fa70d5fa5d95cb69764c4faa2cd9e078b771b825ffe95d7cf57d0fa2ae8221b4

Analysis

max time kernel
161s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
29/11/2022, 13:35

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

fa70d5fa5d95cb69764c4faa2cd9e078b771b825ffe95d7cf57d0fa2ae8221b4.exe
Size

72KB
MD5

33e37e20da3fb92038fcb9c3f5f1b370
SHA1

8f03bd5f40b6ac9786cd6f6f0fba139b71e51c73
SHA256

fa70d5fa5d95cb69764c4faa2cd9e078b771b825ffe95d7cf57d0fa2ae8221b4
SHA512

c673840beedcbe8bd01309c1440a4457c738f1227ea729aa9d0922601f5fe2232ab912941e91183827e6c4e33f72692326a70a47a5879142e338c146c03ec927
SSDEEP

384:IU6wayA+1mwnA353BXR+oGfPZT9lP50L8h0B62B/VweIo46VL/Wr/83BXR+oGf2h:IUpQNwC3BEtB9P0YzoJVsE3BEJwRr9

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Executes dropped EXE 64 IoCs

pid	Process
1948	backup.exe
2036	backup.exe
1696	backup.exe
900	backup.exe
276	backup.exe
1888	backup.exe
1192	backup.exe
396	backup.exe
1896	backup.exe
1672	backup.exe
556	backup.exe
1704	backup.exe
1180	backup.exe
1452	backup.exe
1916	backup.exe
768	backup.exe
1620	backup.exe
2028	backup.exe
1344	System Restore.exe
1104	System Restore.exe
1600	backup.exe
1468	backup.exe
1776	backup.exe
1284	backup.exe
1748	backup.exe
1232	backup.exe
1576	backup.exe
1580	backup.exe
1828	backup.exe
1196	backup.exe
1544	backup.exe
1820	backup.exe
608	backup.exe
1160	backup.exe
1252	backup.exe
1844	backup.exe
2008	backup.exe
1704	backup.exe
1180	backup.exe
1116	backup.exe
984	backup.exe
2004	backup.exe
844	backup.exe
1520	backup.exe
1988	backup.exe
1984	backup.exe
1904	backup.exe
888	backup.exe
1716	backup.exe
568	backup.exe
1992	backup.exe
332	backup.exe
1232	backup.exe
1460	backup.exe
1748	backup.exe
1580	backup.exe
1592	backup.exe
1764	backup.exe
1068	backup.exe
1692	backup.exe
1668	update.exe
1072	System Restore.exe
1972	backup.exe
1004	backup.exe

Loads dropped DLL 64 IoCs

pid	Process
2044	fa70d5fa5d95cb69764c4faa2cd9e078b771b825ffe95d7cf57d0fa2ae8221b4.exe
2044	fa70d5fa5d95cb69764c4faa2cd9e078b771b825ffe95d7cf57d0fa2ae8221b4.exe
2044	fa70d5fa5d95cb69764c4faa2cd9e078b771b825ffe95d7cf57d0fa2ae8221b4.exe
2044	fa70d5fa5d95cb69764c4faa2cd9e078b771b825ffe95d7cf57d0fa2ae8221b4.exe
2044	fa70d5fa5d95cb69764c4faa2cd9e078b771b825ffe95d7cf57d0fa2ae8221b4.exe
2044	fa70d5fa5d95cb69764c4faa2cd9e078b771b825ffe95d7cf57d0fa2ae8221b4.exe
2044	fa70d5fa5d95cb69764c4faa2cd9e078b771b825ffe95d7cf57d0fa2ae8221b4.exe
2044	fa70d5fa5d95cb69764c4faa2cd9e078b771b825ffe95d7cf57d0fa2ae8221b4.exe
2044	fa70d5fa5d95cb69764c4faa2cd9e078b771b825ffe95d7cf57d0fa2ae8221b4.exe
2044	fa70d5fa5d95cb69764c4faa2cd9e078b771b825ffe95d7cf57d0fa2ae8221b4.exe
2044	fa70d5fa5d95cb69764c4faa2cd9e078b771b825ffe95d7cf57d0fa2ae8221b4.exe
2044	fa70d5fa5d95cb69764c4faa2cd9e078b771b825ffe95d7cf57d0fa2ae8221b4.exe
2044	fa70d5fa5d95cb69764c4faa2cd9e078b771b825ffe95d7cf57d0fa2ae8221b4.exe
2044	fa70d5fa5d95cb69764c4faa2cd9e078b771b825ffe95d7cf57d0fa2ae8221b4.exe
396	backup.exe
396	backup.exe
1896	backup.exe
1896	backup.exe
396	backup.exe
396	backup.exe
556	backup.exe
556	backup.exe
1704	backup.exe
1704	backup.exe
556	backup.exe
556	backup.exe
1452	backup.exe
1452	backup.exe
1916	backup.exe
1916	backup.exe
1916	backup.exe
1916	backup.exe
1620	backup.exe
1620	backup.exe
1620	backup.exe
1620	backup.exe
1620	backup.exe
1620	backup.exe
1620	backup.exe
1620	backup.exe
1620	backup.exe
1620	backup.exe
1620	backup.exe
1620	backup.exe
1620	backup.exe
1620	backup.exe
1620	backup.exe
1620	backup.exe
1620	backup.exe
1620	backup.exe
1620	backup.exe
1620	backup.exe
1620	backup.exe
1620	backup.exe
1620	backup.exe
1620	backup.exe
1828	backup.exe
1828	backup.exe
1828	backup.exe
1828	backup.exe
1828	backup.exe
1828	backup.exe
1828	backup.exe
1828	backup.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\System Restore.exe	update.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\System Restore.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\System Restore.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\backup.exe	System Restore.exe
File opened for modification	C:\Program Files (x86)\Adobe\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\update.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\update.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Services\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe	backup.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\AppPatch\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\backup.exe	backup.exe
File opened for modification	C:\Windows\backup.exe	backup.exe
File opened for modification	C:\Windows\addins\backup.exe	backup.exe
File opened for modification	C:\Windows\AppCompat\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2044	fa70d5fa5d95cb69764c4faa2cd9e078b771b825ffe95d7cf57d0fa2ae8221b4.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2044	fa70d5fa5d95cb69764c4faa2cd9e078b771b825ffe95d7cf57d0fa2ae8221b4.exe
1948	backup.exe
2036	backup.exe
1696	backup.exe
900	backup.exe
276	backup.exe
1888	backup.exe
1192	backup.exe
396	backup.exe
1896	backup.exe
1672	backup.exe
556	backup.exe
1704	backup.exe
1180	backup.exe
1452	backup.exe
1916	backup.exe
768	backup.exe
1620	backup.exe
2028	backup.exe
1344	System Restore.exe
1104	System Restore.exe
1600	backup.exe
1468	backup.exe
1776	backup.exe
1284	backup.exe
1748	backup.exe
1232	backup.exe
1576	backup.exe
1580	backup.exe
1828	backup.exe
1196	backup.exe
1544	backup.exe
1820	backup.exe
608	backup.exe
1160	backup.exe
1252	backup.exe
1844	backup.exe
2008	backup.exe
1180	backup.exe
1704	backup.exe
1116	backup.exe
984	backup.exe
2004	backup.exe
844	backup.exe
1988	backup.exe
1984	backup.exe
1904	backup.exe
888	backup.exe
1716	backup.exe
568	backup.exe
1992	backup.exe
332	backup.exe
1460	backup.exe
1748	backup.exe
1232	backup.exe
1580	backup.exe
1592	backup.exe
1764	backup.exe
1068	backup.exe
1692	backup.exe
1004	backup.exe
1972	backup.exe
1072	System Restore.exe
1148	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2044 wrote to memory of 1948	2044	fa70d5fa5d95cb69764c4faa2cd9e078b771b825ffe95d7cf57d0fa2ae8221b4.exe	27
PID 2044 wrote to memory of 1948	2044	fa70d5fa5d95cb69764c4faa2cd9e078b771b825ffe95d7cf57d0fa2ae8221b4.exe	27
PID 2044 wrote to memory of 1948	2044	fa70d5fa5d95cb69764c4faa2cd9e078b771b825ffe95d7cf57d0fa2ae8221b4.exe	27
PID 2044 wrote to memory of 1948	2044	fa70d5fa5d95cb69764c4faa2cd9e078b771b825ffe95d7cf57d0fa2ae8221b4.exe	27
PID 2044 wrote to memory of 2036	2044	fa70d5fa5d95cb69764c4faa2cd9e078b771b825ffe95d7cf57d0fa2ae8221b4.exe	28
PID 2044 wrote to memory of 2036	2044	fa70d5fa5d95cb69764c4faa2cd9e078b771b825ffe95d7cf57d0fa2ae8221b4.exe	28
PID 2044 wrote to memory of 2036	2044	fa70d5fa5d95cb69764c4faa2cd9e078b771b825ffe95d7cf57d0fa2ae8221b4.exe	28
PID 2044 wrote to memory of 2036	2044	fa70d5fa5d95cb69764c4faa2cd9e078b771b825ffe95d7cf57d0fa2ae8221b4.exe	28
PID 2044 wrote to memory of 1696	2044	fa70d5fa5d95cb69764c4faa2cd9e078b771b825ffe95d7cf57d0fa2ae8221b4.exe	29
PID 2044 wrote to memory of 1696	2044	fa70d5fa5d95cb69764c4faa2cd9e078b771b825ffe95d7cf57d0fa2ae8221b4.exe	29
PID 2044 wrote to memory of 1696	2044	fa70d5fa5d95cb69764c4faa2cd9e078b771b825ffe95d7cf57d0fa2ae8221b4.exe	29
PID 2044 wrote to memory of 1696	2044	fa70d5fa5d95cb69764c4faa2cd9e078b771b825ffe95d7cf57d0fa2ae8221b4.exe	29
PID 2044 wrote to memory of 900	2044	fa70d5fa5d95cb69764c4faa2cd9e078b771b825ffe95d7cf57d0fa2ae8221b4.exe	30
PID 2044 wrote to memory of 900	2044	fa70d5fa5d95cb69764c4faa2cd9e078b771b825ffe95d7cf57d0fa2ae8221b4.exe	30
PID 2044 wrote to memory of 900	2044	fa70d5fa5d95cb69764c4faa2cd9e078b771b825ffe95d7cf57d0fa2ae8221b4.exe	30
PID 2044 wrote to memory of 900	2044	fa70d5fa5d95cb69764c4faa2cd9e078b771b825ffe95d7cf57d0fa2ae8221b4.exe	30
PID 2044 wrote to memory of 276	2044	fa70d5fa5d95cb69764c4faa2cd9e078b771b825ffe95d7cf57d0fa2ae8221b4.exe	31
PID 2044 wrote to memory of 276	2044	fa70d5fa5d95cb69764c4faa2cd9e078b771b825ffe95d7cf57d0fa2ae8221b4.exe	31
PID 2044 wrote to memory of 276	2044	fa70d5fa5d95cb69764c4faa2cd9e078b771b825ffe95d7cf57d0fa2ae8221b4.exe	31
PID 2044 wrote to memory of 276	2044	fa70d5fa5d95cb69764c4faa2cd9e078b771b825ffe95d7cf57d0fa2ae8221b4.exe	31
PID 2044 wrote to memory of 1888	2044	fa70d5fa5d95cb69764c4faa2cd9e078b771b825ffe95d7cf57d0fa2ae8221b4.exe	32
PID 2044 wrote to memory of 1888	2044	fa70d5fa5d95cb69764c4faa2cd9e078b771b825ffe95d7cf57d0fa2ae8221b4.exe	32
PID 2044 wrote to memory of 1888	2044	fa70d5fa5d95cb69764c4faa2cd9e078b771b825ffe95d7cf57d0fa2ae8221b4.exe	32
PID 2044 wrote to memory of 1888	2044	fa70d5fa5d95cb69764c4faa2cd9e078b771b825ffe95d7cf57d0fa2ae8221b4.exe	32
PID 2044 wrote to memory of 1192	2044	fa70d5fa5d95cb69764c4faa2cd9e078b771b825ffe95d7cf57d0fa2ae8221b4.exe	33
PID 2044 wrote to memory of 1192	2044	fa70d5fa5d95cb69764c4faa2cd9e078b771b825ffe95d7cf57d0fa2ae8221b4.exe	33
PID 2044 wrote to memory of 1192	2044	fa70d5fa5d95cb69764c4faa2cd9e078b771b825ffe95d7cf57d0fa2ae8221b4.exe	33
PID 2044 wrote to memory of 1192	2044	fa70d5fa5d95cb69764c4faa2cd9e078b771b825ffe95d7cf57d0fa2ae8221b4.exe	33
PID 1948 wrote to memory of 396	1948	backup.exe	34
PID 1948 wrote to memory of 396	1948	backup.exe	34
PID 1948 wrote to memory of 396	1948	backup.exe	34
PID 1948 wrote to memory of 396	1948	backup.exe	34
PID 396 wrote to memory of 1896	396	backup.exe	35
PID 396 wrote to memory of 1896	396	backup.exe	35
PID 396 wrote to memory of 1896	396	backup.exe	35
PID 396 wrote to memory of 1896	396	backup.exe	35
PID 1896 wrote to memory of 1672	1896	backup.exe	36
PID 1896 wrote to memory of 1672	1896	backup.exe	36
PID 1896 wrote to memory of 1672	1896	backup.exe	36
PID 1896 wrote to memory of 1672	1896	backup.exe	36
PID 396 wrote to memory of 556	396	backup.exe	37
PID 396 wrote to memory of 556	396	backup.exe	37
PID 396 wrote to memory of 556	396	backup.exe	37
PID 396 wrote to memory of 556	396	backup.exe	37
PID 556 wrote to memory of 1704	556	backup.exe	38
PID 556 wrote to memory of 1704	556	backup.exe	38
PID 556 wrote to memory of 1704	556	backup.exe	38
PID 556 wrote to memory of 1704	556	backup.exe	38
PID 1704 wrote to memory of 1180	1704	backup.exe	39
PID 1704 wrote to memory of 1180	1704	backup.exe	39
PID 1704 wrote to memory of 1180	1704	backup.exe	39
PID 1704 wrote to memory of 1180	1704	backup.exe	39
PID 556 wrote to memory of 1452	556	backup.exe	40
PID 556 wrote to memory of 1452	556	backup.exe	40
PID 556 wrote to memory of 1452	556	backup.exe	40
PID 556 wrote to memory of 1452	556	backup.exe	40
PID 1452 wrote to memory of 1916	1452	backup.exe	41
PID 1452 wrote to memory of 1916	1452	backup.exe	41
PID 1452 wrote to memory of 1916	1452	backup.exe	41
PID 1452 wrote to memory of 1916	1452	backup.exe	41
PID 1916 wrote to memory of 768	1916	backup.exe	42
PID 1916 wrote to memory of 768	1916	backup.exe	42
PID 1916 wrote to memory of 768	1916	backup.exe	42
PID 1916 wrote to memory of 768	1916	backup.exe	42

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe

C:\Users\Admin\AppData\Local\Temp\fa70d5fa5d95cb69764c4faa2cd9e078b771b825ffe95d7cf57d0fa2ae8221b4.exe
"C:\Users\Admin\AppData\Local\Temp\fa70d5fa5d95cb69764c4faa2cd9e078b771b825ffe95d7cf57d0fa2ae8221b4.exe"
1⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Users\Admin\AppData\Local\Temp\1410017387\backup.exe
  C:\Users\Admin\AppData\Local\Temp\1410017387\backup.exe C:\Users\Admin\AppData\Local\Temp\1410017387\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1948
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:396
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1896
    - - C:\PerfLogs\Admin\backup.exe
        
        C:\PerfLogs\Admin\backup.exe C:\PerfLogs\Admin\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1672
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:556
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1704
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1180
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1452
      - C:\Program Files\Common Files\Microsoft Shared\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\backup.exe" C:\Program Files\Common Files\Microsoft Shared\
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1916
        
        C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:768
        
        C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1620
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2028
        
        C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1344
        
        C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1104
        
        C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1600
        
        C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1468
        
        C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1776
        
        C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1284
        
        C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1748
        
        C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1232
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1576
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1580
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1828
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1196
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1544
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1820
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:608
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1160
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1252
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1844
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2008
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1116
        
        C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:984
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        System policy modification
        
        PID:1520
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1984
        
        C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\
        8⤵
        Executes dropped EXE
        System policy modification
        
        PID:1668
        
        C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\
        8⤵
        System policy modification
        
        PID:996
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\
        8⤵
        
        PID:568
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1576
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\
        8⤵
        
        PID:364
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\
        8⤵
        
        PID:2028
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\
        8⤵
        System policy modification
        
        PID:1992
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\
        8⤵
        
        PID:1456
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1468
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\
        8⤵
        
        PID:1988
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\
        8⤵
        
        PID:1472
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\
        8⤵
        
        PID:1700
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\
        8⤵
        
        PID:608
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\
        8⤵
        
        PID:1924
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\
        8⤵
        
        PID:1596
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\
        8⤵
        
        PID:588
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\
        8⤵
        
        PID:2228
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:2004
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:568
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1992
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1232
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1764
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1072
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\
        8⤵
        
        PID:772
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:2024
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2036
        
        C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1584
        
        C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\
        7⤵
        System policy modification
        
        PID:1692
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1072
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\
        8⤵
        System policy modification
        
        PID:1116
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:780
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\
        8⤵
        
        PID:1576
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\data.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\
        8⤵
        System policy modification
        
        PID:836
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1992
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\
        8⤵
        
        PID:1984
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\
        7⤵
        
        PID:2036
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\
        8⤵
        
        PID:1656
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\
        8⤵
        
        PID:2064
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\
        8⤵
        
        PID:2204
        
        C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VC\
        7⤵
        
        PID:1192
        
        C:\Program Files\Common Files\Microsoft Shared\VGX\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VGX\update.exe" C:\Program Files\Common Files\Microsoft Shared\VGX\
        7⤵
        
        PID:1472
        
        C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\
        7⤵
        
        PID:2088
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1704
      - C:\Program Files\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\backup.exe" C:\Program Files\Common Files\SpeechEngines\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1904
        
        C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files\Common Files\SpeechEngines\Microsoft\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1748
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1068
        
        C:\Program Files\Common Files\System\ado\backup.exe
        
        "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1004
        
        C:\Program Files\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
        8⤵
        
        PID:1244
        
        C:\Program Files\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1940
        
        C:\Program Files\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
        8⤵
        
        PID:1472
        
        C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
        8⤵
        System policy modification
        
        PID:1556
        
        C:\Program Files\Common Files\System\ado\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:580
        
        C:\Program Files\Common Files\System\ado\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1396
        
        C:\Program Files\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        
        PID:944
        
        C:\Program Files\Common Files\System\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        
        PID:956
        
        C:\Program Files\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1552
        
        C:\Program Files\Common Files\System\fr-FR\update.exe
        
        "C:\Program Files\Common Files\System\fr-FR\update.exe" C:\Program Files\Common Files\System\fr-FR\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1588
        
        C:\Program Files\Common Files\System\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\it-IT\backup.exe" C:\Program Files\Common Files\System\it-IT\
        7⤵
        
        PID:580
        
        C:\Program Files\Common Files\System\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ja-JP\backup.exe" C:\Program Files\Common Files\System\ja-JP\
        7⤵
        
        PID:1912
        
        C:\Program Files\Common Files\System\msadc\data.exe
        
        "C:\Program Files\Common Files\System\msadc\data.exe" C:\Program Files\Common Files\System\msadc\
        7⤵
        
        PID:988
        
        C:\Program Files\Common Files\System\Ole DB\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\backup.exe" C:\Program Files\Common Files\System\Ole DB\
        7⤵
        
        PID:996
    - - C:\Program Files\DVD Maker\backup.exe
        
        "C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:844
      - C:\Program Files\DVD Maker\de-DE\backup.exe
        
        "C:\Program Files\DVD Maker\de-DE\backup.exe" C:\Program Files\DVD Maker\de-DE\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:888
      - C:\Program Files\DVD Maker\en-US\backup.exe
        
        "C:\Program Files\DVD Maker\en-US\backup.exe" C:\Program Files\DVD Maker\en-US\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1460
      - C:\Program Files\DVD Maker\es-ES\backup.exe
        
        "C:\Program Files\DVD Maker\es-ES\backup.exe" C:\Program Files\DVD Maker\es-ES\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1692
      - C:\Program Files\DVD Maker\fr-FR\backup.exe
        
        "C:\Program Files\DVD Maker\fr-FR\backup.exe" C:\Program Files\DVD Maker\fr-FR\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1972
      - C:\Program Files\DVD Maker\it-IT\backup.exe
        
        "C:\Program Files\DVD Maker\it-IT\backup.exe" C:\Program Files\DVD Maker\it-IT\
        6⤵
        
        PID:436
      - C:\Program Files\DVD Maker\ja-JP\backup.exe
        
        "C:\Program Files\DVD Maker\ja-JP\backup.exe" C:\Program Files\DVD Maker\ja-JP\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1464
      - C:\Program Files\DVD Maker\Shared\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\backup.exe" C:\Program Files\DVD Maker\Shared\
        6⤵
        Drops file in Program Files directory
        
        PID:1980
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\
        7⤵
        Drops file in Program Files directory
        
        PID:936
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\
        8⤵
        System policy modification
        
        PID:608
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\
        8⤵
        
        PID:1972
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\
        8⤵
        
        PID:1100
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Full\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1472
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\
        8⤵
        
        PID:1692
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1956
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\
        8⤵
        
        PID:2000
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\
        8⤵
        
        PID:1776
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\
        8⤵
        
        PID:1828
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\
        8⤵
        
        PID:1960
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Push\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Push\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Push\
        8⤵
        
        PID:1136
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\
        8⤵
        
        PID:2156
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\
        8⤵
        
        PID:2528
    - - C:\Program Files\Google\update.exe
        
        "C:\Program Files\Google\update.exe" C:\Program Files\Google\
        5⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:584
      - C:\Program Files\Google\Chrome\System Restore.exe
        
        "C:\Program Files\Google\Chrome\System Restore.exe" C:\Program Files\Google\Chrome\
        6⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1764
        
        C:\Program Files\Google\Chrome\Application\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\backup.exe" C:\Program Files\Google\Chrome\Application\
        7⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:552
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\
        8⤵
        Drops file in Program Files directory
        
        PID:1892
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\
        9⤵
        
        PID:1456
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\
        9⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:900
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\
        9⤵
        
        PID:1160
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\
        9⤵
        
        PID:824
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\
        9⤵
        
        PID:2072
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\
        9⤵
        
        PID:2244
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\
        9⤵
        
        PID:2536
        
        C:\Program Files\Google\Chrome\Application\Dictionaries\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\Dictionaries\backup.exe" C:\Program Files\Google\Chrome\Application\Dictionaries\
        8⤵
        
        PID:1628
        
        C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe" C:\Program Files\Google\Chrome\Application\SetupMetrics\
        8⤵
        
        PID:892
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        
        PID:888
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        
        PID:780
    - - C:\Program Files\Microsoft Games\backup.exe
        
        "C:\Program Files\Microsoft Games\backup.exe" C:\Program Files\Microsoft Games\
        5⤵
        
        PID:2080
    - - C:\Program Files\Microsoft Office\backup.exe
        
        "C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
        5⤵
        
        PID:2196
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      PID:1180
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1988
      - C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1716
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:332
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1580
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1592
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\
        8⤵
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1148
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1924
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:836
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\
        9⤵
        System policy modification
        
        PID:1732
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1344
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\
        8⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:1156
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\System Restore.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\
        9⤵
        System policy modification
        
        PID:1928
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\
        8⤵
        
        PID:996
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\
        8⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:920
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\update.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\update.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\
        9⤵
        System policy modification
        
        PID:1600
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\
        10⤵
        System policy modification
        
        PID:568
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\
        9⤵
        Drops file in Program Files directory
        
        PID:884
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1396
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\
        11⤵
        
        PID:2032
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\
        9⤵
        
        PID:1100
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\
        9⤵
        
        PID:2188
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\
        8⤵
        
        PID:1148
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\
        8⤵
        
        PID:1828
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\
        8⤵
        
        PID:2236
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\
        7⤵
        Drops file in Program Files directory
        
        PID:320
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\
        8⤵
        Drops file in Program Files directory
        
        PID:608
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1968
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\
        8⤵
        System policy modification
        
        PID:1028
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\
        8⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:2020
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\
        9⤵
        
        PID:1244
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\System Restore.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\
        9⤵
        
        PID:1532
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\
        8⤵
        
        PID:1844
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\
        8⤵
        
        PID:1732
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\
        9⤵
        
        PID:2180
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\
        7⤵
        
        PID:1552
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        
        PID:1460
      - C:\Program Files (x86)\Common Files\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
        6⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:2028
        
        C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\
        7⤵
        System policy modification
        
        PID:1844
        
        C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\
        7⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:952
        
        C:\Program Files (x86)\Common Files\Adobe\Help\en_US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\
        8⤵
        
        PID:1520
        
        C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Updater6\
        7⤵
        
        PID:1032
      - C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\
        6⤵
        
        PID:1348
      - C:\Program Files (x86)\Common Files\DESIGNER\backup.exe
        
        "C:\Program Files (x86)\Common Files\DESIGNER\backup.exe" C:\Program Files (x86)\Common Files\DESIGNER\
        6⤵
        
        PID:1476
      - C:\Program Files (x86)\Common Files\microsoft shared\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\
        6⤵
        
        PID:2096
      - C:\Program Files (x86)\Common Files\Services\backup.exe
        
        "C:\Program Files (x86)\Common Files\Services\backup.exe" C:\Program Files (x86)\Common Files\Services\
        6⤵
        
        PID:2220
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        
        PID:1676
      - C:\Program Files (x86)\Google\CrashReports\backup.exe
        
        "C:\Program Files (x86)\Google\CrashReports\backup.exe" C:\Program Files (x86)\Google\CrashReports\
        6⤵
        
        PID:1516
      - C:\Program Files (x86)\Google\Policies\backup.exe
        
        "C:\Program Files (x86)\Google\Policies\backup.exe" C:\Program Files (x86)\Google\Policies\
        6⤵
        
        PID:580
      - C:\Program Files (x86)\Google\Temp\backup.exe
        
        "C:\Program Files (x86)\Google\Temp\backup.exe" C:\Program Files (x86)\Google\Temp\
        6⤵
        
        PID:2164
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        
        PID:1708
    - - C:\Program Files (x86)\Microsoft Analysis Services\update.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\update.exe" C:\Program Files (x86)\Microsoft Analysis Services\
        5⤵
        
        PID:2004
    - - C:\Program Files (x86)\Microsoft Office\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\backup.exe" C:\Program Files (x86)\Microsoft Office\
        5⤵
        
        PID:2148
    - - C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\
        5⤵
        
        PID:2572
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      PID:1112
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:332
      - C:\Users\Admin\Contacts\backup.exe
        
        C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:920
      - C:\Users\Admin\Desktop\backup.exe
        
        C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
        6⤵
        System policy modification
        
        PID:1592
      - C:\Users\Admin\Documents\backup.exe
        
        C:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1912
      - C:\Users\Admin\Downloads\backup.exe
        
        C:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\
        6⤵
        System policy modification
        
        PID:1192
      - C:\Users\Admin\Favorites\update.exe
        
        C:\Users\Admin\Favorites\update.exe C:\Users\Admin\Favorites\
        6⤵
        
        PID:1556
      - C:\Users\Admin\Links\backup.exe
        
        C:\Users\Admin\Links\backup.exe C:\Users\Admin\Links\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:668
      - C:\Users\Admin\Music\backup.exe
        
        C:\Users\Admin\Music\backup.exe C:\Users\Admin\Music\
        6⤵
        
        PID:1668
      - C:\Users\Admin\Pictures\backup.exe
        
        C:\Users\Admin\Pictures\backup.exe C:\Users\Admin\Pictures\
        6⤵
        
        PID:1032
      - C:\Users\Admin\Saved Games\backup.exe
        
        "C:\Users\Admin\Saved Games\backup.exe" C:\Users\Admin\Saved Games\
        6⤵
        System policy modification
        
        PID:1656
      - C:\Users\Admin\Searches\backup.exe
        
        C:\Users\Admin\Searches\backup.exe C:\Users\Admin\Searches\
        6⤵
        
        PID:1468
      - C:\Users\Admin\Videos\backup.exe
        
        C:\Users\Admin\Videos\backup.exe C:\Users\Admin\Videos\
        6⤵
        
        PID:1672
    - - C:\Users\Public\backup.exe
        
        C:\Users\Public\backup.exe C:\Users\Public\
        5⤵
        System policy modification
        
        PID:964
      - C:\Users\Public\Documents\System Restore.exe
        
        "C:\Users\Public\Documents\System Restore.exe" C:\Users\Public\Documents\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1920
      - C:\Users\Public\Downloads\data.exe
        
        C:\Users\Public\Downloads\data.exe C:\Users\Public\Downloads\
        6⤵
        
        PID:780
      - C:\Users\Public\Music\backup.exe
        
        C:\Users\Public\Music\backup.exe C:\Users\Public\Music\
        6⤵
        
        PID:1592
        
        C:\Users\Public\Music\Sample Music\backup.exe
        
        "C:\Users\Public\Music\Sample Music\backup.exe" C:\Users\Public\Music\Sample Music\
        7⤵
        
        PID:840
      - C:\Users\Public\Pictures\backup.exe
        
        C:\Users\Public\Pictures\backup.exe C:\Users\Public\Pictures\
        6⤵
        
        PID:456
      - C:\Users\Public\Recorded TV\backup.exe
        
        "C:\Users\Public\Recorded TV\backup.exe" C:\Users\Public\Recorded TV\
        6⤵
        
        PID:1396
      - C:\Users\Public\Videos\backup.exe
        
        C:\Users\Public\Videos\backup.exe C:\Users\Public\Videos\
        6⤵
        
        PID:2056
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      Drops file in Windows directory
      System policy modification
      PID:700
    - - C:\Windows\addins\backup.exe
        
        C:\Windows\addins\backup.exe C:\Windows\addins\
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1092
    - - C:\Windows\AppCompat\backup.exe
        
        C:\Windows\AppCompat\backup.exe C:\Windows\AppCompat\
        5⤵
        System policy modification
        
        PID:364
    - - C:\Windows\AppPatch\backup.exe
        
        C:\Windows\AppPatch\backup.exe C:\Windows\AppPatch\
        5⤵
        
        PID:1724
    - - C:\Windows\assembly\backup.exe
        
        C:\Windows\assembly\backup.exe C:\Windows\assembly\
        5⤵
        
        PID:1968
      - C:\Windows\assembly\GAC\backup.exe
        
        C:\Windows\assembly\GAC\backup.exe C:\Windows\assembly\GAC\
        6⤵
        
        PID:1820
      - C:\Windows\assembly\GAC_32\backup.exe
        
        C:\Windows\assembly\GAC_32\backup.exe C:\Windows\assembly\GAC_32\
        6⤵
        
        PID:2172
      - C:\Windows\assembly\GAC_64\backup.exe
        
        C:\Windows\assembly\GAC_64\backup.exe C:\Windows\assembly\GAC_64\
        6⤵
        
        PID:2520
    - - C:\Windows\Branding\backup.exe
        
        C:\Windows\Branding\backup.exe C:\Windows\Branding\
        5⤵
        
        PID:1728
    - - C:\Windows\CSC\backup.exe
        
        C:\Windows\CSC\backup.exe C:\Windows\CSC\
        5⤵
        
        PID:1104
    - - C:\Windows\Cursors\data.exe
        
        C:\Windows\Cursors\data.exe C:\Windows\Cursors\
        5⤵
        
        PID:2140
    - - C:\Windows\debug\backup.exe
        
        C:\Windows\debug\backup.exe C:\Windows\debug\
        5⤵
        
        PID:2512
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2036
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1696
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:900
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:276
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1888
- C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
  C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1192

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
41b4a90d16026c4be9fa101df4e8aecd

SHA1
9ebf643a0f25004628cbaac0ff7403a38cb67fcc

SHA256
6e7bba3fa6a99152d0a7687111243bd65f83f95a11f5d97d01167926aa73d3f9

SHA512
c33e215c61c08d5f1df6574142fd2ed5b40472cc2543db527c14a2ed7047a951ea39d172a60bab761618693d1d88f5f399c71ed31a7e6f9494385ef551b40436

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
306dca6e8e74fecddad082f40991460c

SHA1
c4840686b156e0326a8ed53886b99e6d9823be95

SHA256
1fe0042883654a2886f48ff7a04d26da8bf2aa4d0f3da1c98943db6f7d08a3ee

SHA512
7e13075e6ad0ec5b2e3a53f646d8e06c7177228a2ee9fdd8a7c39d522be6e0b0bf67b708f62d09445f136fa907b50ee09c5330e0cdfedfb20ce6dc347519bd98

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
306dca6e8e74fecddad082f40991460c

SHA1
c4840686b156e0326a8ed53886b99e6d9823be95

SHA256
1fe0042883654a2886f48ff7a04d26da8bf2aa4d0f3da1c98943db6f7d08a3ee

SHA512
7e13075e6ad0ec5b2e3a53f646d8e06c7177228a2ee9fdd8a7c39d522be6e0b0bf67b708f62d09445f136fa907b50ee09c5330e0cdfedfb20ce6dc347519bd98

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
db4b65b9547d1bc84ddc0c31d534fa5e

SHA1
005345c998d7dcf870166145d8e413d447e09ab2

SHA256
821de763d1dfb6778dc516a251216fb6b382b2755b354e40c147784a3d96e167

SHA512
9247cd16a218529025e1414e9783c53acbb0fc111ce1f4e49d2079800306c58079848922f8d85e2adadddaff426ab16da4b4bbfef48efd1bca7f53b5eedbfbf8

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
41b4a90d16026c4be9fa101df4e8aecd

SHA1
9ebf643a0f25004628cbaac0ff7403a38cb67fcc

SHA256
6e7bba3fa6a99152d0a7687111243bd65f83f95a11f5d97d01167926aa73d3f9

SHA512
c33e215c61c08d5f1df6574142fd2ed5b40472cc2543db527c14a2ed7047a951ea39d172a60bab761618693d1d88f5f399c71ed31a7e6f9494385ef551b40436

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
41b4a90d16026c4be9fa101df4e8aecd

SHA1
9ebf643a0f25004628cbaac0ff7403a38cb67fcc

SHA256
6e7bba3fa6a99152d0a7687111243bd65f83f95a11f5d97d01167926aa73d3f9

SHA512
c33e215c61c08d5f1df6574142fd2ed5b40472cc2543db527c14a2ed7047a951ea39d172a60bab761618693d1d88f5f399c71ed31a7e6f9494385ef551b40436

Download Submit
C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
a8ca737c041b0c8ce1276857f50e1cef

SHA1
ddd4ec2fefcaf6aa57510ee7081f50af5b9dcca0

SHA256
40e959fa78331a8493029026181c6dd16aefd67b30464431db94fb822b063a71

SHA512
3dc05e77237bb1aee619b3fc826cab1b271a02138de080b1b48ec79aabf6f44654546766e75c20372abfced924ece98cfc8a277f652a54f1a03683d52ad618bc

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
db4b65b9547d1bc84ddc0c31d534fa5e

SHA1
005345c998d7dcf870166145d8e413d447e09ab2

SHA256
821de763d1dfb6778dc516a251216fb6b382b2755b354e40c147784a3d96e167

SHA512
9247cd16a218529025e1414e9783c53acbb0fc111ce1f4e49d2079800306c58079848922f8d85e2adadddaff426ab16da4b4bbfef48efd1bca7f53b5eedbfbf8

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
db4b65b9547d1bc84ddc0c31d534fa5e

SHA1
005345c998d7dcf870166145d8e413d447e09ab2

SHA256
821de763d1dfb6778dc516a251216fb6b382b2755b354e40c147784a3d96e167

SHA512
9247cd16a218529025e1414e9783c53acbb0fc111ce1f4e49d2079800306c58079848922f8d85e2adadddaff426ab16da4b4bbfef48efd1bca7f53b5eedbfbf8

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
51f055fe5d8bb4f3415b4174bd53bd95

SHA1
135e0e2405443990c9029b51f40c688d54ff08d2

SHA256
b7974151fecacc320dac44d2a999b8b4ad556ae5552f4c5baee5c272a4a640d9

SHA512
8cd8a46a699101512cb98e55c5ebfd0b9b16325ba917828c9484c9a3716deaf5870105db0f500bb320150818cd055e9613dd8420acc8636ff2f7afd680bde262

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
0c94d1f456a2fb121ddc53d7b12c385b

SHA1
23c3823c46b5004b6b2951dec51fb458af37d118

SHA256
a8cdb250f40277f109edd64398069d26013c2b72fd9f3fe246c22271b4b9508b

SHA512
8093942e872600ddb083200dbcefa05b2d5b4a76bff4087bfd0600307d6e6d4c5d0b84da7156da468253463e59d1265d1f58951bd6902d6352584d0db509cd8c

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
0c94d1f456a2fb121ddc53d7b12c385b

SHA1
23c3823c46b5004b6b2951dec51fb458af37d118

SHA256
a8cdb250f40277f109edd64398069d26013c2b72fd9f3fe246c22271b4b9508b

SHA512
8093942e872600ddb083200dbcefa05b2d5b4a76bff4087bfd0600307d6e6d4c5d0b84da7156da468253463e59d1265d1f58951bd6902d6352584d0db509cd8c

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\System Restore.exe

Filesize
72KB

MD5
51f055fe5d8bb4f3415b4174bd53bd95

SHA1
135e0e2405443990c9029b51f40c688d54ff08d2

SHA256
b7974151fecacc320dac44d2a999b8b4ad556ae5552f4c5baee5c272a4a640d9

SHA512
8cd8a46a699101512cb98e55c5ebfd0b9b16325ba917828c9484c9a3716deaf5870105db0f500bb320150818cd055e9613dd8420acc8636ff2f7afd680bde262

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
41b4a90d16026c4be9fa101df4e8aecd

SHA1
9ebf643a0f25004628cbaac0ff7403a38cb67fcc

SHA256
6e7bba3fa6a99152d0a7687111243bd65f83f95a11f5d97d01167926aa73d3f9

SHA512
c33e215c61c08d5f1df6574142fd2ed5b40472cc2543db527c14a2ed7047a951ea39d172a60bab761618693d1d88f5f399c71ed31a7e6f9494385ef551b40436

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
41b4a90d16026c4be9fa101df4e8aecd

SHA1
9ebf643a0f25004628cbaac0ff7403a38cb67fcc

SHA256
6e7bba3fa6a99152d0a7687111243bd65f83f95a11f5d97d01167926aa73d3f9

SHA512
c33e215c61c08d5f1df6574142fd2ed5b40472cc2543db527c14a2ed7047a951ea39d172a60bab761618693d1d88f5f399c71ed31a7e6f9494385ef551b40436

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
306dca6e8e74fecddad082f40991460c

SHA1
c4840686b156e0326a8ed53886b99e6d9823be95

SHA256
1fe0042883654a2886f48ff7a04d26da8bf2aa4d0f3da1c98943db6f7d08a3ee

SHA512
7e13075e6ad0ec5b2e3a53f646d8e06c7177228a2ee9fdd8a7c39d522be6e0b0bf67b708f62d09445f136fa907b50ee09c5330e0cdfedfb20ce6dc347519bd98

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
306dca6e8e74fecddad082f40991460c

SHA1
c4840686b156e0326a8ed53886b99e6d9823be95

SHA256
1fe0042883654a2886f48ff7a04d26da8bf2aa4d0f3da1c98943db6f7d08a3ee

SHA512
7e13075e6ad0ec5b2e3a53f646d8e06c7177228a2ee9fdd8a7c39d522be6e0b0bf67b708f62d09445f136fa907b50ee09c5330e0cdfedfb20ce6dc347519bd98

Download Submit
C:\Users\Admin\AppData\Local\Temp\1410017387\backup.exe

Filesize
72KB

MD5
70c3d5bb24c0a8c55de153d8769e4997

SHA1
27d6e1c152791a472cd5e4ba9e66ee0c9cec9693

SHA256
03aa9c7e45908435476d8826b5cc431fa090db4de70cf2e188ebec971a343898

SHA512
61b781650338a98d26d535886c3bf789cce9148a8b64115c8d6e6c9bf31054863b39263e16d8b36196c88bcbdee870351b9dda6574d2bdd3aed8b2351f417b79

Download Submit
C:\Users\Admin\AppData\Local\Temp\1410017387\backup.exe

Filesize
72KB

MD5
70c3d5bb24c0a8c55de153d8769e4997

SHA1
27d6e1c152791a472cd5e4ba9e66ee0c9cec9693

SHA256
03aa9c7e45908435476d8826b5cc431fa090db4de70cf2e188ebec971a343898

SHA512
61b781650338a98d26d535886c3bf789cce9148a8b64115c8d6e6c9bf31054863b39263e16d8b36196c88bcbdee870351b9dda6574d2bdd3aed8b2351f417b79

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
70c3d5bb24c0a8c55de153d8769e4997

SHA1
27d6e1c152791a472cd5e4ba9e66ee0c9cec9693

SHA256
03aa9c7e45908435476d8826b5cc431fa090db4de70cf2e188ebec971a343898

SHA512
61b781650338a98d26d535886c3bf789cce9148a8b64115c8d6e6c9bf31054863b39263e16d8b36196c88bcbdee870351b9dda6574d2bdd3aed8b2351f417b79

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
70c3d5bb24c0a8c55de153d8769e4997

SHA1
27d6e1c152791a472cd5e4ba9e66ee0c9cec9693

SHA256
03aa9c7e45908435476d8826b5cc431fa090db4de70cf2e188ebec971a343898

SHA512
61b781650338a98d26d535886c3bf789cce9148a8b64115c8d6e6c9bf31054863b39263e16d8b36196c88bcbdee870351b9dda6574d2bdd3aed8b2351f417b79

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
70c3d5bb24c0a8c55de153d8769e4997

SHA1
27d6e1c152791a472cd5e4ba9e66ee0c9cec9693

SHA256
03aa9c7e45908435476d8826b5cc431fa090db4de70cf2e188ebec971a343898

SHA512
61b781650338a98d26d535886c3bf789cce9148a8b64115c8d6e6c9bf31054863b39263e16d8b36196c88bcbdee870351b9dda6574d2bdd3aed8b2351f417b79

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
2014dcecfd8b687c06acf85a5b950c81

SHA1
584db8d518dc442d5b1acdf0375f5981ff0c2554

SHA256
072e805264c52481b915d17c26dddba3ae06211c3cd06ba35afed0a50e5ff912

SHA512
6d431b32153e03adc97a0eb8ed82e0916fbaafce122b73bec82644243a762882020bea7681fc8612758af067a3acda54311219c098e7d21b8fbdaea8d1102c94

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
70c3d5bb24c0a8c55de153d8769e4997

SHA1
27d6e1c152791a472cd5e4ba9e66ee0c9cec9693

SHA256
03aa9c7e45908435476d8826b5cc431fa090db4de70cf2e188ebec971a343898

SHA512
61b781650338a98d26d535886c3bf789cce9148a8b64115c8d6e6c9bf31054863b39263e16d8b36196c88bcbdee870351b9dda6574d2bdd3aed8b2351f417b79

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
2014dcecfd8b687c06acf85a5b950c81

SHA1
584db8d518dc442d5b1acdf0375f5981ff0c2554

SHA256
072e805264c52481b915d17c26dddba3ae06211c3cd06ba35afed0a50e5ff912

SHA512
6d431b32153e03adc97a0eb8ed82e0916fbaafce122b73bec82644243a762882020bea7681fc8612758af067a3acda54311219c098e7d21b8fbdaea8d1102c94

Download Submit
C:\backup.exe

Filesize
72KB

MD5
d57f99678fca6dc7c0b36910c19c17d7

SHA1
aa3936fa040db60f6be55b040fb60560990fb137

SHA256
d0ad90da26f265aafe926276e5737346ba6c33ae3e8d5fc2cc364b37ea252d47

SHA512
226919367e3a7faf59f68e14f810847a217700d84d756bae2cae1dfce7340e91e5f027f67e429bb3a234d0d964925b50de0e5e1d7a3c4d24e56d6df62ad4bd50

Download Submit
C:\backup.exe

Filesize
72KB

MD5
d57f99678fca6dc7c0b36910c19c17d7

SHA1
aa3936fa040db60f6be55b040fb60560990fb137

SHA256
d0ad90da26f265aafe926276e5737346ba6c33ae3e8d5fc2cc364b37ea252d47

SHA512
226919367e3a7faf59f68e14f810847a217700d84d756bae2cae1dfce7340e91e5f027f67e429bb3a234d0d964925b50de0e5e1d7a3c4d24e56d6df62ad4bd50

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
41b4a90d16026c4be9fa101df4e8aecd

SHA1
9ebf643a0f25004628cbaac0ff7403a38cb67fcc

SHA256
6e7bba3fa6a99152d0a7687111243bd65f83f95a11f5d97d01167926aa73d3f9

SHA512
c33e215c61c08d5f1df6574142fd2ed5b40472cc2543db527c14a2ed7047a951ea39d172a60bab761618693d1d88f5f399c71ed31a7e6f9494385ef551b40436

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
41b4a90d16026c4be9fa101df4e8aecd

SHA1
9ebf643a0f25004628cbaac0ff7403a38cb67fcc

SHA256
6e7bba3fa6a99152d0a7687111243bd65f83f95a11f5d97d01167926aa73d3f9

SHA512
c33e215c61c08d5f1df6574142fd2ed5b40472cc2543db527c14a2ed7047a951ea39d172a60bab761618693d1d88f5f399c71ed31a7e6f9494385ef551b40436

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
306dca6e8e74fecddad082f40991460c

SHA1
c4840686b156e0326a8ed53886b99e6d9823be95

SHA256
1fe0042883654a2886f48ff7a04d26da8bf2aa4d0f3da1c98943db6f7d08a3ee

SHA512
7e13075e6ad0ec5b2e3a53f646d8e06c7177228a2ee9fdd8a7c39d522be6e0b0bf67b708f62d09445f136fa907b50ee09c5330e0cdfedfb20ce6dc347519bd98

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
306dca6e8e74fecddad082f40991460c

SHA1
c4840686b156e0326a8ed53886b99e6d9823be95

SHA256
1fe0042883654a2886f48ff7a04d26da8bf2aa4d0f3da1c98943db6f7d08a3ee

SHA512
7e13075e6ad0ec5b2e3a53f646d8e06c7177228a2ee9fdd8a7c39d522be6e0b0bf67b708f62d09445f136fa907b50ee09c5330e0cdfedfb20ce6dc347519bd98

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
db4b65b9547d1bc84ddc0c31d534fa5e

SHA1
005345c998d7dcf870166145d8e413d447e09ab2

SHA256
821de763d1dfb6778dc516a251216fb6b382b2755b354e40c147784a3d96e167

SHA512
9247cd16a218529025e1414e9783c53acbb0fc111ce1f4e49d2079800306c58079848922f8d85e2adadddaff426ab16da4b4bbfef48efd1bca7f53b5eedbfbf8

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
db4b65b9547d1bc84ddc0c31d534fa5e

SHA1
005345c998d7dcf870166145d8e413d447e09ab2

SHA256
821de763d1dfb6778dc516a251216fb6b382b2755b354e40c147784a3d96e167

SHA512
9247cd16a218529025e1414e9783c53acbb0fc111ce1f4e49d2079800306c58079848922f8d85e2adadddaff426ab16da4b4bbfef48efd1bca7f53b5eedbfbf8

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
41b4a90d16026c4be9fa101df4e8aecd

SHA1
9ebf643a0f25004628cbaac0ff7403a38cb67fcc

SHA256
6e7bba3fa6a99152d0a7687111243bd65f83f95a11f5d97d01167926aa73d3f9

SHA512
c33e215c61c08d5f1df6574142fd2ed5b40472cc2543db527c14a2ed7047a951ea39d172a60bab761618693d1d88f5f399c71ed31a7e6f9494385ef551b40436

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
41b4a90d16026c4be9fa101df4e8aecd

SHA1
9ebf643a0f25004628cbaac0ff7403a38cb67fcc

SHA256
6e7bba3fa6a99152d0a7687111243bd65f83f95a11f5d97d01167926aa73d3f9

SHA512
c33e215c61c08d5f1df6574142fd2ed5b40472cc2543db527c14a2ed7047a951ea39d172a60bab761618693d1d88f5f399c71ed31a7e6f9494385ef551b40436

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
a8ca737c041b0c8ce1276857f50e1cef

SHA1
ddd4ec2fefcaf6aa57510ee7081f50af5b9dcca0

SHA256
40e959fa78331a8493029026181c6dd16aefd67b30464431db94fb822b063a71

SHA512
3dc05e77237bb1aee619b3fc826cab1b271a02138de080b1b48ec79aabf6f44654546766e75c20372abfced924ece98cfc8a277f652a54f1a03683d52ad618bc

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
a8ca737c041b0c8ce1276857f50e1cef

SHA1
ddd4ec2fefcaf6aa57510ee7081f50af5b9dcca0

SHA256
40e959fa78331a8493029026181c6dd16aefd67b30464431db94fb822b063a71

SHA512
3dc05e77237bb1aee619b3fc826cab1b271a02138de080b1b48ec79aabf6f44654546766e75c20372abfced924ece98cfc8a277f652a54f1a03683d52ad618bc

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
db4b65b9547d1bc84ddc0c31d534fa5e

SHA1
005345c998d7dcf870166145d8e413d447e09ab2

SHA256
821de763d1dfb6778dc516a251216fb6b382b2755b354e40c147784a3d96e167

SHA512
9247cd16a218529025e1414e9783c53acbb0fc111ce1f4e49d2079800306c58079848922f8d85e2adadddaff426ab16da4b4bbfef48efd1bca7f53b5eedbfbf8

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
db4b65b9547d1bc84ddc0c31d534fa5e

SHA1
005345c998d7dcf870166145d8e413d447e09ab2

SHA256
821de763d1dfb6778dc516a251216fb6b382b2755b354e40c147784a3d96e167

SHA512
9247cd16a218529025e1414e9783c53acbb0fc111ce1f4e49d2079800306c58079848922f8d85e2adadddaff426ab16da4b4bbfef48efd1bca7f53b5eedbfbf8

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
51f055fe5d8bb4f3415b4174bd53bd95

SHA1
135e0e2405443990c9029b51f40c688d54ff08d2

SHA256
b7974151fecacc320dac44d2a999b8b4ad556ae5552f4c5baee5c272a4a640d9

SHA512
8cd8a46a699101512cb98e55c5ebfd0b9b16325ba917828c9484c9a3716deaf5870105db0f500bb320150818cd055e9613dd8420acc8636ff2f7afd680bde262

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
51f055fe5d8bb4f3415b4174bd53bd95

SHA1
135e0e2405443990c9029b51f40c688d54ff08d2

SHA256
b7974151fecacc320dac44d2a999b8b4ad556ae5552f4c5baee5c272a4a640d9

SHA512
8cd8a46a699101512cb98e55c5ebfd0b9b16325ba917828c9484c9a3716deaf5870105db0f500bb320150818cd055e9613dd8420acc8636ff2f7afd680bde262

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
0c94d1f456a2fb121ddc53d7b12c385b

SHA1
23c3823c46b5004b6b2951dec51fb458af37d118

SHA256
a8cdb250f40277f109edd64398069d26013c2b72fd9f3fe246c22271b4b9508b

SHA512
8093942e872600ddb083200dbcefa05b2d5b4a76bff4087bfd0600307d6e6d4c5d0b84da7156da468253463e59d1265d1f58951bd6902d6352584d0db509cd8c

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
0c94d1f456a2fb121ddc53d7b12c385b

SHA1
23c3823c46b5004b6b2951dec51fb458af37d118

SHA256
a8cdb250f40277f109edd64398069d26013c2b72fd9f3fe246c22271b4b9508b

SHA512
8093942e872600ddb083200dbcefa05b2d5b4a76bff4087bfd0600307d6e6d4c5d0b84da7156da468253463e59d1265d1f58951bd6902d6352584d0db509cd8c

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\bg-BG\System Restore.exe

Filesize
72KB

MD5
51f055fe5d8bb4f3415b4174bd53bd95

SHA1
135e0e2405443990c9029b51f40c688d54ff08d2

SHA256
b7974151fecacc320dac44d2a999b8b4ad556ae5552f4c5baee5c272a4a640d9

SHA512
8cd8a46a699101512cb98e55c5ebfd0b9b16325ba917828c9484c9a3716deaf5870105db0f500bb320150818cd055e9613dd8420acc8636ff2f7afd680bde262

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\bg-BG\System Restore.exe

Filesize
72KB

MD5
51f055fe5d8bb4f3415b4174bd53bd95

SHA1
135e0e2405443990c9029b51f40c688d54ff08d2

SHA256
b7974151fecacc320dac44d2a999b8b4ad556ae5552f4c5baee5c272a4a640d9

SHA512
8cd8a46a699101512cb98e55c5ebfd0b9b16325ba917828c9484c9a3716deaf5870105db0f500bb320150818cd055e9613dd8420acc8636ff2f7afd680bde262

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\System Restore.exe

Filesize
72KB

MD5
51f055fe5d8bb4f3415b4174bd53bd95

SHA1
135e0e2405443990c9029b51f40c688d54ff08d2

SHA256
b7974151fecacc320dac44d2a999b8b4ad556ae5552f4c5baee5c272a4a640d9

SHA512
8cd8a46a699101512cb98e55c5ebfd0b9b16325ba917828c9484c9a3716deaf5870105db0f500bb320150818cd055e9613dd8420acc8636ff2f7afd680bde262

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
41b4a90d16026c4be9fa101df4e8aecd

SHA1
9ebf643a0f25004628cbaac0ff7403a38cb67fcc

SHA256
6e7bba3fa6a99152d0a7687111243bd65f83f95a11f5d97d01167926aa73d3f9

SHA512
c33e215c61c08d5f1df6574142fd2ed5b40472cc2543db527c14a2ed7047a951ea39d172a60bab761618693d1d88f5f399c71ed31a7e6f9494385ef551b40436

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
41b4a90d16026c4be9fa101df4e8aecd

SHA1
9ebf643a0f25004628cbaac0ff7403a38cb67fcc

SHA256
6e7bba3fa6a99152d0a7687111243bd65f83f95a11f5d97d01167926aa73d3f9

SHA512
c33e215c61c08d5f1df6574142fd2ed5b40472cc2543db527c14a2ed7047a951ea39d172a60bab761618693d1d88f5f399c71ed31a7e6f9494385ef551b40436

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
306dca6e8e74fecddad082f40991460c

SHA1
c4840686b156e0326a8ed53886b99e6d9823be95

SHA256
1fe0042883654a2886f48ff7a04d26da8bf2aa4d0f3da1c98943db6f7d08a3ee

SHA512
7e13075e6ad0ec5b2e3a53f646d8e06c7177228a2ee9fdd8a7c39d522be6e0b0bf67b708f62d09445f136fa907b50ee09c5330e0cdfedfb20ce6dc347519bd98

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
306dca6e8e74fecddad082f40991460c

SHA1
c4840686b156e0326a8ed53886b99e6d9823be95

SHA256
1fe0042883654a2886f48ff7a04d26da8bf2aa4d0f3da1c98943db6f7d08a3ee

SHA512
7e13075e6ad0ec5b2e3a53f646d8e06c7177228a2ee9fdd8a7c39d522be6e0b0bf67b708f62d09445f136fa907b50ee09c5330e0cdfedfb20ce6dc347519bd98

Download Submit
\Users\Admin\AppData\Local\Temp\1410017387\backup.exe

Filesize
72KB

MD5
70c3d5bb24c0a8c55de153d8769e4997

SHA1
27d6e1c152791a472cd5e4ba9e66ee0c9cec9693

SHA256
03aa9c7e45908435476d8826b5cc431fa090db4de70cf2e188ebec971a343898

SHA512
61b781650338a98d26d535886c3bf789cce9148a8b64115c8d6e6c9bf31054863b39263e16d8b36196c88bcbdee870351b9dda6574d2bdd3aed8b2351f417b79

Download Submit
\Users\Admin\AppData\Local\Temp\1410017387\backup.exe

Filesize
72KB

MD5
70c3d5bb24c0a8c55de153d8769e4997

SHA1
27d6e1c152791a472cd5e4ba9e66ee0c9cec9693

SHA256
03aa9c7e45908435476d8826b5cc431fa090db4de70cf2e188ebec971a343898

SHA512
61b781650338a98d26d535886c3bf789cce9148a8b64115c8d6e6c9bf31054863b39263e16d8b36196c88bcbdee870351b9dda6574d2bdd3aed8b2351f417b79

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
70c3d5bb24c0a8c55de153d8769e4997

SHA1
27d6e1c152791a472cd5e4ba9e66ee0c9cec9693

SHA256
03aa9c7e45908435476d8826b5cc431fa090db4de70cf2e188ebec971a343898

SHA512
61b781650338a98d26d535886c3bf789cce9148a8b64115c8d6e6c9bf31054863b39263e16d8b36196c88bcbdee870351b9dda6574d2bdd3aed8b2351f417b79

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
70c3d5bb24c0a8c55de153d8769e4997

SHA1
27d6e1c152791a472cd5e4ba9e66ee0c9cec9693

SHA256
03aa9c7e45908435476d8826b5cc431fa090db4de70cf2e188ebec971a343898

SHA512
61b781650338a98d26d535886c3bf789cce9148a8b64115c8d6e6c9bf31054863b39263e16d8b36196c88bcbdee870351b9dda6574d2bdd3aed8b2351f417b79

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
70c3d5bb24c0a8c55de153d8769e4997

SHA1
27d6e1c152791a472cd5e4ba9e66ee0c9cec9693

SHA256
03aa9c7e45908435476d8826b5cc431fa090db4de70cf2e188ebec971a343898

SHA512
61b781650338a98d26d535886c3bf789cce9148a8b64115c8d6e6c9bf31054863b39263e16d8b36196c88bcbdee870351b9dda6574d2bdd3aed8b2351f417b79

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
70c3d5bb24c0a8c55de153d8769e4997

SHA1
27d6e1c152791a472cd5e4ba9e66ee0c9cec9693

SHA256
03aa9c7e45908435476d8826b5cc431fa090db4de70cf2e188ebec971a343898

SHA512
61b781650338a98d26d535886c3bf789cce9148a8b64115c8d6e6c9bf31054863b39263e16d8b36196c88bcbdee870351b9dda6574d2bdd3aed8b2351f417b79

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
70c3d5bb24c0a8c55de153d8769e4997

SHA1
27d6e1c152791a472cd5e4ba9e66ee0c9cec9693

SHA256
03aa9c7e45908435476d8826b5cc431fa090db4de70cf2e188ebec971a343898

SHA512
61b781650338a98d26d535886c3bf789cce9148a8b64115c8d6e6c9bf31054863b39263e16d8b36196c88bcbdee870351b9dda6574d2bdd3aed8b2351f417b79

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
70c3d5bb24c0a8c55de153d8769e4997

SHA1
27d6e1c152791a472cd5e4ba9e66ee0c9cec9693

SHA256
03aa9c7e45908435476d8826b5cc431fa090db4de70cf2e188ebec971a343898

SHA512
61b781650338a98d26d535886c3bf789cce9148a8b64115c8d6e6c9bf31054863b39263e16d8b36196c88bcbdee870351b9dda6574d2bdd3aed8b2351f417b79

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
2014dcecfd8b687c06acf85a5b950c81

SHA1
584db8d518dc442d5b1acdf0375f5981ff0c2554

SHA256
072e805264c52481b915d17c26dddba3ae06211c3cd06ba35afed0a50e5ff912

SHA512
6d431b32153e03adc97a0eb8ed82e0916fbaafce122b73bec82644243a762882020bea7681fc8612758af067a3acda54311219c098e7d21b8fbdaea8d1102c94

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
2014dcecfd8b687c06acf85a5b950c81

SHA1
584db8d518dc442d5b1acdf0375f5981ff0c2554

SHA256
072e805264c52481b915d17c26dddba3ae06211c3cd06ba35afed0a50e5ff912

SHA512
6d431b32153e03adc97a0eb8ed82e0916fbaafce122b73bec82644243a762882020bea7681fc8612758af067a3acda54311219c098e7d21b8fbdaea8d1102c94

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
70c3d5bb24c0a8c55de153d8769e4997

SHA1
27d6e1c152791a472cd5e4ba9e66ee0c9cec9693

SHA256
03aa9c7e45908435476d8826b5cc431fa090db4de70cf2e188ebec971a343898

SHA512
61b781650338a98d26d535886c3bf789cce9148a8b64115c8d6e6c9bf31054863b39263e16d8b36196c88bcbdee870351b9dda6574d2bdd3aed8b2351f417b79

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
70c3d5bb24c0a8c55de153d8769e4997

SHA1
27d6e1c152791a472cd5e4ba9e66ee0c9cec9693

SHA256
03aa9c7e45908435476d8826b5cc431fa090db4de70cf2e188ebec971a343898

SHA512
61b781650338a98d26d535886c3bf789cce9148a8b64115c8d6e6c9bf31054863b39263e16d8b36196c88bcbdee870351b9dda6574d2bdd3aed8b2351f417b79

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
2014dcecfd8b687c06acf85a5b950c81

SHA1
584db8d518dc442d5b1acdf0375f5981ff0c2554

SHA256
072e805264c52481b915d17c26dddba3ae06211c3cd06ba35afed0a50e5ff912

SHA512
6d431b32153e03adc97a0eb8ed82e0916fbaafce122b73bec82644243a762882020bea7681fc8612758af067a3acda54311219c098e7d21b8fbdaea8d1102c94

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
2014dcecfd8b687c06acf85a5b950c81

SHA1
584db8d518dc442d5b1acdf0375f5981ff0c2554

SHA256
072e805264c52481b915d17c26dddba3ae06211c3cd06ba35afed0a50e5ff912

SHA512
6d431b32153e03adc97a0eb8ed82e0916fbaafce122b73bec82644243a762882020bea7681fc8612758af067a3acda54311219c098e7d21b8fbdaea8d1102c94

Download Submit
memory/2044-102-0x0000000074E61000-0x0000000074E63000-memory.dmp

Filesize
8KB

Download
memory/2044-98-0x0000000076831000-0x0000000076833000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads