb4482e4b725f345d112dd1

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
4b2de71ab8b3bc1e490dd53372ef11b4

SHA1
47fb65e0da1785b8c4febbd9d566aeb08b7ab807

SHA256
b2fe416f661556fa7a4b7d4eeb419a1c105dbc2e7ecbb93720e7abf285e5ebd5

SHA512
4bb487a89f00bbd7f2cf521279d41990e6c64ab7e2029321de5f43e27503017fd3fa28acb7ea0b4c1787cd109df6afd4885be223ecb4482e4b725f345d112dd1

Download Submit
\Users\Admin\AppData\Local\Temp\1902929976\backup.exe

Filesize
72KB

MD5
5c937cb8892b31b13ad689b5298dd01e

SHA1
b4eeda1127a8dc3bc1e96d474000f7b8318e1bec

SHA256
5e5ba14cb242148d1dd0285c235d725fb227e92844cf2eac1568c3d27c57c6f6

SHA512
2d5d07e96d8024bf9553afbd9a337f83e07ec226c174ee282abda56e42c52291da42b6d61445eb509cc13dea4bb1a7bce098dc39c26889800a772763fca05d75

Download Submit
\Users\Admin\AppData\Local\Temp\1902929976\backup.exe

Filesize
72KB

MD5
5c937cb8892b31b13ad689b5298dd01e

SHA1
b4eeda1127a8dc3bc1e96d474000f7b8318e1bec

SHA256
5e5ba14cb242148d1dd0285c235d725fb227e92844cf2eac1568c3d27c57c6f6

SHA512
2d5d07e96d8024bf9553afbd9a337f83e07ec226c174ee282abda56e42c52291da42b6d61445eb509cc13dea4bb1a7bce098dc39c26889800a772763fca05d75

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
85de3bca8bd46fee0aed38f58b6e80bb

SHA1
b2733a8dc8806e35fa9d8face8358052a87b7979

SHA256
0c8c5cbc275df7264a9917f5d9f14a049c96b096e13db6f59ea3a895219fd60d

SHA512
6b909ae3cf29f8925e6798b0abab4144d7cee8df65abf547aa48de5d82f1a1f315b94e190c5b540ea5d77ea5bd83714d5718233c919977debf8794a969814807

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
85de3bca8bd46fee0aed38f58b6e80bb

SHA1
b2733a8dc8806e35fa9d8face8358052a87b7979

SHA256
0c8c5cbc275df7264a9917f5d9f14a049c96b096e13db6f59ea3a895219fd60d

SHA512
6b909ae3cf29f8925e6798b0abab4144d7cee8df65abf547aa48de5d82f1a1f315b94e190c5b540ea5d77ea5bd83714d5718233c919977debf8794a969814807

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
85de3bca8bd46fee0aed38f58b6e80bb

SHA1
b2733a8dc8806e35fa9d8face8358052a87b7979

SHA256
0c8c5cbc275df7264a9917f5d9f14a049c96b096e13db6f59ea3a895219fd60d

SHA512
6b909ae3cf29f8925e6798b0abab4144d7cee8df65abf547aa48de5d82f1a1f315b94e190c5b540ea5d77ea5bd83714d5718233c919977debf8794a969814807

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
85de3bca8bd46fee0aed38f58b6e80bb

SHA1
b2733a8dc8806e35fa9d8face8358052a87b7979

SHA256
0c8c5cbc275df7264a9917f5d9f14a049c96b096e13db6f59ea3a895219fd60d

SHA512
6b909ae3cf29f8925e6798b0abab4144d7cee8df65abf547aa48de5d82f1a1f315b94e190c5b540ea5d77ea5bd83714d5718233c919977debf8794a969814807

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
85de3bca8bd46fee0aed38f58b6e80bb

SHA1
b2733a8dc8806e35fa9d8face8358052a87b7979

SHA256
0c8c5cbc275df7264a9917f5d9f14a049c96b096e13db6f59ea3a895219fd60d

SHA512
6b909ae3cf29f8925e6798b0abab4144d7cee8df65abf547aa48de5d82f1a1f315b94e190c5b540ea5d77ea5bd83714d5718233c919977debf8794a969814807

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
85de3bca8bd46fee0aed38f58b6e80bb

SHA1
b2733a8dc8806e35fa9d8face8358052a87b7979

SHA256
0c8c5cbc275df7264a9917f5d9f14a049c96b096e13db6f59ea3a895219fd60d

SHA512
6b909ae3cf29f8925e6798b0abab4144d7cee8df65abf547aa48de5d82f1a1f315b94e190c5b540ea5d77ea5bd83714d5718233c919977debf8794a969814807

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
cf63bb4acf56cd3dc7637f364e39a22a

SHA1
0f3f1d7caaa55dabb05fa599a4c57bd884c20b2d

SHA256
0c0af6d991d693ab0890a2164759bd7f00cadfc47aaa37890c60508b8974d991

SHA512
16c9be22482aea1d2d45ac06b3547c2d3cf0293ef863d4b5e7679bdacb2a3ca3e777e9fa4f59ec446b4ec350b45fa5a8f44059f8e3aec2ef0c2c184946e824e2

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
cf63bb4acf56cd3dc7637f364e39a22a

SHA1
0f3f1d7caaa55dabb05fa599a4c57bd884c20b2d

SHA256
0c0af6d991d693ab0890a2164759bd7f00cadfc47aaa37890c60508b8974d991

SHA512
16c9be22482aea1d2d45ac06b3547c2d3cf0293ef863d4b5e7679bdacb2a3ca3e777e9fa4f59ec446b4ec350b45fa5a8f44059f8e3aec2ef0c2c184946e824e2

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
7dee315a93ddf10005351bf27013df32

SHA1
edc7b3ea5df65d515c5ff2fcc23fbef86eba5f45

SHA256
2af450e4366d516152032d21231ba5063b36545570b6945d0acf2ed9a5ba859c

SHA512
1e329eb1fa5f82989b416c7d891ee169a40514f509546dc09ef70fed7c6022d1fcbc8e5d02f6090c928b04bc147d1bbd5e4be26972496f5261f32c855b2d76ca

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
7dee315a93ddf10005351bf27013df32

SHA1
edc7b3ea5df65d515c5ff2fcc23fbef86eba5f45

SHA256
2af450e4366d516152032d21231ba5063b36545570b6945d0acf2ed9a5ba859c

SHA512
1e329eb1fa5f82989b416c7d891ee169a40514f509546dc09ef70fed7c6022d1fcbc8e5d02f6090c928b04bc147d1bbd5e4be26972496f5261f32c855b2d76ca

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
a640d3953e7696c91daf45eb5b0ea39c

SHA1
6106042089fe77506fe2c90c3855b79c0a44359d

SHA256
d2511c382403489809dd034ee0976618e4d09e4ee8f416ce2d9b299c8fea785d

SHA512
6c79cbda14ef838ed9cc802dac7fb67c365e5e4509269857457f15d873f009ff82364958252e0419eb3df71aed2fd74d4c5a2d58006f80cb5a0a48156d34c676

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
a640d3953e7696c91daf45eb5b0ea39c

SHA1
6106042089fe77506fe2c90c3855b79c0a44359d

SHA256
d2511c382403489809dd034ee0976618e4d09e4ee8f416ce2d9b299c8fea785d

SHA512
6c79cbda14ef838ed9cc802dac7fb67c365e5e4509269857457f15d873f009ff82364958252e0419eb3df71aed2fd74d4c5a2d58006f80cb5a0a48156d34c676

Download Submit
memory/1384-117-0x0000000075351000-0x0000000075353000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads