3b1118a275cea98dbc4ed911cfaae8b8bf597943263f511477ac71766bfd04fb

Analysis

max time kernel
221s
max time network
35s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 18:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3b1118a275cea98dbc4ed911cfaae8b8bf597943263f511477ac71766bfd04fb.exe
Size

72KB
MD5

07e75e26efd2984622f449e5721d9c98
SHA1

09b60b297240cabcf07849da59904c74db857839
SHA256

3b1118a275cea98dbc4ed911cfaae8b8bf597943263f511477ac71766bfd04fb
SHA512

ad1809706ed3d32383aa48b26f2fb8d307b8a99221cd5e9029d917ac83d91a72fc7f31688ae155c69290315665f6bac523cfc18e16cc091837086ae2ff42cfae
SSDEEP

768:NpQNwC3BESe4Vqth+0V5vKlE3BEJwRrTd3FAuNn:HeT7BVwxfvqguKRFA8

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

backup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exedata.exebackup.exebackup.exebackup.exebackup.exeupdate.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeSystem Restore.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeSystem Restore.exebackup.exebackup.exebackup.exebackup.exedata.exebackup.exebackup.exebackup.exebackup.exeSystem Restore.exebackup.exebackup.exedata.exebackup.exedata.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeupdate.exebackup.exebackup.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Executes dropped EXE 64 IoCs

Processes:

backup.exedata.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exedata.exebackup.exeSystem Restore.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeSystem Restore.exebackup.exebackup.exebackup.exebackup.exeSystem Restore.exebackup.exeupdate.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exedata.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeSystem Restore.exebackup.exebackup.exeupdate.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exedata.exebackup.exebackup.exebackup.exe

pid	process
1648	backup.exe
1516	data.exe
1512	backup.exe
1000	backup.exe
1804	backup.exe
1676	backup.exe
1756	backup.exe
932	backup.exe
1072	backup.exe
1792	backup.exe
2032	backup.exe
1752	data.exe
1732	backup.exe
1324	System Restore.exe
1992	backup.exe
1616	backup.exe
1600	backup.exe
1028	backup.exe
664	backup.exe
1328	backup.exe
324	System Restore.exe
1000	backup.exe
1692	backup.exe
1492	backup.exe
1560	backup.exe
920	System Restore.exe
1796	backup.exe
1256	update.exe
812	backup.exe
1044	backup.exe
2012	backup.exe
1132	backup.exe
1588	backup.exe
1552	backup.exe
1732	backup.exe
1376	backup.exe
1296	backup.exe
1612	data.exe
1968	backup.exe
852	backup.exe
1292	backup.exe
584	backup.exe
340	backup.exe
1336	backup.exe
1928	backup.exe
1692	backup.exe
1504	backup.exe
1404	backup.exe
1584	backup.exe
600	System Restore.exe
932	backup.exe
1720	backup.exe
1424	update.exe
968	backup.exe
1740	backup.exe
2040	backup.exe
1644	backup.exe
1716	backup.exe
1588	backup.exe
1028	backup.exe
680	data.exe
1332	backup.exe
1356	backup.exe
1776	backup.exe

Loads dropped DLL 64 IoCs

Processes:

3b1118a275cea98dbc4ed911cfaae8b8bf597943263f511477ac71766bfd04fb.exebackup.exebackup.exebackup.exedata.exeSystem Restore.exebackup.exebackup.exeupdate.exe

pid	process
1164	3b1118a275cea98dbc4ed911cfaae8b8bf597943263f511477ac71766bfd04fb.exe
1164	3b1118a275cea98dbc4ed911cfaae8b8bf597943263f511477ac71766bfd04fb.exe
1164	3b1118a275cea98dbc4ed911cfaae8b8bf597943263f511477ac71766bfd04fb.exe
1164	3b1118a275cea98dbc4ed911cfaae8b8bf597943263f511477ac71766bfd04fb.exe
1164	3b1118a275cea98dbc4ed911cfaae8b8bf597943263f511477ac71766bfd04fb.exe
1164	3b1118a275cea98dbc4ed911cfaae8b8bf597943263f511477ac71766bfd04fb.exe
1164	3b1118a275cea98dbc4ed911cfaae8b8bf597943263f511477ac71766bfd04fb.exe
1164	3b1118a275cea98dbc4ed911cfaae8b8bf597943263f511477ac71766bfd04fb.exe
1164	3b1118a275cea98dbc4ed911cfaae8b8bf597943263f511477ac71766bfd04fb.exe
1164	3b1118a275cea98dbc4ed911cfaae8b8bf597943263f511477ac71766bfd04fb.exe
1164	3b1118a275cea98dbc4ed911cfaae8b8bf597943263f511477ac71766bfd04fb.exe
1164	3b1118a275cea98dbc4ed911cfaae8b8bf597943263f511477ac71766bfd04fb.exe
1164	3b1118a275cea98dbc4ed911cfaae8b8bf597943263f511477ac71766bfd04fb.exe
1164	3b1118a275cea98dbc4ed911cfaae8b8bf597943263f511477ac71766bfd04fb.exe
1756	backup.exe
1756	backup.exe
1072	backup.exe
1072	backup.exe
1756	backup.exe
1756	backup.exe
2032	backup.exe
2032	backup.exe
1752	data.exe
1752	data.exe
2032	backup.exe
2032	backup.exe
1324	System Restore.exe
1324	System Restore.exe
1992	backup.exe
1992	backup.exe
1992	backup.exe
1992	backup.exe
1600	backup.exe
1600	backup.exe
1600	backup.exe
1600	backup.exe
1600	backup.exe
1600	backup.exe
1600	backup.exe
1600	backup.exe
1600	backup.exe
1600	backup.exe
1600	backup.exe
1600	backup.exe
1756	backup.exe
1992	backup.exe
1324	System Restore.exe
1600	backup.exe
1756	backup.exe
1324	System Restore.exe
2032	backup.exe
2032	backup.exe
1600	backup.exe
1256	update.exe
1256	update.exe
1256	update.exe
1324	System Restore.exe
1756	backup.exe
1324	System Restore.exe
1756	backup.exe
2032	backup.exe
2032	backup.exe
1600	backup.exe
1600	backup.exe

Drops file in Program Files directory 64 IoCs

Processes:

System Restore.exebackup.exebackup.exebackup.exebackup.exebackup.exedata.exebackup.exeSystem Restore.exebackup.exedata.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeSystem Restore.exeSystem Restore.exebackup.exeupdate.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\data.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\data.exe	backup.exe
File opened for modification	C:\Program Files\Google\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\backup.exe	data.exe
File opened for modification	C:\Program Files (x86)\Google\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\include\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\en-US\backup.exe	data.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\bin\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\images\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\update.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\ja-JP\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\backup.exe	System Restore.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Common Files\Services\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\data.exe	update.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VC\data.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\System Restore.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\it-IT\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\System\ja-JP\backup.exe	data.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\update.exe	backup.exe

Drops file in Windows directory 26 IoCs

Processes:

backup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exe

description	ioc	process
File opened for modification	C:\Windows\assembly\GAC_32\backup.exe	backup.exe
File opened for modification	C:\Windows\AppPatch\Custom\Custom64\backup.exe	backup.exe
File opened for modification	C:\Windows\AppPatch\en-US\backup.exe	backup.exe
File opened for modification	C:\Windows\Branding\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\backup.exe	backup.exe
File opened for modification	C:\Windows\Branding\Basebrd\en-US\backup.exe	backup.exe
File opened for modification	C:\Windows\Branding\Basebrd\es-ES\backup.exe	backup.exe
File opened for modification	C:\Windows\Branding\ShellBrd\backup.exe	backup.exe
File opened for modification	C:\Windows\CSC\backup.exe	backup.exe
File opened for modification	C:\Windows\addins\backup.exe	backup.exe
File opened for modification	C:\Windows\Boot\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\Microsoft.Ink\backup.exe	backup.exe
File opened for modification	C:\Windows\AppPatch\Custom\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\ADODB\backup.exe	backup.exe
File opened for modification	C:\Windows\Branding\Basebrd\de-DE\backup.exe	backup.exe
File opened for modification	C:\Windows\AppPatch\de-DE\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\Extensibility\backup.exe	backup.exe
File opened for modification	C:\Windows\Branding\Basebrd\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\backup.exe	backup.exe
File opened for modification	C:\Windows\AppPatch\AppPatch64\backup.exe	backup.exe
File opened for modification	C:\Windows\AppPatch\backup.exe	backup.exe
File opened for modification	C:\Windows\Branding\Basebrd\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\backup.exe	backup.exe
File opened for modification	C:\Windows\AppPatch\es-ES\backup.exe	backup.exe
File opened for modification	C:\Windows\backup.exe	backup.exe
File opened for modification	C:\Windows\AppCompat\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

3b1118a275cea98dbc4ed911cfaae8b8bf597943263f511477ac71766bfd04fb.exe

pid process

1164 3b1118a275cea98dbc4ed911cfaae8b8bf597943263f511477ac71766bfd04fb.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

3b1118a275cea98dbc4ed911cfaae8b8bf597943263f511477ac71766bfd04fb.exebackup.exedata.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exedata.exebackup.exeSystem Restore.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeSystem Restore.exebackup.exebackup.exebackup.exebackup.exeSystem Restore.exebackup.exeupdate.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exedata.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeSystem Restore.exeupdate.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exe

pid	process
1164	3b1118a275cea98dbc4ed911cfaae8b8bf597943263f511477ac71766bfd04fb.exe
1648	backup.exe
1516	data.exe
1512	backup.exe
1000	backup.exe
1804	backup.exe
1676	backup.exe
1756	backup.exe
932	backup.exe
1072	backup.exe
1792	backup.exe
2032	backup.exe
1752	data.exe
1732	backup.exe
1324	System Restore.exe
1992	backup.exe
1616	backup.exe
1600	backup.exe
1028	backup.exe
664	backup.exe
1328	backup.exe
324	System Restore.exe
1000	backup.exe
1692	backup.exe
1560	backup.exe
1492	backup.exe
920	System Restore.exe
1796	backup.exe
1256	update.exe
812	backup.exe
1044	backup.exe
1588	backup.exe
2012	backup.exe
1132	backup.exe
1376	backup.exe
1552	backup.exe
1732	backup.exe
852	backup.exe
1292	backup.exe
1612	data.exe
1336	backup.exe
1968	backup.exe
1928	backup.exe
584	backup.exe
1296	backup.exe
340	backup.exe
1692	backup.exe
932	backup.exe
600	System Restore.exe
1424	update.exe
1740	backup.exe
968	backup.exe
1404	backup.exe
1504	backup.exe
1720	backup.exe
1584	backup.exe
2040	backup.exe
1644	backup.exe
1716	backup.exe
1588	backup.exe
564	backup.exe
1332	backup.exe
1656	backup.exe
1776	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

3b1118a275cea98dbc4ed911cfaae8b8bf597943263f511477ac71766bfd04fb.exebackup.exebackup.exebackup.exebackup.exedata.exeSystem Restore.exebackup.exe

description	pid	process	target process
PID 1164 wrote to memory of 1648	1164	3b1118a275cea98dbc4ed911cfaae8b8bf597943263f511477ac71766bfd04fb.exe	backup.exe
PID 1164 wrote to memory of 1648	1164	3b1118a275cea98dbc4ed911cfaae8b8bf597943263f511477ac71766bfd04fb.exe	backup.exe
PID 1164 wrote to memory of 1648	1164	3b1118a275cea98dbc4ed911cfaae8b8bf597943263f511477ac71766bfd04fb.exe	backup.exe
PID 1164 wrote to memory of 1648	1164	3b1118a275cea98dbc4ed911cfaae8b8bf597943263f511477ac71766bfd04fb.exe	backup.exe
PID 1164 wrote to memory of 1516	1164	3b1118a275cea98dbc4ed911cfaae8b8bf597943263f511477ac71766bfd04fb.exe	data.exe
PID 1164 wrote to memory of 1516	1164	3b1118a275cea98dbc4ed911cfaae8b8bf597943263f511477ac71766bfd04fb.exe	data.exe
PID 1164 wrote to memory of 1516	1164	3b1118a275cea98dbc4ed911cfaae8b8bf597943263f511477ac71766bfd04fb.exe	data.exe
PID 1164 wrote to memory of 1516	1164	3b1118a275cea98dbc4ed911cfaae8b8bf597943263f511477ac71766bfd04fb.exe	data.exe
PID 1164 wrote to memory of 1512	1164	3b1118a275cea98dbc4ed911cfaae8b8bf597943263f511477ac71766bfd04fb.exe	backup.exe
PID 1164 wrote to memory of 1512	1164	3b1118a275cea98dbc4ed911cfaae8b8bf597943263f511477ac71766bfd04fb.exe	backup.exe
PID 1164 wrote to memory of 1512	1164	3b1118a275cea98dbc4ed911cfaae8b8bf597943263f511477ac71766bfd04fb.exe	backup.exe
PID 1164 wrote to memory of 1512	1164	3b1118a275cea98dbc4ed911cfaae8b8bf597943263f511477ac71766bfd04fb.exe	backup.exe
PID 1164 wrote to memory of 1000	1164	3b1118a275cea98dbc4ed911cfaae8b8bf597943263f511477ac71766bfd04fb.exe	backup.exe
PID 1164 wrote to memory of 1000	1164	3b1118a275cea98dbc4ed911cfaae8b8bf597943263f511477ac71766bfd04fb.exe	backup.exe
PID 1164 wrote to memory of 1000	1164	3b1118a275cea98dbc4ed911cfaae8b8bf597943263f511477ac71766bfd04fb.exe	backup.exe
PID 1164 wrote to memory of 1000	1164	3b1118a275cea98dbc4ed911cfaae8b8bf597943263f511477ac71766bfd04fb.exe	backup.exe
PID 1164 wrote to memory of 1804	1164	3b1118a275cea98dbc4ed911cfaae8b8bf597943263f511477ac71766bfd04fb.exe	backup.exe
PID 1164 wrote to memory of 1804	1164	3b1118a275cea98dbc4ed911cfaae8b8bf597943263f511477ac71766bfd04fb.exe	backup.exe
PID 1164 wrote to memory of 1804	1164	3b1118a275cea98dbc4ed911cfaae8b8bf597943263f511477ac71766bfd04fb.exe	backup.exe
PID 1164 wrote to memory of 1804	1164	3b1118a275cea98dbc4ed911cfaae8b8bf597943263f511477ac71766bfd04fb.exe	backup.exe
PID 1164 wrote to memory of 1676	1164	3b1118a275cea98dbc4ed911cfaae8b8bf597943263f511477ac71766bfd04fb.exe	backup.exe
PID 1164 wrote to memory of 1676	1164	3b1118a275cea98dbc4ed911cfaae8b8bf597943263f511477ac71766bfd04fb.exe	backup.exe
PID 1164 wrote to memory of 1676	1164	3b1118a275cea98dbc4ed911cfaae8b8bf597943263f511477ac71766bfd04fb.exe	backup.exe
PID 1164 wrote to memory of 1676	1164	3b1118a275cea98dbc4ed911cfaae8b8bf597943263f511477ac71766bfd04fb.exe	backup.exe
PID 1648 wrote to memory of 1756	1648	backup.exe	backup.exe
PID 1648 wrote to memory of 1756	1648	backup.exe	backup.exe
PID 1648 wrote to memory of 1756	1648	backup.exe	backup.exe
PID 1648 wrote to memory of 1756	1648	backup.exe	backup.exe
PID 1164 wrote to memory of 932	1164	3b1118a275cea98dbc4ed911cfaae8b8bf597943263f511477ac71766bfd04fb.exe	backup.exe
PID 1164 wrote to memory of 932	1164	3b1118a275cea98dbc4ed911cfaae8b8bf597943263f511477ac71766bfd04fb.exe	backup.exe
PID 1164 wrote to memory of 932	1164	3b1118a275cea98dbc4ed911cfaae8b8bf597943263f511477ac71766bfd04fb.exe	backup.exe
PID 1164 wrote to memory of 932	1164	3b1118a275cea98dbc4ed911cfaae8b8bf597943263f511477ac71766bfd04fb.exe	backup.exe
PID 1756 wrote to memory of 1072	1756	backup.exe	backup.exe
PID 1756 wrote to memory of 1072	1756	backup.exe	backup.exe
PID 1756 wrote to memory of 1072	1756	backup.exe	backup.exe
PID 1756 wrote to memory of 1072	1756	backup.exe	backup.exe
PID 1072 wrote to memory of 1792	1072	backup.exe	backup.exe
PID 1072 wrote to memory of 1792	1072	backup.exe	backup.exe
PID 1072 wrote to memory of 1792	1072	backup.exe	backup.exe
PID 1072 wrote to memory of 1792	1072	backup.exe	backup.exe
PID 1756 wrote to memory of 2032	1756	backup.exe	backup.exe
PID 1756 wrote to memory of 2032	1756	backup.exe	backup.exe
PID 1756 wrote to memory of 2032	1756	backup.exe	backup.exe
PID 1756 wrote to memory of 2032	1756	backup.exe	backup.exe
PID 2032 wrote to memory of 1752	2032	backup.exe	data.exe
PID 2032 wrote to memory of 1752	2032	backup.exe	data.exe
PID 2032 wrote to memory of 1752	2032	backup.exe	data.exe
PID 2032 wrote to memory of 1752	2032	backup.exe	data.exe
PID 1752 wrote to memory of 1732	1752	data.exe	backup.exe
PID 1752 wrote to memory of 1732	1752	data.exe	backup.exe
PID 1752 wrote to memory of 1732	1752	data.exe	backup.exe
PID 1752 wrote to memory of 1732	1752	data.exe	backup.exe
PID 2032 wrote to memory of 1324	2032	backup.exe	System Restore.exe
PID 2032 wrote to memory of 1324	2032	backup.exe	System Restore.exe
PID 2032 wrote to memory of 1324	2032	backup.exe	System Restore.exe
PID 2032 wrote to memory of 1324	2032	backup.exe	System Restore.exe
PID 1324 wrote to memory of 1992	1324	System Restore.exe	backup.exe
PID 1324 wrote to memory of 1992	1324	System Restore.exe	backup.exe
PID 1324 wrote to memory of 1992	1324	System Restore.exe	backup.exe
PID 1324 wrote to memory of 1992	1324	System Restore.exe	backup.exe
PID 1992 wrote to memory of 1616	1992	backup.exe	backup.exe
PID 1992 wrote to memory of 1616	1992	backup.exe	backup.exe
PID 1992 wrote to memory of 1616	1992	backup.exe	backup.exe
PID 1992 wrote to memory of 1616	1992	backup.exe	backup.exe

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

Processes:

backup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exe3b1118a275cea98dbc4ed911cfaae8b8bf597943263f511477ac71766bfd04fb.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exedata.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exedata.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exedata.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	3b1118a275cea98dbc4ed911cfaae8b8bf597943263f511477ac71766bfd04fb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	3b1118a275cea98dbc4ed911cfaae8b8bf597943263f511477ac71766bfd04fb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe

C:\Users\Admin\AppData\Local\Temp\3b1118a275cea98dbc4ed911cfaae8b8bf597943263f511477ac71766bfd04fb.exe
"C:\Users\Admin\AppData\Local\Temp\3b1118a275cea98dbc4ed911cfaae8b8bf597943263f511477ac71766bfd04fb.exe"
1⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1164

C:\Users\Admin\AppData\Local\Temp\2019930328\backup.exe
C:\Users\Admin\AppData\Local\Temp\2019930328\backup.exe C:\Users\Admin\AppData\Local\Temp\2019930328\
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1648

C:\backup.exe
\backup.exe \
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1756

C:\PerfLogs\backup.exe
C:\PerfLogs\backup.exe C:\PerfLogs\
4⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1072

C:\PerfLogs\Admin\backup.exe
C:\PerfLogs\Admin\backup.exe C:\PerfLogs\Admin\
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1792

C:\Program Files\backup.exe
"C:\Program Files\backup.exe" C:\Program Files\
4⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2032

C:\Program Files\7-Zip\data.exe
"C:\Program Files\7-Zip\data.exe" C:\Program Files\7-Zip\
5⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1752

C:\Program Files\7-Zip\Lang\backup.exe
"C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1732

C:\Program Files\Common Files\System Restore.exe
"C:\Program Files\Common Files\System Restore.exe" C:\Program Files\Common Files\
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1324

C:\Program Files\Common Files\Microsoft Shared\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\backup.exe" C:\Program Files\Common Files\Microsoft Shared\
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1992

C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1616

C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:1600

C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1028

C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:664

C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1328

C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\System Restore.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:324

C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1000

C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1692

C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1796

C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1552

C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:584

C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\update.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1424

C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\
8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1716

C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\System Restore.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\
8⤵
- Modifies visibility of file extensions in Explorer
- Drops file in Program Files directory
PID:468

C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\
9⤵
PID:1240

C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\
9⤵
PID:392

C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\
9⤵
PID:968

C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\
9⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:1588

C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\
9⤵
- System policy modification
PID:2408

C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\
9⤵
PID:2588

C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\
9⤵
PID:2960

C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\
9⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:2136

C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\
9⤵
PID:2436

C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\
8⤵
PID:1656

C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\
8⤵
PID:1532

C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\
8⤵
PID:2180

C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\
8⤵
- Modifies visibility of file extensions in Explorer
PID:2644

C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\
8⤵
- Modifies visibility of file extensions in Explorer
PID:1796

C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\System Restore.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\
8⤵
PID:2288

C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\
8⤵
PID:2368

C:\Program Files\Common Files\Microsoft Shared\MSInfo\update.exe
"C:\Program Files\Common Files\Microsoft Shared\MSInfo\update.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
7⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:1256

C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1376

C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\
8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1336

C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\
8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1584

C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\data.exe
"C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\data.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\
8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- System policy modification
PID:680

C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\
8⤵
PID:1704

C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\
8⤵
PID:1332

C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1968

C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1404

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1588

C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\
7⤵
PID:2008

C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\
7⤵
- Drops file in Program Files directory
PID:188

C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\System Restore.exe
"C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\
8⤵
- Modifies visibility of file extensions in Explorer
PID:2220

C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\
8⤵
PID:2564

C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\
8⤵
PID:2888

C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\
8⤵
- System policy modification
PID:3008

C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\
8⤵
PID:2264

C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\
8⤵
PID:2508

C:\Program Files\Common Files\Microsoft Shared\Triedit\data.exe
"C:\Program Files\Common Files\Microsoft Shared\Triedit\data.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\
7⤵
- Modifies visibility of file extensions in Explorer
- Drops file in Program Files directory
- System policy modification
PID:888

C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\
8⤵
PID:2156

C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\
8⤵
PID:2636

C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\
8⤵
PID:2996

C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\
8⤵
PID:2308

C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\
8⤵
PID:2084

C:\Program Files\Common Files\Microsoft Shared\VC\data.exe
"C:\Program Files\Common Files\Microsoft Shared\VC\data.exe" C:\Program Files\Common Files\Microsoft Shared\VC\
7⤵
- Modifies visibility of file extensions in Explorer
PID:2652

C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VGX\
7⤵
- System policy modification
PID:2092

C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\
7⤵
PID:1832

C:\Program Files\Common Files\Services\backup.exe
"C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1492

C:\Program Files\Common Files\SpeechEngines\backup.exe
"C:\Program Files\Common Files\SpeechEngines\backup.exe" C:\Program Files\Common Files\SpeechEngines\
6⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:812

C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe
"C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files\Common Files\SpeechEngines\Microsoft\
7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1588

C:\Program Files\Common Files\System\data.exe
"C:\Program Files\Common Files\System\data.exe" C:\Program Files\Common Files\System\
6⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:1612

C:\Program Files\Common Files\System\ado\backup.exe
"C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
7⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:932

C:\Program Files\Common Files\System\ado\de-DE\backup.exe
"C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1644

C:\Program Files\Common Files\System\ado\en-US\backup.exe
"C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
8⤵
- Suspicious use of SetWindowsHookEx
PID:564

C:\Program Files\Common Files\System\ado\es-ES\backup.exe
"C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
8⤵
PID:1432

C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
"C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
8⤵
PID:1008

C:\Program Files\Common Files\System\ado\it-IT\backup.exe
"C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\
8⤵
- System policy modification
PID:1964

C:\Program Files\Common Files\System\ado\ja-JP\backup.exe
"C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\
8⤵
PID:2060

C:\Program Files\Common Files\System\de-DE\backup.exe
"C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
7⤵
- System policy modification
PID:324

C:\Program Files\Common Files\System\en-US\backup.exe
"C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
7⤵
PID:1720

C:\Program Files\Common Files\System\es-ES\backup.exe
"C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
7⤵
PID:1828

C:\Program Files\Common Files\System\fr-FR\backup.exe
"C:\Program Files\Common Files\System\fr-FR\backup.exe" C:\Program Files\Common Files\System\fr-FR\
7⤵
- System policy modification
PID:2388

C:\Program Files\Common Files\System\it-IT\backup.exe
"C:\Program Files\Common Files\System\it-IT\backup.exe" C:\Program Files\Common Files\System\it-IT\
7⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:2620

C:\Program Files\Common Files\System\ja-JP\backup.exe
"C:\Program Files\Common Files\System\ja-JP\backup.exe" C:\Program Files\Common Files\System\ja-JP\
7⤵
PID:948

C:\Program Files\Common Files\System\msadc\backup.exe
"C:\Program Files\Common Files\System\msadc\backup.exe" C:\Program Files\Common Files\System\msadc\
7⤵
PID:2720

C:\Program Files\DVD Maker\System Restore.exe
"C:\Program Files\DVD Maker\System Restore.exe" C:\Program Files\DVD Maker\
5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:920

C:\Program Files\DVD Maker\de-DE\backup.exe
"C:\Program Files\DVD Maker\de-DE\backup.exe" C:\Program Files\DVD Maker\de-DE\
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1132

C:\Program Files\DVD Maker\en-US\backup.exe
"C:\Program Files\DVD Maker\en-US\backup.exe" C:\Program Files\DVD Maker\en-US\
6⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1928

C:\Program Files\DVD Maker\es-ES\System Restore.exe
"C:\Program Files\DVD Maker\es-ES\System Restore.exe" C:\Program Files\DVD Maker\es-ES\
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:600

C:\Program Files\DVD Maker\fr-FR\backup.exe
"C:\Program Files\DVD Maker\fr-FR\backup.exe" C:\Program Files\DVD Maker\fr-FR\
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2040

C:\Program Files\DVD Maker\it-IT\backup.exe
"C:\Program Files\DVD Maker\it-IT\backup.exe" C:\Program Files\DVD Maker\it-IT\
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1776

C:\Program Files\DVD Maker\ja-JP\backup.exe
"C:\Program Files\DVD Maker\ja-JP\backup.exe" C:\Program Files\DVD Maker\ja-JP\
6⤵
PID:1232

C:\Program Files\DVD Maker\Shared\backup.exe
"C:\Program Files\DVD Maker\Shared\backup.exe" C:\Program Files\DVD Maker\Shared\
6⤵
- System policy modification
PID:1404

C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\
7⤵
- Drops file in Program Files directory
PID:2196

C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\
8⤵
PID:2660

C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\
8⤵
PID:2952

C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\
8⤵
PID:2320

C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Full\
8⤵
PID:2344

C:\Program Files\Google\backup.exe
"C:\Program Files\Google\backup.exe" C:\Program Files\Google\
5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:2012

C:\Program Files\Google\Chrome\backup.exe
"C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
6⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:340

C:\Program Files\Google\Chrome\Application\backup.exe
"C:\Program Files\Google\Chrome\Application\backup.exe" C:\Program Files\Google\Chrome\Application\
7⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1504

C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\
8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Drops file in Program Files directory
PID:1028

C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\
9⤵
- System policy modification
PID:1796

C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\
9⤵
PID:564

C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\
9⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:1928

C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\
9⤵
PID:2332

C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\
9⤵
- Modifies visibility of file extensions in Explorer
PID:2688

C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\
9⤵
PID:1504

C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\backup.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\
9⤵
PID:2496

C:\Program Files\Google\Chrome\Application\Dictionaries\backup.exe
"C:\Program Files\Google\Chrome\Application\Dictionaries\backup.exe" C:\Program Files\Google\Chrome\Application\Dictionaries\
8⤵
PID:952

C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe
"C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe" C:\Program Files\Google\Chrome\Application\SetupMetrics\
8⤵
- Modifies visibility of file extensions in Explorer
PID:1624

C:\Program Files\Internet Explorer\backup.exe
"C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
5⤵
- Modifies visibility of file extensions in Explorer
- Drops file in Program Files directory
- System policy modification
PID:1736

C:\Program Files\Internet Explorer\de-DE\backup.exe
"C:\Program Files\Internet Explorer\de-DE\backup.exe" C:\Program Files\Internet Explorer\de-DE\
6⤵
- System policy modification
PID:2084

C:\Program Files\Internet Explorer\en-US\backup.exe
"C:\Program Files\Internet Explorer\en-US\backup.exe" C:\Program Files\Internet Explorer\en-US\
6⤵
- Modifies visibility of file extensions in Explorer
PID:2348

C:\Program Files\Internet Explorer\es-ES\backup.exe
"C:\Program Files\Internet Explorer\es-ES\backup.exe" C:\Program Files\Internet Explorer\es-ES\
6⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:2524

C:\Program Files\Internet Explorer\fr-FR\backup.exe
"C:\Program Files\Internet Explorer\fr-FR\backup.exe" C:\Program Files\Internet Explorer\fr-FR\
6⤵
PID:3032

C:\Program Files\Internet Explorer\images\backup.exe
"C:\Program Files\Internet Explorer\images\backup.exe" C:\Program Files\Internet Explorer\images\
6⤵
PID:1064

C:\Program Files\Internet Explorer\it-IT\backup.exe
"C:\Program Files\Internet Explorer\it-IT\backup.exe" C:\Program Files\Internet Explorer\it-IT\
6⤵
PID:968

C:\Program Files\Java\backup.exe
"C:\Program Files\Java\backup.exe" C:\Program Files\Java\
5⤵
- Drops file in Program Files directory
- System policy modification
PID:2040

C:\Program Files\Java\jdk1.7.0_80\System Restore.exe
"C:\Program Files\Java\jdk1.7.0_80\System Restore.exe" C:\Program Files\Java\jdk1.7.0_80\
6⤵
- Drops file in Program Files directory
PID:2164

C:\Program Files\Java\jdk1.7.0_80\bin\System Restore.exe
"C:\Program Files\Java\jdk1.7.0_80\bin\System Restore.exe" C:\Program Files\Java\jdk1.7.0_80\bin\
7⤵
PID:2364

C:\Program Files\Java\jdk1.7.0_80\db\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\db\backup.exe" C:\Program Files\Java\jdk1.7.0_80\db\
7⤵
- Modifies visibility of file extensions in Explorer
- Drops file in Program Files directory
- System policy modification
PID:2604

C:\Program Files\Java\jdk1.7.0_80\db\bin\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\db\bin\backup.exe" C:\Program Files\Java\jdk1.7.0_80\db\bin\
8⤵
- System policy modification
PID:2920

C:\Program Files\Java\jdk1.7.0_80\db\lib\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\db\lib\backup.exe" C:\Program Files\Java\jdk1.7.0_80\db\lib\
8⤵
PID:324

C:\Program Files\Java\jdk1.7.0_80\include\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\include\backup.exe" C:\Program Files\Java\jdk1.7.0_80\include\
7⤵
PID:2376

C:\Program Files\Java\jre7\backup.exe
"C:\Program Files\Java\jre7\backup.exe" C:\Program Files\Java\jre7\
6⤵
PID:2184

C:\Program Files\Microsoft Games\backup.exe
"C:\Program Files\Microsoft Games\backup.exe" C:\Program Files\Microsoft Games\
5⤵
- Modifies visibility of file extensions in Explorer
- Drops file in Program Files directory
PID:1376

C:\Program Files\Microsoft Games\Chess\backup.exe
"C:\Program Files\Microsoft Games\Chess\backup.exe" C:\Program Files\Microsoft Games\Chess\
6⤵
- Modifies visibility of file extensions in Explorer
- Drops file in Program Files directory
- System policy modification
PID:2096

C:\Program Files\Microsoft Games\Chess\de-DE\backup.exe
"C:\Program Files\Microsoft Games\Chess\de-DE\backup.exe" C:\Program Files\Microsoft Games\Chess\de-DE\
7⤵
PID:2280

C:\Program Files\Microsoft Games\Chess\en-US\backup.exe
"C:\Program Files\Microsoft Games\Chess\en-US\backup.exe" C:\Program Files\Microsoft Games\Chess\en-US\
7⤵
- Modifies visibility of file extensions in Explorer
PID:2628

C:\Program Files\Microsoft Games\Chess\es-ES\update.exe
"C:\Program Files\Microsoft Games\Chess\es-ES\update.exe" C:\Program Files\Microsoft Games\Chess\es-ES\
7⤵
- Modifies visibility of file extensions in Explorer
PID:2972

C:\Program Files\Microsoft Games\Chess\fr-FR\backup.exe
"C:\Program Files\Microsoft Games\Chess\fr-FR\backup.exe" C:\Program Files\Microsoft Games\Chess\fr-FR\
7⤵
PID:2312

C:\Program Files\Microsoft Games\Chess\it-IT\backup.exe
"C:\Program Files\Microsoft Games\Chess\it-IT\backup.exe" C:\Program Files\Microsoft Games\Chess\it-IT\
7⤵
PID:2220

C:\Program Files\Microsoft Games\FreeCell\backup.exe
"C:\Program Files\Microsoft Games\FreeCell\backup.exe" C:\Program Files\Microsoft Games\FreeCell\
6⤵
PID:2476

C:\Program Files\Microsoft Office\backup.exe
"C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
5⤵
PID:2484

C:\Program Files (x86)\backup.exe
"C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:1560

C:\Program Files (x86)\Adobe\backup.exe
"C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:852

C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\
6⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:1692

C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\
7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1720

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\
7⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1356

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\
8⤵
- Modifies visibility of file extensions in Explorer
PID:1708

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\
8⤵
- System policy modification
PID:824

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\
8⤵
- Modifies visibility of file extensions in Explorer
PID:552

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\
8⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:2068

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\
9⤵
PID:2372

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\
8⤵
- System policy modification
PID:2556

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\
8⤵
PID:1488

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\
9⤵
PID:2272

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\
8⤵
PID:2468

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\
7⤵
- Drops file in Program Files directory
PID:1752

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\
8⤵
PID:2204

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\
9⤵
- System policy modification
PID:2444

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\
8⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:2612

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\
8⤵
- Modifies visibility of file extensions in Explorer
- Drops file in Program Files directory
- System policy modification
PID:2928

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\
9⤵
PID:824

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\data.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\data.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\
9⤵
PID:2440

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\
8⤵
PID:2160

C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\
7⤵
PID:1952

C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\
8⤵
- Modifies visibility of file extensions in Explorer
PID:2340

C:\Program Files (x86)\Common Files\backup.exe
"C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
5⤵
- Drops file in Program Files directory
- System policy modification
PID:1740

C:\Program Files (x86)\Common Files\Adobe\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
6⤵
- Modifies visibility of file extensions in Explorer
- Drops file in Program Files directory
- System policy modification
PID:2248

C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\
7⤵
- Modifies visibility of file extensions in Explorer
PID:2496

C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\
7⤵
- Modifies visibility of file extensions in Explorer
PID:2704

C:\Program Files (x86)\Common Files\Adobe\Help\en_US\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\Help\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\
8⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:2912

C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\
9⤵
- Modifies visibility of file extensions in Explorer
PID:1624

C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Updater6\
7⤵
PID:2732

C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe
"C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\
6⤵
PID:2728

C:\Program Files (x86)\Google\backup.exe
"C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
5⤵
- Modifies visibility of file extensions in Explorer
PID:316

C:\Program Files (x86)\Google\CrashReports\backup.exe
"C:\Program Files (x86)\Google\CrashReports\backup.exe" C:\Program Files (x86)\Google\CrashReports\
6⤵
PID:2212

C:\Program Files (x86)\Google\Policies\backup.exe
"C:\Program Files (x86)\Google\Policies\backup.exe" C:\Program Files (x86)\Google\Policies\
6⤵
- System policy modification
PID:2580

C:\Program Files (x86)\Google\Temp\backup.exe
"C:\Program Files (x86)\Google\Temp\backup.exe" C:\Program Files (x86)\Google\Temp\
6⤵
- Modifies visibility of file extensions in Explorer
PID:2988

C:\Program Files (x86)\Google\Update\backup.exe
"C:\Program Files (x86)\Google\Update\backup.exe" C:\Program Files (x86)\Google\Update\
6⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:2064

C:\Program Files (x86)\Internet Explorer\backup.exe
"C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
5⤵
- Drops file in Program Files directory
PID:2532

C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe
"C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe" C:\Program Files (x86)\Internet Explorer\de-DE\
6⤵
- Modifies visibility of file extensions in Explorer
PID:3024

C:\Program Files (x86)\Internet Explorer\en-US\backup.exe
"C:\Program Files (x86)\Internet Explorer\en-US\backup.exe" C:\Program Files (x86)\Internet Explorer\en-US\
6⤵
PID:2256

C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe
"C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe" C:\Program Files (x86)\Internet Explorer\es-ES\
6⤵
PID:2284

C:\Program Files (x86)\Microsoft Analysis Services\backup.exe
"C:\Program Files (x86)\Microsoft Analysis Services\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\
5⤵
PID:2460

C:\Users\backup.exe
C:\Users\backup.exe C:\Users\
4⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1044

C:\Users\Admin\backup.exe
C:\Users\Admin\backup.exe C:\Users\Admin\
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1732

C:\Users\Admin\Contacts\backup.exe
C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1292

C:\Users\Admin\Desktop\backup.exe
C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
6⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1740

C:\Users\Admin\Documents\backup.exe
C:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1332

C:\Users\Admin\Downloads\backup.exe
C:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\
6⤵
- System policy modification
PID:1064

C:\Users\Admin\Favorites\data.exe
C:\Users\Admin\Favorites\data.exe C:\Users\Admin\Favorites\
6⤵
PID:1844

C:\Users\Admin\Links\backup.exe
C:\Users\Admin\Links\backup.exe C:\Users\Admin\Links\
6⤵
- System policy modification
PID:680

C:\Users\Admin\Music\backup.exe
C:\Users\Admin\Music\backup.exe C:\Users\Admin\Music\
6⤵
PID:2380

C:\Users\Admin\Pictures\backup.exe
C:\Users\Admin\Pictures\backup.exe C:\Users\Admin\Pictures\
6⤵
PID:2696

C:\Users\Admin\Saved Games\backup.exe
"C:\Users\Admin\Saved Games\backup.exe" C:\Users\Admin\Saved Games\
6⤵
- Modifies visibility of file extensions in Explorer
PID:1616

C:\Users\Admin\Searches\backup.exe
C:\Users\Admin\Searches\backup.exe C:\Users\Admin\Searches\
6⤵
PID:2716

C:\Users\Public\backup.exe
C:\Users\Public\backup.exe C:\Users\Public\
5⤵
PID:1664

C:\Users\Public\Documents\backup.exe
C:\Users\Public\Documents\backup.exe C:\Users\Public\Documents\
6⤵
PID:2356

C:\Users\Public\Downloads\backup.exe
C:\Users\Public\Downloads\backup.exe C:\Users\Public\Downloads\
6⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:2572

C:\Users\Public\Music\backup.exe
C:\Users\Public\Music\backup.exe C:\Users\Public\Music\
6⤵
- Modifies visibility of file extensions in Explorer
PID:2936

C:\Users\Public\Music\Sample Music\backup.exe
"C:\Users\Public\Music\Sample Music\backup.exe" C:\Users\Public\Music\Sample Music\
7⤵
- System policy modification
PID:952

C:\Users\Public\Pictures\backup.exe
C:\Users\Public\Pictures\backup.exe C:\Users\Public\Pictures\
6⤵
PID:2504

C:\Windows\backup.exe
C:\Windows\backup.exe C:\Windows\
4⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1296

C:\Windows\addins\backup.exe
C:\Windows\addins\backup.exe C:\Windows\addins\
5⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:968

C:\Windows\AppCompat\backup.exe
C:\Windows\AppCompat\backup.exe C:\Windows\AppCompat\
5⤵
- Suspicious use of SetWindowsHookEx
PID:1656

C:\Windows\AppPatch\backup.exe
C:\Windows\AppPatch\backup.exe C:\Windows\AppPatch\
5⤵
- Drops file in Windows directory
PID:1980

C:\Windows\AppPatch\AppPatch64\backup.exe
C:\Windows\AppPatch\AppPatch64\backup.exe C:\Windows\AppPatch\AppPatch64\
6⤵
- System policy modification
PID:2188

C:\Windows\AppPatch\Custom\backup.exe
C:\Windows\AppPatch\Custom\backup.exe C:\Windows\AppPatch\Custom\
6⤵
- Drops file in Windows directory
PID:2548

C:\Windows\AppPatch\Custom\Custom64\backup.exe
C:\Windows\AppPatch\Custom\Custom64\backup.exe C:\Windows\AppPatch\Custom\Custom64\
7⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:2880

C:\Windows\AppPatch\de-DE\backup.exe
C:\Windows\AppPatch\de-DE\backup.exe C:\Windows\AppPatch\de-DE\
6⤵
- System policy modification
PID:1256

C:\Windows\AppPatch\en-US\backup.exe
C:\Windows\AppPatch\en-US\backup.exe C:\Windows\AppPatch\en-US\
6⤵
PID:2144

C:\Windows\AppPatch\es-ES\backup.exe
C:\Windows\AppPatch\es-ES\backup.exe C:\Windows\AppPatch\es-ES\
6⤵
PID:2072

C:\Windows\assembly\backup.exe
C:\Windows\assembly\backup.exe C:\Windows\assembly\
5⤵
- Drops file in Windows directory
PID:520

C:\Windows\assembly\GAC\backup.exe
C:\Windows\assembly\GAC\backup.exe C:\Windows\assembly\GAC\
6⤵
- Drops file in Windows directory
- System policy modification
PID:2172

C:\Windows\assembly\GAC\ADODB\backup.exe
C:\Windows\assembly\GAC\ADODB\backup.exe C:\Windows\assembly\GAC\ADODB\
7⤵
- Drops file in Windows directory
PID:2540

C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\backup.exe
C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\
8⤵
PID:2944

C:\Windows\assembly\GAC\Extensibility\backup.exe
C:\Windows\assembly\GAC\Extensibility\backup.exe C:\Windows\assembly\GAC\Extensibility\
7⤵
- Modifies visibility of file extensions in Explorer
PID:808

C:\Windows\assembly\GAC\Microsoft.Ink\backup.exe
C:\Windows\assembly\GAC\Microsoft.Ink\backup.exe C:\Windows\assembly\GAC\Microsoft.Ink\
7⤵
PID:2412

C:\Windows\assembly\GAC_32\backup.exe
C:\Windows\assembly\GAC_32\backup.exe C:\Windows\assembly\GAC_32\
6⤵
PID:2448

C:\Windows\Branding\backup.exe
C:\Windows\Branding\backup.exe C:\Windows\Branding\
5⤵
- Drops file in Windows directory
PID:2052

C:\Windows\Branding\Basebrd\backup.exe
C:\Windows\Branding\Basebrd\backup.exe C:\Windows\Branding\Basebrd\
6⤵
- Drops file in Windows directory
- System policy modification
PID:2396

C:\Windows\Branding\Basebrd\de-DE\backup.exe
C:\Windows\Branding\Basebrd\de-DE\backup.exe C:\Windows\Branding\Basebrd\de-DE\
7⤵
- System policy modification
PID:2596

C:\Windows\Branding\Basebrd\en-US\backup.exe
C:\Windows\Branding\Basebrd\en-US\backup.exe C:\Windows\Branding\Basebrd\en-US\
7⤵
PID:3016

C:\Windows\Branding\Basebrd\es-ES\backup.exe
C:\Windows\Branding\Basebrd\es-ES\backup.exe C:\Windows\Branding\Basebrd\es-ES\
7⤵
- Modifies visibility of file extensions in Explorer
PID:2296

C:\Windows\Branding\Basebrd\fr-FR\backup.exe
C:\Windows\Branding\Basebrd\fr-FR\backup.exe C:\Windows\Branding\Basebrd\fr-FR\
7⤵
PID:2188

C:\Windows\Branding\ShellBrd\backup.exe
C:\Windows\Branding\ShellBrd\backup.exe C:\Windows\Branding\ShellBrd\
6⤵
PID:2216

C:\Windows\CSC\backup.exe
C:\Windows\CSC\backup.exe C:\Windows\CSC\
5⤵
PID:2516

C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\data.exe
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\data.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1516

C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1512

C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1000

C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
2⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1804

C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1676

C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:932

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\backup.exe
Filesize
72KB

MD5
2da546db311091fa48fb8c9d2bb2cb78

SHA1
24a9772337be50b8e69c94313391915b9b80e474

SHA256
6ebe01c2686c4c0d595816a9a332f737a59302e342f0cfa7eb13b3c37dbb583e

SHA512
84806fcab5f82ce5c2bdd4da0430fd83ef10fcd078efb50f2ee767d52e080a0e7cea236359b5cfceea4275a3a418ea25f4f89325fdf04344131cc88561110501

Download Submit
C:\PerfLogs\backup.exe
Filesize
72KB

MD5
fe78c92e408cbe78c0fd7c25d43cb8b3

SHA1
ef289608fab2e8bfccdc2fa2da718ae4dc488abf

SHA256
83ba69e2140700ed2a3b3214cc9287e6376fb26b1e678454f8d46a4faab65b1b

SHA512
6bfc7eaaac2f6d103237efed498b9b862ddbf6b5abc0e94942f89993bf927e8b96220774e58f2ccd855466b3ada0f3b4b1b7de0ee170ecf8852a1d591e9e432d

Download Submit
C:\PerfLogs\backup.exe
Filesize
72KB

MD5
fe78c92e408cbe78c0fd7c25d43cb8b3

SHA1
ef289608fab2e8bfccdc2fa2da718ae4dc488abf

SHA256
83ba69e2140700ed2a3b3214cc9287e6376fb26b1e678454f8d46a4faab65b1b

SHA512
6bfc7eaaac2f6d103237efed498b9b862ddbf6b5abc0e94942f89993bf927e8b96220774e58f2ccd855466b3ada0f3b4b1b7de0ee170ecf8852a1d591e9e432d

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe
Filesize
72KB

MD5
d97e5a8b13520dea63cbbf64d4ea81cc

SHA1
ce5cc68993c921a1f6151a3d799d318595db7468

SHA256
a2b2bd88fbb98e1746b1004dacb1e375ea49d1441f04443a624a81b12fb1aea0

SHA512
c92ac558a3de1a949e28edbc6abaa631b80496b0424c400de6dbad360d19582d8bc3d683a44f8c59ae78f238897abfefa30d8018c75a77b5f5a2210aa9f8e90a

Download Submit
C:\Program Files\7-Zip\data.exe
Filesize
72KB

MD5
e2fb86c067a1aea0a4604985870e1f55

SHA1
f51cb1dd1a27026b254a1341226d34dad373bf75

SHA256
36c1323150eb60e8b9d3325bdd9849cdc3f327dfe90571b2886178c166c9efe2

SHA512
7cbf7f7e747d827edfcff61ec45f952383495790c312efe22244dce8f579d347566b3c5396638484ae5fdf65f6cd5bc8ac32703796c1a7744317e06045824695

Download Submit
C:\Program Files\7-Zip\data.exe
Filesize
72KB

MD5
e2fb86c067a1aea0a4604985870e1f55

SHA1
f51cb1dd1a27026b254a1341226d34dad373bf75

SHA256
36c1323150eb60e8b9d3325bdd9849cdc3f327dfe90571b2886178c166c9efe2

SHA512
7cbf7f7e747d827edfcff61ec45f952383495790c312efe22244dce8f579d347566b3c5396638484ae5fdf65f6cd5bc8ac32703796c1a7744317e06045824695

Download Submit
C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
Filesize
72KB

MD5
4bfd9d48d032a9e52a842cf1bb117309

SHA1
93971648a9df95fa33a3f2d739e9d1fcc114ca7b

SHA256
dbe909730bd63b3a6446f3f974cee25b6114b842a9029e08c203dd273fd63d67

SHA512
787685e8fe2e8d2acd36aed33ae31b778a3039a9a42c8dd01d73ed3c9332b4ad5a5ad447df8790b263e38c15d35197ba36760b5cda05387b4cddb2cb931754bc

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe
Filesize
72KB

MD5
f1cfc3474f680479a0622dcdac8fd680

SHA1
f5ec53ac8eefacfe5310f9ea1644df2bff2b7181

SHA256
77b14c7b85d9d2e4bb6785b5b98750c912280b8693bf4a670dc1a0e90ef41f7d

SHA512
500d38e5480f15c5eb1c8935b9c64a4526783b4a80b60f0e8412df0f3c6bba262666f8b7dd24afeff415e256e57fa16c719bf0e750d6e213fcb1c7ffd2f26fd2

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe
Filesize
72KB

MD5
f1cfc3474f680479a0622dcdac8fd680

SHA1
f5ec53ac8eefacfe5310f9ea1644df2bff2b7181

SHA256
77b14c7b85d9d2e4bb6785b5b98750c912280b8693bf4a670dc1a0e90ef41f7d

SHA512
500d38e5480f15c5eb1c8935b9c64a4526783b4a80b60f0e8412df0f3c6bba262666f8b7dd24afeff415e256e57fa16c719bf0e750d6e213fcb1c7ffd2f26fd2

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe
Filesize
72KB

MD5
1e1a720f966b006ad25fc6b35085a1fa

SHA1
5888f8e6e98d33e61b23adae43bd5cb246687211

SHA256
efbc99c68d32bbaff910a856ea95fa5131e273054431620239280bd6af28f2b1

SHA512
18dec64fb7ec4f0df5cebc14ef3f2eb9558f925ecd43912c8ac25be76b5983cef075b25e543d738a059d3e81a879579423c6f3717ef892968f160259884ca5c2

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
Filesize
72KB

MD5
4bfd9d48d032a9e52a842cf1bb117309

SHA1
93971648a9df95fa33a3f2d739e9d1fcc114ca7b

SHA256
dbe909730bd63b3a6446f3f974cee25b6114b842a9029e08c203dd273fd63d67

SHA512
787685e8fe2e8d2acd36aed33ae31b778a3039a9a42c8dd01d73ed3c9332b4ad5a5ad447df8790b263e38c15d35197ba36760b5cda05387b4cddb2cb931754bc

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
Filesize
72KB

MD5
4bfd9d48d032a9e52a842cf1bb117309

SHA1
93971648a9df95fa33a3f2d739e9d1fcc114ca7b

SHA256
dbe909730bd63b3a6446f3f974cee25b6114b842a9029e08c203dd273fd63d67

SHA512
787685e8fe2e8d2acd36aed33ae31b778a3039a9a42c8dd01d73ed3c9332b4ad5a5ad447df8790b263e38c15d35197ba36760b5cda05387b4cddb2cb931754bc

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
Filesize
72KB

MD5
1e1a720f966b006ad25fc6b35085a1fa

SHA1
5888f8e6e98d33e61b23adae43bd5cb246687211

SHA256
efbc99c68d32bbaff910a856ea95fa5131e273054431620239280bd6af28f2b1

SHA512
18dec64fb7ec4f0df5cebc14ef3f2eb9558f925ecd43912c8ac25be76b5983cef075b25e543d738a059d3e81a879579423c6f3717ef892968f160259884ca5c2

Download Submit
C:\Program Files\Common Files\System Restore.exe
Filesize
72KB

MD5
bc4d298b3cc81b4da1ba682cf2d74248

SHA1
2329e2e178ec400849e904427b38195e1ede76dd

SHA256
d95e7e57511d796f3050e16eb1fefb83f6e147f2431f50d9cb6bf82e6fbe978e

SHA512
b7de4bc080c822dacacb4308e3d8f5b8135298a15d3933b30b2a8bc72122a4e5679affda963fbd6bef703bca9e17bb72ee49f64eb6b98e58b695edd4353ec318

Download Submit
C:\Program Files\Common Files\System Restore.exe
Filesize
72KB

MD5
bc4d298b3cc81b4da1ba682cf2d74248

SHA1
2329e2e178ec400849e904427b38195e1ede76dd

SHA256
d95e7e57511d796f3050e16eb1fefb83f6e147f2431f50d9cb6bf82e6fbe978e

SHA512
b7de4bc080c822dacacb4308e3d8f5b8135298a15d3933b30b2a8bc72122a4e5679affda963fbd6bef703bca9e17bb72ee49f64eb6b98e58b695edd4353ec318

Download Submit
C:\Program Files\backup.exe
Filesize
72KB

MD5
535db604bfa71b3a80a9cc4b99a129cd

SHA1
de29af1916ab8465f8c8dd394f1ee0565cec138f

SHA256
2af30c8ae8a8e487d3052cca7dffc14a610abb2e5fc9fcc422a08fbda5a1a7fb

SHA512
f424b7fde9a955ba1dd7c9b77167effa69c1f888a41f3072f77e5d360ca96ab251ed0a10521bb4447bbb3c6ef6767968a9ac46048f572cde008e2c56a2d08133

Download Submit
C:\Program Files\backup.exe
Filesize
72KB

MD5
535db604bfa71b3a80a9cc4b99a129cd

SHA1
de29af1916ab8465f8c8dd394f1ee0565cec138f

SHA256
2af30c8ae8a8e487d3052cca7dffc14a610abb2e5fc9fcc422a08fbda5a1a7fb

SHA512
f424b7fde9a955ba1dd7c9b77167effa69c1f888a41f3072f77e5d360ca96ab251ed0a10521bb4447bbb3c6ef6767968a9ac46048f572cde008e2c56a2d08133

Download Submit
C:\Users\Admin\AppData\Local\Temp\2019930328\backup.exe
Filesize
72KB

MD5
6da66f4d871939662e1cfd13203a77a6

SHA1
bbdfa91d10cdd5e2e690799597de759b11acb35e

SHA256
e4d5c36faffa28a1fe5034a5b6baff18116c1b068ffa47cfc42234bf1c84d3ed

SHA512
1b8d5e55943a0ab3eaef3f4fee1dc5d986f3638f741bbf10ecbb29f63f48439a05f19440e764d6a18f88c6832ac99d21a604689d23fbb562208701157c22429d

Download Submit
C:\Users\Admin\AppData\Local\Temp\2019930328\backup.exe
Filesize
72KB

MD5
6da66f4d871939662e1cfd13203a77a6

SHA1
bbdfa91d10cdd5e2e690799597de759b11acb35e

SHA256
e4d5c36faffa28a1fe5034a5b6baff18116c1b068ffa47cfc42234bf1c84d3ed

SHA512
1b8d5e55943a0ab3eaef3f4fee1dc5d986f3638f741bbf10ecbb29f63f48439a05f19440e764d6a18f88c6832ac99d21a604689d23fbb562208701157c22429d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
Filesize
72KB

MD5
cf217c672702947f95bfcad50183a12b

SHA1
2070084808db464be6ccc4f03babe1ac5a6c485a

SHA256
f974955953b4fb94075ed566e71aca53f937195b894956f04ec2669869d854ee

SHA512
5a84070dca9c3c7131b910dc20452a0476b212cf78c4829fd8505318d7a32ae6474e34a00f6d9c2e5ba2cca8b2e842caab14175ceee36445a5c29b20232abace

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
Filesize
72KB

MD5
cf217c672702947f95bfcad50183a12b

SHA1
2070084808db464be6ccc4f03babe1ac5a6c485a

SHA256
f974955953b4fb94075ed566e71aca53f937195b894956f04ec2669869d854ee

SHA512
5a84070dca9c3c7131b910dc20452a0476b212cf78c4829fd8505318d7a32ae6474e34a00f6d9c2e5ba2cca8b2e842caab14175ceee36445a5c29b20232abace

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
Filesize
72KB

MD5
cf217c672702947f95bfcad50183a12b

SHA1
2070084808db464be6ccc4f03babe1ac5a6c485a

SHA256
f974955953b4fb94075ed566e71aca53f937195b894956f04ec2669869d854ee

SHA512
5a84070dca9c3c7131b910dc20452a0476b212cf78c4829fd8505318d7a32ae6474e34a00f6d9c2e5ba2cca8b2e842caab14175ceee36445a5c29b20232abace

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
Filesize
72KB

MD5
4aada418c227ecc9f3341bfccaf891f1

SHA1
b38ce5b3ee42dd9483b7c01c8052369f9db88bfa

SHA256
438e38bf5a63f49c37206a391edc176cf6e0fa5bb3de30b880a2372ad52131ac

SHA512
0d082ec6870463f3ef53075ea54d08adb068b5b5f00332e8a125651b387f28e90b8fb579c085366660cf3144f31a39d5cb314574c3fe59dc3d4d09d87285b47b

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\data.exe
Filesize
72KB

MD5
cf217c672702947f95bfcad50183a12b

SHA1
2070084808db464be6ccc4f03babe1ac5a6c485a

SHA256
f974955953b4fb94075ed566e71aca53f937195b894956f04ec2669869d854ee

SHA512
5a84070dca9c3c7131b910dc20452a0476b212cf78c4829fd8505318d7a32ae6474e34a00f6d9c2e5ba2cca8b2e842caab14175ceee36445a5c29b20232abace

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
Filesize
72KB

MD5
cf217c672702947f95bfcad50183a12b

SHA1
2070084808db464be6ccc4f03babe1ac5a6c485a

SHA256
f974955953b4fb94075ed566e71aca53f937195b894956f04ec2669869d854ee

SHA512
5a84070dca9c3c7131b910dc20452a0476b212cf78c4829fd8505318d7a32ae6474e34a00f6d9c2e5ba2cca8b2e842caab14175ceee36445a5c29b20232abace

Download Submit
C:\backup.exe
Filesize
72KB

MD5
40b3f2c772c3f25104f772613ac47fd7

SHA1
faa45c653f11bf6458fbcd084fc12198da139449

SHA256
7898c372e57acfc9a30b94a14ceb39905a80fcd9c13e86549ac1278dcc85a1a8

SHA512
846a919a061070962a9fb133e6cca02eb09bd778d1cfb7b066cd7eb33512313a49878bb5f847dddf10b89881db9248ce50d1e7dd6c16b29161d2a25a08ababde

Download Submit
C:\backup.exe
Filesize
72KB

MD5
40b3f2c772c3f25104f772613ac47fd7

SHA1
faa45c653f11bf6458fbcd084fc12198da139449

SHA256
7898c372e57acfc9a30b94a14ceb39905a80fcd9c13e86549ac1278dcc85a1a8

SHA512
846a919a061070962a9fb133e6cca02eb09bd778d1cfb7b066cd7eb33512313a49878bb5f847dddf10b89881db9248ce50d1e7dd6c16b29161d2a25a08ababde

Download Submit
\PerfLogs\Admin\backup.exe
Filesize
72KB

MD5
2da546db311091fa48fb8c9d2bb2cb78

SHA1
24a9772337be50b8e69c94313391915b9b80e474

SHA256
6ebe01c2686c4c0d595816a9a332f737a59302e342f0cfa7eb13b3c37dbb583e

SHA512
84806fcab5f82ce5c2bdd4da0430fd83ef10fcd078efb50f2ee767d52e080a0e7cea236359b5cfceea4275a3a418ea25f4f89325fdf04344131cc88561110501

Download Submit
\PerfLogs\Admin\backup.exe
Filesize
72KB

MD5
2da546db311091fa48fb8c9d2bb2cb78

SHA1
24a9772337be50b8e69c94313391915b9b80e474

SHA256
6ebe01c2686c4c0d595816a9a332f737a59302e342f0cfa7eb13b3c37dbb583e

SHA512
84806fcab5f82ce5c2bdd4da0430fd83ef10fcd078efb50f2ee767d52e080a0e7cea236359b5cfceea4275a3a418ea25f4f89325fdf04344131cc88561110501

Download Submit
\PerfLogs\backup.exe
Filesize
72KB

MD5
fe78c92e408cbe78c0fd7c25d43cb8b3

SHA1
ef289608fab2e8bfccdc2fa2da718ae4dc488abf

SHA256
83ba69e2140700ed2a3b3214cc9287e6376fb26b1e678454f8d46a4faab65b1b

SHA512
6bfc7eaaac2f6d103237efed498b9b862ddbf6b5abc0e94942f89993bf927e8b96220774e58f2ccd855466b3ada0f3b4b1b7de0ee170ecf8852a1d591e9e432d

Download Submit
\PerfLogs\backup.exe
Filesize
72KB

MD5
fe78c92e408cbe78c0fd7c25d43cb8b3

SHA1
ef289608fab2e8bfccdc2fa2da718ae4dc488abf

SHA256
83ba69e2140700ed2a3b3214cc9287e6376fb26b1e678454f8d46a4faab65b1b

SHA512
6bfc7eaaac2f6d103237efed498b9b862ddbf6b5abc0e94942f89993bf927e8b96220774e58f2ccd855466b3ada0f3b4b1b7de0ee170ecf8852a1d591e9e432d

Download Submit
\Program Files\7-Zip\Lang\backup.exe
Filesize
72KB

MD5
d97e5a8b13520dea63cbbf64d4ea81cc

SHA1
ce5cc68993c921a1f6151a3d799d318595db7468

SHA256
a2b2bd88fbb98e1746b1004dacb1e375ea49d1441f04443a624a81b12fb1aea0

SHA512
c92ac558a3de1a949e28edbc6abaa631b80496b0424c400de6dbad360d19582d8bc3d683a44f8c59ae78f238897abfefa30d8018c75a77b5f5a2210aa9f8e90a

Download Submit
\Program Files\7-Zip\Lang\backup.exe
Filesize
72KB

MD5
d97e5a8b13520dea63cbbf64d4ea81cc

SHA1
ce5cc68993c921a1f6151a3d799d318595db7468

SHA256
a2b2bd88fbb98e1746b1004dacb1e375ea49d1441f04443a624a81b12fb1aea0

SHA512
c92ac558a3de1a949e28edbc6abaa631b80496b0424c400de6dbad360d19582d8bc3d683a44f8c59ae78f238897abfefa30d8018c75a77b5f5a2210aa9f8e90a

Download Submit
\Program Files\7-Zip\data.exe
Filesize
72KB

MD5
e2fb86c067a1aea0a4604985870e1f55

SHA1
f51cb1dd1a27026b254a1341226d34dad373bf75

SHA256
36c1323150eb60e8b9d3325bdd9849cdc3f327dfe90571b2886178c166c9efe2

SHA512
7cbf7f7e747d827edfcff61ec45f952383495790c312efe22244dce8f579d347566b3c5396638484ae5fdf65f6cd5bc8ac32703796c1a7744317e06045824695

Download Submit
\Program Files\7-Zip\data.exe
Filesize
72KB

MD5
e2fb86c067a1aea0a4604985870e1f55

SHA1
f51cb1dd1a27026b254a1341226d34dad373bf75

SHA256
36c1323150eb60e8b9d3325bdd9849cdc3f327dfe90571b2886178c166c9efe2

SHA512
7cbf7f7e747d827edfcff61ec45f952383495790c312efe22244dce8f579d347566b3c5396638484ae5fdf65f6cd5bc8ac32703796c1a7744317e06045824695

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
Filesize
72KB

MD5
4bfd9d48d032a9e52a842cf1bb117309

SHA1
93971648a9df95fa33a3f2d739e9d1fcc114ca7b

SHA256
dbe909730bd63b3a6446f3f974cee25b6114b842a9029e08c203dd273fd63d67

SHA512
787685e8fe2e8d2acd36aed33ae31b778a3039a9a42c8dd01d73ed3c9332b4ad5a5ad447df8790b263e38c15d35197ba36760b5cda05387b4cddb2cb931754bc

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
Filesize
72KB

MD5
4bfd9d48d032a9e52a842cf1bb117309

SHA1
93971648a9df95fa33a3f2d739e9d1fcc114ca7b

SHA256
dbe909730bd63b3a6446f3f974cee25b6114b842a9029e08c203dd273fd63d67

SHA512
787685e8fe2e8d2acd36aed33ae31b778a3039a9a42c8dd01d73ed3c9332b4ad5a5ad447df8790b263e38c15d35197ba36760b5cda05387b4cddb2cb931754bc

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe
Filesize
72KB

MD5
f1cfc3474f680479a0622dcdac8fd680

SHA1
f5ec53ac8eefacfe5310f9ea1644df2bff2b7181

SHA256
77b14c7b85d9d2e4bb6785b5b98750c912280b8693bf4a670dc1a0e90ef41f7d

SHA512
500d38e5480f15c5eb1c8935b9c64a4526783b4a80b60f0e8412df0f3c6bba262666f8b7dd24afeff415e256e57fa16c719bf0e750d6e213fcb1c7ffd2f26fd2

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe
Filesize
72KB

MD5
f1cfc3474f680479a0622dcdac8fd680

SHA1
f5ec53ac8eefacfe5310f9ea1644df2bff2b7181

SHA256
77b14c7b85d9d2e4bb6785b5b98750c912280b8693bf4a670dc1a0e90ef41f7d

SHA512
500d38e5480f15c5eb1c8935b9c64a4526783b4a80b60f0e8412df0f3c6bba262666f8b7dd24afeff415e256e57fa16c719bf0e750d6e213fcb1c7ffd2f26fd2

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe
Filesize
72KB

MD5
1e1a720f966b006ad25fc6b35085a1fa

SHA1
5888f8e6e98d33e61b23adae43bd5cb246687211

SHA256
efbc99c68d32bbaff910a856ea95fa5131e273054431620239280bd6af28f2b1

SHA512
18dec64fb7ec4f0df5cebc14ef3f2eb9558f925ecd43912c8ac25be76b5983cef075b25e543d738a059d3e81a879579423c6f3717ef892968f160259884ca5c2

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe
Filesize
72KB

MD5
1e1a720f966b006ad25fc6b35085a1fa

SHA1
5888f8e6e98d33e61b23adae43bd5cb246687211

SHA256
efbc99c68d32bbaff910a856ea95fa5131e273054431620239280bd6af28f2b1

SHA512
18dec64fb7ec4f0df5cebc14ef3f2eb9558f925ecd43912c8ac25be76b5983cef075b25e543d738a059d3e81a879579423c6f3717ef892968f160259884ca5c2

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe
Filesize
72KB

MD5
4bfd9d48d032a9e52a842cf1bb117309

SHA1
93971648a9df95fa33a3f2d739e9d1fcc114ca7b

SHA256
dbe909730bd63b3a6446f3f974cee25b6114b842a9029e08c203dd273fd63d67

SHA512
787685e8fe2e8d2acd36aed33ae31b778a3039a9a42c8dd01d73ed3c9332b4ad5a5ad447df8790b263e38c15d35197ba36760b5cda05387b4cddb2cb931754bc

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe
Filesize
72KB

MD5
4bfd9d48d032a9e52a842cf1bb117309

SHA1
93971648a9df95fa33a3f2d739e9d1fcc114ca7b

SHA256
dbe909730bd63b3a6446f3f974cee25b6114b842a9029e08c203dd273fd63d67

SHA512
787685e8fe2e8d2acd36aed33ae31b778a3039a9a42c8dd01d73ed3c9332b4ad5a5ad447df8790b263e38c15d35197ba36760b5cda05387b4cddb2cb931754bc

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
Filesize
72KB

MD5
1e1a720f966b006ad25fc6b35085a1fa

SHA1
5888f8e6e98d33e61b23adae43bd5cb246687211

SHA256
efbc99c68d32bbaff910a856ea95fa5131e273054431620239280bd6af28f2b1

SHA512
18dec64fb7ec4f0df5cebc14ef3f2eb9558f925ecd43912c8ac25be76b5983cef075b25e543d738a059d3e81a879579423c6f3717ef892968f160259884ca5c2

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
Filesize
72KB

MD5
1e1a720f966b006ad25fc6b35085a1fa

SHA1
5888f8e6e98d33e61b23adae43bd5cb246687211

SHA256
efbc99c68d32bbaff910a856ea95fa5131e273054431620239280bd6af28f2b1

SHA512
18dec64fb7ec4f0df5cebc14ef3f2eb9558f925ecd43912c8ac25be76b5983cef075b25e543d738a059d3e81a879579423c6f3717ef892968f160259884ca5c2

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe
Filesize
72KB

MD5
1e1a720f966b006ad25fc6b35085a1fa

SHA1
5888f8e6e98d33e61b23adae43bd5cb246687211

SHA256
efbc99c68d32bbaff910a856ea95fa5131e273054431620239280bd6af28f2b1

SHA512
18dec64fb7ec4f0df5cebc14ef3f2eb9558f925ecd43912c8ac25be76b5983cef075b25e543d738a059d3e81a879579423c6f3717ef892968f160259884ca5c2

Download Submit
\Program Files\Common Files\System Restore.exe
Filesize
72KB

MD5
bc4d298b3cc81b4da1ba682cf2d74248

SHA1
2329e2e178ec400849e904427b38195e1ede76dd

SHA256
d95e7e57511d796f3050e16eb1fefb83f6e147f2431f50d9cb6bf82e6fbe978e

SHA512
b7de4bc080c822dacacb4308e3d8f5b8135298a15d3933b30b2a8bc72122a4e5679affda963fbd6bef703bca9e17bb72ee49f64eb6b98e58b695edd4353ec318

Download Submit
\Program Files\Common Files\System Restore.exe
Filesize
72KB

MD5
bc4d298b3cc81b4da1ba682cf2d74248

SHA1
2329e2e178ec400849e904427b38195e1ede76dd

SHA256
d95e7e57511d796f3050e16eb1fefb83f6e147f2431f50d9cb6bf82e6fbe978e

SHA512
b7de4bc080c822dacacb4308e3d8f5b8135298a15d3933b30b2a8bc72122a4e5679affda963fbd6bef703bca9e17bb72ee49f64eb6b98e58b695edd4353ec318

Download Submit
\Program Files\backup.exe
Filesize
72KB

MD5
535db604bfa71b3a80a9cc4b99a129cd

SHA1
de29af1916ab8465f8c8dd394f1ee0565cec138f

SHA256
2af30c8ae8a8e487d3052cca7dffc14a610abb2e5fc9fcc422a08fbda5a1a7fb

SHA512
f424b7fde9a955ba1dd7c9b77167effa69c1f888a41f3072f77e5d360ca96ab251ed0a10521bb4447bbb3c6ef6767968a9ac46048f572cde008e2c56a2d08133

Download Submit
\Program Files\backup.exe
Filesize
72KB

MD5
535db604bfa71b3a80a9cc4b99a129cd

SHA1
de29af1916ab8465f8c8dd394f1ee0565cec138f

SHA256
2af30c8ae8a8e487d3052cca7dffc14a610abb2e5fc9fcc422a08fbda5a1a7fb

SHA512
f424b7fde9a955ba1dd7c9b77167effa69c1f888a41f3072f77e5d360ca96ab251ed0a10521bb4447bbb3c6ef6767968a9ac46048f572cde008e2c56a2d08133

Download Submit
\Users\Admin\AppData\Local\Temp\2019930328\backup.exe
Filesize
72KB

MD5
6da66f4d871939662e1cfd13203a77a6

SHA1
bbdfa91d10cdd5e2e690799597de759b11acb35e

SHA256
e4d5c36faffa28a1fe5034a5b6baff18116c1b068ffa47cfc42234bf1c84d3ed

SHA512
1b8d5e55943a0ab3eaef3f4fee1dc5d986f3638f741bbf10ecbb29f63f48439a05f19440e764d6a18f88c6832ac99d21a604689d23fbb562208701157c22429d

Download Submit
\Users\Admin\AppData\Local\Temp\2019930328\backup.exe
Filesize
72KB

MD5
6da66f4d871939662e1cfd13203a77a6

SHA1
bbdfa91d10cdd5e2e690799597de759b11acb35e

SHA256
e4d5c36faffa28a1fe5034a5b6baff18116c1b068ffa47cfc42234bf1c84d3ed

SHA512
1b8d5e55943a0ab3eaef3f4fee1dc5d986f3638f741bbf10ecbb29f63f48439a05f19440e764d6a18f88c6832ac99d21a604689d23fbb562208701157c22429d

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe
Filesize
72KB

MD5
cf217c672702947f95bfcad50183a12b

SHA1
2070084808db464be6ccc4f03babe1ac5a6c485a

SHA256
f974955953b4fb94075ed566e71aca53f937195b894956f04ec2669869d854ee

SHA512
5a84070dca9c3c7131b910dc20452a0476b212cf78c4829fd8505318d7a32ae6474e34a00f6d9c2e5ba2cca8b2e842caab14175ceee36445a5c29b20232abace

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe
Filesize
72KB

MD5
cf217c672702947f95bfcad50183a12b

SHA1
2070084808db464be6ccc4f03babe1ac5a6c485a

SHA256
f974955953b4fb94075ed566e71aca53f937195b894956f04ec2669869d854ee

SHA512
5a84070dca9c3c7131b910dc20452a0476b212cf78c4829fd8505318d7a32ae6474e34a00f6d9c2e5ba2cca8b2e842caab14175ceee36445a5c29b20232abace

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
Filesize
72KB

MD5
cf217c672702947f95bfcad50183a12b

SHA1
2070084808db464be6ccc4f03babe1ac5a6c485a

SHA256
f974955953b4fb94075ed566e71aca53f937195b894956f04ec2669869d854ee

SHA512
5a84070dca9c3c7131b910dc20452a0476b212cf78c4829fd8505318d7a32ae6474e34a00f6d9c2e5ba2cca8b2e842caab14175ceee36445a5c29b20232abace

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
Filesize
72KB

MD5
cf217c672702947f95bfcad50183a12b

SHA1
2070084808db464be6ccc4f03babe1ac5a6c485a

SHA256
f974955953b4fb94075ed566e71aca53f937195b894956f04ec2669869d854ee

SHA512
5a84070dca9c3c7131b910dc20452a0476b212cf78c4829fd8505318d7a32ae6474e34a00f6d9c2e5ba2cca8b2e842caab14175ceee36445a5c29b20232abace

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
Filesize
72KB

MD5
cf217c672702947f95bfcad50183a12b

SHA1
2070084808db464be6ccc4f03babe1ac5a6c485a

SHA256
f974955953b4fb94075ed566e71aca53f937195b894956f04ec2669869d854ee

SHA512
5a84070dca9c3c7131b910dc20452a0476b212cf78c4829fd8505318d7a32ae6474e34a00f6d9c2e5ba2cca8b2e842caab14175ceee36445a5c29b20232abace

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
Filesize
72KB

MD5
cf217c672702947f95bfcad50183a12b

SHA1
2070084808db464be6ccc4f03babe1ac5a6c485a

SHA256
f974955953b4fb94075ed566e71aca53f937195b894956f04ec2669869d854ee

SHA512
5a84070dca9c3c7131b910dc20452a0476b212cf78c4829fd8505318d7a32ae6474e34a00f6d9c2e5ba2cca8b2e842caab14175ceee36445a5c29b20232abace

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
Filesize
72KB

MD5
4aada418c227ecc9f3341bfccaf891f1

SHA1
b38ce5b3ee42dd9483b7c01c8052369f9db88bfa

SHA256
438e38bf5a63f49c37206a391edc176cf6e0fa5bb3de30b880a2372ad52131ac

SHA512
0d082ec6870463f3ef53075ea54d08adb068b5b5f00332e8a125651b387f28e90b8fb579c085366660cf3144f31a39d5cb314574c3fe59dc3d4d09d87285b47b

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
Filesize
72KB

MD5
4aada418c227ecc9f3341bfccaf891f1

SHA1
b38ce5b3ee42dd9483b7c01c8052369f9db88bfa

SHA256
438e38bf5a63f49c37206a391edc176cf6e0fa5bb3de30b880a2372ad52131ac

SHA512
0d082ec6870463f3ef53075ea54d08adb068b5b5f00332e8a125651b387f28e90b8fb579c085366660cf3144f31a39d5cb314574c3fe59dc3d4d09d87285b47b

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\data.exe
Filesize
72KB

MD5
cf217c672702947f95bfcad50183a12b

SHA1
2070084808db464be6ccc4f03babe1ac5a6c485a

SHA256
f974955953b4fb94075ed566e71aca53f937195b894956f04ec2669869d854ee

SHA512
5a84070dca9c3c7131b910dc20452a0476b212cf78c4829fd8505318d7a32ae6474e34a00f6d9c2e5ba2cca8b2e842caab14175ceee36445a5c29b20232abace

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\data.exe
Filesize
72KB

MD5
cf217c672702947f95bfcad50183a12b

SHA1
2070084808db464be6ccc4f03babe1ac5a6c485a

SHA256
f974955953b4fb94075ed566e71aca53f937195b894956f04ec2669869d854ee

SHA512
5a84070dca9c3c7131b910dc20452a0476b212cf78c4829fd8505318d7a32ae6474e34a00f6d9c2e5ba2cca8b2e842caab14175ceee36445a5c29b20232abace

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
Filesize
72KB

MD5
cf217c672702947f95bfcad50183a12b

SHA1
2070084808db464be6ccc4f03babe1ac5a6c485a

SHA256
f974955953b4fb94075ed566e71aca53f937195b894956f04ec2669869d854ee

SHA512
5a84070dca9c3c7131b910dc20452a0476b212cf78c4829fd8505318d7a32ae6474e34a00f6d9c2e5ba2cca8b2e842caab14175ceee36445a5c29b20232abace

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
Filesize
72KB

MD5
cf217c672702947f95bfcad50183a12b

SHA1
2070084808db464be6ccc4f03babe1ac5a6c485a

SHA256
f974955953b4fb94075ed566e71aca53f937195b894956f04ec2669869d854ee

SHA512
5a84070dca9c3c7131b910dc20452a0476b212cf78c4829fd8505318d7a32ae6474e34a00f6d9c2e5ba2cca8b2e842caab14175ceee36445a5c29b20232abace

Download Submit
memory/324-182-0x0000000000000000-mapping.dmp

Download
memory/340-244-0x0000000000000000-mapping.dmp

Download
memory/584-243-0x0000000000000000-mapping.dmp

Download
memory/600-265-0x0000000000000000-mapping.dmp

Download
memory/664-174-0x0000000000000000-mapping.dmp

Download
memory/680-301-0x0000000000000000-mapping.dmp

Download
memory/812-207-0x0000000000000000-mapping.dmp

Download
memory/852-232-0x0000000000000000-mapping.dmp

Download
memory/920-197-0x0000000000000000-mapping.dmp

Download
memory/932-96-0x0000000000000000-mapping.dmp

Download
memory/932-267-0x0000000000000000-mapping.dmp

Download
memory/968-273-0x0000000000000000-mapping.dmp

Download
memory/1000-76-0x0000000000000000-mapping.dmp

Download
memory/1000-185-0x0000000000000000-mapping.dmp

Download
memory/1028-299-0x0000000000000000-mapping.dmp

Download
memory/1028-168-0x0000000000000000-mapping.dmp

Download
memory/1044-208-0x0000000000000000-mapping.dmp

Download
memory/1072-106-0x0000000000000000-mapping.dmp

Download
memory/1132-217-0x0000000000000000-mapping.dmp

Download
memory/1164-107-0x0000000075671000-0x0000000075673000-memory.dmp

Filesize
8KB

Download
memory/1164-112-0x0000000074061000-0x0000000074063000-memory.dmp

Filesize
8KB

Download
memory/1256-203-0x0000000000000000-mapping.dmp

Download
memory/1292-238-0x0000000000000000-mapping.dmp

Download
memory/1296-235-0x0000000000000000-mapping.dmp

Download
memory/1324-141-0x0000000000000000-mapping.dmp

Download
memory/1328-179-0x0000000000000000-mapping.dmp

Download
memory/1332-305-0x0000000000000000-mapping.dmp

Download
memory/1336-245-0x0000000000000000-mapping.dmp

Download
memory/1356-303-0x0000000000000000-mapping.dmp

Download
memory/1376-218-0x0000000000000000-mapping.dmp

Download
memory/1404-264-0x0000000000000000-mapping.dmp

Download
memory/1424-271-0x0000000000000000-mapping.dmp

Download
memory/1492-191-0x0000000000000000-mapping.dmp

Download
memory/1504-263-0x0000000000000000-mapping.dmp

Download
memory/1512-70-0x0000000000000000-mapping.dmp

Download
memory/1516-64-0x0000000000000000-mapping.dmp

Download
memory/1552-214-0x0000000000000000-mapping.dmp

Download
memory/1560-192-0x0000000000000000-mapping.dmp

Download
memory/1584-266-0x0000000000000000-mapping.dmp

Download
memory/1588-302-0x0000000000000000-mapping.dmp

Download
memory/1588-215-0x0000000000000000-mapping.dmp

Download
memory/1600-161-0x0000000000000000-mapping.dmp

Download
memory/1612-233-0x0000000000000000-mapping.dmp

Download
memory/1616-155-0x0000000000000000-mapping.dmp

Download
memory/1644-294-0x0000000000000000-mapping.dmp

Download
memory/1648-58-0x0000000000000000-mapping.dmp

Download
memory/1676-88-0x0000000000000000-mapping.dmp

Download
memory/1692-188-0x0000000000000000-mapping.dmp

Download
memory/1692-260-0x0000000000000000-mapping.dmp

Download
memory/1716-296-0x0000000000000000-mapping.dmp

Download
memory/1720-270-0x0000000000000000-mapping.dmp

Download
memory/1732-135-0x0000000000000000-mapping.dmp

Download
memory/1732-216-0x0000000000000000-mapping.dmp

Download
memory/1740-275-0x0000000000000000-mapping.dmp

Download
memory/1752-128-0x0000000000000000-mapping.dmp

Download
memory/1756-93-0x0000000000000000-mapping.dmp

Download
memory/1776-306-0x0000000000000000-mapping.dmp

Download
memory/1792-115-0x0000000000000000-mapping.dmp

Download
memory/1796-200-0x0000000000000000-mapping.dmp

Download
memory/1804-82-0x0000000000000000-mapping.dmp

Download
memory/1928-246-0x0000000000000000-mapping.dmp

Download
memory/1968-234-0x0000000000000000-mapping.dmp

Download
memory/1992-148-0x0000000000000000-mapping.dmp

Download
memory/2012-213-0x0000000000000000-mapping.dmp

Download
memory/2032-121-0x0000000000000000-mapping.dmp

Download
memory/2040-292-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads