18ac16a91a44e777aa8c2d9689d70f7ea0a1d19c38fd2558b44c420750d20fa6

Analysis

max time kernel
141s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
02/12/2022, 19:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

18ac16a91a44e777aa8c2d9689d70f7ea0a1d19c38fd2558b44c420750d20fa6.exe
Size

72KB
MD5

c358ebe8c3ab88a68031792bd0513d49
SHA1

ce9cb4b77aae0288286b75503e43542b5924021a
SHA256

18ac16a91a44e777aa8c2d9689d70f7ea0a1d19c38fd2558b44c420750d20fa6
SHA512

50ae8bf85ccb33d5f7932a2e40f1c0f4711232384d92d13de00c40e6c441b61fd9d03575b9ee5825771170121dd45c0d756d8cb440f49ac0e80dbb93fb676408
SSDEEP

384:N6wayA+1mwnA353BXR+oGfPmfm4MlcTGXdhjwroyY2rebV5O6KgxWb/83BXR+oGt:NpQNwC3BESe4Vqth+0V5vKlE3BEJwRrQ

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	18ac16a91a44e777aa8c2d9689d70f7ea0a1d19c38fd2558b44c420750d20fa6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Executes dropped EXE 64 IoCs

pid	Process
1624	data.exe
1088	backup.exe
1116	backup.exe
276	backup.exe
520	backup.exe
1296	backup.exe
1804	backup.exe
524	backup.exe
1960	backup.exe
1816	update.exe
1208	backup.exe
1984	backup.exe
632	backup.exe
580	backup.exe
1872	backup.exe
1152	backup.exe
1072	backup.exe
840	backup.exe
1660	data.exe
1732	backup.exe
1088	backup.exe
2020	backup.exe
984	backup.exe
1696	backup.exe
1456	backup.exe
636	update.exe
1676	backup.exe
1528	backup.exe
1408	backup.exe
872	backup.exe
1772	backup.exe
1740	update.exe
832	backup.exe
1536	backup.exe
1888	System Restore.exe
1056	backup.exe
1988	backup.exe
572	backup.exe
1004	backup.exe
624	backup.exe
1216	data.exe
1508	backup.exe
112	backup.exe
1152	update.exe
1900	backup.exe
1580	System Restore.exe
840	backup.exe
2036	backup.exe
1728	backup.exe
1760	backup.exe
276	backup.exe
584	backup.exe
1696	backup.exe
1704	backup.exe
636	backup.exe
1676	backup.exe
1804	backup.exe
332	backup.exe
1908	backup.exe
980	backup.exe
776	backup.exe
832	backup.exe
1960	backup.exe
1904	backup.exe

Loads dropped DLL 64 IoCs

pid	Process
1932	18ac16a91a44e777aa8c2d9689d70f7ea0a1d19c38fd2558b44c420750d20fa6.exe
1932	18ac16a91a44e777aa8c2d9689d70f7ea0a1d19c38fd2558b44c420750d20fa6.exe
1932	18ac16a91a44e777aa8c2d9689d70f7ea0a1d19c38fd2558b44c420750d20fa6.exe
1932	18ac16a91a44e777aa8c2d9689d70f7ea0a1d19c38fd2558b44c420750d20fa6.exe
1932	18ac16a91a44e777aa8c2d9689d70f7ea0a1d19c38fd2558b44c420750d20fa6.exe
1932	18ac16a91a44e777aa8c2d9689d70f7ea0a1d19c38fd2558b44c420750d20fa6.exe
1932	18ac16a91a44e777aa8c2d9689d70f7ea0a1d19c38fd2558b44c420750d20fa6.exe
1932	18ac16a91a44e777aa8c2d9689d70f7ea0a1d19c38fd2558b44c420750d20fa6.exe
1932	18ac16a91a44e777aa8c2d9689d70f7ea0a1d19c38fd2558b44c420750d20fa6.exe
1932	18ac16a91a44e777aa8c2d9689d70f7ea0a1d19c38fd2558b44c420750d20fa6.exe
1932	18ac16a91a44e777aa8c2d9689d70f7ea0a1d19c38fd2558b44c420750d20fa6.exe
1932	18ac16a91a44e777aa8c2d9689d70f7ea0a1d19c38fd2558b44c420750d20fa6.exe
1932	18ac16a91a44e777aa8c2d9689d70f7ea0a1d19c38fd2558b44c420750d20fa6.exe
1932	18ac16a91a44e777aa8c2d9689d70f7ea0a1d19c38fd2558b44c420750d20fa6.exe
524	backup.exe
524	backup.exe
1960	backup.exe
1816	update.exe
1816	update.exe
1816	update.exe
524	backup.exe
524	backup.exe
1208	backup.exe
1208	backup.exe
1984	backup.exe
1984	backup.exe
1208	backup.exe
1208	backup.exe
580	backup.exe
580	backup.exe
1872	backup.exe
1872	backup.exe
1872	backup.exe
1872	backup.exe
1072	backup.exe
1072	backup.exe
1072	backup.exe
1072	backup.exe
1072	backup.exe
1072	backup.exe
1072	backup.exe
1072	backup.exe
1072	backup.exe
1072	backup.exe
1072	backup.exe
1072	backup.exe
1072	backup.exe
1072	backup.exe
1072	backup.exe
1072	backup.exe
1072	backup.exe
636	update.exe
636	update.exe
636	update.exe
1072	backup.exe
1072	backup.exe
1072	backup.exe
1072	backup.exe
1072	backup.exe
1072	backup.exe
1408	backup.exe
1408	backup.exe
1408	backup.exe
1408	backup.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\DVD Maker\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\update.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VGX\System Restore.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\es-ES\update.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Services\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\update.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Games\backup.exe	backup.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1932	18ac16a91a44e777aa8c2d9689d70f7ea0a1d19c38fd2558b44c420750d20fa6.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1932	18ac16a91a44e777aa8c2d9689d70f7ea0a1d19c38fd2558b44c420750d20fa6.exe
1624	data.exe
1088	backup.exe
1116	backup.exe
276	backup.exe
520	backup.exe
1296	backup.exe
1804	backup.exe
524	backup.exe
1960	backup.exe
1816	update.exe
1208	backup.exe
1984	backup.exe
632	backup.exe
580	backup.exe
1872	backup.exe
1152	backup.exe
1072	backup.exe
840	backup.exe
1660	data.exe
1732	backup.exe
1088	backup.exe
2020	backup.exe
984	backup.exe
1696	backup.exe
1456	backup.exe
636	update.exe
1676	backup.exe
1528	backup.exe
1408	backup.exe
872	backup.exe
1772	backup.exe
1740	update.exe
832	backup.exe
1536	backup.exe
1888	System Restore.exe
1056	backup.exe
1988	backup.exe
572	backup.exe
1004	backup.exe
624	backup.exe
1216	data.exe
1508	backup.exe
112	backup.exe
1152	update.exe
1900	backup.exe
1728	backup.exe
1580	System Restore.exe
2036	backup.exe
840	backup.exe
1760	backup.exe
1704	backup.exe
584	backup.exe
1696	backup.exe
636	backup.exe
1804	backup.exe
1676	backup.exe
332	backup.exe
1908	backup.exe
980	backup.exe
276	backup.exe
776	backup.exe
832	backup.exe
1960	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1932 wrote to memory of 1624	1932	18ac16a91a44e777aa8c2d9689d70f7ea0a1d19c38fd2558b44c420750d20fa6.exe	27
PID 1932 wrote to memory of 1624	1932	18ac16a91a44e777aa8c2d9689d70f7ea0a1d19c38fd2558b44c420750d20fa6.exe	27
PID 1932 wrote to memory of 1624	1932	18ac16a91a44e777aa8c2d9689d70f7ea0a1d19c38fd2558b44c420750d20fa6.exe	27
PID 1932 wrote to memory of 1624	1932	18ac16a91a44e777aa8c2d9689d70f7ea0a1d19c38fd2558b44c420750d20fa6.exe	27
PID 1932 wrote to memory of 1088	1932	18ac16a91a44e777aa8c2d9689d70f7ea0a1d19c38fd2558b44c420750d20fa6.exe	28
PID 1932 wrote to memory of 1088	1932	18ac16a91a44e777aa8c2d9689d70f7ea0a1d19c38fd2558b44c420750d20fa6.exe	28
PID 1932 wrote to memory of 1088	1932	18ac16a91a44e777aa8c2d9689d70f7ea0a1d19c38fd2558b44c420750d20fa6.exe	28
PID 1932 wrote to memory of 1088	1932	18ac16a91a44e777aa8c2d9689d70f7ea0a1d19c38fd2558b44c420750d20fa6.exe	28
PID 1932 wrote to memory of 1116	1932	18ac16a91a44e777aa8c2d9689d70f7ea0a1d19c38fd2558b44c420750d20fa6.exe	29
PID 1932 wrote to memory of 1116	1932	18ac16a91a44e777aa8c2d9689d70f7ea0a1d19c38fd2558b44c420750d20fa6.exe	29
PID 1932 wrote to memory of 1116	1932	18ac16a91a44e777aa8c2d9689d70f7ea0a1d19c38fd2558b44c420750d20fa6.exe	29
PID 1932 wrote to memory of 1116	1932	18ac16a91a44e777aa8c2d9689d70f7ea0a1d19c38fd2558b44c420750d20fa6.exe	29
PID 1932 wrote to memory of 276	1932	18ac16a91a44e777aa8c2d9689d70f7ea0a1d19c38fd2558b44c420750d20fa6.exe	30
PID 1932 wrote to memory of 276	1932	18ac16a91a44e777aa8c2d9689d70f7ea0a1d19c38fd2558b44c420750d20fa6.exe	30
PID 1932 wrote to memory of 276	1932	18ac16a91a44e777aa8c2d9689d70f7ea0a1d19c38fd2558b44c420750d20fa6.exe	30
PID 1932 wrote to memory of 276	1932	18ac16a91a44e777aa8c2d9689d70f7ea0a1d19c38fd2558b44c420750d20fa6.exe	30
PID 1932 wrote to memory of 520	1932	18ac16a91a44e777aa8c2d9689d70f7ea0a1d19c38fd2558b44c420750d20fa6.exe	31
PID 1932 wrote to memory of 520	1932	18ac16a91a44e777aa8c2d9689d70f7ea0a1d19c38fd2558b44c420750d20fa6.exe	31
PID 1932 wrote to memory of 520	1932	18ac16a91a44e777aa8c2d9689d70f7ea0a1d19c38fd2558b44c420750d20fa6.exe	31
PID 1932 wrote to memory of 520	1932	18ac16a91a44e777aa8c2d9689d70f7ea0a1d19c38fd2558b44c420750d20fa6.exe	31
PID 1932 wrote to memory of 1296	1932	18ac16a91a44e777aa8c2d9689d70f7ea0a1d19c38fd2558b44c420750d20fa6.exe	32
PID 1932 wrote to memory of 1296	1932	18ac16a91a44e777aa8c2d9689d70f7ea0a1d19c38fd2558b44c420750d20fa6.exe	32
PID 1932 wrote to memory of 1296	1932	18ac16a91a44e777aa8c2d9689d70f7ea0a1d19c38fd2558b44c420750d20fa6.exe	32
PID 1932 wrote to memory of 1296	1932	18ac16a91a44e777aa8c2d9689d70f7ea0a1d19c38fd2558b44c420750d20fa6.exe	32
PID 1932 wrote to memory of 1804	1932	18ac16a91a44e777aa8c2d9689d70f7ea0a1d19c38fd2558b44c420750d20fa6.exe	33
PID 1932 wrote to memory of 1804	1932	18ac16a91a44e777aa8c2d9689d70f7ea0a1d19c38fd2558b44c420750d20fa6.exe	33
PID 1932 wrote to memory of 1804	1932	18ac16a91a44e777aa8c2d9689d70f7ea0a1d19c38fd2558b44c420750d20fa6.exe	33
PID 1932 wrote to memory of 1804	1932	18ac16a91a44e777aa8c2d9689d70f7ea0a1d19c38fd2558b44c420750d20fa6.exe	33
PID 1624 wrote to memory of 524	1624	data.exe	34
PID 1624 wrote to memory of 524	1624	data.exe	34
PID 1624 wrote to memory of 524	1624	data.exe	34
PID 1624 wrote to memory of 524	1624	data.exe	34
PID 524 wrote to memory of 1960	524	backup.exe	35
PID 524 wrote to memory of 1960	524	backup.exe	35
PID 524 wrote to memory of 1960	524	backup.exe	35
PID 524 wrote to memory of 1960	524	backup.exe	35
PID 1960 wrote to memory of 1816	1960	backup.exe	36
PID 1960 wrote to memory of 1816	1960	backup.exe	36
PID 1960 wrote to memory of 1816	1960	backup.exe	36
PID 1960 wrote to memory of 1816	1960	backup.exe	36
PID 1960 wrote to memory of 1816	1960	backup.exe	36
PID 1960 wrote to memory of 1816	1960	backup.exe	36
PID 1960 wrote to memory of 1816	1960	backup.exe	36
PID 524 wrote to memory of 1208	524	backup.exe	37
PID 524 wrote to memory of 1208	524	backup.exe	37
PID 524 wrote to memory of 1208	524	backup.exe	37
PID 524 wrote to memory of 1208	524	backup.exe	37
PID 1208 wrote to memory of 1984	1208	backup.exe	38
PID 1208 wrote to memory of 1984	1208	backup.exe	38
PID 1208 wrote to memory of 1984	1208	backup.exe	38
PID 1208 wrote to memory of 1984	1208	backup.exe	38
PID 1984 wrote to memory of 632	1984	backup.exe	39
PID 1984 wrote to memory of 632	1984	backup.exe	39
PID 1984 wrote to memory of 632	1984	backup.exe	39
PID 1984 wrote to memory of 632	1984	backup.exe	39
PID 1208 wrote to memory of 580	1208	backup.exe	40
PID 1208 wrote to memory of 580	1208	backup.exe	40
PID 1208 wrote to memory of 580	1208	backup.exe	40
PID 1208 wrote to memory of 580	1208	backup.exe	40
PID 580 wrote to memory of 1872	580	backup.exe	41
PID 580 wrote to memory of 1872	580	backup.exe	41
PID 580 wrote to memory of 1872	580	backup.exe	41
PID 580 wrote to memory of 1872	580	backup.exe	41
PID 1872 wrote to memory of 1152	1872	backup.exe	42

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	18ac16a91a44e777aa8c2d9689d70f7ea0a1d19c38fd2558b44c420750d20fa6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe

C:\Users\Admin\AppData\Local\Temp\18ac16a91a44e777aa8c2d9689d70f7ea0a1d19c38fd2558b44c420750d20fa6.exe
"C:\Users\Admin\AppData\Local\Temp\18ac16a91a44e777aa8c2d9689d70f7ea0a1d19c38fd2558b44c420750d20fa6.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1932
- C:\Users\Admin\AppData\Local\Temp\1619929238\data.exe
  C:\Users\Admin\AppData\Local\Temp\1619929238\data.exe C:\Users\Admin\AppData\Local\Temp\1619929238\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1624
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:524
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1960
    - - C:\PerfLogs\Admin\update.exe
        
        C:\PerfLogs\Admin\update.exe C:\PerfLogs\Admin\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1816
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1208
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1984
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:632
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:580
      - C:\Program Files\Common Files\Microsoft Shared\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\backup.exe" C:\Program Files\Common Files\Microsoft Shared\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1872
        
        C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1152
        
        C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1072
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:840
        
        C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1660
        
        C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1732
        
        C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1088
        
        C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2020
        
        C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:984
        
        C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1696
        
        C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1456
        
        C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:636
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1676
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1528
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1408
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:872
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1772
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1740
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:832
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1536
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1888
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1056
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1988
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:572
        
        C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1004
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:624
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1216
        
        C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1508
        
        C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:112
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1152
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1900
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1760
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:636
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1908
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1960
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\
        8⤵
        System policy modification
        
        PID:1420
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\
        8⤵
        
        PID:532
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1608
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\
        8⤵
        
        PID:1456
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\
        8⤵
        
        PID:1964
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\
        8⤵
        System policy modification
        
        PID:1676
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\
        8⤵
        
        PID:1960
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\
        8⤵
        
        PID:1672
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\
        8⤵
        
        PID:456
        
        C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\
        8⤵
        System policy modification
        
        PID:1916
        
        C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\
        8⤵
        
        PID:840
        
        C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\
        8⤵
        
        PID:1476
        
        C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\
        8⤵
        
        PID:1772
        
        C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2012
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:840
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1696
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1676
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:832
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\update.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\
        8⤵
        System policy modification
        
        PID:1412
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\
        8⤵
        
        PID:1216
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\
        8⤵
        
        PID:948
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
        7⤵
        
        PID:2020
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1728
        
        C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
        7⤵
        
        PID:1632
        
        C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\
        7⤵
        
        PID:1324
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:568
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\
        8⤵
        
        PID:1724
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\
        8⤵
        
        PID:560
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\
        8⤵
        
        PID:2040
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:332
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1056
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\
        8⤵
        
        PID:520
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:624
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1576
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\
        8⤵
        
        PID:868
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\
        8⤵
        
        PID:1308
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\
        8⤵
        
        PID:788
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\
        8⤵
        
        PID:432
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\
        8⤵
        
        PID:2172
        
        C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VC\
        7⤵
        
        PID:1408
        
        C:\Program Files\Common Files\Microsoft Shared\VGX\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VGX\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\VGX\
        7⤵
        
        PID:1804
        
        C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\
        7⤵
        
        PID:1696
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1728
      - C:\Program Files\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\backup.exe" C:\Program Files\Common Files\SpeechEngines\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:584
        
        C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files\Common Files\SpeechEngines\Microsoft\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:332
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:980
        
        C:\Program Files\Common Files\System\ado\backup.exe
        
        "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:1904
        
        C:\Program Files\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
        8⤵
        System policy modification
        
        PID:1408
        
        C:\Program Files\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
        8⤵
        
        PID:112
        
        C:\Program Files\Common Files\System\ado\es-ES\update.exe
        
        "C:\Program Files\Common Files\System\ado\es-ES\update.exe" C:\Program Files\Common Files\System\ado\es-ES\
        8⤵
        
        PID:1576
        
        C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1496
        
        C:\Program Files\Common Files\System\ado\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\
        8⤵
        System policy modification
        
        PID:1996
        
        C:\Program Files\Common Files\System\ado\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1268
        
        C:\Program Files\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1636
        
        C:\Program Files\Common Files\System\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        System policy modification
        
        PID:1508
        
        C:\Program Files\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
        7⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1124
        
        C:\Program Files\Common Files\System\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\fr-FR\backup.exe" C:\Program Files\Common Files\System\fr-FR\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:788
        
        C:\Program Files\Common Files\System\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\it-IT\backup.exe" C:\Program Files\Common Files\System\it-IT\
        7⤵
        
        PID:2020
        
        C:\Program Files\Common Files\System\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ja-JP\backup.exe" C:\Program Files\Common Files\System\ja-JP\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1888
        
        C:\Program Files\Common Files\System\msadc\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\backup.exe" C:\Program Files\Common Files\System\msadc\
        7⤵
        Drops file in Program Files directory
        
        PID:776
        
        C:\Program Files\Common Files\System\msadc\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\de-DE\backup.exe" C:\Program Files\Common Files\System\msadc\de-DE\
        8⤵
        
        PID:1108
        
        C:\Program Files\Common Files\System\msadc\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\en-US\backup.exe" C:\Program Files\Common Files\System\msadc\en-US\
        8⤵
        
        PID:1824
        
        C:\Program Files\Common Files\System\msadc\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\es-ES\backup.exe" C:\Program Files\Common Files\System\msadc\es-ES\
        8⤵
        System policy modification
        
        PID:1100
        
        C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe" C:\Program Files\Common Files\System\msadc\fr-FR\
        8⤵
        
        PID:1268
        
        C:\Program Files\Common Files\System\msadc\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\it-IT\backup.exe" C:\Program Files\Common Files\System\msadc\it-IT\
        8⤵
        
        PID:1540
        
        C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe" C:\Program Files\Common Files\System\msadc\ja-JP\
        8⤵
        
        PID:1596
        
        C:\Program Files\Common Files\System\Ole DB\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\backup.exe" C:\Program Files\Common Files\System\Ole DB\
        7⤵
        Drops file in Program Files directory
        
        PID:1972
        
        C:\Program Files\Common Files\System\Ole DB\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\de-DE\backup.exe" C:\Program Files\Common Files\System\Ole DB\de-DE\
        8⤵
        System policy modification
        
        PID:2028
        
        C:\Program Files\Common Files\System\Ole DB\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\en-US\backup.exe" C:\Program Files\Common Files\System\Ole DB\en-US\
        8⤵
        
        PID:1456
        
        C:\Program Files\Common Files\System\Ole DB\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\es-ES\backup.exe" C:\Program Files\Common Files\System\Ole DB\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1484
        
        C:\Program Files\Common Files\System\Ole DB\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\fr-FR\backup.exe" C:\Program Files\Common Files\System\Ole DB\fr-FR\
        8⤵
        
        PID:1996
        
        C:\Program Files\Common Files\System\Ole DB\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\it-IT\backup.exe" C:\Program Files\Common Files\System\Ole DB\it-IT\
        8⤵
        
        PID:636
        
        C:\Program Files\Common Files\System\Ole DB\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\ja-JP\backup.exe" C:\Program Files\Common Files\System\Ole DB\ja-JP\
        8⤵
        
        PID:2148
    - - C:\Program Files\DVD Maker\backup.exe
        
        "C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:2036
      - C:\Program Files\DVD Maker\de-DE\backup.exe
        
        "C:\Program Files\DVD Maker\de-DE\backup.exe" C:\Program Files\DVD Maker\de-DE\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1704
      - C:\Program Files\DVD Maker\en-US\backup.exe
        
        "C:\Program Files\DVD Maker\en-US\backup.exe" C:\Program Files\DVD Maker\en-US\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1804
      - C:\Program Files\DVD Maker\es-ES\backup.exe
        
        "C:\Program Files\DVD Maker\es-ES\backup.exe" C:\Program Files\DVD Maker\es-ES\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:776
      - C:\Program Files\DVD Maker\fr-FR\backup.exe
        
        "C:\Program Files\DVD Maker\fr-FR\backup.exe" C:\Program Files\DVD Maker\fr-FR\
        6⤵
        
        PID:2004
      - C:\Program Files\DVD Maker\it-IT\backup.exe
        
        "C:\Program Files\DVD Maker\it-IT\backup.exe" C:\Program Files\DVD Maker\it-IT\
        6⤵
        System policy modification
        
        PID:1768
      - C:\Program Files\DVD Maker\ja-JP\backup.exe
        
        "C:\Program Files\DVD Maker\ja-JP\backup.exe" C:\Program Files\DVD Maker\ja-JP\
        6⤵
        
        PID:1108
      - C:\Program Files\DVD Maker\Shared\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\backup.exe" C:\Program Files\DVD Maker\Shared\
        6⤵
        
        PID:1308
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\
        7⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:872
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2012
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\
        8⤵
        System policy modification
        
        PID:1596
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1716
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Full\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:268
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1484
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\
        8⤵
        System policy modification
        
        PID:1720
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\
        8⤵
        
        PID:1488
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\
        8⤵
        
        PID:1964
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1504
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\
        8⤵
        
        PID:268
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Push\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Push\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Push\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1696
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\
        8⤵
        
        PID:568
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\
        8⤵
        
        PID:1908
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\
        8⤵
        
        PID:1960
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\
        8⤵
        
        PID:2164
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\update.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\update.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\
        8⤵
        
        PID:2268
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1248
      - C:\Program Files\Google\Chrome\update.exe
        
        "C:\Program Files\Google\Chrome\update.exe" C:\Program Files\Google\Chrome\
        6⤵
        
        PID:560
        
        C:\Program Files\Google\Chrome\Application\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\backup.exe" C:\Program Files\Google\Chrome\Application\
        7⤵
        
        PID:1772
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\
        8⤵
        
        PID:1324
        
        C:\Program Files\Google\Chrome\Application\Dictionaries\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\Dictionaries\backup.exe" C:\Program Files\Google\Chrome\Application\Dictionaries\
        8⤵
        
        PID:1360
        
        C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe" C:\Program Files\Google\Chrome\Application\SetupMetrics\
        8⤵
        
        PID:2180
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        
        PID:1076
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        
        PID:1704
      - C:\Program Files\Java\jdk1.7.0_80\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\backup.exe" C:\Program Files\Java\jdk1.7.0_80\
        6⤵
        
        PID:2240
    - - C:\Program Files\Microsoft Games\backup.exe
        
        "C:\Program Files\Microsoft Games\backup.exe" C:\Program Files\Microsoft Games\
        5⤵
        
        PID:2032
    - - C:\Program Files\Microsoft Office\System Restore.exe
        
        "C:\Program Files\Microsoft Office\System Restore.exe" C:\Program Files\Microsoft Office\
        5⤵
        
        PID:2140
    - - C:\Program Files\Mozilla Firefox\backup.exe
        
        "C:\Program Files\Mozilla Firefox\backup.exe" C:\Program Files\Mozilla Firefox\
        5⤵
        
        PID:2276
  - - C:\Program Files (x86)\System Restore.exe
      "C:\Program Files (x86)\System Restore.exe" C:\Program Files (x86)\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1580
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:276
      - C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\
        6⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:1924
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:624
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\
        7⤵
        Drops file in Program Files directory
        
        PID:836
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\
        8⤵
        
        PID:1544
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\
        8⤵
        
        PID:1760
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\
        8⤵
        System policy modification
        
        PID:868
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\
        8⤵
        System policy modification
        
        PID:1972
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\
        9⤵
        
        PID:1616
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\
        8⤵
        
        PID:1216
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1200
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\
        9⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1604
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1704
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\
        8⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1640
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\
        9⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:684
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\
        10⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1152
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\
        9⤵
        
        PID:1616
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\update.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\update.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\
        10⤵
        
        PID:1296
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\
        11⤵
        
        PID:1492
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\
        9⤵
        
        PID:2028
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\
        10⤵
        
        PID:2196
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\
        9⤵
        
        PID:1088
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\
        8⤵
        System policy modification
        
        PID:1736
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1692
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\
        8⤵
        
        PID:1716
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\
        8⤵
        
        PID:1196
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1672
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\
        8⤵
        
        PID:1900
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1200
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1360
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\
        8⤵
        
        PID:1768
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\
        8⤵
        
        PID:828
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\
        8⤵
        
        PID:1488
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\update.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\update.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\
        7⤵
        
        PID:1984
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        
        PID:2008
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        
        PID:1608
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        
        PID:368
    - - C:\Program Files (x86)\Microsoft Analysis Services\System Restore.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\System Restore.exe" C:\Program Files (x86)\Microsoft Analysis Services\
        5⤵
        
        PID:1404
    - - C:\Program Files (x86)\Microsoft Office\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\backup.exe" C:\Program Files (x86)\Microsoft Office\
        5⤵
        
        PID:2156
    - - C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\
        5⤵
        
        PID:2260
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      PID:1420
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1184
      - C:\Users\Admin\Contacts\backup.exe
        
        C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1604
      - C:\Users\Admin\Desktop\backup.exe
        
        C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
        6⤵
        
        PID:1528
      - C:\Users\Admin\Documents\backup.exe
        
        C:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\
        6⤵
        
        PID:1508
      - C:\Users\Admin\Downloads\backup.exe
        
        C:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\
        6⤵
        
        PID:672
      - C:\Users\Admin\Favorites\backup.exe
        
        C:\Users\Admin\Favorites\backup.exe C:\Users\Admin\Favorites\
        6⤵
        
        PID:2040
      - C:\Users\Admin\Links\backup.exe
        
        C:\Users\Admin\Links\backup.exe C:\Users\Admin\Links\
        6⤵
        
        PID:2188
      - C:\Users\Admin\Music\backup.exe
        
        C:\Users\Admin\Music\backup.exe C:\Users\Admin\Music\
        6⤵
        
        PID:2252
    - - C:\Users\Public\backup.exe
        
        C:\Users\Public\backup.exe C:\Users\Public\
        5⤵
        
        PID:268
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      PID:948
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1088
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1116
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:276
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:520
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1296
- C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
  C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1804

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\update.exe

Filesize
72KB

MD5
b198c6bcac20aa88a49424bc64936b61

SHA1
f7a2bc14238ecbd7bf54267a3b36f33b173d2c63

SHA256
87df0eb3f49c91868ae0fb5e73020716978b7b478ba9a859e93a6738bba241b3

SHA512
8aae4b83e2d9cfc4de4af97a53cba2634a8cc27a210ba23ebbf2746932babf6cb78dfbc375a10e46f3548b01a444699bfe7df3bb89cdca141160562a960b342c

Download Submit
C:\PerfLogs\Admin\update.exe

Filesize
72KB

MD5
b198c6bcac20aa88a49424bc64936b61

SHA1
f7a2bc14238ecbd7bf54267a3b36f33b173d2c63

SHA256
87df0eb3f49c91868ae0fb5e73020716978b7b478ba9a859e93a6738bba241b3

SHA512
8aae4b83e2d9cfc4de4af97a53cba2634a8cc27a210ba23ebbf2746932babf6cb78dfbc375a10e46f3548b01a444699bfe7df3bb89cdca141160562a960b342c

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
2e7332a7d3ecda14462d10aad51c3f3d

SHA1
b0524194e7166a3d81f20105c9fa2b583f718e43

SHA256
02cfd3d2a16b650231a06c519be570947e83d0de6fd9c61e3ccd5a908a63b78a

SHA512
7ca0cbea9768900e08135cbc3179330090f99caa3a1218b57a875851d87ec81875597af62edda39e0ea6d13930e4cdfdaaa84d8392834c2aec7554c8c3e61f0a

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
2e7332a7d3ecda14462d10aad51c3f3d

SHA1
b0524194e7166a3d81f20105c9fa2b583f718e43

SHA256
02cfd3d2a16b650231a06c519be570947e83d0de6fd9c61e3ccd5a908a63b78a

SHA512
7ca0cbea9768900e08135cbc3179330090f99caa3a1218b57a875851d87ec81875597af62edda39e0ea6d13930e4cdfdaaa84d8392834c2aec7554c8c3e61f0a

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
a89cfdace5b8c248068a58f617560608

SHA1
8820b033d5649b61192e27fe5b8e8fb1fbf2b0db

SHA256
cfdbc8f3403e290345efdb32e93f59242a748008a006778c56af5ec910b056bc

SHA512
a29f78411dea7b63facead5c2b8e2f23ddf71b0a8dc621b11af379b20627425aa55f26b3e5df05069567f1d47808c55820048e4afc4ed75034ad39af75380d38

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
b198c6bcac20aa88a49424bc64936b61

SHA1
f7a2bc14238ecbd7bf54267a3b36f33b173d2c63

SHA256
87df0eb3f49c91868ae0fb5e73020716978b7b478ba9a859e93a6738bba241b3

SHA512
8aae4b83e2d9cfc4de4af97a53cba2634a8cc27a210ba23ebbf2746932babf6cb78dfbc375a10e46f3548b01a444699bfe7df3bb89cdca141160562a960b342c

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
b198c6bcac20aa88a49424bc64936b61

SHA1
f7a2bc14238ecbd7bf54267a3b36f33b173d2c63

SHA256
87df0eb3f49c91868ae0fb5e73020716978b7b478ba9a859e93a6738bba241b3

SHA512
8aae4b83e2d9cfc4de4af97a53cba2634a8cc27a210ba23ebbf2746932babf6cb78dfbc375a10e46f3548b01a444699bfe7df3bb89cdca141160562a960b342c

Download Submit
C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
6a797c1fa3cfc1d68541dc5c4fc21503

SHA1
2a2707514da6efff6914a2e2c81e7ebe9b60e24d

SHA256
508b8753142cb0e7d5d837e2c30b5c2d4654659126ede84036d9499b17aac42b

SHA512
42d067bbe1607d70f01f575f5505a249b0b9495f08294bdbfa91d46aa90a1a36792005fb3a93275fc841df70c0ee4666729d838ec2ff7c6896e89525b5faa04e

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
4388327a5bd7139c86721109e91a4d8d

SHA1
eba14d44e9db424bd899c266d1400bd8eb93492b

SHA256
42654c60080afaa14fba7759ccddce6f00d194b91d23c2257e2de084d68373d2

SHA512
2d83775a516758cd8fcdd39b4ea3954097442ba1d97e99e738f6e6fd9bf02d56dfb3ee53f440d148e7f48cf3d56448a0299a10c373a420c0df030a3b94c55768

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
4388327a5bd7139c86721109e91a4d8d

SHA1
eba14d44e9db424bd899c266d1400bd8eb93492b

SHA256
42654c60080afaa14fba7759ccddce6f00d194b91d23c2257e2de084d68373d2

SHA512
2d83775a516758cd8fcdd39b4ea3954097442ba1d97e99e738f6e6fd9bf02d56dfb3ee53f440d148e7f48cf3d56448a0299a10c373a420c0df030a3b94c55768

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
143f5349e100fe46b9bcb59521fc4453

SHA1
ca3525235a5a147bd5b49634de3fb4e5f5fc528d

SHA256
963b3ee74ee17820125b1b647c376298c479391df55c5aab0a506e2ead382513

SHA512
fd4ef3c1b8b1d23cc9e8bf86ef9e990212ee4a9829113411fadf037be78e306e6ab168d2a8dcb4f2c5450e4987e8e31b4f6ba3b9aeb19d75c83330b2124c1c19

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
6a797c1fa3cfc1d68541dc5c4fc21503

SHA1
2a2707514da6efff6914a2e2c81e7ebe9b60e24d

SHA256
508b8753142cb0e7d5d837e2c30b5c2d4654659126ede84036d9499b17aac42b

SHA512
42d067bbe1607d70f01f575f5505a249b0b9495f08294bdbfa91d46aa90a1a36792005fb3a93275fc841df70c0ee4666729d838ec2ff7c6896e89525b5faa04e

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
6a797c1fa3cfc1d68541dc5c4fc21503

SHA1
2a2707514da6efff6914a2e2c81e7ebe9b60e24d

SHA256
508b8753142cb0e7d5d837e2c30b5c2d4654659126ede84036d9499b17aac42b

SHA512
42d067bbe1607d70f01f575f5505a249b0b9495f08294bdbfa91d46aa90a1a36792005fb3a93275fc841df70c0ee4666729d838ec2ff7c6896e89525b5faa04e

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
042ee1fb2eedb4dd3cd9a51f1cec0958

SHA1
5d0e98b41dc0dcb6d3a42259d223516746fce79a

SHA256
a4d2eb3f6825d8243489966b6588cab111aac3d8728dc69a742ceed99b910f6a

SHA512
ef67da271837e93976876e37c4f3f6cb1ba13a821cbd3d6a8c113ac934a1931ce4554ffd84e385182f5bb4a9799b3254a4e7d9b10b1976b5ea45aa3213365b3e

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
042ee1fb2eedb4dd3cd9a51f1cec0958

SHA1
5d0e98b41dc0dcb6d3a42259d223516746fce79a

SHA256
a4d2eb3f6825d8243489966b6588cab111aac3d8728dc69a742ceed99b910f6a

SHA512
ef67da271837e93976876e37c4f3f6cb1ba13a821cbd3d6a8c113ac934a1931ce4554ffd84e385182f5bb4a9799b3254a4e7d9b10b1976b5ea45aa3213365b3e

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
2e7332a7d3ecda14462d10aad51c3f3d

SHA1
b0524194e7166a3d81f20105c9fa2b583f718e43

SHA256
02cfd3d2a16b650231a06c519be570947e83d0de6fd9c61e3ccd5a908a63b78a

SHA512
7ca0cbea9768900e08135cbc3179330090f99caa3a1218b57a875851d87ec81875597af62edda39e0ea6d13930e4cdfdaaa84d8392834c2aec7554c8c3e61f0a

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
2e7332a7d3ecda14462d10aad51c3f3d

SHA1
b0524194e7166a3d81f20105c9fa2b583f718e43

SHA256
02cfd3d2a16b650231a06c519be570947e83d0de6fd9c61e3ccd5a908a63b78a

SHA512
7ca0cbea9768900e08135cbc3179330090f99caa3a1218b57a875851d87ec81875597af62edda39e0ea6d13930e4cdfdaaa84d8392834c2aec7554c8c3e61f0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1619929238\data.exe

Filesize
72KB

MD5
80119389d8099537d2ac20336982f275

SHA1
ef535a90bfbcb0602f3d4b71913cd51c1def6bf0

SHA256
f78f029385a0e162a8a05986cda3a30016de5ac755654c74fa01e63e8043a747

SHA512
98e5523d52b59c755242df8916b5e6b714a0533c47a73592536d313e9959bf6c1675e8abbff94a5a908fd1d3a487b7d6cbaea35e5e9aa3691c8a6026363c6b1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1619929238\data.exe

Filesize
72KB

MD5
80119389d8099537d2ac20336982f275

SHA1
ef535a90bfbcb0602f3d4b71913cd51c1def6bf0

SHA256
f78f029385a0e162a8a05986cda3a30016de5ac755654c74fa01e63e8043a747

SHA512
98e5523d52b59c755242df8916b5e6b714a0533c47a73592536d313e9959bf6c1675e8abbff94a5a908fd1d3a487b7d6cbaea35e5e9aa3691c8a6026363c6b1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
cb59fc5da9109347000be131d8aff643

SHA1
13b89313728a694851f372a88136eadc7e171dc9

SHA256
d0911574380638fcbb7dcfea0f8b9127dd5d3064888859d41db90bd308c1d7e2

SHA512
1791d907437fcb7fbf314801ae086bb2e7e80c144afe39dc36d1f52ef3a8bee9374342dd976a69b6c73dfc76c204d2d53ec43353c274f21c6c99cf903f4f62a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
cb59fc5da9109347000be131d8aff643

SHA1
13b89313728a694851f372a88136eadc7e171dc9

SHA256
d0911574380638fcbb7dcfea0f8b9127dd5d3064888859d41db90bd308c1d7e2

SHA512
1791d907437fcb7fbf314801ae086bb2e7e80c144afe39dc36d1f52ef3a8bee9374342dd976a69b6c73dfc76c204d2d53ec43353c274f21c6c99cf903f4f62a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
cb59fc5da9109347000be131d8aff643

SHA1
13b89313728a694851f372a88136eadc7e171dc9

SHA256
d0911574380638fcbb7dcfea0f8b9127dd5d3064888859d41db90bd308c1d7e2

SHA512
1791d907437fcb7fbf314801ae086bb2e7e80c144afe39dc36d1f52ef3a8bee9374342dd976a69b6c73dfc76c204d2d53ec43353c274f21c6c99cf903f4f62a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
cb59fc5da9109347000be131d8aff643

SHA1
13b89313728a694851f372a88136eadc7e171dc9

SHA256
d0911574380638fcbb7dcfea0f8b9127dd5d3064888859d41db90bd308c1d7e2

SHA512
1791d907437fcb7fbf314801ae086bb2e7e80c144afe39dc36d1f52ef3a8bee9374342dd976a69b6c73dfc76c204d2d53ec43353c274f21c6c99cf903f4f62a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
cb59fc5da9109347000be131d8aff643

SHA1
13b89313728a694851f372a88136eadc7e171dc9

SHA256
d0911574380638fcbb7dcfea0f8b9127dd5d3064888859d41db90bd308c1d7e2

SHA512
1791d907437fcb7fbf314801ae086bb2e7e80c144afe39dc36d1f52ef3a8bee9374342dd976a69b6c73dfc76c204d2d53ec43353c274f21c6c99cf903f4f62a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
cb59fc5da9109347000be131d8aff643

SHA1
13b89313728a694851f372a88136eadc7e171dc9

SHA256
d0911574380638fcbb7dcfea0f8b9127dd5d3064888859d41db90bd308c1d7e2

SHA512
1791d907437fcb7fbf314801ae086bb2e7e80c144afe39dc36d1f52ef3a8bee9374342dd976a69b6c73dfc76c204d2d53ec43353c274f21c6c99cf903f4f62a2

Download Submit
C:\backup.exe

Filesize
72KB

MD5
3a3cd0bbccedb20b3eb1c108f88387fc

SHA1
faf5458834579a162c745ac90be4a3f27b4c4aba

SHA256
020c04c602650bb1d5d95107758704aa1ae831d48bf2fec102948ed8263aa974

SHA512
70345cdd65311ee9aa7ab20dac9b50f0800202dd97cf292954b854582d986bc216bc470cf078cf5e1dab7833fb0e2c5bac51b5d68b24809b0294bbfd2ddf812b

Download Submit
C:\backup.exe

Filesize
72KB

MD5
3a3cd0bbccedb20b3eb1c108f88387fc

SHA1
faf5458834579a162c745ac90be4a3f27b4c4aba

SHA256
020c04c602650bb1d5d95107758704aa1ae831d48bf2fec102948ed8263aa974

SHA512
70345cdd65311ee9aa7ab20dac9b50f0800202dd97cf292954b854582d986bc216bc470cf078cf5e1dab7833fb0e2c5bac51b5d68b24809b0294bbfd2ddf812b

Download Submit
\PerfLogs\Admin\update.exe

Filesize
72KB

MD5
b198c6bcac20aa88a49424bc64936b61

SHA1
f7a2bc14238ecbd7bf54267a3b36f33b173d2c63

SHA256
87df0eb3f49c91868ae0fb5e73020716978b7b478ba9a859e93a6738bba241b3

SHA512
8aae4b83e2d9cfc4de4af97a53cba2634a8cc27a210ba23ebbf2746932babf6cb78dfbc375a10e46f3548b01a444699bfe7df3bb89cdca141160562a960b342c

Download Submit
\PerfLogs\Admin\update.exe

Filesize
72KB

MD5
b198c6bcac20aa88a49424bc64936b61

SHA1
f7a2bc14238ecbd7bf54267a3b36f33b173d2c63

SHA256
87df0eb3f49c91868ae0fb5e73020716978b7b478ba9a859e93a6738bba241b3

SHA512
8aae4b83e2d9cfc4de4af97a53cba2634a8cc27a210ba23ebbf2746932babf6cb78dfbc375a10e46f3548b01a444699bfe7df3bb89cdca141160562a960b342c

Download Submit
\PerfLogs\Admin\update.exe

Filesize
72KB

MD5
b198c6bcac20aa88a49424bc64936b61

SHA1
f7a2bc14238ecbd7bf54267a3b36f33b173d2c63

SHA256
87df0eb3f49c91868ae0fb5e73020716978b7b478ba9a859e93a6738bba241b3

SHA512
8aae4b83e2d9cfc4de4af97a53cba2634a8cc27a210ba23ebbf2746932babf6cb78dfbc375a10e46f3548b01a444699bfe7df3bb89cdca141160562a960b342c

Download Submit
\PerfLogs\Admin\update.exe

Filesize
72KB

MD5
b198c6bcac20aa88a49424bc64936b61

SHA1
f7a2bc14238ecbd7bf54267a3b36f33b173d2c63

SHA256
87df0eb3f49c91868ae0fb5e73020716978b7b478ba9a859e93a6738bba241b3

SHA512
8aae4b83e2d9cfc4de4af97a53cba2634a8cc27a210ba23ebbf2746932babf6cb78dfbc375a10e46f3548b01a444699bfe7df3bb89cdca141160562a960b342c

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
2e7332a7d3ecda14462d10aad51c3f3d

SHA1
b0524194e7166a3d81f20105c9fa2b583f718e43

SHA256
02cfd3d2a16b650231a06c519be570947e83d0de6fd9c61e3ccd5a908a63b78a

SHA512
7ca0cbea9768900e08135cbc3179330090f99caa3a1218b57a875851d87ec81875597af62edda39e0ea6d13930e4cdfdaaa84d8392834c2aec7554c8c3e61f0a

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
2e7332a7d3ecda14462d10aad51c3f3d

SHA1
b0524194e7166a3d81f20105c9fa2b583f718e43

SHA256
02cfd3d2a16b650231a06c519be570947e83d0de6fd9c61e3ccd5a908a63b78a

SHA512
7ca0cbea9768900e08135cbc3179330090f99caa3a1218b57a875851d87ec81875597af62edda39e0ea6d13930e4cdfdaaa84d8392834c2aec7554c8c3e61f0a

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
a89cfdace5b8c248068a58f617560608

SHA1
8820b033d5649b61192e27fe5b8e8fb1fbf2b0db

SHA256
cfdbc8f3403e290345efdb32e93f59242a748008a006778c56af5ec910b056bc

SHA512
a29f78411dea7b63facead5c2b8e2f23ddf71b0a8dc621b11af379b20627425aa55f26b3e5df05069567f1d47808c55820048e4afc4ed75034ad39af75380d38

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
a89cfdace5b8c248068a58f617560608

SHA1
8820b033d5649b61192e27fe5b8e8fb1fbf2b0db

SHA256
cfdbc8f3403e290345efdb32e93f59242a748008a006778c56af5ec910b056bc

SHA512
a29f78411dea7b63facead5c2b8e2f23ddf71b0a8dc621b11af379b20627425aa55f26b3e5df05069567f1d47808c55820048e4afc4ed75034ad39af75380d38

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
b198c6bcac20aa88a49424bc64936b61

SHA1
f7a2bc14238ecbd7bf54267a3b36f33b173d2c63

SHA256
87df0eb3f49c91868ae0fb5e73020716978b7b478ba9a859e93a6738bba241b3

SHA512
8aae4b83e2d9cfc4de4af97a53cba2634a8cc27a210ba23ebbf2746932babf6cb78dfbc375a10e46f3548b01a444699bfe7df3bb89cdca141160562a960b342c

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
b198c6bcac20aa88a49424bc64936b61

SHA1
f7a2bc14238ecbd7bf54267a3b36f33b173d2c63

SHA256
87df0eb3f49c91868ae0fb5e73020716978b7b478ba9a859e93a6738bba241b3

SHA512
8aae4b83e2d9cfc4de4af97a53cba2634a8cc27a210ba23ebbf2746932babf6cb78dfbc375a10e46f3548b01a444699bfe7df3bb89cdca141160562a960b342c

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
6a797c1fa3cfc1d68541dc5c4fc21503

SHA1
2a2707514da6efff6914a2e2c81e7ebe9b60e24d

SHA256
508b8753142cb0e7d5d837e2c30b5c2d4654659126ede84036d9499b17aac42b

SHA512
42d067bbe1607d70f01f575f5505a249b0b9495f08294bdbfa91d46aa90a1a36792005fb3a93275fc841df70c0ee4666729d838ec2ff7c6896e89525b5faa04e

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
6a797c1fa3cfc1d68541dc5c4fc21503

SHA1
2a2707514da6efff6914a2e2c81e7ebe9b60e24d

SHA256
508b8753142cb0e7d5d837e2c30b5c2d4654659126ede84036d9499b17aac42b

SHA512
42d067bbe1607d70f01f575f5505a249b0b9495f08294bdbfa91d46aa90a1a36792005fb3a93275fc841df70c0ee4666729d838ec2ff7c6896e89525b5faa04e

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
4388327a5bd7139c86721109e91a4d8d

SHA1
eba14d44e9db424bd899c266d1400bd8eb93492b

SHA256
42654c60080afaa14fba7759ccddce6f00d194b91d23c2257e2de084d68373d2

SHA512
2d83775a516758cd8fcdd39b4ea3954097442ba1d97e99e738f6e6fd9bf02d56dfb3ee53f440d148e7f48cf3d56448a0299a10c373a420c0df030a3b94c55768

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
4388327a5bd7139c86721109e91a4d8d

SHA1
eba14d44e9db424bd899c266d1400bd8eb93492b

SHA256
42654c60080afaa14fba7759ccddce6f00d194b91d23c2257e2de084d68373d2

SHA512
2d83775a516758cd8fcdd39b4ea3954097442ba1d97e99e738f6e6fd9bf02d56dfb3ee53f440d148e7f48cf3d56448a0299a10c373a420c0df030a3b94c55768

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
143f5349e100fe46b9bcb59521fc4453

SHA1
ca3525235a5a147bd5b49634de3fb4e5f5fc528d

SHA256
963b3ee74ee17820125b1b647c376298c479391df55c5aab0a506e2ead382513

SHA512
fd4ef3c1b8b1d23cc9e8bf86ef9e990212ee4a9829113411fadf037be78e306e6ab168d2a8dcb4f2c5450e4987e8e31b4f6ba3b9aeb19d75c83330b2124c1c19

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
143f5349e100fe46b9bcb59521fc4453

SHA1
ca3525235a5a147bd5b49634de3fb4e5f5fc528d

SHA256
963b3ee74ee17820125b1b647c376298c479391df55c5aab0a506e2ead382513

SHA512
fd4ef3c1b8b1d23cc9e8bf86ef9e990212ee4a9829113411fadf037be78e306e6ab168d2a8dcb4f2c5450e4987e8e31b4f6ba3b9aeb19d75c83330b2124c1c19

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
6a797c1fa3cfc1d68541dc5c4fc21503

SHA1
2a2707514da6efff6914a2e2c81e7ebe9b60e24d

SHA256
508b8753142cb0e7d5d837e2c30b5c2d4654659126ede84036d9499b17aac42b

SHA512
42d067bbe1607d70f01f575f5505a249b0b9495f08294bdbfa91d46aa90a1a36792005fb3a93275fc841df70c0ee4666729d838ec2ff7c6896e89525b5faa04e

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
6a797c1fa3cfc1d68541dc5c4fc21503

SHA1
2a2707514da6efff6914a2e2c81e7ebe9b60e24d

SHA256
508b8753142cb0e7d5d837e2c30b5c2d4654659126ede84036d9499b17aac42b

SHA512
42d067bbe1607d70f01f575f5505a249b0b9495f08294bdbfa91d46aa90a1a36792005fb3a93275fc841df70c0ee4666729d838ec2ff7c6896e89525b5faa04e

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\bg-BG\data.exe

Filesize
72KB

MD5
143f5349e100fe46b9bcb59521fc4453

SHA1
ca3525235a5a147bd5b49634de3fb4e5f5fc528d

SHA256
963b3ee74ee17820125b1b647c376298c479391df55c5aab0a506e2ead382513

SHA512
fd4ef3c1b8b1d23cc9e8bf86ef9e990212ee4a9829113411fadf037be78e306e6ab168d2a8dcb4f2c5450e4987e8e31b4f6ba3b9aeb19d75c83330b2124c1c19

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
042ee1fb2eedb4dd3cd9a51f1cec0958

SHA1
5d0e98b41dc0dcb6d3a42259d223516746fce79a

SHA256
a4d2eb3f6825d8243489966b6588cab111aac3d8728dc69a742ceed99b910f6a

SHA512
ef67da271837e93976876e37c4f3f6cb1ba13a821cbd3d6a8c113ac934a1931ce4554ffd84e385182f5bb4a9799b3254a4e7d9b10b1976b5ea45aa3213365b3e

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
042ee1fb2eedb4dd3cd9a51f1cec0958

SHA1
5d0e98b41dc0dcb6d3a42259d223516746fce79a

SHA256
a4d2eb3f6825d8243489966b6588cab111aac3d8728dc69a742ceed99b910f6a

SHA512
ef67da271837e93976876e37c4f3f6cb1ba13a821cbd3d6a8c113ac934a1931ce4554ffd84e385182f5bb4a9799b3254a4e7d9b10b1976b5ea45aa3213365b3e

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
2e7332a7d3ecda14462d10aad51c3f3d

SHA1
b0524194e7166a3d81f20105c9fa2b583f718e43

SHA256
02cfd3d2a16b650231a06c519be570947e83d0de6fd9c61e3ccd5a908a63b78a

SHA512
7ca0cbea9768900e08135cbc3179330090f99caa3a1218b57a875851d87ec81875597af62edda39e0ea6d13930e4cdfdaaa84d8392834c2aec7554c8c3e61f0a

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
2e7332a7d3ecda14462d10aad51c3f3d

SHA1
b0524194e7166a3d81f20105c9fa2b583f718e43

SHA256
02cfd3d2a16b650231a06c519be570947e83d0de6fd9c61e3ccd5a908a63b78a

SHA512
7ca0cbea9768900e08135cbc3179330090f99caa3a1218b57a875851d87ec81875597af62edda39e0ea6d13930e4cdfdaaa84d8392834c2aec7554c8c3e61f0a

Download Submit
\Users\Admin\AppData\Local\Temp\1619929238\data.exe

Filesize
72KB

MD5
80119389d8099537d2ac20336982f275

SHA1
ef535a90bfbcb0602f3d4b71913cd51c1def6bf0

SHA256
f78f029385a0e162a8a05986cda3a30016de5ac755654c74fa01e63e8043a747

SHA512
98e5523d52b59c755242df8916b5e6b714a0533c47a73592536d313e9959bf6c1675e8abbff94a5a908fd1d3a487b7d6cbaea35e5e9aa3691c8a6026363c6b1d

Download Submit
\Users\Admin\AppData\Local\Temp\1619929238\data.exe

Filesize
72KB

MD5
80119389d8099537d2ac20336982f275

SHA1
ef535a90bfbcb0602f3d4b71913cd51c1def6bf0

SHA256
f78f029385a0e162a8a05986cda3a30016de5ac755654c74fa01e63e8043a747

SHA512
98e5523d52b59c755242df8916b5e6b714a0533c47a73592536d313e9959bf6c1675e8abbff94a5a908fd1d3a487b7d6cbaea35e5e9aa3691c8a6026363c6b1d

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
cb59fc5da9109347000be131d8aff643

SHA1
13b89313728a694851f372a88136eadc7e171dc9

SHA256
d0911574380638fcbb7dcfea0f8b9127dd5d3064888859d41db90bd308c1d7e2

SHA512
1791d907437fcb7fbf314801ae086bb2e7e80c144afe39dc36d1f52ef3a8bee9374342dd976a69b6c73dfc76c204d2d53ec43353c274f21c6c99cf903f4f62a2

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
cb59fc5da9109347000be131d8aff643

SHA1
13b89313728a694851f372a88136eadc7e171dc9

SHA256
d0911574380638fcbb7dcfea0f8b9127dd5d3064888859d41db90bd308c1d7e2

SHA512
1791d907437fcb7fbf314801ae086bb2e7e80c144afe39dc36d1f52ef3a8bee9374342dd976a69b6c73dfc76c204d2d53ec43353c274f21c6c99cf903f4f62a2

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
cb59fc5da9109347000be131d8aff643

SHA1
13b89313728a694851f372a88136eadc7e171dc9

SHA256
d0911574380638fcbb7dcfea0f8b9127dd5d3064888859d41db90bd308c1d7e2

SHA512
1791d907437fcb7fbf314801ae086bb2e7e80c144afe39dc36d1f52ef3a8bee9374342dd976a69b6c73dfc76c204d2d53ec43353c274f21c6c99cf903f4f62a2

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
cb59fc5da9109347000be131d8aff643

SHA1
13b89313728a694851f372a88136eadc7e171dc9

SHA256
d0911574380638fcbb7dcfea0f8b9127dd5d3064888859d41db90bd308c1d7e2

SHA512
1791d907437fcb7fbf314801ae086bb2e7e80c144afe39dc36d1f52ef3a8bee9374342dd976a69b6c73dfc76c204d2d53ec43353c274f21c6c99cf903f4f62a2

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
cb59fc5da9109347000be131d8aff643

SHA1
13b89313728a694851f372a88136eadc7e171dc9

SHA256
d0911574380638fcbb7dcfea0f8b9127dd5d3064888859d41db90bd308c1d7e2

SHA512
1791d907437fcb7fbf314801ae086bb2e7e80c144afe39dc36d1f52ef3a8bee9374342dd976a69b6c73dfc76c204d2d53ec43353c274f21c6c99cf903f4f62a2

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
cb59fc5da9109347000be131d8aff643

SHA1
13b89313728a694851f372a88136eadc7e171dc9

SHA256
d0911574380638fcbb7dcfea0f8b9127dd5d3064888859d41db90bd308c1d7e2

SHA512
1791d907437fcb7fbf314801ae086bb2e7e80c144afe39dc36d1f52ef3a8bee9374342dd976a69b6c73dfc76c204d2d53ec43353c274f21c6c99cf903f4f62a2

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
cb59fc5da9109347000be131d8aff643

SHA1
13b89313728a694851f372a88136eadc7e171dc9

SHA256
d0911574380638fcbb7dcfea0f8b9127dd5d3064888859d41db90bd308c1d7e2

SHA512
1791d907437fcb7fbf314801ae086bb2e7e80c144afe39dc36d1f52ef3a8bee9374342dd976a69b6c73dfc76c204d2d53ec43353c274f21c6c99cf903f4f62a2

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
cb59fc5da9109347000be131d8aff643

SHA1
13b89313728a694851f372a88136eadc7e171dc9

SHA256
d0911574380638fcbb7dcfea0f8b9127dd5d3064888859d41db90bd308c1d7e2

SHA512
1791d907437fcb7fbf314801ae086bb2e7e80c144afe39dc36d1f52ef3a8bee9374342dd976a69b6c73dfc76c204d2d53ec43353c274f21c6c99cf903f4f62a2

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
cb59fc5da9109347000be131d8aff643

SHA1
13b89313728a694851f372a88136eadc7e171dc9

SHA256
d0911574380638fcbb7dcfea0f8b9127dd5d3064888859d41db90bd308c1d7e2

SHA512
1791d907437fcb7fbf314801ae086bb2e7e80c144afe39dc36d1f52ef3a8bee9374342dd976a69b6c73dfc76c204d2d53ec43353c274f21c6c99cf903f4f62a2

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
cb59fc5da9109347000be131d8aff643

SHA1
13b89313728a694851f372a88136eadc7e171dc9

SHA256
d0911574380638fcbb7dcfea0f8b9127dd5d3064888859d41db90bd308c1d7e2

SHA512
1791d907437fcb7fbf314801ae086bb2e7e80c144afe39dc36d1f52ef3a8bee9374342dd976a69b6c73dfc76c204d2d53ec43353c274f21c6c99cf903f4f62a2

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
cb59fc5da9109347000be131d8aff643

SHA1
13b89313728a694851f372a88136eadc7e171dc9

SHA256
d0911574380638fcbb7dcfea0f8b9127dd5d3064888859d41db90bd308c1d7e2

SHA512
1791d907437fcb7fbf314801ae086bb2e7e80c144afe39dc36d1f52ef3a8bee9374342dd976a69b6c73dfc76c204d2d53ec43353c274f21c6c99cf903f4f62a2

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
cb59fc5da9109347000be131d8aff643

SHA1
13b89313728a694851f372a88136eadc7e171dc9

SHA256
d0911574380638fcbb7dcfea0f8b9127dd5d3064888859d41db90bd308c1d7e2

SHA512
1791d907437fcb7fbf314801ae086bb2e7e80c144afe39dc36d1f52ef3a8bee9374342dd976a69b6c73dfc76c204d2d53ec43353c274f21c6c99cf903f4f62a2

Download Submit
memory/1932-105-0x0000000074D01000-0x0000000074D03000-memory.dmp

Filesize
8KB

Download
memory/1932-98-0x0000000076401000-0x0000000076403000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads